The Linkielist

Linking ideas with the world

The Linkielist

Author Archives: Robin Edgar

About Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft

Several Fish Can Secretly Walk on Land, Study Suggests

Posted on by

A surprising number of hillstream loaches—a family of Asian fish—are capable of walking on land using all four limbs, according to a new study. It’s a discovery that could explain how some of the earliest animals managed to stroll on solid ground.

South Asian hillstream loaches are a family of small fish that can often be found clinging to rocks in fast-moving waters. New research published in the Journal of Morphology suggests at least 11 species of hillstream loaches can also walk on land, as evidenced by their peculiar anatomies. At least one species, a blind cavefish known as Cryptotora thamicola, has actually been caught in the act, but the new research suggests other hillstream loaches can do it as well.

Brooke Flammang, a biologist at the New Jersey Institute of Technology and the study’s lead principal investigator, along with her colleagues, analyzed 29 hillstream loach specimens. Using micro-CT scans, the team studied and compared the various specimens, looking at their distinctive shapes, muscle groups, and skeletal structures.

Cryptotora thamicola as seen in multiple perspectives.
Cryptotora thamicola as seen in multiple perspectives.
Image: Zach Randall, Florida Museum of Natural History, and BE Flammang, NJIT

This international team of researchers, which included scientists from the Florida Museum of Natural History, Louisiana State University, and Thailand’s Maejo University, also conducted some genetic work, sampling the DNA of 72 loaches in order to reconstruct their evolutionary family tree.

Together, the physical and genetic analysis revealed the fishes’ unusual land-walking capabilities.

“In most fishes, there is no bony connection between the backbone and the pelvic fins. These fish are different because they have hips,” explained Flammang in an email. “The hip bone is a sacral rib, and within the fishes we studied, we found three morphological variants ranging from very thin and not well-connected to robust and having a sturdy connection. We expect that those with the largest, most robust ‘hip’-bones have the best walking ability.”

Cryptotora thamicola in the wild.
Cryptotora thamicola in the wild.
Image: Florida Museum

Of the fish studied, 11 were found to have these robust hips, or pelvic girdles. Interestingly, the resulting gait is reminiscent of the way salamanders walk on land. As noted, the only documented example of a walking hillstream loach is Cryptotora thamicola, also known as the cave angel fish. These blind fish, in addition to walking on land, have been seen climbing up waterfalls, which they do using all four limbs.

[…]

Flammang said these fish don’t represent an intermediate species, that is, some kind of missing link between fully aquatic animals and those capable of living on land.

“But we know that throughout evolution, organisms have repeatedly converged on similar morphologies as a result of facing similar pressures of natural selection,” she said. “And we also know that physics does not change with time. Therefore, we can learn from the mechanics of how this fish walks and use it to better understand how extinct early animals may have walked.”

Source: Several Fish Can Secretly Walk on Land, Study Suggests

How Britain can help you get away with stealing millions: a five-step guide

Posted on by

Step 1: Forget what you think you know

If you want to commit significant financial crime, therefore, you need a bank account, because electronic cash weighs nothing, no matter how much of it there is. But that causes a new problem: the bank account will have your name on it, which will alert the authorities to your identity if they come looking.

This is where shell companies come in. Without a company, you have to act in person, which means your involvement is obvious and overt: the bank account is in your name. But using a company to own that bank account is like robbing a house with gloves on – it leaves no fingerprints, as long as the company’s ownership information is hidden from the authorities. This is why all sensible crooks do it.

[…]

Here is the secret you need to know to get started in the shell company game: the British company registration system contains a giant loophole – the kind of loophole you can drive a billion euros through without touching the sides.

[…]

. The true image associated with “shell companies” these days should not be an exotic island redolent of the sound of the sea and the smell of rum cocktails, but a damp-stained office block in an unfashionable London suburb, or a nondescript street in a northern city. If you want to set up in the money-laundering business, you don’t need to move to the Caribbean: you’d be far better off doing it from the comfort of your own home.

