UK online used goods bazaar Gumtree exposed its users’ home addresses in the source code of its webpages, and then tried to squirm out of a bug bounty after infosec bods alerted it to the flaw.
British company Pen Test Partners (PTP) spotted the data leakage, which meant anyone could view a Gumtree user’s name and location (either postcode or GPS coordinates) by pressing F12 in their web browser.
In both Firefox and Chrome, F12 opens the “view page source” developer tools screen, showing the code that generates the webpage you see. This meant that anyone could view the precise location of any of the site’s 1.7 million monthly sellers.
PTP claimed it encountered a brick wall of indifference in its first attempts to alert Gumtree to the data breach.
The bug bounty policy specified €500-€5,000, PTP added, and “after the issue was fixed, [it was] informed that no reward was payable because – ‘This is a Responsible Disclosure report, meaning that receiving a reward is a bonus in itself.'”
In a blog post about the kerfuffle, a PTP rsearcher said: “After I queried which of their rules I’d broken on responsible disclosure, they changed their mind and paid the minimum.”
[…]If deciphering every version of HDMI wasn’t already tedious enough, we now know that the latest and greatest HDMI 2.1 standard, well, isn’t very standardized. A TFTCentral investigation revealed that the TV or monitor you purchase with “HDMI 2.1″ might not support any of the latest features.
TFTCentral smelled something fishy when it saw that a Xiaomi monitor with HDMI 2.1 support only reached the specifications for HDMI 2.0. Instead of 4K resolution, the panel was limited to 1080p. And the thing is, Xiaomi technically didn’t do anything wrong. It all comes down to semantics and some murky (and consumer-hostile) guidelines set by the HDMI Licensing Administrator.
[…]
in short, HDMI 2.0 is a subset of HDMI 2.1, meaning its specifications are housed within the newer standard. The standards organization even said it would no longer certify for HDMI 2.0, telling TFTCentral that HDMI 2.0 “no longer exists” and that the features and capabilities of HDMI 2.1 are optional. As long as a monitor supports one of the newer standards, it can be called HDMI 2.1.
As you’d expect, HDMI 2.1 consists of many standards, so TV and monitor makers could theoretically grab the lowest hanging fruit, add it to their (formerly) HDMI 2.0 ports, and slap an HDMI 2.1 label on the box.
The HDMI standards body even confirmed to The Verge that what Xiaomi is doing is perfectly within the rules and that we all depend on manufacturers to be honest about their products. The problem is that they rarely are.
[…]
HDMI 2.1 has made headlines in recent months because of the capabilities it enables on next-gen consoles and gaming PCs—specifically, the ability to run 4K games at 120Hz.
IBM and Samsung claim they’ve made a breakthrough in semiconductor design. On day one of the IEDM conference in San Francisco, the two companies unveiled a new design for stacking transistors vertically on a chip. With current processors and SoCs, transistors lie flat on the surface of the silicon, and then electric current flows from side-to-side. By contrast, Vertical Transport Field Effect Transistors (VTFET) sit perpendicular to one another and current flows vertically.
[…]
the design leads to less wasted energy thanks to greater current flow. They estimate VTFET will lead to processors that are either twice as fast or use 85 percent less power than chips designed with FinFET transistors.
If the Pentagon is going to rely on algorithms and artificial intelligence, it’s got to solve the problem of “brittle AI.” A top Air Force official recently illustrated just how far there is to go.
In a recent test, an experimental target recognition program performed well when all of the conditions were perfect, but a subtle tweak sent its performance into a dramatic nosedive,
Maj. Gen. Daniel Simpson, assistant deputy chief of staff for intelligence, surveillance, and reconnaissance, said on Monday.
Initially, the AI was fed data from a sensor that looked for a single surface-to-surface missile at an oblique angle, Simpson said. Then it was fed data from another sensor that looked for multiple missiles at a near-vertical angle.
“What a surprise: the algorithm did not perform well. It actually was accurate maybe about 25 percent of the time,” he said.
That’s an example of what’s sometimes called brittle AI, which “occurs when any algorithm cannot generalize or adapt to conditions outside a narrow set of assumptions,” according to a 2020 report by researcher and former Navy aviator Missy Cummings. When the data used to train the algorithm consists of too much of one type of image or sensor data from a unique vantage point, and not enough from other vantages, distances, or conditions, you get brittleness, Cummings said.
