Monthly Archives: February 2024

Coinbase pulls rug. Crypto holder trading is disabled and all assets shown $0 to users. Bitcoin is shooting up currently at $61k highly volatile and history repeats itself. PTSD from GME buy button disable is real. Not your wallet, not your money.

Posted on by

Coinbase is pulling the rug right now.

Check their sub and witness the fire.

Update:
They are now excusing it all with this error.

Update 2:
I argue it is fully artificial override since when loading the webpage it does momentarily flicker your true asset value and it gets then updated to zero when page finishes loading, even after one purges the browser data. So their data comes through, it is just forced to go zero to disable trading. I wait to be debunked. I do have some funds over there purely for science.

Update 3:
I now see my assets again after 70 minutes since the initial downtime began, missing a lot of “valuable” volatility.
Trading is still disabled though.
And in particular BTC-USD advanced trading doesn’t seem to load whatsoever.

Update 4:
Mainstream seems to be making articles now to ensure people their assets are all “wasted” yet safe.
https://www.bnnbloomberg.ca/coinbase-tells-users-your-assets-are-safe-as-some-see-0-balance-1.2040524

…issues with Coinbase may have more significance these days, considering the outsized role the company plays in helping to manage the new spot-Bitcoin ETFs. Coinbase provides a variety of services to the fund issuers, including serving as custodian for eight of the 10 spot Bitcoin ETFs.

Source: Coinbase pulling the rug right now. Crypto holder trading is disabled and all assets shown $0 to users. Bitcoin is shooting up currently at $61k highly volatile and history repeats itself. PTSD from GME buy button disable is real. Not your wallet, not your money. : Superstonk

Basically trading from Coinbase has been suspended now that BTC is flying up. A bit like how Robin Hood and a few other traders stopped people from selling Gamestop when it flew up.

Scammers Are Now Scanning Faces To Defeat Age verification Biometric Security Measures

Posted on by

For quite some time now we’ve been pointing out the many harms of age verification technologies, and how they’re a disaster for privacy. In particular, we’ve noted that if you have someone collecting biometric information on people, that data itself becomes a massive risk since it will be targeted.

And, remember, a year and a half ago, the Age Verification Providers Association posted a comment right here on Techdirt saying not to worry about the privacy risks, as all they wanted to do was scan everyone’s face to visit a website (perhaps making you turn to the left or right to prove “liveness”).

Anyway, now a report has come out that some Chinese hackers have been tricking people into having their faces scanned, so that the hackers can then use the resulting scan to access accounts.

Attesting to this, cybersecurity company Group-IB has discovered the first banking trojan that steals people’s faces. Unsuspecting users are tricked into giving up personal IDs and phone numbers and are prompted to perform face scans. These images are then swapped out with AI-generated deepfakes that can easily bypass security checkpoints

The method — developed by a Chinese-based hacking family — is believed to have been used in Vietnam earlier this month, when attackers lured a victim into a malicious app, tricked them into face scanning, then withdrew the equivalent of $40,000 from their bank account. 

Cool cool, nothing could possibly go wrong in now requiring more and more people to normalize the idea of scanning your face to access a website. Nothing at all.

And no, this isn’t about age verification, but still, the normalization of facial scanning is a problem, as it’s such an obvious target for scammers and hackers.

Source: As Predicted: Scammers Are Now Scanning Faces To Defeat Biometric Security Measures | Techdirt

EU to hit Apple with first ever fine in €500mn music streaming penalty

Posted on by

apple and google as monopoly characters holding big bags of cash in front of a store

Brussels is to impose its first ever fine on tech giant Apple for allegedly breaking EU law over access to its music streaming services, according to five people with direct knowledge of the long-running investigation.

The fine, which is in the region of €500mn and is expected to be announced early next month, is the culmination of a European Commission antitrust probe into whether Apple has used its own platform to favour its services over those of competitors.

The probe is investigating whether Apple blocked apps from informing iPhone users of cheaper alternatives to access music subscriptions outside the App Store. It was launched after music-streaming app Spotify made a formal complaint to regulators in 2019.

The Commission will say Apple’s actions are illegal and go against the bloc’s rules that enforce competition in the single market, the people familiar with the case told the Financial Times. It will ban Apple’s practice of blocking music services from letting users outside its App Store switch to cheaper alternatives.

Brussels will accuse Apple of abusing its powerful position and imposing anti-competitive trading practices on rivals, the people said, adding that the EU would say the tech giant’s terms were “unfair trading conditions”.

It is one of the most significant financial penalties levied by the EU on big tech companies. A series of fines against Google levied over several years and amounting to about €8bn are being contested in court.

Apple has never previously been fined for antitrust infringements by Brussels, but the company was hit in 2020 with a €1.1bn fine in France for alleged anti-competitive behaviour. The penalty was revised down to €372mn after an appeal.

The EU’s action against Apple will reignite the war between Brussels and Big Tech at a time when companies are being forced to show how they are complying with landmark new rules aimed at opening competition and allowing small tech rivals to thrive.

Companies that are defined as gatekeepers, including Apple, Amazon and Google, need to fully comply with these rules under the Digital Markets Act by early next month.

The act requires these tech giants to comply with more stringent rules and will force them to allow rivals to share information about their services.

[…]

Source: EU to hit Apple with first ever fine in €500mn music streaming penalty

You can now mark up your Google Docs with handwritten notes on Android devices

Posted on by

Google Docs is getting an annotation feature that will let you mark up your documents just like you might with a pen and paper. With today’s update, announced at MWC 2024, Google Docs users on Android devices can use a finger or stylus to write notes, highlight text and circle words to their heart’s desire. Google says the feature will work on Android tablets and smartphones, so it’s got some real potential to give devices like foldables even more of a productivity boost. It should also make for a smoother way to sign digital documents.

