The Linkielist

Linking ideas with the world

The Linkielist

Monthly Archives: March 2022

Italy slaps creepy webscraping facial recognition firm Clearview AI with €20 million fine

Posted on by

Italy’s data privacy watchdog said it will fine the controversial facial recognition firm Clearview AI for breaching EU law. An investigation by Garante, Italy’s data protection authority, found that the company’s database of 10 billion images of faces includes those of Italians and residents in Italy. The New York City-based firm is being fined €20 million, and will also have to delete any facial biometrics it holds of Italian nationals.

This isn’t the first time that the beleaguered facial recognition tech company is facing legal consequences. The UK data protection authority last November fined the company £17 million after finding its practices—which include collecting selfies of people without their consent from security camera footage or mugshots—violate the nation’s data protection laws. The company has also been banned in Sweden, France and Australia.

The accumulated fines will be a considerable blow for the now five-year old company, completely wiping away the $30 million it raised in its last funding round. But Clearview AI appears to be just getting started. The company is on track to patent its biometric database, which scans faces across public internet data and has been used by law enforcement agencies around the world, including police departments in the United States and a number of federal agencies. A number of Democrats have urged federal agencies to drop their contracts with Clearview AI, claiming that the tool is a severe threat to the privacy of everyday citizens. In a letter to the Department of Homeland Security, Sens. Ed Markey and Jeff Merkley and Reps. Pramila Jayapal and Ayanna Pressley urged regulators to discontinue their use of the tool.

“Clearview AI reportedly scrapes billions of photos from social media sites without permission from or notice to the pictured individuals. In conjunction with the company’s facial recognition capabilities, this trove of personal information is capable of fundamentally dismantling Americans’ expectation that they can move, assemble, or simply appear in public without being identified,” wrote the authors of the letter.

Despite losing troves of facial recognition data from entire countries, Clearview AI has a plan to rapidly expand this year. The company told investors that it is on track to have 100 billion photos of faces in its database within a year, reported The Washington Post. In its pitch deck, the company said it hopes to secure an additional $50 million from investors to build even more facial recognition tools and ramp up its lobbying efforts.

Source: Italy slaps facial recognition firm Clearview AI with €20 million fine | Engadget

The new silent majority: People who don’t tweet – and are political independents

Posted on by

Most people you meet in everyday life — at work, in the neighborhood — are decent and normal. Even nice. But hit Twitter or watch the news, and you’d think we were all nuts and nasty.

Why it matters: The rising power and prominence of the nation’s loudest, meanest voices obscures what most of us personally experience: Most people are sane and generous — and too busy to tweet.

Reality check: It turns out, you’re right. We dug into the data and found that, in fact, most Americans are friendly, donate time or money, and would help you shovel your snow. They are busy, normal and mostly silent.

  • These aren’t the people with big Twitter followings or cable-news contracts — and they don’t try to pick fights at school board meetings.
  • So the people who get the clicks and the coverage distort our true reality.

Three stats we find reassuring:

  1.  75% of people in the U.S. never tweet.
  2. On an average weeknight in January, just 1% of U.S. adults watched primetime Fox News (2.2 million). 0.5% tuned into MSNBC (1.15 million).
  3. Nearly three times more Americans (56%) donated to charities during the pandemic than typically give money to politicians and parties (21%).

📊 One chart worth sharing: As polarized as America seems, Independents — who are somewhere in the middle — would be the biggest party.

  • In Gallup’s 2021 polling, 29% of Americans identified as Democrats … 27% as Republicans … and 42% as independents.
Reproduced from Gallup; Chart: Axios Visuals

The bottom line: Every current trend suggests politics will get more toxic before it normalizes. But the silent majority gives us hope beyond the nuttiness.

Source: The new silent majority: People who don’t tweet

Changing touchscreen friction and rendering of virtual shapes through change in surface temperature

Posted on by

In this work, we show a large modulation of finger friction by locally changing surface temperature. Experiments showed that finger friction can be increased by ~50% with a surface temperature increase from 23° to 42°C, which was attributed to the temperature dependence of the viscoelasticity and the moisture level of human skin. Rendering virtual features, including zoning and bump(s), without thermal perception was further demonstrated with surface temperature modulation. This method of modulating finger friction has potential applications in gaming, virtual and augmented reality, and touchscreen human-machine interaction.

Source: Surface haptic rendering of virtual shapes through change in surface temperature

Samsung Galaxy Source Code Stolen in Data Breach, might show they slow down specific apps

Posted on by

Samsung confirmed on Monday that a cybersecurity attack exposed sensitive internal data including source code for Galaxy smartphones.