[…]
But Simpson said the low accuracy rate of the algorithm wasn’t the most worrying part of the exercise. While the algorithm was only right 25 percent of the time, he said, “It was confident that it was right 90 percent of the time, so it was confidently wrong. And that’s not the algorithm’s fault. It’s because we fed it the wrong training data.”
That was fast: Netflix has canceled its ambitious, widely hyped and, ultimately, widely disappointing anime adaptation Cowboy Bebop, The Hollywood Reporter has learned.
The move comes less than three weeks after the show’s Nov. 19 debut on the streaming service.
The space Western had a rough reception. The 10-episode series garnered only a 46 percent positive critics rating on review aggregator Rotten Tomatoes. Fans seemed to agree, giving the show a 56 percent positive audience score on the site. According to Netflix’s Top 10 site, the series has racked up almost 74 million viewing hours worldwide since its debut — so it got plenty of sampling out of the gate — but it plummeted 59 percent for the week of Nov. 29 to Dec. 5.
Insiders pointed out that Netflix’s renewal rate for scripted series that have two or more seasons stands at 60 percent, in line with industry averages, and, like all Netflix renewal verdicts, the decision was made by balancing the show’s viewership and cost. The streamer also prides itself on taking big swings on projects like Cowboy Bebop and has many other genre shows on the air and in the works.
What a shame – there seems to have been some fashion in bashing this show, especially from people who were 12 when they watched the original and endowed it with some completely non-existing properties. I liked the original and thought this one was brilliant too. This is why we can’t have nice things.
Heads up, future space travelers: No more commercial astronaut wings will be awarded from the Federal Aviation Administration after this year.
The FAA said Friday it’s clipping its astronaut wings because too many people are now launching into space and it’s getting out of the astronaut designation business entirely.
The news comes one day ahead of Blue Origin’s planned liftoff from West Texas with former NFL player and TV celebrity Michael Strahan. He and his five fellow passengers will still be eligible for wings since the FAA isn’t ending its long-standing program until Jan. 1.
NASA’s astronauts also have nothing to worry about going forward—they’ll still get their pins from the space agency.
All 15 people who rocketed into space for the first time this year on private U.S. flights will be awarded their wings, according to the FAA. That includes Blue Origin founder Jeff Bezos and Virgin Galactic’s Richard Branson, as well as the other space newbies who accompanied them on their brief up-and-down trips. The companies handed out their own version of astronaut wings after the flights.
All four passengers on SpaceX’s first private flight to orbit last September also qualified for FAA wings.
Adding Blue Origin’s next crew of six will bring the list to 30. The FAA’ s first commercial wings recipient was in 2004.
Earlier this year, the FAA tightened up its qualifications, specifying that awardees must be trained crew members, versus paying customers along for the ride. But with the program ending, the decision was made to be all-inclusive, a spokesman said.
Future space tourists will get their names put on a FAA commercial spaceflight list. To qualify, they must soar at least 50 miles (80 kilometers) on an FAA-sanctioned launch.
The European Commission has announced that it’s adopting new rules around open source software which will see it release software under open source licenses. The decision follows a Commission study that found investment in open source software leads on average to four times higher returns. There has also been a push for this type of action from the Public Money, Public Code campaign.
If you’re wondering what sort of code the EC could offer to the world, it gave two examples. First, there’s its eSignature, a set of free standards, tools, and services that can speed up the creation and verification of electronic signatures that are legally valid inside the EU. Another example is LEOS (Legislation Editing Open Software) which is used to draft legal texts.
Wikileaks founder Julian Assange can be extradited from the UK to the US, the High Court has ruled.
The US won its appeal against a January UK court ruling that he could not be extradited due to concerns over his mental health.
Judges were reassured by US promises to reduce the risk of suicide. His fiancee said they intended to appeal.
Mr Assange is wanted in the US over the publication of thousands of classified documents in 2010 and 2011.
Senior judges found the lower judge had based her decision in January on the risk of Mr Assange being held in highly restrictive prison conditions if extradited.
However, the US authorities later gave assurances that he would not face those strictest measures unless he committed an act in the future that merited them.
Giving the judgement, Lord Chief Justice Lord Burnett said: “That risk is in our judgement excluded by the assurances which are offered.
