Chinese television maker Skyworth has issued an apology after a consumer found that his set was quietly collecting a wide range of private data and sending it to a Beijing-based analytics company without his consent.
A network traffic analysis revealed that a Skyworth smart TV scanned for other devices connected to the same local network every 10 minutes and gathered data that included device names, IP addresses, network latency and even the names of other Wi-Fi networks within range, according to a post last week on the Chinese developer forum V2EX.
The data was sent to the Beijing-based firm Gozen Data, the forum user said. Gozen is a data analytics company that specialises in targeted advertising on smart TVs, and it calls itself China’s first “home marketing company empowered by big data centred on family data”.
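The behaviour the forum user found (one device sweeping the whole local subnet on a fixed timer) is easy to spot in a router's flow log once you look for it. The following is an added example, not the forum user's analysis or any Skyworth or Gozen code: it takes (timestamp, source, destination) flow records, groups each source's LAN-bound connections into bursts, and flags sources whose multi-host bursts recur at a steady interval. The subnet, the thresholds and the sample flows are all assumed or constructed for the demonstration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumptions, not facts from the report: the home subnet and the thresholds.
LAN = ip_network("192.168.1.0/24")
MIN_HOSTS = 8        # distinct LAN hosts in one burst before we call it a sweep
BURST_GAP = 30.0     # seconds of silence that separate two bursts
MIN_SWEEPS = 3       # sweeps needed before we judge periodicity
JITTER = 0.10        # allowed spread of sweep intervals, as a fraction of the median


def sweep_starts(records):
    """records: (timestamp, dst) pairs for one source. Splits them into bursts and
    returns the start time of every burst that touched at least MIN_HOSTS hosts."""
    bursts, current = [], []
    for rec in sorted(records):
        if current and rec[0] - current[-1][0] > BURST_GAP:
            bursts.append(current)
            current = []
        current.append(rec)
    if current:
        bursts.append(current)
    return [b[0][0] for b in bursts if len({dst for _, dst in b}) >= MIN_HOSTS]


def detect_periodic_sweeps(flows):
    """flows: iterable of (timestamp_seconds, src_ip, dst_ip) from a flow log.
    Returns {src: {"period": seconds, "sweeps": n}} for LAN hosts that repeatedly
    walk the local subnet at a steady interval. Traffic leaving the LAN is ignored
    here; where the gathered data is uploaded to is a separate question."""
    per_src = defaultdict(list)
    for ts, src, dst in flows:
        if src != dst and ip_address(src) in LAN and ip_address(dst) in LAN:
            per_src[src].append((ts, dst))
    findings = {}
    for src, recs in per_src.items():
        starts = sweep_starts(recs)
        if len(starts) < MIN_SWEEPS:
            continue
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        med = median(gaps)
        if med > 0 and max(gaps) - min(gaps) <= JITTER * med:
            findings[src] = {"period": med, "sweeps": len(starts)}
    return findings


def constructed_flows():
    """Constructed sample, not a real capture: a TV at .50 walks .1-.30 every 600 s
    and then talks to an outside host; a laptop at .20 touches a few peers irregularly."""
    flows = []
    tv = "192.168.1.50"
    for k in range(4):
        base = 1000.0 + 600 * k
        flows.extend((base + i * 0.5, tv, f"192.168.1.{i}") for i in range(1, 31))
        flows.append((base + 20.0, tv, "203.0.113.10"))   # upload to an outside host
    laptop = "192.168.1.20"
    flows.extend((float(t), laptop, d) for t, d in
                 [(1005, "192.168.1.1"), (1700, "192.168.1.7"),
                  (2600, "192.168.1.1"), (2610, "192.168.1.9")])
    return flows


if __name__ == "__main__":
    for src, info in detect_periodic_sweeps(constructed_flows()).items():
        print(f"{src}: {info['sweeps']} LAN sweeps, period {info['period']:.0f} s")
```

On the constructed sample the TV is reported with a 600 second period and the laptop is not, which is the shape of the finding in the post: the tell is not any single connection but the regular, subnet-wide fan-out. Real flow logs (NetFlow, conntrack dumps, a pcap reduced with tshark) only need to be mapped onto the three-tuple the detector consumes.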
[…]
“Isn’t this already the criminal offence of spying on people?” asked one user on Sina.com, a Chinese financial news portal. “Whom will the collected data be sold to, and who is the end user of this data?”
The reaction online eventually prompted Skyworth to respond.
The Shenzhen-based TV and set-top box maker issued a statement on April 27, saying it had ended its “cooperation” with Gozen and demanded the firm delete all its “illegally” collected data. Skyworth also said it had stopped using the Gozen app on its televisions and was looking into the issue.
Gozen issued a statement on its website on the same day, saying its Gozen Data Android app could be disabled on Skyworth TVs, but it did not address the likelihood that users would be aware of this functionality. The company also apologised for “causing user concerns about privacy and security”.
On its official WeChat account, Gozen said in a post from 2019 that it has been working with Skyworth since 2014. Its latest post, which included its apology, said the company collected data for viewership research that includes “television ratings for households and individuals, viewership analysis, advertising analysis and optimisation”. Neither company provided information on the scope and depth of the data collection.
[…]
The revelations about Skyworth and Gozen come amid a national crackdown on the rampant collection and use of user data. Beijing recently introduced new regulations for protecting personal data and curbing its collection through mobile apps.
personal information considered “necessary” for apps in 39 different categories, including messaging and e-commerce. Users should be able to decline to provide data that is not necessary for an app to function, according to the new rules. Users of live-streaming and short-video apps, for example, should be able to use such apps without providing any personal information.
[…]
There have been no reports that Skyworth or Gozen are being investigated. Still, the disclosure and corporate statements have fanned fears among users in China, where Skyworth was the third biggest TV brand by sales volume in 2020, behind
, making up more than 13 per cent of the market. Globally, the company was the fifth-largest TV maker, according to data from Trendforce, behind Samsung Electronics, LG Electronics, TCL and Hisense.
3D scanning and 3D printing may sound like a natural match for one another, but they don’t always play together as easily and nicely as one would hope. I’ll explain what one can expect by highlighting three use cases the average hacker encounters, and how well they do (or don’t) work. With this, you’ll have a better idea of how 3D scanning can meet your part design and 3D printing needs.
How Well Some Things (Don’t) Work
Most 3D printing enthusiasts sooner or later become interested in whether 3D scanning can make their lives and projects easier. Here are three different intersections of 3D scanning, 3D printing, and CAD along with a few words on how well each can be expected to work.
Goal: Use scans to make copies of an object.
Examples and details: 3D scan something, then 3D print copies. Objects might be functional things like fixtures or appliance parts, or artistic objects like sculptures.
Does it work? Mostly yes, but it depends on the object.

Goal: Make a CAD model from a source object.
Examples and details: The goal is a 1:1 model, for part engineering purposes. Use 3D scanning instead of creating the object in CAD.
Does it work? Not really.

Goal: Digitize inconvenient or troublesome shapes.
Examples and details: Obtain an accurate model of complex shapes that can’t easily be measured or modeled any other way. Examples: dashboards, sculptures, large objects, objects that are attached to something else or can’t be easily moved, body parts like heads or faces, and objects with many curves. Useful to make sure a 3D printed object will fit into or on something else. Creating a CAD model of a part for engineering purposes is not the goal.
Does it work? Yes, but it depends.
In all of these cases, one wants a 3D model of an object, and that’s exactly what 3D scanning creates, so what’s the problem? The problem is that not all 3D models are alike and useful for the same things.
3D Scanning Makes Meshes, Not CAD Models
Broadly speaking, there are two kinds of 3D models: CAD models, and meshes. These can be thought of as being useful for engineering purposes and artistic purposes, respectively. Some readers may consider that a revolting oversimplification, but it is a helpful one to make a point about how 3D scanning, 3D printing, and CAD work do (and don’t) work together.
Hackers designing parts are typically most interested in CAD models, because these represent real-world objects that get modified in terms of real-world measurements. But 3D scanning will not create a CAD model; it will create a mesh.
Typical CAD model editing example, showing a model as a solid object, altered in terms of geometric features and real-world measurements.
A typical mesh editing operation. The object is a network of points connected into a mesh, which can be manipulated and deformed.
Meshes can be used for engineering purposes — .stl files are meshes after all, and are practically synonymous with 3D printing — but a mesh cannot be modified in the same ways a CAD file can. With a mesh, one does not extrude a face by a specific number of millimeters, nor does one fillet a corner to a specific radius. Meshes can absolutely be modified, but the tools and processes are different.
To sum up: 3D scanning makes 3D models from real-world objects, but the models that come out of the scanning process aren’t necessarily suitable for engineering purposes without additional work.
Options for the Home-based Hacker
At the beginning of this article I selected three typical intersections of 3D scanning, 3D printing, and CAD work to illustrate the various imperfect fits between them. Now I’ll go into those three use cases in more detail, and provide ways for the average hacker to use 3D scanning to make a project easier.
Using 3D Scanning to Create Copies
Photogrammetry is an accessible way to create 3D models, and free as well as paid options exist. Generally, the smaller and more complex an object, the harder it will be to obtain a result that preserves all the features and details.
Photogrammetry uses multiple photos of an object taken from a variety of different angles, and software interprets these photos to create a point cloud representing the surface of the object. A mesh 3D model representing the object can then be generated. Some cleanup or post-processing of the model is usually required, depending on the method and software.
This blog post from Prusa Research walks through how to get the best results with Meshroom, a free option for 3D scanning using photogrammetry.
OpenScan (and OpenScan Mini) is a DIY project by [Thomas Megel] aimed at using photogrammetry to scan small objects with high accuracy.
RealityCapture is non-free software with a number of useful features and well-made tutorials. Notably, they have a license model option aimed at occasional use and small quantities. Since most software subscription models rarely make sense for hobbyists and one-off projects, it can be worth a look.
Creating a CAD Model from a 3D Scan
Since 3D scanning will not generate a CAD model, it’s not a direct alternative to designing a part in CAD. Most CAD programs allow importing a mesh, but the imported mesh remains a mesh, which cannot be modified in the same way as other CAD objects. It might be useful as a guide for a new design, however.
A mesh converted to a solid will become an object made up of a collection of triangular faces, identical to the ones that made up the original mesh. This is rarely what a novice CAD modeler expects.
One may wonder if it is possible to convert from one format to another. It is, but the conversion may not be what one expects. Converting a CAD model into a mesh is simple enough, but converting a mesh into a CAD solid is less straightforward.
If one’s goal is to use 3D scanning to make the creation of a CAD model easier and the conversion result shown here won’t do the trick, the next best thing is to use the 3D scan as a master and model a new part around it to match, using the imported mesh as a guide. One project that uses this approach is this custom trackball designed around a molded ergonomic prototype.
Some professional software suites have the ability to export to CAD, but the essential workflow is the same, with a scanned mesh being used as the reference for a new design.
3D Scanning to Digitize Inconvenient or Troublesome Shapes
This scan of a laser cutter’s panel is obviously only part of the whole machine, but the important part is present.
Sometimes an accurate 3D model of a shape is needed, and that shape isn’t easily modeled or measured by hand. The same photogrammetry tools mentioned earlier are useful here, but their purpose is different. Instead of modeling the object from top to bottom to make an accurate copy, often only part of the object is needed.
For example, modeling the shape of an equipment panel or dashboard requires only the relevant section to be scanned successfully. A person’s head can be scanned to ensure a precise fit for a helmet or mask, and there’s no need to get a full scan of the entire body. In general, fewer pictures are needed and post-processing and model cleanup is easier because there is a smaller area of interest. A size reference must be included somehow for scaling later, because most 3D scans do not intrinsically create 1:1 models.
An excellent example of this approach is this project to design a custom control panel intended to fit an existing piece of equipment. Unlike when scanning a whole object with the intent of duplicating it, there’s no need to capture difficult-to-reach places like the bottom or back. This makes both scanning and model cleanup easier.
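The size-reference point above is the step most often skipped: a photogrammetry mesh comes out in arbitrary units, so before it is used as a fit reference it has to be scaled from two points whose real separation is known (two scan targets, the ends of a ruler in the photos). The following is an added example, not code from the article or from any of the tools it mentions: it reads a small ASCII STL, derives a uniform scale factor from two reference vertices and a measured distance, applies it, and re-emits the mesh. The tetrahedron and the 25 mm reference distance are constructed for the demonstration; a real mesh would come out of Meshroom or similar, with the reference coordinates picked in a mesh viewer.

```python
import math
import re

# Constructed ASCII STL in arbitrary "scan units", standing in for a photogrammetry
# export. The vertex at the origin and the one at x=1 are assumed to be two scan
# targets a known 25.0 mm apart. Not real scan data.
SAMPLE_STL = """solid scan
facet normal 0 0 0
  outer loop
    vertex 0 0 0
    vertex 1 0 0
    vertex 0 1 0
  endloop
endfacet
facet normal 0 0 0
  outer loop
    vertex 0 0 0
    vertex 0 0 1
    vertex 1 0 0
  endloop
endfacet
facet normal 0 0 0
  outer loop
    vertex 0 0 0
    vertex 0 1 0
    vertex 0 0 1
  endloop
endfacet
facet normal 0 0 0
  outer loop
    vertex 1 0 0
    vertex 0 0 1
    vertex 0 1 0
  endloop
endfacet
endsolid scan
"""

_VERTEX = re.compile(r"^\s*vertex\s+(\S+)\s+(\S+)\s+(\S+)\s*$", re.M)


def parse_ascii_stl(text):
    """Return the mesh as a list of triangles, each a tuple of three (x, y, z) vertices."""
    verts = [tuple(float(c) for c in m.groups()) for m in _VERTEX.finditer(text)]
    if len(verts) % 3:
        raise ValueError("vertex count is not a multiple of 3: truncated or not ASCII STL")
    return [tuple(verts[i:i + 3]) for i in range(0, len(verts), 3)]


def scale_factor(ref_a, ref_b, true_distance):
    """Uniform factor mapping the scan's distance between two reference points onto
    the real measured distance (in the unit you want the output in, e.g. mm)."""
    measured = math.dist(ref_a, ref_b)
    if measured == 0:
        raise ValueError("reference points coincide")
    return true_distance / measured


def scale_mesh(tris, factor):
    return [tuple(tuple(c * factor for c in v) for v in tri) for tri in tris]


def bounding_box(tris):
    """(min_corner, max_corner): check the scaled extents against a ruler before printing."""
    pts = [v for tri in tris for v in tri]
    lo = tuple(min(p[i] for p in pts) for i in range(3))
    hi = tuple(max(p[i] for p in pts) for i in range(3))
    return lo, hi


def write_ascii_stl(tris, name="scaled"):
    # Normals are written as zero; slicers recompute them from the vertex winding.
    lines = [f"solid {name}"]
    for tri in tris:
        lines.append("facet normal 0 0 0\n  outer loop")
        lines.extend(f"    vertex {v[0]:.6f} {v[1]:.6f} {v[2]:.6f}" for v in tri)
        lines.append("  endloop\nendfacet")
    lines.append(f"endsolid {name}")
    return "\n".join(lines) + "\n"


def rescale_stl(text, ref_a, ref_b, true_distance):
    """Parse, derive the factor from the two reference points, scale, and re-emit."""
    tris = parse_ascii_stl(text)
    factor = scale_factor(ref_a, ref_b, true_distance)
    return write_ascii_stl(scale_mesh(tris, factor)), factor


if __name__ == "__main__":
    out, f = rescale_stl(SAMPLE_STL, (0, 0, 0), (1, 0, 0), 25.0)
    print(f"scale factor {f:g}; bbox {bounding_box(parse_ascii_stl(out))}")
```

The check that matters is the last line: after scaling, the bounding box should match what the calipers say about the real object. If it does not, the reference points were picked wrong or the scan is distorted, and no amount of CAD work downstream will fix a wrong scale.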
Professional Scanning
Another option is to pay for a professional scan. Fancy scanners and software suites costing thousands, or tens of thousands, of dollars and aimed at engineering applications exist, and while they are out of the reach of the average hacker, paying for a company to do a scan or two might not be.
Accuracy and resolution can be beyond what’s possible with photogrammetry, and some of the professional software suites have fancy features like aligning multiple scans, accurate size references, or the ability to generate CAD models based on scan results.
A 1:1 model from a professional 3D scanning tool, the product of aligning and merging multiple separate scans from different angles to get a complete model. It is still a mesh, but it accurately represents the original in both features and scale.
Shown here is the model of a part I had professionally scanned with a Creaform HandySCAN Black 3D scanner, according to my invoice. It is an old wood grip from an antique firearm. The scan still created a mesh, but it was an accurate 1:1 model of the original that I was able to use to print replacements on an SLA 3D printer.
When getting a quote for professional 3D scanning, be sure to ask about fee structure and be clear about your needs. In my case, it was cost-effective to scan multiple similar objects under a single setup fee.
Know What 3D Scanning Can (and Can’t) Do
3D scanning is getting better and more accessible all the time, but the fact that it generates a mesh means it doesn’t always fit smoothly into a 3D printing and CAD part design workflow. That doesn’t mean it can’t be useful, but it does mean that it’s important to know the limitations, and how they will affect your needs.
Of course, one can always dig out the calipers and manually model a part in CAD, but not all parts and shapes are easily measured or reverse-engineered. 3D scanning is a great alternative to modeling complex, real-world objects that would be impractical or error-prone to create by hand.
Have you successfully used 3D scanning to make a project easier, or have a favorite method or tool to share? We definitely want to hear all about it, so please take a moment to share with us in the comments.
Combined with today’s massive flat panel displays, a nice surround sound system can provide an extremely immersive environment for watching movies or gaming. But a stumbling block many run into is speaker placement. The front speakers generally just go on either side of the TV, but finding a spot for the rear speakers that’s both visually and acoustically pleasing can be tricky.
Which is why [Peter Waldraff] decided to take a rather unconventional approach and hide his rear surround sound speakers in a pair of functioning table lamps. This not only looks better than leaving the speakers out, but raises them up off the floor and into a better listening position. The whole thing looks very sleek thanks to some clever wiring, to the point that you’d never suspect they were anything other than ordinary lamps.
The trick here is the wooden box located at the apex of the three copper pipes that make up the body of the lamp. [Peter] mounted rows of LEDs to the sides of the box that can be controlled with a switch on the bottom, which provides light in the absence of a traditional light bulb. The unmodified speaker goes inside the box, and connects to the audio wires that were run up one of the pipes.
In the base, the speaker and power wires are bundled together so it appears to be one cable. Since running the power and audio wires together like this could potentially have resulted in an audible hum, [Peter] only ran 12 VDC up through the lamp to the LEDs and used an external “wall wart” transformer. For convenience, he also put a USB charging port in the center of the base.
Although people-growing is probably a long way off, mice can now mostly develop inside an artificial uterus (try private window if you hit a paywall) thanks to a breakthrough in developmental biology. So far, the mice can only be kept alive halfway through gestation. There’s a point at which the nutrient formula provided to them isn’t enough, and they need a blood supply to continue growing. That’s the next goal. For now, let’s talk about that mechanical womb setup.
Carousel of Care
The mechanical womb was developed to better understand how various factors such as gene mutations, nutrients, and environmental conditions affect murine fetuses in development. Why do miscarriages occur, and why do fertilized eggs fail to implant in the first place? How exactly does an egg explode into 40 trillion cells when things do work out? This see-through uterus ought to reveal a few more of nature’s gestational secrets.
Dr. Jacob Hanna of Israel’s Weizmann Institute spent seven years building the two-part system of incubators, nutrients, and ventilation. Each mouse embryo floats in a glass jar, suspended in a concoction of liquid nutrients. A carousel of jars slowly spins around night and day to keep the embryos from attaching to the sides of the jars and dying. Along with the nutrient fluid, the mice receive a carefully-controlled mixture of oxygen and carbon dioxide from the ventilation machine. Dr. Hanna and his team have grown over 1,000 embryos this way.
Full gestation in mice takes about 20 days. As outlined in the paper published in Nature, Dr. Hanna and team removed mouse embryos at day five of gestation and were able to grow them for six more days in the artificial wombs. When compared with uterus-grown mice on day eleven, their sizes and weights were identical. According to an interview after the paper was published, the team have already gone even further, removing embryos right after fertilization on day zero, and growing them for eleven days inside the mechanical womb. The next step is figuring out how to provide an artificial blood supply, or a more advanced system of nutrients that will let the embryos grow until they become mice.
Embryonic Ethics
Here’s the most interesting part: the team doesn’t necessarily have to disrupt live gestation to get their embryos. New techniques allow embryos to be created from murine connective tissue cells called fibroblasts without needing fertilized eggs. Between this development and Dr. Hanna’s carousel of care, there would no longer be a need to fertilize eggs merely to destroy them later.
It’s easy to say that any and all animal testing is unethical because we can’t exactly get their consent (not that we would necessarily ask for it). At the same time, it’s true that we learn a lot from testing on animals first. Our lust for improved survival is at odds with our general empathy, and survival tends to win out on a long enough timeline. A bunch of people die every year waiting for organ transplants, and scientists are already growing pigs for that express purpose. And unlocking more mysteries of the gestation process may make surrogate pregnancies possible for more animals in the frozen zoo.
In slightly more unnerving news, some have recently created embryos that are part human and part monkey for the same reason. Maybe this is how we get to planet of the apes.
The hack involves popping open the case of the watch and exposing the back of the main PCB. There, a series of jumpers control various features. [Ian]’s theory is that this allows Casio to save on manufacturing costs by sharing one basic PCB between a variety of watches and enabling features via the jumper selection. With a little solder wick, a jumper pad can be disconnected, enabling the hidden countdown feature. Other features, such as the multiple alarms, can be disabled in the same way with other jumpers, suggesting lower-feature models use this same board too.
It’s a useful trick that means [Ian] now always has a countdown timer on his wrist when he needs it. Excuses for over-boiling the eggs will now be much harder to come by, but we’re sure he can deal. Of course, watch hacks don’t have to be electronic – as this custom transparent case for an Apple Watch demonstrates. Video after the break.
Earlier this week, the company Orbital Marine Power successfully launched its latest tidal turbine. Once it’s connected to the European Marine Energy Centre off the Orkney Islands, the two-megawatt O2 will have the capacity to generate enough energy to power 2,000 UK households annually, making it one of the world’s most powerful tidal turbines currently in use.
Construction on the project started in 2019. The O2 builds on Orbital’s previous generation SR2000 tidal turbine. The new model consists of a 239-foot superstructure connected to two turbines with 32-foot-long rotor blades. The blades can rotate a full 360 degrees, a feature that allows the O2 to generate power from currents without having to move the whole structure when they change direction. In the future, Orbital says it also has the option to install even larger blades on the O2.
Dutch politicians (Geert Wilders (PVV), Kati Piri (PvdA), Sjoerd Sjoerdsma (D66), Ruben Brekelmans (VVD), Tunahan Kuzu (Denk), Agnes Mulder (CDA), Tom van der Lee (GroenLinks), Gert-Jan Segers (ChristenUnie) and Raymond de Roon (PVV)) just got a first-hand lesson about the dangers of deepfake videos. According to NL Times and De Volkskrant, the Dutch parliament’s foreign affairs committee was fooled into holding a video call with someone using deepfake tech to impersonate Leonid Volkov (above), Russian opposition leader Alexei Navalny’s chief of staff.
The perpetrator hasn’t been named, but this wouldn’t be the first incident. The same impostor had conversations with Latvian and Ukrainian politicians, and approached political figures in Estonia, Lithuania and the UK.
The country’s House of Representatives said in a statement that it was “indignant” about the deepfake chat and was looking into ways it could prevent such incidents going forward.
There doesn’t appear to have been any lasting damage from the bogus video call. However, it does illustrate the potential damage from deepfake chats with politicians. A prankster could embarrass officials, while a state-backed actor could trick governments into making bad policy decisions and ostracizing their allies. Strict screening processes might be necessary to spot deepfakes and ensure that every participant is real.
Russia said it had fined Apple $12 million for alleged [Note: why the use of this word? If the fine has been issued, then a Russian court has established guilt and there is no alleging about it!] abuse of its dominance in the mobile applications market, in the latest dispute between Moscow and a Western technology firm.
The Federal Antimonopoly Service (FAS) said on Tuesday that U.S. tech giant Apple’s distribution of apps through its iOS operating system gave its own products a competitive advantage.
[…]
The FAS said in a statement it had imposed a turnover fine on Apple of 906.3 million roubles ($12.1 million) for the alleged violation of Russian anti-monopoly legislation.
It determined in August 2020 that Apple had abused its dominant position and then issued a directive requiring the U.S. company to remove provisions giving it the right to reject third-party apps from its App Store.
That move followed a complaint from cybersecurity company Kaspersky Lab, which had said that a new version of its Safe Kids application had been declined by Apple’s operating system.
Epic Games is using its lawsuit against Apple to accuse the iPhone maker of being particularly greedy. As The Verge reports, expert witness Ned Barnes testified that Apple supposedly had an App Store operating margin of 77.8 percent in 2019, itself a hike from 74.9 percent in 2018. He also rejected an Apple witness’s claims that you couldn’t practically calculate profit, pointing to info from the company’s Corporate Financial Planning and Analysis group as evidence.
Apple unsurprisingly disagreed. The tech firm told The Verge the margin calculations are “simply” wrong and that it planned to fight the allegations at trial. The firm’s own witness, Richard Schmalensee, claimed that Barnes was looking at one iOS ecosystem element that distorted the apparent operating margin. The real figure was “unremarkable,” he said, adding that you couldn’t study App Store profit without looking at the broader context of devices and services.
The company doesn’t calculate profits and losses based on products and services, Schmalensee said.
There’s no guarantee the court will accept Barnes’ take. Apple’s overall gross profit margin has typically been high relative to much of the industry, but never that high — it was 42.5 percent during the company’s latest winter quarter. Apple has also tended to portray the App Store as a way to drive hardware sales rather than a money-maker in its own right.
The testimony nonetheless does more to explain how Epic will pursue its case against Apple as the court battle begins on May 3rd. The Fortnite creator wants to portray Apple not only as anti-competitive, but as abusing its lock on iOS app distribution to reap massive profits.
Amazon may soon be more accountable for more products than the ones it directly sells. According to the LA Times, a California state appeals court has ruled that Amazon is responsible for the safety of third-party products available through its marketplace following a 2015 hoverboard fire. While the internet giant argued that it was only connecting buyers with sellers, judges determined that there was a “direct link” in distribution that made the company liable.
The company won the initial ruling. At the time, a judge sided with Amazon’s view that it was just advertising sellers’ products rather than participating in sales.
In a statement to the Times, Amazon said it “invests heavily” in product safety by screening sellers and products. It also keeps watch on the store for hints of problems. The company declined to comment on the appeal court decision, including whether it intended to challenge the ruling at the state Supreme Court.
The decision, if it holds, could force Amazon to change policies. The tech giant may have to step up its vetting process for sellers and be ready to accept liability for safety problems, including lawsuits. Other stores with similar third-party marketplaces would have to follow suit. That, in turn, might be good news for shoppers: you could see fewer sketchy products in online stores, and you’d have a better chance of resolving safety issues.
Researchers from the University of Arizona and the University of Utah published a new paper in the Journal of Marketing that examines why most scholarly research is misinterpreted by the public or never escapes the ivory tower, and suggests that such research gets lost in abstract, technical, and passive prose.
The study, forthcoming in the Journal of Marketing, is titled “Marketing Ideas: How to Write Research Articles that Readers Understand and Cite” and is authored by Nooshin L. Warren, Matthew Farmer, Tiany Gu, and Caleb Warren.
From developing vaccines to nudging people to eat less, scholars conduct research that could change the world, but most of their ideas either are misinterpreted by the public or never escape the ivory tower.
Why does most academic research fail to make an impact? The reason is that many ideas in scholarly research get lost in an attic of abstract, technical, and passive prose. Instead of describing “spilled coffee” and “one-star Yelp reviews,” scholars discuss “expectation-disconfirmation” and “post-purchase behavior.” Instead of writing “policies that let firms do what they want have increased the gap between the rich and the poor,” scholars write sentences like, “The rationalization of free-market capitalism has been resultant in the exacerbation of inequality.” Instead of stating, “We studied how liberal and conservative consumers respond when brands post polarizing messages on social media,” they write, “The interactive effects of ideological orientation and corporate sociopolitical activism on owned media engagement were studied.”
Why is writing like this unclear? Because it is too abstract, technical, and passive. Scholars need abstraction to describe theory. Thus, they write about “sociopolitical activism” rather than Starbucks posting a “Black Lives Matter” meme on Facebook. They are familiar with technical terms, such as “ideological orientation,” and they rely on them rather than using more colloquial terms such as “liberal or conservative.” Scholars also want to sound objective, which lulls them into the passive voice (e.g., the effects… were studied) rather than active writing (e.g., “we studied the effects…”). Scholars need to use some abstract, technical, and passive writing. The problem is that they tend to overuse these practices without realizing it.
When writing is abstract, technical, and passive, readers struggle to understand it. In one of the researchers’ experiments, they asked 255 marketing professors to read the first page of research papers published in the Journal of Marketing (JM), Journal of Marketing Research (JMR), and Journal of Consumer Research (JCR). The professors understood less of the papers that used more abstract, technical, and passive writing compared to those that relied on concrete, non-technical, and active writing.
As Warren explains, “When readers do not understand an article, they are unlikely to read it, much less absorb it and be influenced by its ideas. We saw this when we analyzed the text of 1640 articles published in JM, JMR, and JCR between 2000 and 2010. We discovered that articles that relied more on abstract, technical, and passive writing accumulated fewer citations on both Google Scholar and the Web of Science.” An otherwise average JM article that scored one standard deviation lower (clearer) on our measures of abstract, technical, and passive writing accumulated approximately 157 more Google Scholar citations as of May 2020 than a JM article with average writing.
Why do scholars write unclearly? There is an unlikely culprit: knowledge. Conducting good research requires authors to know a lot about their work. It takes years to create research that meaningfully advances scientific knowledge. Consequently, academic articles are written by authors who are intimately familiar with their topics, methods, and results. Authors, however, often forget or simply do not realize that potential readers (e.g., Ph.D. students, scholars in other sub-disciplines, practicing professionals, etc.) are less familiar with the intricacies of the research, a phenomenon called the curse of knowledge.
The research team explores whether the curse of knowledge might be enabling unclear writing by asking Ph.D. students to write about two research projects. The students wrote about one project on which they were the lead researcher and another project led by one of their colleagues. The students reported that they were more familiar with their own research than their colleague’s research. They also thought that they wrote more clearly about their own research, but they were mistaken. In fact, the students used more abstraction, technical language, and passive voice when they wrote about their own research than when they wrote about their colleague’s research.
“To make a greater impact, scholars need to overcome the curse of knowledge so they can package their ideas with concrete, technical, and active writing. Clear writing gives ideas the wings needed to escape the attics, towers, and increasingly narrow halls of their academic niches so that they can reduce infection, curb obesity, or otherwise make the world a better place,” says Farmer.
Bobby Kotick, the longtime CEO of “Call of Duty” and “Candy Crush” game maker Activision Blizzard, will see his base salary reduced by 50% and bonus potential slashed as part of a 15-month contract extension, the company reported Thursday in an SEC filing.
Why it matters: The cut isn’t a sign that the company is struggling. Activision, like most big gaming companies, is thriving. But it appears to show a company reacting to criticism of outsized executive compensation.
Kotick’s base salary will be cut in half to $875,000, and his amended contract establishes a reduction of $1.75 million in potential annual bonuses.
Provisions for lucrative bonuses tied to stock performance have also been removed or rewritten to limit other potential bonus payouts. That follows reports that they triggered payments of as much as $200 million earlier this year.
In its filing, Activision’s board said the compensation changes were made after 12 months of “extensive shareholder outreach.”
[…]
The big picture: Kotick became CEO of Activision in 1991, when the company was a struggling player in a much smaller industry. Now it is one of gaming’s most successful.
That success hasn’t meant labor happiness for all. Activision has laid off waves of employees each of the last three years.
Kotick told Gamesbeat Wednesday that Activision needs to hire some 2,500 workers.
So people are still whining that he’s making actual money but these are the types for whom no pay level will ever be acceptable, even if they even out the pay levels throughout the whole company.
I think this is a great exemplary step forwards – the top shouldn’t be earning such stupid amounts more than the lowest employees. Next step, up the earnings of the lower paid people!
Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau.
Bill Demirkapi, an independent security researcher who’s currently a sophomore at the Rochester Institute of Technology, said he discovered the data exposure while shopping around for student loan vendors online.
Demirkapi encountered one lender’s site that offered to check his loan eligibility by entering his name, address and date of birth. Peering at the code behind this lookup page, he was able to see it invoked an Experian Application Programming Interface or API — a capability that allows lenders to automate queries for FICO credit scores from the credit bureau.
[…]
Demirkapi found the Experian API could be accessed directly without any sort of authentication, and that entering all zeros in the “date of birth” field let him then pull a person’s credit score. He even built a handy command-line tool to automate the lookups, which he dubbed “Bill’s Cool Credit Score Lookup Utility.”
Demirkapi’s Experian credit score lookup tool.
KrebsOnSecurity put that tool to the test, asking permission from a friend to have Demirkapi look up their credit score. The friend agreed and said he would pull his score from Experian (at this point I hadn’t told him that Experian was involved). The score he provided matched the score returned by Demirkapi’s lookup tool.
In addition to credit scores, the Experian API returns for each consumer up to four “risk factors,” indicators that might help explain why a person’s score is not higher.
For example, in my friend’s case Bill’s tool said his mid-700s score could be better if the proportion of balances to credit limits was lower, and if he didn’t owe so much on revolving credit accounts.
“Too many consumer finance company accounts,” the API concluded about my friend’s score.
Microsoft has taken a look at memory management code used in a wide range of equipment, from industrial control systems to healthcare gear, and found it can be potentially exploited to hijack devices.
[…]
Drilling down to the nitty-gritty: Microsoft’s Azure Defender for IoT security research group looked at memory allocation functions, such as malloc(), provided by real-time operating systems, standard C libraries, and software development kits all aimed at embedded electronics: that’s Internet-of-Things (IoT) devices, industrial control systems, and so-called operational technology (OT).
The team found a programming blunder common among much of the software: integer overflows during heap memory allocation. This occurs when an attacker is able to, usually via malicious data inputs, trick application code into making a very large memory allocation for a buffer to hold further incoming information.
The trouble is that a vulnerable memory allocator could take that large size – e.g., 0xffffffff on a 32-bit embedded system – and add something like 8 to it because the requested memory block needs eight bytes of metadata to describe it. The sum then wraps around to 7, and the allocator finds a space in memory that is seven bytes in size for the requested buffer.
The allocator returns a pointer to that small space to the application, which assumes the allocation succeeded for the huge request, and then copies way more than seven bytes of data into the buffer from the attacker. This causes the application to overwrite the memory allocation metadata, structures, and contents. Now the attacker who sent over the data can take full control of the system by overwriting function pointers or altering other values.
The allocations should fail due to the large sizes, but the integer overflow allows them to partially succeed and in a way that’s exploitable. To pull this off, an attacker would need to be able to feed data to the application – either as a file or network traffic or whatever – that causes it to allocate a huge block of heap memory. It would be nice if application code trapped oversize allocations, but in any case, Microsoft found OS and library-level code let it all sail through, too, due to the overflows.
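The wraparound the article walks through, as an added illustration that is not Microsoft's or any vendor's allocator code: a toy size computation on a 32-bit size type reproduces the 0xffffffff + 8 = 7 result, beside the overflow check that makes the request fail cleanly instead. `HEADER_SIZE`, `safe_alloc` and `safe_free` are hypothetical names chosen for the example.

```c
/* Added example (not from the article or any vendor): a 32-bit heap header
 * size computation that wraps, and the checked version that refuses to. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Metadata prepended to every block, eight bytes as in the article. */
#define HEADER_SIZE 8u

/* Vulnerable arithmetic: mirrors what the article describes. uint32_t stands
 * in for size_t on a 32-bit embedded target so the wrap reproduces on any
 * host. 0xffffffff + 8 wraps to 7, so the allocator looks for 7 bytes. */
uint32_t vulnerable_total_size(uint32_t requested) {
    return requested + HEADER_SIZE;
}

/* Hardened arithmetic: detect the wrap before it happens. Returns 0 on
 * overflow; 0 is never a legitimate total because HEADER_SIZE > 0. */
uint32_t checked_total_size(uint32_t requested) {
    if (requested > UINT32_MAX - HEADER_SIZE) {
        return 0;
    }
    return requested + HEADER_SIZE;
}

/* Hypothetical allocator front-end showing where the check belongs. It is
 * backed by the host malloc here; a real RTOS allocator carves from a pool,
 * but the overflow check is the same. The header stores the total size. */
void *safe_alloc(uint32_t requested) {
    uint32_t total = checked_total_size(requested);
    if (total == 0) {
        return NULL;  /* the oversize request fails instead of "succeeding" with 7 bytes */
    }
    uint8_t *block = malloc(total);
    if (block == NULL) {
        return NULL;
    }
    memcpy(block, &total, sizeof total);
    return block + HEADER_SIZE;
}

void safe_free(void *user_ptr) {
    if (user_ptr != NULL) {
        free((uint8_t *)user_ptr - HEADER_SIZE);
    }
}

/* Allocate, fill and release a block; returns 1 on success, 0 if the
 * allocation was (correctly) refused. Used by the self-check below. */
int safe_alloc_roundtrip(uint32_t requested) {
    uint8_t *buf = safe_alloc(requested);
    if (buf == NULL) {
        return 0;
    }
    memset(buf, 0xAA, requested);
    safe_free(buf);
    return 1;
}

int main(void) {
    /* Constructed attacker-style length: the largest 32-bit value. */
    uint32_t huge = 0xffffffffu;
    printf("vulnerable total for 0x%08x: %u\n", huge, vulnerable_total_size(huge));
    printf("checked total for 0x%08x:    %u (0 = rejected)\n", huge, checked_total_size(huge));
    printf("safe_alloc(%u) succeeded: %d\n", 64u, safe_alloc_roundtrip(64u));
    printf("safe_alloc(0x%08x) succeeded: %d\n", huge, safe_alloc_roundtrip(huge));
    return 0;
}
```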
[…]
For devices that cannot be patched immediately, we recommend mitigating controls such as: reducing the attack surface by minimizing or eliminating exposure of vulnerable devices to the internet; implementing network security monitoring to detect behavioral indicators of compromise; and strengthening network segmentation to protect critical assets.”
What is affected? Good question. The US government’s Cybersecurity and Infrastructure Security Agency (CISA) has a summary here.
A resident of Maassluis registered the MAC addresses of 54,000 smartphones and passed them on to an opt-out register. The action of the “Robin 2.4Ghz Hood” keeps all these phone owners out of the municipality’s Wi-Fi tracking.
The action is intended to protect the privacy of the residents of Maassluis. The man behind the initiative, Jerry Hopper, also exposed a privacy leak in the neighborhood app Nextdoor in 2019.
Hopper’s current action is against the municipality’s plan to count visits to the center by April 2021 by registering the unique ID codes of Wi-Fi transmitters (MAC addresses). Anyone who does not want that, says Maassluis, should switch off the Wi-Fi antenna of their phone. According to the technical blogger, it is the other way around, because European privacy rules are opt-in, not opt-out.
For a few weeks now, the resident of the city has therefore been measuring the MAC addresses of cars that pass his house. “Knowing that I am also violating the privacy law with this plan, I feel like a kind of Robin Hood in the shadowy realm of data collectors. As far as possible, I have tried to use the same techniques. There is even an opt-out. We anonymize the MAC address ‘on the sensor’ by hashing it twice and ‘cutting off’ part of the hash.”
The purpose of the action: “If the hash does not exist, we will send the MAC over a secure connection to the MOA opt-out register.” That register, called Wifi Me Niet, is the place where people can withdraw the address of their phone, tablet and computer from the measurement. It is a private initiative.
The more than fifty thousand MAC addresses collected by Hopper are more than the thirty thousand inhabitants of his city, he explains on his blog.
“Another question is: how long will it remain technically possible to send unlimited MAC addresses to the opt-out register? I am also very curious about how the MAC addresses sent by this project are handled if they notice that they have been added via an automated process. Would they be removed?”
The municipality of Maassluis is not alone in measuring visits to its city center by counting Wi-Fi antennas. Enschede is doing the same. For that, however, the municipality was fined six hundred thousand euros on Wednesday. Research by the Dutch Data Protection Authority showed that the privacy of citizens was not properly guaranteed. They could be tracked without it being necessary.
In Enschede, it was technical politician Dave Borghuis who put the city on fire with his Wi-Fi move.
Municipalities cannot claim to be surprised by the rap on the knuckles. The Dutch Data Protection Authority already warned shops and municipalities in June 2016 that they must have a legal basis for tracking citizens.
Enschede does not agree with the decision and says it will object to the decision.
AI Dungeon, which uses OpenAI’s GPT-3 to create online text adventures with players, has a habit of acting out sexual encounters with not just fictional adults but also children, prompting the developer to add a content filter.
AI Dungeon is straightforward: imagine an online improvised Zork with an AI generating the story with you as you go. A player types in a text prompt, which is fed into an instance of GPT-3 in the cloud. This backend model uses the input to generate a response, which goes back to the player, who responds with instructions or some other reaction, and this process repeats.
It’s a bit like talking to a chat bot though instead of having a conversation, it’s a joint effort between human and computer in crafting a story on the fly. People can write anything they like to get the software to weave a tapestry of characters, monsters, animals… you name it. The fun comes from the unexpected nature of the machine’s replies, and working through the strange and absurd plot lines that tend to emerge.
Unfortunately, if you mention children, there was a chance it would go from zero to inappropriate real fast, as the SFW screenshot below shows. This is how the machine-learning software responded when we told it to role-play an 11-year-old:
Er, not cool … Software describes the fictional 11-year-old as a girl in a skimpy school uniform standing over you.
Not, “hey, mother, shall we visit the magic talking tree this morning,” or something innocent like that in response. No, it’s straight to creepy.
Amid pressure from OpenAI, which provides the game’s GPT-3 backend, AI Dungeon’s maker Latitude this week activated a filter to prevent the output of child sexual abuse material. “As a technology company, we believe in an open and creative platform that has a positive impact on the world,” the Latitude team wrote.
“Explicit content involving descriptions or depictions of minors is inconsistent with this value, and we firmly oppose any content that may promote the sexual exploitation of minors. We have also received feedback from OpenAI, which asked us to implement changes.”
And by changes, they mean making the software’s output “consistent with OpenAI’s terms of service, which prohibit the display of harmful content.”
The biz clarified that its filter is designed to catch “content that is sexual or suggestive involving minors; child sexual abuse imagery; fantasy content (like ‘loli’) that depicts, encourages, or promotes the sexualization of minors or those who appear to be minors; or child sexual exploitation.”
And it added: “AI Dungeon will continue to support other NSFW content, including consensual adult content, violence, and profanity.”
[…]
It was also revealed this week that programming blunders in AI Dungeon could be exploited to view the private adventures of other players. The pseudonymous AetherDevSecOps, who found and reported the flaws, used the holes to comb 188,000 adventures created between the AI and players from April 15 to 19, and saw that 46.3 per cent of them involved lewd role-playing, and about 31.4 per cent were purely pornographic.
AI Dungeon’s makers were, we’re told, alerted to the API vulnerabilities on April 19. The flaws were addressed, and their details were publicly revealed this week by AetherDevSecOps.
Exploitation of the security shortcomings mainly involved abusing auto-incrementing ID numbers used in API calls, which are easy to enumerate to access data belonging to other players; no rate limits to mitigate this abuse; and a lack of monitoring for anomalous requests that could be malicious activity.
[…]
Community reaction
The introduction of the content filter sparked furor among fans. Some are angry that their free speech is under threat and that it ruins intimate game play with fictional consenting adults, some are miffed that they had no warning this was landing, others are shocked that child sex abuse material was being generated by the platform, and many are disappointed with the performance of the filter.
When it detects sensitive words, the game simply instead says the adventure “took a weird turn.” It appears to be triggered by obvious words relating to children, though the filter is spotty. An innocuous text input describing four watermelons, for example, upset the filter. A superhero rescuing a child was also censored.
Latitude admitted its experimental-grade software was not perfect, and repeated it wasn’t trying to censor all erotic consent – only material involving minors. It also said it will review blocked material to improve its code; given the above, that’s going to be a lot of reading.
The European Union has charged Apple with allegedly “abus[ing] its dominant position” in the music streaming market.
The charges stem from an initial complaint filed by Spotify in 2019. At the time, Spotify accused Apple of having “an unfair advantage at every turn” by imposing a series of obstacles that favored its own services at the expense of competitors. As it turns out, the European Commission seems to agree with Spotify.
“By setting strict rules on the App Store that disadvantage competing music streaming services, Apple deprives users of cheaper music streaming choices and distorts competition,” the European Commission said in a tweet.
The Commission further explained in a press release that it took issue with Apple’s role as a gatekeeper to the iOS ecosystem. Because the App Store is the only venue for developers to reach iOS users, the Commission contends that elevates Apple to a dominant position within the music streaming market. In particular, it singled out Apple’s mandatory 30% commission for in-app purchases and “anti-steering provisions.” The latter refers to limitations within the App Store that prevent developers from informing consumers of alternative payment options that might be cheaper. That in turn forces rival music streaming services to raise subscription prices for consumers to make up for their higher costs—all while Apple benefits by acting as a middle man for in-app billing and communications with consumers.
[…]
It’s a no-brainer that each company would point to the other as being in the wrong here. But it’s clear that Apple’s 30% commission and control over in-app transactions is a sore point for multiple companies. Next week, Epic Games will also go to federal court to argue that Apple abused its power to kick Fortnite out of the App Store. That dramatic brouhaha last summer sparked a number of app developers—including Spotify, Tile, and Epic Games—to form the Coalition for App Fairness (CAF), a nonprofit that aims to fight against the so-called Apple tax and other anticompetitive app store policies.
[…]
If found guilty, Apple could face up to a 10% fine on its annual revenue—which, any way you slice it, would be a lot of money. However, the Commission says that there are “no legal deadlines for bringing an antitrust investigation to an end” and that an investigation will last as long as it needs to, “depend[ing] on a number of factors.” In other words, while this is a major milestone in Apple’s App Store antitrust saga, it’s far, far, far from being over.
I have been talking about ending the monopoly stranglehold big tech has been exercising since early 2019, so it’s good to see the end of this is all coming together finally.
Virologist and medical researcher Jonas Salk developed a successful polio vaccine that was approved in 1955, helping the world all but eradicate the disease.
When the late journalist Edward Murrow asked Salk who owned that vaccine’s patent, he famously responded, “Could you patent the sun?” It was in large part his commitment to keeping the jab’s recipe open-source that vaccines were produced globally and millions around the world were able to get it.
As the covid-19 health crisis unfolds, multinational pharmaceutical corporations like Moderna and Pfizer have taken a different approach. Their tight hold on the technology for their covid-19 vaccines has made them billions of dollars. While these strict intellectual property laws protections have allowed the rich to get even richer, they’ve put a damper on efforts to manufacture vaccines at scale. And with supply limited, the U.S. and other rich nations have engaged in bilateral negotiations with pharmaceutical corporations and hoarded all the doses they can, leaving poor nations in the dust.
The loss of life and suffering sparked by these strict patent protections are a major warning sign for our climate future. To avert environmental catastrophe, everyone needs access to clean energy. Intellectual property law could get in the way of that. And in the end, we could all suffer the consequences of a clean energy apartheid.
[…]
At its general council meeting next week, the World Trade Organization has the opportunity to help staunch the spread of covid-19 by waiving some protections on covid-19 vaccines developed by Moderna and Pfizer under the Trade-Related Aspects of Intellectual Property Rights Agreement. More than 100 nations, including India, have urged it to do. The Biden administration is reportedly considering endorsing this move, though then again, it’s been reportedly “considering” it for months.
This isn’t just something World Trade Organization negotiators should do out of the goodness of their hearts—though it absolutely is that, assuming they have hearts. Failing to do so could result in variants that bypass vaccines, which could harm those lucky enough to have gotten the shot and send the world economy back into a tailspin.
“As the pandemic ravages the Global South, what are wealthy northern countries going to do? Just completely ban all contact with poorer countries? It won’t work,” said Basav Sen, climate justice project director at the Institute for Policy Studies. “It is extremely short-sighted to push this kind of logic of intellectual property and corporate profit over what is clearly a prominent threat for all of humanity.”
The Florida Keys Mosquito Control District and Oxitec Ltd today announced location participation plans for its landmark Florida Keys pilot project. Project managers anticipate that during the last week of April and first week of May release boxes, non-release boxes and netted quality control boxes will be placed in six locations: two on Cudjoe Key, one on Ramrod Key and three on Vaca Key. Throughout all release locations less than 12,000 mosquitoes are expected to emerge each week for approximately 12 weeks. Untreated comparison sites will be monitored with mosquito traps on Key Colony Beach, Little Torch Key, and Summerland Key.
This marks the start of the US EPA approved project to evaluate this safe, sustainable and environmentally-friendly solution to control the invasive Aedes aegypti mosquito species.
Oxitec’s non-biting male mosquitoes will emerge from the boxes to mate with the local biting female mosquitoes. The female offspring of these encounters cannot survive, and the population of Aedes aegypti is subsequently controlled.
The Aedes aegypti mosquito makes up about four percent of the mosquito population in the Keys but is responsible for virtually all mosquito-borne diseases transmitted to humans. This species of mosquito transmits dengue, Zika, yellow fever and other human diseases, and can transmit heartworm and other potentially deadly diseases to pets and animals.
There’s a lot of fear mongering on this one, based on some outright lies and old facts, eg using an old nature article that has since been rescinded, inflating massively the number of mosquitos to be released, saying people aren’t told where the mosquitos will be released (they do tell people, just read above), etc etc. I’m sure that maybe some of their fears are legitimate but throwing in all of this bullshit really weakens their case and makes me too bored to find the hidden gem in the codswallop after I keep factchecking and finding out that the fearmongers are lying yet again.
Within a week, Basecamp’s loathed no-politics-at-work rule has escalated to a mass exodus. This afternoon, reporter Casey Newton tweeted that around one-third of the company’s employees accepted buyouts following a “contentious all-hands meeting.” The software company behind Ruby on Rails, Campfire, and HEY was, until this week or so, generally perceived by outsiders as one of the good ones.
The stir came out of left field on Tuesday, when co-founder and CEO Jason Fried announced a ban on “societal and political discussions” within the company Basecamp account. The move depressingly aligned with similar internal policies at companies like Google and Amazon, who’ve also lost all semblance of moral superiority.
Microsoft is shaking up the world of PC gaming today with a big cut to the amount of revenue it takes from games on Windows. The software giant is reducing its cut from 30 percent to just 12 percent from August 1st, in a clear bid to compete with Steam and entice developers and studios to bring more PC games to its Microsoft Store.
“Game developers are at the heart of bringing great games to our players, and we want them to find success on our platforms,” says Matt Booty, head of Xbox Game Studios at Microsoft. “A clear, no-strings-attached revenue share means developers can bring more games to more players and find greater commercial success from doing so.”
These changes will only affect PC games and not Xbox console games in Microsoft’s store. While Microsoft hasn’t explained why it’s not reducing the 30 percent it takes on Xbox game sales, it’s likely because the console business model is entirely different to PC. Microsoft, Sony, and Nintendo subsidize hardware to make consoles more affordable, and offer marketing deals in return for a 30 percent cut on software sales.
Microsoft’s new reduction on the PC side is significant, and it matches the same revenue split that Epic Games offers PC game developers while also putting more pressure on Valve to reduce its Steam store cut. Valve still takes a 30 percent cut on sales in its Steam store, which is reduced to 25 percent when sales hit $10 million, and then 20 percent for every sale after $50 million.
Let’s be clear – it’s still taking 12% of everything it has put virtually no effort in to making. All it does is hold up an electronic store front on some servers. And the point the article is making: that it’s cheap compared to the seeming “industry standard” 30% shows really that there is and has been a price cartel between the tiny amount of major players in the electronic market place.
This is the kind of monopoly I have been talking about since the beginning of 2019.
China today launched the main module of its new space station into low Earth orbit. The ambitious project is set to be China’s answer to the International Space Station, which has never included China in its membership.
The 55-foot core module is called Tianhe, or Harmony of the Heavens. It blasted off from the Wenchang Launch Center in Hainan in the wee hours of Thursday morning, late Wednesday night for the United States. It launched aboard a 190-foot-tall Long March-5b Rocket, which has been the flagship launcher of the program since 2016. This is the first of 11 launches planned to see the finished product of the Chinese Space Station in operation by late 2022.
Should all go according to plan, Tianhe is the section of the station that will actually house Chinese astronauts, for stints of up to half a year. The next launches will send up two experimental modules, which will attach to either side of Tianhe, four cargo shipments, and four crewed missions, the first of which is slated for June. Tianhe has a total of five docking ports, which could be expanded to six.
The core module is the largest spacecraft yet developed by China, according to Chinese state media. The total station weight will be around 66 tons. While a far cry from the over 450 tons the ISS was at its completion in 1998, the main goals of the space station—conducting experiments in space and exploring how properties of space affect the results—don’t really require a ton of room.
Stratolaunch, the aerospace company founded by the late Seattle billionaire Paul Allen, put the world’s biggest airplane through its second flight test today, two years after the first flight.
Roc rose as high as 14,000 feet and traveled at a top speed of 199 mph during a flight that lasted three hours and 14 minutes — which is close to an hour longer than the first flight on April 13, 2019. During that earlier flight, the airplane reached a maximum speed of 189 mph and maximum altitude of 17,000 feet.
Zachary Krevor, Stratolaunch’s chief operating officer, said today’s flight accomplished all of its test objectives by checking the performance of improved instrumentation, a more robust flight control system and an environmental control system that allowed the pilots to work in a pressurized cockpit. Krevor said the crew included chief pilot Evan Thomas, pilot Mark Giddings and flight engineer Jake Riley.
[…]
Since Roc’s first flight in 2019, the business model for the 10-year-old venture has shifted: In its early years, Stratolaunch focused on using Roc as a flying launch pad for sending rockets and their payloads to orbit. The concept capitalizes on the air launch system pioneered by SpaceShipOne, which won financial backing from Allen and won the $10 million Ansari X Prize in 2004,
The new owners still expect to use Roc for air launch, but the current focus is on using the plane as a testbed for Stratolaunch’s hypersonic flight vehicles. Once the plane is cleared for regular operations, perhaps next year, Stratolaunch could begin launching its Talon-A prototype hypersonic plane.
[…]
Other companies, principally including Virgin Orbit, are also working on next-generation air launch technology. Such systems hold the promise of greater versatility and quicker response time for launching payloads, due to the fact that the carrier planes can take off from a wide variety of runways, fly around inclement weather and theoretically launch their payloads in any desired orbital inclination.
Stratolaunch’s twin-fuselage, six-engine Roc airplane is in a class by itself, thanks to its world-record wingspan of 385 feet. In comparison, the wingspan of the modified Boeing 747 that Virgin Orbit is using comes to 211 feet. The previous record-holder was the Spruce Goose, a prototype seaplane that made its debut in 1947 and had a 320-foot wingspan. Built by Mojave-based Scaled Composites, Roc has the capacity to carry more than 500,000 pounds of payload.