Step 2: Set up a company

The second step is easy, and involves creating a company on the Companies House website. Companies House maintains the UK’s registry of corporate structures and publishes information on shareholders, directors, accounts, partners and so on, so anyone can check up on their bona fides.

Setting up a company costs £12 and takes less than 24 hours. According to the World Bank’s annual Doing Business report, the UK is one of the easiest places anywhere to create a company, so you’ll find the process pretty straightforward.

[…]

While it has bullied the tax havens into checking up on their customers, Britain itself doesn’t bother with all those tiresome and expensive “due diligence” formalities. It is true that, while registering your company on the Companies House website, you will find that it asks for information such as your name and address.

[…]

Step 3: Make stuff up

This third step may be the hardest to really take in, because it seems too simple. Since 2016, the UK government has made it compulsory for anyone setting up a company to name the individual who actually owns it: “the person with significant control”, or PSC.

[…]

Here is the secret: no one checks the accuracy of the information you provide when you register with Companies House. You can say pretty much anything and Companies House will accept it.

[…]

Suspicious typos are everywhere once you start delving into the Companies House database.

[…]

Recently, while messing about on the Companies House website, I came across a PSC named Mr Xxx Stalin, who is apparently a Frenchman resident in east London.

[…]

Xxx Stalin led me to a PSC of a different company, who was named Mr Kwan Xxx, a Kazakh citizen, resident in Germany; then to Xxx Raven; to Miss Tracy Dean Xxx; to Jet Xxx; and finally to (their distant cousin?) Mr Xxxx Xxx. These rabbitholes are curiously engrossing, and before long I’d found Mr Mmmmmmm Yyyyyyyyyyyyyyyyyy, and Mr Mmmmmm Xxxxxxxxxxx (correspondence address: Mmmmmmm, Mmmmmm, Mmm, MMM), at which point I decided to stop.

As trolling goes, it is quite funny, but the implications are also very serious, if you think about what companies are supposed to be for. Limited companies and partnerships have their liability for debts limited, which means that if they go bust, their investors are not personally bankrupted. It’s a form of insurance – society as a whole is accepting responsibility for entrepreneurs’ debts, because we want to encourage entrepreneurial behaviour. In return, entrepreneurs agree to publish details about their companies so we can all check what they are up to, and to make sure they’re not abusing our trust.

[…]

The anti-corruption campaign group Global Witness looked into PSCs last year, and found 4,000 of them were under the age of two. One hadn’t even been born yet. At the opposite end of the spectrum, its researchers found five individuals who each controlled more than 6,000 companies. There are more than 4m companies at Companies House, which is a very large haystack to hide needles in.

You don’t actually even need to list a person as your company’s PSC. It’s permissible to say that your company doesn’t know who owns it (no, you’re not misunderstanding; that just doesn’t make sense), or simply to tie the system up in knots by listing multiple companies in multiple jurisdictions that no investigator without the time and resources of the FBI could ever properly check.

This is why step three is such an important one in the five-step pathway to creating a British shell company. If you can invent enough information when filing company accounts, then the calculation that underpins the whole idea of a company goes out of the window: you gain the protection from legal action, without giving up anything in return. It’s brilliant.

[…]

Step 4: Lie – but do so cleverly

Most of the daft examples earlier (Mmmmmmm, Mmmmmm, Mmm, MMM) would not be useful for committing fraud, since anyone looking at them can tell they’re not serious. Cumberland Capital Ltd, however, was a different matter. It looked completely legitimate.

[…]

When US police came looking for the people behind Cumberland Capital Ltd, they searched the Companies House website and found that its director was an Australian citizen called Manford Martin Mponda. Anyone researching binary-options fraud might quickly conclude that Mponda was a kingpin. He was a serial company director, with some 80 directorships in UK-registered companies to his name, and features in dozens of complaints.

It already looked like a major scandal that British regulation was so lax that Mponda could have been allowed to conduct a global fraud epidemic behind the screen of UK-registered companies, but the reality was even more remarkable: Mponda had nothing to do with it. He was a victim, too.

