Amazon latest company to lock up their hardware: will stop you installing stuff on Fire TV Sticks (in the name of combating streaming) and force you to use their own app store

Amazon is rolling out a tougher approach to combat illegal streaming, with the United States-based tech company aiming to block apps loaded onto all its Fire TV Stick devices that are identified as providing pirated content.

[…]

Amazon launched a new Fire TV Stick last month — the 4K Select, which is plugged into a TV to facilitate streaming via the internet — that it insists will be less of a breeding ground for piracy. It comprises enhanced security measures — via a new Vega operating system — and only apps available in Amazon’s app store will be available for customers to download.

[…]

Amazon insists the clampdown will apply to the new and old devices, but registered developers will still be able to use Fire Sticks for legitimate purposes.

[…]

The roll-out has started in Germany and France and will be expanded globally in the coming weeks and months.

Over the summer, The Athletic learned that Amazon had sporadically started blocking apps suspected of being linked to illegal sports streaming.

[…]

Gareth Sutcliffe is a leading tech researcher from Enders Analysis, who speaks on a range of topics in the episode, including the role of the Fire TV Stick device. He says that the previous — and still widely used — device made by Amazon “enables piracy” and that it’s “a broadly risky device for consumer safety”.

Sutcliffe says it “provides a very easy path for malware to enter into a home-computing environment”, there were “policies around developing apps for that device that Amazon took a certain position on and broadly got wrong” as they had made “an open computing device” that was a playground for “a whole world of nefarious actors”.

[…]

Source: Amazon steps up attempts to block illegal sports streaming via Fire TV Sticks – The Athletic

So yes, some apps are illegal, but plenty are legal. And they won’t work either. The “security” angle is just like Google’s move to stop people from installing (sideloading) software on Android. PCs allow you to do this and this generally goes right. It is about control, knowing what apps people install and above all: revenue. Mr Sutcliffe is firmly in the pay of these people and by saying that making an open computing device is wrong, he clearly shows this.

“This is a political deception” − Denmark gives New Chat Control another shot. Mass surveillance for all from behind closed doors.

It’s official, a revised version of the CSAM scanning proposal is back on the EU lawmakers’ table − and is keeping privacy experts worried.

The Law Enforcement Working Party met again this morning (November 12) in the EU Council to discuss what’s been deemed by critics the Chat Control bill.

This follows a meeting the group held on November 5, and comes as the Denmark Presidency put forward a new compromise after withdrawing mandatory chat scanning.

As reported by Netzpolitik, the latest Child Sexual Abuse Regulation (CSAR) proposal was received with broad support during the November 5 meeting, “without any dissenting votes” nor further changes needed.

The new text, which removes all provisions on detection obligations included in the bill and makes CSAM scanning voluntary, seems to be the winning path to finally find an agreement after over three years of trying.

Privacy experts and technologists aren’t quite on board, though, with long-standing Chat Control critic and digital rights jurist, Patrick Breyer, deeming the proposal “a political deception of the highest order.”

Chat Control − what’s changing and what are the risks

As per the latest version of the text, messaging service providers won’t be forced to scan all URLs, pictures, and videos shared by users, but rather choose to perform voluntary CSAM scanning.

There’s a catch, though. Article 4 will include a possible “mitigation measure” that could be applied to high-risk services to require them to take “all appropriate risk mitigation measures.”

According to Breyer, such a loophole could make the removal of detection obligations “worthless” by negating their voluntary nature. He said: “Even client-side scanning (CSS) on our smartphones could soon become mandatory – the end of secure encryption.”

Breaking encryption, the tech that security software like the best VPNs, Signal, and WhatsApp use to secure our private communications, has been the strongest argument against the proposal so far.

Breyer also warns that the new compromise goes further than the discarded proposal, passing from AI-powered monitoring targeting shared multimedia to the scanning of private chat texts and metadata, too.

“The public is being played for fools,” warns Breyer. “Following loud public protests, several member states, including Germany, the Netherlands, Poland, and Austria, said ‘No’ to indiscriminate Chat Control. Now it’s coming back through the back door.”

Breyer is far from being the only one expressing concerns. German-based encrypted email provider, Tuta, is also raising the alarm.

“Hummelgaard doesn’t understand that no means no,” the provider writes on X.

To understand the next steps, we now need to wait and see what the outcomes from today’s meeting look like.

Source: “This is a political deception” − New Chat Control convinces lawmakers, but not privacy experts yet | TechRadar

Google may be easing up on Android’s new installation restrictions

Back in late August, Google announced a major change to Android that angered many enthusiasts and independent developers. Starting next year, Android will block users from installing apps made by unverified developers. The announcement spurred backlash from power users who felt that the new restrictions would effectively kill sideloading. Today, Google announced a major concession to appease these users. The company says it is building a new “advanced flow” that will allow “experienced users to accept the risks of installing software that isn’t verified.”

An easier way to install unverified apps…hopefully

In a blog post, Google says this new advanced flow is intended for developers and power users who “have a higher risk tolerance and want the ability to download unverified apps.” The company says it is “designing this flow specifically to resist coercion” to ensure that “users aren’t tricked into bypassing these safety checks while under pressure from scammers.” The flow will include “clear warnings” to ensure that users “fully understand the risks involved” with installing apps made by unverified developers, but ultimately, it puts the choice to do so in the user’s hands. Google says it is currently gathering early feedback on the design of this feature and will share more details in the coming months.

Although Google hasn’t shared what this new flow will actually look like, it’ll hopefully be easier than using ADB to install apps. Prior to this announcement, the only method we knew would allow you to install apps from unverified developers was to use ADB, which is simple but tedious for experienced users. Tools like Shizuku would have made ADB app installation possible without the use of a PC, but who knows how long such methods would last. Thus, I’m glad that users won’t have to resort to such hacky methods to install the software of their choice.

Source: Google is easing up on Android’s new sideloading restrictions

Astronomers find three Earth-sized planets orbiting two suns in binary stellar system

An international group of scientists has confirmed the discovery of three Earth-sized planets within the binary stellar system known as TOI-2267, located roughly 190 light-years from Earth. The finding, published in Astronomy & Astrophysics, offers new insight into how planets can form and remain stable in double-star systems, which were once thought too chaotic for complex planetary development.

“Our analysis shows a unique planetary arrangement: two planets are transiting one star, and the third is transiting its companion star,” explains Sebastián Zúñiga-Fernández, a researcher at the University of Liège (ULiège) and first author of the paper. “This makes TOI-2267 the first binary system known to host transiting planets around both of its stars.”

A Compact and Unusual Double-Star System

TOI-2267 consists of two stars locked in a close orbital dance, forming what astronomers call a compact binary system. Such systems create gravitational forces that typically disrupt planet formation. Despite this, researchers have detected three Earth-sized planets in tight orbits, a surprising outcome that challenges long-held theories about where rocky worlds can exist.

[…]

The confirmation process required a major effort involving several observatories. Among the most important were the SPECULOOS and TRAPPIST telescopes operated by ULiège (PI: Michaël Gillon). Designed to detect small exoplanets around cool, dim stars, these robotic instruments were vital for verifying the planets and studying their characteristics in detail.

[…]

Story Source:

Materials provided by University of Liège. Note: Content may be edited for style and length.

Journal Reference:

  1. S. Zúñiga-Fernández, F. J. Pozuelos, M. Dévora-Pajares, N. Cuello, M. Greklek-McKeon, K. G. Stassun, V. Van Grootel, B. Rojas-Ayala, J. Korth, M. N. Günther, A. J. Burgasser, C. Hsu, B. V. Rackham, K. Barkaoui, M. Timmermans, C. Cadieux, R. Alonso, I. A. Strakhov, S. B. Howell, C. Littlefield, E. Furlan, P. J. Amado, J. M. Jenkins, J. D. Twicken, M. Sucerquia, Y. T. Davis, N. Schanche, K. A. Collins, A. Burdanov, F. Davoudi, B.-O. Demory, L. Delrez, G. Dransfield, E. Ducrot, L. J. Garcia, M. Gillon, Y. Gómez Maqueo Chew, C. Janó Muñoz, E. Jehin, C. A. Murray, P. Niraula, P. P. Pedersen, D. Queloz, R. Rebolo-López, M. G. Scott, D. Sebastian, M. J. Hooton, S. J. Thompson, A. H. M. J. Triaud, J. de Wit, M. Ghachoui, Z. Benkhaldoun, R. Doyon, D. Lafrenière, V. Casanova, A. Sota, I. Plauchu-Frayn, A. Khandelwal, F. Zong Lang, U. Schroffenegger, S. Wampfler, M. Lendl, R. P. Schwarz, F. Murgas, E. Palle, H. Parviainen. Two warm Earth-sized exoplanets and an Earth-sized candidate in the M5V-M6V binary system TOI-2267. Astronomy & Astrophysics, 2025; 702: A85. DOI: 10.1051/0004-6361/202554419

Source: Astronomers stunned by three Earth-sized planets orbiting two suns | ScienceDaily

Ryanair tries forcing spyware app downloads by eliminating paper boarding passes

Ryanair is trying to force users to download its mobile app by eliminating paper boarding passes, starting on November 12.

As announced in February and subsequently delayed from earlier start dates, Europe’s biggest airline is moving to digital-only boarding passes, meaning customers will no longer be able to print physical ones. In order to access their boarding passes, Ryanair flyers will have to download Ryanair’s app.

“Almost 100 percent of passengers have smartphones, and we want to move everybody onto that smartphone technology,” Ryanair CEO Michael O’Leary said recently on The Independent’s daily travel podcast.

Customers are encouraged to check in online via Ryanair’s website or app before getting to the airport. People who don’t check in online before getting to the airport will have to pay the airport a check-in fee.

[…]

The policy change is also meant to get people to do more with Ryanair’s app, like order food and drinks, view real-time flight information, and receive notifications during delays.

[…]

Eliminating paper boarding passes may create numerous inconveniences. To start, not everyone wants Ryanair’s app on their personal device. And many future customers, especially those who don’t fly with Ryanair frequently or who don’t fly much at all, may be unaware of the change, creating confusion during travel, which can already be inherently stressful.

Also, there are places where Ryanair flies that don’t accept digital boarding passes, including some airports in Albania and Morocco.

[…]

People who are less technically savvy or who don’t have a smart device or whose device has died won’t be completely out of luck. Ryanair says it will accommodate people without access to a smartphone with “a free of charge boarding pass at the airport” if they’ve checked in online “before arriving at the airport.”

[…]

Source: Ryanair tries forcing app downloads by eliminating paper boarding passes – Ars Technica

And of course, because apps run under different regulations and restrictions than websites, Ryanair can collect information about “lifestyle”, such as location, what other apps are running and who knows what else. Apps are pretty scary stuff, which is why so many companies are pushing these things on you in lieu of their websites.

The Best Tools to Use to Find Any Leak in Your Home

Your home is under constant threat from the elements—but especially from water. From roof leaks to burst pipes—water damage is the second-most claimed loss on home insurance policies, just below “wind and hail.” In fact, there are way more losses due to water damage than fire.

And the most troubling aspect of water damage is how silent it can be. You can have a leak for a long time before the damage becomes bad enough to notice. And even if you know you have a water leak somewhere, locating it can often be difficult because water can travel a long way from the source before making its presence known. That’s why you need these five kinds of leak detectors on hand, so you’ll know when a damaging water leak erupts, and be able to find it quickly to minimize the damage.

Moisture alarms

Step one is to have water detectors with alarms set up around the house in places where leaks are probable. These alarms are typically wifi-connected and simply detect moisture beyond a normal level, ringing out an audible alarm and sending a message to your devices warning you of a leak. Having them placed in bathrooms, kitchens, laundry rooms, basements, attics, and anywhere else where the home comes into contact with water means leaks will be noticed right away instead of slowly destroying your property over weeks, months, or even years.

These alarms can often be combined with networked shutoff valves that will automatically turn off the water supply when a leak is detected. That way, even if you’re not home, the damage from a leak will be minimized.

Moisture meter

As useful as leak alarms are, they can only help if present where a water leak occurs—and they only tell you that there’s water, not where the water is coming from. Sometimes the source will be obvious, of course—if the alarm placed near your toilet goes off, chances are good that it’s your toilet doing the leaking. But if the leak begins with a pipe in your wall, one tiny spot on a large roof system, or underground, you’ll need some help locating it.

A moisture meter is a must-have for finding leaks. It’s a simple device that measures the amount of moisture trapped in a material, like drywall or flooring. By taking multiple readings throughout an area, you can pinpoint where the water is concentrated before you start tearing things open to effect a repair, saving you time and money.

Endoscopes

Sometimes you need to see inside the spaces and voids of your home to find a water leak. If you suspect a pipe is leaking in the walls, for example, and you’re getting some confusing moisture meter readings, it might be time to reach for one of the most useful tools you’ll ever own: an endoscopic camera (aka, a borescope). This is a small, flexible camera that can be inserted into a small space and fished around, allowing you to see what’s behind a wall, under a floor, or inside a soffit in your home without ripping everything open. If there’s no obvious way to insert the camera, you can usually drill a small access hole that can be easily repaired later, and the video feed will let you inspect all those pipes to see where the water’s coming from.

Pipe locator

A pipe locator is exactly what it sounds like: It locates the hidden pipes feeding water into and taking water out of your house, which are often inside walls, under floors, or buried underground. If you’re trying to figure out where a leaking pipe might be located, this tool can be invaluable, especially if other options haven’t worked.

They’re not cheap—this one from Rigid is one of the more affordable options, and it’s about $1,800 at the time of this writing. But you can easily spend $1,000 or more if a plumber comes out to locate and fix your leaking pipe, so if you’re comfortable fixing the leak yourself, a tool like this will pay for itself eventually because you’ll be able to isolate the leak, turn off water to just that area, and effect the repair.

Source: The Best Tools to Use to Find Any Leak in Your Home | Lifehacker

Google is clamping down on Android apps that cause excessive battery drain

It can be tough to know when a phone is on its deathbed or when an app is just being an overt battery hog. Google is going to help users get to the bottom of things, according to a recent Android Developers Blog.

The company just announced the launch of a new metric for app developers that keeps an eye on battery usage. If a developer consistently runs afoul of Google’s battery usage guidelines, a warning will pop up in the Play Store to alert end users.

A Play Store warning. (Image: Google)

This metric will keep a particular eye on so-called wake locks, which is when smartphones are prevented from entering sleep mode by battery-hungry apps that want to run background processes when the screen is off. Google says wake locks are a “heavy contributor to battery drain” and has developed a threshold for what is deemed acceptable for apps running in the background.

This threshold “considers a user session excessive if it holds more than two cumulative hours of non-exempt wake locks in a 24 hour period.” There are exemptions if the background process offers “clear user benefits” with examples given of audio playback and user-initiated data transfers.

If a developer doesn’t fix the underlying wake lock issue, they get slapped with a visible warning. The Play Store label says that “this app may use more battery than expected due to high background activity.” That will likely turn off potential downloaders. I certainly wouldn’t pop one of those apps on my phone.

Google will go a step further in some cases, making the offending apps ineligible for certain discovery sections within the Play Store. These rules go into effect on March 1, so we only have a few more months to experience just how quickly an Android phone can go from a full battery to completely dead.

Source: Google is clamping down on Android apps that cause excessive battery drain

Wayland’s Never-Ending Opposition To Multi-Window Positioning

There are many applications out there that use more than one window, with every modern-day platform and GUI toolkit offering the means for said application to position each of its windows exactly where it wants, and to restore these exactly in the configuration and location where the user saved it for that particular session. All toolkits but one, that is, for the Wayland project keeps shooting down proposals. Most recently, merge request #264 for the ext-zones protocol by [Matthias Klumpp] descended into a 600+ comment spree.

This follows on an attempt two years prior with MR#247, which was rejected despite laying out sound reasons why the session protocol of Wayland does not cover many situations. In the breakdown video of the new ext-zones protocol discussion by [Brodie Robertson] the sheer absurdity of this whole situation becomes apparent, especially since KDE and others are already working around the Wayland project with their own extensions such as via KWin, which is being used commercially in e.g. the automotive world.

In a January 2024 blog post [Matthias] lays out many of his reasonings and views regarding the topic, with a focus on Linux desktop application usage from a scientific application perspective. When porting a Windows-, X11- or MacOS application to Wayland runs into compatibility issues that may necessitate a complete rewrite or dropping of features, the developer is more likely to stick to X11, to not port to Linux at all, or to use what eventually will amount to Wayland forks that patch around these missing API features.

Meanwhile X11 is definitely getting very long in the tooth, yet without it being a clean drop-in replacement it leaves many developers and end-users less than impressed. Perhaps the Wayland project should focus more on the needs of developers and end-users, and less about what it deems to be the One True Way?

Source: Wayland’s Never-Ending Opposition To Multi-Window Positioning | Hackaday

Unfortunately, Windows is not immune to this either!

Meta earns 10% of revenue on a deluge of fraudulent ads, documents show

[…] Meta internally projected late last year that it would earn about 10% of its overall annual revenue – or $16 billion – from running advertising for scams and banned goods, internal company documents show.

A cache of previously unreported documents reviewed by Reuters also shows that the social-media giant for at least three years failed to identify and stop an avalanche of ads that exposed Facebook, Instagram and WhatsApp’s billions of users to fraudulent e-commerce and investment schemes, illegal online casinos, and the sale of banned medical products.

On average, one December 2024 document notes, the company shows its platforms’ users an estimated 15 billion “higher risk” scam advertisements – those that show clear signs of being fraudulent – every day. Meta earns about $7 billion in annualized revenue from this category of scam ads each year, another late 2024 document states.

Much of the fraud came from marketers acting suspiciously enough to be flagged by Meta’s internal warning systems. But the company only bans advertisers if its automated systems predict the marketers are at least 95% certain to be committing fraud, the documents show. If the company is less certain – but still believes the advertiser is a likely scammer – Meta charges higher ad rates as a penalty, according to the documents. The idea is to dissuade suspect advertisers from placing ads.

[…]

The details of Meta’s confidential self-appraisal are drawn from documents created between 2021 and this year across Meta’s finance, lobbying, engineering and safety divisions. Together, they reflect Meta’s efforts to quantify the scale of abuse on its platforms – and the company’s hesitancy to crack down in ways that could harm its business interests.

Meta’s acceptance of revenue from sources it suspects are committing fraud highlights the lack of regulatory oversight of the advertising industry, said Sandeep Abraham, a fraud examiner and former Meta safety investigator who now runs a consultancy called Risky Business Solutions.

“If regulators wouldn’t tolerate banks profiting from fraud, they shouldn’t tolerate it in tech,” he told Reuters.

In a statement, Meta spokesman Andy Stone said the documents seen by Reuters “present a selective view that distorts Meta’s approach to fraud and scams.” The company’s internal estimate that it would earn 10.1% of its 2024 revenue from scams and other prohibited ads was “rough and overly-inclusive,” Stone said. The company had later determined that the true number was lower, because the estimate included “many” legitimate ads as well, he said. He declined to provide an updated figure.

[…]

Source: Meta is earning a fortune on a deluge of fraudulent ads, documents show | Reuters

North Korean spies used Google Find Hub as remote-wipe tool

North Korean state-backed spies have found a new way to torch evidence of their own cyber-spying – by hijacking Google’s “Find Hub” service to remotely wipe Android phones belonging to their South Korean targets.

Researchers at South Korean cybersecurity firm Genians said the campaign, attributed to the long-running KONNI group, abused Google’s device management features to trigger factory resets on compromised smartphones and tablets. In several cases, victims’ devices were wiped without authorization, erasing messages, photos, and other data that could have revealed traces of the intrusion.

[…]

According to Genians, the attackers used stolen Google account credentials harvested through spear-phishing or fake login pages to access victims’ profiles on the Find My Device platform. The feature, which allows users to locate lost phones, lock them, or perform a factory reset, became an unwitting tool for sabotage. Once logged in, the hackers could trigger remote wipes, locking victims out of their own phones and destroying incriminating evidence of compromise.

The infection chain began with victims being approached via the popular South Korean messaging app KakaoTalk. Attackers sent files masquerading as benign content to victims, lured them into installing signed MSI attachments or ZIPs, and deployed AutoIt scripts that installed RATs such as RemcosRAT, QuasarRAT and RftRAT. These tools harvested Google and Naver account credentials, enabling attackers to manipulate cloud services and use Find My Device to pull the plug.

Immediately after the reset, the attackers reportedly exploited the victim’s still-logged-in KakaoTalk desktop app to send malware-laden files to the victim’s contacts – effectively turning each compromised account into a secondary infection vector. This rapid follow-on phase allowed the KONNI operators to spread their payloads before targets could regain access to their wiped devices.

Additional findings show the attackers used the GPS location feature in Find My Device to identify when a target was outside and less likely to react quickly. In one incident, the attacker executed the wipe command not just once but three times, further delaying device recovery and ensuring the victim remained locked out.

The tactic underscores a growing risk for anyone relying on “lost device” features that are tied to online identity systems. While the ability to remotely reset a stolen phone is designed as a security safeguard, it also offers attackers an easy way to destroy evidence or cause disruption once account credentials are stolen.

[…]

Genians recommends that users of Find My Device tools enable multifactor or biometric authentication. For victims of KONNI’s latest stunt, however, the damage is already done. Once a factory reset is triggered through Google’s own service, there’s no undo button – just a blank phone and the tidy handiwork of a state hacker covering their tracks.

Source: North Korean spies used Google Find Hub as remote-wipe tool • The Register

Landfall spyware used in 0-day, 0 click attacks on Samsung phones

A previously unknown Android spyware family called LANDFALL exploited a zero-day in Samsung Galaxy devices for nearly a year, installing surveillance code capable of recording calls, tracking locations, and harvesting photos and logs before Samsung finally patched it in April.

The surveillance campaign likely began in July 2024 and abused CVE-2025-21042, a critical bug in Samsung’s image-processing library that affects Galaxy devices running Android versions 13, 14, 15, and 16, according to Palo Alto Networks Unit 42 researchers who discovered the commercial-grade spyware and revealed details of the espionage attacks in a Friday report.

“This was a precision espionage campaign, targeting specific Samsung Galaxy devices in the Middle East, with likely victims in Iraq, Iran, Turkey, and Morocco,” Itay Cohen, a senior principal researcher at Unit 42, told The Register. “The use of zero-day exploits, custom infrastructure, and modular payload design all indicate an espionage-motivated operation.”

According to the cyber sleuths, exploiting CVE-2025-21042 likely involved sending a maliciously crafted image to the victim’s device via a messaging application in a “zero-click” attack, meaning that infecting targeted phones didn’t require any user interaction.

“It’s not clear exactly how many people were targeted or exploited, but in a recent, related campaign, involving iOS and WhatsApp, WhatsApp shared that less than 200 were targeted in that campaign, so we can reasonably expect this could be a similar very targeted volume,” Cohen said.

Unit 42’s cyber sleuths originally uncovered Landfall while investigating these other two similar zero-days. In August, Apple patched a critical out-of-bounds write issue (CVE-2025-43300) in the ImageIO framework used in iPhones and iPads that had already been exploited in “extremely sophisticated” attacks.

That same month, Meta issued its own security advisory warning that attackers may have chained a WhatsApp bug (CVE-2025-55177) with this Apple OS-level flaw “in a sophisticated attack against specific targeted users.”

The Meta and WhatsApp security teams also found and disclosed to Samsung another DNG-related zero-day in Galaxy devices in August, and in September, Samsung patched CVE-2025-21043.

Despite the similarities between all of these attack chains, Unit 42 says it can’t definitively connect Landfall to the three other zero-days.

[…]

Source: Landfall spyware used in 0-day attacks on Samsung phones • The Register

Mozilla fellow Esra’a Al Shafei watches the spies through SurveillanceWatch

Digital rights activist Esra’a Al Shafei found FinFisher spyware on her device more than a decade ago. Now she’s made it her mission to surveil the companies providing surveillanceware, their customers, and their funders.

“You cannot resist what you do not know, and the more you know, the better you can protect yourself and resist against the normalization of mass surveillance today,” she told The Register.

To this end, the Mozilla fellow founded Surveillance Watch last year. It’s an interactive map that documents the growing number of surveillance software providers, which regions use the various products, and the investors funding them. Since its launch, the project has grown from mapping connections between 220 spyware and surveillance entities to 695 today.

These include the very well known spy tech like NSO Group’s Pegasus and Cytrox’s Predator, both famously used to monitor politicians, journalists and activists in the US, UK, and around the world.

They also include companies with US and UK government contracts, like Palantir, which recently inked a $10 billion deal with the US Army and pledged a £1.5 billion ($2 billion) investment in the UK after winning a new Ministry of Defense contract. Then there’s Paragon, an Israeli company with a $2 million Immigration and Customs Enforcement (ICE) contract for its Graphite spyware, which lets law enforcement hack smartphones to access content from encrypted messaging apps once the device is compromised.

Even LexisNexis made the list. “People think of LexisNexis and academia,” Al Shafei said. “They don’t immediately draw the connection to their product called Accurint, which collects data from both public and non-public sources and offers them for sale, primarily to government agencies and law enforcement.”

Accurint compiles information from government databases, utility bills, phone records, license plate tracking, and other sources, and it also integrates analytics tools to create detailed location mapping and pattern recognition.

“And they’re also an ICE contractor, so that’s another company that you wouldn’t typically associate with surveillance, but they are one of the biggest surveillance agencies out there,” Al Shafei said.

It also tracks funders. Paragon’s spyware is boosted by AE Industrial Partners, a Florida-based investment group specializing in “national security” portfolios. Other major backers of surveillance technologies include CIA-affiliated VC firm In-Q-Tel, Andreessen Horowitz (also known as a16z), and mega investment firm BlackRock.

This illustrates another trend: It’s not just authoritarian countries using and investing in these snooping tools. In fact, America now leads the world in surveillance investment, with the Atlantic Council think tank identifying 20 new US investors in the past year.

[…]

‘They know who you are’

The Surveillance Watch homepage announces: “They know who you are. It’s time to uncover who they are.”

It’s creepy and accurate, and portrays all of the feelings that Al Shafei has around her spyware encounters. Her Majal team has “faced persistent targeting by sophisticated spyware technologies, firsthand, for a very long time, and this direct exposure to surveillance threats really led us to launch Surveillance Watch,” she said. “We think it’s very important for people to understand exactly how they’re being surveilled, regardless of the why.”

The reality is, everybody – not just activists and politicians – is subject to surveillance, whether it’s from smart-city technologies, Ring doorbell cameras, or connected cars. Users will always choose simplicity over security, and the same can be said for data privacy.

“We want to show that when surveillance goes not just unnoticed, but when we start normalizing it in our everyday habits, we look at a new, shiny AI tool, and we say, ‘Yes, of course, take access to all my data,’” Al Shafei said. “There’s a convenience that comes with using all of these apps, tracking all these transactions, and people don’t realize that this data can and does get weaponized against you, and not just against you, but also your loved ones.”

Source: Mozilla fellow Esra’a Al Shafei watches the watchers • The Register

LLM side-channel attack allows traffic sniffers to know what you are talking about with your GPT

[…]

Streaming models send responses to users incrementally, in small chunks or tokens, as opposed to sending the complete responses all at once. This makes them susceptible to an attacker-in-the-middle scenario, where someone with the ability to intercept network traffic could sniff those LLM tokens.

“Cyberattackers in a position to observe the encrypted traffic (for example, a nation-state actor at the internet service provider layer, someone on the local network, or someone connected to the same Wi-Fi router) could use this cyberattack to infer if the user’s prompt is on a specific topic,” researchers Jonathan Bar Or and Geoff McDonald wrote.

“This especially poses real-world risks to users by oppressive governments where they may be targeting topics such as protesting, banned material, election process, or journalism,” the duo added.

Redmond disclosed the flaw to affected vendors and says some of them – specifically, Mistral, Microsoft, OpenAI, and xAI – have all implemented mitigations to protect their models from this type of side-channel attack.

[…]

Proof-of-concept shows how the attack would work

Redmond’s team produced a Whisper Leak attack demo and proof-of-concept code that uses the models to conclude a probability (between 0.0 and 1.0) of a topic being “sensitive” – in this case, money laundering.

For this proof-of-concept, the researchers used a language model to generate 100 variants of a question about the legality of money laundering, mixed them with general traffic, and then trained a binary classifier to distinguish the target topic from background queries.

Then they collected data from each language model service individually, recording response times and packet sizes via network sniffing (via tcpdump). Additionally, they shuffled the order of positive and negative samples for collection, and introduced variants by inserting extra spaces between words – this helps avoid caching interference risk.

[…]

The duo then measured the models’ performance using Area Under the Precision-Recall Curve (AUPRC).

In several of the models, including ones hosted by providers Alibaba, DeepSeek, Mistral, Microsoft, xAI, and OpenAI, classifiers achieved over 98 percent AUPRC, indicating near-perfect separation between sensitive and normal traffic.

They then simulated a “more realistic surveillance scenario” in which an attacker monitored 10,000 conversations, with only one about the target topic in the mix. They performed this test several times, and in many cases had zero false positives, while catching the money-laundering messages between 5 percent and 50 percent of the time. They wrote:

For many of the tested models, a cyberattacker could achieve 100% precision (all conversations it flags as related to the target topic are correct) while still catching 5-50% of target conversations … To put this in perspective: if a government agency or internet service provider were monitoring traffic to a popular AI chatbot, they could reliably identify users asking questions about specific sensitive topics – whether that’s money laundering, political dissent, or other monitored subjects – even though all the traffic is encrypted.

There are a few different ways to protect against size and timing information leakage. Microsoft and OpenAI adopted a method introduced by Cloudflare to protect against a similar side-channel attack: adding a random text sequence to response fields to vary token sizes, making them unpredictable, and thus mostly defending against size-based attacks.
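The size leak and the padding mitigation described above, as an added example that is not part of The Register article or of Microsoft’s Whisper Leak proof-of-concept. The wire format (one `data: {...}` server-sent-event chunk per token), the filler field name `p` and the sample tokens are all constructed assumptions. It shows that a passive observer who sees only record lengths can subtract the fixed framing overhead and read off every token’s length from an unpadded stream, and that random-length filler breaks that one-to-one mapping while the client still recovers the exact text.

```python
import json
import random
import string

# Constructed sample: one streamed answer split into tokens the way a
# streaming API emits them. Not real model output.
SAMPLE_TOKENS = ["Is", " money", " laundering", " illegal", "?", " Yes", ","]


def frame_plain(token: str) -> bytes:
    """One server-sent-event chunk carrying a single token (assumed wire format)."""
    return ("data: " + json.dumps({"delta": token}) + "\n\n").encode()


def frame_padded(token: str, rng: random.Random, max_pad: int = 32) -> bytes:
    """Same chunk with a random-length filler field: the padding mitigation
    the article describes. The field name 'p' is an assumption."""
    pad_len = rng.randrange(0, max_pad + 1)
    pad = "".join(rng.choice(string.ascii_letters) for _ in range(pad_len))
    return ("data: " + json.dumps({"delta": token, "p": pad}) + "\n\n").encode()


def unframe(frame: bytes) -> str:
    """Client side: recover the token and ignore any filler."""
    body = frame.decode().removeprefix("data: ").rstrip("\n")
    return json.loads(body)["delta"]


# Fixed per-chunk framing overhead; everything above it is payload.
PLAIN_OVERHEAD = len(frame_plain(""))
PADDED_OVERHEAD = len(("data: " + json.dumps({"delta": "", "p": ""}) + "\n\n").encode())


def observed_sizes(frames) -> list:
    """What a passive observer sees: only the length of each record. TLS with
    an AEAD cipher preserves plaintext length up to a constant, so these
    differences survive encryption."""
    return [len(f) for f in frames]


def inferred_token_lengths(sizes, overhead) -> list:
    """Observer-side step: subtract the constant overhead to get token lengths."""
    return [s - overhead for s in sizes]


def stream(tokens, padded: bool, seed: int = 0) -> list:
    """Emit the whole response as a list of chunks, padded or not (seeded for reproducibility)."""
    rng = random.Random(seed)
    if padded:
        return [frame_padded(t, rng) for t in tokens]
    return [frame_plain(t) for t in tokens]


def demo(seed: int = 0) -> dict:
    """Compare what leaks from an unpadded and a padded stream of SAMPLE_TOKENS."""
    plain = stream(SAMPLE_TOKENS, padded=False)
    padded = stream(SAMPLE_TOKENS, padded=True, seed=seed)
    true_lengths = [len(t) for t in SAMPLE_TOKENS]
    return {
        "true_lengths": true_lengths,
        # Unpadded: the observer recovers every token length exactly.
        "leaked_plain": inferred_token_lengths(observed_sizes(plain), PLAIN_OVERHEAD),
        # Padded: the same subtraction now yields token length plus random filler.
        "leaked_padded": inferred_token_lengths(observed_sizes(padded), PADDED_OVERHEAD),
        # The client still gets the original text back.
        "roundtrip_ok": [unframe(f) for f in padded] == SAMPLE_TOKENS,
    }


if __name__ == "__main__":
    print(demo())
```

Padding only hides sizes; the inter-chunk timing the researchers also measured is left untouched by this example and needs its own countermeasure.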

[…]

Source: LLM side-channel attack could allow snoops to guess topic • The Register

Critics call proposed changes to landmark EU privacy law ‘death by a thousand cuts’ – “legitimate interest” would allow personal data exfiltration

Privacy activists say proposed changes to Europe’s landmark privacy law, including making it easier for Big Tech to harvest Europeans’ personal data for AI training, would flout EU case law and gut the legislation.
The changes proposed by the European Commission are part of a drive to simplify a slew of laws adopted in recent years on technology, environmental and financial issues which have in turn faced pushback from companies and the U.S. government.
EU antitrust chief Henna Virkkunen will present the Digital Omnibus, in effect proposals to cut red tape and overlapping legislation such as the General Data Protection Regulation, the Artificial Intelligence Act, the e-Privacy Directive and the Data Act, on November 19.
According to the plans, Google (GOOGL.O), Meta Platforms (META.O), OpenAI and other tech companies may be allowed to use Europeans’ personal data to train their AI models based on legitimate interest.
In addition, companies may be exempted from the ban on processing special categories of personal data “in order not to disproportionately hinder the development and operation of AI and taking into account the capabilities of the controller to identify and remove special categories of personal data”.
“The draft Digital Omnibus proposes countless changes to many different articles of the GDPR. In combination this amounts to a death by a thousand cuts,” Austrian privacy group noyb said in a statement.
Noyb is known for filing complaints against American companies such as Apple (AAPL.O), Alphabet and Meta that have triggered several investigations and resulted in billions of dollars in fines.
“This would be a massive downgrading of Europeans’ privacy 10 years after the GDPR was adopted,” noyb’s Max Schrems said.
European Digital Rights, an association of civil and human rights organisations across Europe, slammed a proposal to merge the ePrivacy Directive, known as the cookie law that resulted in the proliferation of cookie consent pop-ups, into the GDPR.
“These proposals would change how the EU protects what happens inside your phone, computer and connected devices,” EDRi policy advisor Itxaso Dominguez de Olazabal wrote in a LinkedIn post.
“That means access to your device could rely on legitimate interest or broad exemptions like security, fraud detection or audience measurement,” she said.
The proposals would need to be thrashed out with EU countries and European Parliament in the coming months before they can be implemented.

Source: Critics call proposed changes to landmark EU privacy law ‘death by a thousand cuts’ | Reuters

Anyone can claim anything as being “legitimate interest”. It is what terms and conditions have been using for decades to pass any and all data on to third parties. At least the GDPR kind of stood in the way of it going to countries like the USA and China.

The FBI Is Trying to Unmask the Registrar Behind Archive.Today

The FBI is looking to ascertain the identity of the creator of a long-running archiving site that is used by millions of people all over the world.

Archive.Today is a popular archiving website—similar in many ways to the Internet Archive’s Wayback Machine—that keeps copies of news articles and government websites that users have submitted. The site can also be used for skirting paywalls. However, it can also be useful for documenting government websites that may be subject to change. The big difference is that the Internet Archive is a transparent and legitimate non-profit that gives websites the option to opt-out of having their content stored on its platform.

If you haven’t heard of Archive.Today, you may have run into mirror sites hosted at Archive.is or Archive.ph.

About a week ago, the X account belonging to Archive posted a link to a federal subpoena, which is dated October 30th. The subpoena, which was originally spotted by a German news site, is for a Canadian web registration company called Tucows, and demands that the company turn over “customer or subscriber name, address of service, and billing address” as well as an extensive list of other information related to the “customer behind archive.today.”

404 Media notes that Archive.Today has hundreds of millions of webpages saved. The outlet further notes that “very little is known about the person or people who work on archive.today.” There is a modest FAQ page on the site, but it doesn’t offer anything in the way of identifying information about the creator of the site.

The subpoena states:

The information sought through this subpoena relates to a federal criminal investigation being conducted by the FBI. Your company is required to furnish this information. You are requested not to disclose the existence of this subpoena indefinitely as any such disclosure could interfere with an ongoing investigation and enforcement of the law.

Well, I guess that ship has sailed.

Source: The FBI Is Trying to Unmask the Registrar Behind Archive.Today

EU’s minimum wage laws may get shot down by (who else) Denmark

The European Court of Justice (ECJ) is set to deliver a landmark ruling on Tuesday that could determine the future of the EU’s Minimum Wage Directive – and, with it, define the limits of the bloc’s authority over national social policies.

Denmark – backed by Sweden – has taken the Commission to the EU’s top court, arguing that the directive breaches EU treaties by legislating directly on pay, an area beyond the EU’s legal remit.

Adopted in 2022, the Minimum Wage Directive aims to ensure “adequate minimum wages” and stronger collective bargaining – negotiations between workers and employers over pay and conditions – across the EU.

While countries don’t have to introduce a mandatory minimum wage, the rules require those with less than 80% collective-bargaining coverage to come up with a plan to strengthen wage-setting systems.

Belgium, Portugal, Germany, Greece, Spain, France, and Luxembourg all sided with the European Commission wanting to keep the law in place.

“This is a real clash here between the Nordic model – collective bargaining – and the EU’s tradition of individual rights,” said Laust Høgedahl, associate professor of employment relations at Aalborg University in Denmark.

In January, the court’s advocate general – an independent expert helping judges decide in complex cases – recommended that judges rule in favour of Denmark in a non-binding opinion.

An ‘earthquake’ under EU’s social pillar

If the court follows the advocate general’s reasoning, it would be “a political earthquake” for the EU’s social policy, said Christina Hiessl, who is a professor of labour law at Belgium’s KU Leuven.

“Up to now, the Court has always sided with the Commission,” Hiessl said.

“The EU also wants to build social rights alongside the single market,” Høgedahl said. “Those social rights will become much harder to advance if this directive falls.”

Hiessl believes Danish fears are exaggerated. “It’s a common misconception that the directive imposes statutory minimum wages,” she said. “It very clearly does not.”

Current figures put Denmark’s collective bargaining rate at 82%, slightly above the 80% threshold – the level of worker coverage below which EU countries are expected to take steps to promote collective bargaining.

According to Høgedahl, Danish resistance is a principled stance rather than one of substance.

“Wage is sacred in Denmark,” he says. “It belongs to the social partners, not to politicians – not in Copenhagen, and certainly not in Brussels.”

Source: EU’s minimum wage faces judgment day | Euractiv

Of course, the Danish, who also want to implement Chat Control (blanket espionage of all EU citizens through their smartphones) would hate to see fair wages for EU citizens as well.

Scientists turn body fat into bone to heal spinal fractures

Researchers at Osaka Metropolitan University have developed a promising new method to repair spinal fractures using stem cells extracted from adipose tissue, or body fat. In animal studies, the treatment successfully healed spinal injuries in rats that mimic osteoporosis-related fractures seen in humans. Because these cells are easy to collect, even from older adults, and cause minimal strain on the body, the technique could provide a gentle, non-invasive alternative for treating bone diseases.

Osteoporosis weakens bones, making them fragile and more likely to break. As Japan’s population continues to age, the number of people affected is projected to surpass 15 million. Among the various types of fractures caused by osteoporosis, compression fractures of the spine, known as osteoporotic vertebral fractures, are the most common. These injuries can result in long-term disability and severely reduce quality of life, highlighting the need for safer and more effective treatments.

How Fat-Derived Stem Cells Help Rebuild Bone

Stem cells derived from adipose tissue (ADSCs) show strong potential for repairing bone damage. These multipotent cells can develop into various types of tissue, including bone. When ADSCs are cultivated into three-dimensional spherical groups called spheroids, their ability to promote tissue repair increases. Pre-differentiating these spheroids toward bone-forming cells further enhances their effectiveness in stimulating bone regeneration.

Led by Graduate School of Medicine student Yuta Sawada and Dr. Shinji Takahashi, the Osaka research team used ADSCs to create bone-differentiated spheroids and combined them with β-tricalcium phosphate, a material commonly used in bone reconstruction. The mixture was applied to rats with spinal fractures, resulting in significant improvements in bone healing and strength.

The researchers also observed that genes responsible for bone formation and regeneration became more active after the treatment, suggesting that the approach stimulates the body’s natural healing processes.

Promising Outlook for Future Treatments

“This study has revealed the potential of bone differentiation spheroids using ADSCs for the development of new treatments for spinal fractures,” said Sawada. “Since the cells are obtained from fat, there is little burden on the body, ensuring patient safety.”

Dr. Takahashi added, “This simple and effective method can treat even difficult fractures and may accelerate healing. This technique is expected to become a new treatment that helps extend the healthy life of patients.”

The findings were published in Bone & Joint Research.


Story Source:

Materials provided by Osaka Metropolitan University. Note: Content may be edited for style and length.


Journal Reference:

  1. Yuta Sawada, Shinji Takahashi, Kumi Orita, Akito Yabu, Masayoshi Iwamae, Yuki Okamura, Yuto Kobayashi, Hiroshi Taniwaki, Hiroaki Nakamura, Hidetomi Terai. Development of a new treatment for osteoporotic vertebral fractures using adipose-derived stem cell spheroids. Bone & Joint Research, 2025; 14 (10): 915 DOI: 10.1302/2046-3758.1410.BJR-2025-0092.R1

Source: Scientists turn body fat into bone to heal spinal fractures | ScienceDaily

Honda’s ‘Bending’ Platform Shatters Decades of Car Design Rigidity

When your next-generation Honda Pilot or Civic goes around a corner the front-end structure is going to deform in the name of handling. Yes, really.

In Japan, Honda engineers explained last week that it’s completely rethought how vehicles are designed in an effort to lower weight, lower cost, and most interestingly, improve dynamics. The solution? A front end structure that bends, twists, and deforms while cornering.

For forever and a day automakers have sold everyone on how they’ve increased the rigidity of their latest model and then improved the tuning of their suspension system to enhance cornering capabilities. Honda’s now done the opposite.

(Image: Honda 0 Series Platform. Credit: Joel Feder)

The new platform, which will underpin both its midsize and large vehicles ranging from the Civic and CR-V to the Pilot and Odyssey, will optimize body rigidity rather than simply aim to increase it. To that point, Honda’s shifted where the structural reinforcements are placed around the front structure rather than having it all centralized under the engine. The same principles are being applied to the upcoming 0 Series EV platform as well.

The result? When a vehicle goes around a corner the outside of the structure will deform to push the outer wheel down and load up the grip to help improve steering and cornering for less push and more feel thanks to more tire contact. The car’s going to handle better. It should also be quieter and more comfortable thanks to the ability to absorb impacts.

Honda said the new structure is modular with fixed dimensions for the front and rear sections improving commonality. The modularity and new platform design is expected to shave 198 pounds and reduce cost by 10% compared to today’s structure.

The new structure is expected to enter production in 2027.

Source: Honda’s ‘Bending’ Platform Shatters Decades of Car Design Rigidity

Nanotech makes cancer drug 20,000x stronger, without side effects

In a major step toward improving cancer treatment, researchers at Northwestern University have redesigned the molecular structure of a widely used chemotherapy drug, making it far more soluble, potent, and less toxic to the body.

The scientists built a new form of the drug using spherical nucleic acids (SNAs), a type of nanostructure that embeds the drug directly into DNA strands coating tiny spheres. This re-engineering turned a weak, poorly dissolving chemotherapy drug into a highly targeted cancer-fighting agent that spares healthy tissue.

A Dramatic Boost Against Leukemia

The new therapy was tested in animals with acute myeloid leukemia (AML), a fast-growing and hard-to-treat blood cancer. Compared with the standard chemotherapy version, the SNA-based drug entered leukemia cells 12.5 times more efficiently, destroyed them up to 20,000 times more effectively, and slowed cancer progression 59-fold — all without detectable side effects.

This success highlights the growing promise of structural nanomedicine, a field that precisely controls the composition and architecture of nanomedicines to improve how they interact with the human body. With seven SNA-based treatments already in clinical testing, researchers believe this approach could pave the way for new vaccines and therapies for cancers, infections, neurodegenerative disorders, and autoimmune diseases.

[…]

For this study, Mirkin’s team revisited 5-fluorouracil (5-Fu), a long-standing chemotherapy drug known for its limited efficiency and harsh side effects. Because it affects healthy cells as well as cancerous ones, 5-Fu can cause nausea, fatigue, and in rare cases, heart complications.

Mirkin explained that the issue lies not in the drug itself but in its poor solubility. Less than 1% dissolves in many biological fluids, meaning most of it never reaches its intended targets. When a drug cannot dissolve well, it clumps together or remains solid, preventing the body from absorbing it effectively.

“We all know that chemotherapy is often horribly toxic,” Mirkin said. “But a lot of people don’t realize it’s also often poorly soluble, so we have to find ways to transform it into water soluble forms and deliver it effectively.”

How Spherical Nucleic Acids Transform Drug Delivery

To overcome this limitation, the researchers turned to SNAs — globular nanoparticles surrounded by dense shells of DNA or RNA. Cells readily recognize these structures and pull them inside. In this case, Mirkin’s team chemically incorporated the chemotherapy molecules into the DNA strands themselves, creating a drug that cancer cells naturally absorb.

“Most cells have scavenger receptors on their surfaces,” Mirkin explained. “But myeloid cells overexpress these receptors, so there are even more of them. If they recognize a molecule, then they will pull it into the cell. Instead of having to force their way into cells, SNAs are naturally taken up by these receptors.”

Once inside, enzymes break down the DNA shell, releasing the chemotherapy payload directly into the cancer cell. This structural redesign completely changed how 5-Fu interacted with leukemia cells, dramatically increasing its effectiveness.

Precision Targeting With Minimal Harm

In mouse models, the new therapy nearly eliminated leukemia cells in the blood and spleen while significantly extending survival time. Because the SNAs selectively targeted AML cells, healthy tissues remained unharmed.

[…]

Story Source:

Materials provided by Northwestern University. Note: Content may be edited for style and length.


Journal Reference:

  1. Taokun Luo, Young Jun Kim, Zhenyu Han, Jeongmin Hwang, Sneha Kumari, Vinzenz Mayer, Alex Cushing, Roger A. Romero, Chad A. Mirkin. Chemotherapeutic Spherical Nucleic Acids. ACS Nano, 2025; DOI: 10.1021/acsnano.5c16609

Source: Nanotech makes cancer drug 20,000x stronger, without side effects | ScienceDaily

Epic and Google agree to settle their lawsuit and change Android’s fate globally

Just when we thought Epic v. Google might be over, just one Supreme Court rejection away from a complete victory for Epic, both sides have agreed to settle Tuesday evening. And if Judge James Donato, who ordered Google to crack open Android for third-party stores, agrees to the changes, it might turn Epic’s victory into a lasting global one.

Previously, Judge Donato agreed to some of Epic’s biggest demands. He issued a permanent injunction that will force Google to carry rival app stores within its own Google Play Store, and give those rival stores access to the full catalog of Google Play apps, to restore competition to the Android marketplace. The injunction also forced Google to stop requiring developers to use Google Play Billing, after a jury found the company had illegally tied its app store to its payments system.

But those changes only applied to the United States, only lasted for three years, and didn’t change how much Google would charge in app store fees.

Now, instead, Google is agreeing to reduce its standard fee to 20 percent or 9 percent, depending on the kind of transaction and when an app was first installed. It’s agreeing to create a new program in the very next version of Android where alternative app stores can register with Google and (theoretically) become first-class citizens that users can easily install. And it appears to be agreeing to offer “Registered App Stores” and lower fees around the world, not just in the US, lasting through June 2032 — six and a half years instead of just three.

[…]

The details of how, when, and where Google would charge its fees are complicated, and depend on when the app was installed. The “new service fee model would apply to new installs,” Google spokesperson Dan Jackson tells The Verge, and the proposal suggests it would only apply to apps installed after October 2025.

The details also seem to be somewhat tailored to the needs of a game developer like Epic Games. Google can charge 20 percent for an in-app purchase that provides “more than a de minimis gameplay advantage,” for example, or 9 percent if the purchase does not. And while 9 percent sounds like it’s also the cap for apps and in-app subscriptions sold through Google Play, period, the proposal notes that that amount doesn’t include Google’s cut for Play Billing if you buy it through that payment system.

That cut will be 5 percent, Jackson tells The Verge, confirming that “This new proposed model introduces a new, lower fee structure for developers in the US and separates the service fee from fees for using Google Play Billing.” (For reference, Google currently charges 15 percent for subscriptions, 15 percent of the first $1M of developer revenue each year and 30 percent after that, though it also cuts special deals with some big developers.)

If you use an alternative payment system, Google might still get a cut: “the Google Play store is free to assess service fees on transactions, including when developers elect to use alternative billing mechanisms,” the proposal reads. But it sounds like that may not happen in practice: “If the user chooses to pay through an alternative billing system, the developer pays no billing fee to Google,” Jackson tells The Verge.

According to the document, Google would theoretically even be able to get its cut when you click out to an app developer’s website and pay for the app there, as long as it happens within 24 hours.

[…]

“Starting with a version of the next major Android release through June 30, 2032, Google will modify future versions of the Android operating system so that a user can install a Registered App Store from a website by clicking on a single store install screen using neutral language. This will also grant the permission to the store to install apps,” the proposal reads.

The proposed modified injunction keeps many of Epic’s other wins in place, including ones that are already in effect today: it has to stop sharing money or perks with phonemakers, carriers, and app developers in exchange for Google Play exclusivity or preinstallation, and let developers communicate with their customers about pricing outside the Play Store.

Google and Epic say they will discuss this proposal with the judge on Thursday, November 6th.

[…]

Source: Epic and Google agree to settle their lawsuit and change Android’s fate globally | The Verge

Of course, you have no idea what Google will charge to add an app store. Apple’s costs are in the millions of dollars.

Post-heist reports reveal the password for the Louvre’s video surveillance was ‘Louvre,’ and suddenly the dumpster-tier opsec of videogame NPCs seems a lot less absurd

The air of criminal mystique has been dispelled somewhat in the weeks following the October 18 heist that saw $102 million of crown jewels stolen from the Louvre in broad daylight. The suspects fumbled an entire crown during their escape, before trying and failing to light their mechanical lift on fire as a diversionary tactic. Arsène Lupin would be appalled.

How exactly, then, did the most renowned gallery in France find itself pillaged by a cadre of buffoons in high visibility vests? Reporting from French newspaper Libération indicates the theft is less of an anomaly than we might expect, as the Louvre has suffered from over a decade of glaring security oversights and IT vulnerabilities.

(Image credit: Cass Marshall via Bluesky)

As Rogue cofounder and former Polygon arch-jester Cass Marshall notes on Bluesky, we owe a lot of videogame designers an apology. We’ve spent years dunking on the emptyheadedness of game characters leaving their crucial security codes and vault combinations in the open for anyone to read, all while the Louvre has been using the password “Louvre” for its video surveillance servers.

That’s not an exaggeration. Confidential documents reviewed by Libération detail a long history of Louvre security vulnerabilities, dating back to a 2014 cybersecurity audit performed by the French Cybersecurity Agency (ANSSI) at the museum’s request. ANSSI experts were able to infiltrate the Louvre’s security network to manipulate video surveillance and modify badge access.

“How did the experts manage to infiltrate the network? Primarily due to the weakness of certain passwords which the French National Cybersecurity Agency (ANSSI) politely describes as ‘trivial,’” writes Libération’s Brice Le Borgne via machine translation. “Type ‘LOUVRE’ to access a server managing the museum’s video surveillance, or ‘THALES’ to access one of the software programs published by… Thales.”

(Image credit: Starbreeze)

The museum sought another audit from France’s National Institute for Advanced Studies in Security and Justice in 2015. Concluded two years later, the audit’s 40 pages of recommendations described “serious shortcomings,” “poorly managed” visitor flow, rooftops that are easily accessible during construction work, and outdated and malfunctioning security systems.

Later documents indicate that, in 2025, the Louvre was still using security software purchased in 2003 that is no longer supported by its developer, running on hardware using Windows Server 2003.

When the safeguards for France’s crown jewels are two decades out of date, maybe we could all afford to go a little easier on the absurdity of hacking minigames, password post-it notes and extremely stealable keycards. Heists, it seems, aren’t actually all that hard.

Source: Post-heist reports reveal the password for the Louvre’s video surveillance was ‘Louvre,’ and suddenly the dumpster-tier opsec of videogame NPCs seems a lot less absurd | PC Gamer

Hacking Buttons Back Into The Car Stereo

To our younger readers, a car without an all-touchscreen “infotainment” system may look clunky and dated, but really, you kids don’t know what they’re missing. Buttons, knobs, and switches all offer a level of satisfying tactility and feedback that touchscreens totally lack. [Garage Builds] on YouTube agrees; he also doesn’t like the way his aftermarket Kenwood head unit looks in his 2004-vintage Nissan. That’s why he decided to take matters into his own hands, and hack the buttons back on.

Rather than source a vintage stereo head unit, or try and DIY one from scratch, [Garage Builds] has actually hidden the modern touchscreen unit behind a button panel. That button panel is actually salvaged from the stock stereo, so the looks fit the car. The stereo’s LCD gets replaced with a modern color unit, but otherwise it looks pretty stock at the end.

Adding buttons to the Kenwood is all possible thanks to steering-wheel controls. In order to make use of those, the touchscreen head unit came with a little black box that translated the button press into some kind of one-wire protocol that turned out to be an inverted and carrier-less version of the NEC protocol used in IR TV remotes. (That bit of detective work comes from [michaelb], who figured all this out for his Ford years ago, but [Garage Builds] is also sharing his code on GitHub.)

Having the protocol, it simply becomes a matter of grabbing a microcontroller to scan the stock buttons and output the necessary codes to the Kenwood head unit. Of course now he has extra buttons, since the digital head unit has no tape or CD changer to control, nor AM/FM radio to tune. Those get repurposed for the interior and exterior RGB lighting [Garage Builds] has ̶i̶n̶f̶l̶i̶c̶t̶e̶d̶  mounted on this ̶p̶o̶o̶r̶ lovely car. (There’s no accounting for taste. Some of us love the look and some hate it, but he’s certainly captured an aesthetic, and now has easy control of it to boot.) [Garage Builds] has got custom digital gauges to put into the dash of his Nissan, and some of the extra buttons have been adapted to control those, too.
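An encoder and decoder for the NEC frame format mentioned above, added here as an example; it is not code from the Hackaday article, from [Garage Builds]’s GitHub repository or from [michaelb]. The timings are the standard NEC remote-control values (9 ms leader mark, 4.5 ms leader space, 562 µs bit marks, 562 µs or 1687 µs spaces for 0 and 1, address/~address/command/~command sent LSB first); that the Kenwood adapter’s “inverted and carrier-less” variant keeps those timings and only flips the line level is an assumption of mine, not something the article states. The decoder rejects any frame whose complement bytes do not match, which is how a receiver tells a genuine button code from line noise.

```python
# Standard NEC infrared-remote timings in microseconds. The inverted,
# carrier-less variant is ASSUMED to keep these timings and only flip the
# line level; the Kenwood adapter's real timings are not in the article.
LEADER_MARK_US = 9000
LEADER_SPACE_US = 4500
BIT_MARK_US = 562
ZERO_SPACE_US = 562
ONE_SPACE_US = 1687


def nec_encode(address: int, command: int, inverted: bool = True) -> list:
    """Build a 32-bit NEC frame as a list of (line_level, duration_us).
    Without a carrier a 'mark' is a steady level; inverted drives it low."""
    mark, space = (0, 1) if inverted else (1, 0)
    frame = [(mark, LEADER_MARK_US), (space, LEADER_SPACE_US)]
    # Payload order: address, ~address, command, ~command, each LSB first.
    for byte in (address & 0xFF, ~address & 0xFF, command & 0xFF, ~command & 0xFF):
        for i in range(8):
            bit = (byte >> i) & 1
            frame.append((mark, BIT_MARK_US))
            frame.append((space, ONE_SPACE_US if bit else ZERO_SPACE_US))
    frame.append((mark, BIT_MARK_US))  # stop bit
    return frame


def _near(actual: int, expected: int, tol: float) -> bool:
    """True if a measured duration is within tol (fraction) of the nominal value."""
    return abs(actual - expected) <= expected * tol


def nec_decode(frame: list, inverted: bool = True, tol: float = 0.25):
    """Decode a frame into (address, command); return None if it is malformed
    or its complement bytes fail the protocol's built-in integrity check."""
    mark, space = (0, 1) if inverted else (1, 0)
    if len(frame) != 2 + 64 + 1:          # leader pair + 32 bit pairs + stop
        return None
    (l0, d0), (l1, d1) = frame[0], frame[1]
    if not (l0 == mark and _near(d0, LEADER_MARK_US, tol)
            and l1 == space and _near(d1, LEADER_SPACE_US, tol)):
        return None
    bits = []
    for i in range(32):
        (ml, md), (sl, sd) = frame[2 + 2 * i], frame[3 + 2 * i]
        if ml != mark or sl != space or not _near(md, BIT_MARK_US, tol):
            return None
        if _near(sd, ONE_SPACE_US, tol):
            bits.append(1)
        elif _near(sd, ZERO_SPACE_US, tol):
            bits.append(0)
        else:
            return None                    # space length matches neither symbol
    if frame[-1][0] != mark or not _near(frame[-1][1], BIT_MARK_US, tol):
        return None
    data = [sum(bits[8 * b + i] << i for i in range(8)) for b in range(4)]
    if data[1] != ~data[0] & 0xFF or data[3] != ~data[2] & 0xFF:
        return None                        # complement check failed
    return data[0], data[2]


def flip_space(frame: list, bit_index: int) -> list:
    """Return a copy with one data bit's space swapped, simulating line noise."""
    out = list(frame)
    lvl, dur = out[3 + 2 * bit_index]
    out[3 + 2 * bit_index] = (lvl, ZERO_SPACE_US if _near(dur, ONE_SPACE_US, 0.25) else ONE_SPACE_US)
    return out


if __name__ == "__main__":
    f = nec_encode(0x20, 0x4B)
    print(nec_decode(f), nec_decode(flip_space(f, 0)))
```

On a microcontroller the (level, duration) list is what an edge-timing interrupt handler produces, so the same decoder logic applies to captured input and the encoder's output maps directly onto a bit-banged GPIO.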

The whole car is actually a rolling hack, as you can see from the back catalog of the [Garage Builds] YouTube channel, which might be worth a look if you sit in the overlap of the “electronics enthusiast” and “gearhead” circles of the Venn diagram.

There’s no accounting for taste, but we absolutely agree with him that making everything black rectangles is the death of industrial design.

This isn’t the first time we’ve seen retro radios hacked together with microcontrollers; take a look at this one from a 1970s Toyota. Now that’s vintage!

Source: Hacking Buttons Back Into The Car Stereo | Hackaday

Billy B-Assistant AI Fish

The Billy Bass Assistant is a Raspberry Pi–powered voice assistant embedded inside a Big Mouth Billy Bass animatronic. It streams conversation using the OpenAI Realtime API and turns its head, flaps its tail and moves its mouth in time with what it is saying.

This project is still in BETA. Things might crash, get stuck or make Billy scream uncontrollably (OK, that last part maybe not literally, but you get the point). Proceed with fishy caution.


Features

  • Realtime conversations using OpenAI Realtime API
  • Personality system with configurable traits (e.g., snark, charm)
  • Physical button to start/interact/intervene
  • 3D-printable backplate for housing USB microphone and speaker
  • Support for the Modern Billy hardware version with 2 motors as well as the Classic Billy hardware version (3 motors)
  • Lightweight web UI:
    • Adjust settings and persona of Billy
    • View debug logs
    • Start/stop/restart Billy
    • Export/Import of settings and persona
    • Hostname and Port configuration
  • MQTT support:
    • sensor with status updates of Billy (idle, speaking, listening)
    • billy/say topic for triggering spoken messages remotely
    • Raspberry Pi Safe Shutdown command
  • Home Assistant command passthrough using the Conversation API
  • Custom Song Singing and animation mode

Source: billy-b-assistant (Github)

72% of game developers say Steam is effectively a PC gaming monopoly

Steam’s longstanding dominance in the PC gaming market often raises questions about how close it is to exercising monopoly power. Although the storefront does not meet the technical definition of a monopoly, many developers are concerned about their reliance on Valve’s platform.

In a survey of over 300 executives from large US and UK game companies, 72% either slightly or strongly agreed that Steam constitutes a monopoly over PC games. Furthermore, 88% said that at least three-quarters of their revenue came from Steam, while 37% reported that the platform accounted for 90% of their total revenue.

Steam is by far the largest PC game distribution service, having recently exceeded 41 million concurrent users. Many customers are so adamant about only purchasing games through Steam that the industry’s largest publishers, including EA, Ubisoft, and even Microsoft, have tried – and failed – to withhold their titles from the service.

Still, Steam does not technically control the entire market. The Epic Games Store and the Windows Store are attempting to compete using free game giveaways, Microsoft’s Game Pass subscription service, and lower sales commissions, but they remain far less popular than Steam. Meanwhile, alternative storefronts such as GOG and itch.io have carved out a niche by focusing on indie and retro titles. Moreover, some of the most popular PC games, such as Fortnite, Minecraft, League of Legends, and World of Warcraft, are not available on Steam.

Despite these caveats, Steam has previously drawn accusations of using its dominant market position to control pricing – a key sign of monopoly power. Last year, a class-action lawsuit started by Wolfire Games decried the store’s standard 30 percent revenue cut and alleged that Steam discouraged companies from lowering prices on stores that took smaller sales commissions.

Atomik Research conducted the recent survey on behalf of Rokky, a company that helps game publishers minimize the impact of grey market key resellers on prices. In addition to opinions on Steam, developers also answered questions about the PC market’s biggest challenges.

The increasing popularity of free-to-play games such as Fortnite, DOTA 2, Counter-Strike 2, Call of Duty: Warzone, and Roblox topped the list of concerns for 40% of respondents. Approximately a third mentioned market saturation and discoverability, echoing data that suggests there aren’t enough players for the thousands of new titles released on Steam each year. A similar portion of survey respondents also expressed concerns regarding subscription services.

Source: 72% of game developers say Steam is effectively a PC gaming monopoly | TechSpot

A monopoly is still a monopoly when other players exist in the market, especially when they are so much smaller. And should the market consist of only a handful of roughly equal players, the dangers are much the same: collusion and price fixing become easy when each company has only one or two competitors to watch.

DHS wants more biometric data from more people – even from citizens

If you’re filing an immigration form – or helping someone who is – the Feds may soon want to look in your eyes, swab your cheek, and scan your face. The US Department of Homeland Security wants to greatly expand biometric data collection for immigration applications, covering immigrants and even some US citizens tied to those cases.

DHS, through its component agency US Citizenship and Immigration Services, on Monday proposed a sweeping expansion of the agency’s collection of biometric data. While ostensibly about verifying identities and preventing fraud in immigration benefit applications, the proposed rule goes much further than simply ensuring applicants are who they claim to be.

First off, the rule proposes expanding when DHS can collect biometric data from immigration benefit applicants, as “submission of biometrics is currently only mandatory for certain benefit requests and enforcement actions.” DHS wants to change that, including by requiring practically everyone an immigrant is associated with to submit their biometric data.

“DHS proposes in this rule that any applicant, petitioner, sponsor, supporter, derivative, dependent, beneficiary, or individual filing or associated with a benefit request or other request or collection of information, including U.S. citizens, U.S. nationals and lawful permanent residents, and without regard to age, must submit biometrics unless DHS otherwise exempts the requirement,” the rule proposal said.

DHS also wants to require the collection of biometric data from “any alien apprehended, arrested or encountered by DHS.”

It’s not explicitly stated in the rule proposal why US citizens associated with immigrants who are applying for benefits would have to have their biometric data collected. DHS didn’t answer questions to that end, though the rule stated that US citizens would also be required to submit biometric data “when they submit a family-based visa petition.”

Give me your voice, your eye print, your DNA samples

In addition to expanded collection, the proposed rule also changes the definition of what DHS considers to be valid biometric data.

“Government agencies have grouped together identifying features and actions, such as fingerprints, photographs, and signatures under the broad term, biometrics,” the proposal states. “DHS proposes to define the term ‘biometrics’ to mean ‘measurable biological (anatomical, physiological or molecular structure) or behavioral characteristics of an individual,'” thus giving DHS broad leeway to begin collecting new types of biometric data as new technologies are developed.

The proposal mentions several new biometric technologies DHS wants the option to use, including ocular imagery, voice prints and DNA, all on the table per the new rule.

[…]

Source: DHS wants more biometric data – even from citizens • The Register