About Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft

WhatsApp: Users Who Don’t Accept Privacy Terms Can’t Read or send Texts

After causing a huge virtual meltdown with the announcement of its new privacy policy, and then postponing the implementation of said policy due to online fury, WhatsApp has spent the last few weeks trying not to stir up trouble. However, it has just revealed what will happen to users who do not accept its new privacy policy by the May 15 deadline.

WhatsApp has apparently been emailing some of its merchant partners to inform them that it will “slowly ask” users to accept the new privacy policy “in order to have full functionality” of the app, according to TechCrunch, which saw an email and confirmed its veracity with WhatsApp. The email also pointed to a public WhatsApp FAQ page titled, “What happens on the effective date?”

The FAQ page states that WhatsApp will not delete the accounts of users who do not accept the new terms, but that they won’t be able to use it like they normally do.

“If you haven’t accepted by then, WhatsApp will not delete your account. However, you won’t have full functionality of WhatsApp until you accept. For a short time, you’ll be able to receive calls and notifications, but won’t be able to read or send messages from the app,” WhatsApp wrote.

If the “for a short time” part has you scratching your head, WhatsApp did elaborate, sort of. Users who do not accept the new privacy policy by May 15 will be considered inactive users and subject to WhatsApp’s existing policy on that front, as detailed below.

“To maintain security, limit data retention, and protect the privacy of our users, WhatsApp accounts are generally deleted after 120 days of inactivity,” WhatsApp states. “Content stored locally on a user’s device prior to account deletion will remain until WhatsApp is deleted from the device. When a user reregisters for WhatsApp on the same device, their locally stored content will reappear.”

Source: WhatsApp: Users Who Don’t Accept Privacy Terms Can’t Read Texts

Dynamic DIY Macro Keyboard Controls All The Things

[Sebastian] needed a good set of shortcuts for OBS and decided to make a macro keyboard to help out. By the time he was finished, [Sebastian] had macro’d all the things and built a beautiful and smart peripheral that anyone with a pulse would likely love to have gracing their desk.

The design started with OBS, but this slick little keyboard turned into a system-wide assistant. It assigns the eight keys dynamically based on the program that has focus, and even updates the icon to show changes like the microphone status.

This is done with a Python script on the PC that monitors the running programs and updates the macro keeb accordingly using a serial protocol that [Sebastian] wrote. Thanks to the flexibility of this design, [Sebastian] can even use it to control the office light over MQTT and make the CO2 monitor send a color-coded warning to the jog wheel when there’s trouble in the air.

This project is wide open with fabulous documentation, and [Sebastian] is eager to see what improvements and alternative enclosure materials people come up with. Be sure to check out the walk-through/build video after the break.

Inspired to make your own, but want to start smaller? There are plenty to admire around here.


Source: Dynamic Macro Keyboard Controls All The Things | Hackaday

Why You Should Switch From LastPass to Bitwarden’s Password Manager

Whether you’re looking to make a change in your password management just because, or you’re a LastPass user annoyed with the service’s recent changes to its free tier, switching to the much-loved (and free) Bitwarden service is a good choice. Bitwarden is now the best free password manager for most people—since it works across all of your devices to add convenience and security to your logins—and setting it up is quick and easy.

To get started, head to Bitwarden’s site and create an account. It’s free to do, and all you need to worry about is giving yourself a solid master password. Make it a good one, and one that you don’t use anywhere else, because it’ll be one of the gatekeepers for all of your other passwords that you’ll store on the service. Once you’ve created your account and logged in, make sure you verify your email address using the option in the upper-right corner.

[…]

Source: Why You Should Switch From LastPass to Bitwarden’s Password Manager

Aussie shakedown: Facebook ‘Endangered Public Safety’ by Blocking News During Pandemic According to Australia – after forcing FB to pay for news on the site

Facebook has endangered public safety by blocking news on the platform in Australia during the covid-19 pandemic, according to Australia’s Treasurer Josh Frydenberg, a high-ranking official in the country’s ruling Liberal Party.

Frydenberg appeared on the local TV program “Today,” on Friday morning, Australia time, and insisted the government was not going to tolerate Facebook’s “unnecessary” and “wrong” attempts to bully Australia into submission.

“He endangered public safety,” Frydenberg said of Facebook CEO Mark Zuckerberg. “In the middle of a pandemic, people weren’t able to get access to information about the vaccines.”

Facebook started blocking all news content for Australian users on Thursday in retaliation for the government’s plan to implement a new law that would force large tech companies to pay news publishers for linking to their content. Google previously threatened to block all searches in Australia over the law but has since signed agreements with several large Australian publishers.

[…]

Source: Facebook ‘Endangered Public Safety’ by Blocking News During Pandemic According to Australia

Australia facepalms as Facebook blocks bookstores, sport, health services instead of just news

Facebook is being flayed in Australia after its ban on sharing of links to news publications caught plenty of websites that have nothing to do with news.

The Social Network™ announced its ban with a blog post and the sudden erasure of all posts on certain Facebook pages.

Links to news outlets big and small (including The Register) are currently impossible to post to Facebook from within Australia. Australian Facebook users don’t see news links posted from outside the nation.

Which is as Facebook intended to show its displeasure with Australia’s News Media Bargaining Code, a newly legislated scheme that forces Facebook to negotiate payments with local news publishers for the privilege of linking to their content.

But when Facebook implemented its ban, an online bookstore, charities, and even a domestic violence support service saw their Facebook presences erased. Australia’s national Basketball and Rugby bodies also saw their pages sent to the sin bin.

Facebook’s actions to unfriend Australia today … were arrogant and disappointing

Facebook said that the breadth of its blocks is regrettable, but as Australia’s law “does not provide clear guidance on the definition of news content, we have taken a broad definition in order to respect the law as drafted.”

This leaves Facebook in the interesting position of telling advertisers it offers superior micro-targeting services, while telling the world it is unable to tell the difference between a newspaper and a bookshop.

Australia’s Prime Minister Scott Morrison used Facebook to say “Facebook’s actions to unfriend Australia today, cutting off essential information services on health and emergency services, were as arrogant as they were disappointing.”

While Australia facepalms at Facebook’s clumsiness, publishers and politicians around the world have expressed dismay that Facebook has banned news and, by doing so, again demonstrated its ability to shape public discourse.

That Facebook’s contribution to public conversations has so often been to infuse them with misinformation, then promise to do better by ensuring that higher-quality content such as public interest journalism becomes more prominent, has not gone unnoticed.

[…]

Source: Australia facepalms as Facebook blocks bookstores, sport, health services instead of just news • The Register

So a country tells FB to pay for news or not show it and is then surprised that stuff starts disappearing from FB?

And to complete the shakedown by the Aussie government, read: Facebook ‘Endangered Public Safety’ by Blocking News During Pandemic According to Australia

Uber Drivers Entitled to Paid Vacation and Minimum Wage According to UK Supreme Court

Uber drivers in the UK should be classified as workers and entitled to both paid vacation time and the minimum wage, according to a ruling Friday by Britain’s Supreme Court. But Uber’s London office is already disputing the scope and relevance of the ruling for its British drivers, insisting that its own rules have changed dramatically since the case was first brought by 25 drivers in 2016.

The UK Supreme Court ruling notes five reasons that Uber drivers should be classified as workers rather than independent entrepreneurs. First, the court pointed out that Uber drivers have no say in the amount charged for each ride—a number set by Uber. If Uber sets the price, how are they not the driver’s real employer?

Second, Uber sets the contract terms between riders and drivers through their app. Third, Uber constrains all drivers in their ability to accept and decline rides at will. Drivers are penalized if they decline too many rides, another point of fact that would make it pretty obvious Uber is an employer who’s holding all the cards in the employment relationship.

Fourth, Uber penalizes or bans drivers who don’t maintain a sufficiently high rating, another act more consistent with an employer-employee relationship. And lastly, Uber restricts the amount of communication between drivers and riders, something that wouldn’t be normalized if Uber drivers were really just working for themselves.

From the UK Supreme Court’s press release on Friday’s ruling:

Taking these factors together, the transportation service performed by drivers and offered to passengers through the Uber app is very tightly defined and controlled by Uber. Drivers are in a position of subordination and dependency in relation to Uber such that they have little or no ability to improve their economic position through professional or entrepreneurial skill. In practice the only way in which they can increase their earnings is by working longer hours while constantly meeting Uber’s measures of performance. The Supreme Court considers that comparisons made by Uber with digital platforms which act as booking agents for hotels and other accommodation and with minicab drivers do not advance its case. The drivers were rightly found to be “workers.”

[…]

Source: Uber Drivers Entitled to Paid Vacation and Minimum Wage According to UK Supreme Court

The Apparent Hackers Behind Kia’s Ransomware Attack Are Demanding Millions in Bitcoin

Kia seems to be in quite a predicament. As we reported earlier today, the automaker’s online services appear to have been severed from the outside world, with customers unable to start their cars remotely via Kia’s apps or even log into the company’s financing website to pay their bills. All signs pointed to a potential cyberattack against Kia—ransomware most likely—and that’s exactly what a new report is claiming it is.

A report by information security news site Bleeping Computer seems to solidify that theory, as the publication shared a screenshot of an alleged ransom note asking Kia for the hefty sum of $20,000,000 to decrypt its files.

The infection is believed to be the work of a group that Crowdstrike researchers dubbed DoppelPaymer in 2019. Such threat actors routinely hunt big game for large payouts, according to a security bulletin released by the FBI late last year. The note left behind mentions that the malware not only encrypted live data, but also the company’s backups, which more sophisticated attacks of this nature often do to prevent an easy restoration.

To make matters worse, it also claims to have exfiltrated a large amount of data along with the hack, which it says it will release within three weeks. It’s not clear what kind of data was exfiltrated by the attackers; however, the note claims that it was a “huge amount” of it, and the number of Kia’s online services that were affected does allude to the possibility of a broad net being cast into Kia’s network. In simpler terms, these alleged attackers stole a bunch of stuff out of Kia’s house and then locked the doors to some of the bedrooms inside.

After reaching out to Kia multiple times, The Drive finally received an answer on the matter. A Kia spokesperson confirmed that Kia is “experiencing an extended systems outage,” though it does not mention the nature of the outage. It also downplays the ransomware attack allegations shared by Bleeping Computer.

“Kia Motors America, Inc. is currently experiencing an extended systems outage,” a Kia spokesperson told The Drive via email. “Affected systems include the Kia Owners Portal, UVO Mobile Apps, and the Consumer Affairs Web portal. We apologize for any inconvenience to affected customers and are working to resolve the issue as quickly as possible with minimal interruption to our business.”

The spokesperson added: “We are also aware of online speculation that Kia is subject to a ‘ransomware’ attack. At this time, we can confirm that we have no evidence that Kia or any Kia data is subject to a ‘ransomware’ attack.”

Having said that, the report on Bleeping Computer indicates detailed notes from these purported attackers. The attackers apparently used a Protonmail email address to communicate and display a web page on Tor, an encrypted peer-to-peer network that promotes anonymity, complete with an online chat function in case they need support to pay the ransom. At the time of this writing, the hackers were requesting 404.5412 Bitcoin, which equates to roughly $20.9 million. But the message also warns that the longer they take to pay, the higher the fee goes, ending at 600 Bitcoin ($31 million) should the automaker not pay up within nine days.

Screenshots of the actual notes have been published by Bleeping Computer and can be viewed here. It’s also worth noting that DoppelPaymer is the same malware that was responsible for exfiltrating and encrypting data from Visser, a defense contractor and parts manufacturer for both Tesla and SpaceX, just last year.

Source: The Apparent Hackers Behind Kia’s Ransomware Attack Are Demanding Millions in Bitcoin

Citibank accidentally wired $500m back to lenders in user-interface super-gaffe – and judge says it can’t be undone

A judge has ruled that Citibank can’t claw back more than $500m (£360m) it mistakenly paid out after outsourced staff and a senior manager made a nearly billion-dollar (£700m) user-interface blunder.

The error occurred on August 11 last year, when Citibank was supposed to wire $7.8m (£5.6m) in interest payments to lenders who are propping up troubled cosmetics giant Revlon. But a worker at outsourcing mega-org Wipro accidentally checked the wrong combination of on-screen boxes, leading to the repayment of not only the interest but also the $894m (£640m) principal from the bank’s funds.

Citibank has a “six-eyes” policy on massive money transfers of this type. In the Revlon fiasco, a Wipro worker in India configured the transfer using software called Flexcube, his local manager approved it, and Vincent Fratta – a Citibank senior manager based in Delaware, USA – gave the final OK for the transfer of funds, all believing the settings were correct.

Below is a screenshot of the transfer set up by the first Wipro worker. He should have ticked not just the principal field but also the front and fund fields, and set their values to the necessary clearing account number. By leaving those two boxes unchecked and values empty – and wrongly assuming putting the account number in the principal field was a correct move – the entire principal of the loan, which was set to mature in 2023, was handed back to 315 creditors.

Incomplete … The Flexcube interface for the infamous transfer. Source: US courts system

It wasn’t until the next day that staff noticed the error, and sent out emails asking for the funds to be returned – and hundreds of millions of dollars were. However, a group of 10 creditors refused to hand back their share of the cash, amounting to more than $500m, leading Citibank to sue them in New York to recover the dosh.

This week, the US federal district court judge presiding over that lawsuit sided with the lenders, saying [PDF] they had reasonable grounds to think that the transfer was legitimate and that they had legal grounds to keep their money.

“The non-returning lenders believed, and were justified in believing, that the payments were intentional,” Judge Jesse Furman ruled. “Indeed, to believe otherwise — to believe that Citibank, one of the most sophisticated financial institutions in the world, had made a mistake that had never happened before, to the tune of nearly $1bn — would have been borderline irrational.”

Since the amount sent back repaid the loaned amounts to the cent and no more, the judge ruled Citibank had no right to reclaim the money.

“We are extremely pleased with Judge Furman’s thoughtful, thorough and detailed decision,” Benjamin Finestone, representing two lenders, Brigade and HPS Investment Partners, told CNN.

That said, the saga isn’t over yet. The disputed funds are going nowhere, and are held under a temporary restraining order, to give Citibank a chance to challenge the ruling. “We strongly disagree with this decision and intend to appeal,” the mega bank said in a statement. “We believe we are entitled to the funds and will continue to pursue a complete recovery of them.”
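Three people signed off on this transfer and none of them caught it, which is the classic argument for pairing human approval with an automated invariant check. The block below is an added illustration, not Citibank’s or Flexcube’s code: it assumes a simplified model in which the three override fields the article names (principal, front, fund) must all point at a clearing account for the principal to be retained, and uses a constructed placeholder clearing account number.

```python
"""Independent reasonableness check for a loan payment before release.

Simplified model, assumed here (not Flexcube's real data model): a payment
has an intended purpose ('interest' or 'maturity'), and the principal is
retained only when the principal, front and fund override fields all name
the clearing account; any other combination pays the principal out.
"""
from dataclasses import dataclass

CLEARING_ACCOUNT = "CLR-0001"  # constructed placeholder, not a real account


@dataclass
class Payment:
    purpose: str          # 'interest' or 'maturity'
    interest: float
    principal: float
    lender_count: int
    # Override fields modelled after the three fields named in the article.
    principal_field: str = ""
    front_field: str = ""
    fund_field: str = ""

    def amount_to_lenders(self) -> float:
        """Cash that actually leaves the bank under this configuration."""
        retained = (self.principal_field == self.front_field
                    == self.fund_field == CLEARING_ACCOUNT)
        return self.interest if retained else self.interest + self.principal


def intended_amount(p: Payment) -> float:
    """What the business purpose says should go out."""
    return p.interest if p.purpose == "interest" else p.interest + p.principal


def check_payment(p: Payment, approvals: int, required_approvals: int = 3):
    """Return (ok, message).  Sign-offs are required ('six eyes' = 3 people),
    but the machine still checks that outflow equals the intended amount."""
    if approvals < required_approvals:
        return False, f"needs {required_approvals} approvals, has {approvals}"
    out = p.amount_to_lenders()
    want = intended_amount(p)
    if abs(out - want) > 0.005:
        return False, (f"outflow {out:,.2f} differs from intended {want:,.2f} "
                       f"for {p.lender_count} lenders; release blocked")
    return True, f"ok: {out:,.2f} to {p.lender_count} lenders"


# Figures from the article: $7.8m interest due, $894m principal, 315 creditors.
MISTAKEN = Payment("interest", 7_800_000, 894_000_000, 315,
                   principal_field=CLEARING_ACCOUNT)   # front/fund left empty
CORRECT = Payment("interest", 7_800_000, 894_000_000, 315,
                  principal_field=CLEARING_ACCOUNT,
                  front_field=CLEARING_ACCOUNT,
                  fund_field=CLEARING_ACCOUNT)

if __name__ == "__main__":
    for name, payment in (("mistaken", MISTAKEN), ("correct", CORRECT)):
        print(name, check_payment(payment, approvals=3))
```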

Source: Citibank accidentally wired $500m back to lenders in user-interface super-gaffe – and judge says it can’t be undone • The Register

‘Spy pixels in emails have become endemic’

The use of “invisible” tracking tech in emails is now “endemic”, according to a messaging service that analysed its traffic at the BBC’s request.

Hey’s review indicated that two-thirds of emails sent to its users’ personal accounts contained a “spy pixel”, even after excluding spam.

Its makers said that many of the largest brands used email pixels, with the exception of the “big tech” firms.

Defenders of the trackers say they are a commonplace marketing tactic. And several of the companies involved noted their use of such tech was mentioned within their wider privacy policies.

Email pixels can be used to log:

- if and when an email is opened
- how many times it is opened
- what device or devices are involved
- the user’s rough physical location, deduced from their internet protocol (IP) address – in some cases making it possible to see the street the recipient is on

This information can then be used to determine the impact of a specific email campaign, as well as to feed into more detailed customer profiles.

Hey’s co-founder David Heinemeier Hansson says they amount to a “grotesque invasion of privacy”.
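A mail client or gateway can spot most of these pixels before the image is ever fetched, which is the only point at which blocking helps. The following is an added example, not Hey’s or the BBC’s code: it scans a constructed HTML email for remote images that are tiny, CSS-hidden, or carry an opaque per-recipient token, and the heuristics and `.test` hostnames are assumptions.

```python
"""Flag probable tracking ('spy') pixels in an HTML email body.

Heuristics (assumed here): a remote <img> is suspicious when it is tiny
(1x1 or 0x0), hidden via inline CSS, or carries a long opaque token in its
query string, which typically identifies the individual recipient.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

TINY = {"0", "1", "1px", "0px"}
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{16,}$")


class _ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _reasons(attrs):
    """Return the list of heuristics a single <img> trips (may be empty)."""
    reasons = []
    if (attrs.get("width", "").strip() in TINY
            and attrs.get("height", "").strip() in TINY):
        reasons.append("tiny")
    if HIDDEN_RE.search(attrs.get("style", "")):
        reasons.append("hidden")
    query = parse_qs(urlparse(attrs.get("src", "")).query)
    if any(TOKEN_RE.match(v) for values in query.values() for v in values):
        reasons.append("opaque-token")
    return reasons


def find_tracking_pixels(html):
    """Return [{'host', 'src', 'reasons'}] for each suspicious remote image."""
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.images:
        src = attrs.get("src", "")
        parsed = urlparse(src)
        if parsed.scheme not in ("http", "https"):
            continue  # inline (cid:/data:) images cannot phone home
        reasons = _reasons(attrs)
        if reasons:
            findings.append({"host": parsed.hostname, "src": src,
                             "reasons": reasons})
    return findings


# Constructed sample message (not a real mailing): one genuine logo, one
# classic 1x1 beacon, and one CSS-hidden image carrying a recipient token.
SAMPLE_EMAIL = """
<html><body>
<img src="https://cdn.example-shop.test/logo.png" width="200" height="50" alt="logo">
<p>Our spring sale starts today.</p>
<img src="https://track.example-mailer.test/open.gif?u=1" width="1" height="1" alt="">
<img src="https://metrics.example-mailer.test/o.png?rid=a8F3kd92LmQp0Zx7Vb1c" style="display:none">
</body></html>
"""

if __name__ == "__main__":
    for finding in find_tracking_pixels(SAMPLE_EMAIL):
        print(finding["host"], ",".join(finding["reasons"]), finding["src"])
```

A client that strips or proxies every flagged `src` also removes the IP-derived location signal the article describes, since the sender’s server never sees the recipient’s connection.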

Source: ‘Spy pixels in emails have become endemic’ – BBC News

‘Roaring Kitty’ GameStop investor hit with lawsuit by American idiot

Keith Gill, known as ‘Roaring Kitty’ on YouTube, allegedly duped retail investors into buying inflated stocks while hiding his sophisticated financial background.

Mr Gill has downplayed his impact and rebutted claims he violated any laws. Separately, he will testify on Thursday to Congress about the “Reddit rally”.

“The idea that I used social media to promote GameStop stock to unwitting investors is preposterous,” Mr Gill said in the prepared testimony. “I was abundantly clear that my channel was for educational purposes only, and that my aggressive style of investing was unlikely to be suitable for most folks checking out the channel.”

Mr Gill allegedly bought GameStop shares for $5 (£3.60) and then used social media to drive shares from around $20 in early January to more than $400 in just two weeks. This violated securities laws against manipulating the market, according to the lawsuit filed by Christian Iovin, a Washington state resident who purchased GameStop stock options.

Mr Gill said he used publicly available information to determine GameStop was undervalued, and shared this view with a “tiny” following on social media ahead of January’s huge price surge.

The lawsuit also names as defendants Massachusetts Mutual Life Insurance Co and its subsidiary MML Investors Services, which employed Mr Gill until 28 January. The company told Massachusetts regulators it was unaware of Mr Gill’s outside activities.

Grilling from lawmakers

A number of people involved in the so-called “Reddit rally” are due to appear before Congress on Thursday, including Mr Gill. Others called to testify include Wall Street hedge fund Melvin Capital, along with the chief executive of Reddit.

The chief executive of Robinhood, the trading platform that restricted the purchases of GameStop shares to investors during the trading frenzy, is also expected to testify.

The GameStop saga was hailed as a victory of the little guys against big Wall Street hedge funds that were betting against video games retailer GameStop and other struggling businesses. But it is unclear what role hedge funds had in the rally, as some are reported to have made millions from the GameStop share rally that was inspired by Reddit users.

Source: ‘Roaring Kitty’ GameStop investor hit with lawsuit – BBC News

France has been suffering A Very ‘Solar Winds’-Like Cyberattack since 2017

As the U.S. continues to chart the damage from the sweeping “SolarWinds” hack, France has announced that it too has suffered a large supply chain cyberattack. The news comes via a recently released technical report published by the Agence Nationale de la sécurité des systèmes d’information—or simply ANSSI—the French government’s chief cybersecurity agency. Like the U.S., French authorities have implied that Russia is probably involved.

According to ANSSI, a sophisticated hacker group successfully penetrated products of Centreon Systems, a French IT firm specializing in network and system monitoring whose software is used by many French government agencies, as well as some of the nation’s biggest companies (Air France, among others). Centreon’s client page shows that it partners with the French Department of Justice, Ecole Polytechnique, and regional public agencies, as well as some of the nation’s largest agri-food production firms.

While ANSSI did not officially attribute the hack to any organization, the agency says the techniques used bear similarities to those of the Russian military hacker group “Sandworm” (also known as Unit 74455). The intrusion campaign, which dates back at least to 2017, allowed the hackers to breach the systems of a number of French organizations, though ANSSI has declined to name the victims or say how many were affected.

Source: France Just Suffered A Very ‘Solar Winds’-Like Cyberattack

Apple’s New M1 Chip-Specific Malware Has Arrived

Now that Apple has officially begun the transition to Apple Silicon, so has malware.

Security researcher Patrick Wardle published a blog detailing that he’d found a malicious program dubbed GoSearch22, a Safari browser extension that’s been reworked for Apple’s M1 processor. (The extension is a variant of the Pirrit adware family, which is notorious on Macs.) Meanwhile, a new report from Wired also quotes other security researchers as finding other instances of native M1 malware, distinct from Wardle’s findings.

The GoSearch22 malware was signed with an Apple developer ID on Nov. 23, 2020—not long after the first M1 laptops were unveiled. Having a developer ID means a user downloading the malware wouldn’t trigger Gatekeeper on macOS, which notifies users when an application they’re about to download may not be safe. Developers can take the extra step of submitting apps to Apple to be notarized for extra confirmation. However, Wardle notes in his writeup that it’s unclear whether Apple ever notarized the code, as the certificate for GoSearch22 has since been revoked. Unfortunately, he also writes that since this malware was detected in the wild, regardless of whether Apple notarized it, “macOS users were infected.”

[…]

Source: The M1 Malware Has Arrived

FortressIQ just comes out and says it: To really understand business processes, feed your staff’s screen activity to an AI

In a sign that interest in process mining is heating up, vendor FortressIQ is launching an analytics platform with a novel approach to understanding how users really work – it “videos” their on-screen activity for later analysis.

According to the San Francisco-based biz, its Process Intelligence platform will allow organisations to be better prepared for business transformation, the rollout of new applications, and digital projects by helping customers understand how people actually do their jobs, as opposed to how the business thinks they work.

The goal of process mining itself is not new. German vendor Celonis has already marked out the territory and raised approximately $290m in a funding round in November 2019, when it was valued at $2.5bn.

Celonis works by recording a user’s application logs and, by applying machine learning to data across a number of applications, purports to figure out how processes work in real life. FortressIQ, which raised $30m in May 2020, uses a different approach – recording all the user’s screen activity and using AI and computer vision to try to understand all their behaviour.

Pankaj Chowdhry, CEO at FortressIQ, told The Register that what the company had built was a “virtual process analyst”, a software agent which taps into a user’s video card on the desktop or laptop. It streams a low-bandwidth version of what is occurring on the screen to provide the raw data for the machine-learning models.

“We built machine learning and computer vision AI that will, in essence, watch that movie, and convert it into a structured activity,” he said.

In an effort to assure those forgiven for being a little freaked out by the recording of users’ every on-screen move, the company said it anonymises the data it analyses to show which processes are better than others, rather than which user is better. Similarly, it said it guarantees the privacy of on-screen data.

Nonetheless, users should be aware of potential pushback when deploying the technology, said Tom Seal, senior research director with IDC.

“Businesses will be somewhat wary about provoking that negative reaction, particularly with the remote working that’s been triggered by COVID,” he said.

At the same time, remote working may be where the approach to process mining can show its worth, helping to understand how people adapt their working patterns in the current conditions.

FortressIQ may have an advantage over rivals in that it captures all data from the users’ screen, rather than the applications the organisation thinks should be involved in a process, said Seal. “It’s seeing activity that the application logs won’t pick up, so there is an advantage there.”

Of course, there is still the possibility that users get around prescribed processes using Post-It notes, whiteboards and phone apps, which nobody should put beyond them.

Celonis and FortressIQ come from very different places. The German firm has a background in engineering and manufacturing, with an early use case at Siemens led by Lars Reinkemeyer who has since joined the software vendor as veep for customer transformation. He literally wrote the book on process mining while at the University of California, Santa Barbara. FortressIQ, on the other hand, was founded by Chowdhry who worked as AI leader at global business process outsourcer Genpact before going it alone.

And it’s not just these two players. Software giant SAP has bought Signavio, a specialist in business process analysis and management, in a deal said to be worth $1.2bn to help understand users’ processes as it readies them for the cloud and application upgrades. ®

Source: FortressIQ just comes out and says it: To really understand business processes, feed your staff’s screen activity to an AI • The Register

Kia’s Network Is Down, Finance Sites to Owner Apps, Nobody Will Say Why – yay connected cars

Like it or not, connected cars have become a staple of every day life for millions of Americans. The ability to interact with our cars from afar past the key fob has become something we expect to work, but that all relies on the underpinnings of critical IT infrastructure. And when something isn’t working as expected, a minor inconvenience can translate into a customer nightmare.

Someone over at Kia has been having a very bad week. Since Saturday, Kia’s online and connected services have been down, leaving owners unable to pay their bills, remotely unlock their vehicles, or even warm them up in the middle of one of the harshest winters that parts of the U.S. have seen in quite some time.


Owners took to Twitter and various online forums to complain about the unscheduled outage, many confused why they couldn’t view the details of their cars on Kia’s website or various phone apps.

Some owners looking to pay their bills also visited Kia’s finance site, where they were unable to log in and pay their bills, so they resorted to the phone lines, which played a message stating that the self-service options were down for scheduled maintenance. Needless to say, that led to a flurry of people tweeting at Kia because they were unsure of the outcome should they miss a payment due to the outage.


Now, it’s not just existing Kia drivers that are affected. New buyers are also stuck, unable to set up accounts with Kia’s online services. We confirmed this by trying to create an account on the Kia owners’ portal, but were greeted with an “Internal Server Error” and couldn’t proceed.

[…]

Source: Kia’s Network Is Down, From Finance Sites to Owner Apps, and Nobody Will Say Why

Astrophysicists re-imagine world map, designing a less distorted, ‘radically different’ way to see the world

How do you flatten a sphere?

For centuries, mapmakers have agonized over how to accurately display our round planet on anything other than a globe.

Now, a fundamental re-imagining of how maps can work has resulted in the most accurate flat map ever made, from a trio of map experts: J. Richard Gott, an emeritus professor of astrophysics at Princeton and creator of a logarithmic map of the universe once described as “arguably the most mind-bending map to date”; Robert Vanderbei, a professor of operations research and financial engineering who created the “Purple America” map of election results; and David Goldberg, a professor of physics at Drexel University.

Their new map is two-sided and round, like a phonograph record or vinyl LP. Like many radical developments, it seems obvious in hindsight. Why not have a two-sided map that shows both sides of the globe? It breaks away from the limits of two dimensions without losing any of the logistical convenience—storage and manufacture—of a flat map.

“This is a map you can hold in your hand,” Gott said.

Princeton professors J. Richard Gott and Robert Vanderbei worked with Drexel professor David Goldberg to create a revolutionary new map: a two-sided disk that can slip inside a textbook or be stacked neatly for storage. It provides more accurate distances than any existing flat map, while keeping visual distortions at a minimum. Credit: Video by J. Richard Gott, Robert Vanderbei and David Goldberg

In 2007, Goldberg and Gott invented a system to score existing maps, quantifying the six types of distortions that flat maps can introduce: local shapes, areas, distances, flexion (bending), skewness (lopsidedness) and boundary cuts (continuity gaps). The lower the score, the better: a globe would have a score of 0.0.

[…]

It can be displayed with the Eastern and Western Hemispheres on the two sides, or in Gott’s preferred orientation, the Northern and Southern Hemispheres, which conveniently allows the equator to run around the edge. Either way, this is a map with no boundary cuts. To measure distances from one side to the other, you can use string or measuring tape reaching from one side of the disk to the other, he suggested.

“If you’re an ant, you can crawl from one side of this ‘phonograph record’ to the other,” Gott said. “We have continuity over the equator. Africa and South America are draped over the edge, like a sheet over a clothesline, but they’re continuous.”

This double-sided map has smaller distance errors than any single-sided flat map—the previous record-holder being a 2007 map by Gott with Charles Mugnolo, a 2005 Princeton alumnus. In fact, this map is remarkable in having an upper boundary on distance errors: It is impossible for distances to be off by more than ± 22.2%. By comparison, in the Mercator and Winkel Tripel projections, as well as others, distance errors become enormous approaching the poles and essentially infinite from the left to the right margins (which are far apart on the map but directly adjacent on the globe). In addition, areas at the edge are only 1.57 times larger than at the center.

[…]

Source: Astrophysicists re-imagine world map, designing a less distorted, ‘radically different’ way to see the world

Supermicro hardware Hack: Yep did happen. How China Exploited a U.S. Tech Supplier Over Years

In 2010, the U.S. Department of Defense found thousands of its computer servers sending military network data to China—the result of code hidden in chips that handled the machines’ startup process.

In 2014, Intel Corp. discovered that an elite Chinese hacking group breached its network through a single server that downloaded malware from a supplier’s update site.

And in 2015, the Federal Bureau of Investigation warned multiple companies that Chinese operatives had concealed an extra chip loaded with backdoor code in one manufacturer’s servers.

Each of these distinct attacks had two things in common: China and Super Micro Computer Inc., a computer hardware maker in San Jose, California. They shared one other trait: U.S. spymasters discovered the manipulations but kept them largely secret as they tried to counter each one and learn more about China’s capabilities.

[…]

Around early 2010, a Pentagon security team noticed unusual behavior in Supermicro servers in its unclassified networks.

Implant in the Startup Process

The machines turned out to be loaded with unauthorized instructions directing each one to secretly copy data about itself and its network and send that information to China, according to six former senior officials who described a confidential probe of the incident. The Pentagon found the implant in thousands of servers, one official said; another described it as “ubiquitous.”

Investigators attributed the rogue code to China’s intelligence agencies, the officials said. A former senior Pentagon official said there was “no ambiguity” in that attribution.

[…]

As military experts investigated the Pentagon breach, they determined that the malicious instructions guiding the Pentagon’s servers were hidden in the machines’ basic input-output system, or BIOS, part of any computer that tells it what to do at startup.

Two people with direct knowledge said the manipulation combined two pieces of code: The first was embedded in instructions that manage the order of the startup and can’t be easily erased or updated. That code fetched additional instructions that were tucked into the BIOS chip’s unused memory, where they were unlikely to be found even by security-conscious customers. When the server was turned on, the implant would load into the machine’s main memory, where it kept sending out data periodically.

Manufacturers like Supermicro typically license most of their BIOS code from third parties. But government experts determined that part of the implant resided in code customized by workers associated with Supermicro, according to six former U.S. officials briefed on the findings.

[…]

By 2014, investigators across the U.S. government were looking for any additional forms of manipulation—anything they might have missed, as one former Pentagon official put it. Within months, working with information provided by American intelligence agencies, the FBI found another type of altered equipment: malicious chips added to Supermicro motherboards.

Warnings Delivered

Government experts regarded the use of these devices as a significant advance in China’s hardware-hacking capabilities, according to seven former American officials who were briefed about them between 2014 and 2017. The chips injected only small amounts of code into the machines, opening a door for attackers, the officials said.

Small batches of motherboards with the added chips were detected over time, and many Supermicro products didn’t include them, two of the officials said.

[…]

“The agents said it was not a one-off case; they said this was impacting thousands of servers,” Kumar said of his own discussion with FBI agents.

It remains unclear how many companies were affected by the added-chip attack. Bloomberg’s 2018 story cited one official who put the number at almost 30, but no customer has acknowledged finding malicious chips on Supermicro motherboards.

Several executives who received warnings said the information contained too few details about how to find any rogue chips. Two former senior officials said technical details were kept classified.

[…]

“This wasn’t a case of a guy stealing a board and soldering a chip on in his hotel room; it was architected onto the final device,” Quinn said, recalling details provided by Air Force officials. The chip “was blended into the trace on a multilayered board,” he said.

“The attackers knew how that board was designed so it would pass” quality assurance tests, Quinn said.

[…]

Corporate investigators uncovered yet another way that Chinese hackers were exploiting Supermicro products. In 2014, executives at Intel traced a security breach in their network to a seemingly routine firmware update downloaded from Supermicro’s website.

[…]

A contact in the U.S. intelligence community alerted the company to the breach, according to a person familiar with the matter. The tip helped Intel investigators determine that the attackers were from a state-sponsored group known as APT 17.

APT 17 specializes in complex supply-chain attacks, and it often hits multiple targets to reach its intended victims, according to cybersecurity firms including Symantec and FireEye. In 2012, the group hacked the cybersecurity firm Bit9 in order to get to defense contractors protected by Bit9’s products.

Intel’s investigators found that a Supermicro server began communicating with APT 17 shortly after receiving a firmware patch from an update website that Supermicro had set up for customers. The firmware itself hadn’t been tampered with; the malware arrived as part of a ZIP file downloaded directly from the site, according to accounts of Intel’s presentation.

[…]

Breaches involving Supermicro’s update site continued after the Intel episode, according to two consultants who participated in corporate investigations and asked not to be named.

In incidents at two non-U.S. companies, one in 2015 and the other in 2018, attackers infected a single Supermicro server through the update site, according to a person who consulted on both cases. The companies were involved in the steel industry, according to the person, who declined to identify them, citing non-disclosure agreements. The chief suspect in the intrusions was China, the person said.

In 2018, a major U.S. contract manufacturer found malicious code in a BIOS update from the Supermicro site, according to a consultant who participated in that probe. The consultant declined to share the manufacturer’s name. Bloomberg reviewed portions of a report on the investigation.

It’s unclear whether the three companies informed Supermicro about their issues with the update site, and Supermicro didn’t respond to questions about them.

[…]

Source: Supermicro Hack: How China Exploited a U.S. Tech Supplier Over Years

Brazil’s Health Ministry’s Website Data Leak Exposed 243 Million Medical Records for More Than 6 Months

Personal information of more than 243 million Brazilians was exposed for more than six months thanks to weakly encoded credentials stored in the source code of the Brazilian Ministry of Health’s website. The data leak exposed the medical records of both living and deceased Brazilians to possible unauthorized access. The incident was the second reported by the Brazilian publication Estadão and one of several recent leaks affecting the healthcare system of South America’s largest nation.

Sistema Único de Saúde data leak exposed patients’ medical records

For more than six months, personal data belonging to anyone registered with Sistema Único de Saúde (SUS), Brazil’s national health system, could be viewed.

The data leak exposed the full names, addresses, phone numbers, and full medical records of Brazilians who signed up for the government’s publicly funded healthcare system.

Approximately 32 million of the records belonged to deceased Brazilians, given that the country’s population was 211 million in 2019.

The database login credentials were encoded using Base64 encoding, which could be easily decoded. Anybody could have viewed the website’s source code and the database credentials using the F12 keyboard shortcut or the “View Source Code” option from the browser’s menu.

Subsequently, the exposed database logins could have allowed anybody access to Brazilians’ medical records.
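To show what a defender-side check for this class of mistake looks like, here is an added Python example (not from the Estadão report or the ministry's site) that scans page source for Base64 strings decoding to credential-like text. The sample page, the keyword list and the regular expressions are constructed assumptions.

```python
"""Scan a page's source for Base64 strings that decode to credential-like text.
Added example; the sample page, the keyword list and the regexes are constructed."""
import base64
import binascii
import re

# Base64 runs of 16+ chars that are not glued to other Base64 characters.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/=])([A-Za-z0-9+/]{16,}={0,2})(?![A-Za-z0-9+/=])")
# Decoded text that looks like a credential or a connection string (PT/EN terms).
CRED_RE = re.compile(
    r"(password|passwd|pwd|senha|user|usuario|login|secret|token)\s*[:=]"
    r"|^[\w.-]+:[^\s:@]+@[\w.-]+"                 # user:pass@host
    r"|^(mysql|postgres(ql)?|mongodb|oracle|jdbc)://",
    re.IGNORECASE,
)


def decode_b64(token: str):
    """Return the token's decoding as text, or None if it is not valid text."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None          # binary blob (image, compressed data), not a secret
    return text


def find_encoded_credentials(source: str):
    """Return [(line_no, token, decoded)] for Base64 tokens that decode to
    credential-like text; harmless blobs (images, opaque ids) are skipped."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for match in B64_RE.finditer(line):
            decoded = decode_b64(match.group(1))
            if decoded and CRED_RE.search(decoded):
                hits.append((line_no, match.group(1), decoded))
    return hits


# Constructed sample page: one encoded DB credential plus two harmless blobs
# (an opaque id that decodes to plain text, and the start of a PNG data URI).
SAMPLE_SOURCE = """<html><head>
<script>
var apiKey = "Zm9vYmFyYmF6cXV4MTIz";
var dbConf = "%s";
</script>
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ">
</head></html>""" % base64.b64encode(
    b"host=db.example.invalid;user=app;password=Senha123"   # constructed value
).decode()

if __name__ == "__main__":
    for line_no, token, decoded in find_encoded_credentials(SAMPLE_SOURCE):
        print(f"line {line_no}: {token[:20]}... -> {decoded}")
```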

Just last month, Estadão also reported another data leak exposing more than 16 million Brazilian COVID-19 patients’ medical records. The breach occurred after an employee uploaded on GitHub a spreadsheet containing usernames, passwords, and the E-SUS-VE system access keys.

Source: Brazil’s Health Ministry’s Website Data Leak Exposed 243 Million Medical Records for More Than 6 Months – CPO Magazine

Cell Phone Location Privacy could be done easily

We all know that our cell phones constantly give our location away to our mobile network operators; that’s how they work. A group of researchers has figured out a way to fix that. “Pretty Good Phone Privacy” (PGPP) protects both user identity and user location using the existing cellular networks. It protects users from fake cell phone towers (IMSI-catchers) and surveillance by cell providers.

It’s a clever system. The players are the user, a traditional mobile network operator (MNO) like AT&T or Verizon, and a new mobile virtual network operator (MVNO). MVNOs aren’t new. They’re intermediaries like Cricket and Boost.

Here’s how it works:

  1. One-time setup: The user’s phone gets a new SIM from the MVNO. All MVNO SIMs are identical.
  2. Monthly: The user pays their bill to the MVNO (credit card or otherwise) and the phone gets anonymous authentication (using Chaum blind signatures) tokens for each time slice (e.g., hour) in the coming month.
  3. Ongoing: When the phone talks to a tower (run by the MNO), it sends a token for the current time slice. This is relayed to an MVNO backend server, which checks the Chaum blind signature on the token. If it’s valid, the MVNO tells the MNO that the user is authenticated, and the user receives a temporary random ID and an IP address. (Again, this is how MVNOs like Boost already work.)
  4. On demand: The user uses the phone normally.

The MNO doesn’t have to modify its system in any way. The PGPP MVNO implementation is in software. The user’s traffic is sent to the MVNO gateway and then out onto the Internet, potentially even using a VPN.
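The token flow of steps 2 and 3, modelled with Chaum RSA blind signatures, as an added Python example (this is not the PGPP paper's code). The RSA key is a constructed toy size, and the way a token is encoded as a signed message (H(serial || slice)) is an assumption.

```python
"""Toy model of PGPP-style anonymous authentication tokens using Chaum RSA
blind signatures. Added illustration, not the PGPP implementation."""
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key for the MVNO (two well-known primes; far too small
# for real use, but enough to show the arithmetic).
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # MVNO's private signing exponent


def token_digest(serial: bytes, time_slice: int) -> int:
    """Message the MVNO signs: H(serial || slice) reduced into Z_N (assumed encoding)."""
    h = hashlib.sha256(serial + time_slice.to_bytes(8, "big")).digest()
    return int.from_bytes(h, "big") % N


# ---- Phone side (step 2): obtain blind signatures for next month's slices ----
def phone_blind(m: int):
    """Blind m with a random r coprime to N; returns (blinded message, r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r


def phone_unblind(blind_sig: int, r: int) -> int:
    """(m * r^E)^D * r^-1 = m^D mod N: a valid signature on the unblinded m."""
    return (blind_sig * pow(r, -1, N)) % N


# ---- MVNO side ---------------------------------------------------------------
def mvno_sign_blinded(blinded: int) -> int:
    """Sign after the bill is paid. The MVNO never sees m, so it cannot later
    link a presented token back to the subscriber who paid for it."""
    return pow(blinded, D, N)


def mvno_verify(serial: bytes, time_slice: int, sig: int,
                current_slice: int, spent: set) -> bool:
    """Step 3: check a token relayed by the MNO's tower."""
    if time_slice != current_slice:            # token is for another hour
        return False
    if pow(sig, E, N) != token_digest(serial, time_slice):
        return False                           # not signed by the MVNO
    if serial in spent:                        # replayed token
        return False
    spent.add(serial)
    return True


def issue_month(n_slices: int):
    """Phone obtains one token per time slice; returns [(serial, slice, sig)]."""
    tokens = []
    for s in range(n_slices):
        serial = secrets.token_bytes(16)
        m = token_digest(serial, s)
        blinded, r = phone_blind(m)
        tokens.append((serial, s, phone_unblind(mvno_sign_blinded(blinded), r)))
    return tokens


if __name__ == "__main__":
    spent = set()
    serial, s, sig = issue_month(24)[7]
    print("hour 7 token accepted:", mvno_verify(serial, s, sig, 7, spent))
    print("same token replayed:", mvno_verify(serial, s, sig, 7, spent))
```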

All connectivity is data connectivity in cell networks today. The user can choose to be data-only (e.g., use Signal for voice), or use the MVNO or a third party for VoIP service that will look just like normal telephony.

The group prototyped and tested everything with real phones in the lab. Their approach adds essentially zero latency, and doesn’t introduce any new bottlenecks, so it doesn’t have performance/scalability problems like most anonymity networks. The service could handle tens of millions of users on a single server, because it only has to do infrequent authentication, though for resilience you’d probably run more.

The paper is here.

Source: Cell Phone Location Privacy | OSINT

Swarm Announces Commercial Availability of Industry’s Lowest-Cost Global Satellite Data Service

Swarm, developer of the world’s lowest-cost live satellite communications network, today announced that the Swarm network is now commercially live and available for customers to begin using. Swarm is the first low-cost satellite provider to offer commercial services to every point in the world, and companies in markets ranging from agriculture to logistics to maritime can now globally scale their business with Swarm overnight for only $5/month per device.

Source: Swarm Announces Commercial Availability of Industry’s Lowest-Cost Global Satellite Data Service

China issues new anti-monopoly rules targeting its tech giants

The new rules formalise an earlier anti-monopoly draft law released in November and clarify a series of monopolistic practices that regulators plan to crack down on.

The guidelines are expected to put new pressure on the country’s leading internet services, including e-commerce sites such as Alibaba Group’s Taobao and Tmall marketplaces or JD.com. They will also cover payment services like Ant Group’s Alipay or Tencent Holding’s WeChat Pay.

The rules, issued by the State Administration for Market Regulation (SAMR) on its website, bar companies from a range of behaviour, including forcing merchants to choose between the country’s top internet players, a long-time practice in the market.

SAMR said the latest guidelines would “stop monopolistic behaviours in the platform economy and protect fair competition in the market.”

The notice also said it will stop companies from price fixing, restricting technologies and using data and algorithms to manipulate the market.

In a Q&A accompanying the notice, SAMR said reports of internet-related anti-monopoly behaviour had been increasing, and that it was facing challenges regulating the industry.

“The behaviour is more concealed, the use of data, algorithms, platform rules and so on make it more difficult to discover and determine what are monopoly agreements,” it said.

[…]

Source: China issues new anti-monopoly rules targeting its tech giants | Reuters

China to launch public platform to track, crack down on polluters

China will set up a new information platform to allow the public to track the emissions of polluting enterprises and help authorities prosecute those that break the rules or try to “evade supervision”, the environment ministry said.

A total of 2.36 million companies, industrial facilities and institutions in China are legally obliged to obtain permits to emit pollutants like sulphur dioxide or wastewater.

But China has struggled to collect the information required to make the system work, and has also faced obstruction and data fraud from some polluting firms.

According to the environment ministry, the new information platform will allow authorities and members of the public to monitor real-time emission levels and check historical data in order to determine whether rules are being breached. It is set to come into effect on March 1.

Source: China to launch public platform to track, crack down on polluters

I checked Apple’s new privacy ‘nutrition labels.’ Many were false.

[…]

Apple only lets you access iPhone apps through its own App Store, which it says keeps everything safe. It appeared to bolster that idea when it announced in 2020 that it would ask app makers to fill out what are essentially privacy nutrition labels. Just like packaged food has to disclose how much sugar it contains, apps would have to disclose in clear terms how they gobble your data. The labels appear in boxes toward the bottom of app listings. (Click here for my guide on how to read privacy nutrition labels.)

But after I studied the labels, the App Store is now a product I trust less to protect us. In some ways, Apple uses a narrow definition of privacy that benefits Apple — which has its own profit motivations — more than it benefits us.

Apple’s big privacy product is built on a shaky foundation: the honor system. In tiny print on the detail page of each app label, Apple says, “This information has not been verified by Apple.”

The first time I read that, I did a double take. Apple, which says caring for our privacy is a “core responsibility,” surely knows devil-may-care data harvesters can’t be counted on to act honorably. Apple, which made an estimated $64 billion off its App Store last year, shares in the responsibility for what it publishes.

It’s true that just by asking apps to highlight data practices, Apple goes beyond Google’s rival Play Store for Android phones. It has also promised to soon make apps seek permission to track us, which Facebook has called an abuse of Apple’s monopoly over the App Store.

In an email, Apple spokeswoman Katie Clark-AlSadder said: “Apple conducts routine and ongoing audits of the information provided and we work with developers to correct any inaccuracies. Apps that fail to disclose privacy information accurately may have future app updates rejected, or in some cases, be removed from the App Store entirely if they don’t come into compliance.”

My spot checks suggest Apple isn’t being very effective.

And even when they are filled out correctly, what are Apple’s privacy labels allowing apps to get away with not telling us?

Trust but verify

A tip from a tech-savvy Washington Post reader helped me realize something smelled fishy. He was using a journaling app that claimed not to collect any data but, using some technical tools, he spotted it talking an awful lot to Google.

[…]

To be clear, I don’t know exactly how widespread the falsehoods are on Apple’s privacy labels. My sample wasn’t necessarily representative: There are about 2 million apps, and some big companies, like Google, have yet to even post labels. (They’re only required to do so with new updates.) About 1 in 3 of the apps I checked that claimed they took no data appeared to be inaccurate. “Apple is the only one in a position to do this on all the apps,” says Jackson.

But if a journalist and a talented geek could find so many problems just by kicking over a few stones, why isn’t Apple?

Even after I sent it a list of dubious apps, Apple wouldn’t answer my specific questions, including: How many bad apps has it caught? If being inaccurate means you get the boot, why are some of the ones I flagged still available?

[…]

We need help to fend off the surveillance economy. Apple’s App Store isn’t doing enough, but we also have no alternative. Apple insists on having a monopoly in running app stores for iPhones and iPads. In testimony to Congress about antitrust concerns last summer, Apple CEO Tim Cook argued that Apple alone can protect our security.

Other industries that make products that could harm consumers don’t necessarily get to write the rules for themselves. The Food and Drug Administration sets the standards for nutrition labels. We can debate whether it’s good at enforcement, but at least when everyone has to work with the same labels, consumers can get smart about reading them — and companies face the penalty of law if they don’t tell the truth.

Apple’s privacy labels are not only an unsatisfying product. They should also send a message to lawmakers weighing whether the tech industry can be trusted to protect our privacy on its own.

Source: I checked Apple’s new privacy ‘nutrition labels.’ Many were false.

A Bug in Lenovo System Update Service is Driving Up CPU Usage and Prompting Fan Noise in Laptops and Desktops, Customers Say

Since late January, most users running a pre-installed Lenovo image of Windows 10 have been bitten by a bug in Lenovo’s System Update Service (SUService.exe) causing it to constantly occupy a CPU thread. This was noticed by many ThinkPad and IdeaPad users as an unexpected increase in fan noise, but many desktop users might not notice the problem. I’m submitting this story to Slashdot because Lenovo does not provide an official support venue for their software, and the problem has persisted for several weeks with no indication of a patch forthcoming. While this bug continues to persist, anyone with a preinstalled Lenovo image of Windows 10 will have greatly reduced battery life on a laptop, and greatly increased power consumption in any case. As a thought experiment, if this causes 1 million systems to increase their idle power consumption by 40 watts, this software bug is currently wasting 40 megawatts, or about 1/20th the output of a typical commercial power station. On my ThinkPad P15, this bug actually wastes 80 watts of power, so the indication is that 40 watts per system is a very conservative number.

Lenovo’s official forums and unofficial reddit pages have seen several threads pop up since late January with confused users noticing the issue, but so far Lenovo is yet to issue an official statement. Users have recommended uninstalling the Lenovo System Update Service as a workaround, but that won’t stop this power virus from eating up megawatts of power around the world for those who don’t notice this power virus’s impact on system performance.

Source: A Bug in Lenovo System Update Service is Driving Up CPU Usage and Prompting Fan Noise in Laptops and Desktops, Customers Say – Slashdot

Researchers Say Favicons Can Track You Across the Web

German software designer Jonas Strehle has published a proof of concept on GitHub that he says demonstrates a method in which the favicon’s cache can be used to store a unique identifier for a user that is readable “in the browser’s incognito mode and is not cleared by flushing the cache, closing the browser or restarting the system, using a VPN or installing AdBlockers.”

As Motherboard points out, Strehle started building the project after reading a research paper from the University of Illinois at Chicago that describes the technique. The basic gist of the method starts with the fact that favicons get cached in your browser the first time you visit a website. When you return to the site, the browser checks to see if the favicon has been stored in its own special home on your machine that’s called the F-Cache. If the data is out of date or missing, the browser requests data from the website’s servers.

Strehle explained what happens next in a write-up on his website: “A web server can draw conclusions about whether a browser has already loaded a favicon or not: So when the browser requests a web page, if the favicon is not in the local F-cache, another request for the favicon is made. If the icon already exists in the F-Cache, no further request is sent. By combining the state of delivered and not delivered favicons for specific URL paths for a browser, a unique pattern (identification number) can be assigned to the client. When the website is reloaded, the web server can reconstruct the identification number with the network requests sent by the client for the missing favicons and thus identify the browser.”
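A defender-side check for this pattern, added here as an example (it is not Strehle's proof of concept): it scans web-server or proxy logs for a client whose page load triggers a burst of redirects to distinct paths, each followed, or not, by a favicon fetch under that path, which is the request shape the technique relies on. The log format, the thresholds and the sample lines are constructed assumptions.

```python
"""Flag clients whose request pattern matches favicon-cache fingerprinting.
Added example; log format, thresholds and sample lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<ISO timestamp> <client> <method> <path> <status>".
# 10.0.0.5 is bounced through /a../f with a favicon fetched under most of them;
# 10.0.0.9 is an ordinary visitor.
SAMPLE_LOG = """\
2021-02-10T12:00:00 10.0.0.5 GET / 200
2021-02-10T12:00:00 10.0.0.5 GET /favicon.ico 200
2021-02-10T12:00:01 10.0.0.5 GET /a 302
2021-02-10T12:00:01 10.0.0.5 GET /a/favicon.ico 200
2021-02-10T12:00:01 10.0.0.5 GET /b 302
2021-02-10T12:00:01 10.0.0.5 GET /c 302
2021-02-10T12:00:01 10.0.0.5 GET /c/favicon.ico 200
2021-02-10T12:00:02 10.0.0.5 GET /d 302
2021-02-10T12:00:02 10.0.0.5 GET /d/favicon.ico 200
2021-02-10T12:00:02 10.0.0.5 GET /e 302
2021-02-10T12:00:02 10.0.0.5 GET /e/favicon.ico 200
2021-02-10T12:00:02 10.0.0.5 GET /f 302
2021-02-10T12:00:03 10.0.0.5 GET /f/favicon.ico 200
2021-02-10T12:00:03 10.0.0.5 GET /index.html 200
2021-02-10T12:05:00 10.0.0.9 GET / 200
2021-02-10T12:05:00 10.0.0.9 GET /favicon.ico 200
2021-02-10T12:05:04 10.0.0.9 GET /blog/ 200
2021-02-10T12:05:04 10.0.0.9 GET /blog/favicon.ico 200
"""


def parse(line: str):
    ts, client, method, path, status = line.split()
    return datetime.fromisoformat(ts), client, method, path, int(status)


def find_favicon_fingerprinting(log_text: str, window=timedelta(seconds=10),
                                min_redirects: int = 4):
    """Return {client: bits} for clients that, inside one time window, were
    redirected through >= min_redirects paths with favicon fetches under them.
    `bits` is the delivered/not-delivered pattern the server could read."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse(line)
            by_client[event[1]].append(event)
    flagged = {}
    for client, events in by_client.items():
        events.sort(key=lambda e: e[0])      # stable: keeps log order on ties
        for start, *_ in events:
            win = [e for e in events if start <= e[0] <= start + window]
            hops = [e[3] for e in win if 300 <= e[4] < 400]
            fetched = {e[3] for e in win if e[3].endswith("/favicon.ico")}
            if len(hops) < min_redirects:
                continue
            bits = "".join("1" if f"{p}/favicon.ico" in fetched else "0" for p in hops)
            if "1" in bits:                  # at least one per-path favicon fetch
                flagged[client] = bits
                break
    return flagged


if __name__ == "__main__":
    for client, bits in find_favicon_fingerprinting(SAMPLE_LOG).items():
        print(f"{client}: favicon fingerprint pattern {bits}")
```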

Source: Researchers Say Favicons Can Track You Across the Web