About Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft

Changing touchscreen friction and rendering of virtual shapes through change in surface temperature

In this work, we show a large modulation of finger friction by locally changing surface temperature. Experiments showed that finger friction can be increased by ~50% with a surface temperature increase from 23° to 42°C, which was attributed to the temperature dependence of the viscoelasticity and the moisture level of human skin. Rendering virtual features, including zoning and bump(s), without thermal perception was further demonstrated with surface temperature modulation. This method of modulating finger friction has potential applications in gaming, virtual and augmented reality, and touchscreen human-machine interaction.

Source: Surface haptic rendering of virtual shapes through change in surface temperature

Samsung Galaxy Source Code Stolen in Data Breach, might show they slow down specific apps

Samsung confirmed on Monday that a cybersecurity attack exposed sensitive internal data including source code for Galaxy smartphones.

The group claiming responsibility for the attack, Lapsus$, is the same hacking outfit that breached Nvidia last week and leaked employee credentials and proprietary information onto the internet. In the Samsung hack, the group purportedly posted a 190GB torrent file to its Telegram channel, claiming it contains algorithms for biometric login authentication and bootloader—code that could be used to bypass some operating system controls.

Samsung disclosed the breach but didn’t confirm the identity of the hackers or the materials stolen.

[…]

After successfully breaching Nvidia, Lapsus$ blackmailed the GPU maker by threatening to release stolen internal data unless GPU drivers were made open source and Ethereum cryptocurrency mining limiters were removed from Nvidia 30-series graphics cards. The group, which is said to have members in South America and Western Europe, reportedly compromised the credentials of more than 71,000 past and current Nvidia employees.

For Samsung, the data breach arrives shortly after reports emerged claiming the company deliberately limits the performance of around 10,000 apps, including Instagram and TikTok. Samsung said its “Game Optimizing Service” was designed to balance performance and cooling, but many saw this as performance throttling and slammed the Korean tech giant for selectively excluding benchmarking apps.

[…]


Source: Samsung Galaxy Source Code Stolen in Data Breach

How safe are your passwords in 2022?

The 2022 update to our famous Hive Systems Password Table that’s been shared across the internet, social media, the news, and organizations worldwide. So what’s new, and what’s our methodology behind it? Keep reading!

[Image: Hive Systems Password Table – time it takes a hacker to brute force a password in 2022]

It’s been two years since we first shared our (now famous) password table. So it was about time we not only updated it for 2022 but also walked you through our methodology. While the data fits nicely into the table above, things aren’t as simple as it shows. So we’ll walk you through our data, our assumptions, and oh, you’re going to see a LOT of variations of the password table above!

“So how’d you make the table?”

In 2020, we shared a colorful table that took the internet by storm. It showed the relative strength of a password against a brute force cracking attempt, based on the password’s length and complexity. The data was based on how long it would take a consumer-budget hacker to crack your password hash using a desktop computer with a top-tier graphics card. Two years later – quite a long period of time in processing power improvement terms –  we’re long overdue for an update.

First, let’s get some key terms out of the way. We’re going to talk about hashing. In the context of passwords, a “hash” is a scrambled version of text that is reproducible if you know what hash software was used. In other words, if I hash the word “password” using MD5 hashing software, the output hash is 5f4dcc3b5aa765d61d8327deb882cf99. Now if you hash the word “password” using MD5 hashing software, you’ll also get 5f4dcc3b5aa765d61d8327deb882cf99! We both secretly know the word “password” is our secret code, but anyone else watching us just sees 5f4dcc3b5aa765d61d8327deb882cf99. For this reason, the passwords you use on websites are stored in servers as hashes instead of in plain text like “password” so that if someone views them, in theory they won’t know the actual password.

You can’t do the reverse. A hash digest like 5f4dcc3b5aa765d61d8327deb882cf99 can’t be reverse computed to produce the word “password” that was used to make it. This one-way approach for hashing functions is by design. So how do hackers who steal hashes from websites ultimately end up with a list of real life passwords?

Hackers solve this problem by cracking the passwords instead. In this context, cracking means making a list of all combinations of characters on your keyboard and then hashing them. By finding matches between this list and the hashes from the stolen passwords, hackers can figure out your true password – letting them log into your favorite websites. And if you use the same password on multiple sites, you’re in for a bad time.

You can do this comparison with any computer, but it is much faster if you accelerate the process with a powerful graphics card. Graphics cards are those circuit boards that stick out of your computer’s bigger green circuit board. Among other things, this special circuit board has a Graphics Processing Unit (GPU) on it. A GPU is the shiny square tile on your graphics card that likely says NVIDIA or AMD on it. Originally GPUs were built to make pictures and videos load faster on your computer screen. As it turns out, they’re also great for mining cryptocurrencies, and for calculating hashes. A popular application for hashing is called Hashcat. Hashcat includes hashing functions, like MD5, while allowing you to use them quickly and see how fast it was able to do so. As a side note, we usually say “hash function” instead of “hash software.”
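The cracking loop described above, written out as an added example (this is not Hive Systems’ code, and the guess rate in it is an assumed figure rather than their benchmark): a wordlist attack and a mask-style brute force against an MD5 digest, plus the keyspace arithmetic that a “time to crack” table is built from. The stolen digest is the MD5 of “password” quoted in the article; the wordlist and charset are constructed.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"math"
)

// md5Hex returns the lowercase hex MD5 digest of s (what hashcat mode 0 attacks).
func md5Hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// keyspace is the number of candidate strings of exactly length n drawn from a
// charset of size k, i.e. k^n. A "time to crack" table is this divided by rate.
func keyspace(k, n int) float64 {
	return math.Pow(float64(k), float64(n))
}

// worstCaseSeconds is how long exhausting that keyspace takes at hashesPerSec
// guesses per second; on average a password falls at about half this.
func worstCaseSeconds(k, n int, hashesPerSec float64) float64 {
	return keyspace(k, n) / hashesPerSec
}

// dictionaryCrack hashes each wordlist entry and compares it with the stolen
// digest (hashcat -a 0). Returns the matching word, if any.
func dictionaryCrack(targetHex string, words []string) (string, bool) {
	for _, w := range words {
		if md5Hex(w) == targetHex {
			return w, true
		}
	}
	return "", false
}

// bruteForce tries every string over charset of length 1..maxLen (hashcat -a 3
// with an incrementing mask), stopping at the first match.
func bruteForce(targetHex, charset string, maxLen int) (string, bool) {
	cs := []byte(charset)
	buf := make([]byte, maxLen)
	for n := 1; n <= maxLen; n++ {
		idx := make([]int, n) // odometer: one charset index per position
		for {
			for i, j := range idx {
				buf[i] = cs[j]
			}
			if md5Hex(string(buf[:n])) == targetHex {
				return string(buf[:n]), true
			}
			// advance the odometer from the rightmost position, carrying left
			p := n - 1
			for p >= 0 && idx[p] == len(cs)-1 {
				idx[p] = 0
				p--
			}
			if p < 0 {
				break // every length-n candidate has been tried
			}
			idx[p]++
		}
	}
	return "", false
}

func main() {
	const stolen = "5f4dcc3b5aa765d61d8327deb882cf99" // MD5("password"), as in the article
	if w, ok := dictionaryCrack(stolen, []string{"123456", "qwerty", "password"}); ok {
		fmt.Printf("wordlist hit: %q\n", w)
	}
	if p, ok := bruteForce(md5Hex("abc"), "abcdefghijklmnopqrstuvwxyz", 3); ok {
		fmt.Printf("brute-force hit: %q\n", p)
	}
	// Assumed GPU rate, not a measured figure: 1e10 MD5 guesses per second.
	for _, n := range []int{6, 8, 10, 12} {
		fmt.Printf("lowercase, %2d chars: %.3g s worst case\n", n, worstCaseSeconds(26, n, 1e10))
	}
}
```

The odometer loop is the whole of a mask attack; a GPU simply runs millions of these candidates in parallel. Note that the wordlist hit costs three hashes while the mask attack scales as k^n, which is exactly why the table’s rows grow by length and its columns by charset.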

[…]

Source: Are Your Passwords in the Green?

The rest of the article is very interesting, including many more graphs depicting various scenarios.

Ice Cream Machine Repairers Sue McDonald’s for $900 Million

For years, the tiny startup Kytch worked to invent and sell a device designed to fix McDonald’s notoriously broken ice cream machines, only to watch the fast food Goliath crush their business like the hopes of so many would-be McFlurry customers. Now Kytch is instead seeking to serve out cold revenge—nearly a billion dollars worth of it.

Late Tuesday night, Kytch filed a long-expected legal complaint against McDonald’s, accusing the company of false advertising and tortious interference in its contracts with customers. Kytch’s cofounders, Melissa Nelson and Jeremy O’Sullivan, are asking for no less than $900 million in damages.

Since 2019, Kytch has sold a phone-sized gadget designed to be installed inside McDonald’s ice cream machines. Those Kytch devices would intercept the ice cream machines’ internal communications and send them out to a web or smartphone interface to help owners remotely monitor and troubleshoot the machines’ many foibles, which are so widely acknowledged that they’ve become a full-blown meme among McDonald’s customers. The two-person startup’s new claims against McDonald’s focus on emails the fast food giant sent to every franchisee in November 2020, instructing them to pull Kytch devices out of their ice cream machines immediately.

Those emails warned franchisees that the Kytch devices not only violated the ice cream machines’ warranties and intercepted their “confidential information” but also posed a safety threat and could lead to “serious human injury,” a claim that Kytch describes as false and defamatory. Kytch also notes that McDonald’s used those emails to promote a new ice cream machine, built by its longtime appliance manufacturing partner Taylor, that would offer similar features to Kytch. The Taylor devices, meanwhile, have yet to see public adoption beyond a few test installations.

Kytch cofounder Melissa Nelson says the emails didn’t just result in McDonald’s ice cream machines remaining broken around the world. (About one in seven of the machines in the US remained out of commission on Monday according to McBroken.com, which tracks the problem in real time.) They also kneecapped Kytch’s fast-growing sales just as the startup was taking off. “They’ve tarnished our name. They scared off our customers and ruined our business. They were anti-competitive. They lied about a product that they said would be released,” Nelson says. “McDonald’s had every reason to know that Kytch was safe and didn’t have any issues. It was not dangerous, like they claimed. And so we’re suing them.”

Before it found itself in conflict with soft-serve superpowers, Kytch had shown some early success in solving McDonald’s ice cream headaches. Its internet-connected add-on gadget helped franchisees avoid problems like hours of downtime when Taylor’s finicky daily pasteurization cycle failed. McDonald’s restaurant owners interviewed by WIRED liked the device; one said it saved him “easily thousands of dollars a month” from lost revenue and repair fees. Kytch says that by the end of 2020 it had 500 customers and was doubling its sales every quarter—all of which evaporated when McDonald’s ordered its franchisees to ditch Kytch’s gadgets.

Kytch first fired back against the fast-food ice cream establishment last May, suing Taylor and its distributor TFG for theft of trade secrets. The Kytch founders argued in that lawsuit that Taylor worked with TFG and one franchise owner to stealthily obtain a Kytch device, reverse-engineer it, and attempt to copy its features.

But all along, Kytch’s cofounders have hinted that they intended to use the discovery process in their lawsuit against Taylor to dig up evidence for a suit against McDonald’s too. In fact, the 800 pages of internal Taylor emails and presentations that Kytch has so far obtained in discovery show that it was McDonald’s, not Taylor, that at many points led the effort to study and develop a response to Kytch in 2020.

[…]

Source: Ice Cream Machine Hackers Sue McDonald’s for $900 Million | WIRED

Ukraine state media leaks details of 120,000 Russian soldiers on website

Ukrainian news website Ukrainska Pravda says the nation’s Centre for Defence Strategies think tank has obtained the personal details of 120,000 Russian servicemen fighting in Ukraine. The publication has now shared this data freely on its website.

The Register and others have been unable to fully verify the accuracy of the data from the leak. The records include what appears to be names, addresses, passport numbers, unit names, and phone numbers. Some open source intelligence researchers on Twitter said they found positive matches, as did sources who spoke confidentially to El Reg; others said they couldn’t verify dip-sampled data.

[…]

Whether or not the database’s contents are real, the impact on Russian military morale – knowing that your country’s enemies have your personal details and can contact your family if you’re captured, killed, or even still alive – won’t be insignificant.

As Russia’s invasion of Ukraine progresses, or not, cyber-attacks orchestrated by or for the benefit of the Kremlin against Ukraine and the West appear limited, while on the ground, more than 2,000 civilians have been killed, according to Ukrainian officials.

Former UK National Cyber Security Centre (NCSC) chief Ciaran Martin noted in a blog post that even those skeptical of claims that Russia would wage cyber-Armageddon during the invasion will be surprised at the lack of activity. The online assaults against Ukraine of late represent Russia’s “long-standing campaign of cyber harassment of the country … rather than a serious escalation of it,” he wrote.

[…]

Source: 120,000 Russians soldier details leak – Ukraine media • The Register

And now you get into the combatant following orders kind of argument – do you really want to be the side attacking their spouses and children back home?

Hackers hacked by Nvidia Demand NVIDIA Open Source Their Drivers Or They Leak More Data

Hackers that infiltrated NVIDIA systems are now threatening to release more confidential information unless the company commits to open sourcing their drivers. It is unclear what the stolen data contains, but the group confirmed that there are 250GB of hardware related data in their possession. Furthermore, the group said it has evaluated NVIDIA’s position, which suggests that NVIDIA may be communicating with the group to prevent future leaks. The group has already published information on NVIDIA DLSS technology and upcoming architectures. Yesterday, Nvidia reportedly retaliated against the hacker group known as “Lapsus$” by sneaking back into the hackers’ system and encrypting the stolen data. The group claimed that it had a backup of the data, though.

Source: Hackers Demand NVIDIA Open Source Their Drivers Or They Leak More Data – Slashdot

These Two Mictic Bluetooth Bracelets Put an Entire Orchestra of Virtual Instruments in Your Hands (IOS only :'( )

[…]

The Mictic One is a pair of Bluetooth bracelets equipped with movement sensors. The bracelets connect to a mobile device (only iOS at the moment, but the Android version is under development). From the Mictic application, we can select different musical instruments and control the sound they produce by moving our hands and arms. Think of an Air Guitar on steroids and you’ll get an idea of how they work. This video helps too.

The fact is that to say that the Mictic One is an Air Guitar simulator is an understatement, because the application of this startup created in Zurich does much more than that. To begin with, the range of musical instruments that we can imitate is quite wide and ranges from the cello to percussion or a DJ’s mixing desk. Each instrument requires you to make different movements with your arms and hands that mimic (to some extent) the actual movements you would make with that instrument.

The app allows you to add (and control) background tracks, and even mix various instruments and record the results. In fact, up to four pairs of bracelets can be connected in case you want to form an augmented reality band. There are also a handful of actual songs, and the company is already making deals with different record labels to add many more. In fact the device is being sponsored by Moby.

[…]

Wearing the Mictic One is an experience that is as frustrating as it is exciting. It’s frustrating because getting something out that sounds good is harder than it looks. It is not enough to wave your arms like a crazed ape. You have to move with precision and smoothness. Luckily, each instrument has a video tutorial in which we can learn the basic movements. It’s exciting because when you learn to make them sound the feeling is extremely satisfying.

Soon we will be able to offer you an in-depth review of the device, but the first impression is that they are incredibly fun. The Mictic One (sold as a pair and with a double USB-C cable to charge them both at the same time) are already on sale from the company’s website at a price of 139 Swiss francs (about 135 euros). In the future, the company plans to extend the platform so that it can be used with other devices that do not have the necessary motion sensors, such as mobile phones or smart watches.

Source: These Two Bluetooth Bracelets Put an Entire Orchestra of Virtual Instruments in Your Hands

NSA report: This is how you should be securing your network

The National Security Agency (NSA) has released a new report that gives all organizations the most current advice on how to protect their IT network infrastructures from cyberattacks.

NSA’s report ‘Cybersecurity Technical Report (CTR): Network Infrastructure Security Guidance‘ is available freely for all network admins and CIOs to bolster their networks from state-sponsored and criminal cyberattacks.

The report covers network design, device passwords and password management, remote logging and administration, security updates, key exchange algorithms, and important protocols such as Network Time Protocol, SSH, HTTP, and Simple Network Management Protocol (SNMP).

SEE: Cybersecurity: Let’s get tactical (ZDNet special report)

The US Cybersecurity and Infrastructure Security Agency (CISA) is encouraging tech leaders to view the NSA document as part of its new push for all organizations in the US and elsewhere to raise defenses after the recent disk wiper malware targeting Ukrainian organizations.

The document, from NSA’s cybersecurity directorate, encourages the adoption of ‘zero trust’ networks. Zero trust assumes malicious insiders and threats existing inside and outside classical network boundaries.
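As an added illustration of the kind of settings the report covers (this is not code from the NSA document or from any vendor), here is a small auditor that scans a constructed IOS-style configuration for the things the guidance tells administrators to remove: reversible or weak password storage, unencrypted HTTP management, SSH protocol 1, SNMPv1/v2c community strings, telnet on management lines, and unauthenticated NTP. Both sample configs, the rule names and the exact command strings matched are assumptions chosen to match the report’s topics; adapt the matches for other vendors.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one deviation from the hardening baseline; Line is 0 for checks
// that concern the configuration as a whole rather than a single line.
type Finding struct {
	Line   int
	Rule   string
	Detail string
}

// auditConfig scans an IOS-style running-config line by line. Leading
// whitespace is stripped so sub-mode lines (e.g. under "line vty") are checked.
func auditConfig(cfg string) []Finding {
	var out []Finding
	sawSSHv2, sawNTPServer, sawNTPAuth := false, false, false
	for i, raw := range strings.Split(cfg, "\n") {
		line, ln := strings.TrimSpace(raw), i+1
		switch {
		case strings.HasPrefix(line, "enable password"):
			out = append(out, Finding{ln, "WEAK_ENABLE", "plaintext/type 7 enable password; use 'enable algorithm-type scrypt secret'"})
		case strings.HasPrefix(line, "enable secret 5 "):
			out = append(out, Finding{ln, "TYPE5_MD5", "type 5 (MD5) secret; prefer a type 8 or 9 hash"})
		case strings.Contains(line, " password 7 "):
			out = append(out, Finding{ln, "TYPE7", "type 7 encoding is reversible; store a type 8/9 secret instead"})
		case strings.HasPrefix(line, "ip http server"):
			out = append(out, Finding{ln, "HTTP_MGMT", "unencrypted HTTP management enabled; 'no ip http server'"})
		case strings.HasPrefix(line, "ip ssh version 1"):
			out = append(out, Finding{ln, "SSHV1", "SSH protocol 1 enabled; set 'ip ssh version 2'"})
		case strings.HasPrefix(line, "ip ssh version 2"):
			sawSSHv2 = true
		case strings.HasPrefix(line, "snmp-server community"):
			out = append(out, Finding{ln, "SNMPV2C", "SNMPv1/v2c community string; migrate to SNMPv3 authPriv"})
		case strings.HasPrefix(line, "ntp server"):
			sawNTPServer = true
		case strings.HasPrefix(line, "ntp authenticate"):
			sawNTPAuth = true
		case strings.HasPrefix(line, "transport input") && strings.Contains(line, "telnet"):
			out = append(out, Finding{ln, "TELNET", "telnet permitted on a management line; 'transport input ssh'"})
		}
	}
	if !sawSSHv2 {
		out = append(out, Finding{0, "SSHV2_MISSING", "'ip ssh version 2' not set; device may still negotiate SSHv1"})
	}
	if sawNTPServer && !sawNTPAuth {
		out = append(out, Finding{0, "NTP_NOAUTH", "NTP servers configured without 'ntp authenticate'; time source is spoofable"})
	}
	return out
}

// weakConfig is a constructed sample, not a real device's configuration.
const weakConfig = `hostname edge-rtr-01
enable password cisco123
username ops password 7 094F471A1A0A
ip http server
ip ssh version 1
snmp-server community public RO
ntp server 192.0.2.10
line vty 0 4
 transport input telnet ssh
`

// hardenedConfig is the same device with each finding corrected (also constructed).
const hardenedConfig = `hostname edge-rtr-01
enable algorithm-type scrypt secret REDACTED
username ops algorithm-type scrypt secret REDACTED
no ip http server
ip ssh version 2
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha REDACTED priv aes 128 REDACTED
ntp authenticate
ntp authentication-key 1 hmac-sha2-256 REDACTED
ntp trusted-key 1
ntp server 192.0.2.10 key 1
line vty 0 4
 transport input ssh
`

func main() {
	for _, f := range auditConfig(weakConfig) {
		fmt.Printf("line %d %-14s %s\n", f.Line, f.Rule, f.Detail)
	}
	fmt.Printf("hardened config findings: %d\n", len(auditConfig(hardenedConfig)))
}
```

The global checks (SSHv2 and NTP authentication) are the ones a grep misses: their absence, not a bad line, is the problem, so the auditor has to finish the scan before it can report them.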

[…]

Source: NSA report: This is how you should be securing your network | ZDNet

Opinion: Russia is now reaching endgame in Ukraine

Thesis: pretty soon Russia will stop their war. They have linked up the landmass to the Crimea, control access to the Black Sea and that was their goal all along. They don’t have enough soldiers to take over and administer the Ukraine. The police forces in the Ukraine will never align with a Russian puppet government. The threat to Kiev stalled because Putin was never interested in taking the whole of Ukraine. It’s a red herring which allows Putin to consolidate in the East. Once “peace” is worked out and they pull the 65km convoy back up to Russia and empty away from the west of the country, they will be left with that great swathe of land to the east and no-one will be able to remove them. In practical terms they will have annexed a huge land route to the Crimea as they did the Crimea. They will have displaced the Ukrainians that were living there and claim that the whole area is inhabited by their Russian brothers. They will “unite” the newly independent Donbas and Luhansk regions and the regions to the south and they will for all intents and purposes be Russian. NATO will never allow the Ukraine to join anyway and neither will the EU, despite pro-Ukrainian sentiment. So Ukraine remains a “buffer state”. Win for Russia.

BitConnect boss accused of $2.4bn fraud has disappeared

Satish Kumbhani, who is accused of scamming people out of $2.4bn in a cryptocurrency Ponzi scheme, has disappeared while evading an American watchdog, a court was told this week.

The BitConnect founder fled his home nation of India and went to ground in another country as the US Securities and Exchange Commission sought to serve a civil fraud lawsuit on him regarding the alleged scam, it is claimed.

“In October 2021, the commission learned that Kumbhani has likely relocated from India to an unknown address in a different foreign country,” Richard Primoff, general attorney at the SEC, said in a letter [PDF] to US federal district Judge John Koeltl on Monday.

[…]

In September, the regulator claimed BitConnect defrauded folks out of billions of dollars by running a Ponzi-like scheme that promised financial returns of up to 40 per cent per month all thanks to its automated crypto-trading bot.

Instead, people’s digital funds were allegedly secretly pocketed by Kumbhani and his associate Glenn Arcaro, who last year pleaded guilty to conspiring to cheat Bitconnect investors. Arcaro faces up to 20 years behind bars. Kumbhani, however, is still at large.

[…]

Source: BitConnect boss accused of $2.4bn fraud has disappeared • The Register

UK Online Safety Bill to require more data to use social media – eg send them your passport

The country’s forthcoming Online Safety Bill will require citizens to hand over even more personal data to largely foreign-headquartered social media platforms, government minister Nadine Dorries has declared.

“The vast majority of social networks used in the UK do not require people to share any personal details about themselves – they are able to identify themselves by a nickname, alias or other term not linked to a legal identity,” said Dorries, Secretary of State for Digital, Culture, Media and Sport (DCMS).

Another legal duty to be imposed on social media platforms will be a requirement to give users a “block” button, something that has been part of most of today’s platforms since their launch.

“When it comes to verifying identities,” said DCMS in a statement, “some platforms may choose to provide users with an option to verify their profile picture to ensure it is a true likeness. Or they could use two-factor authentication where a platform sends a prompt to a user’s mobile number for them to verify.”

“Alternatively,” continued the statement, “verification could include people using a government-issued ID such as a passport to create or update an account.”

Two-factor authentication is a login technology to prevent account hijacking by malicious people, not a method of verifying a user’s government-approved identity.

“People will now have more control over who can contact them and be able to stop the tidal wave of hate served up to them by rogue algorithms,” said Dorries.

Social networks offering services to Britons don’t currently require lots of personal data to register as a user. Most people see this as a benefit; the government seems to see it as a negative.

Today’s statement has led to widespread concerns that DCMS will place UK residents at greater risk of online identity theft or of falling victim to a data breach.

The Online Safety Bill was renamed from the Online Harms Bill shortly before its formal introduction to Parliament. Widely accepted as a disaster in the making by the technically literate, critics have said the bill risks creating an “algorithm-driven censorship future” through new regulations that would make it legally risky for platforms not to proactively censor users’ posts.

It is also closely linked to strong rhetoric discouraging end-to-end encryption rollouts for the sake of “minors”, and its requirements would mean that tech platforms attempting to comply would have to weaken security measures.

Parliamentary efforts at properly scrutinising the draft bill then led to the “scrutineers” instead publishing a manifesto asking for even stronger legal weapons to be included.

[…]

Source: Online Safety Bill to require more data to use social media

Samsung Screwed Up Encryption on 100M Phones

Samsung shipped an estimated 100 million smartphones with botched encryption, including models ranging from the 2017 Galaxy S8 on up to last year’s Galaxy S21.

Researchers at Tel Aviv University found what they called “severe” cryptographic design flaws that could have let attackers siphon the devices’ hardware-based cryptographic keys: keys that unlock the treasure trove of security-critical data that’s found in smartphones.

What’s more, attackers could even exploit Samsung’s cryptographic missteps – since addressed in multiple CVEs – to downgrade a device’s key handling to a weaker, vulnerable mode, leaving it open to IV (initialization vector) reuse attacks. The IV is the per-message randomizer that ensures that even if multiple messages with identical plaintext are encrypted under the same key, the resulting ciphertexts are distinct; reuse an IV with the same key and that guarantee, and the confidentiality that rests on it, collapses.

Untrustworthy Implementation of TrustZone

In a paper (PDF) entitled “Trust Dies in Darkness: Shedding Light on Samsung’s TrustZone Keymaster Design” – written by by Alon Shakevsky, Eyal Ronen and Avishai Wool – the academics explain that nowadays, smartphones control data that includes sensitive messages, images and files; cryptographic key management; FIDO2 web authentication; digital rights management (DRM) data; data for mobile payment services such as Samsung Pay; and enterprise identity management.

The authors are due to give a detailed presentation of the vulnerabilities at the upcoming USENIX Security, 2022 symposium in August.

The design flaws primarily affect devices that use ARM’s TrustZone technology: the hardware support provided by ARM-based Android smartphones (which are the majority) for a Trusted Execution Environment (TEE) to implement security-sensitive functions.

TrustZone splits a phone into two portions, known as the Normal world (for running regular tasks, such as the Android OS) and the Secure world, which handles the security subsystem and where all sensitive resources reside. The Secure world is only accessible to trusted applications used for security-sensitive functions, including encryption.

Cryptography Experts Wince

Matthew Green, associate professor of computer science at the Johns Hopkins Information Security Institute, explained on Twitter that Samsung incorporated “serious flaws” in the way its phones encrypt key material in TrustZone, calling it “embarrassingly bad.”

“They used a single key and allowed IV re-use,” Green said.

“So they could have derived a different key-wrapping key for each key they protect,” he continued. “But instead Samsung basically doesn’t. Then they allow the app-layer code to pick encryption IVs.” The design decision allows for “trivial decryption,” he said.
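A worked demonstration of the failure Green describes, added here as an illustration rather than taken from the paper or from Samsung’s Keymaster code. The wrapping key, the two key blobs and the caller-chosen IVs are constructed. The mode is AES-256-GCM (the key-wrapping mode the paper analyses), whose CTR-based encryption is what makes two blobs sealed under the same key and IV leak each other’s plaintext: an attacker who imports one key of their own and then sees another blob wrapped with the same IV recovers the second key with a XOR, never touching the hardware key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const gcmTagSize = 16

// wrapKey encrypts keyMaterial under the hardware wrapping key with AES-256-GCM.
// The design mistake modelled here is that the caller, not the TEE, chooses iv:
// GCM is only secure while the pair (wrappingKey, iv) never repeats.
func wrapKey(wrappingKey, iv, keyMaterial []byte) ([]byte, error) {
	block, err := aes.NewCipher(wrappingKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Output is ciphertext (same length as keyMaterial) followed by the 16-byte tag.
	return gcm.Seal(nil, iv, keyMaterial, nil), nil
}

// recoverFromReusedIV takes two blobs sealed under the same (key, iv) and the
// plaintext of the first. GCM encrypts with CTR, so both blobs were XORed with
// the same keystream: C1 ^ C2 = P1 ^ P2, and XORing in P1 yields P2 directly.
func recoverFromReusedIV(blob1, known1, blob2 []byte) []byte {
	n := len(known1)
	if m := len(blob2) - gcmTagSize; m < n {
		n = m
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = blob1[i] ^ known1[i] ^ blob2[i]
	}
	return out
}

// ivReuseAttack plays both roles: the attacker imports attackerKey (so its
// plaintext is known to them) under ivAttacker, the victim's key is wrapped
// under ivVictim, and the attacker tries to recover victimKey from the blobs.
func ivReuseAttack(wrappingKey, ivAttacker, ivVictim, attackerKey, victimKey []byte) ([]byte, error) {
	blobA, err := wrapKey(wrappingKey, ivAttacker, attackerKey)
	if err != nil {
		return nil, err
	}
	blobV, err := wrapKey(wrappingKey, ivVictim, victimKey)
	if err != nil {
		return nil, err
	}
	return recoverFromReusedIV(blobA, attackerKey, blobV), nil
}

func main() {
	wrappingKey := bytes.Repeat([]byte{0x42}, 32)         // stand-in for the device-unique key
	iv := []byte("same-iv-1234")                          // 12 bytes, chosen by the caller
	attackerKey := bytes.Repeat([]byte{0xAA}, 32)         // key the attacker imported
	victimKey := []byte("victim-secret-key-0123456789abcd") // constructed target
	got, _ := ivReuseAttack(wrappingKey, iv, iv, attackerKey, victimKey)
	fmt.Println("same IV, victim key recovered:", bytes.Equal(got, victimKey))
	got, _ = ivReuseAttack(wrappingKey, iv, []byte("fresh-iv-567"), attackerKey, victimKey)
	fmt.Println("fresh IV, victim key recovered:", bytes.Equal(got, victimKey))
}
```

The fix is the one Green points at: derive the IV (or a per-blob wrapping key) inside the TEE rather than accepting it from the app layer, so that no caller can force the repeat.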

[…]

Source: Samsung Screwed Up Encryption on 100M Phones | Threatpost

EU Data Watchdog Calls for Total Ban of Pegasus Spyware

Israeli authorities say it should be probed and U.S. authorities are calling for it to be sanctioned, but EU officials have a different idea for how to handle Pegasus spyware: just ban that shit entirely.

That’s the main takeaway from a new memo released on Tuesday by the EDPS, the Union’s dedicated data watchdog, noting that a full-on ban across the entire region is the only appropriate response to the “unprecedented risks” the tech poses—not only to people’s devices but “to democracy and the rule of law.”

“As the specific technical characteristics of spyware tools like Pegasus make control over their use very difficult, we have to rethink the entire existing system of safeguards established to protect our fundamental rights and freedoms,” the report reads. “Pegasus constitutes a paradigm shift in terms of access to private communications and devices. This fact makes its use incompatible with our democratic values.”

A “paradigm shift” is a good way to describe the tool, which has been used to target a mounting number of civic actors, activists, and political figures from around the globe, including some notable figures from inside the EU. This past summer, local outlets reported that French president Emmanuel Macron surfaced among the list of potential targets that foreign actors had planned to target with the software, and later reports revealed traces of the tech appearing on phones from Macron’s current staffers. Officials from other EU member states like Hungary and Spain have also reported the tech on their devices, and Poland became the latest member to join the list last month when a team of researchers found the spyware being used to surveil three outspoken critics of the Polish government.

[…]

Source: EU Data Watchdog Calls for Total Ban of Pegasus Spyware

100 Billion Face Photos? Clearview AI tells investors it’s On Track to Identify ‘Almost Everyone in the World’

The Washington Post reports: Clearview AI is telling investors it is on track to have 100 billion facial photos in its database within a year, enough to ensure “almost everyone in the world will be identifiable,” according to a financial presentation from December obtained by The Washington Post.

Those images — equivalent to 14 photos for each of the 7 billion people on Earth — would help power a surveillance system that has been used for arrests and criminal investigations by thousands of law enforcement and government agencies around the world. And the company wants to expand beyond scanning faces for the police, saying in the presentation that it could monitor “gig economy” workers and is researching a number of new technologies that could identify someone based on how they walk, detect their location from a photo or scan their fingerprints from afar.

The 55-page “pitch deck,” the contents of which have not been reported previously, reveals surprising details about how the company, whose work already is controversial, is positioning itself for a major expansion, funded in large part by government contracts and the taxpayers the system would be used to monitor. The document was made for fundraising purposes, and it is unclear how realistic its goals might be. The company said that its “index of faces” has grown from 3 billion images to more than 10 billion since early 2020 and that its data collection system now ingests 1.5 billion images a month.

With $50 million from investors, the company said, it could bulk up its data collection powers to 100 billion photos, build new products, expand its international sales team and pay more toward lobbying government policymakers to “develop favorable regulation.”
The article notes that major tech companies like Amazon, Google, IBM and Microsoft have all limited or ended their own sales of facial recognition technology — adding that Clearview’s presentation simply describes this as a major business opportunity for itself.

In addition, the Post reports Clearview’s presentation brags “that its product is even more comprehensive than systems in use in China, because its ‘facial database’ is connected to ‘public source metadata’ and ‘social linkage’ information.”

Source: 100 Billion Face Photos? Clearview AI tells investors it’s On Track to Identify ‘Almost Everyone in the World’ – Slashdot

It’s Back: Senators Want ‘EARN IT’ Bill To Scan All Online Messages by private companies – also misusing children as an excuse

A group of lawmakers have re-introduced the EARN IT Act, an incredibly unpopular bill from 2020 that “would pave the way for a massive new surveillance system, run by private companies, that would roll back some of the most important privacy and security features in technology used by people around the globe,” writes Joe Mullin via the Electronic Frontier Foundation. “It’s a framework for private actors to scan every message sent online and report violations to law enforcement. And it might not stop there. The EARN IT Act could ensure that anything hosted online — backups, websites, cloud photos, and more — is scanned.” From the report: The bill empowers every U.S. state or territory to create sweeping new Internet regulations, by stripping away the critical legal protections for websites and apps that currently prevent such a free-for-all — specifically, Section 230. The states will be allowed to pass whatever type of law they want to hold private companies liable, as long as they somehow relate their new rules to online child abuse. The goal is to get states to pass laws that will punish companies when they deploy end-to-end encryption, or offer other encrypted services. This includes messaging services like WhatsApp, Signal, and iMessage, as well as web hosts like Amazon Web Services. […]

Separately, the bill creates a 19-person federal commission, dominated by law enforcement agencies, which will lay out voluntary “best practices” for attacking the problem of online child abuse. Regardless of whether state legislatures take their lead from that commission, or from the bill’s sponsors themselves, we know where the road will end. Online service providers, even the smallest ones, will be compelled to scan user content, with government-approved software like PhotoDNA. If EARN IT supporters succeed in getting large platforms like Cloudflare and Amazon Web Services to scan, they might not even need to compel smaller websites — the government will already have access to the user data, through the platform. […] Senators supporting the EARN IT Act say they need new tools to prosecute cases over child sexual abuse material, or CSAM. But the methods proposed by EARN IT take aim at the security and privacy of everything hosted on the Internet.

The Senators supporting the bill have said that their mass surveillance plans are somehow magically compatible with end-to-end encryption. That’s completely false, no matter whether it’s called “client side scanning” or another misleading new phrase. The EARN IT Act doesn’t target Big Tech. It targets every individual internet user, treating us all as potential criminals who deserve to have every single message, photograph, and document scanned and checked against a government database. Since direct government surveillance would be blatantly unconstitutional and provoke public outrage, EARN IT uses tech companies — from the largest ones to the very smallest ones — as its tools. The strategy is to get private companies to do the dirty work of mass surveillance.

Source: It’s Back: Senators Want ‘EARN IT’ Bill To Scan All Online Messages – Slashdot

Revealed: UK Gov’t Plans Publicity Blitz to Undermine Chat Privacy, encryption. Of course they use children. And Fear.

The UK government is set to launch a multi-pronged publicity attack on end-to-end encryption, Rolling Stone has learned. One key objective: mobilizing public opinion against Facebook’s decision to encrypt its Messenger app.

The Home Office has hired the M&C Saatchi advertising agency — a spin-off of Saatchi and Saatchi, which made the “Labour Isn’t Working” election posters, among the most famous in UK political history — to plan the campaign, using public funds.

According to documents reviewed by Rolling Stone, one of the activities considered as part of the publicity offensive is a striking stunt — placing an adult and child (both actors) in a glass box, with the adult looking “knowingly” at the child as the glass fades to black. Multiple sources confirmed the campaign was due to start this month, with privacy groups already planning a counter-campaign.

[…]

Successive Home Secretaries of different political parties have taken strong anti-encryption stances, claiming the technology — which is essential for online privacy and security — will diminish the effectiveness of UK bulk surveillance capabilities, make fighting organized crime more difficult, and hamper the ability to stop terror attacks. The American FBI has made similar arguments in recent years — claims which have been widely debunked by technologists and civil libertarians on both sides of the Atlantic.

The new campaign, however, is entirely focused on the argument that improved encryption would hamper efforts to tackle child exploitation online.

[…]

One key slide notes that “most of the public have never heard” of end-to-end encryption – adding that this means “people can be easily swayed” on the issue. The same slide notes that the campaign “must not start a privacy vs safety debate.”

Online advocates slammed the UK government plans as “scaremongering” that could put children and vulnerable adults at risk by undermining online privacy.

[…]

In response to a Freedom of Information request about an “upcoming ad campaign directed at Facebook’s end-to-end encryption proposal,” the Home Office disclosed that, “Under current plans, c.£534,000 is allocated for this campaign.”

[…]

Source: Revealed: UK Gov’t Plans Publicity Blitz to Undermine Chat Privacy – Rolling Stone

PwC’s HSE hack post-incident report should be a textbook for leaders

Ireland’s Health Services Executive has published a fresh summary of the devastating ransomware attack that hit the country’s healthcare sector in the summer of 2021 — on the back of a detailed public post-incident report by consultancy PwC. The HSE is Ireland’s largest public sector employer, with 130,000+ staff manning 70,000+ IT devices across 4,000 locations. More than 80% of the HSE’s extensive IT estate was affected by the Conti ransomware attack, which saw 31 of its 54 acute hospitals cancel services ranging from surgery to radiotherapy.

The report notes that:

  • The HSE did not have a Chief Information Security Officer (CISO) or a “single responsible owner for cybersecurity at either senior executive or management level to provide leadership and direction.”
  • It had no documented cyber incident response runbooks or IT recovery plans (apart from documented AD recovery plans) for recovering from a wide-scale ransomware event.
  • Under-resourced Information Security Managers were not performing their business-as-usual role (including a NIST-based cybersecurity review of systems) but were working on evaluating security controls for the COVID-19 vaccination system. Antivirus software triggered numerous alerts after detecting Cobalt Strike activity but these were not escalated. (The antivirus server was later encrypted in the attack.)
  • There was no security monitoring capability that was able to effectively detect, investigate and respond to security alerts across HSE’s IT environment or the wider National Healthcare Network (NHN).
  • There was a lack of effective patching (updates, bug fixes etc.) across the IT estate and reliance was placed on a single antivirus product that was not monitored or effectively maintained with updates across the estate. (The initial workstation attacked had not had antivirus signatures updated for over a year.)
  • Over 30,000 machines were running Windows 7 (out of support since January 2020).
  • The initial breach came after an HSE staff member interacted with a malicious Microsoft Office Excel file attached to a phishing email; numerous subsequent alerts were not effectively investigated.
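The findings above are the kind of gaps a routine inventory audit should surface long before an incident. The following is an added example, not code from the PwC report or the HSE: it runs over a constructed asset inventory and flags hosts on an out-of-support operating system, hosts whose antivirus signatures are stale, and high-severity alerts nobody escalated. The inventory records, field names and the seven-day signature-age threshold are constructed assumptions; the Windows 7 end-of-support date is the one the findings cite.

```python
"""Endpoint hygiene audit over a constructed asset inventory (added example)."""
from datetime import date

# Windows 7 left extended support in January 2020, as the findings above state.
EOL_DATES = {"Windows 7": date(2020, 1, 14)}
MAX_SIGNATURE_AGE_DAYS = 7  # assumed policy threshold, not from the report

# Constructed inventory records (hypothetical hostnames): OS, date of the last
# antivirus signature update, and alerts raised on the host as
# (alert name, severity, escalated?) tuples.
INVENTORY = [
    {"host": "ws-0001", "os": "Windows 7", "av_signatures": date(2020, 4, 1),
     "alerts": [("Cobalt Strike beacon", "high", False)]},
    {"host": "ws-0002", "os": "Windows 10", "av_signatures": date(2021, 5, 10),
     "alerts": []},
    {"host": "srv-av", "os": "Windows Server 2016", "av_signatures": date(2021, 5, 12),
     "alerts": [("Cobalt Strike beacon", "high", False), ("PUA detected", "low", True)]},
]


def audit_host(rec, today):
    """Return a list of (finding_code, detail) pairs for one inventory record."""
    findings = []
    eol = EOL_DATES.get(rec["os"])
    if eol is not None and today >= eol:
        findings.append(("os_out_of_support", f"{rec['os']} unsupported since {eol.isoformat()}"))
    age_days = (today - rec["av_signatures"]).days
    if age_days > MAX_SIGNATURE_AGE_DAYS:
        findings.append(("av_signatures_stale", f"{age_days} days old"))
    for name, severity, escalated in rec["alerts"]:
        if severity == "high" and not escalated:
            findings.append(("unescalated_high_alert", name))
    return findings


def audit(inventory, today):
    """Audit every host; the result maps hostname to its list of findings."""
    return {rec["host"]: audit_host(rec, today) for rec in inventory}


def summarize(report):
    """Count affected hosts per finding code, the view a security owner needs."""
    counts = {}
    for findings in report.values():
        for code in {code for code, _ in findings}:
            counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    report = audit(INVENTORY, date(2021, 5, 13))
    for host, findings in report.items():
        for code, detail in findings:
            print(f"{host}: {code}: {detail}")
    print(summarize(report))
```

The audit date is passed in rather than read from the clock so that the same inventory snapshot always yields the same report, which is what you want when the output feeds a risk register or a board-level summary.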

PwC’s crisp list of recommendations in the wake of the incident — as well as detail on the business impact of the HSE ransomware attack — may prove highly useful guidance on best practice for IT professionals looking to set up a security programme and get it funded. (PwC’s full 157-page HSE post-incident report is here.)


HSE post-incident report recommendations

HSE’s IT environment had high-risk gaps relating to 25 out of 28 critical cybersecurity controls. Credit: PwC

Among its recommendations: That the HSE “should establish clear responsibilities for IT and cybersecurity across all parties that connect to the NHN, or share health data, or access shared health services. This formalisation of responsibilities should include specification of Service Level Agreements (SLAs) for centrally-provided services, including availability requirements. The HSE should define a code of connection that defines the minimum acceptable level of security controls necessary to connect into the NHN, to be agreed by all parties connected to the NHN, including requirements for central reporting of cybersecurity alerts and incidents. The HSE should establish a programme to monitor and enforce ongoing compliance with this code of conduct. Compliance with the code of connection should become part of the onboarding process of any connecting organisation.”

The report is in keeping with similar post-incident reports across most major recent cybersecurity incidents, including the ransomware attack on the Colonial Pipeline in the US in 2021 — with that company also having an absence of cybersecurity leadership and a basic lack of security hygiene contributing to the incident’s impact.

Source: PwC’s HSE hack post-incident report should be a textbook for leaders

Is Microsoft Stealing People’s Bookmarks, passwords, ID / passport numbers without consent?

I received email from two people who told me that Microsoft Edge enabled synching without warning or consent, which means that Microsoft sucked up all of their bookmarks. Of course they can turn synching off, but it’s too late.

Has this happened to anyone else, or was this user error of some sort? If this is real, can some reporter write about it?

(Not that “user error” is a good justification. Any system where making a simple mistake means that you’ve forever lost your privacy isn’t a good one. We see this same situation with sharing contact lists with apps on smartphones. Apps will repeatedly ask, and only need you to accidentally click “okay” once.)

EDITED TO ADD: It’s actually worse than I thought. Edge urges users to store passwords, ID numbers, and even passport numbers, all of which get uploaded to Microsoft by default when synch is enabled.

Source: Is Microsoft Stealing People’s Bookmarks? – Schneier on Security

Penguin Random House Demands Removal Of Maus From Digital Library Because The Book Is Popular Again after ban in the US

We’ve said it over and over again, if libraries did not exist today, there is no way publishers would allow them to come into existence. We know this, in part, because of their attempts to stop libraries from lending ebooks, and to price ebooks at ridiculous markups to discourage libraries, and their outright claims that libraries are unfair competition. And we won’t even touch on their lawsuit over digital libraries.

Anyway, in other book news, you may have heard recently about how a Tennessee school board banned Art Spiegelman’s classic graphic novel about the Holocaust, Maus, from being taught in an eighth-grade English class.

[…]

Maus is now back atop various best seller lists, as the controversy has driven sales. Spiegelman is giving fun interviews again where he says things like “well, who’s the snowflake now?” And we see op-eds about how the best way to get kids not to read books… is to assign it in English class.

But, also, we have publishers getting into the banning business themselves… by trying to capitalize on the sudden new interest in Maus.

Penguin Random House doesn’t want this new interest in Maus to lead to… people taking it out of the library rather than buying a copy. They’re now abusing copyright law to demand the book be removed from the Internet Archive’s lending library, and they flat out admit that they’re doing so for their own bottom line:

A few days ago, Penguin Random House, the publisher of Maus, Art Spiegelman’s Pulitzer Prize-winning graphic novel about the Holocaust, demanded that the Internet Archive remove the book from our lending library. Why? Because, in their words, “consumer interest in ‘Maus’ has soared” as the result of a Tennessee school board’s decision to ban teaching the book. By its own admission, to maximize profits, a Goliath of the publishing industry is forbidding our non-profit library from lending a banned book to our patrons: a real live digital book-burning.

This is just blatant greed laid bare. As the article notes, whatever problems US copyright law has, it has enshrined the concept of libraries, and the right to lend out books as a key element of the public interest. And the publishers — such as giants like Penguin Random House — would do anything possible to stamp that right out.

Source: Penguin Random House Demands Removal Of Maus From Digital Library Because The Book Is Popular Again | Techdirt

Yet Another Israeli Malware Manufacturer Found Selling To Human Rights Abusers, Targeting iPhones

[…]

Candiru — another Israeli firm with a long list of questionable customers, including Uzbekistan, Saudi Arabia, United Arab Emirates, and Singapore.

Now there’s another name to add to the list of NSO-alikes. And (perhaps not oddly enough) this company also calls Israel home. Reuters was the first to report on this NSO competitor’s ability to stay competitive in the international malware race.

A flaw in Apple’s software exploited by Israeli surveillance firm NSO Group to break into iPhones in 2021 was simultaneously abused by a competing company, according to five people familiar with the matter.

QuaDream, the sources said, is a smaller and lower profile Israeli firm that also develops smartphone hacking tools intended for government clients.

Like NSO, QuaDream sold a “zero-click” exploit that could completely compromise a target’s phones. We’re using the past tense not because QuaDream no longer exists, but because this particular exploit (the basis for NSO’s FORCEDENTRY) has been patched into uselessness by Apple.

But, like other NSO competitors (looking at you, Candiru), QuaDream has no interest in providing statements, a friendly public face for inquiries from journalists, or even a public-facing website. Its Tel Aviv office seemingly has no occupants and email inquiries made by Reuters have gone ignored.

QuaDream doesn’t have much of a web presence. But that’s changing, due to this report, which builds on earlier reporting on the company by Haaretz and Middle East Eye. But even the earlier reporting doesn’t go back all that far: June 2021. That report shows the company selling a hacking tool called “Reign” to the Saudi government. But that sale wasn’t accomplished directly, apparently in a move designed to further distance QuaDream from both the product being sold and the government it sold it to.

[…]

Reign is apparently the equivalent of NSO’s Pegasus, another powerful zero-click exploit that appears to still be able to hack most iPhone models. But it’s not a true equivalent. According to this report, the tool can be rendered useless by a single system software update and, perhaps more importantly, cannot be remotely terminated by the entity deploying it, should the infection be discovered by the target. This means targeted users have the opportunity to learn a great deal about the exploit, its deployment, and possibly where it originated.

[…]

Source: Yet Another Israeli Malware Manufacturer Found Selling To Human Rights Abusers, Targeting iPhones | Techdirt

Indian govt aligned gang plants incriminating evidence on PCs in a very unsophisticated way

For the past decade, unidentified miscreants have been planting incriminating evidence on the devices of human-rights advocates, lawyers, and academics in India seemingly to get them arrested.

That’s according to SentinelOne, which has named the crew ModifiedElephant and described the group’s techniques and targets since 2012 in a report published on Wednesday.

“The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of ‘evidence’ – files that incriminate the target in specific crimes – prior to conveniently coordinated arrests,” said Tom Hegel, threat researcher at SentinelOne, in a blog post.

Hegel said the group has operated for years without attracting the attention of the cybersecurity community because of its limited scope of operations, its regionally-specific targeting, and its relatively unsophisticated tools.

ModifiedElephant prefers phishing with malicious Microsoft Office attachments to attack targets, and infect them with Windows malware.

In 2013, its messages relied on executable file attachments with deceptive double extensions in the file name (eg filename.pdf.exe). After 2015, the group used .doc, .pps, .docx, .rar, and password protected .rar files. In 2019, its attack vector involved links to hosted malicious files, and the group is also said to have employed large .rar archives to avoid detection.
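The lure patterns listed above (document-looking names ending in an executable extension, password-protected RAR files, oversized archives) are all visible to a mail gateway before any payload runs. The following is an added example, not SentinelOne’s code or anything from the report: a small attachment triage routine run over constructed sample attachments. The extension lists, the size cap, the `Attachment` record and the sample filenames are assumptions; the RAR magic bytes are the archive format’s real signature.

```python
"""Mail-attachment triage for double extensions and risky archives (added example)."""
from dataclasses import dataclass, field

# Assumed lists: extensions that execute on Windows, and extensions a user
# expects to open as a harmless document or image.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "pps", "ppt", "pptx", "txt", "jpg", "png"}
ARCHIVE_EXTS = {"rar", "zip", "7z"}
LARGE_ARCHIVE_BYTES = 50 * 1024 * 1024  # assumed cap above which a scanner skips content
RAR_MAGIC = b"Rar!\x1a\x07"              # shared prefix of the RAR4 and RAR5 signatures


@dataclass
class Attachment:
    """One attachment as the gateway sees it (constructed record layout)."""
    filename: str
    size_bytes: int
    head: bytes = b""                 # first bytes of the content
    password_protected: bool = False  # reported by the gateway's archive inspector (assumed)


def extension(name):
    return name.lower().rsplit(".", 1)[-1].strip() if "." in name else ""


def has_double_extension(name):
    """True for names like 'report.pdf.exe' or 'scan.jpg   .scr' (padding stripped)."""
    parts = [p.strip() for p in name.lower().rsplit(".", 2)]
    return len(parts) == 3 and parts[1] in DOCUMENT_EXTS and parts[2] in EXECUTABLE_EXTS


def triage(att):
    """Return the list of reasons to hold this attachment; empty means deliver."""
    reasons = []
    ext = extension(att.filename)
    if has_double_extension(att.filename):
        reasons.append("double_extension")
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable_attachment")
    is_rar = att.head.startswith(RAR_MAGIC) or ext == "rar"
    if is_rar and att.password_protected:
        reasons.append("password_protected_rar")
    if (ext in ARCHIVE_EXTS or is_rar) and att.size_bytes > LARGE_ARCHIVE_BYTES:
        reasons.append("oversized_archive")
    return reasons


def triage_batch(attachments):
    """Map each filename to its verdict and reasons."""
    out = {}
    for att in attachments:
        reasons = triage(att)
        out[att.filename] = ("quarantine" if reasons else "deliver", reasons)
    return out


# Constructed sample attachments (not real lures from the report).
SAMPLES = [
    Attachment("Court_Summons.pdf.exe", 420_000, head=b"MZ\x90\x00"),
    Attachment("evidence.rar", 3_000_000, head=RAR_MAGIC + b"\x00", password_protected=True),
    Attachment("photos.rar", 120 * 1024 * 1024, head=RAR_MAGIC + b"\x01\x00"),
    Attachment("agenda.docx", 80_000, head=b"PK\x03\x04"),
]

if __name__ == "__main__":
    for name, (verdict, reasons) in triage_batch(SAMPLES).items():
        print(f"{name}: {verdict} {reasons}")
```

Filename and header checks catch the executable and archive lures; the Office documents the group also used need content inspection (macro and OLE analysis) that a name-based filter cannot provide, so this belongs in front of, not instead of, a content scanner.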

The gang was also observed throwing Android malware at victims.

“There’s something to be said about how mundane the mechanisms of this operation are,” said Juan Andrés Guerrero-Saade, threat researcher at SentinelOne and adjunct professor at Johns Hopkins SAIS, via Twitter. “The malware is either custom garbage or commodity garbage. There’s nothing technically impressive about this threat actor, instead we marvel at their audacity.”

[…]

SentinelOne does not explicitly state that ModifiedElephant acts on behalf of the Indian government but notes how the group’s activities are consistent with the government’s interests.

“We observe that ModifiedElephant activity aligns sharply with Indian state interests and that there is an observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases,” wrote Hegel.

According to the report, ModifiedElephant’s web infrastructure overlaps with Operation Hangover, a surveillance effort dating back to 2013 against targets of interest to Indian national security. The security firm also said that Wilson had been targeted by a second threat group, known as SideWinder [PDF], which has attacked government, military, and private sector organizations across Asia.

Hegel observes that SentinelOne last year reported on a threat actor operating in and around Turkey, dubbed EGoManiac, that planted incriminating evidence on the devices of journalists to support arrests made by the Turkish National Police.

Source: ModifiedElephant gang plants incriminating evidence on PCs • The Register

Solar Storm Destroys 40 New SpaceX Starlink Satellites

On Feb. 3, SpaceX launched 49 small satellites into low earth orbit as a part of its Starlink program, an advanced satellite internet service that, as with many other products and services pioneered by American billionaire Elon Musk, is at least a little controversial. The satellites were carried into the atmosphere without a problem and were deployed into their intended orbit, however, once they were orbiting, there was an anomaly in the earth’s atmosphere that caused the loss of all but nine of the quarter-ton satellites.

In a press release, SpaceX claims that a “geomagnetic storm” is the culprit. According to the company, this storm warmed and increased the density of the atmosphere at the 210-kilometer height the satellites were deployed at, increasing the drag on the orbiting hardware to an unsustainable degree. Measures were taken in an attempt to remedy this increase in drag, but these were mostly unsuccessful. Of the 49 satellites launched, 40 have allegedly either already fallen out of orbit or are in the process of doing so.

[…]

SpaceX insists that they will not end up as space junk or indeed even impact the ground. It says that the lost hardware poses “zero collision risk with other satellites,” and that by design they will “demise upon atmospheric reentry.” So far, there have been no reported instances of Starlink units causing any damage to life or infrastructure on the ground. However, with plans to eventually launch over ten thousand of the small satellites into low earth orbit, the risk of a collision with an object in space will increase.

[…]


Source: Solar Storm Destroys 40 New SpaceX Starlink Satellites | The Drive

Automakers Can’t Give Up The Idea Of Turning Everyday Features Into Subscription Services With Fees

At the same time car companies are fighting the right to repair movement (and the state and federal legislation popping up everywhere), they’re continuing the quest to turn everyday features — like heated seats — into something users have to pay a recurring fee for.

In 2019, BMW had to abandon a plan to charge $80 per year for Apple CarPlay. The company, having learned nothing, began floating the idea of charging a subscription for features back in 2020, when it proposed making heated seats and heated steering wheels something you pay a permanent monthly fee for. Last December, Toyota proposed imposing a monthly fee for customers who wanted to be able to remotely start their vehicles.

Each and every time these proposals come forward the consumer response is swift and overwhelmingly negative. But with $20 billion in annual additional potential revenue on the table between now and 2030, the industry seems poised to ignore consumers:

“Still, automakers see dollar signs. Stellantis (formerly Fiat Chrysler), Ford, and GM each aim to generate at least $20 billion in annual revenue from software services by 2030. Over-the-air capabilities open up huge opportunities for carmakers to introduce new subscription or pay-per use features over time, Wakefield, of AlixPartners, said. Someday, you may be able to fork over extra to make your car more efficient, sportier, or — in an electric vehicle — unlock extra range for road trips.”

Keep in mind these are decisions being made during a pandemic when most households continue to struggle.

This sort of nickel-and-diming works well in the telecom sector where captive subscribers often can’t switch to a different competitor. But in the auto space, companies risk opening the door to competitors gaining inroads by… not being nickel-and-diming assholes. Many companies may also be overestimating their own product quality; one JD Power survey found that 58% of people who use an automaker’s smartphone app wouldn’t be willing to pay for it. At the same time, as with gaming microtransactions, if enough people are willing to pay to make it worth it, it may not matter what the majority of car consumers think.

Source: Automakers Can’t Give Up The Idea Of Turning Everyday Features Into Subscription Services With Fees | Techdirt

Saturn’s high-altitude winds generate extraordinary aurorae, tell us more about what they are

Leicester space scientists have discovered a never-before-seen mechanism fuelling huge planetary aurorae at Saturn.

Saturn is unique among planets observed to date in that some of its aurorae are generated by swirling winds within its own atmosphere, and not just from the planet’s surrounding magnetosphere.

At all other observed planets, including Earth, aurorae are only formed by powerful currents that flow into the planet’s atmosphere from the surrounding magnetosphere. These are driven by either interaction with charged particles from the Sun (as at the Earth) or volcanic material erupted from a moon orbiting the planet (as at Jupiter and Saturn).

This discovery changes scientists’ understanding of planetary aurorae and answers one of the first mysteries raised by NASA’s Cassini probe, which reached Saturn in 2004: why can’t we easily measure the length of a day on the Ringed Planet?

When it first arrived at Saturn, Cassini tried to measure the bulk rotation rate of the planet, which determines the length of its day, by tracking ‘pulses’ from Saturn’s atmosphere. To the great surprise of those making the measurements, they found that the rate appeared to have changed over the two decades since the last spacecraft to have flown past the planet—Voyager 2, also operated by NASA—in 1981.

Leicester Ph.D. researcher Nahid Chowdhury is a member of the Planetary Science Group within the School of Physics and Astronomy and corresponding author for the study, published in Geophysical Research Letters. He said:

“Saturn’s internal rotation rate has to be constant, but for decades researchers have shown that numerous periodic properties related to the planet—the very measurements we’ve used at other planets to understand the internal rotation rate, such as the radio emission—tend to change with time. What’s more, there are also independent periodic features seen in the northern and southern hemispheres which themselves vary over the course of a season on the planet.

“Our understanding of the physics of planetary interiors tells us the true rotation rate of the planet can’t change this quickly, so something unique and strange must be happening at Saturn. Several theories have been touted since the advent of the NASA Cassini mission trying to explain the mechanism/s behind these observed periodicities. This study represents the first detection of the fundamental driver, situated in the upper atmosphere of the planet, which goes on to generate both the observed planetary periodicities and aurorae.

Simplified figure showing the direction of winds within layers of Saturn’s atmosphere. Credit: Nahid Chowdhury/University of Leicester

“It’s absolutely thrilling to be able to provide an answer to one of the longest standing questions in our field. This is likely to initiate some rethinking about how local atmospheric weather effects on a planet impact the creation of aurorae, not just in our own Solar System but farther afield too.”

[…]

They measured infrared emissions from the gas giant’s upper atmosphere using the Keck Observatory in Hawai’i and mapped the varying flows of Saturn’s ionosphere, far below the magnetosphere, over the course of a month in 2017.

This map, when fixed against the known pulse of Saturn’s radio aurorae, showed that a significant proportion of the planet’s aurorae are generated by the swirling pattern of weather in its atmosphere and are responsible for the planet’s observed variable rate of rotation.

Researchers believe the system is driven by energy from Saturn’s thermosphere, with winds in the ionosphere observed between 0.3 and 3.0 kilometres per second.

[…]

Recently, many researchers have focused on the possibility that it is Saturn’s upper atmosphere that causes this variability.

“This search for a new type of aurora harks back to some of the earliest theories about Earth’s aurora. We now know that aurorae on Earth are powered by interactions with the stream of charged particles driven from the Sun. But I love that the name Aurora Borealis originates from the ‘the Dawn of the Northern Wind’. These observations have revealed that Saturn has a true Aurora Borealis—the first ever aurora driven by the winds in the atmosphere of a planet.”

Dr. Kevin Baines, a JPL-Caltech-based co-author of the study and a member of the Cassini Science Team, added:

“Our study, by conclusively determining the origin of the mysterious variability in radio pulses, eliminates much of the confusion into Saturn’s bulk rotation rate and the length of the day on Saturn.”

Because of the variable rotation rates observed at Saturn, scientists have been prevented from using the regular pulse of radio emission to calculate the bulk internal rotation rate. Fortunately, a novel method was developed by Cassini scientists using gravity-induced perturbations in Saturn’s complex ring system, which now seems to be the most accurate means of measuring the planet’s bulk rotational period, which was determined in 2019 to be 10 hours, 33 minutes and 38 seconds.

[…]


Source: Saturn’s high-altitude winds generate an extraordinary aurorae, study finds

Bitcoin a lifeline for sex workers, like ex-nurse making $1.3 million – banks and other payment providers refuse to process them

[…]

Knox describes herself as “one of the most outspoken sex workers, particularly for crypto.” Her interest kicked off in 2014, which is when she says several vendors, including PayPal, Square Cash, and Venmo, shut down her accounts because of red flags related to sex work.

So Knox started accepting cryptocurrencies instead. Her first exchange of bitcoin for content was pretty casual.

It started on a Skype call with a client. “I had a Coinbase account at the time, and he said, ‘Hold your QR code right to this camera here,’ and he sent it through the camera. And I got it,” she explained.

It took 15 minutes, and there were no chargebacks, no website commission fees, and no bank intermediaries to turn down the transaction – all major pluses in her industry. But the biggest attraction was having total and irreversible ownership over the money she had earned.

[…]

“The majority of sex work in the U.S. is legal. It’s not dealt with fairly, but it’s still legal,” explained Kristen DiAngelo, an activist and Sacramento-based sex worker who has spent over four decades in the industry. “Stripping is legal…massage is legal…escorting is legal. The only thing that’s really illegal in the U.S. is the honest exchange of sexual activity for remuneration, for money.”

Some escorts – who charge anywhere from $1,700 an hour to $11,000 for a full 24 hours – now explicitly say in their ads that they prefer to be paid in bitcoin or ethereum.

[…]

Allie Rae is a 37-year-old mother of three boys who says she went from making about $84,000 a year as an ICU nurse in Boston to $1.3 million, thanks to her work on OnlyFans, which has more than 130 million users.

[…]

DiAngelo tells CNBC she will never forget the first time her bank account was closed without warning.

It happened when she was on a trip to Washington, D.C. over a decade ago.

“I had just gone into the bank, made a deposit, and I went to buy lunch in Dupont Circle,” said DiAngelo. “I gave him my card, and it was declined. I gave him my card, and it was declined again. And I gave my card again, and it was declined again. And I was like, ‘No, no, no, no, that can’t be right. There’s something wrong.’”

DiAngelo called Citibank and learned that her account had been frozen and she should tear up her credit card. DiAngelo says the customer service rep told her that they weren’t “at liberty” to tell her why it had happened, and she would have to write a formal letter to request additional details.

They did, however, say that she was still responsible for any money owed.

[…]

So DiAngelo did what other sex workers do: She “platform hopped,” meaning that she brought her money to another bank. When they also flagged and closed her account, she moved on to the next. After being shut out of a third bank, DiAngelo says she turned exclusively to bitcoin for her online banking needs.

Nearly every sex worker interviewed for this story mentioned platform hopping. The government has a set of anti-trafficking guidelines drawn up by the Financial Crimes Enforcement Network, or FinCEN, and the banks and big payment apps keep an eye out for activity deemed suspicious by those guidelines. Those red flags include making cash deposits frequently – a hallmark of the sex work profession.

[…]

In 2014, for example, PayPal booted her because of a payment for her used socks that was large enough to get red-flagged. Knox says neither she nor the buyer were refunded. (PayPal tells CNBC that her account was “closed due to policy violations.”)

Later, in 2016, Coinbase closed her account and blocked her from making others. (Coinbase acknowledged to CNBC that its terms of service prohibit the use of its “commerce or retail services connected to adult content.”)

“We’re the ones being punished – not the traffickers, not those that are actually abusing workers,” said Alana Evans, who has been an adult performer since the late ’90s. Evans is currently president of the Adult Performance Artists Guild, or APAG, a federally recognized union within the adult industry that represents all workers, from adult film set actors to content creators.

“They’ve attacked our banking; our ability to operate like the rest of the world,” explained DiAngelo. “You don’t exist if you can’t use the banking system.”

[…]

One hazard of the trade is chargebacks, in which a transaction is reversed when a consumer claims they have been fraudulently charged for a good or service they did not receive. It is a tool designed to protect consumers, but many sex workers say it is a tool that is abused in their industry by clients who dispute a transaction for a product or service they have already received.

Take OnlyFans. There are some customers who will dispute a transaction once they’ve already received custom video clips, or photos. OnlyFans’ official policy on its website says the creator, not the company, foots the bill for a chargeback. (OnlyFans did not respond to requests for comment.)

Many models have taken to forums like Reddit to share their experiences, in which they say these alleged scammers will sometimes put in for a chargeback six months after receiving pictures or videos.

Transactions in cryptocurrencies are final, rendering chargebacks impossible.

[…]

UK-based escort agency VIP Passion started to accept bitcoin in 2013. Two years later, Backpage made a similar move into bitcoin, litecoin, and dogecoin after Visa and Mastercard refused to process payments for its “adult” section.

Visa said at the time that the company’s rules prohibited the network from “being used for illegal activity” and that Visa had a “long history of working with law enforcement to safeguard the integrity of the payment system.” Mastercard issued a similar statement, saying that the card company has rules prohibiting its cards from “being used for illegal or brand-damaging activities.”

[…]

Stabile warns there are still barriers to mass crypto adoption among sex workers.

For one, there’s a steep learning curve for both workers and customers. Sex workers have written and circulated guides online on how to use crypto, but a sizable knowledge gap remains.

It is also difficult to get some customers to spend their bitcoin on adult content.

“They generally use it as a store of value,” says Stabile. “It’s a speculative currency.”

Knox says often clients choose not to pay her in crypto.

“That’s the hurdle that we’re at right now. We can take it all day long, but until people start using it and start paying us with it, it’s not going to really take off for adoption,” said Knox.

Sex workers who do accept crypto also have to contend with volatile prices, which can cut into their earnings. For instance, bitcoin is down more than 40% from its November all-time high.

[…]

DiAngelo says that in the early days of crypto, she would use bitcoin ATMs at liquor stores and gas stations to deposit cash to buy bitcoin. These machines charge commissions above and beyond the cost of the transaction.

Another major problem relates to the rules that govern cryptocurrency exchanges. Many platforms like Coinbase require know-your-customer, or KYC compliance. In practice, that means having to connect an ID and bank account to the platform – a non-starter for many working in the industry.

Because of this, some workers later find they can’t cash out the crypto they have earned for products or services rendered.

[…]

“For people like me making millions of dollars, a thirty day notice from OnlyFans would be the end of us. Crypto really feels like it’s kinda it, otherwise we’re going to be controlled forever and who knows the kind of content they’re going to continue to ban. They can turn you off tomorrow.”

Source: Bitcoin a lifeline for sex workers, like ex-nurse making $1.3 million