“It follows that we are satisfied that, if the assurances had been before the judge, she would have answered the relevant question differently.”
Mr Assange’s fiancee Stella Moris called the ruling “dangerous and misguided”, adding that the US assurances were “inherently unreliable”.
[…]
Wikileaks editor-in-chief Kristinn Hrafnsson said in a statement: “Julian’s life is once more under grave threat, and so is the right of journalists to publish material that governments and corporations find inconvenient.
“This is about the right of a free press to publish without being threatened by a bullying superpower.”
Amnesty International described the ruling as a “travesty of justice” and the US assurances as “deeply flawed”.
Nils Muiznieks, the human rights organisation’s Europe director, said it “poses a grave threat to press freedom both in the Unites States and abroad”.
Judges ordered the case must return to Westminster Magistrates’ Court for a district judge to send it formally to Home Secretary Priti Patel.
Mr Assange’s legal team – Birnberg Peirce Solicitors – said any appeal to the Supreme Court would relate to the question of assurances, rather than on issues such as free speech or “the political motivation of the US extradition request”.
Ventoy is an open source tool to create bootable USB drive for ISO/WIM/IMG/VHD(x)/EFI files.
With ventoy, you don’t need to format the disk over and over, you just need to copy the ISO/WIM/IMG/VHD(x)/EFI files to the USB drive and boot them directly.
You can copy many files at a time and ventoy will give you a boot menu to select them (screenshot).
x86 Legacy BIOS, IA32 UEFI, x86_64 UEFI, ARM64 UEFI and MIPS64EL UEFI are supported in the same way.
Most type of OS supported (Windows/WinPE/Linux/ChromeOS/Unix/VMware/Xen…)
770+ image files are tested (list), 90%+ distros in distrowatch.com supported (details),
Jeff Bezos’ rocket company, Blue Origin, became the subject of a federal review this fall after a group of 21 current and former employees co-signed an essay that raised serious questions about the safety of the company’s rockets — including the rocket making headlines for flying Bezos and other celebrities to space.
But that review was hamstrung by a lack of legal protections for whistleblowers in the commercial spaceflight industry, according to emails from Federal Aviation Administration investigators that were obtained by CNN Business.
The FAA also confirmed in a statement Friday that its Blue Origin review is now closed, saying the “FAA investigated the safety allegations made against Blue Origin’s human spaceflight program” and “found no specific safety issues.”
The emails obtained by CNN Business, however, reveal that investigators were not able to speak with any of the engineers who signed the letter anonymously. Investigators also were not able to go to Blue Origin and ask for documents or interviews with current employees or management, according to the FAA.
The situation highlights how commercial spaceflight companies like Blue Origin are operating in a regulatory bubble, insulated from much of the scrutiny other industries are put under. There are no federal whistleblower statues that would protect employees in the commercial space industry if they aid FAA investigators, according to the agency.
A few hours ago, a 0-day exploit in the popular Java logging library log4j2 was discovered that results in Remote Code Execution (RCE) by logging a certain string.
Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. We’re calling it “Log4Shell” for short.
The 0-day was tweeted along with a POC posted on GitHub. Since this vulnerability is still very new, there isn’t a CVE to track it yet. This has been published as CVE-2021-44228.
This post provides resources to help you understand the vulnerability and how to mitigate it for yourself.
Many, many services are vulnerable to this exploit. Cloud services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable.
Anybody using Apache Struts is likely vulnerable. We’ve seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach.
Many Open Source projects like the Minecraft server, Paper, have already begun patching their usage of log4j2.
Updates (3 hours after posting): According to this blog post (see translation), JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector. In these versions com.sun.jndi.ldap.object.trustURLCodebase is set to false meaning JNDI cannot load remote code using LDAP.
However, there are other attack vectors targeting this vulnerability which can result in RCE. An attacker could still leverage existing code on the server to execute a payload. An attack targeting the class org.apache.naming.factory.BeanFactory, present on Apache Tomcat servers, is discussed in this blog post.
In the first part of this series of posts where we explore possible subjects that may trigger your “Aha! I know about this and can talk about this!” reflex, medical technology was suggested as an avenue of interest. In this second part, we would like to tickle your memories from not so very long ago but quite far far away and suggest space as a topic for your consideration.