Android users will have access to multiple pen colors and highlighters with the new annotation tool for Google Docs, which is good news for anyone who loves color-coding their notes. If the popularity of digital notebooks like reMarkable’s tablets or Amazon’s Kindle Scribe has taught us anything, it’s that, as speedy as typing may be, plenty of people still prefer writing by hand when it’s an option. The only thing this update seems to be missing is the ability to convert handwriting to text, which would allow for more extensive writing tasks.

[…]

Source: You can now mark up your Google Docs with handwritten notes on Android devices

Reggaeton Be Gone – use a Raspberry Pi to jam bluetooth speakers when reggaeton music comes on

Posted on by

[…]

Consider this scenario: Your wall-to-wall neighbor loves to blast Reggaeton music at full volume through a Bluetooth speaker every morning at 9 am. You have two options:

  • A. Knock on their door and politely ask them to lower the volume.
  • B. Build an AI device that can handle the situation more creatively.

Reggaeton Be Gone (the name is a homage to Tv-B-Gone device) will monitor room audio, it will identify Reggaeton genre with Machine Learning and trigger comm requests and packets to the Bluetooth speaker with the high goal of disabling it or at least disturbing the sound so much that the neighbor won’t have other option that turn it off.

[…]

Plans to make your own in the Source: Reggaeton Be Gone – Hackster.io

Nintendo files lawsuit against creators of Yuzu emulator

Posted on by

yuzu nintendo switch emulator on android[…]

The 41-page lawsuit was filed against Tropic Haze, the company that makes Yuzu. (Nintendo also specifically references a person aliased as Bunnei, who leads development on Yuzu.) Yuzu is a free emulator that was released in 2018 months after the Nintendo Switch originally launched. The same folks who made Citra, a Nintendo 3DS emulator, made this one. Basically, it’s a piece of software that lets people play Nintendo Switch games on Windows PC, Linux, and Android devices. (It also runs on Steam Deck, which Valve showed — then wiped — in a Steam Deck video clip.) Emulators aren’t necessarily illegal, but pirating games to play on them is. But Nintendo said in its lawsuit that there’s no way to legal way to use Yuzu.

Nintendo argued that Yuzu executes codes that “defeat” Nintendo’s security measures, including decryption using “an illegally-obtained copy of prod.keys.”

“In other words, without Yuzu’s decryption of Nintendo’s encryption, unauthorized copies of games could not be played on PCs or Android devices,” Nintendo wrote in the lawsuit. As to the alleged damages created by Yuzu, Nintendo pointed to the release of The Legend of Zelda: Tears of the Kingdom. Tears of the Kingdom leaked almost two weeks earlier than the game’s May 12 release date. The pirated version of the game spread quickly; Nintendo said it was downloaded more than 1 million times before Tears of the Kingdom’s release date. People used Yuzu to play the game; Nintendo said more than 20% of download links pointed people to Yuzu.

Though Yuzu doesn’t give out pirated copies of games, Nintendo repeatedly said that most ROM sites point people toward Yuzu to play whatever games they’ve downloaded.

[…]

Nintendo is asking the court to shut down the emulator, and for damages. Polygon has reached out to Nintendo and Tropic Haze for comment.

The Tears of the Kingdom publisher is notoriously strict with its intellectual property. Nintendo’s won several lawsuits targeting pirated game sites like RomUniverse, where it was awarded more than $2 million in damages. Nintendo also notoriously went after an alleged Nintendo Switch hacker named Gary Bowser, who was arrested and charged for selling Switch hacks. Though he’s been released from prison, Bowser still owes Nintendo $10 million; he paid Nintendo $175 while in prison from money he earned working in the prison library and kitchen.

Source: Nintendo files lawsuit against creators of Yuzu emulator – Polygon

So if all the links point to the pirated copy of the game, why don’t Nintendo sue Google and Baidu and Yandex and all the other search engines that provide the links? Because they are huge and have massive lawyer engines. And Yuzu doesn’t. And also because providing links is not illegal, as has been seen again and again. Also, creating emulators is not illegal either, but the lawsuits will probably suffocate the company. The law is seriously broken.

Meta will start collecting much more “anonymized” data about Quest headset usage

Posted on by

Meta will soon begin “collecting anonymized data” from users of its Quest headsets, a move that could see the company aggregating information about hand, body, and eye tracking; camera information; “information about your physical environment”; and information about “the virtual reality events you attend.”

In an email sent to Quest users Monday, Meta notes that it currently collects “the data required for your Meta Quest to work properly.” Starting with the next software update, though, the company will begin collecting and aggregating “anonymized data about… device usage” from Quest users. That anonymized data will be used “for things like building better experiences and improving Meta Quest products for everyone,” the company writes.

A linked help page on data sharing clarifies that Meta can collect anonymized versions of any of the usage data included in the “Supplemental Meta Platforms Technologies Privacy Policy,” which was last updated in October. That document lists a host of personal information that Meta can collect from your headset, including:

  • “Your audio data, when your microphone preferences are enabled, to animate your avatar’s lip and face movement”
  • “Certain data” about hand, body, and eye tracking, “such as tracking quality and the amount of time it takes to detect your hands and body”
  • Fitness-related information such as the “number of calories you burned, how long you’ve been physically active, [and] your fitness goals and achievements”
  • “Information about your physical environment and its dimensions” such as “the size of walls, surfaces, and objects in your room and the distances between them and your headset”
  • “Voice interactions” used when making audio commands or dictations, including audio recordings and transcripts that might include “any background sound that happens when you use those services” (these recordings and transcriptions are deleted “immediately” in most cases, Meta writes)
  • Information about “your activity in virtual reality,” including “the virtual reality events you attend”

The anonymized collection data is used in part to “analyz[e] device performance and reliability” to “improve the hardware and software that powers your experiences with Meta VR Products.”

What does Meta know about what you're doing in VR?
Enlarge / What does Meta know about what you’re doing in VR?
Meta

Meta’s help page also lists a small subset of “additional data” that headset users can opt out of sharing with Meta. But there’s no indication that Quest users can opt out of the new anonymized data collection policies entirely.