The group claiming responsibility for the attack, Lapsus$, is the same hacking outfit that breached Nvidia last week and leaked employee credentials and proprietary information onto the internet. In the Samsung hack, the group purportedly posted a 190GB torrent file to its Telegram channel, claiming it contains algorithms for biometric login authentication and bootloader—code that could be used to bypass some operating system controls.

Samsung disclosed the breach but didn’t confirm the identity of the hackers or the materials stolen.

[…]

After successfully breaching Nvidia, Lapsus$ blackmailed the GPU maker by threatening to release stolen internal data unless GPU drivers were made open source and Ethereum cryptocurrency mining limiters were removed from Nvidia 30-series graphics cards. The group, which is said to have members in South America and Western Europe, reportedly compromised the credentials of more than 71,000 past and current Nvidia employees.

For Samsung, the data breach arrives shortly after reports emerged claiming the company deliberately limits the performance of around 10,000 apps, including Instagram and TikTok. Samsung said its “Game Optimizing Service” was designed to balance performance and cooling, but many saw this as performance throttling and slammed the Korean tech giant for selectively excluding benchmarking apps.

[…]

 

Source: Samsung Galaxy Source Code Stolen in Data Breach

How safe are your passwords in 2022?

Posted on by

The 2022 update to our famous Hive Systems Password Table that’s been shared across the internet, social media, the news, and organizations worldwide. So what’s new, and what’s our methodology behind it? Keep reading!

Hive Systems Password Table Time it takes a hacker to brute force a password in 2022

Looking for a high resolution version to download?

It’s been two years since we first shared our (now famous) password table. So it was about time we not only updated it for 2022 but we wanted to walk you through our methodology. While the data fits nicely into the table above, things aren’t as as simple as it shows. So we’ll walk you through our data, our assumptions, and oh, you’re going to see a LOT of variations of the password table above!

“So how’d you make the table”?”

In 2020, we shared a colorful table that took the internet by storm. It showed the relative strength of a password against a brute force cracking attempt, based on the password’s length and complexity. The data was based on how long it would take a consumer-budget hacker to crack your password hash using a desktop computer with a top-tier graphics card. Two years later – quite a long period of time in processing power improvement terms –  we’re long overdue for an update.

First, let’s get some key terms out of the way. We’re going to talk about hashing. In the context of passwords, a “hash” is a scrambled version of text that is reproducible if you know what hash software was used. In other words, if I hash the word “password” using MD5 hashing software, the output hash is 5f4dcc3b5aa765d61d8327deb882cf99. Now if you hash the word “password” using MD5 hashing software, you’ll also get 5f4dcc3b5aa765d61d8327deb882cf99! We both secretly know the word “password” is our secret code, but anyone else watching us just sees 5f4dcc3b5aa765d61d8327deb882cf99. For this reason, the passwords you use on websites are stored in servers as hashes instead of in plain text like “password” so that if someone views them, in theory they won’t know the actual password.

You can’t do the reverse. A hash digest like 5f4dcc3b5aa765d61d8327deb882cf99 can’t be reverse computed to produce the word “password” that was used to make it. This one-way approach for hashing functions is by design. So how do hackers who steal hashes from websites ultimately end up with a list of real life passwords?

Hackers solve this problem by cracking the passwords instead. In this context, cracking means making a list of all combinations of characters on your keyboard and then hashing them. By finding matches between this list and the hashes from the stolen passwords, hackers can figure out your true password – letting them log into your favorite websites. And if you use the same password on multiple sites, you’re in for a bad time.

You can do this comparison with any computer, but it is much faster if you accelerate the process with a powerful graphics card. Graphics cards are those circuit boards that stick out of your computer’s bigger green circuit board. Among other things, this special circuit board has a Graphic Processing Unit (GPU) on it. A GPU is the shiny square tile on your graphics card that likely says NVIDIA or AMD on it. Originally GPU’s were built to make pictures and videos load faster on your computer screen. As it turns out, they’re also great for mining cryptocurrencies, and for calculating hashes. A popular application for hashing is called Hashcat. Hashcat includes hashing functions, like MD5, while allowing you to use them quickly and see how fast it was able to do so. As a side note, we usually say “hash function” instead of “hash software.”

[…]

Source: Are Your Passwords in the Green?