There has been an incredible acceleration of technology and accessibility in this space. With the introduction of CubeSats, space became much more accessible and a few years ago the first fully open-source CubeSat was launched. Companies such as Astra, Rocket Labs and SpaceX have entered the space race, elbowing out the traditional nationally funded efforts. A car was fired into space. Mars was landed on – twice – with the first aircraft on another planet flying around. The moon was rear-ended by the Chinese. 2021 was the year where we launched billionaires into space willy-nilly with even Captain Kirk having a go. NASA got all childish and changed the definition of an astronaut so that some billionaires were one and some weren’t suddenly. Satellite mesh networks are cluttering the skies so ground astronomers can’t see out any more. Nations are firing missiles at satellites, contributing significantly to the space junk problem. Satellites are jamming each other and trying to take each other over. The ISS is leaking and suddenly firing thrusters when it isn’t avoiding aforesaid trash. SpinLaunch is using a giant snail-like centrifuge that launches stuff into space from Earth. Neumann Space is trying to build a gas station for satellites in space. Steve Wozniak wants to become a space janitor and clean up all that mess. China has its own space station.
With all this action also comes condemnation. Should we be spending all that money on space when there are so many problems here on Earth? Reflection: What kind of legal structures and governance do we try to impose on foreign planets, the moon, the space above us, and how do we enforce this? But also what does cheap and plentiful access to space mean on a societal level, looking forward? Technically, what efforts have we thrown into tracking and communicating with these satellites? What should we do with old satellites? How can we as a community access space, and what do we want to do there?
We are looking forward to hearing from you – a workshop, lecture, anything you feel you can contribute is welcome!
Italy’s antitrust authority (AGCM) has fined Amazon €1.13 billion ($1.28 billion) for “abuse of dominant position,” the second penalty it has imposed on Amazon over the last month. Amazon holds a position of “absolute dominance” in the Italian brokerage services market, “which has allowed it to promote its own logistics service, called Fulfillment by Amazon (FBA),” the authority wrote in a (Google translated) press release.
According to the AGCM, companies must use Amazon’s FBA service if they want access to key benefits like the Prime label, which in turn allows them to participate in Black Friday sales and other key events. “Amazon has thus prevented third-party sellers from associating the Prime label with offers not managed with FBA,” it said.
The authority said access to those functions are “crucial” for seller success. It also noted that third-party sellers using FBA are not subject to the same stringent performance requirements as non-FBA sellers. As such, they’re less likely to be suspended from the platform if they fail to meet certain goals. Finally, it noted that sellers using Amazon’s logistics services are discouraged from offering their products on other online platforms, at least to the same extent they do on Amazon.
[…] Consumer Reports, which recently published a 48-page white paper on VPNs that looks into the privacy and security policies of 16 prominent VPN providers. Researchers initially looked into some 51 different companies but ultimately honed in on the most prominent, high-quality providers. The results are decidedly mixed, with the report highlighting a lot of the long offered criticisms of the industry—namely, it’s lack of transparency, its PR bullshit, and its not always stellar security practices. On the flip side, a small coterie of VPNs actually seem pretty good.
[…]
. Consumers may often believe that by using a VPN they are able to become completely invisible online, as companies promise stuff like “unrivaled internet anonymity,” and the ability to “keep your browsing private and protect yourself from hackers and online tracking,” and so on and so forth.
In reality, there are still a whole variety of ways that companies and advertisers can track you across the internet—even if your IP address is hidden behind a virtual veil.
[…]
via a tool developed by a group of University of Michigan researchers, dubbed the “VPNalyzer” test suite, which was able to look at various security issues with VPN connections. The research team found that “malicious and deceptive behaviors by VPN providers such as traffic interception and manipulation are not widespread but are not nonexistent. In total, the VPNalyzer team filed more than 29 responsible disclosures, 19 of which were for VPNs also studied in this report, and is awaiting responses regarding its findings.”
The CR’s own analysis found “little evidence” of VPNs “manipulating users’ networking traffic when testing for evidence of TLS interception,” though they did occasionally run into examples of data leakage.
And, as should hopefully go without saying, any VPN with the word “free” near it should be avoided at all costs, lest you accidentally download some sort of Trojan onto your device and casually commit digital hari-kari.