These policies only seem to apply to users who make use of a Meta account to access their Quest headsets, and those users are also subject to Meta’s wider data-collection policies. Those who use a legacy Oculus account are subject to a separate privacy policy that describes a similar but more limited set of data-collection practices.

Not a new concern

Meta is clear that the data it collects “is anonymized so it does not identify you.” But here at Ars, we’ve long covered situations where data that was supposed to be “anonymous” was linked back to personally identifiable information about the people who generated it. The FTC is currently pursuing a case against Kochava, a data broker that links de-anonymized geolocation data to a “staggering amount of sensitive and identifying information,” according to the regulator.

Concerns about VR headset data collection dates back to when Meta’s virtual reality division was still named Oculus. Shortly after the launch of the Oculus Rift in 2016, Senator Al Franken (D-Minn.) sent an open letter to the company seeking information on “the extent to which Oculus may be collecting Americans’ personal information, including sensitive location data, and sharing that information with third parties.”

In 2020, the company then called Facebook faced controversy for requiring Oculus users to migrate to a Facebook account to continue using their headsets. That led to a temporary pause of Oculus headset sales in Germany before Meta finally offered the option to decouple its VR accounts from its social media accounts in 2022.

Source: Meta will start collecting “anonymized” data about Quest headset usage | Ars Technica

$500 drone calculates its position with camera, Google Maps

Posted on by

[…]

A team of drone enthusiasts have built a sub-$500 drone that uses a camera and Google Maps to provide itself with GPS co-ordinates, removing the need for a GPS satellite signal. And all of this was done in 24 hours during the El Segundo Defense Tech Hackathon.

[…]

The drone uses a camera mounted underneath it to position itself with imagery from Google Maps highlighting similarities in the images to get a rough estimate of the co-ordinates

[…]

Google Maps allows users to download segments of maps ahead of time, usually for use when you are travelling or camping out in remote areas.

[…]

Without needing to rely on an external constellation of satellites, the GPS-free drone can continue operating on missions in GPS-denied environments, such as remote areas or those that have been jammed. Unlike Skydio’s approach, which uses cameras to position itself, using imagery that doesn’t rely on light to work means this drone can fly anywhere in the world it has imagery for at any time of the day or night.

[…]

Source: $500 drone calculates its position with camera, Google Maps

Vietnam to collect biometrics – even DNA – for new ID cards. Centralised databases never leak.

Posted on by

The Vietnamese government will begin collecting biometric information from its citizens for identification purposes beginning in July this year.

Prime minister Pham Minh Chinh instructed the nation’s Ministry of Public Security to collect the data in the form of iris scans, voice samples and actual DNA, in accordance with amendments to Vietnam’s Law on Citizen Identification.

The ID cards are issued to anyone over the age of 14 in Vietnam, and are optional for citizens between the ages of 6 and 14, according to a government news report.

Ammendments to the Law on Citizen Identification that allow collection of biometrics passed on November 27 of last year.

The law allows recording of blood type among the DNA-related information that will be contained in a national database to be shared across agencies “to perform their functions and tasks.”

The ministry will work with other parts of the government to integrate the identification system into the national database.

As for how the information will be collected, the amendments state:

Biometric information on DNA and voice is collected when voluntarily provided by the people or the agency conducting criminal proceedings or the agency managing the person to whom administrative measures are applied in the process of settling the case according to their functions and duties whether to solicit assessment or collect biometric information on DNA, people’s voices are shared with identity management agencies for updating and adjusting to the identity database.

Vietnam’s future identity cards will incorporate the functions of health insurance cards, social insurance books, driver’s licenses, birth certificates, and marriage certificates, as defined by the amendment.

There are approximately 70 million adults in Vietnam as of 2022, making the collection and safeguarding of such data no small feat.

The Reg is sure the personal information on all those citizens will be just fine – personal data held by governments for ID cards certainly never leaks.

[…]

Source: Vietnam to collect biometrics – even DNA – for new ID cards • The Register

Absolutely retarded.

‘No one understands outsourcing the management of .nl domains to Amazon’

Posted on by

At the beginning of February, SIDN was in the news after announcing that it wanted to outsource part of its services to Amazon Web Services, the American web giant. According to SIDN, the reason for the outsourcing was that implementation on its own servers had become too expensive and too labor-intensive.

Van Eeten: ‘SIDN has not provided any explanation as to how on earth it ended up at Amazon. I can imagine that they don’t feel like dealing with all that iron (servers) and can’t find staff. But then there are numerous Dutch providers who say: ‘Just leave it to us. Then we will arrange everything.’

Van Eeten also does not understand why the registration system used by SIDN would be so demanding. ‘In principle it seems quite simple, I estimate a few hundred accounts on a database. I don’t see any reason why a Dutch cloud service couldn’t handle that.’

The criticism is partly a matter of timing: five years ago there would have been a lot less fuss about it. Van Eeten: ‘But in recent years the question has increasingly arisen whether it is wise to outsource more and more digital services to a handful of American companies. That discussion is about digital sovereignty. And that has become quite a thing in Europe.’

Source: ‘No one understands outsourcing the management of .nl domains to Amazon’ – Emerce

It’s completely nuts that a technical organisation says they can’t be technical – and is washing its hands of running the most popular TLD per capita population in the world!

Wyze says camera breach let 13,000 customers briefly see into other people’s homes

Posted on by

Last week, co-founder David Crosby said that “so far” the company had identified 14 people who were able to briefly see into a stranger’s property because they were shown an image from someone else’s Wyze camera. Now we’re being told that number of affected customers has ballooned to 13,000.

The revelation came from an email sent to customers entitled “An Important Security Message from Wyze,” in which the company copped to the breach and apologized, while also attempting to lay some of the blame on its web hosting provider AWS.

“The outage originated from our partner AWS and took down Wyze devices for several hours early Friday morning. If you tried to view live cameras or Events during that time, you likely weren’t able to. We’re very sorry for the frustration and confusion this caused.