Police officers suspect that, after Mponda submitted his details to join a binary-options website, his identity was stolen so it could be used to register him as a director of dozens of UK companies. The scheme was only exposed after complaints to consumer protection bodies were passed onto the City of London police, who then asked their Australian colleagues to investigate.

[…]

So here is step four: don’t just lie, lie cleverly. British companies look legitimate, so look legitimate yourself. Steal a real person’s name, and put that on the company documents. Don’t put your own address on the documents, rent a serviced office to take your post: Paul Manafort used one in Finchley, the binary options fraudsters went to Liverpool, and Lantana Trade was based in the London suburb of Harrow.

[…]

Step 5: Don’t worry about it

I know what you’re thinking: it cannot be this easy. Surely you’ll be arrested, tried and jailed if you try to follow this five-step process. But if you look at what British officials do, rather than at what they say, you’ll begin to feel a lot more secure. The Business Department has repeatedly been warned that the UK is facilitating this kind of financial crime for the best part of a decade, and is yet to take any substantive action to stop it. (Though, to be fair, it did recently launch a “consultation”.)

[…]

In 2011, then-business secretary and Liberal Democrat MP Vince Cable decided to open up Companies House, and everything changed. After Cable’s reform, anyone with an internet connection, anywhere in the world, could create a UK company in about as much time as it takes to order a couple of pizzas, and for approximately the same amount of money. The checks were gone; there was no longer any connection to a verifiably existing person; it was as easy to create a UK company as it was to set up a Twitter account. The rationale was that this would unleash the latent entrepreneurship within the British nation by making it easy to turn business ideas into thriving concerns.

Instead of unchaining a new generation of British businesspeople, however, Cable let slip the dogs of fraud. At first, this rather technical modification to an obscure corner of the British machinery of state did not garner much attention, but for people who understood what it meant it was alarming.

[…]

There is, it turns out, a simple explanation for why successive governments have failed to do anything about it. Last year, when challenged in the House of Commons, Treasury minister John Glen stated that Companies House simply couldn’t afford to check the information filed with it, since that would cost the UK economy hundreds of millions of pounds a year. This is almost certainly an exaggeration. Anti-corruption activists who have looked at the data say the cost would in fact be far less than that, but the key point is that the reform would pay for itself. As Brewer has pointed out, “the burden of cost is one thing. But the cost of fraud is far greater.”

VAT fraud alone costs the UK more than £1bn a year, while the National Crime Agency estimates the cost of all fraud to the UK economy to be £190bn. The cost to the rest of the world of the money laundering enabled by UK corporate entities is almost certainly far higher.

[…]

lesson number five: don’t worry about it. Commit as much fraud as you like, fill your boots, the only reason anyone would care is if you kick up a fuss. And what sensible fraudster is going to do that?

Source: How Britain can help you get away with stealing millions: a five-step guide | World news | The Guardian

Researchers reveal a much richer picture of the past with new DNA recovery technique

Posted on by

Researchers at McMaster University have developed a new technique to tease ancient DNA from soil, pulling the genomes of hundreds of animals and thousands of plants—many of them long extinct—from less than a gram of sediment.

The DNA extraction method, outlined in the journal Quarternary Research, allows scientists to reconstruct the most advanced picture ever of environments that existed thousands of years ago.

The researchers analyzed permafrost samples from four sites in the Yukon, each representing different points in the Pleistocene-Halocene transition, which occurred approximately 11,000 years ago.

This transition featured the extinction of a large number of animal species such as mammoths, mastodons and ground sloths, and the new process has yielded some surprising new information about the way events unfolded, say the researchers. They suggest, for example, that the survived far longer than originally believed.

In the Yukon samples, they found the genetic remnants of a vast array of , including mammoths, horses, bison, reindeer and thousands of varieties of plants, all from as little as 0.2 grams of sediment.