[…]
According to CR’s review, four VPN providers rose to the top of the list in terms of their privacy and security practices. They were:
A research team at City University of Hong Kong (CityU) has discovered a new type of sound wave: The airborne sound wave vibrates transversely and carries both spin and orbital angular momentum like light does. The findings shattered scientists’ previous beliefs about the sound wave, opening an avenue to the development of novel applications in acoustic communications, acoustic sensing and imaging.
The research was initiated and co-led by Dr. Shubo Wang, Assistant Professor in the Department of Physics at CityU, and conducted in collaboration with scientists from Hong Kong Baptist University (HKBU) and the Hong Kong University of Science and Technology (HKUST). It was published in Nature Communications, titled “Spin-orbit interactions of transverse sound.”
Beyond the conventional understanding of sound wave
The physics textbooks tell us there are two kinds of waves. In transverse waves like light, the vibrations are perpendicular to the direction of wave propagation. In longitudinal waves like sound, the vibrations are parallel to the direction of wave propagation. But the latest discovery by scientists from CityU changes this understanding of sound waves.
“While the airborne sound is a longitudinal wave in usual cases, we demonstrated for the first time that it can be a transverse wave under certain conditions. And we investigated its spin-orbit interactions (an important property only exists in transverse waves), i.e. the coupling between two types of angular momentum. The finding provides new degrees of freedom for sound manipulations.”
The absence of shear force in the air, or fluids, is the reason why sound is a longitudinal wave, Dr. Wang explained. He had been exploring whether it is possible to realize transverse sound, which requires shear force. Then he conceived the idea that synthetic shear force may arise if the air is discretized into “meta-atoms,” i.e., volumetric air confined in small resonators with size much smaller than the wavelength. The collective motion of these air “meta-atoms” can give rise to a transverse sound on the macroscopic scale.
Negative refraction induced by the spin-orbit interaction in momentum space. Credit: S. Wang et al. DOI: 10.1038/s41467-021-26375-9
Conception and realization of ‘micropolar metamaterial’
He ingeniously designed a type of artificial material called “micropolar metamaterial” to implement this idea, which appears like a complex network of resonators. Air is confined inside these mutually connected resonators, forming the “meta-atoms.” The metamaterial is hard enough so that only the air inside can vibrate and support sound propagation. The theoretical calculations showed that the collective motion of these air “meta-atoms” indeed produces the shear force, which gives rise to the transverse sound with spin-orbit interactions inside this metamaterial. This theory was verified by experiments conducted by Dr. Ma Guancong’s group in HKBU.
Moreover, the research team discovered that air behaves like an elastic material inside the micropolar metamaterial and thus supports transverse sound with both spin and orbital angular momentum. Using this metamaterial, they demonstrated two types of spin-orbit interactions of sound for the first time. One is the momentum-space spin-orbit interaction, which gives rise to negative refraction of the transverse sound, meaning that sound bends in the opposite directions when passing through an interface. Another one is the real-space spin-orbit interaction, which generates sound vortices under the excitation of the transverse sound.
Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.
A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.
In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.
“(The) sheriff believes (the calls) will help him fend off pending liability via civil action from inmates and activists,” Sexton said. Verus transcribes phone calls and finds certain keywords discussing issues like COVID-19 outbreaks or other complaints about jail conditions.
Prisoners, however, said the tool was used to catch crime. In one case, it allegedly found one inmate illegally collecting unemployment benefits. But privacy advocates aren’t impressed. “The ability to surveil and listen at scale in this rapid way – it is incredibly scary and chilling,” said Julie Mao, deputy director at Just Futures Law, an immigration legal group.
Spotify took down the work of hundreds of comedians, including big names like John Mulaney, Jim Gaffigan, and Kevin Hart, the Wall Street Journal reported on Saturday. Mulaney, Gaffigan, Hart, and other comedians are represented by Spoken Giants, a global rights company that’s leading the fight to get radio and digital platforms, such as Spotify, SiriusXM, Pandora, and YouTube, to pay comedians royalty payments on the copyright for their written work.
According to the outlet, the streaming giant been in negotiations with Spoken Giants but couldn’t reach an agreement. On Thanksgiving, Spotify informed Spoken Giants that would pull all work by comedians represented by the organization until they could come to an understanding.
[…]
“In music, songwriter royalties are a very basic revenue stream, so this is not an unfamiliar concept and our work is based on established precedents and clear copyright language,” King said. “With this take-down, individual comedians are now being penalized for collectively requesting the same compensation songwriters receive.”