The breach, however, occurred as Wyze was attempting to bring its cameras back online. Customers were reporting seeing mysterious images and video footage in their own Events tab. Wyze disabled access to the tab and launched its own investigation.

As it did before, Wyze is chalking up the incident to “a third-party caching client library” that was recently integrated into its system.

This client library received unprecedented load conditions caused by devices coming back online all at once. As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.

But it was too late to prevent an estimated 13,000 people from getting an unauthorized peek at thumbnails from a stranger’s homes. Wyze says that 1,504 people tapped to enlarge the thumbnail, and that a few of them caught a video that they were able to view. It also claims that all impacted users have been notified of the security breach, and that over 99 percent of all of its customers weren’t affected.

[…]

Source: Wyze says camera breach let 13,000 customers briefly see into other people’s homes – The Verge

Which it’s better to store stuff on your own NAS hardware instead of some vendor’s cloud.

Chinese and US researchers show new side channel can reproduce fingerprints by listening to swiping sounds on screen

Posted on by

An interesting new attack on biometric security has been outlined by a group of researchers from China and the US. PrintListener: Uncovering the Vulnerability of Fingerprint Authentication via the Finger Friction Sound [PDF] proposes a side-channel attack on the sophisticated Automatic Fingerprint Identification System (AFIS). The attack leverages the sound characteristics of a user’s finger swiping on a touchscreen to extract fingerprint pattern features. Following tests, the researchers assert that they can successfully attack “up to 27.9% of partial fingerprints and 9.3% of complete fingerprints within five attempts at the highest security FAR [False Acceptance Rate] setting of 0.01%.” This is claimed to be the first work that leverages swiping sounds to infer fingerprint information.

[…]

the PrintListener paper says that “finger-swiping friction sounds can be captured by attackers online with a high possibility.” The source of the finger-swiping sounds can be popular apps like Discord, Skype, WeChat, FaceTime, etc. Any chatty app where users carelessly perform swiping actions on the screen while the device mic is live. Hence the side-channel attack name – PrintListener.

[…]

Source: Your fingerprints can be recreated from the sounds made when you swipe on a touchscreen — Chinese and US researchers show new side channel can reproduce fingerprints to enable attacks | Tom’s Hardware

Four-day week made permanent for most UK firms in world’s biggest trial

Posted on by

Of the 61 organisations that took part in a six-month UK pilot in 2022, 54 (89%) are still operating the policy a year later, and 31 (51%) have made the change permanent.

More than half (55%) of project managers and CEOs said a four-day week – in which staff worked 100% of their output in 80% of their time – had a positive impact on their organisation, the report found.

For 82% this included positive effects on staff wellbeing, 50% found it reduced staff turnover, while 32% said it improved job recruitment. Nearly half (46%) said working and productivity improved.

[…]

The four-day working week report, by the thinktank Autonomy and researchers from the University of Cambridge, the University of Salford and Boston College in the US, found that “many of the significant benefits found during the initial trial have persisted 12 months on”, although they noted that it was a small sample size.

Almost all (96%) of staff said their personal life had benefited, and 86% felt they performed better at work, while 38% felt their organisation had become more efficient, and 24% said it had helped with caring responsibilities.

Organisations reduced working hours by an average of 6.6 hours to reach a 31.6-hour week. Most gave their staff one full day off a week, either universal or staggered. The report found that protected days off were more effective than those on which staff were “on call” or sometimes expected to work.

The most successful companies made their four-day week “clear, confident and well-communicated”, and co-designed their policies between staff and management, thinking carefully about how to adapt work processes, the authors wrote.

[…]

 

Source: Four-day week made permanent for most UK firms in world’s biggest trial | Work-life balance | The Guardian

Varda Space, Rocket Lab nail first-of-its-kind spacecraft landing in Utah, bring back space grown drugs

Posted on by

A spacecraft containing pharmaceutical drugs that were grown on orbit has finally returned to Earth today after more than eight months in space.

Varda Space Industries’ in-space manufacturing capsule, called Winnebago-1, landed in the Utah desert at around 4:40 p.m. EST. Inside the capsule are crystals of the drug ritonavir, which is used to treat HIV/AIDS. It marks a successful conclusion of Varda’s first experimental mission to grow pharmaceuticals on orbit, as well as the first time a commercial company has landed a spacecraft on U.S. soil, ever.

The capsule will now be sent back to Varda’s facilities in Los Angeles for analysis, and the vials of ritonavir will be shipped to a research company called Improved Pharma for post-flight characterization, Varda said in a statement. The company will also be sharing all the data collected through the mission with the Air Force and NASA, per existing agreements with those agencies.

The first-of-its-kind reentry and landing is also a major win for Rocket Lab, which partnered with Varda on the mission. Rocket Lab hosted Varda’s manufacturing capsule inside its Photon satellite bus; through the course of the mission, Photon provided power, communications, attitude control and other essential operations. At the mission’s conclusion, the bus executed a series of maneuvers and de-orbit burns that put the miniature drug lab on the proper reentry trajectory. The final engine burn was executed shortly after 4 p.m. EST.

[…]

Source: Varda Space, Rocket Lab nail first-of-its-kind spacecraft landing in Utah | TechCrunch

Universal Antivenom for Snake Bites Might Soon Be a Reality

Posted on by

[…]

a team of scientists says they’ve created a lab-made antibody geared to counteract toxic bites from a wide variety of snakes. In early tests with mice, the uber-antivenom appeared to work as intended.

Snake antivenom is typically derived from the antibodies of horses or other animals that produce a strong immune response to snake toxins. These donated antibodies can be highly effective at preventing serious injury and death from a snakebite, but they come with serious limitations.

The chemical makeup of one species’s toxin can vary significantly from another’s, for instance, so antibodies to one specific toxin provide little protection against others. Manufacturers can try to work around this by inoculating animals with several toxins at once, but this method has drawbacks, such as needing a higher dose of antivenom since only some of the antibodies will have any effect.