The scientists determined that woolly mammoths and horses were likely still present in the Yukon’s Klondike region as recently as 9,700 years ago, thousands of years later than previous research using fossilized remains had suggested.

[…]

The technique resolves a longstanding problem for scientists, who must separate DNA from other substances mixed in with sediment. The process has typically required harsh treatments that actually destroyed much of the usable DNA they were looking for. But by using the new combination of extraction strategies, the McMaster researchers have demonstrated it is possible to preserve much more DNA than ever.

[…]

Source: Researchers reveal a much richer picture of the past with new DNA recovery technique

Apple sues Epic for destroying the App store and won’t let their users log in using Apple log in (whatever that is)

Posted on by

So, Apple is trying to frame it’s strong arming of companies into paying 30% protection money… uh… app store fees – well… unless you have an agreement to pay less, but only one or two have that… as being in the interest of the people who’s arms they are ripping out. Because we believe the scary man in the suit who has been ripping off customers and consumers left and right over the man who is saying he’s had enough.

Apple has filed a countersuit against Epic Games as the two companies continue their battle over App Store royalties.

The Cupertino giant is seeking a declaratory judgement [PDF] for breach of contract as it claims Epic has broken their agreement to distribute software and in-app purchases though the App Store. The filing is part formal response to the original Epic suit and part Apple making legal allegations of its own.

“Although Epic portrays itself as a modern corporate Robin Hood, in reality it is a multi-billion dollar enterprise that simply wants to pay nothing for the tremendous value it derives from the App Store,” Apple claims.

“Epic’s demands for special treatment and cries of ‘retaliation’ cannot be reconciled with its flagrant breach of contract and its own business practices, as it rakes in billions by taking commissions on game developers’ sales and charging consumers up to $99.99 for bundles of V-Bucks.”

Source: Apple to Epic: Sue me? No, sue you, pal! • The Register

“Epic’s actions have caused Apple to suffer reputational harm and loss of goodwill with consumers who rely on Apple to offer the apps they want to download, like Fortnite, with all of the safety, security, and privacy protections that they expect from Apple,” Apple said in its filing. “Left unchecked, Epic’s conduct threatens the very existence of the iOS ecosystem and its tremendous value to consumers.”

Apple claimed that Epic purposefully sent a “Trojan horse” to the App Store, hiding a line of code in a Fortnite hotfix that allowed the gaming company to “bypass Apple’s app review process” so it could trigger the option for users to pay Epic directly for V-Bucks, the game’s currency. Epic has denied that it hid anything from Apple.

Apple said this hotfix amounted to “little more than theft,” claiming that Epic purposefully tried to find a way to “enjoy all of the benefits of Apple’s iOS platform and related services” without paying Apple what it was contractually owed.

Source: Apple Says ‘Epic’s Conduct Threatens the Very Existence of the iOS Ecosystem’ in Countersuit

As of September 11th, Apple will no longer allow users to sign into Epic Games accounts using “Sign in with Apple.” If you’re using the Apple sign-in feature, make sure to update your Epic Games account email and password before Friday.

This change is the latest petty move in the Apple versus Epic battle.

Source: Apple will stop letting Epic Games use ‘Sign in with Apple’ on September 11th

Hacked Windows 10 Themes Can Swipe Your Microsoft Login

Posted on by

Windows 10 users can customize their desktops with unique themes, and are able to create and share those themes with others. Hackers can also use them to steal your credentials.

A flaw in Windows 10’s theme-creation feature lets hackers modify custom themes that, once installed, trick users into passing over their Microsoft account name and password data via counterfeit login pages. This technique wouldn’t necessarily raise any red flags for an average person, as some legit Windows 10 themes have you sign in after installation.

This “Pass the Hash” attack doesn’t steal your password verbatim, but rather the password hash—a jumbled up and obfuscated version of your password’s data. Companies hash password data to keep it more secure when stored on remote servers, but hackers can unscramble passwords with readily available software. In some cases, passwords can be cracked in just a few seconds.