The rest of the article is very interesting, including many more graphs depicting various scenarios

Ice Cream Machine Repairers Sue McDonald’s for $900 Million

Posted on by

For years, the tiny startup Kytch worked to invent and sell a device designed to fix McDonald’s notoriously broken ice cream machines, only to watch the fast food Goliath crush their business like the hopes of so many would-be McFlurry customers. Now Kytch is instead seeking to serve out cold revenge—nearly a billion dollars worth of it.

Late Tuesday night, Kytch filed a long-expected legal complaint against McDonald’s, accusing the company of false advertising and tortious interference in its contracts with customers. Kytch’s cofounders, Melissa Nelson and Jeremy O’Sullivan, are asking for no less than $900 million in damages.

Since 2019, Kytch has sold a phone-sized gadget designed to be installed inside McDonald’s ice cream machines. Those Kytch devices would intercept the ice cream machines’ internal communications and send them out to a web or smartphone interface to help owners remotely monitor and troubleshoot the machines’ many foibles, which are so widely acknowledged that they’ve become a full-blown meme among McDonald’s customers. The two-person startup’s new claims against McDonald’s focus on emails the fast food giant sent to every franchisee in November 2020, instructing them to pull Kytch devices out of their ice cream machines immediately.

Those emails warned franchisees that the Kytch devices not only violated the ice cream machines’ warranties and intercepted their “confidential information” but also posed a safety threat and could lead to “serious human injury,” a claim that Kytch describes as false and defamatory. Kytch also notes that McDonald’s used those emails to promote a new ice cream machine, built by its longtime appliance manufacturing partner Taylor, that would offer similar features to Kytch. The Taylor devices, meanwhile, have yet to see public adoption beyond a few test installations.

Kytch cofounder Melissa Nelson says the emails didn’t just result in McDonald’s ice cream machines remaining broken around the world. (About one in seven of the machines in the US remained out of commission on Monday according to McBroken.com, which tracks the problem in real time.) They also kneecapped Kytch’s fast-growing sales just as the startup was taking off. “They’ve tarnished our name. They scared off our customers and ruined our business. They were anti-competitive. They lied about a product that they said would be released,” Nelson says. “McDonald’s had every reason to know that Kytch was safe and didn’t have any issues. It was not dangerous, like they claimed. And so we’re suing them.”

Before it found itself in conflict with soft-serve superpowers, Kytch had shown some early success in solving McDonald’s ice cream headaches. Its internet-connected add-on gadget helped franchisees avoid problems like hours of downtime when Taylor’s finicky daily pasteurization cycle failed. McDonald’s restaurant owners interviewed by WIRED liked the device; one said it saved him “easily thousands of dollars a month” from lost revenue and repair fees. Kytch says that by the end of 2020 it had 500 customers and was doubling its sales every quarter—all of which evaporated when McDonald’s ordered its franchisees to ditch Kytch’s gadgets.

Kytch first fired back against the fast-food ice cream establishment last May, suing Taylor and its distributor TFG for theft of trade secrets. The Kytch founders argued in that lawsuit that Taylor worked with TFG and one franchise owner to stealthily obtain a Kytch device, reverse-engineer it, and attempt to copy its features.

But all along, Kytch’s cofounders have hinted that they intended to use the discovery process in their lawsuit against Taylor to dig up evidence for a suit against McDonald’s too. In fact, the 800 pages of internal Taylor emails and presentations that Kytch has so far obtained in discovery show that it was McDonald’s, not Taylor, that at many points led the effort to study and develop a response to Kytch in 2020.

[…]

Source: Ice Cream Machine Hackers Sue McDonald’s for $900 Million | WIRED

Ukraine state media leaks details of 120,000 Russians soldier on website

Posted on by

Ukrainian news website Ukrainska Pravda says the nation’s Centre for Defence Strategies think tank has obtained the personal details of 120,000 Russian servicemen fighting in Ukraine. The publication has now shared this data freely on its website.

The Register and others have been unable to fully verify the accuracy of the data from the leak. The records include what appears to be names, addresses, passport numbers, unit names, and phone numbers. Some open source intelligence researchers on Twitter said they found positive matches, as did sources who spoke confidentially to El Reg; others said they couldn’t verify dip-sampled data.

[…]

Whether or not the database’s contents is real, the impact on Russian military morale – knowing that your country’s enemies have your personal details and can contact your family if you’re captured, killed, or even still alive – won’t be insignificant.

As Russia’s invasion of Ukraine progresses, or not, cyber-attacks orchestrated by or for the benefit of the Kremlin against Ukraine and the West appear limited, while on the ground, more than 2,000 civilians have been killed, according to Ukrainian officials.