The US Federal Bureau of Investigation (FBI) says 49 organisations, including some in government, were hit by Cuba ransomware as of early November this year.
The attacks were spread across five “critical infrastructure”, which, besides government, included the financial, healthcare, manufacturing, and – as you’d expect – IT sectors. The Feds said late last week the threat actors are demanding $76m in ransoms and have already received at least $43.9m in payments.
The ransomware gang’s loader of choice, Hancitor, was the culprit, distributed via phishing emails, or via exploit of Microsoft Exchange vulnerabilities, compromised credentials, or Remote Desktop Protocol (RDP) tools. Hancitor – also known as Chanitor or Tordal – enables a CobaltStrike beacon as a service on the victim’s network using a legitimate Windows service like PowerShell.
The co-founder of a company that has been trusted by technology giants including Google and Twitter to deliver sensitive passwords to millions of their customers also operated a service that ultimately helped governments secretly surveil and track mobile phones, Bloomberg reported Monday, citing former employees and clients. From the report: Since it started in 2013, Mitto AG has established itself as a provider of automated text messages for such things as sales promotions, appointment reminders and security codes needed to log in to online accounts, telling customers that text messages are more likely to be read and engaged with than emails as part of their marketing efforts. Mitto, a closely held company with headquarters in Zug, Switzerland, has grown its business by establishing relationships with telecom operators in more than 100 countries. It has brokered deals that gave it the ability to deliver text messages to billions of phones in most corners of the world, including countries that are otherwise difficult for Western companies to penetrate, such as Iran and Afghanistan. Mitto has attracted major technology giants as customers, including Google, Twitter, WhatsApp, Microsoft’s LinkedIn and messaging app Telegram, in addition to China’s TikTok, Tencent and Alibaba, according to Mitto documents and former employees.
But a Bloomberg News investigation, carried out in collaboration with the London-based Bureau of Investigative Journalism, indicates that the company’s co-founder and chief operating officer, Ilja Gorelik, was also providing another service: selling access to Mitto’s networks to secretly locate people via their mobile phones. That Mitto’s networks were also being used for surveillance work wasn’t shared with the company’s technology clients or the mobile operators Mitto works with to spread its text messages and other communications, according to four former Mitto employees. The existence of the alternate service was known only to a small number of people within the company, these people said. Gorelik sold the service to surveillance-technology companies which in turn contracted with government agencies, according to the employees.
Cryptocurrency exchange BitMart has coughed to a large-scale security breach relating to ETH and BSC hot wallets. The company reckons that hackers made off with approximately $150m in assets.
Security and analytics outfit PeckShield put the figure at closer to $200m.
“We have identified a large-scale security breach related to one of our ETH hot wallets and one of our BSC hot wallets today. At this moment we are still concluding the possible methods used. Hackers were able to withdraw assets of the value of approximately 150 million USD,” BitMart said.
“The affected ETH hot wallet and BSC hot wallet carry a small percentage of assets on BitMart and all of our other wallets are secure and unharmed. We are now conducting a thorough security review and we will post updates as we progress,” it added.
Worryingly for customers, BitMart has blocked withdrawals until it has completed a “thorough security review” or, in the common metaphor, shut the stable door after the horse has bolted.
The Securities and Exchange Commission has launched an investigation into whether Tesla failed to tell investors and customers about the fire risks of its faulty solar panels.
Whistleblower and ex-employee, Steven Henkes, accused the company of flouting safety issues in a complaint with the SEC in 2019. He filed a freedom of information request to regulators and asked to see records relating to the case in September, earlier this year. An SEC official declined to hand over documents, and confirmed its probe into the company is still in progress.
[…]
Tesla started selling and installing solar panels after it acquired SolarCity for $2.6bn in 2016. But its goal of becoming a renewable energy company hasn’t been smooth. Several fires have erupted from Tesla’s solar panels installed on the roofs of Walmart stores, Amazon warehouses, and people’s homes.
In fact, Walmart sued the company in 2019 after seven of its supermarkets in the US caught fire. The lawsuit accused Tesla of “utter incompetence or callousness, or both.” Walmart later dropped its claims, and settled the matter privately.
