Google Chrome’s Privacy Sandbox: any site can now query all your habits

[…]

Specifically, the web giant’s Privacy Sandbox APIs, a set of ad delivery and analysis technologies, now function in the latest version of the Chrome browser. Website developers can thus write code that calls those APIs to deliver and measure ads to visitors with compatible browsers.

That is to say, sites can ask Chrome directly what kinds of topics you’re interested in – topics automatically selected by Chrome from your browsing history – so that ads personalized to your activities can be served. This is supposed to be better than being tracked via third-party cookies, support for which is being phased out. There are other aspects to the sandbox that we’ll get to.

While Chrome is the main vehicle for Privacy Sandbox code, Microsoft Edge, based on the open source Chromium project, has also shown signs of supporting the technology. Apple and Mozilla have rejected at least the Topics API for interest-based ads on privacy grounds.

[…]

“The Privacy Sandbox technologies will offer sites and apps alternative ways to show you personalized ads while keeping your personal information more private and minimizing how much data is collected about you.”

These APIs include:

  • Topics: Locally track browsing history to generate ads based on demonstrated user interests without third-party cookies or identifiers that can track across websites.
  • Protected Audience (FLEDGE): Serve ads for remarketing (e.g. you visited a shoe website so we’ll show you a shoe ad elsewhere) while mitigating third-party tracking across websites.
  • Attribution Reporting: Data to link ad clicks or ad views to conversion events (e.g. sales).
  • Private Aggregation: Generate aggregate data reports using data from Protected Audience and cross-site data from Shared Storage.
  • Shared Storage: Allow unlimited, cross-site storage write access with privacy-preserving read access. In other words, you graciously provide local storage via Chrome for ad-related data or anti-abuse code.
  • Fenced Frames: Securely embed content onto a page without sharing cross-site data. Or iframes without the security and privacy risks.

These technologies, Google and industry allies believe, will allow the super-corporation to drop support for third-party cookies in Chrome next year without seeing a drop in targeted advertising revenue.

[…]

“Privacy Sandbox removes the ability of website owners, agencies and marketers to target and measure their campaigns using their own combination of technologies in favor of a Google-provided solution,” James Rosewell, co-founder of MOW, told The Register at the time.

[…]

Controversially, in the US, where lack of coherent privacy rules suits ad companies just fine, the popup merely informs the user that these APIs are now present and active in the browser but requires visiting Chrome’s Settings page to actually manage them – you have to opt-out, if you haven’t already. In the EU, as required by law, the notification is an invitation to opt-in to interest-based ads via Topics.

Source: How Google Chrome’s Privacy Sandbox works and what it means • The Register

Clever Camera Trick Allows view of Sun’s Corona

[…]

Using Solar Orbiter’s Extreme Ultraviolet Imager (EUI), the team of scientists behind the mission was able to record part of the Sun’s atmosphere at extreme ultraviolet wavelengths. The last-minute modification to the instrument involved adding a small, protruding “thumb” to block the bright light coming from the Sun such that the fainter light of its atmosphere could be made visible.

“It was really a hack,” Frédéric Auchère, an astrophysicist at the Institute of Astrophysics of the Université Paris-Sud in France, and a member of the EUI team, said in a statement. “I had the idea to just do it and see if it would work. It is actually a very simple modification to the instrument.”

EUI produces high-resolution images of the structures in the Sun’s atmosphere. The team behind the instrument added a thumb to a safety door on EUI, which slides out of the way to let light into the camera so it can capture images of the Sun. If the door stops halfway, however, the thumb ends up shielding the bright light coming from the Sun’s disc in the center so that the fainter ultraviolet light coming from the corona (the outermost part of the atmosphere) can be visible.

A new way to view the Sun

The result is an ultraviolet image of the Sun’s corona. An ultraviolet image of the Sun’s disc has been superimposed in the middle, in the area left blank by the thumb hack, according to ESA.

The corona is usually hidden by the bright light of the Sun’s surface, and can mostly be seen during a total solar eclipse. The camera hack sort of mimics that same effect of the eclipse by blocking out the Sun’s light. The Sun’s corona has long baffled scientists as it is much hotter than the surface of the Sun with temperatures reaching 1.8 million degrees Fahrenheit (1 million degrees Celsius), one of the greatest mysteries surrounding our host star.

“We’ve shown that this works so well that you can now consider a new type of instrument that can do both imaging of the Sun and the corona around it,” Daniel Müller, ESA’s Project Scientist for Solar Orbiter, said in a statement.

[…]

Source: Clever Camera Trick Unlocks Hidden Secrets of Sun’s Atmosphere

China-Linked Hackers Breached Microsoft Engineer Account, Compromised the Email Accounts of US Officials – By Finding Key in Crash Dumps

An anonymous reader shared this report from Bloomberg: China-linked hackers breached the corporate account of a Microsoft engineer and are suspected of using that access to steal a valuable key that enabled the hack of senior U.S. officials’ email accounts, the company said in a blog post. The hackers used the key to forge authentication tokens to access email accounts on Microsoft’s cloud servers, including those belonging to Commerce Secretary Gina Raimondo, Representative Don Bacon and State Department officials earlier this year.

The U.S. Cybersecurity and Infrastructure Security Agency and Microsoft disclosed the breach in June, but it was still unclear at the time exactly how hackers were able to steal the key that allowed them to access the email accounts. Microsoft said the key had been improperly stored within a “crash dump,” which is data stored after a computer or application unexpectedly crashes…

The incident has brought fresh scrutiny to Microsoft’s cybersecurity practices.
Microsoft’s blog post says they corrected two conditions which allowed this to occur. First, “a race condition allowed the key to be present in the crash dump,” and second, “the key material’s presence in the crash dump was not detected by our systems.”

We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network. This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected).

After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer’s corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key. Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.

Source: How a Breached Microsoft Engineer Account Compromised the Email Accounts of US Officials – Slashdot
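The excerpt above says the key material sat undetected in a crash dump that was moved to a less isolated network. As an added illustration (not Microsoft's scanner and not code from the quoted posts), the following Python sketch scans raw dump bytes for private-key signatures before a dump leaves an isolated environment; the signature set, function names and sample bytes are assumptions constructed for this example.

```python
import re

# Assumed signatures for this example (not Microsoft's): PEM armor plus the
# fixed DER prefixes of RSA private keys, which text-only scanners miss.
SIGNATURES = {
    "pem-private-key": re.compile(rb"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----"),
    # PKCS#1: SEQUENCE(16-bit len), INTEGER 0, INTEGER(16-bit len) modulus
    "der-pkcs1-rsa": re.compile(rb"\x30\x82..\x02\x01\x00\x02\x82..", re.DOTALL),
    # PKCS#8: SEQUENCE(16-bit len), INTEGER 0, AlgorithmIdentifier rsaEncryption
    "der-pkcs8-rsa": re.compile(
        rb"\x30\x82..\x02\x01\x00\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01",
        re.DOTALL),
}

def scan_dump(data: bytes):
    """Return sorted (offset, signature_name) hits for key material in a dump."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(data):
            if name.startswith("der-"):
                # Cut false positives: the declared SEQUENCE length must fit
                # inside the remaining bytes of the dump.
                declared = int.from_bytes(data[m.start() + 2:m.start() + 4], "big")
                if m.start() + 4 + declared > len(data):
                    continue
            hits.append((m.start(), name))
    return sorted(hits)

def build_constructed_dump() -> bytes:
    # Constructed sample, not a real dump and not a real key: filler bytes with
    # a fake PKCS#1 header, a bare PEM marker, and a decoy whose length overruns.
    fake_der = b"\x30\x82\x04\xa4\x02\x01\x00\x02\x82\x01\x01\x00" + b"\xab" * 0x04a4
    decoy = b"\x30\x82\xff\xff\x02\x01\x00\x02\x82\x01\x01"
    return (b"\x00" * 64 + fake_der + b"\x00" * 32
            + b"-----BEGIN PRIVATE KEY-----" + b"\x00" * 16 + decoy)

if __name__ == "__main__":
    for offset, name in scan_dump(build_constructed_dump()):
        print(f"possible key material at offset {offset:#x}: {name}")
```

A hit is a reason to quarantine the dump for review rather than proof of a usable key; symmetric keys and other formats need their own signatures or entropy checks.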

MGM Resorts Hit By Cyberattack; Hotels and Casinos Impacted

[…]

On Monday, local news outlets in Las Vegas caught wind of various complaints from patrons of MGM businesses; some said ATMs at associated hotels and casinos didn’t appear to be working; others said their hotel room keys had stopped functioning; still others noted that bars and restaurants located within MGM complexes had suddenly been shuttered. If you head to MGM’s website, meanwhile, you’ll note it’s definitely not working the way that it’s supposed to.

MGM put out a short statement Monday saying that it had been the victim of an undisclosed “cybersecurity issue.” The Associated Press notes that computer outages connected to said issue appear to be impacting MGM venues across the U.S.—in Vegas but also in places as far flung as Mississippi, Ohio, Michigan, and large parts of the northeast.

[…]

Source: MGM Resorts Hit By Cyberattack; Hotels and Casinos Impacted

Google taken to court in NL for large scale privacy breaches

The Foundation for the Protection of Privacy Interests and the Consumers’ Association are taking the next step in their fight against Google. The tech company is being taken to court today for ‘large-scale privacy violations’.

The proceedings demand, among other things, that Google stop its constant surveillance and sharing of personal data through online advertising auctions and also pay damages to consumers. Since the announcement of this action on May 23, 2023, more than 82,000 Dutch people have already joined the mass claim.

According to the organizations, Google is acting in violation of Dutch and European privacy legislation. The tech giant collects users’ online behavior and location data on an immense scale through its services and products, without providing enough information or having obtained permission. Google then shares that data, including highly sensitive personal data about health, ethnicity and political preference, for example, with hundreds of parties via its online advertising platform.

Google is constantly monitoring everyone. Even when using third-party cookies – which are invisible – Google continues to collect data through other people’s websites and apps, even when someone is not using its products or services. This enables Google to monitor almost the entire internet behavior of its users.

All these matters have been discussed with Google, to no avail.

The Foundation for the Protection of Privacy Interests represents the interests of users of Google’s products and services living in the Netherlands who have been harmed by privacy violations. The foundation is working together with the Consumers’ Association in the case against Google. Consumers’ Association Claimservice, a partnership between the Consumers’ Association and ConsumersClaim, processes the registrations of affiliated victims.

More than 82,000 consumers have already registered for the Google claim. They demand compensation of 750 euros per participant.

A lawsuit by the American government against Google starts today in the US. Ten weeks have been set aside for this. This mainly revolves around the power of Google’s search engine.

Essentially, Google is accused of entering into exclusive agreements to guarantee the use of its search engine. These are agreements that prevent alternative search engines from being pre-installed, or that prevent Google’s search app from being removed.

Source: Google voor de rechter gedaagd wegens ‘grootschalige privacyschendingen’ – Emerce (NL)

BMW Ends Heated Seat Subscriptions Because People Hated It

Last year, BMW underwent media and customer hellfire over its decision to offer a monthly subscription for heated seats. While seat heating wasn’t the only option available for subscription, it was the one that seemed to infuriate everyone the most, since it concerned hardware already present in the car from the factory. After months of customers continuously expressing their displeasure with the plan, BMW has finally decided to abandon recurring charges for hardware-based functions.

“What we don’t do any more—and that is a very well-known example—is offer seat heating by [monthly subscriptions]” BMW marketing boss Pieter Nota said to Autocar. “It’s either in or out. We offer it by the factory and you either have it or you don’t have it.”

BMW’s move wasn’t solely about charging customers monthly for heated seats. Rather, the luxury automaker wanted to streamline production and reduce costs there by physically installing heated seats in every single car, since 90% of all BMWs are bought with seat heaters anyway. Then, owners who didn’t spec heated seats from the factory could digitally unlock them later with either a monthly subscription or a one-time perma-buy option. Nota still believes it was a good idea.

[…]

BMW was absolutely double dipping with heated seat subscriptions. The company started down that route to reduce production costs, making each car cheaper to build by streamlining the process. Fair enough. However, those reduced costs weren’t then passed down to buyers via lower MSRPs. Customers were technically paying for those heated seats anyway, no matter whether they wanted them. Then, BMW was not only charging extra to use a feature already installed in the car, but also subjecting it to subscription billing, even though seat heating is static hardware not designed to change or improve over time.

Customers weren’t happy, and rightfully made their grievance known. While it’s good that BMW ultimately buckled to the public’s wishes here, it doesn’t seem like the automaker’s board members truly understand why the outrage happened in the first place.

[…]

Source: BMW Ends Heated Seat Subscriptions Because People Hated It