Former UK National Cyber Security Centre (NCSC) chief Ciaran Martin noted in a blog post that even those skeptical of claims that Russia would wage cyber-Armageddon during the invasion will be surprised at the lack of activity. The online assaults against Ukraine of late represent Russia’s “long-standing campaign of cyber harassment of the country … rather than a serious escalation of it,” he wrote.

[…]

Source: 120,000 Russians soldier details leak – Ukraine media • The Register

And now you get into the combatant following orders kind of argument – do you really want to be the side attacking their spouses and children back home?

Hackers hacked by Nvidia Demand NVIDIA Open Source Their Drivers Or They Leak More Data

Posted on by

Hackers that infiltrated NVIDIA systems are now threatening to release more confidential information unless the company commits to open sourcing their drivers. It is unclear what the stolen data contains, but the group confirmed that there are 250GB of hardware related data in their possession. Furthermore, the group confirmed they have evaluated NVIDIA position, which means that NVIDIA is might trying to communicate with the group to prevent future leaks. The group has already published information on NVIDIA DLSS technology and upcoming architectures. Yesterday, Nvidia reportedly retaliated against the hacker group known as “Lapsus$” by sneaking back into the hacker’s system and encrypting the stolen data. The group claimed that it had a backup of the data, though.

Source: Hackers Demand NVIDIA Open Source Their Drivers Or They Leak More Data – Slashdot

These Two Mictic Bluetooth Bracelets Put an Entire Orchestra of Virtual Instruments in Your Hands (IOS only :'( )

Posted on by

[…]

the Mictic One are two Bkuetooth bracelets equipped with movement sensors. The bracelets connect to a mobile device (only iOS at the moment, but the Android version is under development). From the Mictic application, we can select different musical instruments and control the sound they produce by moving our hands and arms. Think of an Air Guitar on steroids and you’ll get an idea of ​​how they work. This video helps too.

The fact is that to say that the Mictic One is an Air Guitar simulator is an understatement, because the application of this startup created in Zurich does much more than that. To begin with, the range of musical instruments that we can imitate is quite wide and ranges from the cello to percussion or a DJ’s mixing desk. Each instrument requires you to make different movements with your arms and hands that mimic (to some extent) the actual movements you would make with that instrument.

The app allows you to add (and control) background tracks, and even mix various instruments and record the results. In fact, up to four pairs of bracelets can be connected in case you want to form an augmented reality band. There are also a handful of actual songs, and the company is already making deals with different record labels to add many more. In fact the device is being sponsored by Moby

[…]

wearing the Mictic One is an experience that is as frustrating as it is exciting. It’s frustrating because getting something out that sounds good is harder than it looks. It is not enough to wave your arms like a crazed ape. You have to move with precision and smoothness. Luckily, each instrument has a video tutorial in which we can learn the basic movements. It’s exciting because when you learn to make them sound the feeling is extremely satisfying.

Soon we will be able to offer you an in-depth review of the device, but the first impression is that they are incredibly fun. The Mictic One (sold as a pair and with a double USB-C cable to charge them both at the same time) are already on sale from the company’s website at a price of 139 Swiss francs (about 135 euros). In the future, the company plans to extend the platform so that it can be used with other devices that do not have the necessary motion sensors, such as mobile phones or smart watches.

Source: These Two Bluetooth Bracelets Put an Entire Orchestra of Virtual Instruments in Your Hands

NSA report: This is how you should be securing your network

Posted on by

The National Security Agency (NSA) has released a new report that gives all organizations the most current advice on how to protect their IT network infrastructures from cyberattacks.

NSA’s report ‘Cybersecurity Technical Report (CTR): Network Infrastructure Security Guidance‘ is available freely for all network admins and CIOs to bolster their networks from state-sponsored and criminal cyberattacks.

The report covers network design, device passwords and password management, remote logging and administration, security updates, key exchange algorithms, and important protocols such as Network Time Protocol, SSH, HTTP, and Simple Network Management Protocol (SNMP).

SEE: Cybersecurity: Let’s get tactical (ZDNet special report)

The US Cybersecurity and Infrastructure Security Agency (CISA) is encouraging tech leaders to view the NSA document as part of its new push for all organizations in the US and elsewhere to raise defenses after the recent disk wiper malware targeting Ukrainian organizations.

The document, from NSA’s cybersecurity directorate, encourages the adoption of ‘zero trust’ networks. Zero trust assumes malicious insiders and threats existing inside and outside classical network boundaries.