This vulnerability was discovered by cybersecurity researcher Jimmy Bayne, who publicly disclosed the findings in a Twitter thread.

Bayne alerted Microsoft to the security risk, but the company says it has no plans to change the Theme feature since the credential passing is an intended feature; Hackers have simply found a way to use it maliciously.

With no official action being taken, it’s up to users to keep themselves safe from shady Windows 10 themes.

BleepingComputer and Bayne outline options for enterprise versions of Windows 10, but these won’t work for general users. The smartest move is to avoid custom themes entirely, but if you keep using them, make sure you’re only downloading official themes from secure sources like the Windows Store.

Whether you keep using custom themes or not, you should also update your accounts with unique passwords, turn on two-factor authentication, and use an encrypted password manager. I would also suggest unlinking third-party accounts from your Microsoft account and using local user accounts to sign in to your PC, rather than your Microsoft Account. Protective steps like these make it harder for outsiders to steal your data, even if they happen to snag a password.

Source: Hacked Windows 10 Themes Can Swipe Your Microsoft Login

TCL’s new paper-like display can also play videos

Posted on by

NXTPAPER today — a new type of display that’s meant to offer better eye protection by reducing flicker, blue light and light output. The company said the effect is similar to E Ink, calling it a “combination of screen and paper.” TCL also said it has received eye protection certifications from the German Rhine laboratory, and has 11 different patents for eye protection.

Don’t expect to see NXTPAPER appear on a smartphone, though. TCL said it’s meant for larger devices like tablets or e-readers. The new screen tech will support Full HD definition and allow for smooth video playback on a paper-like experience. Compared to E Ink, TCL said its version will offer 25 percent higher contrast. It uses a “highly reflective screen” to “reuse natural light,” doing away with backlighting in the process. TCL said NXTPAPER will be 36 percent thinner than typical LCD while offering higher contrast. Because it doesn’t require its own lights, the company said the new screen tech is also 65 percent more power efficient. This way, devices won’t need large unwieldy batteries for prolonged use.

Source: TCL’s new paper-like display can also play videos | Engadget

Rocket Lab secretly launched its own satellite that may one day go to the Moon

Posted on by

Rocket Lab recently made a successful return to flight and launched a client satellite from its Electron Rocket, but that’s not all that happened on the mission. The company also secretly launched its own satellite, called Photon, that could one day fly ambitious deep space missions.

Photon is based on Rocket Lab’s “Kick Stage,” which is a mini rocket designed to boost satellite payloads into their final circular orbit once Electron has brought them to space. However, rather than just packing a propulsion system, Photon will carry additional electronics, orientation sensors, power generation units and instruments like cameras. That means that Photon can act as a satellite itself so that clients don’t need to contract third-party providers to design and build them.

Normally, once the Kick Stage does its job, Rocket Lab de-orbits it to burn up in the atmosphere. However, this time it sent a command that switched it into Photon satellite mode to continue on a standalone mission called “First Light.” Intended as a demonstration, it’s equipped with solar panels and a camera that can snap images of itself and the Earth.

Eventually, customers will be able to choose a “launch-plus-spacecraft” mission with the Electron Rocket and Photon satellite, which “eliminate[s] the complexity, risk and delays associated with having to build their own satellite hardware and procure a separate launch,” said Rocket Lab CEO Peter Beck in a statement.

During a press conference, Beck said that the company launched Photon in secret to “make sure it’s all good and it works before announcing it.” Rocket Lab said that a high-energy version of Photon will eventually fly “lunar and interplanetary missions,” including NASA’s Capstone mission in early 2021. In that mission, Photon will fly as a “pathfinder” that will help the Artemis program’s Gateway spacecraft safely approach the Moon.

Source: Rocket Lab secretly launched its own satellite that may one day go to the Moon | Engadget

Harvard created a wool-like 3D-printable material that can shape shift

Posted on by

The team, from the John A. Paulson School of Engineering and Applied Sciences (SEAS), created a 3D-printable material that can be “pre-programmed with reversible shape memory.” The wool-like material can remember old forms and morph back into those, or transform into different shapes when a certain stimulus is applied.