[…]

Though snake toxins are remarkably complex and different from one another, even within the same class, the team managed to find sections of these toxins that were pretty similar across different species.

The scientists produced a variety of 3FTx toxins in the lab and then screened them against a database of more than 50 billion synthetic antibodies, looking for ones that could potentially neutralize several toxins at once. After a few rounds of selection, they ultimately identified one antibody that seemed to broadly neutralize at least five different 3FTx variants, called 95Mat5. They then put the antibody to a real-life test, finding that it fully protected mice from dying from the toxins of the many-banded krait, Indian spitting cobra, and black mamba, in some cases better than conventional antivenom; it also offered some protection against venom from the king cobra.

[…]

As seen with the king cobra, the 95Mat5 antibody alone may not work against every elapid snake. And it wouldn’t protect against bites from viper snakes, the other major family of venomous snakes. But the team’s process of identifying broadly neutralizing antibodies—adapted from similar research on the HIV virus—could be used to find other promising antivenom candidates.

[…]

Source: Universal Antivenom for Snake Bites Might Soon Be a Reality

Video generation models as world simulators by OpenAI Sora

Posted on by

[…]

Our largest model, Sora, is capable of generating a minute of high fidelity video. Our results suggest that scaling video generation models is a promising path towards building general purpose simulators of the physical world.

This technical report focuses on (1) our method for turning visual data of all types into a unified representation that enables large-scale training of generative models, and (2) qualitative evaluation of Sora’s capabilities and limitations. Model and implementation details are not included in this report.

[…]

Sampling flexibility

Sora can sample widescreen 1920x1080p videos, vertical 1080×1920 videos and everything inbetween. This lets Sora create content for different devices directly at their native aspect ratios. It also lets us quickly prototype content at lower sizes before generating at full resolution—all with the same model.

[…]

Source: Video generation models as world simulators

Canadian college M&M Vending machines secretly scanning faces – revealed by error message

Posted on by

[…]

The scandal started when a student using the alias SquidKid47 posted an image on Reddit showing a campus vending machine error message, “Invenda.Vending.FacialRecognitionApp.exe,” displayed after the machine failed to launch a facial recognition application that nobody expected to be part of the process of using a vending machine.

Reddit post shows error message displayed on a University of Waterloo vending machine (cropped and lightly edited for clarity).
Enlarge / Reddit post shows error message displayed on a University of Waterloo vending machine (cropped and lightly edited for clarity).
SquidKid47 on Reddit

“Hey, so why do the stupid M&M machines have facial recognition?” SquidKid47 pondered.

The Reddit post sparked an investigation from a fourth-year student named River Stanley, who was writing for a university publication called MathNEWS.

Stanley sounded alarm after consulting Invenda sales brochures that promised “the machines are capable of sending estimated ages and genders” of every person who used the machines without ever requesting consent.

This frustrated Stanley, who discovered that Canada’s privacy commissioner had years ago investigated a shopping mall operator called Cadillac Fairview after discovering some of the malls’ informational kiosks were secretly “using facial recognition software on unsuspecting patrons.”

Only because of that official investigation did Canadians learn that “over 5 million nonconsenting Canadians” were scanned into Cadillac Fairview’s database, Stanley reported. Where Cadillac Fairview was ultimately forced to delete the entire database, Stanley wrote that consequences for collecting similarly sensitive facial recognition data without consent for Invenda clients like Mars remain unclear.

Stanley’s report ended with a call for students to demand that the university “bar facial recognition vending machines from campus.”

A University of Waterloo spokesperson, Rebecca Elming, eventually responded, confirming to CTV News that the school had asked to disable the vending machine software until the machines could be removed.

[…]

Source: Vending machine error reveals secret face image database of college students | Ars Technica

iOS and Android users face scans used to break into bank accounts

Posted on by

[…]

GoldPickaxe and GoldPickaxe.iOS target Android and iOS respectively, tricking users into performing biometric verification checks that are ultimately used to bypass the same checks employed by legitimate banking apps in Vietnam and Thailand – the geographic focus of these ongoing attacks.

The iOS version is believed only to be targeting users in Thailand, masquerading as the Thai government’s official digital pensions app. That said, some think it has also made its way to Vietnam. This is because very similar attacks, which led to the theft of tens of thousands of dollars, were reported in the region earlier this month.

“It is of note that GoldPickaxe.iOS is the first iOS Trojan observed by Group-IB that combines the following functionalities: collecting victims’ biometric data, ID documents, intercepting SMS, and proxying traffic through the victims’ devices,” the researchers said.

“Its Android sibling has even more functionalities than its iOS counterpart, due to more restrictions and the closed nature of iOS.”

[…]

Researchers also found the Android version bore many more disguises than the iOS version – taking the form of more than 20 different government, finance, and utility organizations in Thailand, and allowing attackers to steal credentials for all of these services.

How’d they get on Apple phones?

In the case of iOS, the attackers had to be cunning. Their first method involved the abuse of Apple’s TestFlight platform, which allows apps to be distributed as betas before full release to the App Store.

After this method was stymied, attackers switched to more sophisticated social engineering. This involved influencing users to enroll their devices in an MDM program, allowing the attackers to push bad apps to devices that way.

In all cases, the initial contact with victims was made by the attackers impersonating government authorities on the LINE messaging app, one of the region’s most popular.

[…]

Once the biometrics scans were captured, attackers then used these scans, along with deepfake software, to generate models of the victim’s face.

Attackers would download the target banking app onto their own devices and use the deepfake models, along with the stolen identity documents and intercepted SMS messages, to remotely break into victims’ banks.

[…]

Facial biometrics were only mandated in Thailand last year, with plans first announced in March with an enforcement date set for July. Vietnam is poised to mandate similar controls by April this year.

From July 2023, all Thai banking apps had to comply with the new initiative and replace one-time passcodes with facial biometrics to decrease the threat of financial fraud in the region. This applied specifically to transactions exceeding 50,000 BAT (roughly $1,400).

