Edward Snowden calls for spyware trade ban amid Pegasus revelations

Governments must impose a global moratorium on the international spyware trade or face a world in which no mobile phone is safe from state-sponsored hackers, Edward Snowden has warned in the wake of revelations about the clients of NSO Group.

Snowden, who in 2013 blew the whistle on the secret mass surveillance programmes of the US National Security Agency, described for-profit malware developers as “an industry that should not exist”.

He made the comments in an interview with the Guardian after the first revelations from the Pegasus project, a journalistic investigation by a consortium of international media organisations into the NSO Group and its clients.

[…]

For traditional police operations to plant bugs or wiretap a suspect’s phone, law enforcement would need to “break into somebody’s house, or go to their car, or go to their office, and we’d like to think they’ll probably get a warrant”, he said.

But commercial spyware made it cost-efficient for targeted surveillance against vastly more people. “If they can do the same thing from a distance, with little cost and no risk, they begin to do it all the time, against everyone who’s even marginally of interest,” he said.

“If you don’t do anything to stop the sale of this technology, it’s not just going to be 50,000 targets. It’s going to be 50 million targets, and it’s going to happen much more quickly than any of us expect.”

Part of the problem arose from the fact that different people’s mobile phones were functionally identical to one another, he said. “When we’re talking about something like an iPhone, they’re all running the same software around the world. So if they find a way to hack one iPhone, they’ve found a way to hack all of them.”

He compared companies commercialising vulnerabilities in widely used mobile phone models to an industry of “infectioneers” deliberately trying to develop new strains of disease.

“It’s like an industry where the only thing they did was create custom variants of Covid to dodge vaccines,” he said. “Their only products are infection vectors. They’re not security products. They’re not providing any kind of protection, any kind of prophylactic. They don’t make vaccines – the only thing they sell is the virus.”

Snowden said commercial malware such as Pegasus was so powerful that ordinary people could in effect do nothing to stop it. Asked how people could protect themselves, he said: “What can people do to protect themselves from nuclear weapons?

“There are certain industries, certain sectors, from which there is no protection, and that’s why we try to limit the proliferation of these technologies. We don’t allow a commercial market in nuclear weapons.”

He said the only viable solution to the threat of commercial malware was an international moratorium on its sale. “What the Pegasus project reveals is the NSO Group is really representative of a new malware market, where this is a for-profit business,” he said. “The only reason NSO is doing this is not to save the world, it’s to make money.”

He said a global ban on the trade in infection vectors would prevent commercial abuse of vulnerabilities in mobile phones, while still allowing researchers to identify and fix them.

“The solution here for ordinary people is to work collectively. This is not a problem that we want to try and solve individually, because it’s you versus a billion dollar company,” he said. “If you want to protect yourself you have to change the game, and the way we do that is by ending this trade.”

[…]

Source: Edward Snowden calls for spyware trade ban amid Pegasus revelations | Edward Snowden | The Guardian

How To Check If Your iPhone Is Infected With Pegasus Using MVT

The revelation that our government might be using spyware called Pegasus to hack into its critics’ phones has started a whole new debate on privacy. The opposition is taking a dig at the ruling party every chance it gets, while the latter is trying to do damage control after facing such serious allegations.

Amidst the chaos, one of the members of The Pegasus Project, Amnesty, recently made a public toolkit that can check if your phone is infected with Pegasus. The toolkit, known as MVT, requires users to know their way around the command line.

In a previous post, we wrote about how it works and successfully traces signs of Pegasus. Moreover, we mentioned how MVT is more effective on iOS than Android (the most you can do is scan APKs and SMSes). Hence, in this guide, we’re focusing on breaking down the process to detect Pegasus on iPhone into a step-by-step guide.

First off, you’ll need to create an encrypted backup and transfer it to either a Mac or PC. You can also do this on Linux instead, but you’ll have to install libimobiledevice beforehand for that.

Once the phone backup is transferred, you need to download Python 3.6 (or newer) on your system — if you don’t have it already. Here’s how you can install the same for Windows, macOS, and Linux.

After that, go through Amnesty’s manual to install MVT correctly on your system. Installing MVT will give you new utilities (mvt-ios and mvt-android) that you can use in the Python command line.

Now, let’s go through the steps for detecting Pegasus on an iPhone backup using MVT.

Steps To Detect Pegasus On iPhone

First of all, you have to decrypt your data backup. To do that, you’ll need to enter the following instruction format while replacing the placeholder text (marked with a forward slash) with your custom path.

mvt-ios decrypt-backup -p password -d /decrypted /backup

Note: Replace “/decrypted” with the directory where you want to store the decrypted backup and “/backup” with the directory where your encrypted backup is located.

Now, we will run a scan on the decrypted backup, referencing it with the latest IOCs (possible signs of Pegasus spyware), and store the result in an output folder.

To do this, first, download the newest IOCs from here (use the folder with the latest timestamp). Then, enter the instruction format as given below with your custom directory path.

mvt-ios check-backup -o /output -i /pegasus.stix2 /backup

Note: Replace “/output” with the directory where you want to store the scan result, “/backup” with the path where your decrypted backup is stored, and “/pegasus.stix2” with the path where you downloaded the latest IOCs.

After the scan completion, MVT will generate JSON files in the specified output folder. If there is a JSON file with the suffix “_detected,” then that means your iPhone data is most likely Pegasus-infected.

However, the IOCs are regularly updated by Amnesty’s team as they develop a better understanding of how Pegasus operates. So, you might want to keep running scans as the IOCs are updated to make sure there are no false positives.

Source: How To Check If Your Phone Is Infected With Pegasus Using MVT
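As an added illustration of the check-backup step above (not MVT’s own code, which lives in Amnesty’s repository), the following script loads a STIX2 bundle of the kind MVT consumes, pulls the indicator values out of the STIX patterns, matches them against records of the sort a decrypted backup yields, and writes the `_detected.json` files the guide tells you to look for. The bundle, the records, the domain names, the process name and the per-record field names (`url`, `process`) are all constructed placeholders.

```python
import json
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Constructed STIX2 bundle in the shape a pegasus.stix2 file takes: one
# "indicator" object per IOC, the value embedded in a STIX pattern string.
# Domains and the process name are placeholders, not real indicators.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--constructed-example",
    "objects": [
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'ioc-domain-1.invalid']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'ioc-domain-2.invalid']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[process:name = 'ioc-process-placeholder']"},
        {"type": "malware", "name": "not an indicator, must be ignored"},
    ],
}

# Constructed records of the kind extracted per module from a decrypted
# backup: Safari history URLs and process names seen in data-usage records.
SAMPLE_RECORDS = {
    "safari_history": [
        {"url": "https://www.apple.com/"},
        {"url": "https://cdn.ioc-domain-1.invalid/x"},
        {"url": "https://benign.example/page"},
    ],
    "datausage": [
        {"process": "mobilemail"},
        {"process": "ioc-process-placeholder"},
    ],
}

# Pulls (type, value) pairs such as ("domain-name", "foo.invalid") out of a
# STIX pattern; handles patterns with several comparisons joined by OR.
_PATTERN_RE = re.compile(r"([\w-]+):(?:value|name)\s*=\s*'([^']+)'")


def load_iocs(bundle):
    """Return {ioc_type: set(values)} from the bundle's indicator objects."""
    iocs = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        for ioc_type, value in _PATTERN_RE.findall(obj.get("pattern", "")):
            iocs.setdefault(ioc_type, set()).add(value.lower())
    return iocs


def _host_matches(host, domains):
    """True if host equals an IOC domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def check_module(module, records, iocs):
    """Return the records of one module that hit a domain or process IOC."""
    hits = []
    domains = iocs.get("domain-name", set())
    procs = iocs.get("process", set())
    for rec in records:
        matched = None
        if "url" in rec:
            host = (urlsplit(rec["url"]).hostname or "").lower()
            if _host_matches(host, domains):
                matched = host
        if "process" in rec and rec["process"].lower() in procs:
            matched = rec["process"]
        if matched:
            hits.append({"module": module, "matched_ioc": matched, "record": rec})
    return hits


def scan(records_by_module, bundle, output_dir):
    """Scan every module; write <module>_detected.json for each one with hits."""
    out = Path(output_dir)
    out.mkdir(parents=True, exist_ok=True)
    iocs = load_iocs(bundle)
    written = []
    for module, records in records_by_module.items():
        hits = check_module(module, records, iocs)
        if hits:
            path = out / f"{module}_detected.json"
            path.write_text(json.dumps(hits, indent=2))
            written.append(path.name)
    return sorted(written)


def detected_files(output_dir):
    """The post-scan check from the guide: list *_detected.json in the folder."""
    return sorted(p.name for p in Path(output_dir).glob("*_detected.json"))


def run_demo(output_dir=None):
    """Scan the constructed records into a folder and return the file names found."""
    out = output_dir or tempfile.mkdtemp(prefix="mvt-demo-")
    scan(SAMPLE_RECORDS, SAMPLE_BUNDLE, out)
    return detected_files(out)


if __name__ == "__main__":
    for name in run_demo():
        print("DETECTED:", name)
```

Point `scan()` at records you export yourself and at a freshly downloaded bundle to reproduce the guide’s advice about re-running as the IOCs change; an empty list from `detected_files()` means no indicator in that bundle matched.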

Huge data leak shatters the lie that the innocent need not fear surveillance – governments are spying on critics, journos, etc without a warrant using commercial Pegasus spyware by NSO

Billions of people are inseparable from their phones. Their devices are within reach – and earshot – for almost every daily experience, from the most mundane to the most intimate.

Few pause to think that their phones can be transformed into surveillance devices, with someone thousands of miles away silently extracting their messages, photos and location, activating their microphone to record them in real time.

Such are the capabilities of Pegasus, the spyware manufactured by NSO Group, the Israeli purveyor of weapons of mass surveillance.

NSO rejects this label. It insists only carefully vetted government intelligence and law enforcement agencies can use Pegasus, and only to penetrate the phones of “legitimate criminal or terror group targets”.

Yet in the coming days the Guardian will be revealing the identities of many innocent people who have been identified as candidates for possible surveillance by NSO clients in a massive leak of data.

Without forensics on their devices, we cannot know whether governments successfully targeted these people. But the presence of their names on this list indicates the lengths to which governments may go to spy on critics, rivals and opponents.

First we reveal how journalists across the world were selected as potential targets by these clients prior to a possible hack using NSO surveillance tools.

Over the coming week we will be revealing the identities of more people whose phone numbers appear in the leak. They include lawyers, human rights defenders, religious figures, academics, businesspeople, diplomats, senior government officials and heads of state.

Our reporting is rooted in the public interest. We believe the public should know that NSO’s technology is being abused by the governments who license and operate its spyware. But we also believe it is in the public interest to reveal how governments look to spy on their citizens and how seemingly benign processes such as HLR lookups can be exploited in this environment.

[…]

Companies such as NSO operate in a market that is almost entirely unregulated, enabling tools that can be used as instruments of repression for authoritarian regimes such as those in Saudi Arabia, Kazakhstan and Azerbaijan.

The market for NSO-style surveillance-on-demand services has boomed post-Snowden, whose revelations prompted the mass adoption of encryption across the internet. As a result the internet became far more secure, and mass harvesting of communications much more difficult.

But that in turn spurred the proliferation of companies such as NSO offering solutions to governments struggling to intercept messages, emails and calls in transit. The NSO answer was to bypass encryption by hacking devices.

Two years ago the then UN special rapporteur on freedom of expression, David Kaye, called for a moratorium on the sale of NSO-style spyware to governments until viable export controls could be put in place. He warned of an industry that seemed “out of control, unaccountable and unconstrained in providing governments with relatively low-cost access to the sorts of spying tools that only the most advanced state intelligence services were previously able to use”.

His warnings were ignored. The sale of surveillance continued unabated. That GCHQ-like surveillance tools are now available for purchase by repressive governments may give some of Snowden’s critics pause for thought.

[…]

Source: Huge data leak shatters the lie that the innocent need not fear surveillance | Surveillance | The Guardian

Samsung Bricking Original SmartThings Hubs

Samsung is causing much angst among its SmartThings customers by shutting down support for its original SmartThings home automation hub as of the end of June. These are network-connected home automation routers providing Zigbee and Z-Wave connectivity to your sensors and actuators. It’s not entirely unreasonable for manufacturers to replace aging hardware with new models. But in this case the original hubs, otherwise fully functional and up to the task, have intentionally been bricked.

Users were offered a chance to upgrade to a newer version of the hub at a discount. But the hardware isn’t being made by Samsung anymore, after they redirected their SmartThings group to focus entirely on software. With this new dedication to software, you’d be forgiven for thinking the team implemented a seamless transition plan for its loyal user base — customers who supported and built up a thriving community since the young Colorado-based SmartThings company bootstrapped itself by a successful Kickstarter campaign in 2012. Instead, Samsung seems to leave many of those users in the lurch.

There is no upgrade path for switching to a new hub, meaning that the user has to manually reconnect each sensor in the house which often involves a cryptic sequence of button presses and flashing lights (the modern equivalent of setting the time on your VCR). Soon after you re-pair all your devices, you will discover that the level of software customization and tools that you’ve relied upon for home automation has, or is about to, disappear. They’ve replaced the original SmartThings app with a new in-house app, which by all accounts significantly dumbs down the features and isn’t being well-received by the community. Another very popular tool called Groovy IDE, which allowed users to add support for third-party devices and complex automation tasks, is about to be discontinued, as well.

Samsung’s announcement from last year laid out the goals of the transition divided into three phases. After the dust settles, it may well be that new tools will be rolled out which restore the functionality and convenience of the discontinued apps. But it seems that their priority at the moment is to focus on “casual” home automation users, those with just a handful of devices. The “power” users, with dozens and dozens of devices, are left wondering whether they’ve been abandoned. A casual scan through various online forums suggests that many of these loyal users are not waiting to be abandoned. Instead, they are abandoning SmartThings and switching to self-hosted solutions such as Home Assistant.

If this story sounds familiar, it is. We’ve covered several similar IoT service closures in recent years, including:

Considering the typical home is a decades-long investment, we’d hope that the industry will eventually focus on longer-term approaches to home automation. For example, interoperability of devices using existing or new standards might be a good starting point. If you are using an automation system in your home, do you use a bundled solution like SmartThings, or have you gone the self-hosting route?

Source: Samsung Shuttering Original SmartThings Hubs | Hackaday

Bricking is pretty damn harsh and incredibly wasteful. Also, you bought the hardware, it’s yours!

US FTC Weighs in On Right To Repair

A few days ago, the US Federal Trade Commission (FTC) came out with a 5-0 unanimous vote on its position on right to repair. (PDF) It’s great news, in that they basically agree with us all:

Restricting consumers and businesses from choosing how they repair products can substantially increase the total cost of repairs, generate harmful electronic waste, and unnecessarily increase wait times for repairs. In contrast, providing more choice in repairs can lead to lower costs, reduce e-waste by extending the useful lifespan of products, enable more timely repairs, and provide economic opportunities for entrepreneurs and local businesses.

The long version of the “Nixing the Fix” report goes on to list ways that the FTC found firms were impeding repair: ranging from poor initial design, through restrictive firmware and digital rights management (DRM), all the way down to “disparagement of non-OEM parts and independent repair services”.

While the FTC isn’t making any new laws here, they’re conveying a willingness to use the consumer-protection laws that are already on the books: the Magnuson-Moss Warranty Act and Section 5 of the FTC Act, which prohibits unfair competitive practices.

Only time will tell if this dog really has teeth, but it’s a good sign that it’s barking. And given that the European Union is heading in a similar direction, we’d be betting that repairability increases in the future.

Source: FTC Rules On Right To Repair | Hackaday

Police Are Telling ShotSpotter to Alter Evidence From Gunshot-Detecting AI

On May 31 last year, 25-year-old Safarain Herring was shot in the head and dropped off at St. Bernard Hospital in Chicago by a man named Michael Williams. He died two days later.

Chicago police eventually arrested the 64-year-old Williams and charged him with murder (Williams maintains that Herring was hit in a drive-by shooting). A key piece of evidence in the case is video surveillance footage showing Williams’ car stopped on the 6300 block of South Stony Island Avenue at 11:46 p.m.—the time and location where police say they know Herring was shot.

How did they know that’s where the shooting happened? Police said ShotSpotter, a surveillance system that uses hidden microphone sensors to detect the sound and location of gunshots, generated an alert for that time and place.

Except that’s not entirely true, according to recent court filings.

That night, 19 ShotSpotter sensors detected a percussive sound at 11:46 p.m. and determined the location to be 5700 South Lake Shore Drive—a mile away from the site where prosecutors say Williams committed the murder, according to a motion filed by Williams’ public defender. The company’s algorithms initially classified the sound as a firework. That weekend had seen widespread protests in Chicago in response to George Floyd’s murder, and some of those protesting lit fireworks.

But after the 11:46 p.m. alert came in, a ShotSpotter analyst manually overrode the algorithms and “reclassified” the sound as a gunshot. Then, months later and after “post-processing,” another ShotSpotter analyst changed the alert’s coordinates to a location on South Stony Island Drive near where Williams’ car was seen on camera.

A screenshot of the ShotSpotter alert from 11:46 PM, May 31, 2020 showing that the sound was manually reclassified from a firecracker to a gunshot.

“Through this human-involved method, the ShotSpotter output in this case was dramatically transformed from data that did not support criminal charges of any kind to data that now forms the centerpiece of the prosecution’s murder case against Mr. Williams,” the public defender wrote in the motion.

[…]

The case isn’t an anomaly, and the pattern it represents could have huge ramifications for ShotSpotter in Chicago, where the technology generates an average of 21,000 alerts each year. The technology is also currently in use in more than 100 cities.

Motherboard’s review of court documents from the Williams case and other trials in Chicago and New York State, including testimony from ShotSpotter’s favored expert witness, suggests that the company’s analysts frequently modify alerts at the request of police departments—some of which appear to be grasping for evidence that supports their narrative of events.

[…]

Untested evidence

Had the Cook County State’s Attorney’s office not withdrawn the evidence in the Williams case, it would likely have become the first time an Illinois court formally examined the science and source code behind ShotSpotter, Jonathan Manes, an attorney at the MacArthur Justice Center, told Motherboard.

“Rather than defend the evidence, [prosecutors] just ran away from it,” he said. “Right now, nobody outside of ShotSpotter has ever been able to look under the hood and audit this technology. We wouldn’t let forensic crime labs use a DNA test that hadn’t been vetted and audited.”

[…]

A pattern of alterations

In 2016, Rochester, New York, police looking for a suspicious vehicle stopped the wrong car and shot the passenger, Silvon Simmons, in the back three times. They charged him with firing first at officers.

The only evidence against Simmons came from ShotSpotter. Initially, the company’s sensors didn’t detect any gunshots, and the algorithms ruled that the sounds came from helicopter rotors. After Rochester police contacted ShotSpotter, an analyst ruled that there had been four gunshots—the number of times police fired at Simmons, missing once.

Paul Greene, ShotSpotter’s expert witness and an employee of the company, testified at Simmons’ trial that “subsequently he was asked by the Rochester Police Department to essentially search and see if there were more shots fired than ShotSpotter picked up,” according to a civil lawsuit Simmons has filed against the city and the company. Greene found a fifth shot, despite there being no physical evidence at the scene that Simmons had fired. Rochester police had also refused his multiple requests for them to test his hands and clothing for gunshot residue.

Curiously, the ShotSpotter audio files that were the only evidence of the phantom fifth shot have disappeared.

Both the company and the Rochester Police Department “lost, deleted and/or destroyed the spool and/or other information containing sounds pertaining to the officer-involved shooting,”

[…]

Greene—who has testified as a government witness in dozens of criminal trials—was involved in another altered report in Chicago, in 2018, when Ernesto Godinez, then 27, was charged with shooting a federal agent in the city.

The evidence against him included a report from ShotSpotter stating that seven shots had been fired at the scene, including five from the vicinity of a doorway where video surveillance showed Godinez to be standing and near where shell casings were later found. The video surveillance did not show any muzzle flashes from the doorway, and the shell casings could not be matched to the bullets that hit the agent, according to court records.

During the trial, Greene testified under cross-examination that the initial ShotSpotter alert only indicated two gunshots (those fired by an officer in response to the original shooting). But after Chicago police contacted ShotSpotter, Greene re-analyzed the audio files.

[…]

Prior to the trial, the judge ruled that Godinez could not contest ShotSpotter’s accuracy or Greene’s qualifications as an expert witness. Godinez has appealed the conviction, in large part due to that ruling.

“The reliability of their technology has never been challenged in court and nobody is doing anything about it,” Gal Pissetzky, Godinez’s attorney, told Motherboard. “Chicago is paying millions of dollars for their technology and then, in a way, preventing anybody from challenging it.”

The evidence

At the core of the opposition to ShotSpotter is the lack of empirical evidence that it works—in terms of both its sensor accuracy and the system’s overall effect on gun crime.

The company has not allowed any independent testing of its algorithms, and there’s evidence that the claims it makes in marketing materials about accuracy may not be entirely scientific.

Over the years, ShotSpotter’s claims about its accuracy have increased, from 80 percent accurate to 90 percent accurate to 97 percent accurate. According to Greene, those numbers aren’t actually calculated by engineers, though.

“Our guarantee was put together by our sales and marketing department, not our engineers,” Greene told a San Francisco court in 2017. “We need to give them [customers] a number … We have to tell them something. … It’s not perfect. The dot on the map is simply a starting point.”

In May, the MacArthur Justice Center analyzed ShotSpotter data and found that over a 21-month period 89 percent of the alerts the technology generated in Chicago led to no evidence of a gun crime and 86 percent of the alerts led to no evidence a crime had been committed at all.

[…]

Meanwhile, a growing body of research suggests that ShotSpotter has not led to any decrease in gun crime in cities where it’s deployed, and several customers have dropped the company, citing too many false alarms and the lack of return on investment.

[…]

a 2021 study by New York University School of Law’s Policing Project that determined that assaults (which include some gun crime) decreased by 30 percent in some districts in St. Louis County after ShotSpotter was installed. The study authors disclosed that ShotSpotter has been providing the Policing Project unrestricted funding since 2018, that ShotSpotter’s CEO sits on the Policing Project’s advisory board, and that ShotSpotter has previously compensated Policing Project researchers.

[…]

Motherboard recently obtained data demonstrating the stark racial disparity in how Chicago has deployed ShotSpotter. The sensors have been placed almost exclusively in predominantly Black and brown communities, while the white enclaves in the north and northwest of the city have no sensors at all, despite Chicago police data that shows gun crime is spread throughout the city.

Community members say they’ve seen little benefit from the technology in the form of less gun violence—the number of shootings in 2021 is on pace to be the highest in four years—or better interactions with police officers.

[…]

Source: Police Are Telling ShotSpotter to Alter Evidence From Gunshot-Detecting AI

QR Menu Codes Are Tracking You More Than You Think

If you’ve returned to the restaurants and bars that have reopened in your neighborhood lately, you might have noticed a new addition to the post-quarantine decor: QR codes. Everywhere. And as they’ve become more ubiquitous on the dining scene, so has the quiet tracking and targeting that they do.

That’s according to a new analysis by the New York Times, that found these QR codes have the ability to collect customer data—enough to create what Jay Stanley, a senior policy analyst at the American Civil Liberties Union, called an “entire apparatus of online tracking,” that remembers who you are every time you sit down for a meal. While the data itself contains pretty uninteresting information, like your order history or contact information, it turns out there’s nothing stopping that data from being passed to whomever the establishment wants.

[…]

But as the Times piece points out, these little pieces of tech aren’t as innocuous as they might initially seem. Aside from storing data like menus or drink options, QR codes are often designed to transmit certain data about the person who scanned them in the first place—like their phone number or email address, along with how often the user might be scanning the code in question. This data collection comes with a few perks for the restaurants that use the codes (they know who their repeat customers are and what they might order). The only problem is that we actually don’t know where that data actually goes.

Source: QR Menu Codes Are Tracking You More Than You Think

Note for ant fuckers: the QR code does not in fact “transmit” anything – a server behind it detects that you have visited it (if you follow a URL in the code) and then collects data based on what you do on the server, but also on the initial connection (eg location through IP address, URL parameters which can include location information, OS, browser type, etc etc etc)

Shield TV Owners Are Pissed About the Banner Ads in Android TV – wtf are manufacturers doing advertising on products you actually own?

Nvidia’s Shield TVs are some of the best streaming video boxes on the market, but following a recent update to Android TV, Shield TV users are starting to see ads on their home screen and they aren’t happy about it.

The latest update to Android TV on Shield TV devices began rolling out earlier this month and featured a small UI redesign that added large banner images to Android TV’s home screen, similar to what you get when using Google TV devices like the Chromecast with Google TV.

Now technically, Google calls these banner images “recommendations,” as they are regularly updated and rotated to help users find new streaming content Google thinks they might enjoy. However, a number of Shield TV users consider these images to be advertisements (especially when they recommend shows on services users aren’t even subscribed to), and as such, have taken to showing their displeasure with the recent update by review bombing the listing for the Android TV Home app, which now has a one-star rating across more than 800 reviews.

[…]

As seen in a number of reviews and complaints on Reddit, many Shield TV users are unhappy about the way Google has killed off Android TV’s previously minimalist design by implementing intrusive banner ads that take up significantly more space, particularly on what is supposed to be a premium streaming device that goes for $150 or $200 depending on the model.

[…]

But more importantly, the addition of new banner images in Android TV is merely just one example of a growing trend in which major OS makers have begun inserting ads in a number of devices from smartphones to smart TVs. Sometimes these ads are presented as tools to help users find new content, while in other situations (like on Samsung phones), ads can appear as unwanted notifications alerting users about a newly announced Samsung device or service.

[…]

Unfortunately, oftentimes there’s no easy way to get rid of the ads, which causes user dissatisfaction or may even eventually drive users away from their current devices or platforms. But the real sad part is that until users make enough noise or cause a company’s sales to drop, it’s hard to say when this trend of seeing more and more ads in modern gadgets will stop.

Source: Shield TV Owners Are Pissed About the Banner Ads in Android TV

The argument for ads everywhere was that as you were accessing a free service, it had to be paid for by advertising. These products have all been paid for though and as such belong to you. The manufacturer has no business being on these products trying to monetise something you own even further.

iFixit CEO names and shames tech giants for right to repair obstruction – not sustainable at all

iFixit co-founder and CEO Kyle Wiens has exposed how companies including Apple, Samsung, and Microsoft manipulate the design of their products and the supply chain to prevent consumers and third-party repairers from accessing necessary tools and parts to repair products such as smartphones and laptops.

Speaking during the Productivity Commission’s virtual right to repair public hearing on Monday, Wiens took the opportunity to draw on specific examples of how some of the largest tech companies are obstructing consumers from a right to repair.

“We’ve seen manufacturers restrict our ability to buy parts. There’s a German battery manufacturer named Varta that sells batteries to a wide variety of companies. Samsung happens to use these batteries in their Galaxy earbuds … but when we go to Varta and say can we buy that part as a repair part, they’ll say ‘No, our contract with Samsung will not allow us to sell that’. We’re seeing that increasingly,” he said.

“Apple is notorious for doing this with the chips in their computers. There’s a particular charging chip on the MacBook Pro … there is a standard version of the part and then there’s the Apple version of the part that sits very slightly tweaked, but it’s tweaked enough that it’s only required to work in this computer, and that company again is under contractual requirement with Apple.”

He continued, highlighting that a California-based recycler was contracted by Apple to recycle spare parts that were still in new condition.

“California Apple stops providing service after seven years, so this was at seven years and Apple have warehouses full of spare parts, and rather than selling that out in the marketplace — so someone like me who eagerly would’ve bought them — they were paying the recycler to destroy them,” Wiens said.

Wiens also pointed to an example involving a Microsoft Surface laptop.

“[iFixit] rated it on our repairability score, we normally rate products from one to 10; the Surface laptop got a zero. It had a glued-in battery … we had to actually cut our way into the product and destroyed it in the process of trying to get inside,” he said.

[…]

The other major point that was covered during the Productivity Commission’s public hearing was whether there is plausibility to introduce a labelling scheme, much like one that exists in France, in Australia.

[…]

Based on his observation, Wiens said the adoption of the French index has been “pretty universal” across all five categories. He also pointed out that a recent Samsung survey showed 86% of French citizens say that the index impacts their purchasing behaviour while 80% said they would give up their favourite brand for a more repairable product.

“This is really substantially driving consumer behaviour,” he said.

For consumer group Choice, the possibility of introducing a labelling scheme to improve right to repair in Australia could work.

“We know from experience, particularly with the water and energy labelling scheme, that if you want manufacturers to improve the quality of products, start by rating and ranking them,” Choice campaign and communications director Erin Turner said during the hearing.

[…]

Source: iFixit CEO names and shames tech giants for right to repair obstruction | ZDNet

US legal eagles representing Apple, IBM, and more take 5 months to inform clients of ransomware data breach, will only offer support if social security number was in data

Law firm Campbell Conroy & O’Neil has warned of a breach from late February which may have exposed data from the company’s lengthy client list of big-name corporations including Apple and IBM.

The breach, which was discovered on 27 February 2021 when a ransomware infection blocked access to selected files on the company’s internal systems, has been blamed on an unnamed “unauthorised actor.”

[…]

While it’s not yet known precisely what data was accessed during the breach, the system affected held a treasure trove including “certain individuals’ names, dates of birth, driver’s license numbers/state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials (i.e. usernames and passwords),” the company confirmed in a statement regarding the attack.

[…]

The company has also offered those affected a 24-month subscription to credit monitoring, fraud consultation, and identity theft restoration services – but only if they had their Social Security numbers held on the system. For those whose data did not include Social Security numbers, they get nothing bar the company’s apologies.

Source: US legal eagles representing Apple, IBM, and more take 5 months to inform clients of ransomware data breach • The Register

16-Year-Old HP Printer-Driver Bug Impacts Millions of Windows Machines

Researchers have released technical details on a high-severity privilege-escalation flaw in HP printer drivers (also used by Samsung and Xerox), which impacts hundreds of millions of Windows machines.

If exploited, cyberattackers could bypass security products; install programs; view, change, encrypt or delete data; or create new accounts with more extensive user rights.

The bug (CVE-2021-3438) has lurked in systems for 16 years, researchers at SentinelOne said, but was only uncovered this year. It carries an 8.8 out of 10 rating on the CVSS scale, making it high-severity.

According to researchers, the vulnerability exists in a function inside the driver that accepts data sent from User Mode via Input/Output Control (IOCTL); it does so without validating the size parameter. As the name suggests, IOCTL is a system call for device-specific input/output operations.

“This function copies a string from the user input using ‘strncpy’ with a size parameter that is controlled by the user,” according to SentinelOne’s analysis, released on Tuesday. “Essentially, this allows attackers to overrun the buffer used by the driver.”

Thus, unprivileged users can elevate themselves into a SYSTEM account, allowing them to run code in kernel mode, since the vulnerable driver is locally available to anyone, according to the firm.
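As an added example, not code from the article, HP or SentinelOne: a simulated IOCTL handler in C that shows the defect class described above (a user-controlled size passed straight to `strncpy`) next to a hardened version that validates the size first. The `ioctl_request` struct and the `handle_set_name*` names are hypothetical stand-ins for the driver's real interface.

```c
/* Added example (not from the article, HP or SentinelOne): a simulated
 * IOCTL dispatch handler showing the user-controlled-size defect class,
 * beside the hardened form. Names here are hypothetical stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 64

/* Simplified stand-in for what a user-mode caller hands the driver:
 * a pointer to user data plus a caller-supplied length. */
typedef struct {
    const char *data;   /* user-controlled bytes */
    uint32_t    length; /* user-controlled size parameter */
} ioctl_request;

static char g_name[NAME_BUF_SIZE];  /* fixed-size buffer owned by the driver */

/* VULNERABLE pattern (the shape of the flaw described for CVE-2021-3438):
 * the bound given to strncpy is taken from the request with no check against
 * the destination size, so any length > NAME_BUF_SIZE overruns g_name.
 * Kept only to show the defect; never call it with untrusted input. */
int handle_set_name_vulnerable(const ioctl_request *req)
{
    strncpy(g_name, req->data, req->length);  /* bound is caller-chosen */
    return 0;
}

/* HARDENED version: validate the user-controlled size before copying,
 * copy at most NAME_BUF_SIZE - 1 bytes, and always NUL-terminate. */
int handle_set_name_safe(const ioctl_request *req)
{
    if (req == NULL || req->data == NULL) {
        return -1;                    /* malformed request */
    }
    if (req->length >= NAME_BUF_SIZE) {
        return -2;                    /* reject: would not fit with the NUL */
    }
    memcpy(g_name, req->data, req->length);
    g_name[req->length] = '\0';
    return 0;
}

/* Accessor so callers (and tests) can inspect the stored name. */
const char *current_name(void)
{
    return g_name;
}

int main(void)
{
    /* Constructed sample requests, not captured from a real driver. */
    char small[] = "printer-01";
    char big[200];
    memset(big, 'A', sizeof big);
    ioctl_request ok  = { small, (uint32_t)strlen(small) };
    ioctl_request bad = { big, (uint32_t)sizeof big };

    printf("safe, in-bounds : rc=%d name=%s\n",
           handle_set_name_safe(&ok), current_name());
    printf("safe, oversized : rc=%d (rejected)\n",
           handle_set_name_safe(&bad));
    /* handle_set_name_vulnerable(&bad) would write 200 bytes into a 64-byte
     * buffer; it is deliberately not called here. */
    return 0;
}
```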

The printer-based attack vector is perfect for cybercriminals, according to SentinelOne, since printer drivers are essentially ubiquitous on Windows machines and are automatically loaded on every startup.

“Thus, in effect, this driver gets installed and loaded without even asking or notifying the user,” explained the researchers. “Whether you are configuring the printer to work wirelessly or via a USB cable, this driver gets loaded. In addition, it will be loaded by Windows on every boot. This makes the driver a perfect candidate to target since it will always be loaded on the machine even if there is no printer connected.”

[…]


Source: 16-Year-Old HP Printer-Driver Bug Impacts Millions of Windows Machines | Threatpost

Cloud seeding in UAE: Artificial rain with drones, electricity

The UAE is now testing a new method that has drones fly into clouds to give them an electric shock to trigger rain production, the BBC and CNN have previously reported.

The project is getting renewed interest after the UAE’s National Center of Meteorology recently published a series of videos on Instagram of heavy rain in parts of the country. Water gushed past trees, and cars drove on rain-soaked roads. The videos were accompanied by radar images of clouds tagged “#cloudseeding.”

The Independent reports recent rain is part of the drone cloud seeding project.

[…]

The UAE oversaw more than 200 cloud seeding operations in the first half of 2020, successfully creating excess rainfall, the National News reported.

There have been successes in the U.S., as well as China, India, and Thailand. Long-term cloud seeding in the mountains of Nevada has increased snowpack by 10% or more each year, according to research published by the American Meteorological Society. A 10-year cloud seeding experiment in Wyoming resulted in 5-10% increases in snowpack, according to the State of Wyoming.

[…]

Source: Cloud seeding in UAE: Artificial rain with drones, electricity

How TikTok serves you content you love – simple, actually

A new video investigation by the Wall Street Journal finds the key to TikTok’s success in how the short-video sharing app monitors viewing times.

Why it matters: TikTok is known for the fiendishly effective way that it selects streams of videos tailored to each user’s taste. The algorithm behind this personalization is the company’s prize asset — and, like those that power Google and Facebook, it’s a secret.

How they did it: WSJ created a batch of individualized dummy accounts to throw at TikTok and test how it homed in on each fake persona’s traits.

What they found: TikTok responds most sensitively to a single signal — how long a user lingers over a video. It starts by showing new users very popular items, and sees which catch their eyes.

  • The TikTok algorithm works so well that some people think it’s reading their minds.

Yes, but: The investigation also found that TikTok — like YouTube — can lure users deep into rabbit holes of increasingly extreme content.

Source: How TikTok sees inside your brain – Axios

Google is starting to tell you how it found Search results

Alphabet’s (GOOGL.O) Google will now show its search engine users more information about why it found the results they are shown, the company said on Thursday.

It said people googling queries will now be able to click into details such as how their result matched certain search terms, in order to better decide if the information is relevant.

Google has been making changes to give users more context about the results its search engine provides. Earlier this year it introduced panels to tell users about the sources of the information they are seeing. It has also started warning users when a topic is rapidly evolving and search results might not be reliable.

Source: Google is starting to tell you how it found Search results | Reuters

Normal Touchscreens Can Also Detect Contaminated Water

We take for granted that the water coming out of the kitchen faucet is safe to drink, but that’s not always the case in other parts of the world. So researchers at the University of Cambridge are developing a new approach to testing for contaminants using a device that billions of people already use every day.

Modern capacitive touchscreens (the kind that can easily detect the subtlest finger taps instead of requiring users to press hard on the screen) feature an invisible grid of electrodes that carry a very small electrical charge. When your conductive finger touches the screen it changes the charge level at a specific location that the smartphone can detect based on grid coordinates. That’s a grossly simplified crash course on how the technology powering modern touchscreens work, but what’s important is their use of a changing electrical charge.

In a recently published paper, the University of Cambridge researchers explain how a stripped-down touchscreen—the same hardware used in smartphones and tablets—was found to be able to detect the electrically charged ions in an electrolyte. Different liquids were piped onto the surface of the touchscreen and using the standard software that’s used to test these screens, the researchers were able to differentiate the samples based on how “the fluids all interact with the screen’s electric fields differently depending on the concentration of ions and their charge.”

The touchscreens used in mobile devices are tuned and calibrated to best respond to interactions with fingers, but the researchers believe that by altering the design of the electrodes, even in just a small area of the screen (a custom app could indicate exactly where a sample needs to be placed) the sensitivity could be optimized for detecting contaminants in samples like soil and water.

[…]

Source: Normal Touchscreens Can Also Detect Contaminated Water

Saudi Aramco data breach sees 1 TB stolen data for sale

[…]

The threat actors are offering Saudi Aramco’s data starting at a negotiable price of $5 million.

Saudi Aramco has pinned this data incident on third-party contractors and tells BleepingComputer that the incident had no impact on Aramco’s operations.

“Zero-day exploitation” used to breach network

This month, a threat actor group known as ZeroX is offering 1 TB of proprietary data belonging to Saudi Aramco for sale.

ZeroX claims the data was stolen by hacking Aramco’s “network and its servers,” sometime in 2020.

As such, the files in the dump are as recent as 2020, with some dating back to 1993, according to the group.

When asked by BleepingComputer as to what method was used to gain access to the systems, the group did not explicitly spell out the vulnerability but instead called it “zero-day exploitation.”

To create traction among prospective buyers, a small sample set of Aramco’s blueprints and proprietary documents with redacted PII were first posted on a data breach marketplace forum in June this year:

Forum post with a link to the dark web leak site (BleepingComputer)

However, at the time of initial posting, the .onion leak site had a countdown timer set to 662 hours, or about 28 days, after which the sale and negotiations would begin.

ZeroX told BleepingComputer that the choice of “662 hours,” was intentional and a “puzzle” for Saudi Aramco to solve, but the exact reason behind the choice remains unclear:

Threat actors announced data would be up for sale after 662 hours (BleepingComputer)

The group says that the 1 TB dump includes documents pertaining to Saudi Aramco’s refineries located in multiple Saudi Arabian cities, including Yanbu, Jazan, Jeddah, Ras Tanura, Riyadh, and Dhahran.

And, that some of this data includes:

  1. Full information on 14,254 employees: name, photo, passport copy, email, phone number, residence permit (Iqama card) number, job title, ID numbers, family information, etc.
  2. Project specification for systems related to/including electrical/power, architectural, engineering, civil, construction management, environmental, machinery, vessels, telecom, etc.
  3. Internal analysis reports, agreements, letters, pricing sheets, etc.
  4. Network layout mapping out the IP addresses, Scada points, Wi-Fi access points, IP cameras, and IoT devices.
  5. Location map and precise coordinates.
  6. List of Aramco’s clients, along with invoices and contracts.

[…]

Source: Saudi Aramco data breach sees 1 TB stolen data for sale

FAA changes definition of “Astronaut” on day Bezos flies to space

New Federal Aviation Administration (FAA) rules say astronaut hopefuls must be part of the flight crew and make contributions to space flight safety.

That means Jeff Bezos and Sir Richard Branson may not yet be astronauts in the eyes of the US government.

These are the first changes since the FAA wings programme began in 2004.

The Commercial Astronaut Wings programme updates were announced on Tuesday – the same day that Amazon’s Mr Bezos flew aboard a Blue Origin rocket to the edge of space.

To qualify as commercial astronauts, space-goers must travel 50 miles (80km) above the Earth’s surface, which both Mr Bezos and Mr Branson accomplished.

But altitude aside, the agency says would-be astronauts must have also “demonstrated activities during flight that were essential to public safety, or contributed to human space flight safety”.

What exactly counts as such is determined by FAA officials.

In a statement, the FAA said that these changes brought the wings scheme more in line with its role to protect public safety during commercial space flights.

On 11 July, Sir Richard flew on-board Virgin Galactic’s SpaceShipTwo to the edge of space as a test before allowing customers aboard next year.

Mr Bezos and the three other crew members who flew on Blue Origin’s spacecraft may have less claim to the coveted title. Ahead of the launch, Blue Origin CEO Bob Smith said that “there’s really nothing for a crew member to do” on the autonomous vehicle.

[…]

Source: Jeff Bezos and Sir Richard Branson may not be astronauts, US says – BBC News

This looks childish to me – they went to space, they are definitely pioneers. And it’s not like there are going to be very many of them.

You can find the order here (pdf) and see that they added 5 c

Note: the FAA Part 460 human spaceflight requirements are also interesting in this discussion regarding human space flight participants.

Want unemployment benefits in the US? You may have to submit to facial recognition with a little known company ID.me

[…]

Watkins, a self-described privacy advocate whose mother and grandmother shredded personal information when he was growing up, said he is unwilling to complete the identity verification process his state now requires, which includes having his face analyzed by a little-known company called ID.me.
He sent a sharply worded letter to his state’s unemployment agency criticizing ID.me’s service, saying he would not take part in it given his privacy concerns. In response, he received an automated note from the agency: “If you do not verify your identity soon, your claim will be disqualified and no further benefit payments will be issued.” (A spokesperson for the Colorado Department of Labor and Employment said the agency only allows manual identity verification “as a last resort” for unemployment claimants who are under 18 — because ID.me doesn’t work with minors — and those who have “technological barriers.”)
[…]
Watkins is one of millions across the United States who are being instructed to use ID.me, along with its facial recognition software, to get their unemployment benefits. A rapidly growing number of US states, including Colorado, California and New York, turned to ID.me in hopes of cutting down on a surge of fraudulent claims for state and federal benefits that cropped up during the pandemic alongside a tidal wave of authentic unemployment claims.
As of this month, 27 states’ unemployment agencies had entered contracts with ID.me, according to the company, with 25 of them already using its technology. ID.me said it is in talks with seven more. ID.me also verifies user identities for numerous federal agencies, such as the Department of Veterans Affairs, Social Security Administration and IRS.
[…]
The face-matching technology ID.me employs comes from a San Francisco-based startup called Paravision
[…]
Facial recognition technology, in general, is contentious. Civil rights groups frequently oppose it for privacy issues and other potential dangers. For instance, it has been shown to be less accurate when identifying people of color, and several Black men, at least, have been wrongfully arrested due to the use of facial recognition. It’s barely regulated — there are no federal laws governing its use, though some states and local governments have passed their own rules to limit or prohibit its use. Despite these concerns, the technology has been used across the US federal government, as a June report from the Government Accountability Office showed.
Several ID.me users told CNN Business about problems they had verifying their identities with the company, which ranged from the facial recognition technology failing to recognize their face to waiting for hours to reach a human for a video chat after encountering problems with the technology. A number of people who claim to have had issues with ID.me have taken to social media to beg the company for help with verification, express their own concerns about its face-data collection or simply rant, often in response to ID.me’s own posts on Twitter. And some like Watkins are simply frustrated not to have a say in the matter.
[…]
ID.me said it does not sell user data — which includes biometric and related information such as selfies people upload, data related to facial analyses, and recordings of video chats users participate in with ID.me — but it does keep it. Biometric data, like the facial geometry produced from a user’s selfie, may be kept for years after a user closes their account.
Hall said ID.me keeps this information only for auditing purposes, particularly for government agencies in cases of fraud or identity theft. Users, according to its privacy policy, can ask ID.me to delete personally identifiable information it has gathered from them, but the company “may keep track of certain information if required by law” and may not be able to “completely delete” all user information since it “periodically” backs up such data. (As Ryan Calo, codirector of the University of Washington’s Tech Policy Lab, put it, this data retention policy is “pretty standard,” but, he added, that “doesn’t make it great!”)
[…]
Beyond state unemployment agencies, ID.me is also becoming more widespread among federal agencies such as the IRS, which in June began using ID.me to verify identities of people who want to use its Child Tax Credit Update Portal.
“We’re verifying more than 1% of the American adult population each quarter, and that’s starting to compress more to like 45 or 50 days,” Hall said. The company has more than 50 million users, he said, and signs up more than 230,000 new ones each day.
[…]
Vasquez said that, when a state chooses to use a tool it knows has a tendency to not work as well on some people, she thinks that “starts to invade something more than privacy and get at questions of what society values and how it values different members’ work and what our society believes about dignity.”
Hall claims ID.me’s facial recognition software is over 99% accurate and said an internal test conducted on hundreds of faces of people who had failed to pass the facial recognition check for logging in to the social security website did not show statistically significant evidence of racial bias.

In cases where users are able to opt out of the ID.me process, it can still be arduous and time-consuming: California’s Employment Development Department website, for instance, instructs people who can’t verify their identity via ID.me when applying online to file their claim over the phone or by mail or fax.
Most people aren’t doing this, however; it’s time consuming to deal with snail mail or wade through EDD’s phone system, and many people don’t have access to a fax machine. An EDD spokesperson said that such manual identity verification, which used to be a “significant” part of EDD’s backlog, now accounts for “virtually none” of it.

Long wait times for some

Eighty-five percent of people are able to verify their identity with ID.me immediately for state workforce agencies without needing to go through a video chat, Hall said.
What happens to the remaining 15% worries Akselrod, of the ACLU, since users must have access to a device with a camera — like a smartphone or computer — as well as decent internet access. According to recent Pew research, 15% of American adults surveyed don’t have a smartphone and 23% don’t have home broadband.
“These technologies may be inaccessible for precisely the people for whom access to unemployment insurance is the most critical,” Akselrod said.
[…]

Source: Want your unemployment benefits? You may have to submit to facial recognition first – CNN

What this excellent article doesn’t go into is what a terrible idea having huge centralised databases is, especially one filled with biometric information (which you can’t change) of an entire population.

Litre of printer ink? That’ll be £2,410 please. One of the most expensive consumer liquids on the planet – 3rd party ink much cheaper, blocked by manufacturers…

A Which? investigation has found that printer ink is one of the most expensive liquids consumers can purchase when bought from the big inkjet printer manufacturers – and people could save a small fortune by opting for third-party alternatives. 

Which? research has uncovered that inkjet printer ink bought from the manufacturer could be up to 286 per cent more expensive than third-party ink and could easily lead to consumers paying hundreds more than they need to over a five-year period.

During the pandemic, printer ink has become an essential as households across the country have been forced to rely on their home printer for work and homeschooling.

However, many are unaware that they are paying over the odds by buying printer ink from their printer’s manufacturer – and the costs quickly stack up.

The consumer champion surveyed more than 10,000 consumers who own inkjet printers to find out about their experiences with original-branded and third-party inks.

Just over half (56%) of inkjet printer owners said they stick with using potentially pricey original-branded cartridges every time.

Which? assessed the cost of original-branded and third-party ink for the Epson WorkForce WF-7210DTW printer. A multipack of colour ink (cyan, magenta, yellow) costs £75.49 from Epson. This works out at an astonishing £2,410 a litre – or £1,369 for a pint.

The Epson printer also requires a separate Epson black cartridge (£31.99), bringing the total cost of a single original-branded ink refill to £107.48.

On the other hand, restocking with a full set of black and colour inks from the highest-rated third-party supplier in the consumer champion’s survey would cost just £10.99.

[…]

It is not just Epson’s ink prices that are sky high, either. Brother, Canon and HP also charge huge prices for cartridges.

A multipack of ink for the Brother MFCJ5730DW cost £98.39 compared to just £29.21 from the cheapest third-party alternative – a price difference of £1,037 over five years assuming the full set of cartridges were replaced three times each year.

Similarly, a full set of original-branded, high-yield cartridges for a Canon Pixma MX475 costs £80.98 compared to just £12.95 from the cheapest third-party ink supplier – a difference of £68.13 for each purchase, or £1,021 over five years assuming the full set of cartridges were replaced three times each year.

The price difference between own-brand and one of the third-party inks Which? looked at for the HP Officejet 6950 would leave consumers £705 out of pocket over a five-year period assuming the full set of cartridges were replaced three times a year. For a single refill, own-branded inks for the HP 903XL total £91.96 for both black and colour cartridges and just £44.99 from a third-party retailer.

Some HP printers use a system called ‘dynamic security’ which recognises cartridges that use non-HP chips and stops them from working. Over the course of its testing programme, Which? has found 28 HP printers that use this technology.

Other manufacturers use similar tactics such as promoting the use of ‘approved’, ‘original’ or ‘guaranteed’ cartridges on their websites and in instruction manuals. For example, the Epson printer Which? tested flashed up a ‘non-genuine ink detected’ alert on its LCD screen whenever we inserted third-party cartridges.

It is highly concerning that manufacturers are discouraging consumers from using third-party inks – and that some HP printers are actively blocking customers from exerting their right to choose the cheapest ink.

Because of these practices, consumers are understandably confused and concerned about using non-manufacturer inks. Two in five (39%) of the people we surveyed who do not use third-party cartridges said they avoided them because they thought they would not work in their printer.

[…]

“Printer ink shouldn’t cost more than a bottle of high-end champagne or Chanel No5. We’ve found that there are lots of third-party products that are outperforming their branded counterparts at a fraction of the cost.

“Choosing third-party ink should be a personal choice and not dictated by the make of your printer. Which? will continue to make consumers aware of the staggering cost differences between own-brand and third-party inks and give people the information they need to buy the best ink for their printer.”

[…]

Source: Pint of printer ink? That’ll be £1,300 please: Which? reveals the eye-watering cost of branded printer ink – Which? Press Office

So basically that’s a practical monopoly on printer ink then. This is a saga that’s been going on for decades but the price increase recently has been insane!

Commission starts legal action against 23 EU countries over copyright rules they won’t implement that favour big tech over small business and forced censorship

EU countries may be taken to court for their tardiness in enacting landmark EU copyright rules into national law, the European Commission said on Monday as it asked the group to explain the delays.

The copyright rules, adopted two years ago, aim to ensure a level playing field between the European Union’s trillion-euro creative industries and online platforms such as Google, owned by Alphabet (GOOGL.O), and Facebook (FB.O).

Note: level if you are one of the huge tech giants, not so much if you’re a small business or startup – in fact, this makes it very very difficult for startups to enter some sectors at all.

Some of Europe’s artists and broadcasters, however, are still not happy, in particular over the interpretation of a key provision, Article 17, which is intended to force sharing platforms such as YouTube and Instagram to filter copyrighted content.

[…]

The EU executive also said it had asked France, Spain and 19 other EU countries to explain why they missed a June 7 deadline to enact separate copyright rules for online transmission of radio and TV programmes.

The other countries are Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Estonia, Greece, Finland, Ireland, Italy, Lithuania, Luxembourg, Latvia, Poland, Portugal, Romania, Slovenia and Slovakia.

Source: Commission starts legal action against 23 EU countries over copyright rules | Reuters

For more information see:
Article 11, Article 13: EU’s Dangerous Copyright Bill Advances: massive censorship and upload filters (which are impossible) and huge taxes for links.

European Commission Betrays Internet Users By Cravenly Introducing Huge Loophole For Copyright Companies In Upload Filter Guidance

EU Copyright Companies Want Legal Memes Blocked Too Because They Now Admit Upload Filters Are ‘Practically Unworkable’

Wow, the EU actually voted to break the internet for big business copyright gain

Anyway, well done those 23 countries for fighting for freedom of expression and going against big tech and non-democratic authoritarianism in Europe.

You, too, can be a Windows domain controller and do whatever you like, with this trick which requires no authentication at all

The security shortcoming can be exploited using the wonderfully named PetitPotam technique. It involves abusing Redmond’s MS-EFSRPC (Encrypting File System Remote Protocol) to take over a corporate Windows network. It seems ideal for penetration testers, and miscreants who have gained a foothold in a Windows network.

Specifically, security researcher Gilles Lionel found it was possible to use MS-EFSRPC to force a device, including Windows domain controllers, to authenticate with a remote attacker-controlled NTLM relay. The end result is an authentication certificate that grants the attacker domain-controller-level access to services, allowing them to commandeer the entire domain.

“PetitPotam takes advantage of servers,” said Microsoft, “where the Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks.”

Lionel published a proof-of-concept exploit, available from the above link, and Microsoft responded by burying the bad news in an advisory released on Friday. The Windows giant described PetitPotam as “a classic NTLM relay attack,” and noted that such attacks have a long, long history.

Which does make us wonder: why does the problem linger on?

Microsoft’s preferred mitigation is for administrators to simply disable NTLM authentication, although doing so could break any number of services and applications that depend on it. A variety of alternatives are also on offer, “listed in order of more secure to less secure.”

Great.

[…]

Windows Server 2008 and up are affected, according to Microsoft’s advisory, and, other than suggesting customers take NTLM mitigations, a fix for MS-EFSRPC does not appear to be incoming.

[…]

Source: You, too, can be a Windows domain controller and do whatever you like, with this one weird WONTFIX trick • The Register

Windows 11 reopens browser wars by including Teams

You can spot a veteran of the Browser Wars a mile off. These fearsome conflicts, fought across the desktops of the world not 20 years ago, left deep scars.

[…]

By Gen XP, it was all over and the internet desktop was under total Empire control. Then came the Rebel Alliance of Chrome and Firefox, and in a few short years we were liberated.

Like every peacetime generation, those since have forgotten the conflict. They assume that freedom is here by right. The desktop is an antique battleground, as obsolete as warships in the Baltic. We are mobile, we are cloud, all places where access lock-in is baked out.

[…]

The new superweapon you’ll get for free is Microsoft Teams, which is now super-snugly installed on the Windows 11 desktop and just a click away from easy-peasy sign-on to the Empire. Everything else that MS really wants you to use – OneDrive, Office 365, those blasted widgets – you can do away with. Teams? Ah, not so much. Teams is there, ostensibly, to talk to other people, and if they’re on Teams you have to use it too. Documents, spreadsheets, files of all sorts – a OneDrive, Office 365 user can swap stuff with your Google Drive and apps.

[…]

What makes the conferencing space as tempting a resource as Mesopotamian oil fields to the Great Powers? It’s the same as the Browser Wars – those who control the conversation between humans and the digital control the world. Every file you share, every connection made, every link swapped, is treasure to be collected. It’s all funnelled together automatically. Watch as in-Teams access channels spring up across businesses for helplines, content accumulators, special offer conduits, payment systems.

The long trail of interactions between conferencing system users, each other, and their resources, produces a rich seam of ready-to-mine behaviour that, because it is so task-focused, is massively monetisable.

[…]

This is a terrible prospect, not just for Slack but for everyone. IE6’s reign was marked by stagnation; all companies see spending development resources for a monopoly service as waste. It had its slave army toiling in the factory, they should be grateful for what they get. And if you think Teams is less fun than tickling the tonsils of a decomposing turbot, wait until Microsoft has settled in to enjoy its new monopoly.

What saved the world were internet open standards – Microsoft couldn’t manage that lock-in, hard as it tried. This time, the standards don’t exist or where they do, they’re not used by the big players, who control the whole chain end-to-end. Third-party endpoints are not allowed. So it doesn’t matter if you’re on a non-MS desktop or a mobile device, you’ll have to use the Microsoft app.

[…]

Source: Windows 11 comes bearing THAAS, Trojan Horse as a service • The Register

Russia’s Checkmate Light Tactical Fighter Is Officially Unveiled (Updated)

The wraps have finally, officially, come off the mock-up of Russia’s new light fighter, the Sukhoi Checkmate, also known as the Light Tactical Aircraft, or LTS in Russian, with a formal unveiling at the opening of the MAKS international air show at Zhukovsky, outside Moscow, today. Observers who had been given a succession of tantalizing, and mainly unofficial, glimpses of the new jet over the last few days now have the chance to examine the aircraft from all aspects. The actual ceremony ended up being delayed by several hours, perhaps to accommodate the visit by Russian President Vladimir Putin, who was shown inspecting the mock-up after opening the show.

The end result is very much in keeping with the observations that The War Zone has been gathering based on initial, leaked, imagery, much of which came while the aircraft was still literally under wraps. The United Aircraft Corporation and Rostec, which are responsible for the Sukhoi design bureau, seemed for their part to actively encourage this process, harnessing it as something of a PR coup.

The unveiling of the Sukhoi Checkmate, or LTS, earlier today. (Photo: Rostec)

You can read our full assessment of the jet here, based on its first fleeting appearance “in the flesh,” as well as our analysis of the single-engine concept and the potential sales prospects of such an aircraft.

The aircraft’s intake has been one of its most debated features over the last week. New imagery shows that the angular ventral inlet, which wraps around the lower nose section, shares features with a diverterless supersonic inlet (DSI) design, but exactly how mature Russia’s take on this concept is remains to be seen.

In terms of new developments, we now know that, as suspected, there is a larger main weapons bay within the lower fuselage. This is designed to accommodate three examples of the RVV-BD air-to-air missile, the export version of the very-long-range R-37M, or AA-13 Axehead, a weapon that you can read more about here. Furthermore, we now have confirmation that the long, conformal weapons bays located forward of the main landing gear are indeed intended to house smaller air-to-air missiles, for close-range defense.

Performance-wise, the manufacturer is apparently claiming a short takeoff and landing capability (rather than a full short takeoff and vertical landing capability, as in the F-35B), a range of up to 1,860 miles, combat radius of 930 miles, and a payload in excess of 15,000 pounds.

The airframe is said to be stressed to 8g, which is only slightly less than the 9g at which the airframe of the Su-35S Flanker heavyweight fighter is rated. This may reflect the fact that the design focuses more on low-observable characteristics and range than on maneuverability, although the final result is likely closer to the Su-57, concentrating on reducing the signature from the frontal hemisphere rather than on all-aspect stealth.

[…]

The projected timeline for the LTS includes the first flight of a technology demonstrator in 2023, followed by construction of pre-series prototypes in 2024-25, and delivery of initial production examples potentially as early as 2026-27.

[…]

The planned powerplant is not confirmed, but it is described as an engine in the 14.5 to 16-ton thrust class, utilizing off-the-shelf components. This rating would put it at the upper end of the output of the AL-41F1 turbofan now used in the Su-57, or at the lower end of the all-new Izdeliye 30, which is currently still in development.

[…]

In addition to the three long-range and two short-range AAMs that can be carried in the internal bays, a wide variety of air-to-ground ordnance is being offered as well. Alongside various precision-guided munitions, the unveiling showed that the jet will also be able to carry unguided rockets and dumb bombs, which is unusual for a fifth-generation design. There will also be provision for an internal cannon, likely a 30mm weapon as on the Su-57.

The active electronically scanned array (AESA) radar, of undisclosed type, is intended to engage six targets simultaneously while operating in a hostile electronic countermeasures environment. The radar will be part of an all-round sensor suite, including passive devices, likely similar to those found on the Su-57.

[…]

As of today, the program is being funded internally, with investors being sought to launch production for export. Interestingly, officials said they hoped that Russia might opt for the unmanned variant, rather than the manned fighter.

Source: Russia’s Checkmate Light Tactical Fighter Is Officially Unveiled (Updated)

F-117 flying more often as Aggressors

More and more as of late, some of the F-117 Nighthawks long retired from active duty are now enjoying their secretive second life as developmental and red air aggressor platforms. The Air Force Test Center pilots that fly the Air Force Materiel Command-owned jets out of the shadowy Tonopah Test Range Airport (TTR) have been steadily expanding their operations in recent months with the type operating from other installations, refueling from standard tankers, and even frequenting Nellis AFB, home of the USAF’s aggressors. We have reported extensively on this unique role for the F-117s, including their first known appearance at the giant Red Flag air warfare exercises last August. Now we have new images that show “Black Jets” in action, roaring low over the Nevada desert during a Red Flag sortie.

[…]

As for the F-117s, part of their duties includes serving as low-observable aggressors, which has become a necessity in a world where stealthy aircraft and cruise missiles are proliferating. They also work in a developmental role for low-observable and counter-low observable technologies. For Red Flag, they are part of the bad guys’ team. While flying missions during broad daylight may not have been on the docket during their operational career, these jets provide a target unlike anything fleet aircrews have encountered before. One can imagine how their elusive radar signature can only become harder to detect while flying amongst the ground clutter.

[…]

Also of note, the F-117s have their retractable antennas extended, which does impact their low-observable cloak from certain angles. This could be a necessity for taking part in the exercise or it could be because the aircraft are leaving the training area and can communicate more freely as they are no longer valid targets. It’s also worth noting that radar reflectors are not mounted on the aircraft, so they are in a low-observable configuration.

[…]

Source: F-117 Aggressors Photographed Low Over The Nevada Desert During Red Flag War Games

Japanese Police Arrest Man For Selling Modded Save Files For Single-Player Nintendo Game

Japan’s onerous Unfair Competition Prevention Law has created what looks from here like a massive overreach in the criminalization of copyright law. Past examples include Japanese journalism executives being arrested over a book that tells people how to back up their own DVDs, along with more high-profile cases in which arrests occurred over the selling of cheats or exploits in online multiplayer video games. While these too seem like an overreach of copyright law, or at least an over-criminalization of relatively minor business problems facing electronic media companies, they are nothing compared with the idea that a person could be arrested and face jail time for the crime of selling modded save-game files for a single-player game like The Legend of Zelda: Breath of the Wild.

A 27-year old man in Japan was arrested after he was caught attempting to sell modified Zelda: Breath of The Wild save files.

As reported by the Broadcasting System of Niigata (and spotted by Dextro), Ichimin Sho was arrested on July 8 after he posted about modified save files for the Nintendo Switch version of Breath of The Wild. He posted his services on an unspecified auction site, describing them as “the strongest software.” He would provide modded save files that gave the player improved in-game abilities, and items that were difficult to obtain were made available on request by the customer. In his original listing, he reportedly was charging folks 3,500 yen (around $31 USD) for his service.

Upon arrest, Sho admitted that he had made something like $90k over 18 months selling modded saves and software. Whatever his other ventures, the fact remains that Sho was arrested for selling modded saves for this one Zelda game to the public. And this game is fully a single-player game. In other words, there is no aspect of this arrest that involved staving off cheating in online multiplayer games, which is one of the concerns that has typically led to these arrests in Japan within the gaming industry.

[…]

Source: Japanese Police Arrest Man For Selling Modded Save Files For Single-Player Nintendo Game | Techdirt