iOS 16 VPN Tunnels Leak Data, Even When Lockdown Mode Is Enabled

AmiMoJo shares a report from MacRumors: iOS 16 continues to leak data outside an active VPN tunnel, even when Lockdown mode is enabled, security researchers have discovered. Speaking to MacRumors, security researchers Tommy Mysk and Talal Haj Bakry explained that iOS 16’s approach to VPN traffic is the same whether Lockdown mode is enabled or not. The news is significant since iOS has a persistent, unresolved issue with leaking data outside an active VPN tunnel.

According to a report from privacy company Proton, an iOS VPN bypass vulnerability had been identified in iOS 13.3.1, which persisted through three subsequent updates. Apple indicated it would add Kill Switch functionality in a future software update that would allow developers to block all existing connections if a VPN tunnel is lost, but this functionality does not appear to prevent data leaks as of iOS 15 and iOS 16. Mysk and Bakry have now discovered that iOS 16 communicates with select Apple services outside an active VPN tunnel and leaks DNS requests without the user’s knowledge.

Mysk and Bakry also investigated whether iOS 16’s Lockdown mode takes the necessary steps to fix this issue and funnel all traffic through a VPN when one is enabled, and it appears that the exact same issue persists whether Lockdown mode is enabled or not, particularly with push notifications. This means that the minority of users who are vulnerable to a cyberattack and need to enable Lockdown mode are equally at risk of data leaks outside their active VPN tunnel. […] Because iOS 16 leaks data outside the VPN tunnel even when Lockdown mode is enabled, internet service providers, governments, and other organizations may be able to identify users who have a large amount of traffic, potentially highlighting influential individuals. It is possible that Apple does not want a potentially malicious VPN app to collect some kinds of traffic, but seeing as ISPs and governments are then able to do this, even if that is what the user is specifically trying to avoid, it seems likely that this is part of the same VPN problem that affects iOS 16 as a whole.

https://m.slashdot.org/story/405931

Shein Owner Fined $1.9 Million For Failing To Notify 39 Million Users of Data Breach – Slashdot

Zoetop, the firm that owns Shein and its sister brand Romwe, has been fined $1.9 million by New York for failing to properly disclose a data breach from 2018.

TechCrunch reports: A cybersecurity attack that originated in 2018 resulted in the theft of 39 million Shein account credentials, including those of more than 375,000 New York residents, according to the announcement from the New York Attorney General (AG). An investigation by the AG’s office found that Zoetop only contacted “a fraction” of the 39 million compromised accounts, and for the vast majority of the users impacted, the firm failed to even alert them that their login credentials had been stolen. The AG’s office also concluded that Zoetop’s public statements about the data breach were misleading. In one instance, the firm falsely stated that only 6.42 million consumers had been impacted and that it was in the process of informing all the impacted users.

https://m.slashdot.org/story/405939

Scientists grow human brain cells to play Pong

Researchers have succeeded in growing brain cells in a lab and hooking them up to electronic connectors, proving they can learn to play the seminal console game Pong.

Led by Brett Kagan, chief scientific officer at Cortical Labs, the researchers showed that by integrating neurons into digital systems they could harness “the inherent adaptive computation of neurons in a structured environment”.

According to the paper published in the journal Neuron, the biological neural networks grown from human or rodent origins were integrated with computing hardware via a high-density multielectrode array.

“Through electrophysiological stimulation and recording, cultures are embedded in a simulated game-world, mimicking the arcade game Pong.

“Applying implications from the theory of active inference via the free energy principle, we find apparent learning within five minutes of real-time gameplay not observed in control conditions,” the paper said. “Further experiments demonstrate the importance of closed-loop structured feedback in eliciting learning over time.”

[…]

https://www.theregister.com/2022/10/14/boffins_grow_human_brain_cells/

Meta’s New $1499 Headset Will Track Your Eyes for Targeted Ads

Earlier this week, Meta revealed the Meta Quest Pro, the company’s most premium virtual reality headset to date with a new processor and screen, dramatically redesigned body and controllers, and inward-facing cameras for eye and face tracking. “To celebrate the $1,500 headset, Meta made some fun new additions to its privacy policy, including one titled ‘Eye Tracking Privacy Notice,’” reports Gizmodo. “The company says it will use eye-tracking data to ‘help Meta personalize your experiences and improve Meta Quest.’ The policy doesn’t literally say the company will use the data for marketing, but ‘personalizing your experience’ is typical privacy-policy speak for targeted ads.”

From the report: Eye tracking data could be used “in order to understand whether people engage with an advertisement or not,” said Meta’s head of global affairs Nick Clegg in an interview with the Financial Times. Whether you’re resigned to targeted ads or not, this technology takes data collection to a place we’ve never seen. The Quest Pro isn’t just going to inform Meta about what you say you’re interested in; tracking your eyes and face will give the company unprecedented insight about your emotions. “We know that this kind of information can be used to determine what people are feeling, especially emotions like happiness or anxiety,” said Ray Walsh, a digital privacy researcher at ProPrivacy. “When you can literally see a person look at an ad for a watch, glance for ten seconds, smile, and ponder whether they can afford it, that’s providing more information than ever before.”

[…]

https://m.slashdot.org/story/405885

AI recruitment software is ‘automated pseudoscience’ says Cambridge study

Claims that AI-powered recruitment software can boost diversity of new hires at a workplace were debunked in a study published this week.

Advocates of machine learning algorithms trained to analyze body language and predict the emotional intelligence of candidates believe the software provides a fairer way to assess workers if it doesn’t consider gender and race. They argue the new tools could remove human biases and help companies meet their diversity, equity, and inclusion goals by hiring more people from underrepresented groups.

But a paper published in the journal Philosophy and Technology by a pair of researchers at the University of Cambridge demonstrates that the software is little more than “automated pseudoscience”. Six computer science undergraduates replicated a commercial model used in industry to examine how AI recruitment software predicts people’s personalities using images of their faces.

Dubbed the “Personality Machine”, the system looks for the “big five” personality tropes: extroversion, agreeableness, openness, conscientiousness, and neuroticism. They found the software’s predictions were affected by changes in people’s facial expressions, lighting and backgrounds, as well as their choice of clothing. These features have nothing to do with a jobseeker’s abilities, so using AI for recruitment purposes is flawed, the researchers argue.

“The fact that changes to light and saturation and contrast affect your personality score is proof of this,” Kerry Mackereth, a postdoctoral research associate at the University of Cambridge’s Centre for Gender Studies, told The Register. The paper’s results are backed up by previous studies, which have shown how wearing glasses and a headscarf in a video interview or adding in a bookshelf in the background can decrease a candidate’s scores for conscientiousness and neuroticism, she noted.

Mackereth also explained these tools are likely trained to look for attributes associated with previous successful candidates, and are, therefore, more likely to recruit similar-looking people instead of promoting diversity.

“Machine learning models are understood as predictive; however, since they are trained on past data, they are re-iterating decisions made in the past, not the future. As the tools learn from this pre-existing data set a feedback loop is created between what the companies perceive to be an ideal employee and the criteria used by automated recruitment tools to select candidates,” she said.

The researchers believe the technology needs to be regulated more strictly. “We are concerned that some vendors are wrapping ‘snake oil’ products in a shiny package and selling them to unsuspecting customers,” said co-author Eleanor Drage, a postdoctoral research associate also at the Centre for Gender Studies.

“While companies may not be acting in bad faith, there is little accountability for how these products are built or tested. As such, this technology, and the way it is marketed, could end up as dangerous sources of misinformation about how recruitment can be ‘de-biased’ and made fairer,” she added.

Mackereth said that although the European Union AI Act classifies such recruitment software as “high risk,” it’s unclear what rules are being enforced to reduce those risks. “We think that there needs to be much more serious scrutiny of these tools and the marketing claims which are made about these products, and that the regulation of AI-powered HR tools should play a much more prominent role in the AI policy agenda.”

“While the harms of AI-powered hiring tools appear to be far more latent and insidious than more high-profile instances of algorithmic discrimination, they possess the potential to have long-lasting effects on employment and socioeconomic mobility,” she concluded.

https://www.theregister.com/2022/10/13/ai_recruitment_software_diversity/

Android Leaks Some Traffic Even When ‘Always-On VPN’ Is Enabled – Slashdot

Mullvad VPN has discovered that Android leaks traffic every time the device connects to a WiFi network, even if the “Block connections without VPN” (or “Always-on VPN”) feature is enabled. BleepingComputer reports: The data being leaked outside VPN tunnels includes source IP addresses, DNS lookups, HTTPS traffic, and likely also NTP traffic. This behavior is built into the Android operating system and is a design choice. However, Android users likely didn’t know this until now due to the inaccurate description of the “VPN Lockdown” feature in Android’s documentation. Mullvad discovered the issue during a security audit that hasn’t been published yet, issuing a warning yesterday to raise awareness on the matter and apply additional pressure on Google.

Android offers a setting under “Network & Internet” to block network connections unless you’re using a VPN. This feature is designed to prevent accidental leaks of the user’s actual IP address if the VPN connection is interrupted or drops suddenly. Unfortunately, this feature is undercut by the need to accommodate special cases like identifying captive portals (like hotel WiFi) that must be checked before the user can log in or when using split-tunnel features. This is why Android is configured to leak some data upon connecting to a new WiFi network, regardless of whether you enabled the “Block connections without VPN” setting.

Mullvad reported the issue to Google, requesting the addition of an option to disable connectivity checks. “This is a feature request for adding the option to disable connectivity checks while ‘Block connections without VPN’ (from now on lockdown) is enabled for a VPN app,” explains Mullvad in a feature request on Google’s Issue Tracker. “This option should be added as the current VPN lockdown behavior is to leak connectivity check traffic (see this issue for incorrect documentation) which is not expected and might impact user privacy.” In response to Mullvad’s request, a Google engineer said this is the intended functionality and that it would not be fixed for the following reasons:

– Many VPNs actually rely on the results of these connectivity checks to function,
– The checks are neither the only nor the riskiest exemptions from VPN connections,
– The privacy impact is minimal, if not insignificant, because the leaked information is already available from the L2 connection.

Mullvad countered these points and the case remains open.
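One check a practitioner can run for both the iOS story and the Android story above, as an added example that is not from the articles, Mullvad, Apple or Google: a small Python audit that reads a tcpdump-style summary captured on the physical (Wi-Fi) interface while a VPN is up and flags every outbound packet that did not go to the VPN endpoint, labelling DNS, HTTPS and NTP bypasses. The VPN endpoint, the device address and the sample capture lines are assumptions constructed for the example.

```python
import re

# Assumed VPN endpoint and device Wi-Fi address (constructed, documentation ranges).
VPN_ENDPOINT = ("198.51.100.10", 51820)
DEVICE_IP = "192.0.2.23"

# Constructed sample in the shape `tcpdump -n -i wlan0` prints. The DNS query names
# Android's real connectivity-check host; every address is a placeholder.
SAMPLE_CAPTURE = """\
12:00:01.000 IP 192.0.2.23.51820 > 198.51.100.10.51820: UDP, length 148
12:00:01.100 IP 192.0.2.23.41000 > 192.0.2.1.53: 12345+ A? connectivitycheck.gstatic.com. (45)
12:00:01.120 IP 192.0.2.1.53 > 192.0.2.23.41000: 12345 1/0/0 A 203.0.113.5 (61)
12:00:01.150 IP 192.0.2.23.41001 > 203.0.113.5.443: Flags [S], seq 1, win 65535, length 0
12:00:01.200 IP 192.0.2.23.41002 > 203.0.113.7.123: NTPv4, Client, length 48
12:00:02.000 IP 192.0.2.23.51820 > 198.51.100.10.51820: UDP, length 1280
"""

# IPv4 line: "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
PORT_LABELS = {53: "dns", 443: "https", 123: "ntp"}


def classify(dport, rest):
    """Label a bypassing packet; DNS queries also carry the name looked up."""
    if dport == 53 and "?" in rest:
        qname = rest.split("?", 1)[1].split()[0].rstrip(".")
        return f"dns:{qname}"
    return PORT_LABELS.get(dport, f"port{dport}")


def find_leaks(capture_text, vpn_endpoint=VPN_ENDPOINT, device_ip=DEVICE_IP):
    """Return (timestamp, dst, dport, kind) for every packet the device sent on
    the physical interface to anything other than the VPN endpoint."""
    leaks = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] != device_ip:
            continue  # unparsable line, or an inbound packet
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) == vpn_endpoint:
            continue  # encrypted tunnel traffic is expected on this interface
        leaks.append((m["ts"], dst, dport, classify(dport, m["rest"])))
    return leaks
```

Feed it a capture taken on the physical interface (from a rooted device, or upstream on the access point) and anything it returns left the device outside the tunnel; a leak during every Wi-Fi association is the behaviour the articles describe.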

https://m.slashdot.org/story/405837

Google Starts Testing Holographic Video Chats at Real Offices

https://www.cnet.com/tech/computing/google-starts-testing-holographic-video-chats-at-real-offices/

Google’s Project Starline, a holographic chat booth being installed in some early-access test offices this year.

Project Starline, Google’s experimental technology using holographic light field displays to video chat with distant co-workers, is moving out of Google’s offices and into some real corporate locations for testing starting this year.

Google’s Project Starline tech, announced last year at the company’s I/O developer conference, uses giant light field displays and an array of cameras to record and display 3D video between two people at two different remote locations.

Starline prototypes are being installed at Salesforce, WeWork, T-Mobile and Hackensack Meridian Health offices as part of the early-access program, with each company that’s part of the program getting two units to test to start.

Google’s Project Starline makes it seem like you’re talking to someone in real life through a window, instead of through video chat.

According to Google, 100 businesses have already demoed Project Starline at the company’s own offices. The off-Google installations are a next step to test how the holographic video chats could be used to create more realistic virtual meetings, without needing to use VR or AR headsets.

This tech won’t be anything that regular customers will be seeing: it’s being installed for corporate use only and only in a few test sites for now. But it’s technology that Google believes could help remote communications with customers, creating a more immediate sense of presence than standard video chats.