[…]

Source: Stolen iOS users face scans used to break into bank accounts

Which goes to show – biometrics are unchangeable and so make for a really bad (and potentially dangerous, if people are inclinded to amputate parts of your anatomy) security pass.

Whoops: ‘Smart’ Livall Helmet Allowed Real Time Surveillance And Location Tracking Of A Million Customers

Posted on by

livall smart helmets

[,,,] a company named Livall makes “smart” bike helmets for skiers and cyclists that includes features like auto-fall detection, GPS location monitoring, and integrated braking lights. The problem: the company apparently didn’t spend enough time securing the company’s app, allowing pretty much anybody to listen in on and track the precise location data of a million customers in real time.

Livall’s smartphone apps feature group audio chats and location data. The problem: Ken Munro, founder of U.K. cybersecurity testing firm Pen Test Partners, found that the chat groups were secured by a six-digit pin code that was very simple to brute force (via Techcrunch):

“That 6 digit group code simply isn’t random enough. We could brute force all group IDs in a matter of minutes.”

Munro also noted that there was nothing to alert a group of cyclists or skiers that someone new had entered the chat, allowing a third party to monitor them in complete silence:

“As soon as one entered a valid group code, one joined the group automatically. There was no further authorisation nor alerts to the other group user. It was therefore trivial to silently join any group, giving us access to any users location and the ability to listen in to any group audio communications.

Whoops a daisy. As with so many modern “smart” tech companies, Munro also notes that Livall only took their findings seriously once they got a prominent security journalist (Zack Whittaker at Techcrunch) involved to bring attention to the problem. Livall finally fixed the problem, but it’s not entirely clear that would have happened without Whittaker’s involvement.

[…]

Source: Whoops: ‘Smart’ Helmet Allowed Real Time Surveillance And Location Tracking Of A Million Customers | Techdirt

European human rights court says backdooring encrypted comms is against human rights

Posted on by
a picture of an eye staring at your from your mobile phone

The European Court of Human Rights (ECHR) has ruled that laws requiring crippled encryption and extensive data retention violate the European Convention on Human Rights – a decision that may derail European data surveillance legislation known as Chat Control.

The Court issued a decision on Tuesday stating that “the contested legislation providing for the retention of all internet communications of all users, the security services’ direct access to the data stored without adequate safeguards against abuse and the requirement to decrypt encrypted communications, as applied to end-to-end encrypted communications, cannot be regarded as necessary in a democratic society.”

The “contested legislation” mentioned above refers to a legal challenge that started in 2017 after a demand from Russia’s Federal Security Service (FSB) that messaging service Telegram provide technical information to assist the decryption of a user’s communication. The plaintiff, Anton Valeryevich Podchasov, challenged the order in Russia but his claim was dismissed.

In 2019, Podchasov brought the matter to the ECHR. Russia joined the Council of Europe – an international human rights organization – in 1996 and was a member until it withdrew in March 2022 following its illegal invasion of Ukraine. Because the 2019 case predates Russia’s withdrawal, the ECHR continued to consider the matter.

The Court concluded that the Russian law requiring Telegram “to decrypt end-to-end encrypted communications risks amounting to a requirement that providers of such services weaken the encryption mechanism for all users.” As such, the Court considers that requirement disproportionate to legitimate law enforcement goals.

While the ECHR decision is unlikely to have any effect within Russia, it matters to countries in Europe that are contemplating similar decryption laws – such as Chat Control and the UK government’s Online Safety Act.

Chat Control is shorthand for European data surveillance legislation that would require internet service providers to scan digital communications for illegal content – specifically child sexual abuse material and potentially terrorism-related information. Doing so would necessarily entail weakening the encryption that keeps communication private.

Efforts to develop workable rules have been underway for several years and continue to this day, despite widespread condemnation from academics, privacy-oriented orgs, and civil society groups.

Patrick Breyer, a member of the European parliament for the Pirate Party, hailed the ruling for demonstrating that Chat Control is incompatible with EU law.

“With this outstanding landmark judgment, the ‘client-side scanning’ surveillance on all smartphones proposed by the EU Commission in its chat control bill is clearly illegal,” said Breyer.

“It would destroy the protection of everyone instead of investigating suspects. EU governments will now have no choice but to remove the destruction of secure encryption from their position on this proposal – as well as the indiscriminate surveillance of private communications of the entire population!” ®

Source: European human rights court says no to weakened encryption • The Register

New evidence changes key ideas about Earth’s climate history – it wasn’t that hot

Posted on by

A new study published in Science resolves a long-standing scientific debate, and it stands to completely change the way we think about Earth’s climate evolution.

The research debunks the idea that Earth’s surface (across land and sea) has experienced really hot temperatures over the last two billion years. Instead, it shows that Earth has had a relatively stable and mild climate.

Temperature is an important control over chemical reactions that govern life and our environment. This ground-breaking work will have significant implications for scientists working on or questions surrounding biological and climate .

[…]

In the work, Dr. Isson and Ph.D. student Sofia Rauzi adopted novel methods to illuminate a history of Earth’s surface .

They utilized five unique data records derived from different rock types including shale, iron oxide, carbonate, silica, and phosphate. Collectively, these ‘geochemical’ records comprise over 30,000 that span Earth’s multi-billion-year history.

To date, the study is the most comprehensive collation and interpretation of one of the oldest geochemical records—. Oxygen isotopes are different forms of the element oxygen. It is also the first study to use all five existing records to chart a consistent ‘map’ of temperature across an enormous portion of geological time.

“By pairing oxygen isotope records from different minerals, we have been able to reconcile a unified history of temperature on Earth that is consistent across all five records, and the oxygen isotopic composition of seawater,” says Dr. Isson.

The study disproves ideas that early oceans were hot with temperatures greater than 60°C prior to approximately half a billion years ago, before the rise of animals and land plants. The data indicates relatively stable and temperate early-ocean and temperatures of around 10°C which upends current thinking about the environment that complex life evolved in.

