About Robin Edgar


Mixed Reactions to New Nirvana Song Generated by Google’s AI

On the 27th anniversary of Kurt Cobain’s death, Engadget reports: Were he still alive today, Nirvana frontman Kurt Cobain would be 52 years old. Every February 20th, on the day of his birthday, fans wonder what songs he would write if he hadn’t died of suicide nearly 30 years ago. While we’ll never know the answer to that question, an AI is attempting to fill the gap.

A mental health organization called Over the Bridge used Google’s Magenta AI and a generic neural network to examine more than two dozen songs by Nirvana to create a ‘new’ track from the band. “Drowned in the Sun” opens with reverb-soaked plucking before turning into an assault of distorted power chords. “I don’t care/I feel as one, drowned in the sun,” Nirvana tribute band frontman Eric Hogan sings in the chorus. In execution, it sounds not all that dissimilar from “You Know You’re Right,” one of the last songs Nirvana recorded before Cobain’s death in 1994.

Other than the voice of Hogan, everything you hear in the song was generated by the two AI programs Over the Bridge used. The organization first fed Magenta songs as MIDI files so that the software could learn the specific notes and harmonies that made the band’s tunes so iconic. Humorously, Cobain’s loose and aggressive guitar playing style gave Magenta some trouble, with the AI mostly outputting a wall of distortion instead of something akin to his signature melodies. “It was a lot of trial and error,” Over the Bridge board member Sean O’Connor told Rolling Stone. Once they had some musical and lyrical samples, the creative team picked the best bits to record. Most of the instrumentation you hear is MIDI tracks with different effects layered on top.

Some thoughts from The Daily Dot: Rolling Stone also highlighted lyrics like, “The sun shines on you but I don’t know how,” and what is called “a surprisingly anthemic chorus” including the lines, “I don’t care/I feel as one, drowned in the sun,” remarking that they “bear evocative, Cobain-esque qualities….”

Neil Turkewitz went full Comic Book Guy, opining, “A perfect illustration of the injustice of developing AI through the ingestion of cultural works without the authorization of [its] creator, and how it forces creators to be indentured servants in the production of a future out of their control,” adding, “That it’s for a good cause is irrelevant.”

Source: Mixed Reactions to New Nirvana Song Generated by Google’s AI – Slashdot

Google Asked to Hide TorrentFreak Article Reporting that ‘The Mandalorian’ Was Widely Pirated

Google was asked to remove a TorrentFreak article from its search results this week. The article in question reported that “The Mandalorian” was the most pirated TV show of 2020.

This notice claims to identify several problematic URLs that allegedly infringe the copyrights of Disney’s hit series The Mandalorian. This is not unexpected, as The Mandalorian was the most pirated TV show of last year, as we reported in late December. However, we didn’t expect to see our article as one of the targeted links in the notice. Apparently, the news that The Mandalorian is widely pirated — which was repeated by dozens of other publications — is seen as copyright infringement?

Needless to say, we wholeheartedly disagree. This is not the way.

TorrentFreak specifies that the article in question “didn’t host or link to any infringing content.” (TorrentFreak’s article was even linked to by major sites including CNET, Forbes, Variety, and even Slashdot.)

TorrentFreak also reports that it wasn’t Disney who filed the takedown request, but GFM Films… At first, we thought that the German camera company GFM could have something to do with it, as they worked on The Mandalorian. However, earlier takedown notices from the same sender protected the film “The Last Witness,” which is linked to the UK company GFM Film Sales. Since we obviously don’t want to falsely accuse anyone, we’re not pointing fingers.

So what happens next? We will certainly put up a fight if Google decides to remove the page. At the time of writing, this has yet to happen. The search engine currently lists the takedown request as ‘pending,’ which likely means that there will be a manual review. The good news is that Google is usually pretty good at catching overbroad takedown requests. This is also true for TorrentFreak articles that were targeted previously, including our coverage on the Green Book screener leak.

Source: Google Asked to Hide TorrentFreak Article Reporting that ‘The Mandalorian’ Was Widely Pirated – Slashdot

Stolen Data of 533 Million Facebook Users Leaked Online

A user in a low level hacking forum on Saturday published the phone numbers and personal data of hundreds of millions of Facebook users for free online.

The exposed data includes personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and — in some cases — email addresses.

Insider reviewed a sample of the leaked data and verified several records by matching known Facebook users’ phone numbers with the IDs listed in the data set. We also verified records by testing email addresses from the data set in Facebook’s password reset feature, which can be used to partially reveal a user’s phone number.

A Facebook spokesperson told Insider that the data was scraped due to a vulnerability that the company patched in 2019.

[…]

This is not the first time that a huge number of Facebook users’ phone numbers have been found exposed online. The vulnerability that was uncovered in 2019 allowed millions of people’s phone numbers to be scraped from Facebook’s servers in violation of its terms of service. Facebook said that vulnerability was patched in August 2019.

Facebook previously vowed to crack down on mass data-scraping after Cambridge Analytica scraped the data of 80 million users in violation of Facebook’s terms of service to target voters with political ads in the 2016 election.

[…]


Source: Stolen Data of 533 Million Facebook Users Leaked Online

Yes, this is one of the risks of centralised databases

Sierra Nevada Corporation resurrects plans for crewed Dream Chaser spaceplane, inflatable space station

Sierra Nevada Corporation (SNC) has unveiled plans for an enormous inflatable space station tended by cargo and crew carrying versions of its Dream Chaser spaceplane.

“There is no scalable space travel industry without a spaceplane,” said SNC chair and owner Eren Ozmen.

That’s handy, because with the retirement of the Space Shuttle, the Dream Chaser is nearasdammit the last spaceplane standing. NASA, however, disagreed and selected Boeing’s Calamity Capsule and SpaceX’s Crew Dragon for transportation purposes to and from the International Space Station (ISS).

The space agency did, however, pop SNC into the second round of ISS Commercial Resupply Services (CRS-2), meaning the reusable cargo version of the spaceplane will see orbital action once assembly is complete (due this summer with launch expected late in 2022), but the crew version was not to be troubling the old Space Shuttle runway at Kennedy Space Center.

SNC’s proposal for a space station as an alternative for the ageing ISS is the LIFE habitat: a 27-foot-long, three-storey inflatable module that launches on a conventional rocket and inflates once in orbit. A full-sized prototype is currently being transferred from Johnson Space Center in Texas to Kennedy Space Center in Florida.

The crewed version of the Dream Chaser has also been resurrected and is planned to be used to both “shuttle” private astronauts (we see what you did there, SNC) as well as “rescuing astronauts from space destinations and returning them to Earth via a safe and speedy runway landing.”

[…]

Source: Sierra Nevada Corporation resurrects plans for crewed Dream Chaser spaceplane • The Register

SCO Linux FUD Returns From the Dead

wiredog shares a ZDNet report: I have literally been covering SCO’s legal attempts to prove that IBM illegally copied Unix’s source code into Linux for over 17 years. I’ve written well over 500 stories on this lawsuit and its variants. I really thought it was dead, done, and buried. I was wrong. Xinuos, which bought SCO’s Unix products and intellectual property (IP) in 2011, like a bad zombie movie, is now suing IBM and Red Hat [for] “illegally Copying Xinuos’ software code for its server operating systems.” For those of you who haven’t been around for this epic IP lawsuit, you can get the full story with “27 eight-by-ten color glossy photographs and circles and arrows and a paragraph on the back of each one” from Groklaw. If you’d rather not spend a couple of weeks going over the cases, here’s my shortened version. Back in 2001, SCO, a Unix company, joined forces with Caldera, a Linux company, to form what should have been a major Red Hat rival. Instead, two years later, SCO sued IBM in an all-out legal attack against Linux.

The fact that most of you don’t know either company’s name gives you an idea of how well that lawsuit went. SCO’s Linux lawsuit made no sense and no one at the time gave it much of a chance of succeeding. Over time it was revealed that Microsoft had been using SCO as a sock puppet against Linux. Unfortunately for Microsoft and SCO, it soon became abundantly clear that SCO didn’t have a real case against Linux and its allies. SCO lost battle after battle. The fatal blow came in 2007 when SCO was proven to have never owned the copyrights to Unix. So, by 2011, the only thing of value left in SCO, its Unix operating systems, was sold to UnXis. This acquisition, which puzzled most, actually made some sense. SCO’s Unix products, OpenServer and Unixware, still had a small, but real market. At the time, UnXis, now under the name Xinuos, stated it had no interest in SCO’s worthless lawsuits. In 2016, CEO Sean Snyder said, “We are not SCO. We are investors who bought the products. We did not buy the ability to pursue litigation against IBM, and we have absolutely no interest in that.” So, what changed? The company appears to have fallen on hard times. As Snyder stated: “systems, like our FreeBSD-based OpenServer 10, have been pushed out of the market.” Officially, in his statement, Snyder now says, “While this case is about Xinuos and the theft of our intellectual property, it is also about market manipulation that has harmed consumers, competitors, the open-source community, and innovation itself.”

Source: SCO Linux FUD Returns From the Dead – Slashdot

Unlock your DJI’s FPV Drone and Crank Up The Power

Apparently, if the GPS on your shiny new DJI FPV Drone detects that it’s not in the United States, it will turn down its transmitter power so as not to run afoul of the more restrictive radio limits elsewhere around the globe. So while all the countries that have put boots on the Moon get to enjoy the full 1,412 mW of power the hardware is capable of, the drone’s software limits everyone else to a paltry 25 mW. As you can imagine, that leads to a considerable performance penalty in terms of range.

But not anymore. A web-based tool called B3YOND promises to reinstate the full power of your DJI FPV Drone no matter where you live by tricking it into believing it’s in the USA. Developed by the team at [D3VL], the unlocking tool uses the new Web Serial API to send the appropriate “FCC Mode” command to the drone’s FPV goggles over USB. Everything is automated, so this hack is available to anyone who’s running a recent version of Chrome or Edge and can click a button a few times.

[…]

Source: Web Tool Cranks Up The Power On DJI’s FPV Drone | Hackaday

Tesla customers say they’ve been double-charged for their cars

Finding an extra $10 charge on your groceries is enough to make most people angry, but what if you paid twice for a $56,000 car? Tesla buyers have been reporting that they’ve been double-charged on cars for recent purchases and have had trouble contacting the company and getting their money back, according to a report from CNBC and posts on Twitter and the Tesla Motors Club forum.

[…]

As of yesterday, the customers mentioned in the CNBC report have yet to receive their refunds and all have refused to take delivery until the problem is resolved. “This was not some operator error,” Peterson said. “And for a company that has so much technology skill, to have this happening to multiple people really raises questions.” Engadget has reached out for comment.

Source: Tesla customers say they’ve been double-charged for their cars | Engadget

Virgin Galactic’s VSS Imagine is its shiny, next-gen spaceship

Virgin Galactic took to YouTube to reveal, briefly, its first SpaceShip III, which will start ground tests and “glide flights” later this year. It’s an eye-catching vessel, channeling that Star Wars: The Phantom Menace Naboo starship look in a wonderful way. It’s finished with a mirror-like material that’s meant to reflect its surroundings, whether that’s the blackness of space or the blueness of Earth’s atmosphere. It’s not all about aesthetics: it also offers thermal protection.

Source: Virgin Galactic’s VSS Imagine is its shiny, next-gen spaceship | Engadget

Scientists Implant and Then Reverse False Memories in People

Now, for the first time ever, scientists have evidence showing they can reverse false memories, according to a study published in the journal Proceedings of the National Academy of Sciences.

“The same way that you can suggest false memories, you can reverse them by giving people a different framing,” the lead researcher of the paper, Aileen Oeberst, head of the Department of Media Psychology at the University of Hagen, told Gizmodo. “It’s interesting, scary even.”

[…]

“As the field of memory research has developed, it’s become very clear that our memories are not ‘recordings’ of the past that can be played back but rather are reconstructions, closer to imaginings informed by seeds of true experiences,” Christopher Madan, a memory researcher at the University of Nottingham who was not involved in the new study, told Gizmodo.

[…]

Building off of that, Oeberst’s lab recently implanted false memories in 52 people by using suggestive interviewing techniques. First, they had the participants’ parents privately answer a questionnaire and come up with some real childhood memories and two plausible, but fake, ones—all negative in nature, such as how their pet died or when they lost their toy. Then they had researchers ask the participants to recall these made-up events in a detailed manner, including specifics about what happened. For example, “Your parents told us that when you were 12 years old during a holiday in Italy with your family you got lost. Can you tell me more about it?”

The test subjects met their interviewer three times, once every two weeks, and by the third session most participants believed these anecdotes were true, and over half (56%) developed and recollected actual false memories—a significantly higher percentage than most studies in this area of research.

These findings reveal the depth of false memory and fit closely with prior research in the field, according to Robert Nash, a psychologist at Aston University who was not involved in the study. “Such as the fact that some of the false memories arose almost immediately, even in the first interview, the fact that they increased in richness and frequency with each successive interview, and the fact that more suggestive techniques led to much higher levels of false remembering and believing,” Nash told Gizmodo.

According to Henry Otgaar, a false memory researcher at Maastricht University who was a reviewer of this study, there’s been an increase in people thinking that it’s difficult to implant false memories. This work is important in showing the relative ease by which people can form such false memories, he told Gizmodo.

“Actually, what we see in lab experiments is highly likely underestimation of what we see in real-world cases, in which, for example, a police officer or a therapist, suggestively is dredging for people’s memories that perhaps are not there for weeks, for months, in a highly suggestive fashion,” he said, suggesting this is what happens in some cases of false confessions.

But researchers, to some extent, already knew how easy it is to trick our memories. Oeberst’s study is innovative in suggesting that it’s equally as easy to reverse those false memories. And knowing the base truth about what actually happened isn’t even necessary to revert the fake recollections.

In the experiment, Oeberst had another interviewer ask participants to identify whether any of their memories could be false, by simply thinking critically about them. The scientists used two “sensitization” techniques: One, source sensitization, where they asked participants to recall the exact source of the memory (what is leading you to remember this; what specific recollection do you, yourself, have?). And two, false memory sensitization, where they explained to the subjects that sometimes being pressured to recall something can elicit false memories.

“And they worked, they worked!” Oeberst said, adding that of course not every single participant was persuaded that their memory was false.

Particularly with the false memory sensitization strategy, participants seemed to regain their trust in their initial gut feeling of what they did and didn’t remember, as if empowered to trust their own recollection more. “I don’t recollect this and maybe it’s not my fault, maybe it’s actually my parents who made something up or they were wrong,” Oeberst said, mimicking the participants’ thought process. “Basically, it’s a different solution to the same riddle.” According to Oeberst, the technique by which false memories are implanted is the same used to reverse them, “just from a different angle, the opposite angle.”

The memories didn’t completely vanish for everybody; 15% to 25% of the participants still believed their false memories were real, and this is roughly the same amount of people who accepted false memories right after the first interview. A year later, 74% of all participants still recognized which were false memories or didn’t remember them at all.

“Up until now, we didn’t have any way to reject or reverse false memory formation,” said Otgaar, who has published over 100 studies on false memory. “But it’s very simple, and with such a simple manipulation that this can already lead to quite strong effects. That’s really interesting.”

The researchers also suggest reframing thinking about false memories in terms of “false remembering,” an action determined by information and context, rather than “false memories,” as if memories were stable files in a computer.

“This is especially important, I think, insofar that remembering is always contextual. It’s less helpful for us to think about whether or not people ‘have’ a false memory and more helpful to think of the circumstances in which people are more or less likely to believe they are remembering,” said Nash.

[…]

Source: Scientists Implant and Then Reverse False Memories in People

Another successful flight for SpaceX’s Starship apart from the landing-in-one-piece thing

SpaceX continued its rich tradition of destroying Starship prototypes with SN11 succumbing to an explosive end during a high-altitude flight test.

Originally planned for 29 March, the test flight from the company’s facility in Boca Chica, Texas, had been postponed until this morning because a Federal Aviation Administration (FAA) inspector had been unable to reach the site in time to observe the test.

The inspector was present today to witness another demonstration of Tesla Technoking Elon Musk’s prowess at blowing up big, shiny rockets.

The test was a repeat of the Serial Number 10 prototype vehicle flight earlier in March. SN10 broke the heart of SpaceX fanbois around the globe by coming so close to complete success. That vehicle managed to return from its high-altitude test in one piece, landing upright. However, seconds later it exploded spectacularly, leaving the way clear (except for some bits of twisted metal) for SN11.

With SN10 almost succeeding, hopes were high for SN11.

The silver rocket, obscured by mist, launched on time. The three Raptor engines appeared to burn normally during the flight, with one shutting down just after the two-minute mark as planned. A second engine was then shut down before the vehicle reached the desired 10km point and the last engine was cut off.

Despite spotty video, the signature “belly flop” of the vehicle was visible as SN11 flipped over for its return to Earth. As it passed through 1km in altitude (according to the SpaceX announcer) the Raptors could be seen gimballing into position and at least one igniting.

And then the video froze again.

However, the audio continued for a few more seconds before a very audible bang was heard. Shortly after, SpaceX’s announcer returned to the air to confirm “another exciting test.”

Exciting for those on the ground, perhaps, as the rocket exploded in the mist.

[…]


Source: Another successful flight for SpaceX’s Starship apart from the landing-in-one-piece thing • The Register

Oh dear Mr Musk. I’m not going up on that

Wi-Fi devices set to become object sensors by 2024 under planned 802.11bf standard – no, they haven’t thought of security and privacy

In three years or so, the Wi-Fi specification is scheduled to get an upgrade that will turn wireless devices into sensors capable of gathering data about the people and objects bathed in their signals.

“When 802.11bf will be finalized and introduced as an IEEE standard in September 2024, Wi-Fi will cease to be a communication-only standard and will legitimately become a full-fledged sensing paradigm,” explains Francesco Restuccia, assistant professor of electrical and computer engineering at Northeastern University, in a paper summarizing the state of the Wi-Fi Sensing project (SENS) currently being developed by the Institute of Electrical and Electronics Engineers (IEEE).

SENS is envisioned as a way for devices capable of sending and receiving wireless data to use Wi-Fi signal interference differences to measure the range, velocity, direction, motion, presence, and proximity of people and objects.

It may come as no surprise that the security and privacy considerations of Wi-Fi-based sensing have not received much attention.

As Restuccia warns in his paper, “As yet, research and development efforts have been focused on improving the classification accuracy of the phenomena being monitored, with little regard to S&P [security and privacy] issues. While this could be acceptable from a research perspective, we point out that to allow widespread adoption of 802.11bf, ordinary people need to trust its underlying technologies. Therefore, S&P guarantees must be provided to the end users.”

[…]

“Indeed, it has been shown that SENS-based classifiers can infer privacy-critical information such as keyboard typing, gesture recognition and activity tracking,” Restuccia explains. “Given the broadcast nature of the wireless channel, a malicious eavesdropper could easily ‘listen’ to CSI [Channel State Information] reports and track the user’s activity without authorization.”

And worse still, he argues, such tracking can be done surreptitiously because Wi-Fi signals can penetrate walls, don’t require light, and don’t offer any visible indicator of their presence.

Restuccia suggests there needs to be a way to opt-out of SENS-based surveillance; a more privacy-friendly stance would be to opt-in, but there’s not much precedent for seeking permission in the technology industry.

[…]

Source: Wi-Fi devices set to become object sensors by 2024 under planned 802.11bf standard • The Register

Android, iOS beam telemetry to Google, Apple even when you tell them not to

In a recently released research paper, titled “Mobile Handset Privacy: Measuring The Data iOS and Android Send to Apple And Google” [PDF], Douglas Leith, chairman of computer systems in the school of computer science and statistics at Trinity College Dublin, Ireland, documents how iPhones and Android devices phone home regardless of the wishes of their owners.

According to Leith, Android and iOS handsets share data about their salient characteristics with their makers every 4.5 minutes on average.

“The phone IMEI, hardware serial number, SIM serial number and IMSI, handset phone number etc are shared with Apple and Google,” the paper says. “Both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this.”

These transmissions occur even when the iOS Analytics & Improvements option is turned off and the Android Usage & Diagnostics option is turned off.

Such data may be considered personal information under privacy rules, depending upon the applicable laws and whether they can be associated with an individual. It can also have legitimate uses.

Of the two mobile operating systems, Android is claimed to be the more chatty: According to Leith, “Google collects a notably larger volume of handset data than Apple.”

Within 10 minutes of starting up, a Google Pixel handset sent about 1MB of data to Google, compared to 42KB of data sent to Apple in a similar startup scenario. And when the handsets sit idle, the Pixel will send about 1MB every 12 hours, about 20x more than the 52KB sent over the same period by an idle iPhone.

[…]

Leith’s tests excluded data related to services selected by device users, like those related to search, cloud storage, maps, and the like. Instead, they focused on the transmission of data shared when there’s no logged-in user, including IMEI number, hardware serial number, SIM serial number, phone number, device ids (UDID, Ad ID, RDID, etc), location, telemetry, cookies, local IP address, device Wi-Fi MAC address, and nearby Wi-Fi MAC addresses.

This last category is noteworthy because it has privacy implications for other people on the same network. As the paper explains, iOS shares additional data: the handset Bluetooth UniqueChipID, the Secure Element ID (used for Apple Pay), and the Wi-Fi MAC addresses of nearby devices, specifically other devices using the same network gateway.

“When the handset location setting is enabled, these MAC addresses are also tagged with the GPS location,” the paper says. “Note that it takes only one device to tag the home gateway MAC address with its GPS location and thereafter the location of all other devices reporting that MAC address to Apple is revealed.”

[…]

Google also has a plausible fine-print justification: Leith notes that Google’s analytics options menu includes the text, “Turning off this feature doesn’t affect your device’s ability to send the information needed for essential services such as system updates and security.” However, Leith argues that this “essential” data is extensive and beyond reasonable user expectations.

As for Apple, you might think a company that proclaims “What happens on your iPhone stays on your iPhone” on billboards, and “Your data. Your choice,” on its website would want to explain its permission-defying telemetry. Yet the iPhone maker did not respond to a request for comment.

Source: Android, iOS beam telemetry to Google, Apple even when you tell them not to – study • The Register

Wi-Fi slinger Ubiquiti hints at source code leak after claim of ‘catastrophic’ cloud intrusion emerges

News that Ubiquiti’s cloud servers had been breached emerged on January 11, 2021, when the company emailed customers the text found in this support forum post. That missive stated: “We recently became aware of unauthorized access to certain of our information technology systems hosted by a third-party cloud provider.”

That announcement continued, “We have no indication that there has been unauthorized activity with respect to any user’s account,” but also recommended customers change their passwords because if their records had been accessed, hashed and salted passwords, email addresses, and even physical addresses and phone numbers could be at risk.

An update on Wednesday this week stated an investigation by outside experts “identified no evidence that customer information was accessed, or even targeted,” however.

Crucially, the update also revealed that someone “unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials.” The update does not suggest the extortion attempt was fanciful.

Ubiquiti has not said when the external experts decided customer data was untouched. Which leaves the company in the interesting position of perhaps knowing its core IP has leaked, and not disclosing that, while also knowing that customer data is safe and not disclosing that, either.

The update contains another scary nugget in this sentence: “Please note that nothing has changed with respect to our analysis of customer data and the security of our products since our notification on January 11.”

But the January 11 notification makes no mention of “the security of our products.”

The update on Wednesday was published two days after Krebs On Security reported that it has seen a letter from a whistleblower to the European Data Protection Supervisor that alleges Ubiquiti has not told the whole truth about the incident.

Krebs said the letter described the attack on Ubiquiti as “catastrophically worse than reported.”

“The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk,” the letter reportedly claimed, adding that Ubiquiti’s legal team “silenced and overruled efforts to decisively protect customers.”

The whistleblower separately claimed that whoever was able to break into Ubiquiti’s Amazon-hosted servers, they could have swiped cryptographic secrets for customers’ single sign-on cookies and remote device access, internal source code, and signing keys – far more than the Wi-Fi box maker disclosed in January. The intruder, it is said, obtained a Ubiquiti IT worker’s privileged credentials, got root access to the business’s AWS systems, and thus had a potential free run of its cloud-hosted storage and databases.

Backdoors were apparently stashed in the servers, too, and, as Ubiquiti acknowledged this week, a ransom was demanded to keep quiet about the break-in.

[…]

The update ends with another call for customers to refresh their passwords and enable two-factor authentication. The Register fancies some readers may also consider refreshing their Wi-Fi supplier.

PS: It’s not been a great week for Ubiquiti: it just promised to remove house ads it added to the web-based user interface of its UniFi gear.

Source: Wi-Fi slinger Ubiquiti hints at source code leak after claim of ‘catastrophic’ cloud intrusion emerges • The Register

Security has never been one of their strong points so this is not really surprising…

Trustify CEO gets eight years for lying to investors, spending millions on homes, private jets, sports tickets

A tech CEO who lied to investors to get funding and then blew millions of it on maintaining a luxury lifestyle, which included private jets and top seats at sporting events, has been sentenced to just over eight years in prison.

Daniel Boice, 41, set up what he claimed would be the “Uber of private investigators,” called Trustify, in 2015. He managed to pull in over $18m in funding from a range of investors by lying about how successful the business was.

According to the criminal indictment [PDF] against him, investors received detailed financial statements that claimed Trustify was pulling in $500,000 a month and had hundreds of business relationships that didn’t exist. Boice also emailed, called, and texted potential investors claiming the same. But, prosecutors say, the truth was that the biz was making “significantly less” and the documentation was all fake.

The tech upstart started to collapse in November 2018 when losses mounted to the point where Boice was unable to pay his staff. When they complained, he grew angry, fired them, and cut off all company email and instant messaging accounts, they allege in a separate lawsuit [PDF] demanding unpaid wages.

Even as Trustify was being evicted from its office, however, Boice continued to lie to investors, claiming he had $18m in the bank when accounts show he had less than $10,000. Finally in 2019 the company was placed into corporate receivership, leading to over $18m in losses to investors and over $250,000 in unpaid wages.

As well as creating false income and revenue documents, Boice was found to have faked an email from one large investor saying that it was going to invest $7.5m in the business that same day – and then forwarded it to another investor as proof of interest. That investor then sank nearly $2m into the business.

Profligate

While the business was failing, however, Boice used millions invested in it to fund his own lifestyle. He put down deposits on two homes in the US – a $1.6m house in Virginia and a $1m beach house in New Jersey – using company funds. He also paid for a chauffeur, house manager, and numerous other personal expenses with Trustify cash. More money was spent on holidays, a $83,000 private jet flight to Vermont, and over $100,000 was spent on seats at various sporting events. His former employees also allege in a separate lawsuit that he spent $600,000 on a documentary about him and his wife.

[…]

Source: Trustify CEO gets eight years for lying to investors, spending millions on homes, private jets, sports tickets

Why People’s Expensive NFTs Keep Vanishing

When you buy an NFT for potentially as much as an actual house, in most cases you’re not purchasing an artwork or even an image file. Instead, you are buying a little bit of code that references a piece of media located somewhere else on the internet. This is where the problems begin. Ed Clements is a community manager for OpenSea who fields these kinds of problems daily. In an interview, he explained that digital artworks themselves are not immutably registered “on the blockchain” when a purchase is made. When you buy an artwork, rather, you’re “minting” a new cryptographic signature that, when decoded, points to an image hosted elsewhere. This could be a regular website, or it might be the InterPlanetary File System, a large peer-to-peer file storage system.

Clements distinguished between the NFT artwork (the image) and the NFT, which is the little cryptographic signature that actually gets logged. “I use the analogy of OpenSea and similar platforms acting like windows into a gallery where your NFT is hanging,” he said. “The platform can close the window whenever they want, but the NFT still exists and it is up to each platform to decide whether or not they want to close their window.” […] “Closing the window” on an NFT isn’t difficult. NFTs are rendered visually only on the front-end of a given marketplace, where you see all the images on offer. All the front-end code does is sift through the alphanumeric soup on the blockchain to produce a URL that links to where the image is hosted, or less commonly metadata which describes the image. According to Clements: “the code that finds the information on the blockchain and displays the images and information is simply told, ‘don’t display this one.’”

An important point to reiterate is that while NFT artworks can be taken down, the NFTs themselves live inside Ethereum. This means that the NFT marketplaces can only interact with and interpret that data, but cannot edit or remove it. As long as the linked image hasn’t been removed from its source, an NFT bought on OpenSea could still be viewed on Rarible, SuperRare, or whatever — they are all just interfaces to the ledger. The kind of suppression detailed by Clements is likely the explanation for many cases of “missing” NFTs, such as one case documented on Reddit when user “elm099” complained that an NFT called “Big Boy Pants” had disappeared from his wallet. In this case, the user could see the NFT transaction logged on the blockchain, but couldn’t find the image itself. In the case that an NFT artwork was actually removed at the source, rather than suppressed by a marketplace, then it would not display no matter which website you used. If you saved the image to your phone before it was removed, you could gaze at it while absorbing the aura of a cryptographic signature displayed on a second screen, but that could lessen the already-tenuous connection between NFT and artwork. If you’re unable to find a record of the token itself on the Ethereum blockchain, it “has to do with even more arcane Ethereum minutiae,” writes Ben Munster via Motherboard. He explains: “NFTs are generally represented by a form of token called the ERC-721. It’s just as simple to locate this token’s whereabouts as ether (Ethereum’s in-house currency) and other tokens such as ERC-20s. The NFT marketplace SuperRare, for instance, sends tokens directly to buyers’ wallets, where their movements can be tracked rather easily. The token can then generally be found under the ERC-721 tab. OpenSea, however, has been experimenting with a new token variant: the ERC-1155, a ‘multitoken’ that designates collections of NFTs.

This token standard, novel as it is, isn’t yet compatible with Etherscan. That means ERC-1155s saved on Ethereum don’t show up, even if we know they are on the blockchain because the payments record is there, and the ‘smart contracts’ which process the sale are designed to fail instantly if the exchange can’t be made. […]”

In closing, Munster writes: “This is all illustrative of a common problem with Ethereum and cryptocurrencies generally, which despite being immutable and unhackable and abstractly perfect can only be taken advantage of via unreliable third-party applications.”
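The indirection described above (token on the ledger, tokenURI pointing at metadata, metadata pointing at an image) is easy to see in code. The following is an added example, not code from Motherboard, Slashdot or OpenSea: it resolves constructed ERC-721 tokenURI records the way a marketplace front-end would and classifies how durable each link is (embedded data URI, content-addressed IPFS, or a plain HTTPS host that can vanish), and it shows that a front-end “closing the window” leaves the ledger entry untouched. All contract addresses, the CID and the hostname are placeholders.

```python
import base64
import json
from urllib.parse import unquote, urlparse

# Constructed metadata for a token whose image is embedded in the token itself.
FULLY_ONCHAIN_META = json.dumps({
    "name": "Constructed Token",
    "image": "data:image/svg+xml;base64,"
             + base64.b64encode(b"<svg xmlns='http://www.w3.org/2000/svg'/>").decode(),
})

# Constructed ledger: (contract, tokenId) -> what tokenURI(tokenId) returns.
# Addresses, CID and hostname are placeholders, not real assets.
LEDGER = {
    ("0xCONTRACT_A", 1): "data:application/json;base64,"
                         + base64.b64encode(FULLY_ONCHAIN_META.encode()).decode(),
    ("0xCONTRACT_B", 7): "ipfs://QmPLACEHOLDERCID/7.json",
    ("0xCONTRACT_C", 3): "https://cdn.example.invalid/3.json",
}

# Constructed stand-in for what an IPFS gateway or HTTP host serves right now.
# The HTTPS host has already removed its file, so it is absent here.
HOSTED = {
    "ipfs://QmPLACEHOLDERCID/7.json": json.dumps(
        {"image": "ipfs://QmPLACEHOLDERCID/7.png"}),
}


def fetch(uri):
    """Return the bytes a host serves for uri, or None if it is gone."""
    body = HOSTED.get(uri)
    return None if body is None else body.encode()


def classify_uri(uri):
    """Durability class of a metadata or image reference."""
    scheme = urlparse(uri).scheme.lower()
    if scheme == "data":
        return "on-chain"            # bytes live in the token record itself
    if scheme == "ipfs":
        return "content-addressed"   # CID commits to the bytes; still needs a pinner
    if scheme in ("http", "https"):
        return "mutable"             # host can change or remove it at will
    return "unknown"


def decode_data_uri(uri):
    """Decode data:[<mediatype>][;base64],<payload> into bytes."""
    header, _, payload = uri.partition(",")
    if header.endswith(";base64"):
        return base64.b64decode(payload)
    return unquote(payload).encode()


def resolve(key, fetch_fn=fetch):
    """Follow tokenURI -> metadata -> image and report what could vanish."""
    token_uri = LEDGER[key]
    report = {"metadata": classify_uri(token_uri)}
    if report["metadata"] == "on-chain":
        raw = decode_data_uri(token_uri)
    else:
        raw = fetch_fn(token_uri)
    if raw is None:
        report["image"] = "unreachable"   # metadata host gone: nothing to show
        return report
    meta = json.loads(raw)
    report["image"] = classify_uri(meta.get("image", ""))
    return report


def front_end_view(key, hidden, fetch_fn=fetch):
    """What a marketplace front-end shows: a blocklist only affects display."""
    if key in hidden:
        return "hidden"
    return resolve(key, fetch_fn)["image"]


def exists_on_ledger(key):
    """The ledger record is untouched by any front-end decision."""
    return key in LEDGER


if __name__ == "__main__":
    hidden = {("0xCONTRACT_B", 7)}
    for key in LEDGER:
        print(key, resolve(key), "view:", front_end_view(key, hidden))
```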

Source: Why People’s Expensive NFTs Keep Vanishing – Slashdot

Posted in Art

Privacy Laws Giving Big Internet Companies A Convenient Excuse To Avoid Academic Scrutiny – or not? A Balanced argument

For years we’ve talked about how the fact that no one really understands privacy leads to very bad attempts at regulating privacy in ways that do more harm than good. They often don’t do anything that actually protects privacy — and instead screw up lots of other important things, from competition to free speech. In fact, in some ways, there’s a big conflict between open internet systems and privacy. There are ways to get around that — usually by moving the data from centralized silos out towards the ends of the network — but that’s rarely happening in practice. I mean, going back over thirteen years ago, we were writing about the inherent conflict between Facebook’s (then) open social graph and privacy. Yet, at the time, Facebook was cheered on for opening up its social graph. It was creating a more “open” internet, an internet that others could build upon.

But, of course, over the years things have changed. A lot. In 2018, after the Cambridge Analytica scandal, Mark Zuckerberg more or less admitted that the world was telling Facebook to lock everything down again:

I do think early on on the platform we had this very idealistic vision around how data portability would allow all these different new experiences, and I think the feedback that we’ve gotten from our community and from the world is that privacy and having the data locked down is more important to people than maybe making it easier to bring more data and have different kinds of experiences.

As we pointed out in response — this was worrisome thinking, because it would likely take us away from a better world in which the data is more controlled by end users. Instead, so many people have now come to think that “protecting privacy” means making the big internet companies lock down our data rather than the much better approach which would be giving us full control over our own data. Those are two different things, that only sometimes look alike.

I say all of that as preamble in suggesting people read an excellent Protocol article by Issie Lapowsky, which — in a very thoughtful and nuanced way — highlights the unfortunate conflict between academic researchers trying to study the big internet companies and the companies’ insistence that they need to keep data private. We’ve touched on this topic before ourselves, in covering the still ongoing fight between Facebook and NYU regarding NYU’s Ad Observer project.

That project involves getting individuals to install a browser extension that shares data back to NYU about what ads the user sees. Facebook insists that it violates their privacy rules — and points to how much trouble it got in (and the massive fines it paid) over the Cambridge Analytica mess. Though, as we explained then, the scenarios are quite different.

Lapowsky’s article goes further — noting how Facebook told her that the Ad Observer project was collecting data without the user’s permission, which worried the PhD student who was working on the project. It turns out that was false. The project only collects data from the user who installs it and agrees (giving permission) to collect the data in question.

But the story and others in the article highlight an unfortunate situation: the somewhat haphazard demands on the big internet companies to “protect privacy” are now providing convenient excuses to those same companies to shut down academic research on those companies and their practices. In some cases there are legitimate concerns. For example, as the article notes, there were concerns about how much Facebook is willing to share regarding ad targeting. That information could be really important for those studying disinformation or civil rights issues. But… it could also be used in nefarious ways:

Facebook released an API for its political ad archive and invited the NYU team to be early testers. Using the API, Edelson and McCoy began studying the spread of disinformation and misinformation through political ads and quickly realized that the dataset had one glaring gap: It didn’t include any data on who the ads were targeting, something they viewed as key to understanding advertisers’ malintent. For example, last year, the Trump campaign ran an ad envisioning a dystopian post-Biden presidency, where the world is burning and no one answers 911 calls due to “defunding of the police department.” That ad, Edelson found, had been targeted specifically to married women in the suburbs. “I think that’s relevant context to understanding that ad,” Edelson said.

But Facebook was unwilling to share targeting data publicly. According to Satterfield, that could make it too easy to reverse-engineer a person’s interests and other personal information. If, for instance, a person likes or comments on a given ad, it wouldn’t be too hard to check the targeting data on that ad, if it were public, and deduce that that person meets those targeting criteria. “If you combine those two data sets, you could potentially learn things about the people who engaged with the ad,” Satterfield said.

Legitimate concern… but also allows the company to shield data that could be really useful to academics. Of course, it doesn’t help that so many people are so distrustful of these big companies that no matter what they do it will be portrayed — sometimes by the very same people — as evil. It was just a few weeks ago that we saw people screaming both about the big internet companies willing to cave in and pay Rupert Murdoch the Australian link tax… and when they refused to. Both options were painted as evil.

So, sharing data will inevitably be presented by some as violating people’s privacy, while not sharing data will be presented as hiding from researchers and trying to avoid transparency. And there’s probably some truth in every angle to these stories.

Of course, that all leaves out a better approach that these companies could do: give more power to the end users themselves to control their own data. Let the users decide what data is shared and what is not. Let the users decide where and how that data is stored (even if it’s not on the platform itself). But, instead, we just have people yelling about how these companies both have to protect everyone’s privacy and give access to researchers to see what they’re doing with all this data. I don’t think the “middle ground” laid out in the article is all that tenable. Right now it’s just to basically create special exceptions in which academics are “allowed” — under strict conditions — to get access to that data.

The problem with that framing is that the big internet companies still end up in control of the data, rather than the end users. The situation with NYU seems like a perfectly good example. Facebook shouldn’t have to share data from people who don’t consent, but with the Ad Observer, it’s all people who are actually consenting to handing over their own data, and Facebook shouldn’t be in the business of blocking that — even if it’s inevitable that some reporter at some future date will try to spin that into a story claiming that Facebook “violated” privacy because these researchers convinced people to turn over their own info.

Source: Privacy Laws Giving Big Internet Companies A Convenient Excuse To Avoid Academic Scrutiny | Techdirt

The argument Mike makes above is basically a plea for what Sir Tim Berners-Lee, inventor of the internet, is pleading for and already making in his companies Solid and Inrupt. User data is placed in personal Pods / Silos and the user can determine what data is given to whom.

It’s an idealistic scenario that seems to ignore a few things:

  • Who hosts the pods? The host can usually see into things or at any rate gather metadata (which is usually more valuable than the actual data). Who pays for hosting the pods?
  • Will people understand and be willing to take the time to curate their pod access? People have trouble finding privacy settings on their social networks; this promises to be more complex.
  • If a site requires access to data in a pod, won’t people blindly click on accept without understanding that they are giving away their data? Or will they be coerced into giving away data they don’t want to because there are no alternatives to using the service?

The New York Times has a nice article on what he’s doing: He Created the Web. Now He’s Out to Remake the Digital World.

OpenSSL fixes high-severity flaw that allows hackers to crash huge numbers of servers globally

OpenSSL, the most widely used software library for implementing website and email encryption, has patched a high-severity vulnerability that makes it easy for hackers to completely shut down huge numbers of servers.

[…]

On Thursday, OpenSSL maintainers disclosed and patched a vulnerability that causes servers to crash when they receive a maliciously crafted request from an unauthenticated end user. CVE-2021-3449, as the denial-of-service vulnerability is tracked, is the result of a null pointer dereference bug. Cryptographic engineer Filippo Valsorda said on Twitter that the flaw could probably have been discovered earlier than now.

“Anyway, sounds like you can crash most OpenSSL servers on the Internet today,” he added.

Hackers can exploit the vulnerability by sending a server a maliciously formed renegotiating request during the initial handshake that establishes a secure connection between an end user and a server.

“An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client,” maintainers wrote in an advisory. “If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack.”

The maintainers have rated the severity high. Researchers reported the vulnerability to OpenSSL on March 17. Nokia developers Peter Kästle and Samuel Sapalski provided the fix.
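The advisory text above pins the crash to one precise shape of TLS 1.2 renegotiation ClientHello. The following is an added example, not code from OpenSSL, the advisory or Ars Technica: a small ClientHello parser plus a check that flags a renegotiation hello which drops signature_algorithms (extension type 13) while still carrying signature_algorithms_cert (type 50). The handshake bytes are constructed test input. A renegotiation ClientHello travels inside the already-encrypted session, so this check only applies where the plaintext handshake message is available (a server-side message callback or a TLS terminator’s handshake log), not on the wire.

```python
import struct

# Extension type numbers from RFC 8446.
SIGNATURE_ALGORITHMS = 13
SIGNATURE_ALGORITHMS_CERT = 50
TLS12 = b"\x03\x03"


def parse_client_hello(msg):
    """Parse a ClientHello handshake message (type 1, 3-byte length, body).

    Returns version bytes, the cipher suite list and {ext_type: ext_data}.
    Raises ValueError on truncated or malformed input.
    """
    if len(msg) < 4 or msg[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = body[pos:pos + 2]
    pos += 2
    pos += 32                                   # client random
    sid_len = body[pos]
    pos += 1 + sid_len                          # legacy session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1 + comp_len                         # compression methods
    extensions = {}
    if pos < len(body):                         # extensions block is optional
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        if end > len(body):
            raise ValueError("extension block overruns body")
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if pos + elen > end:
                raise ValueError("extension overruns block")
            extensions[etype] = body[pos:pos + elen]
            pos += elen
    return {"version": version, "cipher_suites": suites, "extensions": extensions}


def renegotiation_hello_is_suspect(initial, renegotiation):
    """True when a TLS 1.2 renegotiation ClientHello omits signature_algorithms
    that the initial ClientHello carried, yet includes signature_algorithms_cert:
    the combination the advisory says crashes unpatched servers."""
    first = parse_client_hello(initial)["extensions"]
    second = parse_client_hello(renegotiation)
    if second["version"] != TLS12:
        return False
    ext = second["extensions"]
    return (SIGNATURE_ALGORITHMS in first
            and SIGNATURE_ALGORITHMS not in ext
            and SIGNATURE_ALGORITHMS_CERT in ext)


def build_client_hello(extensions):
    """Assemble a minimal TLS 1.2 ClientHello (constructed parser test input):
    zero random, empty session id, one cipher suite, null compression."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d
                         for t, d in extensions.items())
    body = (TLS12 + bytes(32) + b"\x00"
            + struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
            + b"\x01\x00"                               # compression: null
            + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    return b"\x01" + len(body).to_bytes(3, "big") + body


# Constructed extension payload: list of two SignatureSchemes.
SIG_ALGS = b"\x00\x04\x04\x03\x08\x04"

INITIAL_HELLO = build_client_hello({SIGNATURE_ALGORITHMS: SIG_ALGS,
                                    SIGNATURE_ALGORITHMS_CERT: SIG_ALGS})
RENEG_HELLO_OK = build_client_hello({SIGNATURE_ALGORITHMS: SIG_ALGS,
                                     SIGNATURE_ALGORITHMS_CERT: SIG_ALGS})
RENEG_HELLO_SUSPECT = build_client_hello({SIGNATURE_ALGORITHMS_CERT: SIG_ALGS})

if __name__ == "__main__":
    print("benign renegotiation:", renegotiation_hello_is_suspect(INITIAL_HELLO, RENEG_HELLO_OK))
    print("suspect renegotiation:", renegotiation_hello_is_suspect(INITIAL_HELLO, RENEG_HELLO_SUSPECT))
```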

Certificate verification bypass

OpenSSL also fixed a separate vulnerability that, in edge cases, prevented apps from detecting and rejecting TLS certificates that aren’t digitally signed by a browser-trusted certificate authority. The vulnerability, tracked as CVE-2021-3450, involves the interplay between an X509_V_FLAG_X509_STRICT flag found in the code and several parameters.

Thursday’s advisory explained:

If a “purpose” has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named “purpose” values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application.

In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose.

[…]

Source: OpenSSL fixes high-severity flaw that allows hackers to crash servers | Ars Technica

One of America’s $135.8 Million Fighter F-35 Jets Shot Itself

An F-35B Joint Strike Fighter shot itself in the skies above Arizona earlier this month, doing at least $2.5 million in damage. The pilot was unharmed and successfully landed the jet. The Pentagon isn’t quite sure how or why the jet shot itself and the incident is still under investigation.

As first reported by Military.com, the F-35 was flying in a training mission at night on March 12 at the Yuma Range Complex in Arizona when it shot itself. This particular F-35 has an externally mounted Gatling gun that fires a 25mm armor-piercing high-explosive round. Sometime during the training, the gun discharged and the round exploded, damaging the underside of the jet.

The pilot landed the jet and a Navy investigation classified the accident as Class A. Class A accidents are the most severe; it’s a classification used when someone in the weapon dies, the whole jet is lost, or the property damage is $2.5 million or greater. “The mishap did not result in any injury to personnel, and an investigation of the incident is currently taking place,” Marine Corps spokesperson Captain Andrew Wood told Military.com.

[…]

Source: One of America’s $135.8 Million Fighter Jets Shot Itself

In 2019 a Dutch F-16 shot itself by flying into a stream of its own bullets. In 1956 an F-11 did the same thing. So not unheard of.

Source: A Dutch F-16 Flew Into Its Own Gunfire

Apple WebKit exploited to hack your iDevice whilst browsing. Update now!

iOS 14.4.2 and iPadOS 14.4.2

Released March 26, 2021

WebKit

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Apple is aware of a report that this issue may have been actively exploited.

Description: This issue was addressed by improved management of object lifetimes.

CVE-2021-1879: Clement Lecigne of Google Threat Analysis Group and Billy Leonard of Google Threat Analysis Group

Source: About the security content of iOS 14.4.2 and iPadOS 14.4.2 – Apple Support

GM, Ford, Tesla, Nio, Nissan, Toyota, VW, Subaru, Fiat – electric car companies shut down due to global chip shortage

New York (CNN Business) A computer chip shortage has shut down the Louisville, Kentucky, Ford plant this week, the latest shutdown because of an industry-wide problem that is expected to spread to many other auto plants in the coming months. The Louisville plant employs 3,800 hourly workers, who will receive about 75% of their normal pay during the one-week shutdown. It assembles the Ford Escape and the Lincoln version of that SUV, the Corsair.

[…]

Automakers cut back orders for computer chips early last year when the pandemic slammed the brakes on auto sales and production because of temporary plant closings. When car sales bounced back sooner than expected, it left the industry struggling with a chip shortage. That was exacerbated by increased demand for laptops during the stay-at-home era — and the electronic and computer industries snapping up the excess supply of chips, said Kristin Dziczek, vice president of research at the Center for Automotive Research, a Michigan think tank.

[…]

Source: Ford shuts down a plant because it can’t find enough computer chips

The computer chip shortage is taking a bigger bite out of General Motors’ production plans than the company originally expected. Last week GM announced that three of its North American plants — the Fairfax plant in Kansas City, Kansas, the CAMI plant in Ingersoll, Ontario and the San Luis Potosi plant in Mexico — would be shuttered this week due to the chip shortage. But on Tuesday the automaker said it would extend the shutdown through at least mid-March, at which time it will reassess its production plans.

[…]

Last week Ford said that its first quarter production would be cut by between 10% to 20% because of chip scarcity, which if it extends into the second quarter could cost the company between $1 billion and $2.5 billion in 2021. The problem for the industry cannot be fixed quickly according to Kristin Dziczek, vice president of research at the Center for Automotive Research, a Michigan think tank. “The magnitude of the impact of the semiconductor issues continues to grow week-to-week,” she said. “It looks like while the industry will resolve the shortages in 2021, the production impact may stretch into the third quarter.”

[…]

The Fairfax plant has about 2,000 hourly workers and 230 salaried staff. They will get about 75% of their normal pay during the shutdown through a combination of unemployment benefits and supplemental pay from GM.

[…]

Source: GM extends shutdown at three plants due to chip shortage

Tesla is shutting down a Model 3 production line at the Fremont, California, factory for two weeks amid an industrywide microchip shortage.

According to a new report from Bloomberg, Tesla has informed employees from a Model 3 production line at the Fremont factory that their line is being shut down until March 7:

Workers on a Model 3 production line in Fremont were told their line would be down from Feb. 22 until March 7, said the person, who asked not to be identified because the information is private. Impacted staff were told they would be paid for Feb. 22 and Feb. 23 and not paid for Feb. 28, March 1, 2 and 3. They were advised to take vacation time, if they had it.

The employees in question weren’t informed of the reason behind the shutdown, which remains unconfirmed.

Unlike Model S and Model X production at the Fremont factory, Tesla is not making any significant update to the Model 3 program, which received a refresh late last year.

[…]

The entire auto industry is currently dealing with a global shortage of microchips.

The shortage has already resulted in many vehicle production lines being halted around the world. GM, Ford, Nissan, Toyota, Volkswagen, Subaru, and Fiat Chrysler have all announced halted or decelerated production lines due to the issue.

[…]

With the cold weather resulting in frequent power outages in Texas last week, Samsung was forced to shut down its semiconductor plant in Austin, which likely affected Tesla’s chip supply.

[…]

Source: Tesla shuts down Model 3 production line for 2 weeks amid chip shortage

China’s electric car startup Nio will shut down for five days due to the global semiconductor shortage, the company announced on Friday in a press release. The five day shutdown will start on Monday and will mean the company produces slightly fewer cars this year than it had planned.

“The overall supply constraint of semiconductors has impacted the Company’s production volume in March 2021,” Nio said in a statement. “The Company expects to deliver approximately 19,500 vehicles in the first quarter of 2021, adjusted from previously released outlook of 20,000 to 20,500 vehicles.”

Nio makes several different models, including a seven-seater electric SUV, a two-seater sports car, and has plans to produce a minivan in 2022. But Nio isn’t the only car company around the world feeling the pinch from the computer chip shortage. CNBC estimates the global auto industry as a whole will lose as much as $US60 ($79) billion from the lack of chips this year as it ripples around the world.

[…]

China is the largest EV market in the world, though Norway outpaces China in EV sales as a percentage of the country’s total car market. An estimated 1.3 million electric vehicles were sold in China last year, representing roughly 40% of all EVs sold around the world, according to research by Canalys. The U.S. market represented just 2.4% of all EV sales in 2020.

Source: Electric Car Company Nio Shuts Down Temporarily in China Over Global Chip Shortage

Data Broker Looking To Sell Global Real-Time Vehicle Location Data To Government Agencies, Including The Military

[…]

Putting a couple of middle men between the app data and the purchase of data helps agencies steer clear of Constitutional issues related to the Supreme Court’s Carpenter decision, which introduced a warrant mandate for engaging in proxy tracking of people via cell service providers.

But phones aren’t the only objects that generate a wealth of location data. Cars go almost as many places as phones do, providing data brokers with yet another source of possibly useful location data that government agencies might be interested in obtaining access to. Here’s Joseph Cox of Vice with more details:

A surveillance contractor that has previously sold services to the U.S. military is advertising a product that it says can locate the real-time locations of specific cars in nearly any country on Earth. It says it does this by using data collected and sent by the cars and their components themselves, according to a document obtained by Motherboard.

“Ulysses can provide our clients with the ability to remotely geolocate vehicles in nearly every country except for North Korea and Cuba on a near real time basis,” the document, written by contractor The Ulysses Group, reads. “Currently, we can access over 15 billion vehicle locations around the world every month,” the document adds.

Historical data is cool. But what’s even cooler is real-time tracking of vehicle movements. Of course the DoD would be interested in this. It has a drone strike program that’s thirsty for location data and has relied on even more questionable data in the past to make extrajudicial “death from above” decisions in the past.

Phones are reliable snitches. So are cars — a fact that may come as a surprise to car owners who haven’t been paying attention to tech developments over the past several years. Plenty of data is constantly captured by internal “black boxes,” but tends to only be retained when there’s a collision. But the interconnectedness of cars and people’s phones provides new data-gathering opportunities.

Then there are the car manufacturers themselves, which apparently feel driver data is theirs for the taking and are willing to sell it to third parties who are (also apparently) willing to sell all of this to government agencies.

“Vehicle telematics is data transmitted from the vehicle to the automaker or OEM through embedded communications systems in the car,” the Ulysses document continues. “Among the thousands of other data points, vehicle location data is transmitted on a constant and near real time basis while the vehicle is operating.”

This document wasn’t obtained from FOIA requests. It actually couldn’t be — not if Ulysses isn’t currently selling to government agencies. It was actually obtained by Senator Ron Wyden, who shared it with Vice’s tech-related offshoot, Motherboard. As Wyden noted while handing it over, very little is known about these under-the-radar suppliers of location data and their government customers. This company may have no (acknowledged) government customers at this point, but real-time access to vehicle movement is something plenty of government agencies would be willing to pay for.

[…]

Source: Data Broker Looking To Sell Real-Time Vehicle Location Data To Government Agencies, Including The Military | Techdirt

Clothes retailer Fatface: Someone’s broken in and accessed your personal data, including partial card payment details… Don’t tell anyone

British clothes retailer Fatface has infuriated some customers by telling them “an unauthorised third party” gained access to systems holding their data earlier this year, and then asking them to keep news of the blunder to themselves.

Several people wrote in to The Register to let us know about the personal data leak, with reader Terry saying: “You will notice the Fatface email is marked as confidential. This annoyed me.”

Chief exec Liz Evans wrote in an email titled “Strictly private and confidential – Notice of security incident” sent to users yesterday:

-----

Please do keep this email and the information included within it strictly private and confidential.

What happened?

On 17 January 2021, FatFace identified some suspicious activity within its IT systems. We immediately launched an investigation… [and] determined that an unauthorised third party had gained access to certain systems operated by us during a limited period of time earlier the same month….

Some of your personal data may have been involved in the incident. This could include some or all of the below listed categories of information relating to you.

  • First name and surname.
  • Email address.
  • Address details.
  • Partial payment card information by way of the last 4 digits and expiry date.

Please rest assured that full payment card information was not compromised. We have been working with the relevant authorities and external security experts to ensure a comprehensive response to the incident. In addition, we have notified the Information Commissioner’s Office in the UK and other law enforcement authorities of this incident.

We have taken various additional steps to further strengthen the security of our systems. Please rest assured that our systems are secure, our website remains fully operational and FatFace is a safe place to shop, both in store (when we can reopen our shops) and online.

-----

Quite reasonably, customers quickly took to social media to ask where they could find “a public statement on your data breach,” why it had waited so long to inform customers, why the mail was marked “confidential” and whether it was genuine. All were directed to kindly “DM” the firm’s social media handler.

It also noted that it would be giving recipients “access to a complimentary Experian Identity Plus membership… purely out of an abundance of caution and not because we consider your data specifically to be at risk.”

It did not detail how many people had been affected. The firm has “200 stores across the UK and Ireland” – doing particularly well in seaside areas – and offers international shipping, although its website currently says this is unavailable.

[…]

Source: Clothes retailer Fatface: Someone’s broken in and accessed your personal data, including partial card payment details… Don’t tell anyone • The Register

I guess they don’t have to notify anyone now that the UK is out of the EU and doesn’t have to conform to GDPR rules…

Guns.Com Got Hacked – personal data available on forum

Watch out, firearm lovers. The subtly-named guns.com, a place where Americans can go to pick out whatever stylish boomstick they like and have it shipped straight to their neck of the woods, seems to have a pretty awful data breach on its hands.

Back in January, a hacker temporarily disabled the company’s website, interfering with the site’s retail operations and forcing the weapons peddler to apologize to its confused customers for the whole debacle.

Guns.com has claimed that this attack was meant to prevent the “business from operating”—and that there is “no indication” of any attempt to steal data. However, this assessment may be wrong.

This week a large cache of files allegedly taken from the site appeared on the popular dark web site Raid Forums. In fact, an anonymous user offered Guns.com’s entire kit and caboodle—allegedly everything from troves of consumer and administrative data to the site’s stolen source code—free to all comers.

The data dump shows substantial gun buyer information, including user IDs, full names, email addresses, phone numbers, hashed passwords, and, most alarmingly, physical addresses—including city, state, and zip code information. The site data has been viewed by Gizmodo and it was originally reported on by Hackread.

The dump also seems to show access to information about many of the firearms providers that sell through the platform (the site acts as a location for sellers as much as for buyers), and Hackread reports that an Excel file within the data tranche shows “sensitive login details of Guns.com including its administrator’s WordPress, MYSQL, and Cloud (Azure) credentials,” though it’s unclear if this is recent information. We also found back-end code for a Laravel-powered version of the site, although it isn’t clear what platform the retailer is currently using.

[…]

Source: Guns.Com Got Hacked

Big Tech CEOs Waffle on Banning the 12 Major Anti-Vaxxers that cause 73% of misinformation

After a report from the Center for Countering Digital Hate (CCDH) and Anti-Vax Watch found that a huge percentage of misinformation and conspiracy theories about vaccines can be traced back to just a dozen people, the CEOs of Facebook, Google, and Twitter told Congress they weren’t sure they would ban them.

The CCDH/Anti-Vax Watch report found that some 73 percent of misinformation on Facebook, and 17 percent on Twitter, is linked to a group of 12 accounts including prominent anti-vaxxers Joseph Mercola, Robert F. Kennedy Jr., Ty & Charlene Bollinger, Sherri Tenpenny, and Rizza Islam. The report also identified what it concluded were clear violations of platform policies on the spread of disinformation about the novel coronavirus pandemic and vaccines in general. The report was prominently cited in a letter by 12 state attorneys general to Twitter CEO Jack Dorsey and Facebook CEO Mark Zuckerberg demanding they do more to fight coronavirus-related misinformation; according to the Washington Post, this mirrors internal Facebook research showing relatively tiny groups of users are primarily responsible for flooding the site with anti-vaccine content.

“Analysis of a sample of anti-vaccine content that was shared or posted on Facebook and Twitter a total of 812,000 times between 1 February and 16 March 2021 shows that 65 percent of anti-vaccine content is attributable to the Disinformation Dozen,” the report states. “Despite repeatedly violating Facebook, Instagram, and Twitter’s terms of service agreements, nine of the Disinformation Dozen remain on all three platforms, while just three have been comprehensively removed from just one platform.”

“Research conducted by CCDH last year has shown that platforms fail to act on 95 percent of the Covid and vaccine misinformation reported to them, and we have uncovered evidence that Instagram’s algorithm actively recommends similar misinformation,” they added. “Tracking of 425 anti-vaccine accounts by CCDH shows that their total following across platforms now stands at 59.2 million as a result of these failures.”

[…]

Source: Big Tech CEOs Waffle on Banning the 12 Major Anti-Vaxxers

Venus Flytraps Have Magnetic Fields Like the Human Brain

[…]

a group of mavericks out of Switzerland have detected a magnetic signal in a plant. Using a highly sensitive magnetometer, an interdisciplinary team of researchers have measured signals from a Venus flytrap of up to 0.5 picotesla. To make matters even more mind-blowing, this signal is roughly equivalent to the biomagnetic field strength of the human brain. The full report is here.

The findings shine a light on a whole new world of plant communications we never knew was there and paves the path for new approaches to diagnose and treat plant diseases. It’s a parade-worthy “I told you so” for champions of plant intelligence, and a new dawn for how we live in harmony with the green kingdom.

[…]

So, why does it matter that a plant has a detectable biomagnetic signal? Well, bioelectromagnetism is the amount of magnetic signal given off by a living thing,

[…]

The Venus flytrap boasts three trigger hairs that serve as mechanosensors. When a prey insect touches a trigger hair, an Action Potential is generated and travels along both trap lobes. If a second touch-induced Action Potential is fired within 30 seconds, the energy stored in the open trap is released and the capture organ closes. This is the plant-insect equivalent of a repeat offender. Imprisonment ensues.

Crucial to making these findings was the fact that this electrical activity doesn’t carry into the stalk of traps, which allowed the researchers to isolate the lobe by slicing it from the rest of the plant. Biologically intact, it was then placed on to a sensor.

[…]

The readings returned pretty much identical results four times in a row.

The discovery is as huge for biomagnetism in plants as it is for electro-physiology in general. We now have proof of a pathway for long-distance signal propagation between plant cells. Talk amongst your cells.

Both signal a new era of understanding plant systems we are only just coming to grips with.

A 2017 study published in ‘Frontiers in Plant Science’ looked at the photosynthetic properties of pale green leaf rice. Image: Gu, et. al.

Now what?

The report’s introduction ponders, “in the future, magnetometry may be used to study long-distance electrical signaling in a variety of plant species, and to develop noninvasive diagnostics of plant stress and disease.”

With the help of this current research, crops could be scanned for temperature shifts, chemical changes, or pests without having to damage the plants themselves.

[…]

Perhaps our best next step is looking at how other species interact with these magnetic fields. Since these fields exist, they may serve some practical purpose. “Plants and insects have co-evolved for millions of years,” explained Crutsinger. “The trap is getting prey. But insects could leverage that to their own benefit as well. They’re super sensitive and they have antennas. How might they cue in on the magn

[…]

Source: Venus Flytraps Have Magnetic Fields Like the Human Brain