[…]

Source: NSA report: This is how you should be securing your network | ZDNet

Opinion: Russia is now reaching endgame in Ukraine

Posted on by

Thesis: pretty soon Russia will stop their war. They have linked up the landmass to the Crimea, control access to the Black Sea and that was their goal all along. They don’t have enough soldiers to take over and administer the Ukraine. The police forces in the Ukraine will never align with a Russian puppet government. The threat to Kiev stalled because Putin was never interested in taking the whole of Ukraine. It’s a red herring which allows Putin to consolidate in the East. Once “peace” is worked out and they pull the 65km convoy back up to Russia and empty away from the west of the country, they will be left with that great swathe of land to the east and no-one will be able to remove them. In practical terms they will have annexed a huge land route to the Crimea as they did the Crimea. They will have displaced the Ukranians that were living there and claim that the whole area is inhabited by their Russian brothers. They will “unite” the newly independent Donbas and Luhansk regions and the regions to the south and they will for all intents and purposes be Russian. NATO will never allow the Ukraine to join anyway and neither will the EU, despite pro-Ukranian sentiment. So Ukraine remains a “buffer state”. Win for Russia.

BitConnect boss accused of $2.4bn fraud has disappeared

Posted on by

Satish Kumbhani, who is accused of scamming people out of $2.4bn in a cryptocurrency Ponzi scheme, has disappeared while evading an American watchdog, a court was told this week.

The BitConnect founder fled his home nation of India and went to ground in another country as the US Securities and Exchange Commission sought to serve a civil fraud lawsuit on him regarding the alleged scam, it is claimed.

“In October 2021, the commission learned that Kumbhani has likely relocated from India to an unknown address in a different foreign country,” Richard Primoff, general attorney at the SEC, said in a letter [PDF] to US federal district Judge John Koeltl on Monday.

[…]

In September, the regulator claimed BitConnect defrauded folks out of billions of dollars by running a Ponzi-like scheme that promised financial returns of up to 40 per cent per month all thanks to its automated crypto-trading bot.

Instead, people’s digital funds were allegedly secretly pocketed by Kumbhani and his associate Glenn Arcaro, who last year pleaded guilty to conspiring to cheat Bitconnect investors. Arcaro faces up to 20 years behind bars. Kumbhani, however, is still at large.

[…]

Source: BitConnect boss accused of $2.4bn fraud has disappeared • The Register

UK Online Safety Bill to require more data to use social media – eg send them your passport

Posted on by

The country’s forthcoming Online Safety Bill will require citizens to hand over even more personal data to largely foreign-headquartered social media platforms, government minister Nadine Dorries has declared.

“The vast majority of social networks used in the UK do not require people to share any personal details about themselves – they are able to identify themselves by a nickname, alias or other term not linked to a legal identity,” said Dorries, Secretary of State for Digital, Culture, Media and Sport (DCMS).

Another legal duty to be imposed on social media platforms will be a requirement to give users a “block” button, something that has been part of most of today’s platforms since their launch.

“When it comes to verifying identities,” said DCMS in a statement, “some platforms may choose to provide users with an option to verify their profile picture to ensure it is a true likeness. Or they could use two-factor authentication where a platform sends a prompt to a user’s mobile number for them to verify.”

“Alternatively,” continued the statement, “verification could include people using a government-issued ID such as a passport to create or update an account.”

Two-factor authentication is a login technology to prevent account hijacking by malicious people, not a method of verifying a user’s government-approved identity.

“People will now have more control over who can contact them and be able to stop the tidal wave of hate served up to them by rogue algorithms,” said Dorries.

Social networks offering services to Britons don’t currently require lots of personal data to register as a user. Most people see this as a benefit; the government seems to see it as a negative.

Today’s statement had led to widespread concerns that DCMS will place UK residents at greater risk of online identity theft or of falling victim to a data breach.

The Online Safety Bill was renamed from the Online Harms Bill shortly before its formal introduction to Parliament. Widely accepted as a disaster in the making by the technically literate, critics have said the bill risks creating an “algorithm-driven censorship future” through new regulations that would make it legally risky for platforms not to proactively censor users’ posts.

It is also closely linked to strong rhetoric discouraging end-to-end encryption rollouts for the sake of “minors”, and its requirements would mean that tech platforms attempting to comply would have to weaken security measures.

Parliamentary efforts at properly scrutinising the draft bill then led to the “scrutineers” instead publishing a manifesto asking for even more stronger legal weapons be included.

[…]

Source: Online Safety Bill to require more data to use social media