Vietnam to collect biometrics – even DNA – for new ID cards. Centralised databases never leak.

The Vietnamese government will begin collecting biometric information from its citizens for identification purposes beginning in July this year.

Prime minister Pham Minh Chinh instructed the nation’s Ministry of Public Security to collect the data in the form of iris scans, voice samples and actual DNA, in accordance with amendments to Vietnam’s Law on Citizen Identification.

The ID cards are issued to anyone over the age of 14 in Vietnam, and are optional for citizens between the ages of 6 and 14, according to a government news report.

Amendments to the Law on Citizen Identification that allow collection of biometrics passed on November 27 of last year.

The law allows recording of blood type among the DNA-related information that will be contained in a national database to be shared across agencies “to perform their functions and tasks.”

The ministry will work with other parts of the government to integrate the identification system into the national database.

As for how the information will be collected, the amendments state:

Biometric information on DNA and voice is collected when voluntarily provided by the people or the agency conducting criminal proceedings or the agency managing the person to whom administrative measures are applied in the process of settling the case according to their functions and duties whether to solicit assessment or collect biometric information on DNA, people’s voices are shared with identity management agencies for updating and adjusting to the identity database.

Vietnam’s future identity cards will incorporate the functions of health insurance cards, social insurance books, driver’s licenses, birth certificates, and marriage certificates, as defined by the amendment.

There are approximately 70 million adults in Vietnam as of 2022, making the collection and safeguarding of such data no small feat.

The Reg is sure the personal information on all those citizens will be just fine – personal data held by governments for ID cards certainly never leaks.

[…]

Source: Vietnam to collect biometrics – even DNA – for new ID cards • The Register

Absolutely retarded.

‘No one understands outsourcing the management of .nl domains to Amazon’

At the beginning of February, SIDN was in the news after announcing that it wanted to outsource part of its services to Amazon Web Services, the American web giant. According to SIDN, the reason for the outsourcing was that implementation on its own servers had become too expensive and too labor-intensive.

Van Eeten: ‘SIDN has not provided any explanation as to how on earth it ended up at Amazon. I can imagine that they don’t feel like dealing with all that iron (servers) and can’t find staff. But then there are numerous Dutch providers who say: ‘Just leave it to us. Then we will arrange everything.’

Van Eeten also does not understand why the registration system used by SIDN would be so demanding. ‘In principle it seems quite simple, I estimate a few hundred accounts on a database. I don’t see any reason why a Dutch cloud service couldn’t handle that.’

The criticism is partly a matter of timing: five years ago there would have been a lot less fuss about it. Van Eeten: ‘But in recent years the question has increasingly arisen whether it is wise to outsource more and more digital services to a handful of American companies. That discussion is about digital sovereignty. And that has become quite a thing in Europe.’

Source: ‘No one understands outsourcing the management of .nl domains to Amazon’ – Emerce

It’s completely nuts that a technical organisation says they can’t be technical – and is washing its hands of running the most popular TLD per capita in the world!

Wyze says camera breach let 13,000 customers briefly see into other people’s homes

Last week, co-founder David Crosby said that “so far” the company had identified 14 people who were able to briefly see into a stranger’s property because they were shown an image from someone else’s Wyze camera. Now we’re being told that number of affected customers has ballooned to 13,000.

The revelation came from an email sent to customers entitled “An Important Security Message from Wyze,” in which the company copped to the breach and apologized, while also attempting to lay some of the blame on its web hosting provider AWS.

“The outage originated from our partner AWS and took down Wyze devices for several hours early Friday morning. If you tried to view live cameras or Events during that time, you likely weren’t able to. We’re very sorry for the frustration and confusion this caused.”

The breach, however, occurred as Wyze was attempting to bring its cameras back online. Customers were reporting seeing mysterious images and video footage in their own Events tab. Wyze disabled access to the tab and launched its own investigation.

As it did before, Wyze is chalking up the incident to “a third-party caching client library” that was recently integrated into its system.

This client library received unprecedented load conditions caused by devices coming back online all at once. As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.

But it was too late to prevent an estimated 13,000 people from getting an unauthorized peek at thumbnails from a stranger’s homes. Wyze says that 1,504 people tapped to enlarge the thumbnail, and that a few of them caught a video that they were able to view. It also claims that all impacted users have been notified of the security breach, and that over 99 percent of all of its customers weren’t affected.
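The failure mode described above is a cache returning another account’s object under load, and the thing that contains it is an authorization check at serving time rather than trust in the cache. The following is an added illustration, not Wyze’s code or the third-party library’s: every name (`FlakyCache`, `DeviceRegistry`, `ThumbnailService`, the `cam-A`/`cam-B` device IDs and the `alice`/`bob` users) is constructed, and the cache fault is simulated deliberately so the two serving paths can be compared.

```python
"""Constructed example: a thumbnail cache that mis-maps entries under load,
a naive serving path that trusts it, and a checked path that fails closed.
Not Wyze's code; all identifiers and the fault injection are made up."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Thumbnail:
    device_id: str
    owner_user_id: str  # owner stamped on the object when it was stored
    blob: bytes


class DeviceRegistry:
    """Authoritative device -> owner mapping (stands in for the account database)."""
    def __init__(self, mapping: dict):
        self._owner = dict(mapping)

    def owner_of(self, device_id: str) -> Optional[str]:
        return self._owner.get(device_id)


class FlakyCache:
    """Constructed cache. While `overloaded` is set it returns the most recently
    stored entry regardless of the key asked for, mimicking the mixed-up
    device ID / user ID mapping the article describes."""
    def __init__(self):
        self._entries = {}
        self.overloaded = False

    def put(self, thumb: Thumbnail) -> None:
        self._entries[thumb.device_id] = thumb

    def get(self, device_id: str) -> Optional[Thumbnail]:
        if self.overloaded and self._entries:
            return list(self._entries.values())[-1]  # simulated fault
        return self._entries.get(device_id)


def fetch_naive(cache: FlakyCache, requesting_user: str, device_id: str) -> Optional[bytes]:
    """'Before' form: returns whatever the cache hands back for the device ID."""
    thumb = cache.get(device_id)
    return thumb.blob if thumb else None


class ThumbnailService:
    """'After' form: authorises against the registry, then re-checks the owner
    and device stamped on the cached object before anything is returned."""
    def __init__(self, cache: FlakyCache, registry: DeviceRegistry):
        self.cache = cache
        self.registry = registry
        self.mismatches = []  # audit trail: each entry is a blocked cross-account read

    def fetch(self, requesting_user: str, device_id: str) -> Optional[bytes]:
        if self.registry.owner_of(device_id) != requesting_user:
            return None  # the requesting user does not own this device
        thumb = self.cache.get(device_id)
        if thumb is None:
            return None
        if thumb.owner_user_id != requesting_user or thumb.device_id != device_id:
            # Fail closed and record the event: this is the signal an operator
            # would want to alert on instead of learning from customer reports.
            self.mismatches.append({"user": requesting_user, "asked": device_id,
                                    "got_device": thumb.device_id,
                                    "got_owner": thumb.owner_user_id})
            return None
        return thumb.blob


def run_scenario() -> dict:
    """Two users, two cameras; compare both serving paths before and during overload."""
    registry = DeviceRegistry({"cam-A": "alice", "cam-B": "bob"})
    cache = FlakyCache()
    cache.put(Thumbnail("cam-A", "alice", b"alice-porch.jpg"))
    cache.put(Thumbnail("cam-B", "bob", b"bob-living-room.jpg"))
    svc = ThumbnailService(cache, registry)
    normal = svc.fetch("alice", "cam-A")
    cache.overloaded = True  # devices reconnecting all at once
    naive = fetch_naive(cache, "alice", "cam-A")  # alice is shown bob's image
    checked = svc.fetch("alice", "cam-A")         # refused and logged
    return {"normal": normal, "naive_overloaded": naive,
            "checked_overloaded": checked, "blocked": len(svc.mismatches)}


if __name__ == "__main__":
    print(run_scenario())
```

The point of the checked path is that the cached object carries its own owner and the serving layer compares that against the authenticated caller on every read, so a cache that returns the wrong entry yields an empty Events tab and an audit record rather than a stranger’s living room.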

[…]

Source: Wyze says camera breach let 13,000 customers briefly see into other people’s homes – The Verge

Which is why it’s better to store stuff on your own NAS hardware instead of some vendor’s cloud.

Chinese and US researchers show new side channel can reproduce fingerprints by listening to swiping sounds on screen

An interesting new attack on biometric security has been outlined by a group of researchers from China and the US. PrintListener: Uncovering the Vulnerability of Fingerprint Authentication via the Finger Friction Sound [PDF] proposes a side-channel attack on the sophisticated Automatic Fingerprint Identification System (AFIS). The attack leverages the sound characteristics of a user’s finger swiping on a touchscreen to extract fingerprint pattern features. Following tests, the researchers assert that they can successfully attack “up to 27.9% of partial fingerprints and 9.3% of complete fingerprints within five attempts at the highest security FAR [False Acceptance Rate] setting of 0.01%.” This is claimed to be the first work that leverages swiping sounds to infer fingerprint information.

[…]

the PrintListener paper says that “finger-swiping friction sounds can be captured by attackers online with a high possibility.” The source of the finger-swiping sounds can be popular apps like Discord, Skype, WeChat, FaceTime, etc. Any chatty app where users carelessly perform swiping actions on the screen while the device mic is live. Hence the side-channel attack name – PrintListener.

[…]

Source: Your fingerprints can be recreated from the sounds made when you swipe on a touchscreen — Chinese and US researchers show new side channel can reproduce fingerprints to enable attacks | Tom’s Hardware

Four-day week made permanent for most UK firms in world’s biggest trial

Of the 61 organisations that took part in a six-month UK pilot in 2022, 54 (89%) are still operating the policy a year later, and 31 (51%) have made the change permanent.

More than half (55%) of project managers and CEOs said a four-day week – in which staff worked 100% of their output in 80% of their time – had a positive impact on their organisation, the report found.

For 82% this included positive effects on staff wellbeing, 50% found it reduced staff turnover, while 32% said it improved job recruitment. Nearly half (46%) said working and productivity improved.

[…]

The four-day working week report, by the thinktank Autonomy and researchers from the University of Cambridge, the University of Salford and Boston College in the US, found that “many of the significant benefits found during the initial trial have persisted 12 months on”, although they noted that it was a small sample size.

Almost all (96%) of staff said their personal life had benefited, and 86% felt they performed better at work, while 38% felt their organisation had become more efficient, and 24% said it had helped with caring responsibilities.

Organisations reduced working hours by an average of 6.6 hours to reach a 31.6-hour week. Most gave their staff one full day off a week, either universal or staggered. The report found that protected days off were more effective than those on which staff were “on call” or sometimes expected to work.

The most successful companies made their four-day week “clear, confident and well-communicated”, and co-designed their policies between staff and management, thinking carefully about how to adapt work processes, the authors wrote.

[…]
Source: Four-day week made permanent for most UK firms in world’s biggest trial | Work-life balance | The Guardian

Varda Space, Rocket Lab nail first-of-its-kind spacecraft landing in Utah, bring back space grown drugs

A spacecraft containing pharmaceutical drugs that were grown on orbit has finally returned to Earth today after more than eight months in space.

Varda Space Industries’ in-space manufacturing capsule, called Winnebago-1, landed in the Utah desert at around 4:40 p.m. EST. Inside the capsule are crystals of the drug ritonavir, which is used to treat HIV/AIDS. It marks a successful conclusion of Varda’s first experimental mission to grow pharmaceuticals on orbit, as well as the first time a commercial company has landed a spacecraft on U.S. soil, ever.

The capsule will now be sent back to Varda’s facilities in Los Angeles for analysis, and the vials of ritonavir will be shipped to a research company called Improved Pharma for post-flight characterization, Varda said in a statement. The company will also be sharing all the data collected through the mission with the Air Force and NASA, per existing agreements with those agencies.

The first-of-its-kind reentry and landing is also a major win for Rocket Lab, which partnered with Varda on the mission. Rocket Lab hosted Varda’s manufacturing capsule inside its Photon satellite bus; through the course of the mission, Photon provided power, communications, attitude control and other essential operations. At the mission’s conclusion, the bus executed a series of maneuvers and de-orbit burns that put the miniature drug lab on the proper reentry trajectory. The final engine burn was executed shortly after 4 p.m. EST.

[…]

Source: Varda Space, Rocket Lab nail first-of-its-kind spacecraft landing in Utah | TechCrunch

Universal Antivenom for Snake Bites Might Soon Be a Reality

[…]

a team of scientists says they’ve created a lab-made antibody geared to counteract toxic bites from a wide variety of snakes. In early tests with mice, the uber-antivenom appeared to work as intended.

Snake antivenom is typically derived from the antibodies of horses or other animals that produce a strong immune response to snake toxins. These donated antibodies can be highly effective at preventing serious injury and death from a snakebite, but they come with serious limitations.

The chemical makeup of one species’s toxin can vary significantly from another’s, for instance, so antibodies to one specific toxin provide little protection against others. Manufacturers can try to work around this by inoculating animals with several toxins at once, but this method has drawbacks, such as needing a higher dose of antivenom since only some of the antibodies will have any effect.

[…]

Though snake toxins are remarkably complex and different from one another, even within the same class, the team managed to find sections of these toxins that were pretty similar across different species.

The scientists produced a variety of 3FTx toxins in the lab and then screened them against a database of more than 50 billion synthetic antibodies, looking for ones that could potentially neutralize several toxins at once. After a few rounds of selection, they ultimately identified one antibody that seemed to broadly neutralize at least five different 3FTx variants, called 95Mat5. They then put the antibody to a real-life test, finding that it fully protected mice from dying from the toxins of the many-banded krait, Indian spitting cobra, and black mamba, in some cases better than conventional antivenom; it also offered some protection against venom from the king cobra.

[…]

As seen with the king cobra, the 95Mat5 antibody alone may not work against every elapid snake. And it wouldn’t protect against bites from viper snakes, the other major family of venomous snakes. But the team’s process of identifying broadly neutralizing antibodies—adapted from similar research on the HIV virus—could be used to find other promising antivenom candidates.

[…]

Source: Universal Antivenom for Snake Bites Might Soon Be a Reality

Video generation models as world simulators by OpenAI Sora

[…]

Our largest model, Sora, is capable of generating a minute of high fidelity video. Our results suggest that scaling video generation models is a promising path towards building general purpose simulators of the physical world.

This technical report focuses on (1) our method for turning visual data of all types into a unified representation that enables large-scale training of generative models, and (2) qualitative evaluation of Sora’s capabilities and limitations. Model and implementation details are not included in this report.

[…]

Sampling flexibility

Sora can sample widescreen 1920×1080 videos, vertical 1080×1920 videos and everything in between. This lets Sora create content for different devices directly at their native aspect ratios. It also lets us quickly prototype content at lower sizes before generating at full resolution—all with the same model.

[…]

Source: Video generation models as world simulators

Canadian college M&M Vending machines secretly scanning faces – revealed by error message

[…]

The scandal started when a student using the alias SquidKid47 posted an image on Reddit showing a campus vending machine error message, “Invenda.Vending.FacialRecognitionApp.exe,” displayed after the machine failed to launch a facial recognition application that nobody expected to be part of the process of using a vending machine.

Reddit post shows error message displayed on a University of Waterloo vending machine (cropped and lightly edited for clarity).

“Hey, so why do the stupid M&M machines have facial recognition?” SquidKid47 pondered.

The Reddit post sparked an investigation from a fourth-year student named River Stanley, who was writing for a university publication called MathNEWS.

Stanley sounded alarm after consulting Invenda sales brochures that promised “the machines are capable of sending estimated ages and genders” of every person who used the machines without ever requesting consent.

This frustrated Stanley, who discovered that Canada’s privacy commissioner had years ago investigated a shopping mall operator called Cadillac Fairview after discovering some of the malls’ informational kiosks were secretly “using facial recognition software on unsuspecting patrons.”

Only because of that official investigation did Canadians learn that “over 5 million nonconsenting Canadians” were scanned into Cadillac Fairview’s database, Stanley reported. Where Cadillac Fairview was ultimately forced to delete the entire database, Stanley wrote that consequences for collecting similarly sensitive facial recognition data without consent for Invenda clients like Mars remain unclear.

Stanley’s report ended with a call for students to demand that the university “bar facial recognition vending machines from campus.”

A University of Waterloo spokesperson, Rebecca Elming, eventually responded, confirming to CTV News that the school had asked to disable the vending machine software until the machines could be removed.

[…]

Source: Vending machine error reveals secret face image database of college students | Ars Technica

iOS and Android users face scans used to break into bank accounts

[…]

GoldPickaxe and GoldPickaxe.iOS target Android and iOS respectively, tricking users into performing biometric verification checks that are ultimately used to bypass the same checks employed by legitimate banking apps in Vietnam and Thailand – the geographic focus of these ongoing attacks.

The iOS version is believed only to be targeting users in Thailand, masquerading as the Thai government’s official digital pensions app. That said, some think it has also made its way to Vietnam. This is because very similar attacks, which led to the theft of tens of thousands of dollars, were reported in the region earlier this month.

“It is of note that GoldPickaxe.iOS is the first iOS Trojan observed by Group-IB that combines the following functionalities: collecting victims’ biometric data, ID documents, intercepting SMS, and proxying traffic through the victims’ devices,” the researchers said.

“Its Android sibling has even more functionalities than its iOS counterpart, due to more restrictions and the closed nature of iOS.”

[…]

Researchers also found the Android version bore many more disguises than the iOS version – taking the form of more than 20 different government, finance, and utility organizations in Thailand, and allowing attackers to steal credentials for all of these services.

How’d they get on Apple phones?

In the case of iOS, the attackers had to be cunning. Their first method involved the abuse of Apple’s TestFlight platform, which allows apps to be distributed as betas before full release to the App Store.

After this method was stymied, attackers switched to more sophisticated social engineering. This involved influencing users to enroll their devices in an MDM program, allowing the attackers to push bad apps to devices that way.

In all cases, the initial contact with victims was made by the attackers impersonating government authorities on the LINE messaging app, one of the region’s most popular.

[…]

Once the biometric scans were captured, attackers then used these scans, along with deepfake software, to generate models of the victim’s face.

Attackers would download the target banking app onto their own devices and use the deepfake models, along with the stolen identity documents and intercepted SMS messages, to remotely break into victims’ banks.

[…]

Facial biometrics were only mandated in Thailand last year, with plans first announced in March with an enforcement date set for July. Vietnam is poised to mandate similar controls by April this year.

From July 2023, all Thai banking apps had to comply with the new initiative and replace one-time passcodes with facial biometrics to decrease the threat of financial fraud in the region. This applied specifically to transactions exceeding 50,000 BAT (roughly $1,400).

[…]

Source: Stolen iOS users face scans used to break into bank accounts

Which goes to show – biometrics are unchangeable and so make for a really bad (and potentially dangerous, if people are inclined to amputate parts of your anatomy) security pass.