Before Walmart’s lawsuit, however, Steven Henkes, who was employed as a field quality manager by Tesla after the acquisition, said he attempted to raise concerns about fire risks with managers. He claimed in a lawsuit [PDF] filed last year in November that he was wrongfully terminated after he was fired in August, last year. Henkes claimed his concerns about defects in the company’s solar panels and electrical connectors were repeatedly ignored, and after he filed initial whistleblower complaints with the SEC and the US Consumer Protection Safety Commission (CPSC).
Over 60,000 people as well as over 500 commercial consumers could have been potentially affected by fire risks from Tesla’s faulty solar panels, the lawsuit said. Tesla started replacing and reimbursing defective components in 2019, Business Insider reported. The CPSC has also been investigating the company, too. Tesla did not respond to The Register’s questions.
Mandiant continues to track multiple clusters of suspected Russian intrusion activity that have targeted business and government entities around the globe. Based on our assessment of these activities, we have identified two distinct clusters of activity, UNC3004 and UNC2652. We associate both groups with UNC2452 also referred to as Nobelium by Microsoft.
Some of the tactics Mandiant has recently observed include:
Compromise of multiple technology solutions, services, and reseller companies since 2020.
Use of credentials likely obtained from an info-stealer malware campaign by a third-party actor to gain initial access to organizations.
Use of accounts with Application Impersonation privileges to harvest sensitive mail data since Q1 2021.
Use of both residential IP proxy services and newly provisioned geo located infrastructure to communicate with compromised victims.
Use of novel TTPs to bypass security restrictions within environments including, but not limited to the extraction of virtual machines to determine internal routing configurations.
Use of a new bespoke downloader we call CEELOADER.
Abuse of multi-factor authentication leveraging “push” notifications on smartphones
In most instances, post compromise activity included theft of data relevant to Russian interests. In some instances, the data theft appears to be obtained primarily to create new routes to access other victim environments. The threat actors continue to innovate and identify new techniques and tradecraft to maintain persistent access to victim environments, hinder detection, and confuse attribution efforts.
The sections below highlight intrusion activity from multiple incident response efforts that are currently tracked as multiple uncategorized clusters. Mandiant suspects the multiple clusters to be attributable to a common Russian threat. The information below covers some of the Tactics, Techniques, and Procedures (TTPs) used by the threat actors for initial compromise, establishing a foothold, data collection, and lateral movement; how the threat actors provision infrastructure; and indicators of compromise. The information is being shared to raise awareness and allow organizations to better defend themselves.
Life360, a popular tracking app that bills itself as “the world’s leading family safety service,” is purportedly selling location data on the 31 million families and kids that use it to data brokers. The chilling revelation may make users of the Tile Bluetooth tracker, which is being bought by Life360, think twice before continuing to use the device.
Life360’s data selling practices were revealed in a damning report published by the Markup on Monday. The report claims that Life360 sells location data on its users to roughly a dozen data brokers, some of which have sold data to U.S. government contractors. The data brokers then proceed to sell the location data to “virtually anyone who wants to buy it.” Life360 is purportedly one of the largest sources of data for the industry, the outlet found.
While selling location data on families and kids is already alarming, what’s even more frightening is that Life360 is purportedly failing to take steps to protect the privacy of the data it sells. This could potentially allow the location data, which the company says is anonymized, to be linked back to the people it belongs to.
Amazon Web Services (AWS), the engine that powers many of the internet’s most-trafficked websites and apps, appears to be experiencing a widespread outage that is bringing down several popular services.
Amazon, Disney+, and Venmo are all being affected by the outage, and are showing error messages when users attempt to visit their websites. Amazon appears to be aware of the issue and admitted to seeing “Increased Error Rates” in the AWS Management Console. We reached out to Amazon, and the company pointed us to its AWS Service Health Dashboard. An update posted at 8:26 a.m. PT reads:
“We are experiencing API and console issues in the US-EAST-1 Region. We have identified root cause and we are actively working towards recovery. This issue is affecting the global console landing page, which is also hosted in US-EAST-1.
Amazon further revealed the issue to be caused by an “impairment of several network devices.” In a 2:47 p.m. PT update, the company claims to have “mitigated the underlying issue” that caused network devices to be faulty. Server health is improving, according to Amazon, which is now conducting a service-by-service recovery. The company disabled Event Deliveries for Amazon EventBridge in US-EAST-1 as it works for a full recovery for all affected AWS customers. There is still no timeline on when your favorite sites will be fully operational again.