The work produces the first ever record of the evolution of terrestrial (land-based) and marine clay abundance throughout Earth history. This is the first direct evidence for an intimate link between the evolution of plants, marine creatures that make skeletons and shells out of silica (siliceous life forms), clay formation, and .

“The results suggest that the process of clay formation may have played a key role in regulating climate on early Earth and sustaining the temperate conditions that allowed for the evolution and proliferation of life on Earth,” says Dr. Isson.

[…]

The work produces the first ever record of the evolution of terrestrial (land-based) and marine clay abundance throughout Earth history. This is the first direct evidence for an intimate link between the evolution of plants, marine creatures that make skeletons and shells out of silica (siliceous life forms), clay formation, and .

“The results suggest that the process of clay formation may have played a key role in regulating climate on early Earth and sustaining the temperate conditions that allowed for the evolution and proliferation of life on Earth,” says Dr. Isson.

Source: New evidence changes key ideas about Earth’s climate history

23andMe Thinks ‘Mining’ Your DNA Data Is Its Last Hope

Posted on by

23andMe is in a death spiral. Almost everyone who wants a DNA test already bought one, a nightmare data breach ruined the company’s reputation, and 23andMe’s stock is so close to worthless it might get kicked off the Nasdaq. CEO Anne Wojcicki is on a crisis tour, promising investors the company isn’t going out of business because she has a new plan: 23andMe is going to double down on mining your DNA data and selling it to pharmaceutical companies.

“We now have the ability to mine the dataset for ourselves, as well as to partner with other groups,” Wojcicki said in an interview with Wired. “It’s a real resource that we could apply to a number of different organizations for their own drug discovery.”

That’s been part of the plan since day one, but now it looks like it’s going to happen on a much larger scale. 23andMe has always coerced its customers into giving the company consent to share their DNA for “research,” a friendlier way of saying “giving it to pharmaceutical companies.” The company enjoyed an exclusive partnership with pharmaceutical giant GlaxoSmithKline, but apparently the drug maker already sucked the value out of your DNA, and that deal is running out. Now, 23andMe is looking for new companies who want to take a look at your genes.

[…]

the most exciting opportunity for “improvements” is that 23andMe and the pharmaceutical industry get to develop new drugs. There’s a tinge of irony here. Any discoveries that 23andMe makes come from studying DNA samples that you paid the company to collect.

[…]

The problem with 23andMe’s consumer-facing business is the company sells a product you only need once in a lifetime. Worse, the appeal of a DNA test for most people is the novelty of ancestry results, but if your brother already paid for a test, you already know the answers.

[…]

it’s spent years trying to brand itself as a healthcare service, and not just a $79 permission slip to tell people you’re Irish. In fact, the company thinks you should buy yourself a recurring annual subscription to something called 23andMe+ Total Health. It only costs $1,188 a year.

[…]

The secret is you just can’t learn a ton about your health from genetic screenings, aside from tests for specific diseases that doctors rarely order unless you have a family history.

[…]

What do you get with these subscriptions? It’s kind of vague. Depending on the package, they include a service that “helps you understand how genetics and lifestyle can impact your likelihood of developing certain conditions,” testing for rare genetic conditions, enhanced ancestry features, and more. Essentially, they’ll run genetic tests that you may not need. Then, they may or may not recommend that you talk to a doctor, because they can’t offer you actual medical care.

You could also skip the middleman and start with a normal conversation with your doctor, who will order genetic tests if you need them and bill your insurance company

[…]

If 23andMe company survives, the first step is going to be deals that give more companies access to look at your genetics than ever before. But if 23andMe goes out of business, it’ll get purchased or sold off for parts, which means other companies will get a look at your data anyway.

Source: 23andMe Admits ‘Mining’ Your DNA Data Is Its Last Hope

What this piece misses is the danger of whom the data is sold to – or if it is leaked (which it was). Insurance companies may refuse to insure you. Your DNA may be faked. Your unique and unchangeable identity – and those of your family – has been stolen.

US judge dismisses authors’ ridiculous copyright claim against OpenAI

Posted on by

A US judge has dismissed some of the claims made by writers in a copyright infringement lawsuit against OpenAI, though gave the wordsmiths another chance to amend their complaint.

The case – Paul Tremblay et al vs OpenAI – kicked off in 2023 when novelists Paul Tremblay, Christopher Golden, and Richard Kadrey, and writer-comedian-actress Sarah Silverman accused OpenAI of illegally scraping their work without consent to train the AI champion’s large language models.

The creators claimed that ChatGPT produced accurate summaries of their books and offered that as evidence that their writing had been ripped off. Since OpenAI’s neural networks learn to generate text from its training data, the group argued that its output should be considered a “derivative work” of their IP.

The plaintiffs also alleged that OpenAI’s model deliberately omitted so-called copyright management information, or CMI – think books’ ISBN numbers and authors’ names – when it produced output based on their works. They also accused the startup of unfair competition, negligence, and unjust enrichment.

All in all, the writers are upset that, as alleged, OpenAI not only used copyrighted work without permission and recompense to train its models, its model generates prose that closely apes their own, which one might say would hinder their ability to profit from that work.

Federal district Judge Araceli Martínez-Olguín, sitting in northern California, was asked by OpenAI to dismiss the authors’ claims in August.

In a fresh order [PDF] released on Monday, Martínez-Olguín delivered the bad news for the scribes.

“Plaintiffs fail to explain what the outputs entail or allege that any particular output is substantially similar – or similar at all – to their books. Accordingly, the court dismisses the vicarious copyright infringement claim,” she wrote. She also opined that the authors couldn’t prove that CMI had been stripped from the training data or that its absence indicated an intent to hide any copyright infringement.

Claims of unlawful business practices, fraudulent conduct, negligence, and unjust enrichment were similarly dismissed.

The judge did allow a claim of unfair business practices to proceed.

