The Linkielist

Linking ideas with the world

About Robin Edgar


Google CEO apologises for document outlining how to counter new EU rules by attacking rulemaker, EU’s Breton warns internet is not Wild West

Alphabet CEO Sundar Pichai has apologised to Europe’s industry chief Thierry Breton over a leaked internal document proposing tactics to counter the EU’s tough new rules on internet companies and to lobby against the EU commissioner.

[…]

The call came after a Google internal document outlined a 60-day strategy to attack the European Union’s push for the new rules by getting U.S. allies to push back against Breton.

[…]

The incident underlines the intense lobbying by tech companies against the proposed EU rules, which could impede their businesses and force changes in how they operate.

Breton also warned Pichai about the excesses of the internet.

“The Internet cannot remain a ‘Wild West’: we need clear and transparent rules, a predictable environment and balanced rights and obligations,” he told Pichai.

Breton will announce new draft rules known as the Digital Services Act and the Digital Markets Act together with European Competition Commissioner Margrethe Vestager on Dec. 2.

The rules will set out a list of do’s and don’ts for gatekeepers – online companies with market power – forcing them to share data with rivals and regulators and not to promote their services and products unfairly.

EU antitrust chief Margrethe Vestager has levied fines totalling 8.25 billion euros ($9.7 billion) against Google in the past three years for abusing its market power to favour its shopping comparison service, its Android mobile operating system and its advertising business.

Breton told Pichai that he would increase the EU’s power to curb unfair behaviour by gatekeeping platforms, so that the Internet does not just benefit a handful of companies but also Europe’s small- and medium-sized enterprises and entrepreneurs.

Source: Google CEO apologises for document, EU’s Breton warns internet is not Wild West | Reuters

Ticketmaster cops £1.25m ICO fine for 2018 Magecart breach, blames someone else and vows to appeal

The Information Commissioner’s Office has fined Ticketmaster £1.25m after the site’s operators failed to spot a Magecart card skimmer infection until after 9 million customers’ details had been slurped by criminals.

The breach began in February 2018 and was not detected until April, when banks realised their customers’ cards were being abused by criminals immediately after they were used for legitimate purchases on Ticketmaster’s website.

Key to the criminals’ success was Ticketmaster’s decision to deploy a JavaScript-powered chatbot on its website payment pages, which gave the attackers an easy way in once they had compromised the third party’s script – something the ICO held against Ticketmaster in its decision to impose the fine.

Ticketmaster ‘fessed up to world+dog in June that year, and the final damage has now been revealed by the Information Commissioner’s Office (ICO): 9.4m people’s data was “potentially affected” of which 1.5m were in the UK; 66,000 credit cards were compromised and had to be replaced; and Ticketmaster itself doesn’t know how many people were affected between 25 May and 23 June 2018.

Today’s fine only applies to that May-June period, which happens to be after the Data Protection Act 2018 – the UK implementation of the EU’s GDPR – came into force. This allowed the ICO to impose a higher penalty than it could have done under the pre-GDPR legal regime.

[…]

Ticketmaster remains in denial about its culpability for the breach, telling The Register in a statement: “Ticketmaster takes fans’ data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO. We plan to appeal today’s announcement.”

Inbenta Technologies supplied a custom JavaScript-powered chatbot to Ticketmaster, which was compromised by the Magecart operators.

Crucially, for whatever reason, Ticketmaster deployed the chatbot on its payment pages, giving the criminals a way in.

As we reported in 2018, Inbenta told us of Ticketmaster’s deployment of the JavaScript in question: “Had we known that script would have been used in that way, we would have advised against it, as it poses a security threat.”

[…]

“It took Ticketmaster approximately nine weeks from the date of Monzo’s notification of possible fraud involving the Ticketmaster website for Ticketmaster to run a payment through its payment page and monitor the network traffic thereon,” said an incredulous ICO, which noted that it took a random Twitter user explaining why JS on a payments page is a bad thing for the business to wake up and do something about it.

Barclaycard and American Express also noticed suspicious goings-on in April 2018, but Ticketmaster steadfastly denied anything was wrong until May, eventually realising the game was up in June.

[…]

Source: Ticketmaster cops £1.25m ICO fine for 2018 Magecart breach, blames someone else and vows to appeal • The Register

Mozilla *privacy not included tech buyers guide rated on creepy scale

This is a list of 130 Smart home gadgets, fitness trackers, toys and more, rated for their privacy & security. It’s a large list and shows you how basically anything by big tech is pretty creepy – anything by Amazon and Facebook is super creepy, Google pretty creepy, Apple only creepy. There are a few surprises, like Moleskine being super creepy. Fitness machinery is pretty bad as are some coffee makers… Nintendo Switches and PS5s (surprisingly) aren’t creepy at all…

Source: Mozilla – *privacy not included

Google’s SoundFilter AI separates any sound or voice from mixed-audio recordings

Researchers at Google claim to have developed a machine learning model that can separate a sound source from noisy, single-channel audio based on only a short sample of the target source. In a paper, they say their SoundFilter system can be tuned to filter arbitrary sound sources, even those it hasn’t seen during training.

The researchers believe a noise-eliminating system like SoundFilter could be used to create a range of useful technologies. For instance, Google drew on audio from thousands of its own meetings and YouTube videos to train the noise-canceling algorithm in Google Meet. Meanwhile, a team of Carnegie Mellon researchers created a “sound-action-vision” corpus to anticipate where objects will move when subjected to physical force.

SoundFilter treats the task of sound separation as a one-shot learning problem. The model receives as input the audio mixture to be filtered and a single short example of the kind of sound to be isolated. Once trained, SoundFilter is expected to extract that kind of sound from the mixture if it is present.

[…]

Source: Google’s SoundFilter AI separates any sound or voice from mixed-audio recordings | VentureBeat

Microsoft: Russian, North Korean Hackers Attacked Covid-19 Labs

Microsoft researchers have found evidence that Russian and North Korean hackers have systematically attacked covid-19 labs and vaccine makers in an effort to steal data and initiate ransomware attacks.

“Among the targets, the majority are vaccine makers that have Covid-19 vaccines in various stages of clinical trials, clinical research organization involved in trials, and one has developed a Covid-19 test,” said Tom Burt, a VP in Customer Security at Microsoft. “Multiple organizations targeted have contracts with or investments from government agencies from various democratic countries for Covid-19 related work.”

“The targets include leading pharmaceutical companies and vaccine researchers in Canada, France, India, South Korea, and the United States. The attacks came from Strontium, an actor originating from Russia, and two actors originating from North Korea that we call Zinc and Cerium,” wrote Burt.

The attacks took the form of brute-force login attempts and spear-phishing designed to trick victims into handing over their credentials. Microsoft, naturally, reports that its tools caught and blocked most of them. Some of the phishing lures impersonated World Health Organization representatives in order to trick doctors into installing malware.

Zack Whittaker at TechCrunch noted that the Russian group, Strontium, is better known as APT28 or Fancy Bear, and that the other groups are probably part of the North Korean Lazarus Group, the hackers blamed for the 2017 WannaCry ransomware outbreak and the 2014 Sony Pictures hack.

Source: Microsoft: Russian, North Korean Hackers Attacked Covid-19 Labs

Apple braces for antitrust woes by letting users select and install third-party apps during setup of iOS 14.3

iOS 14.3 will prompt some users to install selected third-party applications during setup, in what is likely an attempt to stifle any allegations of anticompetitive behaviour from regulators.

The feature, which is buried deep within the beta version of the upcoming iOS release and was first spotted by 9to5Mac, is believed to be activated depending on the location of the user, and states: “In compliance with regional legal requirements, continue to view available apps to download.”

Although iOS is not the most widely installed mobile operating system (that crown belongs to Android), it is unique in the degree of control Apple exerts over its ecosystem, famously dubbed the Walled Garden. Users can install third-party software from only one place, the App Store, and developers are forced to use Apple’s payment processing, which takes a 30 per cent cut of transactions. Moreover, until recently, users were unable to select third-party products as their default browser and email apps.

This has prompted antitrust investigations in several jurisdictions, including the US, Japan, and the EU, often triggered by complaints from competitors such as Spotify and Rakuten. That is in addition to the legal action taken by Epic Games, which claims Apple deliberately disadvantages third-party developers through its App Store policies.

[…]

Source: Apple braces for antitrust woes by letting users select and install third-party apps during setup of iOS 14.3 • The Register


This is something I have been talking about since early 2019 and it’s good to see action happening on it

New lawsuit: Why do Android phones mysteriously exchange 260MB a month with Google via cellular data when they’re not even in use? Also Apple + ad fraud

Google on Thursday was sued for allegedly stealing Android users’ cellular data allowances through unapproved, undisclosed transmissions to the web giant’s servers.

The lawsuit, Taylor et al v. Google [PDF], was filed in a US federal district court in San Jose on behalf of four plaintiffs based in Illinois, Iowa, and Wisconsin in the hope the case will be certified by a judge as a class action.

The complaint contends that Google is using Android users’ limited cellular data allowances without permission to transmit information about those individuals that’s unrelated to their use of Google services.

Data sent over Wi-Fi is not at issue, nor is data sent over a cellular connection in the absence of Wi-Fi when an Android user has chosen to use a network-connected application. What concerns the plaintiffs is data sent to Google’s servers that isn’t the result of deliberate interaction with a mobile device – we’re talking passive or background data transfers via cell network, here.

[…]

Android users have to accept four agreements to participate in the Google ecosystem: the Terms of Service; the Privacy Policy; the Managed Google Play Agreement; and the Google Play Terms of Service. None of these, the court filing contends, discloses that Google spends users’ cellular data allowances on these background transfers.

To support the allegations, the plaintiffs’ counsel tested a new Samsung Galaxy S7 phone running Android, with a signed-in Google Account and default settings, and found that when left idle without a Wi-Fi connection, the phone “sent and received 8.88 MB/day of data, with 94 per cent of those communications occurring between Google and the device.”

The device, stationary, with all apps closed, transferred data to Google about 16 times an hour, or about 389 times in 24 hours. Assuming even half of that data is outgoing, Google would receive about 4.4MB per day or 130MB per month in this manner per device subject to the same test conditions.

Putting worries of what could be in that data to one side, based on an average price of $8 per GB of data in the US, that 130MB works out to about $1 lost to Google data gathering per month – if the device is disconnected from Wi-Fi the entire time and does all its passive transmission over a cellular connection.

An iPhone with Apple’s Safari browser open in the background transmits only about a tenth of that amount to Apple, according to the complaint.

Much of the transmitted data, it’s claimed, are log files that record network availability, open apps, and operating system metrics. Google could have delayed transmitting these files until a Wi-Fi connection was available, but chose instead to spend users’ cell data so it could gather data at all hours.

Vanderbilt University Professor Douglas C. Schmidt performed a similar study in 2018 – except that the Chrome browser was open – and found that Android devices made 900 passive transfers in 24 hours.

Under active use, Android devices transfer about 11.6MB of data to Google servers daily, or 350MB per month, it’s claimed, which is about half the amount transferred by an iPhone.

The complaint charges that Google conducts these undisclosed data transfers to further its advertising business, sending “tokens” that identify users for targeted advertising and preloading ads that generate revenue even if they’re never displayed.

“Users often never view these pre-loaded ads, even though their cellular data was already consumed to download the ads from Google,” the legal filing claims. “And because these pre-loads can count as ad impressions, Google is paid for transmitting the ads.”

Source: New lawsuit: Why do Android phones mysteriously exchange 260MB a month with Google via cellular data when they’re not even in use? • The Register

MATRIC – control your PC from phone using button templates

KEYBOARD EMULATION

Low-level keyboard emulation that works in most apps and games

KEYBOARD MACROS

Record multiple keyboard actions into precisely timed macros

STREAM DECK

MATRIC supports OBS Studio, from simple scene switching to a full-blown studio-mode mixing console

DECK EDITOR

Create your own decks with an intuitive drag-and-drop editor

PHOTO CAPTURE

Snap a photo on the smartphone and MATRIC can send it to the PC clipboard

BARCODE SCANNER

Scan a barcode or QR code with the smartphone and MATRIC types it into your PC

TOUCHPAD

Use the smartphone screen as a multi-touch touchpad for the PC

VIRTUAL JOYSTICK

Use MATRIC as a virtual joystick with full support for buttons and axes

AUDIO PLAYER

Play an audio file on the PC

Source: MATRIC

Microsoft warns against SMS, voice calls for multi-factor authentication: Try something that can’t be SIM swapped

In a blog post, Alex Weinert, director of identity security at Microsoft, says people should definitely use MFA. He claims that accounts protected by any form of MFA are compromised at less than 0.1 per cent of the rate seen across the general population.

At the same time, he argues people should avoid relying on SMS messages or voice calls to handle one-time passcodes (OTPs) because phone-based protocols are fundamentally insecure.

“These mechanisms are based on public switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today,” said Weinert. “That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages.”

Hacking techniques like SIM swapping – where a miscreant contacts a mobile carrier posing as the customer and has the customer’s number moved to a SIM card in the attacker’s possession – and more sophisticated network attacks like SS7 interception have demonstrated the security shortcomings of public phone networks and the companies running them.

Computer scientists from Princeton University examined SIM swapping in a research study [PDF] earlier this year and their results support Weinert’s claims. They tested AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless and found “all 5 carriers used insecure authentication challenges that could easily be subverted by attackers.”

They also looked at 140 online services that used phone-based authentication to see whether they resisted SIM swapping attacks. And they found 17 had authentication policies that allowed an attacker to hijack an account with a SIM swap.

In September, security firm Check Point Research published a report describing various espionage campaigns, including the discovery of malware that sets up an Android backdoor to steal two-factor authentication codes from SMS messages.

Weinert argues that SMS and voice protocols were not designed with encryption in mind, are easy to attack using social engineering, rely on mobile carriers whose security is outside the relying party’s control, and are subject to shifting regulation.

[…]

Source: Microsoft warns against SMS, voice calls for multi-factor authentication: Try something that can’t be SIM swapped • The Register

There’s a Massive Recall of Amazon Neighbourhood Spy Ring Doorbells – might explode in flames

In a year where it seems everything is both literally and figuratively on fire, it’s not surprising that we can now add Amazon’s Ring Video Doorbell to the list. Yes, it turns out that the device you purchased and installed for the purpose of making your home safer is itself a safety hazard. As a result, Amazon has issued a massive recall of its popular doorbell/spy camera. Here’s what to know.

What’s going on with Ring Doorbells?

Amazon is recalling approximately 350,000 Ring Video Doorbells (2nd Generation) sold through Amazon.com, Ring.com, and at third-party electronics and home goods stores in the United States and Canada between June and October 2020. The company made this decision after receiving reports of 85 incidents tied to incorrectly installed doorbells—23 of which involve doorbells igniting and causing minor property damage, in addition to eight reports of minor burns.

According to the Consumer Product Safety Commission (CPSC), the video doorbell’s battery can overheat if the wrong type of screws are used to install the device, posing fire and burn hazards. As a result, the CPSC advises that consumers immediately stop installing the recalled video doorbells.

Source: There’s a Massive Recall of Amazon Ring Doorbells

You shouldn’t have one of these hacker-vulnerable privacy-invasion machines anyway.

YouTube to world: Move along, nothing to see here … because we’re having an outage

The video locker was slow to load videos and balked when asked to upload new content on Wednesday, from just before midnight GMT. While all but night-owl European users mostly missed the mess, North American users woke up without their favourite early morning streams and some Asian users were also deprived of their favourite vids and top-notch strategic content like Reg lectures.

In typical Google style, YouTube had very little to say about the incident, other than acknowledging it was aware of the situation and then sounding the all-clear without revealing any details about what had transpired.

Multiple observers have pointed out that YouTube’s travails were matched at Google’s Movie-and-TV-show streaming operations, suggesting a problem on common infrastructure.

Plenty of people make a living on YouTube, so the outage is more than an inconvenience or opportunity to make cheap quips about cat videos.

Source: YouTube to world: Move along, nothing to see here … because we’re having an outage • The Register

Researchers 3-D print biomedical parts with supersonic speed

Forget glue, screws, heat or other traditional bonding methods. A Cornell University-led collaboration has developed a 3-D printing technique that creates cellular metallic materials by smashing together powder particles at supersonic speed.

This form of technology, known as “cold spray,” results in mechanically robust structures that are 40% stronger than similar materials made with conventional manufacturing processes. The structures’ small size and porosity make them particularly well suited to biomedical components such as replacement joints.

The team’s paper, “Solid-State Additive Manufacturing of Porous Ti-6Al-4V by Supersonic Impact,” was published Nov. 9 in Applied Materials Today.

The paper’s lead author is Atieh Moridi, assistant professor in the Sibley School of Mechanical and Aerospace Engineering.

“We focused on making cellular structures, which have lots of applications in thermal management, energy absorption and biomedicine,” Moridi said. “Instead of using only heat as the input or the driving force for bonding, we are now using plastic deformation to bond these powder particles together.”

[…]

The particles were between 45 and 106 microns in diameter (a micron is one-millionth of a meter) and traveled at roughly 600 meters per second, faster than the speed of sound. To put that into perspective, another mainstream additive process, directed energy deposition, delivers powders through a nozzle at a velocity on the order of 10 meters per second, making Moridi’s method about sixty times faster.

[…]

“If we make implants with these kind of porous structures, and we insert them in the body, the bone can grow inside these pores and make a biological fixation,” Moridi said. “This helps reduce the likelihood of the implant loosening. And this is a big deal. There are lots of revision surgeries that patients have to go through to remove the implant just because it’s loose and it causes a lot of pain.”

While the process is technically termed cold spray, it did involve some heat treatment. Once the particles collided and bonded together, the researchers heated the metal so the components would diffuse into each other and settle like a homogeneous material.

“We only focused on titanium alloys and biomedical applications, but the applicability of this process could be beyond that,” Moridi said. “Essentially, any metallic material that can endure plastic deformation could benefit from this process. And it opens up a lot of opportunities for larger-scale industrial applications, like construction, transportation and energy.”

Source: Researchers 3-D print biomedical parts with supersonic speed

More information: Atieh Moridi et al, Solid-state additive manufacturing of porous Ti-6Al-4V by supersonic impact, Applied Materials Today (2020). DOI: 10.1016/j.apmt.2020.100865

Swiss spies knew about Crypto AG compromise – and kept it from govt overseers for nearly 30 years

Swiss politicians only found out last year that cipher machine company Crypto AG was (quite literally) owned by the US and Germany during the Cold War, a striking report from its parliament has revealed.

The company, which supplied high-grade encryption machines to governments and corporations around the world, was in fact owned by the US civilian foreign intelligence service the CIA and Germany’s BND spy agency during the Cold War, as we reported earlier this year.

Although Swiss spies themselves knew that Crypto AG’s products were being intentionally weakened so the West could read messages passing over them, they didn’t tell governmental overseers until last year – barely one year after the operation ended.

So stated the Swiss federal parliament in a report published yesterday afternoon, which has caused fresh raising of eyebrows over the scandal. While infosec greybeard Bruce Schneier told El Reg last year: “I thought we knew this for decades,” referring to age-old (but accurate, though officially denied) news reports of the compromise, this year’s revelations have been the first official admissions that not only was this going on, but that it was deliberately hidden from overseers.

[…]

The revelations that the Swiss state itself knew about Crypto AG’s operations may prove to be a diplomatic embarrassment; aside from secrecy and chocolate, Switzerland’s other big selling point on the international stage is that it is very publicly and deliberately neutral. Secretly cooperating with Western spies during the Cold War and beyond, and enabling spying on state-level customers, is likely to harm that reputation.

Professor Woodward concluded: “If nothing else this whole episode shows that it’s easier to interfere with equipment handling encryption than to try to tackle the encryption head on. But, it has a warning for those who would seek to give a golden key, weaken encryption or provide some other means for government agencies to read encrypted messages. Just like you can’t be a little bit pregnant, if the crypto is weakened then you have to assume your communications are no longer secure.”

Source: Swiss spies knew about Crypto AG compromise – and kept it from govt overseers for nearly 30 years • The Register

Campari Ransomware Hackers Take Out Facebook Ads to Get Paid

The Campari Group recently experienced a ransomware attack that allegedly shut down the company’s servers. The malware, created by the RagnarLocker gang, essentially locked corporate servers and allowed the hackers to exfiltrate “2 terabytes” of data, according to the hackers.

On Nov. 6, the company wrote, “at this stage, we cannot completely exclude that some personal and business data has been taken.”

Clearly, it has.

While the booze company admitted to the attack, it’s clear the attackers haven’t been paid the ransom, as they reportedly took out Facebook ads targeting Campari Group employees.

To post the ads, the hackers broke into a business-focused account owned by another victim, Chris Hodson, and used his credit card to pay for $500 worth of ads. Hodson, a Chicago-based DJ, told security researcher Brian Krebs he had set up two-factor authentication but that the hackers were still able to crack his Hodson Event Entertainment account.

“Hodson said a review of his account shows the unauthorized campaign reached approximately 7,150 Facebook users, and generated 770 clicks, with a cost-per-result of 21 cents,” wrote Krebs. “Of course, it didn’t cost the ransomware group anything. Hodson said Facebook billed him $35 for the first part of the campaign, but apparently detected the ads as fraudulent sometime this morning before his account could be billed another $159 for the campaign.”

[…]

Facebook isn’t the only method the Ragnar group is using to reach out to victims. Security experts believe the hacking group is also now hiring outgoing call center operators in India to help victims remember who, ultimately, is in charge of their data.

Source: Campari Ransomware Hackers Take Out Facebook Ads to Get Paid

Six Reasons Why Google Maps Is the Creepiest App On Your Phone

VICE has highlighted six reasons why Google Maps is the creepiest app on your phone. An anonymous reader shares an excerpt from the report: 1. Google Maps Wants Your Search History: Google’s “Web & App Activity” settings describe how the company collects data, such as user location, to create a faster and “more personalized” experience. In plain English, this means that every single place you’ve looked up in the app — whether it’s a strip club, a kebab shop or your moped-riding drug dealer’s location — is saved and integrated into Google’s search engine algorithm for a period of 18 months. Google knows you probably find this creepy. That’s why the company uses so-called “dark patterns” — user interfaces crafted to coax us into choosing options we might not otherwise, for example by highlighting an option with certain fonts or brighter colors.

2. Google Maps Limits Its Features If You Don’t Share Your Search History: If you open your Google Maps app, you’ll see a circle in the top right corner that signifies you’re logged in with your Google account. That’s not necessary, and you can simply log out. Of course, the log out button is slightly hidden, but can be found like this: click on the circle > Settings > scroll down > Log out of Google Maps. Unfortunately, Google Maps won’t let you save frequently visited places if you’re not logged into your Google account. If you choose not to log in, when you click on the search bar you get a “Tired of typing?” button, suggesting you sign in, and coaxing you towards more data collection.

3. Google Maps Can Snitch On You: Another problematic feature is the “Google Maps Timeline,” which “shows an estimate of places you may have been and routes you may have taken based on your Location History.” With this feature, you can look at your personal travel routes on Google Maps, including the means of transport you probably used, such as a car or a bike. The obvious downside is that your every move is known to Google, and to anyone with access to your account. And that’s not just hackers — Google may also share data with government agencies such as the police. […] If your “Location History” is on, your phone “saves where you go with your devices, even when you aren’t using a specific Google service,” as is explained in more detail on this page. This feature is useful if you lose your phone, but also turns it into a bona fide tracking device.

4. Google Maps Wants to Know Your Habits: Google Maps often asks users to share a quick public rating. “How was Berlin Burger? Help others know what to expect,” suggests the app after you’ve picked up your dinner. This feels like a casual, lighthearted question and relies on the positive feeling we get when we help others. But all this info is collected in your Google profile, making it easier for someone to figure out if you’re visiting a place briefly and occasionally (like on holiday) or if you live nearby.

5. Google Maps Doesn’t Like It When You’re Offline: Remember standalone GPS navigation units? They might have been clunky and slow, but they are a good reminder that you don’t need an internet connection to be given directions. In fact, other apps offer offline navigation. In Google Maps you can download maps, but offline navigation is only available for driving. It seems fairly unlikely the tech giant can’t figure out how to direct pedestrians and cyclists without internet.

6. Google Makes It Seem Like This Is All for Your Own Good: “Providing useful, meaningful experiences is at the core of what Google does,” the company says on its website, adding that knowing your location is important for this reason. They say they use this data for all kinds of useful things, like “security” and “language settings” — and, of course, selling ads. Google also sells advertisers the possibility to evaluate how well their campaigns reached their target (that’s you!) and how often people visited their physical shops “in an anonymized and aggregated manner”. But only if you opt in (or you forget to opt out).

Source: Six Reasons Why Google Maps Is the Creepiest App On Your Phone – Slashdot

It Took Just 5 Minutes Of Movement Data To Identify ‘Anonymous’ VR Users

As companies and governments increasingly hoover up our personal data, a common refrain to keep people from worrying is the claim that nothing can go wrong because the data itself is “anonymized” — or stripped of personal identifiers like social security numbers. But time and time again, studies have shown how this really is cold comfort, given it takes only a little effort to pretty quickly identify a person based on access to other data sets. Yet most companies, many privacy policy folk, and even government officials still like to act as if “anonymizing” your data means something.

The latest case in point: new research out of Stanford (first spotted by the German website Mixed), found that it took researchers just five minutes of examining the movement data of VR users to identify them in the real world. The paper says participants using an HTC Vive headset and controllers watched five 20-second clips from a randomized set of 360-degree videos, then answered a set of questions in VR that were tracked in a separate research paper.

The movement data (including height, posture, head movement speed and what participants looked at and for how long) was then plugged into three machine learning algorithms, which, from a pool of 511 participants, was able to correctly identify 95% of users accurately “when trained on less than 5 min of tracking data per person.” The researchers went on to note that while VR headset makers (like every other company) assure users that “de-identified” or “anonymized” data would protect their identities, that’s really not the case:

“In both the privacy policy of Oculus and HTC, makers of two of the most popular VR headsets in 2020, the companies are permitted to share any de-identified data,” the paper notes. “If the tracking data is shared according to rules for de-identified data, then regardless of what is promised in principle, in practice taking one’s name off a dataset accomplishes very little.”

If you don’t like this study, there’s just an absolute ocean of research over the last decade making the same point: “anonymized” or “de-identified” doesn’t actually mean “anonymous.” Researchers from the University of Washington and the University of California, San Diego, for example, found that they could identify drivers based on just 15 minutes’ worth of data collected from brake pedal usage alone. Researchers from Stanford and Princeton universities found that they could correctly identify an “anonymized” user 70% of the time just by comparing their browsing data to their social media activity.

[…]

Source: It Took Just 5 Minutes Of Movement Data To Identify ‘Anonymous’ VR Users | Techdirt

EU Takes Another Small Step Towards Trying To Ban Encryption; New Paper Argues Tech Can Backdoor Encryption Safely. It can’t.

In September, we noted that officials in the EU were continuing an effort to try to ban end-to-end encryption. Of course, that’s not how they put it. They say they just want “lawful access” to encrypted content, not recognizing that any such backdoor effectively obliterates the protections of end-to-end encryption. A new “Draft Council Resolution on Encryption” has come out as the EU Council of Ministers continues to drift dangerously towards this ridiculous position.

We’ve seen documents like this before. It starts out with a preamble insisting that they’re not really trying to undermine encryption, even though they absolutely are.

The European Union fully supports the development, implementation and use of strong encryption. Encryption is a necessary means of protecting fundamental rights and the digital security of governments, industry and society. At the same time, the European Union needs to ensure the ability of competent authorities in the area of security and criminal justice, e.g. law enforcement and judicial authorities, to exercise their lawful powers, both online and offline.

Uh huh. That’s basically we fully support you having privacy in your own home, except when we need to spy on you at a moment’s notice. It’s not so comforting when put that way, but it’s what they’re saying.

[…]

This is the same old garbage we’ve seen before. Technologically illiterate bureaucrats who have no clue at all, insisting that if they just “work together” with the tech industry, some magic golden key will be found. This is not how any of this works. Introducing a backdoor into encryption is introducing a massive, dangerous vulnerability

[…]

Attacking end-to-end encryption in order to deal with the minuscule number of situations where law enforcement is stymied by encryption would, in actuality, put everyone at massive risk of having their data accessed by malicious parties.

[…]

Source: EU Takes Another Small Step Towards Trying To Ban Encryption; New Paper Argues Tech Can Nerd Harder To Backdoor Encryption | Techdirt

Introducing a backdoor is introducing a vulnerability – one that anyone can exploit. The good guys, the bad guys and the idiots. There is a long and varied history of exploited backdoors in all kinds of very important stuff (eg the clipper chip, the encryption hardware sold to governments, mobile phone networks, even kids’ smartwatches, switches), and they’ve all been misused by malicious actors.

Here is a long but not conclusive list

European Commission charges Amazon over misuse of seller data to make copycat products

The European Union is serving formal antitrust charges to Amazon, saying that the retailer has misused its position to compete against third-party businesses using its platform. Officials, led by competition chief Margrethe Vestager, believe there is enough evidence to charge the company for this misuse. This data, so the claim goes, was used by Amazon to build copycat products to undercut these independent businesses, especially in large markets like France and Germany.

At the same time, regulators have opened a second investigation into favorable treatment around the “Buy Box” and the “Prime Label.” Officials suspect that independent sellers that use Amazon’s own logistics network are able to use features that those with their own logistics networks do not. Vestager said that they want those independents to be able to “compete on the merits” rather than on any sort of lock-in.

Amazon, very broadly, is a retailer itself, but it’s also a retail platform that lets third parties sell their wares side by side with Amazon’s own. These independent, unaffiliated companies can even piggyback on Amazon’s vast logistics and warehousing network. But there’s a catch: If a small seller makes a surprisingly popular product, Amazon can see that sales data on its own system. There could be the temptation for Amazon to make a similar product and direct sales toward itself.

This isn’t a hypothetical, and The Wall Street Journal published a report in April claiming the company was doing this very thing. Former employees have claimed that Amazon can not only identify hot trends but also use that data to price their own products competitively. In one example, the makers of a popular car trunk organizer found that, a while after, Amazon launched a very similar product as part of its private label offering.

Now, Amazon has said that using third-party seller data in this manner is against its own policies and affirmed that position in Congress. Amazon has also said that the practice of producing “private label” goods is used by every major retailer, and isn’t a threat to the independent brands they sell. But regulators in both the US and Europe aren’t satisfied with that answer and are pushing for more information. In July 2019, the EU opened a formal investigation to see if what Amazon was doing violated local competition rules, with today’s charges the result of that procedure.

[…]


Source: European Commission charges Amazon over misuse of seller data | Engadget

I have been talking about this since early 2019; it’s good to see action on this!

Analysis of Trump’s tweets reveals systematic diversion of the media

President Donald Trump’s controversial use of social media is widely known and theories abound about its ulterior motives. New research published today in Nature Communications claims to provide the first evidence-based analysis demonstrating the US President’s Twitter account has been routinely deployed to divert attention away from a topic potentially harmful to his reputation, in turn suppressing negative related media coverage.

The international study, led by the University of Bristol in the UK, tested two hypotheses: whether an increase in harmful media coverage was followed by increased diversionary Twitter activity, and if such diversion successfully reduced subsequent media coverage of the harmful topic.

[…]

The study focused on Trump’s first two years in office, scrutinising the Robert Mueller investigation into potential collusion with Russia in the 2016 Presidential Election, as this was politically harmful to the President. The team analysed content relating to Russia and the Mueller investigation in two of the country’s most politically neutral media outlets, New York Times (NYT) and ABC World News Tonight (ABC). The team also selected a set of keywords judged to play to Trump’s preferred topics at the time, which were hypothesized to be likely to appear in diversionary tweets. The keywords related to “jobs”, “China”, and “immigration”; topics representing the president’s supposed political strengths.

The researchers hypothesized that the more ABC and NYT reported on the Mueller investigation, the more Trump’s tweets would mention jobs, China, and immigration, which in turn would result in less coverage of the Mueller investigation by ABC and NYT.

In support of their hypotheses, the team found that every five additional ABC headlines relating to the Mueller investigation were associated with one more mention of a keyword in Trump’s tweets. In turn, two additional mentions of one of the keywords in a Trump tweet were associated with roughly one less mention of the Mueller investigation in the following day’s NYT.

Such a pattern did not emerge with placebo topics that presented no threat to the President, for instance Brexit or other non-political issues such as football or gardening.

[…]

Professor Lewandowsky said: “It’s unclear whether President Trump, or whoever is at the helm of his Twitter account, engages in such tactics intentionally or if it’s mere intuition. Either way, we hope these results serve as a helpful reminder to the media that they have the power to set the news agenda, focusing on the topics they deem most important, while perhaps not paying so much attention to the Twitter-sphere.”

Source: Analysis of Trump’s tweets reveals systematic diversion of the media

Hotels.com, Booking.com and Expedia provider exposed data from 2013 for millions of guests on open AWS bucket

Website Planet reports that Prestige Software, the company behind hotel reservation platforms for Hotels.com, Booking.com and Expedia, left data exposed for “millions” of guests on an Amazon Web Services S3 bucket. The 10 million-plus log files dated as far back as 2013 and included names, credit card details, ID numbers and reservation details.

It’s not certain how long the data was left open, or if anyone took the data. Website Planet said the hole was closed a day after telling AWS about the exposure. Prestige confirmed that it owned the data.

The damage could be severe if crooks found the data. WP warned that it could lead to all too common risks with hotel data exposures like credit card fraud, identity theft and phishing scams. Perpetrators could even hijack a reservation to steal someone else’s vacation.
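One common way a bucket like the one described above ends up readable by anyone is a bucket policy statement that allows access to the wildcard principal. Below is an added example, not code from Website Planet, Prestige Software or AWS: a small static check over a bucket policy document that flags unconditional Allow statements granted to everyone. The policy, bucket name, account id and VPC endpoint id are all constructed placeholders.

```python
"""Flag S3 bucket policy statements that grant access to everyone.

Added example (not from the article): a minimal static check over an
S3 bucket policy document. The sample policy is constructed; the bucket
name, account id and VPC endpoint id are placeholders.
"""
import json
from typing import Any, List

# Constructed sample policy. The first statement is the "open bucket"
# misconfiguration that exposes every object to anonymous readers.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-reservation-logs",
                         "arn:aws:s3:::example-reservation-logs/*"],
        },
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/booking-app"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-reservation-logs/*",
        },
        {
            "Sid": "WildcardButConditioned",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-reservation-logs/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
    ],
})


def _is_anonymous_principal(principal: Any) -> bool:
    """True when the Principal element grants to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        values = aws if isinstance(aws, list) else [aws]
        return "*" in values
    return False


def find_public_statements(policy_json: str) -> List[str]:
    """Return the Sids of Allow statements open to everyone with no Condition.

    A Condition does not make a wildcard principal safe in general (it still
    deserves review), but an unconditional Allow to "*" is the unambiguous
    case worth alerting on immediately.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


if __name__ == "__main__":
    for sid in find_public_statements(SAMPLE_POLICY):
        print(f"public access granted by statement {sid}")
```

In practice this check belongs next to the account-level S3 Block Public Access setting and a bucket ACL review, since a bucket can also be opened by an ACL rather than a policy; the function above only covers the policy document.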

Source: Hotels.com, Expedia provider exposed data for millions of guests | Engadget

UK Company House Demands Company Stop Using Name Which Includes an HTML Closing Tag

A British software engineer came up with “a fun playful name” for his consulting business. He’d named it:

“”>

Unfortunately, this did not amuse the official registrar of companies in the United Kingdom (known as Companies House). The Guardian reports that the U.K. agency “has forced the company to change its name after it belatedly realised it could pose a security risk.” Henceforward, the software engineer’s consulting business will instead be legally known as “THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD.” He now says he didn’t realise that Companies House was actually vulnerable to the extremely simple technique he used, known as “cross-site scripting”, which allows an attacker to run code from one website on another.

Engadget adds: Companies House, meanwhile, said it had “put measures in place” to prevent a repeat. You won’t be trying this yourself, at least not in the U.K.

It’s more than a little amusing to see a for-the-laughs code name stir up trouble, but this also illustrates just how fragile web security can be.
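The defence the story points at is output encoding: a registered name is untrusted text and has to be escaped wherever it is rendered into HTML. The following is an added example, not code from Companies House or the articles quoted, showing the vulnerable concatenation pattern beside its hardened form; the register entries are constructed, and the script-bearing name is a made-up stand-in rather than the real registered name.

```python
"""Render a company-register listing without letting a registered name
inject markup. Added example, not Companies House code; entries are
constructed and the third name is a made-up stand-in.
"""
import html
import re
from typing import Iterable, Tuple

# Constructed sample entries; the third carries a script tag of the kind
# the story describes (the URL is a non-routable placeholder).
REGISTER = [
    ("00000001", "ACME WIDGETS LTD"),
    ("00000002", "O'BRIEN & SONS LTD"),
    ("00000003", '"><script src="https://example.invalid/x.js"></script> LTD'),
]

# Detection helper: a live <script or </script tag in rendered output.
TAG_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def render_row_unsafe(number: str, name: str) -> str:
    """The vulnerable pattern: concatenate untrusted text straight into HTML."""
    return f'<tr><td>{number}</td><td title="{name}">{name}</td></tr>'


def render_row_safe(number: str, name: str) -> str:
    """Hardened: HTML-escape every untrusted value in both text and attribute context.

    html.escape(quote=True) also encodes " and ', so the name cannot close
    the title attribute early.
    """
    esc = html.escape(name, quote=True)
    return f'<tr><td>{html.escape(number)}</td><td title="{esc}">{esc}</td></tr>'


def contains_script_tag(markup: str) -> bool:
    """True when the rendered HTML still contains a real <script> tag."""
    return TAG_RE.search(markup) is not None


def render_table(rows: Iterable[Tuple[str, str]], safe: bool = True) -> str:
    """Render the register as a table, safely by default."""
    render = render_row_safe if safe else render_row_unsafe
    body = "".join(render(number, name) for number, name in rows)
    return f"<table>{body}</table>"


if __name__ == "__main__":
    print("unsafe rendering injects script:", contains_script_tag(render_table(REGISTER, safe=False)))
    print("safe rendering injects script:  ", contains_script_tag(render_table(REGISTER, safe=True)))
```

A templating engine with auto-escaping does the same job by default; the point of the two functions is that the escaping must happen at render time for every context the value lands in, not as a one-off filter at registration time, since the same name is also rendered in attributes, JSON feeds and downstream sites.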

Source: UK Agency Demands Company Stop Using Name Which Includes an HTML Closing Tag – Slashdot

To Prevent Free, Frictionless Access To Human Knowledge, Publishers Want Librarians To Be Afraid, Very Afraid

After many years of fierce resistance to open access, academic publishers have largely embraced — and extended — the idea, ensuring that their 35-40% profit margins live on. In the light of this subversion of the original hopes for open access, people have come up with other ways to provide free and frictionless access to knowledge — most of which is paid for by taxpayers around the world. One is preprints, which are increasingly used by researchers to disseminate their results widely, without needing to worry about payment or gatekeepers. The other is through sites that have taken it upon themselves to offer immediate access to large numbers of academic papers — so-called “shadow libraries”. The most famous of these sites is Sci-Hub, created by Alexandra Elbakyan. At the time of writing, Sci-Hub claims to hold 79 million papers.

Even academics with access to publications through their institutional subscriptions often prefer to use Sci-Hub, because it is so much simpler and quicker. In this respect, Sci-Hub stands as a constant reproach to academic publishers, emphasizing that their products aren’t very good in terms of serving libraries, which are paying expensive subscriptions for access. Not surprisingly, then, Sci-Hub has become Enemy No. 1 for academic publishers in general, and the leading company Elsevier in particular. The German site Netzpolitik has spotted the latest approach being taken by publishers to tackle this inconvenient and hugely successful rival, and other shadow libraries. At its heart lies the Scholarly Networks Security Initiative (SNSI), which was founded by Elsevier and other large publishers earlier this year. Netzpolitik explains that the idea is to track and analyze every access to libraries, because “security”

[…]

Since academic publishers can’t compete against Sci-Hub on ease of use or convenience, they are trying the old “security risk” angle — also used by traditional software companies against open source in the early days. Yes, they say, Sci-Hub/open source may seem free and better, but think of the terrible security risks… An FAQ on the main SNSI site provides an “explanation” of why Sci-Hub is supposedly a security risk

[…]

As Techdirt pointed out when that Washington Post article came out, there is no evidence of any connections between Elbakyan and Russian Intelligence. Indeed, it’s hard not to see the investigation as simply the result of whining academic publishers making the same baseless accusation, and demanding that something be “done”. An article in Research Information provides more details about what those “wider ramifications than just getting access to content that sits behind a paywall” might be:

In the specific case of Sci-Hub, academic content (journal articles and books) is illegally harvested using a variety of methods, such as abusing legitimate log in credentials to access the secure computer networks of major universities and by hijacking “proxy” credentials of legitimate users that facilitate off campus remote access to university computer systems and databases. These actions result in a front door being opened up into universities’ networks through which Sci-Hub, and potentially others, can gain access to other valuable institutional databases such as personnel and medical records, patent information, and grant details.

But that’s not how things work in this context. The credentials of legitimate users that Sci-Hub draws on — often gladly “lent” by academics who believe papers should be made widely available — are purely to access articles held on the system. They do not provide access to “other valuable institutional databases” — and certainly not sensitive information such as “personnel and medical records” — unless they are designed by complete idiots. That is pure scaremongering, while this further claim is just ridiculous:

Such activities threaten the scholarly communications ecosystem and the integrity of the academic record. Sci-Hub has no incentive to ensure the accuracy of the research articles being accessed, no incentive to ensure research meets ethical standards, and no incentive to retract or correct if issues arise.

Sci-Hub simply provides free, frictionless access for everyone to existing articles from academic publishers. The articles are still as accurate and ethical as they were when they first appeared. To accuse Sci-Hub of “threatening” the scholarly communications ecosystem by providing universal access is absurd. It’s also revealing of the traditional publishers’ attitude to the uncontrolled dissemination of publicly-funded human knowledge, which is what they really fear and are attacking with the new SNSI campaign.

Source: To Prevent Free, Frictionless Access To Human Knowledge, Publishers Want Librarians To Be Afraid, Very Afraid | Techdirt

Nasal spray might prevent COVID-19 infections – it does in ferrets

Many hopes for a return to a semi-normal life after COVID-19 revolve around vaccines, but those injections have limits — they’re harder to deploy in low-income and rural areas where there’s no guarantee of easy distribution. Science may offer a more accessible alternative, though. Columbia University researchers have developed a nasal spray that has successfully prevented COVID-19 infections in tests with ferrets as well as a 3D model of human lungs.

The lipopeptide (that is, a lipid and peptide combination) prevents the coronavirus from fusing with a target cell’s membrane by blocking a key protein from adopting a necessary shape. It should work immediately and last for at least 24 hours. It’s also affordable, lasts a long time, and doesn’t need refrigeration.

A spray like this is still some ways from reaching the public. There would need to be human clinical trials, not to mention large-scale production to provide enough access. Scientists are planning to “rapidly advance” to further testing, Columbia said.

The move could bring protection to many parts of the world where mass COVID-19 vaccinations would be difficult. It might also serve as a “complement” even in places where vaccines are readily available, key researchers Anne Moscona and Matteo Porotto said. People who can’t take vaccines, or those for whom vaccinations don’t work, could spray themselves daily knowing they’d be safe. That, in turn, could further limit the spread of the virus and hasten the end to the pandemic.

Source: Nasal spray might prevent COVID-19 infections | Engadget

Android v 7.1.1 and lower Won’t Support Many Secure Certificates in 2021

One of the world’s top certificate authorities warns that phones running versions of Android prior to 7.1.1 Nougat will be cut off from large portions of the secure web starting in 2021, Android Police reported Saturday.

The Mozilla-partnered nonprofit Let’s Encrypt said that its partnership with fellow certificate authority IdenTrust will expire on Sept. 1, 2021. Since it has no plans to renew its cross-signing agreement, Let’s Encrypt plans to stop default cross-signing for IdenTrust’s root certificate, DST Root X3, beginning on Jan. 11 as the organization switches over to solely using its own ISRG Root X1 root.

It’s a pretty significant shift considering that as much as one-third of all web domains rely on the organization’s certificates. But since older software won’t trust Let’s Encrypt’s root certificate, this could “introduce some compatibility woes,” lead developer Jacob Hoffman-Andrews said in a blog post Friday.

“Some software that hasn’t been updated since 2016 (approximately when our root was accepted to many root programs) still doesn’t trust our root certificate, ISRG Root X1,” he said. “Most notably, this includes versions of Android prior to 7.1.1. That means those older versions of Android will no longer trust certificates issued by Let’s Encrypt.”

The only workaround for these users would be to install Firefox since it relies on its own certificate store that includes Let’s Encrypt’s root, though that wouldn’t keep applications from breaking or ensure functionality beyond your browser.

Let’s Encrypt noted that roughly 34% of Android devices are running a version older than 7.1 based on data from Google’s Android development suite. That translates to millions of users potentially being cut off from large portions of the secure web beginning in 2021.
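The mechanics behind the compatibility break are a path-building problem: a client accepts a server certificate only if it can walk issuer links to a root already in its own trust store, and the IdenTrust cross-signature is what gives old stores such a path. The toy below is an added example, not Let’s Encrypt or Android code. It models certificates as (subject, issuer) pairs and checks no signatures or validity periods; the intermediate name "R3" and the contents of the two trust stores are assumptions for the illustration, and the leaf name is a placeholder.

```python
"""Toy certificate path building against a trust store.

Added example, not Let's Encrypt or Android code. Certificates are
modelled as (subject, issuer) pairs only: no signatures, expiry or name
constraints are checked. "R3", the store contents and the leaf name are
assumptions for the illustration.
"""
from typing import Dict, List, Optional, Set, Tuple

Cert = Tuple[str, str]  # (subject, issuer); self-signed when both are equal

LEAF = ("example.org", "R3")                                # placeholder site
INTERMEDIATE = ("R3", "ISRG Root X1")                       # assumed intermediate
ISRG_SELF_SIGNED = ("ISRG Root X1", "ISRG Root X1")         # Let's Encrypt's own root
ISRG_CROSS_SIGNED = ("ISRG Root X1", "DST Root X3")         # same key, signed by IdenTrust

# Assumed trust stores: a pre-7.1.1 Android store that never received ISRG
# Root X1, and a modern store that holds both roots.
OLD_ANDROID_STORE: Set[str] = {"DST Root X3"}
MODERN_STORE: Set[str] = {"DST Root X3", "ISRG Root X1"}


def build_path(leaf: Cert, supplied: List[Cert], store: Set[str],
               max_depth: int = 6) -> Optional[List[str]]:
    """Walk issuer links from the leaf until an issuer is a trusted root.

    Returns the subject names along the path, ending with the trusted root,
    or None when no chain through the supplied certificates reaches the store.
    """
    by_subject: Dict[str, List[Cert]] = {}
    for cert in supplied:
        by_subject.setdefault(cert[0], []).append(cert)

    def walk(cert: Cert, depth: int) -> Optional[List[str]]:
        subject, issuer = cert
        if depth > max_depth:
            return None
        if issuer in store:                 # reached a trust anchor
            return [subject, issuer]
        # Try every certificate the server supplied for this issuer name;
        # a cross-signed and a self-signed copy may share the subject.
        for candidate in by_subject.get(issuer, []):
            if candidate[0] == candidate[1]:  # self-signed but not trusted: dead end
                continue
            tail = walk(candidate, depth + 1)
            if tail is not None:
                return [subject] + tail
        return None

    return walk(leaf, 0)


if __name__ == "__main__":
    # Before the switch: server sends the cross-signed ISRG certificate.
    print("old Android, cross-signed chain:",
          build_path(LEAF, [INTERMEDIATE, ISRG_CROSS_SIGNED], OLD_ANDROID_STORE))
    # After the switch: only the ISRG-rooted chain is sent by default.
    print("old Android, ISRG-only chain:   ",
          build_path(LEAF, [INTERMEDIATE], OLD_ANDROID_STORE))
    print("modern store, ISRG-only chain:  ",
          build_path(LEAF, [INTERMEDIATE], MODERN_STORE))
```

The two old-store calls are the whole story: with the cross-signed certificate in the chain the walk ends at DST Root X3, which the old store has; without it the walk stops at ISRG Root X1, which the old store lacks, and the connection fails. Real validators also check signatures, validity periods and name constraints, and Android's chain building differs in detail, so treat this as the shape of the problem rather than an implementation.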

Source: Older Android Phones Won’t Support Many Secure Websites in 2021

AST & Science wants to launch 243 mobile broadband satellites into space used by the A Train – and NASA’s quite worried about crashes into scientific craft

AST & Science, a Texas-based company, has applied for approval to build SpaceMobile, which claims to be the “first and only space-based cellular broadband network to be accessible by standard smartphones.” Its proposed network is under review by the FCC. However, NASA reckons it will heighten the risk of contact between spacecraft within a region that is already crowded.

The space agency is particularly concerned about the gap between 690 and 740km above Earth, an area home to the so-called A-train. The A-train consists of ten spacecraft used to monitor Earth, operated by various groups including NASA, the United States Geological Survey, France’s National Centre for Space Studies, and Japan’s Aerospace Exploration Agency. AST wants to place its satellites across 16 orbital planes at an altitude of 700km, a distance that’s too close for comfort.

“The AST constellation would be essentially collocated with the A-Train if the proposed orbit altitude is chosen,” Samantha Fonder, NASA’s Representative to the Commercial Space Transportation Interagency Group, and a member of its Human Exploration and Operations Mission Directorate, wrote in a letter [PDF] addressed to the FCC.

What’s more, the area is also particularly risky since it contains chunks of debris left over from a previous orbital crash. “Additionally, this is an orbit regime that has a large debris object density (resulting from the Fengyun1-C ASAT test and the Iridium33-COSMOS 2251 collision) and therefore experiences frequent conjunctions with debris objects,” she continued.

Fonder reckons that placing another 243 satellites near the A-train will increase the chances of a space smash. NASA has arrived at that conclusion by taking into account various factors, including the size of AST’s SpaceMobile birds. They are much bigger than the spacecraft in the A-train and carry 900-square-metre antennas.

Source: FYI: Someone wants to launch mobile broadband satellites into space used by scientific craft – and NASA’s not happy • The Register