The Linkielist

Linking ideas with the world

About Robin Edgar

Major crypto scammer sentenced to 15 years in prison

The mastermind behind what the government says is one of the largest cryptocurrency Ponzi schemes prosecuted in the US has been sentenced to 15 years in prison. While crypto scams have been getting increasingly common, Swedish citizen Roger Nils-Jonas Karlsson defrauded thousands of victims and stole tens of millions of dollars over a period that lasted almost a decade. He pleaded guilty to securities and wire fraud, as well as money laundering charges on March 4th.

According to the Department of Justice, Karlsson ran his fraudulent investment scheme from 2011 until he was arrested in Thailand in 2019. He targeted financially insecure individuals, such as seniors, persuading them to use cryptocurrency to purchase shares in a business he called “Eastern Metal Securities.” Based on information from court documents, he promised victims huge payouts tied to the price of gold, but the money they handed over wasn’t invested at all. It was moved to Karlsson’s personal bank accounts instead and used to purchase expensive homes and even resorts in Thailand.

To keep his scheme running for almost a decade, he’d rebrand and would show victims account statements in an effort to convince them that their funds were secure. Karlsson would then give them various excuses for payout delays and even falsely claimed to be working with the Securities and Exchange Commission. During the sentencing, US District Judge Charles R. Breyer ordered his Thai resorts and accounts to be forfeited. He was also ordered to pay his victims $16,263,820 in restitution.

Acting US Attorney Stephanie Hinds of the Northern District of California said:

“The investigation into Roger Karlsson’s fraud uncovered a frighteningly callous scheme that lasted more than a decade during which Karlsson targeted thousands of victims, including financially vulnerable seniors, to callously rob them of their assets and all to fuel an extravagant lifestyle surrounded by luxury condominiums and lavish international vacations. The court’s decision to order a 180-month prison term reflects the fact that Karlsson’s cryptocurrency Ponzi scheme is one of the largest to be sentenced to date and ensures that Karlsson now will have plenty of time to think about the harm he has caused to his victims.”

Source: Major crypto scammer sentenced to 15 years in prison | Engadget

Report shines light on REvil’s depressingly simple tactics: Phishing, credential-stuffing RDP servers… the usual

Palo Alto Networks’ global threat intelligence team, Unit 42, has detailed the tactics ransomware group REvil has employed to great impact so far this year – along with an estimation of the multimillion-dollar payouts it’s receiving.

[…]

The group, which provides what security wonks have come to term “Ransomware as a Service” or RAAS, has been fingered in some high-profile attacks: Travelex, an entertainment-focused law firm with an A-lister client base; Apple supplier Quanta Computer; a major meat producer; a nuclear weapons contractor; and fashion giant French Connection UK – among many others.

Most recently, the group gained access to an estimated 1,500 companies through the Kaseya VSA platform. While the company denied a supply-chain attack, it disabled its SaaS platform as a security measure – and, as of this morning, was struggling to recover.

[…]

“For these services, REvil takes a percentage of the negotiated ransom price as their fee. Affiliates of REvil often use two approaches to persuade victims into paying up: they encrypt data so that organizations cannot access information, use critical computer systems or restore from backups, and they also steal data and threaten to post it on a leak site (a tactic known as double extortion).”

According to research carried out by Martineau and colleagues, REvil and its affiliates averaged $2.25m in payouts per breach over the first six months of 2021 – chickenfeed compared to the $70m the group is demanding for a universal decryption tool designed to unlock the data being ransomed as a result of the Kaseya attack.

The methods chosen by the group to gain access to the target systems are depressingly simple, Martineau’s report claimed, with the most common methods being as simple as sending a phishing message or attempting to log in to Remote Desktop Protocol (RDP) servers using previously-compromised credentials.

“However,” Martineau noted, “we also observed a few unique vectors that relate to the recent Microsoft Exchange Server CVEs, as well as a case that involved a SonicWall compromise.”

Once in, REvil attackers cement their access by creating new local and domain user accounts, install Cobalt Strike’s Beacon covert payload – a commercial product which apparently delivers a little too well on its promise to “model advanced attackers” for “threat emulation” – and disable antivirus, security services, and other protection systems. The impact is further expanded to other devices on the network, using “various open-source tools to gather intelligence on a victim environment.”

It could be a while before the attack is noticed, too – no surprise given how the group often exfiltrates gigabytes of data as part of its ransom approach. “REvil threat actors often encrypted the environment within seven days of the initial compromise,” Martineau found. “However, in some instances, the threat actor(s) waited up to 23 days. [They] often used MEGASync software or navigated to the MEGASync website to exfiltrate archived data. In one instance, the threat actor used RCLONE to exfiltrate data.”

[…]

The full report has been published on the Unit 42 site.

Source: Report shines light on REvil’s depressingly simple tactics: Phishing, credential-stuffing RDP servers… the usual • The Register

Three-dozen US states plus DC sue Google over Play Store’s revenue cut, payment system, and more

As expected, Google is facing a fresh legal assault regarding its Play Store, the 30 per cent cut it took from developers’ revenues via the software souk, and other rules and restrictions.

In an antitrust lawsuit [PDF] filed in a federal district court in San Francisco on Wednesday, 36 US states and commonwealths, plus Washington DC, alleged Google ran roughshod over the Sherman Act, screwing over users and software makers by abusing its monopoly on Android and the distribution of apps.

Those states include New York, California, Florida, Washington, New Jersey, North Carolina, and Arizona, though not Texas, Pennsylvania, Ohio, nor Illinois, among others. There doesn’t appear to be an obvious partisan split.

The complaint is wide-ranging and extensive, from criticizing Google’s commission from app and in-app purchases and that it must handle payments, to undue pressure on phone makers, to a ban on advertising by non-Play stores on Google’s web properties, like YouTube, and more.

[…]

In March, Google dropped its cut of app sales from 30 to 15 per cent for the first $1m a developer makes. The move mirrored a similar decision by Apple last year, matching the same terms almost exactly. This was not enough, it seems, to hold off attorneys general.

[…]

Source: Three-dozen US states plus DC sue Google over Play Store’s revenue cut, payment system, and more • The Register

OnePlus Admits to Throttling OnePlus 9 and 9 Pro for battery life

After a recent investigation by Anandtech pointed out that a number of popular apps were experiencing sluggish performance on the OnePlus 9 and OnePlus 9 Pro, OnePlus has now admitted to throttling hundreds of popular apps to help “reduce power consumption.”

Anandtech’s Andrei Frumusanu noticed that a number of popular browsers, including Google Chrome, performed significantly worse on benchmarks such as JetStream 2.0 and Speedometer 2.0, posting results more similar to those from old budget phones than a modern high-end device. And while Gizmodo does not use those benchmarks as part of our review process (due in part to previous tampering from companies including OnePlus and others), we can confirm similar numbers in our own testing.

Upon further review, Anandtech discovered that OnePlus had installed a custom OnePlus Performance Service function that throttled the performance of apps like YouTube, Snapchat, Discord, Twitter, Zoom, Facebook, Microsoft Office apps, and even a number of first-party apps from OnePlus. And by limiting the performance of certain cores in the OnePlus 9 and 9 Pro’s Snapdragon 888 processor, OnePlus was effectively throttling these apps in order to help deliver increased battery life.

In a statement provided to XDA Developers, OnePlus has confirmed it throttled the performance of apps on the OnePlus 9 and 9 Pro.

[…]

Source: OnePlus Admits to Throttling OnePlus 9 and 9 Pro

This Crowdsourced Ransomware Payment Tracker Shows How Much Cybercriminals Have Heisted

Ransomware attacks are on the rise, but quantifying the scope of the problem can be tricky when only the most high-profile cases make headlines. Enter Ransomwhere,

[…]

Jack Cable, a security architect at the cybersecurity consulting firm Krebs Stamos Group, launched the site on Thursday.

[…]

The way it works is Ransomwhere keeps a running tally of ransoms paid out to cybercriminals in the bitcoin cryptocurrency. This is largely made possible because of the transparent nature of bitcoin: All transactions involving the cryptocurrency are recorded on the blockchain, a decentralized database that acts as a public ledger, thus allowing anyone to track any transactions specifically associated with ransomware groups.

[…]

Since the U.S. dollar value of bitcoin is constantly fluctuating, Ransomwhere calculates each ransom amount based on the bitcoin exchange rate on the day that the transaction was sent.

[…]

So far in 2021, the Russia-linked cybercriminal gang that took credit for the Kaseya and JBS attacks, REvil, is leading the pack by a mile with more than $11 million in ransom payments, according to Ransomwhere. Coming in second with $6.2 million is Netwalker, one of the most popular ransomware-as-a-service offerings on the dark web. It should be noted, though, that Netwalker has the dubious honor of racking up the most ransom payments of all time, with roughly $28 million to its name based on the site’s data.

REvil could soon surpass that record if its recent demands for $70 million are met. That’s how much the gang asked for on Sunday to publish a universal decryptor that would unlock all computers affected in the Kaseya hack, a supply chain attack that has crippled more than 1,000 companies worldwide and prompted a federal investigation.

[…]

Source: This Crowdsourced Ransomware Payment Tracker Shows How Much Cybercriminals Have Heisted

Iran’s Train System Hacked, Khamenei’s phone number posted on station message boards as help line

Cyberattacks reportedly disrupted Iran’s railway system on Friday, causing “unprecedented chaos” at stations throughout the country, according to state media.

The hackers, whoever they are, also reportedly trolled the nation’s Supreme Leader Ali Khamenei, posting his phone number as “the number to call for information” on multiple train station message boards, Reuters reports. According to some Iranian outlets, the number, 64411, was displayed on screens in train stations and redirected to Ayatollah Khamenei’s office when dialed.

The railway’s website, local ticket offices, and cargo services have all apparently been affected, the news outlet reports.

There isn’t otherwise a whole lot of information about this incident, though local reporting would appear to suggest that trains have been massively delayed but not totally stalled.

[…]

Source: Iran’s Train System Reportedly Hacked by Trolling Attackers

Samsung Washing Machine App Requires Access to Your Contacts and Location

A series of Samsung apps that allow customers to control their internet-connected appliances require access to all the phone’s contacts and, in some cases, the phone call app, phone’s location, and camera. Customers have been furious about this for years.

On Wednesday, a Reddit user complained that their washing machine app, the Samsung Smart Washer, wouldn’t work “unless I give it access to my contacts, location and camera.”

This is a common complaint.

[…]

These situations speak to two issues: Apps that demand permissions that they don’t need, and “smart” and internet of things devices that make formerly simple tasks very complicated, and open up potential privacy and security concerns.

Generally speaking, over the last few years, people have become more sensitive to what they’re giving up in privacy, and potentially security, when they deal with big tech companies. Smart TVs (Samsung included), for example, have been caught listening to users and automatically delivering ads. Tech companies have had to adapt and do better. For example, both Apple and Google allow users to see what data an app has access to, and in some cases users can toggle the permissions individually. The upcoming new version of Android will even have a dedicated “Privacy Dashboard” where users can see which apps used what permissions, and revoke them if they want. Apple’s iOS has similar functionality. But none of this stops app developers from asking users to accept unnecessary permissions.

It’s unclear why apps that are designed to let you set the type of washing cycle you want, or see how long it’s gonna take for the dryer to be done, would need access to your phone’s contacts. In an FAQ for another Samsung app, the company says it needs access to contacts “to check if you already have a Samsung account set up in your device. Knowing this information helps mySamsung to make the sign-in process seamless.”

[…]

Source: Samsung Washing Machine App Requires Access to Your Contacts and Location

Richard Branson becomes first billionaire in space

The rocket ship launched the 70-year-old and his crew from Spaceport America in the New Mexico desert.

Tropical storms had delayed the launch before setting off at around 3.30pm.

Branson – known as ‘Astronaut 001’ – soared into space in his blue spacesuit aboard Virgin Space Ship Unity, a 62ft rocket-powered space plane nestled between the twin hulls of Mother Ship Eve, which propelled them to an altitude of around 55 miles.

Source: Virgin Galactic space launch LIVE – Richard Branson WINS battle with Elon Musk to become first billionaire in space

Link contains a good summary video. Nice to see Richard beat out Elon Musk and Jeff Bezos – what an achievement!

HOTAS, HOSAS, Dual Joysticks, Omnithrottle, Space and Flight sim controllers

What are these terms and how do they work in terms of control schemes? In this world you generally get what you pay for – if it’s cheap, then it’s probably plasticky and nasty. If it’s expensive, then it’s probably high quality. Saitek and Logitech have equipment running from low to midrange. Thrustmaster from mid to high range.

The VKB Gladiator NXT is currently the most popular midrange joystick you can find, around $120 – $150, and comes in left- and right-hand versions.

If you have the money though, you go for the Virpil (VPC) Constellation Alpha (both left and right hand) and MongoosT-50CM2 grips and bases.

WingWin.cn has a very good F-16 throttle, stick and instrument panel with desk mounts.


HOTAS

The world of flight sim control used to be fairly straightforward: ideally you had a stick on the right, a throttle unit on the left and rudders in the middle. Some stick makers tried to replace the rudder with a twistable stick grip and maybe a little throttle lever on the stick so you could get full control cheaper – the four degrees of freedom (roll, yaw, pitch and thrust) / 4 DOF on a single stick. You had fewer buttons but you used the keyboard and mouse more.

HOSAS / Dual Stick

Now in the resurgence of the age of space sims – (Elite Dangerous, Star Citizen, No Mans Sky, Star Wars Squadrons and Tie Fighter Total Conversion to name a few) the traditional HOTAS (Hands on Throttle and Stick) is losing ground to the HOSAS (Hands on Stick and Stick). The HOSAS offers six degrees of freedom (6 DOF): roll, yaw, pitch, thrust + horizontal and vertical translation / strafing, which makes sense for a space plane that can not only go backwards but can also strafe directly upwards and downwards or left and right.

This gives rise to some interesting control schemes:

Left stick
  x-axis        translate / strafe left + right
  y-axis        throttle
  z/twist-axis  translate / strafe up + down

Right stick
  x-axis        roll
  y-axis        pitch
  z/twist-axis  yaw

a variation which seems to be popular in Star Wars Squadrons is

Right stick
  x-axis        yaw
  y-axis        pitch
  z/twist-axis  roll

another variation with throttling

Left stick
  x-axis        translate / strafe left + right
  y-axis        translate / strafe up + down
  z/twist-axis  thrust

often combined with:

  rudder left foot   throttle backwards / reverse
  rudder right foot  throttle forwards

Different combinations work better or worse depending on the person and how tiring it is for them personally. As Reddit user Enfiguralimificuleur points out: “It worked best for me with Z/twist being the throttle. I found it very efficient to adjust your speed properly. Very easy to stay at that speed as well.
However due to wrist issue and tendinitis, some positions are VERY awkward. Try pulling+right+twisting. Ouch. And even without the pain, this is not comfortable.”

Throttling and the Omnithrottle

The throttle can be set in different ways: a traditional HOTAS throttle stays where it’s pushed to. Sticks, on the other hand, generally have a recentering mechanism. This means that it’s easy to find reverse, but it can get annoying because to keep throttling you need to keep pushing the stick forwards. There are a few solutions to this.

First, the VKB Gunfighter III base has a dry clutch which removes the centering spring on the pitch axis, meaning you can assign that axis to thrust and basically have a stick that stays where you leave it, mimicking a throttle, while still allowing for the rotation and roll axes.

Second, people can use a traditional throttle as well (so then I guess it becomes a HOTSAS)

Third, you can map a hat to 0, 50, 75, 100% speed and set speeds that way as a sort of cruise control

Fourth you can use the rudder (left foot back, front foot forward) or z-axis (twist) for thrust / throttle control. This will not eliminate the problem though.

The omnithrottle is when you angle the left hand stick around 90 degrees downwards so that it looks like a throttle. You retain the three axes and the extra buttons and hats, giving you more freedom.

Sessine has a guide to converting a VKB stick to an omnithrottle – he credits users JaguarMG and Pretagonist.

This extension can also be found on Thingiverse with instructions

There is a YouTube video of the Angled Virpil Stick Adapter / Omnidirectional Throttle here, using a Gardena hose-to-hose fixing adapter.

and Issalzul has a two part writeup of their throttle (part 1 / part 2)

r/hotas - Finally finished my omnithrottle mod, thanks to this sub for giving me the idea!

For the VKB Gunfighter, ArtoriusPendragon has made a 3d file for the 3-Axis Throttle Adapter

r/HotasDIY - VKB Gunfighter 3-Axis Throttle Adapter

And Sarai_Seneschal has some tips on how to work with the #10 spring on his chair mounted HOSAS build.

r/hotas - VKB MCG Pro, VKB Kosmosima, Monstertech Chair Mount, 3D Printed throttle adapter designed by u/ArtoriusPendragon

CAD / 3D design mice

The 3Dconnexion SpaceMouse Pro has 12 programmable buttons and offers 6 DOF as well. It’s a left-handed controller but might be interesting.

Attaching stuff to desks and stairs

For that I have a whole other post you can look at. Have fun!

Discuss

For Reddit discussions see r/HotasDIY and r/hotas – thanks for the input there, guys!

Report: Russian Cyber Spies Recently Hacked the RNC

According to a new investigation from Bloomberg, cyber spies connected to the Russian government recently hacked into the Republican National Committee—though the RNC has denied that their systems were breached in this way.

According to Bloomberg, the hacker group known as “Cozy Bear”—thought to be connected to Russia’s intelligence service, the SVR—conducted the intrusion, though it’s not clear what they viewed or whether they stole any data. The hackers are believed to have gained entry to the RNC’s networks through one of its IT providers, a company called Synnex Corp.

The incident occurred this past 4th of July weekend—around the same time that a cybercriminal group was launching a massive ransomware attack on American IT firm Kaseya, the damage from which is still being assessed. The Russian cybercriminal group REvil has claimed responsibility for that attack.

A notorious threat actor, Cozy Bear has been blamed for large parts of the “SolarWinds” hack, the likes of which compromised close to a dozen federal agencies and droves of American businesses. The group, which also goes by its technical designation APT 29, has also been accused of hacking the Democratic National Committee in the past.

[…]

Source: Report: Russian Cyber Spies Recently Hacked the RNC

DRM Strikes Again: Ubisoft Makes Its Own Game Unplayable By Shutting Down DRM Server

DRM has shown time after time to be of almost no hindrance whatsoever for those seeking to pirate video games, but has done an excellent job of hindering those who actually bought the game in playing what they’ve bought. Ubisoft, in particular, has had issues with this over the years, with DRM servers failing and preventing customers from playing games that can no longer ping the DRM server.

And while those instances involved unforeseen downtime or migrations impacting customers’ ability to play their games, this time it turns out that Ubisoft simply stopped supporting the DRM server for Might and Magic X-Legacy. And now basically everyone is screwed.

Last month, Ubisoft decided to end online support for a bunch of older games, but in doing so also brought down the DRM servers for Might and Magic X – Legacy, meaning players couldn’t access the game’s single-player content or DLC.

As Eurogamer reports, fans were not happy, having to cobble together an unofficial workaround to be able to continue playing past a certain point in the single-player. But instead of Ubisoft taking the intervening weeks to release something official to fix this, or reversing their original move to shut down the game’s DRM servers, they’ve decided to do something else.

They have simply removed the game for sale on Steam.

This, of course, does nothing for the people who already bought the game and now suddenly cannot progress through it completely, as all the DLC is non-functional. They can play the game up until a point, but then it just doesn’t work.

There are multiple bad actions on Ubisoft’s part here. First, using DRM like this is a terrible idea with almost no good consequences. But once it’s in use, you would think it would be the obligation of the company to ensure any changes it makes on its end don’t suddenly render purchases made by its customers unplayable. In other words, rather than ending support for a DRM server that nixes parts of a paid-for game, the company could have rolled out patches to remove the DRM completely so that none of this happened. After all, with the game no longer even available as a new purchase, what would be the harm in removing the DRM? And, of course, there’s the total lack of communication to Ubisoft customers about basically all of this.

Which is what has people so understandably pissed.

Source: DRM Strikes Again: Ubisoft Makes Its Own Game Unplayable By Shutting Down DRM Server | Techdirt

Researchers retrofit microscopes to take 3D images of cells in real-time

There’s a limit to what you can learn about cells from 2D pictures, but creating 3D images is a time-intensive process. Now, scientists from UT Southwestern have developed a new “simple and cost-effective” device capable of capturing multi-angle photos that can be retrofitted onto existing lab microscopes. The team say their solution — which involves inserting a unit of two rotating mirrors in front of a microscope’s camera — is 100 times faster than converting images from 2D to 3D.

Currently, this process involves collecting hundreds of photos of a specimen that can be uploaded as an image stack into a graphics software program, which then performs computations in order to provide multiple viewing perspectives. Even with a powerful computer, those two steps can be time-consuming. But, using their optical device, the team found they could bypass that method altogether.

What’s more, they claim their approach is even faster as it requires only one camera exposure instead of the hundreds of camera frames used for entire 3D image stacks. They discovered the technique while de-skewing the images captured by two common light-sheet microscopes. While experimenting with their optical method, they realized that when they used an incorrect amount of de-skew the projected image seemed to rotate.

“This was the aha! moment,” said Reto Fiolka, assistant professor at the Lyda Hill Department of Bioinformatics at UT Southwestern. “We realized that this could be bigger than just an optical de-skewing method; that the system could work for other kinds of microscopes as well.”

Using their modified microscope, the team imaged calcium ions carrying signals between nerve cells in a culture dish and looked at the circulatory system of a zebrafish embryo. They also rapidly imaged cancer cells in motion and a beating zebrafish heart. They also applied the optical unit to additional microscopes, including light-sheet and spinning disk confocal microscopy.

Source: Researchers retrofit microscopes to take 3D images of cells in real-time | Engadget

Getting Your iPhone Near This Cursed Network Breaks Its Wifi

iPhone doesn’t even have to connect to the network to mess up.

Back in June, security researcher Carl Schou found that when he joined the network “%p%s%s%s%s%n”, his iPhone permanently disabled its wifi functionality. Luckily, this was fixed by resetting all network settings, which erased the villainous wifi name from his phone’s memory. You would think that would have been the end of connecting to networks with weird and fishy sounding names, but you are not Schou.

On Sunday, he decided to try his luck again by investigating a public wifi network named “%secretclub%power”. According to Schou, just having an iOS device in the vicinity of a wifi network with this name can permanently disable its wifi functionality.

“You can permanently disable any iOS device’s WiFi by hosting a public WiFi named %secretclub%power,” he wrote on Twitter. “Resetting network settings is not guaranteed to restore functionality.”

Schou apparently struggled to find his way out of this one and get his wifi functionality back. He said he reset network settings multiple times, forced restarted his iPhone, and even contacted Apple’s device security team. The researcher eventually got some help from Twitter, which advised him to manually edit an iPhone backup to remove malicious entries from the known networks plist files.
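The article does not say what iOS does with the network name, but “%p%s%s%s%s%n” is the shape of a classic format-string injection, where untrusted text is handed to a printf-style function as the format rather than as an argument. The following is an added example, not code from the article or from Apple: a check that flags names carrying conversion directives, the unsafe logging line (kept as a comment), the safe form in which the SSID is only ever data, and a defensive escape for text that must later pass through a format-aware API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion directives in untrusted text.
   A literal "%%" is an escaped percent sign and does not count. */
int count_format_directives(const char *s) {
    int n = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%') continue;
        if (s[i + 1] == '%') { i++; continue; }   /* "%%" is a literal percent */
        n++;                                       /* "%p", "%s", "%n", ... */
    }
    return n;
}

/* Unsafe pattern (do not use): the SSID itself becomes the format string.
       snprintf(buf, size, ssid);
   With "%p%s%s%s%s%n" as the name, the "%s" directives read pointers that
   were never passed and "%n" writes to memory the call was never given. */

/* Safe pattern: the format is a constant and the SSID is only an argument.
   Returns the length snprintf reports, as snprintf does. */
int log_join_safe(char *buf, size_t size, const char *ssid) {
    return snprintf(buf, size, "joined network: %s", ssid);
}

/* Defensive escaping for text that must pass through a format-aware API
   later (UI layers, logging frameworks): every '%' becomes "%%".
   Returns false if dst cannot hold the result plus its terminator. */
bool escape_percent(char *dst, size_t size, const char *src) {
    size_t j = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        size_t need = (src[i] == '%') ? 2 : 1;
        if (j + need >= size) return false;
        dst[j++] = src[i];
        if (src[i] == '%') dst[j++] = '%';
    }
    dst[j] = '\0';
    return true;
}
```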

[…]

Source: Getting Your iPhone Near This Cursed Network Breaks Its Wifi

1994’s Star Wars: TIE Fighter Remade With Modern Graphics

If EA’s Squadrons wasn’t quite to the scale you were hoping for from your Star Wars flight game, never mind: you can always replay 1994 classic TIE Fighter, which now has vastly-improved visuals and some other modern tweaks instead.

What you’re looking at here is TIE Fighter: Total Conversion, which isn’t actually the original TIE Fighter. Instead, it’s a mod for its sequel, 1999’s X-Wing Alliance, porting the original game’s menus and missions into a more robust engine, then using more mods on top of that (the X-Wing Alliance Upgrade Project) to make everything look nicer.

Having been in development for years, the project was finally and fully released over the weekend, and is so much more than just “TIE Fighter with better lighting.” Because this had to be rebuilt in a whole other game, the developers decided to take the opportunity to mess with the original, and have designed a “reimagined” campaign that goes for 37 missions and adds “more ships, bigger battles [and] in some cases completely new missions.”

The soundtrack has also been remastered, proper widescreen resolutions are available, and there’s VR support as well. Though it’s important to note that both those reimagined missions and the soundtrack are optional improvements; you can still play the original campaign and listen to the old MIDI soundtrack if you want.

Source: 1994’s Star Wars: TIE Fighter Remade With Modern Graphics

Audacity users stick the knife – and fork – in to strip audio editor of unwanted features and govt / police spyware

Contributors disgruntled with the recent direction of cross-platform FOSS audio software Audacity are forking the sound editor to a version that does not have the features or requirements that have upset some in the community.

One such project can be found on GitHub, with user “cookiengineer” proclaiming themselves “evil benevolent temporary dictator” in order to get the ball rolling.

“Being friendly seemed to have invited too many trolls,” observed the engineer, “and we must stop this behaviour.”

Presumably that refers to the trolling rather than being friendly. And goodness, the project has had somewhat of a baptism by fire in recent hours as a number of 4chan users elected to launch a raid on it.

This is why we can’t have nice things.

The project is blunt with regard to the causes of the fork – Audacity’s privacy policy updates, the contributor licence agreement, and a furore over introducing telemetry have all played a part.

[…]

Source: Audacity users stick the knife – and fork – in to strip audio editor of unwanted features • The Register

Thinking about selling your Echo Dot—or any IoT device? Turns out passwords and other data remain even after a reset

Like most Internet-of-things (IoT) devices these days, Amazon’s Echo Dot gives users a way to perform a factory reset so, as the corporate behemoth says, users can “remove any… personal content from the applicable device(s)” before selling or discarding them. But researchers have recently found that the digital bits that remain on these reset devices can be reassembled to retrieve a wealth of sensitive data, including passwords, locations, and authentication tokens.

Most IoT devices, the Echo Dot included, use NAND-based flash memory to store data. Like traditional hard drives, NAND—which is short for the boolean operator “NOT AND”—stores bits of data so they can be recalled later, but whereas hard drives write data to magnetic platters, NAND uses silicon chips. NAND is also less stable than hard drives because reading and writing to it produces bit errors that must be corrected using error-correcting code.

Reset but not wiped

NAND is usually organized in planes, blocks, and pages. This design allows for a limited number of erase cycles, usually somewhere between 10,000 and 100,000 per block. To extend the life of the chip, blocks storing deleted data are often invalidated rather than wiped. True deletions usually happen only when most of the pages in a block are invalidated. This process is known as wear-leveling.

Researchers from Northeastern University bought 86 used devices on eBay and at flea markets over a span of 16 months. They first examined the purchased devices to see which ones had been factory reset and which hadn’t. Their first surprise: 61 percent of them had not been reset. Without a reset, recovering the previous owners’ Wi-Fi passwords, router MAC addresses, Amazon account credentials, and information about connected devices was a relatively easy process.

The next surprise came when the researchers disassembled the devices and forensically examined the contents stored in their memory.

“An adversary with physical access to such devices (e.g., purchasing a used one) can retrieve sensitive information such as Wi-Fi credentials, the physical location of (previous) owners, and cyber-physical devices (e.g., cameras, door locks),” the researchers wrote in a research paper. “We show that such information, including all previous passwords and tokens, remains on the flash memory, even after a factory reset.”
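The wear-leveling mechanism described above, and the finding that a reset leaves old credentials on the chip, modelled as a toy flash translation layer. This is an added example, not code from the Ars Technica article or the Northeastern study; the chip geometry, the sample secrets and the two reset behaviours are constructed assumptions, not the Echo Dot’s real layout.

```python
"""Toy model of why a 'reset' on NAND flash can leave old data behind.

Added example, not code from the article or the study. The geometry
(PAGE_SIZE, PAGES_PER_BLOCK, BLOCKS) and the sample credentials are
constructed toy values, not the Echo Dot's real flash layout.
"""
from typing import Dict, Optional

PAGE_SIZE = 16        # bytes per page (assumed toy value)
PAGES_PER_BLOCK = 4   # pages per erase block (assumed toy value)
BLOCKS = 4
ERASED = b"\xff" * PAGE_SIZE   # NAND cells read as all ones after an erase


class FlashChip:
    """Raw NAND: a page is programmed once between erases; erase is per block."""

    def __init__(self) -> None:
        self.pages = [ERASED] * (BLOCKS * PAGES_PER_BLOCK)
        self.erase_count = [0] * BLOCKS   # wear counter per block

    def program(self, page_no: int, data: bytes) -> None:
        if self.pages[page_no] != ERASED:
            raise ValueError("page must be erased before it is programmed again")
        self.pages[page_no] = data.ljust(PAGE_SIZE, b"\xff")

    def erase_block(self, block_no: int) -> None:
        start = block_no * PAGES_PER_BLOCK
        for p in range(start, start + PAGES_PER_BLOCK):
            self.pages[p] = ERASED
        self.erase_count[block_no] += 1

    def raw_dump(self) -> bytes:
        """What a chip-level reader sees: every physical page, mapped or not."""
        return b"".join(self.pages)


class WearLevelingFTL:
    """Minimal flash translation layer: logical key -> physical page.
    An update or delete only invalidates the old page; its bytes survive
    until the whole block is reclaimed and erased."""

    def __init__(self, chip: FlashChip) -> None:
        self.chip = chip
        self.mapping: Dict[str, int] = {}
        self.next_free = 0        # append-only log, as real FTLs write

    def write(self, key: str, value: bytes) -> None:
        if self.next_free >= len(self.chip.pages):
            raise RuntimeError("toy chip full; a real FTL would garbage-collect here")
        self.chip.program(self.next_free, value)
        self.mapping[key] = self.next_free   # the old page, if any, is now merely unmapped
        self.next_free += 1

    def read(self, key: str) -> Optional[bytes]:
        page = self.mapping.get(key)
        return None if page is None else self.chip.pages[page].rstrip(b"\xff")

    def factory_reset(self) -> None:
        """The cheap reset: forget the mapping, touch no cells."""
        self.mapping.clear()

    def secure_erase(self) -> None:
        """The reset a seller actually wants: every block erased, then remapped."""
        for b in range(BLOCKS):
            self.chip.erase_block(b)
        self.mapping.clear()
        self.next_free = 0


def remanence_demo() -> Dict[str, bool]:
    """Reports what a raw dump still contains after each kind of reset."""
    chip = FlashChip()
    ftl = WearLevelingFTL(chip)
    ftl.write("wifi_psk", b"OldWifiPass1")      # constructed sample secret
    ftl.write("wifi_psk", b"NewWifiPass2")      # rotation: old page only invalidated
    ftl.write("auth_token", b"tok-sample-42")   # constructed sample token

    ftl.factory_reset()
    logical_after_reset = ftl.read("wifi_psk")  # None: the device "forgot" it
    after_reset = chip.raw_dump()
    ftl.secure_erase()
    after_erase = chip.raw_dump()
    secrets = (b"OldWifiPass1", b"NewWifiPass2", b"tok-sample-42")
    return {
        "logical_read_after_reset": logical_after_reset is not None,
        "old_psk_in_dump_after_reset": secrets[0] in after_reset,
        "new_psk_in_dump_after_reset": secrets[1] in after_reset,
        "token_in_dump_after_reset": secrets[2] in after_reset,
        "anything_left_after_erase": any(s in after_erase for s in secrets),
    }
```

The logical read fails after the cheap reset, yet every secret, including the rotated-out password, is still in the raw dump; only the block erase removes them.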

[…]

If a device has not been reset (as in 61% of the cases), then it’s pretty simple: you remove the rubber on the bottom, remove 4 screws, remove the body, unscrew the PCB, remove a shielding and attach your needles. You can then dump the device in less than 5 minutes with a standard eMMC/SD Card reader. After you’ve got everything, you reassemble the device (technically, you don’t need to reassemble it as it will work as is) and you create your own fake Wi-Fi access point. And you can chat with Alexa directly after that.

If the device has been reset, it gets more tricky and will involve some soldering. You will at least get the Wi-Fi credentials and potentially the position of the Wi-Fi using the MAC address. In some rare cases, you might be able to connect it to the Amazon cloud and the previous owner’s account. But that depends on the circumstances of the reset.

[…]

Source: Thinking about selling your Echo Dot—or any IoT device? Read this first | Ars Technica

TikTok’s AI is now available to other companies

TikTok’s AI is no longer a secret — in fact, it’s now on the open market. The Financial Times has learned that parent company ByteDance quietly launched a BytePlus division that sells TikTok technology, including the recommendation algorithm. Customers can also buy computer vision tech, real-time effects and automated translations, among other features.

BytePlus debuted in June and is based in Singapore, although it has presences in Hong Kong and London. The company is looking to register trademarks in the US, although it’s not certain if the firm has an American presence at this stage.

There are already at least a few customers. The American fashion app Goat is already using BytePlus code, as are the Indonesian online shopping company Chilibeli and the travel site WeGo.

ByteDance wouldn’t comment on its plans for BytePlus.

A move like this wouldn’t be surprising, even if it might remove some of TikTok’s cachet. It could help ByteDance compete with Amazon, Microsoft and other companies selling behind-the-scenes tools to businesses. It might also serve as a hedge. TikTok and its Chinese counterpart Douyin might be close to plateauing, and selling their tech could keep the money flowing.

Source: TikTok’s AI is now available to other companies | Engadget

FTC Charges Broadcom With Monopolization of Chip Industry

The Federal Trade Commission has filed charges against Broadcom over allegations that the chip maker monopolized the market for semiconductor components, the agency announced Friday.

According to the commission’s complaint, Broadcom entered into long-term exclusivity and loyalty agreements with both original equipment manufacturers and service providers to prevent them from buying chips from Broadcom’s rivals. The FTC’s investigation, which dates back years, found that Broadcom had been making “exclusive or near-exclusive” deals since 2016 with at least 10 manufacturers of TV set-top boxes and broadband devices. The company also threatened customers who used a rival’s product with retaliation, with nonexclusive customers facing higher prices for slower delivery times and less responsive customer support, the FTC claims.

“By entering exclusivity and loyalty agreements with key customers at two levels of the supply chain, Broadcom created insurmountable barriers for companies trying to compete with Broadcom,” the agency said in a press release Friday.

The FTC said that under a proposed consent order, Broadcom must stop engaging in these kinds of contracts and conditioning access to its chips based on exclusivity or loyalty deals. Broadcom would also be prohibited from retaliating against customers that do business with its competitors.

[…]

The proposed consent order is still subject to a public comment period and a final commission review. For its part, Broadcom has pushed back against the FTC’s allegations while also indicating that it’s willing to cooperate on a settlement. The company resolved a similar antitrust dispute with the European Union last October in which it agreed to stop pushing exclusivity arrangements for chips used in TV set-top boxes and modems for the next seven years.

Source: FTC Charges Broadcom With Monopolization of Chip Industry

Jeff Bezos Steps Down as Amazon’s CEO After 27 Years

DAN HOWLEY: On July 5, Jeff Bezos, the richest person on Earth, will officially step down as CEO of the company he founded in 1994. Amazon will continue to exist, of course. It’s one of the wealthiest publicly traded companies in the world with a market capitalization of $1.7 trillion.

[…]

As for Bezos, he’ll remain as the company’s chairman of the board and continue to own a 10.3% stake in the company. Outside of Amazon, he’ll spend more time with his space efforts at Blue Origin.

[…]

Source: Jeff Bezos Steps Down as Amazon’s CEO After 27 Years

Largest ransomware attack ever through hacked Kaseya software by REvil. Thousands of victims in at least 17 countries. $70m asked to decrypt the lot.

Cybersecurity teams worked feverishly Sunday to stem the impact of the single biggest global ransomware attack on record, with some details emerging about how the Russia-linked gang responsible breached the company whose software was the conduit.

An affiliate of the notorious REvil gang, best known for extorting $11 million from the meat-processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said.

REvil was demanding ransoms of up to $5 million, the researchers said. But late Sunday it offered in a posting on its dark web site a universal decryptor software key that would unscramble all affected machines in exchange for $70 million in cryptocurrency.

Earlier, the FBI said in a statement that while it was investigating the attack its scale “may make it so that we are unable to respond to each victim individually.” Deputy National Security Advisor Anne Neuberger later issued a statement saying President Joe Biden had “directed the full resources of the government to investigate this incident” and urged all who believed they were compromised to alert the FBI.

Biden suggested Saturday the U.S. would respond if it was determined that the Kremlin is at all involved.

Less than a month ago, Biden pressed Russian President Vladimir Putin to stop giving safe haven to REvil and other ransomware gangs whose unrelenting extortionary attacks the U.S. deems a national security threat.

[…]

CEO Fred Voccola of the breached software company, Kaseya, estimated the victim number in the low thousands, mostly small businesses like “dental practices, architecture firms, plastic surgery centers, libraries, things like that.”

Voccola said in an interview that only between 50 and 60 of the company’s 37,000 customers were compromised. But 70% were managed service providers who use the company’s hacked VSA software to manage multiple customers. It automates the installation of software and security updates and manages backups and other vital tasks.

[…]

The cybersecurity firm ESET identified victims in at least 17 countries, including the United Kingdom, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya.

Kaseya says the attack only affected “on-premise” customers, organizations running their own data centers, as opposed to its cloud-based services that run software for customers. It also shut down those servers as a precaution, however.

Kaseya, which called on customers Friday to shut down their VSA servers immediately, said Sunday it hoped to have a patch in the next few days.

Active since April 2019, REvil provides ransomware-as-a-service, meaning it develops the network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion’s share of ransoms. U.S. officials say the most potent ransomware gangs are based in Russia and allied states and operate with Kremlin tolerance and sometimes collude with Russian security services.

[…]

Source: Scale, details of massive Kaseya ransomware attack emerge

British right to repair law excludes smartphones and computers

A British right to repair law comes into force today, requiring manufacturers to make spares available to both consumers and third-party repair companies.

However, despite claiming to cover “televisions and other electronic displays,” the law somehow excludes smartphones and laptops…


The European Union introduced a right to repair law back in March, and the UK agreed prior to Brexit that it would introduce its own version.

BBC News reports:

From Thursday, manufacturers will have to make spares available to consumers, with the aim of extending the lifespan of products by up to 10 years, it said […]

The right to repair rules are designed to tackle “built-in obsolescence” where manufacturers deliberately build appliances to break down after a certain period to encourage consumers to buy new ones.

Manufacturers will now be legally obliged to make spare parts available to consumers so appliances can be fixed.

Which? notes that the UK law ensures spares are available for either 7 or 10 years after the discontinuation of a product, but that it only covers four specific consumer product categories (plus some commercial/industrial ones).

Spare parts will have to be available within two years of an appliance going on sale, and up until either seven or 10 years after the product has been discontinued, depending on the part. Some parts will only be available to professional repairers, while others will be available to everyone, so you can fix it yourself.

For now, the right to repair laws only cover:

  • Dishwashers
  • Washing machines and washer-dryers
  • Refrigeration appliances
  • Televisions and other electronic displays

They also cover non-consumer electronics, such as light sources, electric motors, refrigerators with a direct sales function (e.g. fridges in supermarkets, vending machines for cold drinks), power transformers and welding equipment.

However, while you would expect “other electronic displays” to include iPhones, iPads, and most Macs, Which? states that these product categories are excluded.

Cookers, hobs, tumble dryers, microwaves or tech such as laptops or smartphones aren’t covered.

A cynical person might suspect some behind-the-scenes lobbying by Apple and other phone and computer brands…

Source: British right to repair law excludes smartphones and computers – 9to5Mac

Apple’s developer problems are much bigger than Epic and ‘Fortnite’

Near the end of the Epic v. Apple trial, Judge Yvonne Gonzales Rogers had some pointed questions for Tim Cook on the state of Apple’s relationship with its developers. Citing an internal survey of developers, she noted that 39 percent of them indicated they were unhappy with the App Store’s distribution. What incentive, then, she asked, does Apple have to work with them?

Cook seemed to be caught off guard by the question. He said Apple rejects a lot of apps and that “friction” can be a good thing for users. Rogers replied that it “doesn’t seem you feel pressure or competition to change the manner in which you act to address concerns of developers.”

It was a brief but telling exchange. And one that strikes at the heart of Apple’s currently rocky relationship with developers.

Epic vs. Apple vs. developers

Ostensibly, Epic’s antitrust case against Apple was about the iPhone maker’s treatment of Fortnite and its refusal to allow the game developer to bypass the App Store for in-app purchases. Epic, along with many other prominent developers, has long chafed at Apple’s 30 percent commission, or “App Store” tax.

It’s not just that they see 30 percent as greedy and unfair (Apple recently lowered its take to 15 percent for small developers). It’s that Apple has appeared to treat some developers differently than others. For example, documents unearthed during the trial detail how Apple went to great lengths to prevent Netflix from yanking in-app purchases from its app.

After considering “punitive measures” toward the streaming giant, Apple offered Netflix custom APIs that most developers don’t have access to. It also dangled the possibility of additional promotion in the App Store or even at its physical retail stores. Netflix ended up pulling in-app purchases anyway, but it was illustrative of the kind of “special treatment” many developers have long suspected Apple employs towards some apps.

Meanwhile, game developers have no choice but to pay Apple’s “tax.” Not only that, but Apple’s rules prohibit them from even alerting their users that they may be able to make the same purchase elsewhere for less — what’s known as its “anti-steering” rules.

Friction over these rules is nothing new. But the details of these arrangements, and Apple’s hardball tactics with developers, had never been as exposed as they were during the trial.

“What was great about the Epic trial was that it brought many of these issues to light and into the public dialogue,” said Meghan DiMuzio, executive director for the Coalition for App Fairness, an advocacy group representing developers who believe Apple’s policies are anticompetitive. “I think we saw how Apple more generally chooses to approach their relationships with developers and how they value, or don’t value, their relationships with developers. I think those are really incredible soundbites and storylines to have out in the public eye.”

The case touched on other issues that have been the source of long-simmering developer frustrations with Cupertino, and not just for giants like Netflix. Epic also highlighted common developer complaints around App Store search ads, fraudulent apps and Apple’s often inscrutable review process.

In one particularly memorable exchange, the developer of yoga app Down Dog spoke at length about how Apple’s opaque policies can have an outsize impact on developers. For example, he said Apple had repeatedly rejected app updates for seemingly bizarre reasons, like using a “wrong” color on a login page. Once, he said, an update was rejected because App Store reviewers couldn’t find his app’s integration with Apple’s Health app. He later realized it was because the reviewers were testing on an iPad, which doesn’t support the Health app.

These types of complaints are probably familiar to most developers. It’s not unusual for Apple to quibble over the placement of a particular button, or some other minor feature. These seemingly small issues can drag on for days or weeks, as Epic repeatedly pointed out. But it’s rare for such squabbles to spill over into public view as they did during the trial.

The trial raised other, more fundamental issues, too. A witness for Epic testified that the operating margin for the App Store was 78 percent, a figure Apple disputed but didn’t offer evidence to the contrary. Instead, Tim Cook and other execs have maintained they simply don’t know how much money the App Store makes.

Cook did, however, have much more to say when pressed on whether game developers effectively “subsidize” the rest of the App Store. “We are creating the entire amount of commerce on the store, and we’re doing that by focusing on getting the largest audience there,” Cook stated.

The argument struck a nerve with some. Marco Arment, a longtime iOS developer whose apps have been featured by Apple, wrote a scathing blog post in response.

“The idea that the App Store is responsible for most customers of any reasonably well-known app is a fantasy,” Arment writes. “The App Store is merely one platform’s forced distribution gateway, ‘facilitating’ the commerce no more and no less than a web browser, an ISP or cellular carrier, a server-hosting company, or a credit-card processor. For Apple to continue to claim otherwise is beyond insulting, and borders on delusion.”

Determining just how many developers agree with that sentiment, though, is trickier. There are millions of iOS developers and for much of the App Store’s history, most have been reluctant to publicly criticize Apple. The company has conducted its own surveys — as evidenced in the Epic trial disclosures — but the findings aren’t typically made public. And even Cook admitted he was unsure if it’s a metric the company regularly tracks.

“There’s not a lot of actual third-party survey on the developer ecosystem,” says Ben Bajarin, CEO of analyst firm Creative Strategies. He has been conducting his own poll of Apple developers to gauge their feelings toward the company.

He says he sees “a pretty big gap” between the smaller, independent developers and the larger businesses on the App Store. Developers with smaller projects, he says, are “simply much more reliant on Apple.” And while they quibble with things like search ads or Apple’s review process, they don’t have many alternatives. “These aren’t developers that have a huge budget for marketing […] they’re entirely reliant on Apple to get them customers.”

The coming antitrust battles

[…]

Source: Apple’s developer problems are much bigger than Epic and ‘Fortnite’ | Engadget

How is it possible that Apple doesn’t know the income from its app store?

Sam Altman’s New Startup Wants to Give You Crypto for Eyeball Scans – yes this is a terrible dr evil plan idea

You should probably sit down for this one. Sam Altman, the former CEO of famed startup incubator Y Combinator, is reportedly working on a new cryptocurrency that’ll be distributed to everyone on Earth. Once you agree to scan your eyeballs.

Yes, you read correctly.

You can thank Bloomberg for inflicting this cursed news on the rest of us. In its report, Bloomberg says Altman’s forthcoming cryptocurrency and the company behind it, both dubbed Worldcoin, recently raised $25 million from investors. The company is purportedly backed by Andreessen Horowitz, LinkedIn founder Reid Hoffman, and Day One Ventures.

“I’ve been very interested in things like universal basic income and what’s going to happen to global wealth redistribution and how we can do that better,” Altman told Bloomberg, explaining what fever dream inspired this.

[…]

What supposedly makes Worldcoin different is it adds a hardware component to cryptocurrency in a bid to “ensur[e] both humanness and uniqueness of everybody signing up, while maintaining their privacy and the overall transparency of a permissionless blockchain.” Specifically, Bloomberg says the gadget is a portable “silver-colored spherical gizmo the size of a basketball” that’s used to scan people’s irises. It’s undergoing testing in some cities, and since Worldcoin is not yet ready for distribution, the company is giving volunteers other cryptocurrencies like Bitcoin in exchange for participating. There are supposedly fewer than 20 prototypes of this eyeball scanning orb, and currently, each reportedly costs $5,000 to make.

Supposedly the whole iris scanning thing is “essential” as it would generate a “unique numerical code” for each person, thereby discouraging scammers from signing up multiple times. As for the whole privacy problem, Worldcoin says the scanned image is deleted afterward and the company purportedly plans to be “as transparent as possible.”

Source: Sam Altman’s New Startup Wants to Give You Crypto for Eyeball Scans

Advertisers Are Selling Americans’ Data to Hundreds of Shady Foreign Businesses

Senator Ron Wyden has released a list of hundreds of secretive, foreign-owned companies that are buying up Americans’ data. Some of the customers include companies based in states that are ostensibly “unfriendly” to the U.S., like Russia and China.

First reported by Motherboard, the news comes after recent information requests made by a bipartisan coalition of Senators, who asked prominent advertising exchanges to provide a transparent list of any “foreign-headquartered or foreign-majority owned” firms to whom they sell consumer “bidstream data.” Such data is typically collected, bought, and sold amidst the intricate advertising ecosystem, which uses “real-time bidding” to monetize consumer preferences and interests.

Wyden, who helped lead the effort, has expressed concerns that Americans’ data could fall into the hands of foreign intelligence agencies to “supercharge hacking, blackmail, and influence campaigns,” as a previous letter from him and other Senators puts it.

“Few Americans realize that some auction participants are siphoning off and storing ‘bidstream’ data to compile exhaustive dossiers about them. In turn, these dossiers are being openly sold to anyone with a credit card, including to hedge funds, political campaigns, and even to governments,” the letter states.

In response to the information requests, most companies seem to have responded with vague, evasive answers. However, advertising firm Magnite has provided a list of over 150 different companies it sells to while declining to note which countries they are based in. Wyden’s staff spent time researching the companies and Motherboard reports that the list includes the likes of Adfalcon—a large ad firm based in Dubai that calls itself the “first mobile advertising network in the Middle East”—as well as Chinese companies like Adtiming and Mobvista International.

Magnite’s response further shows that the kinds of data it provides to these companies may include all sorts of user information—including age, name, and the site names and domains they visit, device identifiers, IP address, and other information that would help any discerning observer piece together a fairly comprehensive picture of who you are, where you’re located, and what you’re interested in.

You can peruse the full list of companies that Magnite works with and, foreign ownership aside, they just naturally sound creepy. With confidence-inspiring names like “12Mnkys,” “Freakout,” “CyberAgent Dynalst,” and “Zucks,” these firms—many of which you’d be hard-pressed to even find an accessible website for—are doing God knows what with the data they procure.

The question naturally arises: How is it that these companies that we know literally nothing about seem to have access to so much of our personal information? Also: Where are the federal regulations when you need them?

Source: Advertisers Are Selling Americans’ Data to Hundreds of Shady Foreign Businesses

And that’s why Europe has GDPR

Another Exploit Hits WD My Book Live Owners – wipes could be rival hacker groups fighting for botnet control

While it will come as no comfort to those who had their Western Digital My Book Live NAS drives wiped last week, it seems they were attacked by a combination of two exploits, and possibly caught in the fallout of a rivalry between two different teams of hackers.

My Book Live packaging

(Image credit: Western Digital)

Initially, after the news broke on Friday, it was thought a known exploit from 2018 was to blame, allowing attackers to gain root access to the devices. However, it now seems that a previously unknown exploit was also triggered, allowing hackers to remotely perform a factory reset without a password and to install a malicious binary file.

[…]

Analysis of WD’s firmware suggests that WD itself had commented out the code meant to prevent the issue, so it never ran, and that an authentication type was not added to component_config.php, with the result that the drives do not ask for authentication before performing the factory reset.
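The class of bug just described, a privileged action whose authentication requirement lives in a config table and whose missing entry silently means “no authentication”, shown against the default-deny alternative. This is an added example and not WD’s code: the endpoint names, the config dict and the AuthType levels are constructed for illustration, and the audit helper is a hypothetical startup check.

```python
"""Fail-open vs fail-closed authorization lookup (added example, not WD's code).

Models a config-driven auth check where one privileged endpoint never got
its entry. Endpoint names, config contents and AuthType levels are
constructed assumptions for illustration.
"""
from enum import Enum
from typing import Dict, Iterable, List, Optional


class AuthType(Enum):
    NONE = "none"     # explicitly public
    BASIC = "basic"   # requires any logged-in user
    ADMIN = "admin"   # requires an administrator session


# Constructed config table; note that "factory_reset" has no entry at all.
COMPONENT_CONFIG = {
    "status": AuthType.NONE,
    "shares": AuthType.BASIC,
    "firmware_update": AuthType.ADMIN,
    # "factory_reset": AuthType.ADMIN,   # the line that never made it in
}

PRIVILEGED_ENDPOINTS = ["shares", "firmware_update", "factory_reset"]


def _session_satisfies(required: AuthType, session: Optional[Dict]) -> bool:
    """Does this session meet the required level? (session=None means anonymous)."""
    if required is AuthType.NONE:
        return True
    if session is None or not session.get("authenticated"):
        return False
    if required is AuthType.ADMIN:
        return bool(session.get("is_admin"))
    return True


def is_permitted_fail_open(endpoint: str, session: Optional[Dict],
                           config: Dict[str, AuthType]) -> bool:
    """The buggy pattern: an endpoint missing from the table defaults to public."""
    required = config.get(endpoint, AuthType.NONE)
    return _session_satisfies(required, session)


def is_permitted_fail_closed(endpoint: str, session: Optional[Dict],
                             config: Dict[str, AuthType]) -> bool:
    """Default deny: an endpoint the table does not know about is refused."""
    required = config.get(endpoint)
    if required is None:
        return False
    return _session_satisfies(required, session)


def audit_config(config: Dict[str, AuthType],
                 privileged: Iterable[str]) -> List[str]:
    """Hypothetical startup check: every privileged endpoint needs an explicit,
    non-public entry. Returns the offenders so deployment can refuse to start."""
    return sorted(e for e in privileged
                  if config.get(e) in (None, AuthType.NONE))


if __name__ == "__main__":
    anon = None
    print("fail-open lets anonymous reset:",
          is_permitted_fail_open("factory_reset", anon, COMPONENT_CONFIG))
    print("fail-closed lets anonymous reset:",
          is_permitted_fail_closed("factory_reset", anon, COMPONENT_CONFIG))
    print("config audit findings:", audit_config(COMPONENT_CONFIG, PRIVILEGED_ENDPOINTS))
```

With the same incomplete table, the fail-open lookup lets an anonymous caller reach the reset while the fail-closed one refuses it, and the audit flags the missing entry before the device ever serves a request.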

The question then arises of why one hacker would use two different exploits, particularly an undocumented authentication bypass when they already had root access through the command injection vulnerability. Venerable tech site Ars Technica speculates that more than one group could be at work here, with one bunch of bad guys trying to take over, or sabotage, another’s botnet.

Source: Another Exploit Hits WD My Book Live Owners | Tom’s Hardware

So is it possible that the authentication code was commented out?!