“Assuming the truth of plaintiffs’ allegations – that defendants used plaintiffs’ copyrighted works to train their language models for commercial profit – the court concludes that defendants’ conduct may constitute an unfair practice,” Martínez-Olguín wrote.

Although this case against OpenAI has been narrowed, it clearly isn’t over yet. The plaintiffs have been given another opportunity to amend their initial arguments alleging violation of copyright by filing a fresh complaint before March 13.

The Register has asked OpenAI and a lawyer representing the plaintiffs for comment. We’ll let you know if they have anything worth saying. ®

Source: US judge dismisses authors’ copyright claim against OpenAI • The Register

See also: A Bunch Of Authors Sue OpenAI Claiming Copyright Infringement, Because They Don’t Understand Copyright

and: OpenAI disputes authors’ claims that every ChatGPT response is a derivative work, it’s transformative

France uncovers a vast Russian disinformation campaign in Europe

Posted on by

RUSSIA HAS been at the forefront of internet disinformation techniques at least since 2014, when it pioneered the use of bot farms to spread fake news about its invasion of Crimea. According to French authorities, the Kremlin is at it again. On February 12th Viginum, the French foreign-disinformation watchdog, announced it had detected preparations for a large disinformation campaign in France, Germany, Poland and other European countries, tied in part to the second anniversary of Vladimir Putin’s invasion of Ukraine and the elections to the European Parliament in June.

Viginum said it had uncovered a Russian network of 193 websites which it codenames “Portal Kombat”. Most of these sites, such as topnews.uz.ua, were created years ago and many were left dormant. Over 50 of them, such as news-odessa.ru and pravda-en.com, have been created since 2022. Current traffic to these sites, which exist in various languages including French, German, Polish and English, is low. But French authorities think they are ready to be activated aggressively as part of what one official calls a “massive” wave of Russian disinformation.

Viginum says it watched the sites between September and December 2023. It concluded that they do not themselves generate news stories, but are designed to spread “deceptive or false” content about the war in Ukraine, both on websites and via social media. The underlying objective is to undermine support for Ukraine in Europe. According to the French authorities, the network is controlled by a single Russian organisation.

[…]

For France, the detection of this latest Russian destabilisation effort comes after a series of campaigns that it has attributed to Moscow. Last November the French foreign ministry denounced a “Russian digital interference operation” that spread photos of Stars of David stencilled on walls in a neighbourhood of Paris, in order to stir intercommunal tension in France shortly after the start of the Israel-Hamas conflict. Viginum then detected a network of 1,095 bots on X (formerly Twitter), which published 2,589 posts. It linked this to a Russian internet complex called Recent Reliable News, known for cloning the websites of Western media outlets in order to spread fake news; the EU has dubbed that complex “Doppelgänger”.

France held the same network responsible in June 2023 for the cloning of various French media websites, as well as that of the French foreign ministry. On the cloned ministry website, hackers posted a statement suggesting, falsely, that France was to introduce a 1.5% “security tax” to finance military aid to Ukraine.

[…]

Key advance for capturing carbon from the air

Posted on by

vanadium crystal bar and cube

Zeiss Makro-Planar T*2/100mm ZE

A chemical element so visually striking that it was named for a goddess shows a “Goldilocks” level of reactivity — neither too much nor too little — that makes it a strong candidate as a carbon scrubbing tool.

The element is vanadium, and research by Oregon State University scientists has demonstrated the ability of vanadium peroxide molecules to react with and bind carbon dioxide — an important step toward improved technologies for removing carbon dioxide from the atmosphere.

[…]

how some transition metal complexes can react with air to remove carbon dioxide and convert it to a metal carbonate, similar to what is found in many naturally occurring minerals.

Transition metals are located near the center of the periodic table and their name arises from the transition of electrons from low energy to high energy states and back again, giving rise to distinctive colors. For this study, the scientists landed on vanadium, named for Vanadis, the old Norse name for the Scandinavian goddess of love said to be so beautiful her tears turned to gold.

Nyman explains that carbon dioxide exists in the atmosphere at a density of 400 parts per million. That means for every 1 million air molecules, 400 of them are carbon dioxide, or 0.04%.

“A challenge with direct air capture is finding molecules or materials that are selective enough, or other reactions with more abundant air molecules, such as reactions with water, will outcompete the reaction with CO2,” Nyman said. “Our team synthesized a series of molecules that contain three parts that are important in removing carbon dioxide from the atmosphere, and they work together.”

One part was vanadium, so named because of the range of beautiful colors it can exhibit, and another part was peroxide, which bonded to the vanadium. Because a vanadium peroxide molecule is negatively charged, it needed alkali cations for charge balance, Nyman said, and the researchers used potassium, rubidium and cesium alkali cations for this study.

[…]

vanadium peroxide is a beautiful, purple Goldilocks that becomes golden when exposed to air and binds a carbon dioxide molecule.”

She notes that another valuable characteristic of vanadium is that it allows for the comparatively low release temperature of about 200 degrees Celsius for the captured carbon dioxide.

[…]

“Being able to rerelease the captured CO2 enables reuse of the carbon capture materials, and the lower the temperature required for doing that, the less energy that’s needed and the smaller the cost. There are some very clever ideas about reuse of captured carbon already being implemented — for example, piping the captured CO2 into a greenhouse to grow plants.”

[…]

Story Source:

Materials provided by Oregon State University. Original written by Steve Lundeberg. Note: Content may be edited for style and length.

Journal Reference:

  1. Eduard Garrido Ribó, Zhiwei Mao, Jacob S. Hirschi, Taylor Linsday, Karlie Bach, Eric D. Walter, Casey R. Simons, Tim J. Zuehlsdorff, May Nyman. Implementing vanadium peroxides as direct air carbon capture materials. Chemical Science, 2024; 15 (5): 1700 DOI: 10.1039/D3SC05381D

 

Source: Key advance for capturing carbon from the air | ScienceDaily