It’s made using keratin extracted from recycled wool. Keratin is a fibrous protein that’s found in hair, which, of course, has a habit of returning to its natural form.

The researchers shaped a single chain of keratin into a spring-like structure. They twisted two of those together and used many such “coiled coils” to assemble large fibers. When a stimulus is applied to the material or it’s stretched out, those structures uncoil and the bonds realign. The material stays that way until it’s triggered to return to its original state, which is programmed with a solution of hydrogen peroxide and monosodium phosphate.

In one test, researchers programmed a sheet of keratin to have an origami star as its permanent shape. They dunked the sheet in water to make it malleable and rolled it into a tube. But when the team put that tube in the water again, it unrolled and reformed as the origami star.

The researchers believe the material could help reduce waste in the fashion industry. They suggested it could be used for truly one-size-fits-all clothing that stretches to fit the wearer, or bras “whose cup size and shape can be customized every day.” Consumers could save as well if they don’t have to replace stretched-out clothes quite so often.

“This two-step process of 3D printing the material and then setting its permanent shapes allows for the fabrication of really complex shapes with structural features down to the micron level,” Luca Cera, a SEAS postdoctoral fellow and first author of a paper on the material, said in a press release. “This makes the material suitable for a vast range of applications from textile to tissue engineering.”

Source: Harvard created a wool-like 3D-printable material that can shape shift | Engadget

Italy is investigating Apple, Google and Dropbox cloud storage services

Posted on by

Italy’s competition watchdog is investing Apple, Google and Dropbox, TechCrunch reports. In a press release, the AGCM announced that it opened six investigations into the companies’ cloud storage services: Google Drive, iCloud and Dropbox.

The authority is concerned that the services fail to adequately explain how user data will be collected and used for commercial purposes. It’s also investigating unfair clauses in the services’ contracts, terms that exempt the services from some liability and the prevalence of English versions of contracts over Italian versions.

In July, Italy launched an antitrust investigation into Amazon and Apple over Beats headphones. Authorities want to know whether the two companies agreed to prevent retailers outside of Apple’s official program from selling Beats and other Apple products.

Big tech companies are facing increased pressure from antitrust regulators in the US and Europe. The US Department of Justice may present its case against Google later this month. Apple is in a battle with Epic over its App Store rules, and the antitrust case against Amazon keeps getting stronger. It’s hard to say how effective any of these investigations will be at changing the industry’s behavior.

Source: Italy is investigating Apple, Google and Dropbox cloud storage services | Engadget

This is why monopolies are bad

China Just Launched and Landed a Secret Reusable Spacecraft

Posted on by

In recent days, China has quietly launched a secret reusable spacecraft, left it in orbit for two days and safely landed it back on Earth. And although the spacecraft is top secret—we’re not even privy to its design—there are some things that China apparently wants the world to know about it.

According to Xinhua, China’s official news agency, the launch took place on Friday at the Jiuquan Satellite Launch Center in Inner Mongolia. The spacecraft was launched with a Long March-2F rocket, per the South China Morning Post, and successfully returned to its scheduled landing site on Sunday.

A Chinese military source confirmed to the Post that staff and visitors to the launch site had been warned not to film the lift-off or talk about it online.

“There are many firsts in this launch. The spacecraft is new, the launch method is also different. That’s why we need to make sure there is extra security,” the military source said.

The Post, citing Xinhua, reported that during its two-day flight, the spacecraft would test reusable technologies with the aim of “providing technological support for the peaceful use of space.”

And although details of the mission were scarce, the Chinese military source told the Post that it should “take a look at the US X-37B,” a reference to the U.S. Department of Defense’s top-secret space plane developed by Boeing. According to the U.S. Air Force, the X-37B is an experimental test program that aims to demonstrate “reusable spacecraft technologies for America’s future in space and operating experiments, which can be returned to, and examined, on Earth.”

The X-37B is a reusable vehicle that doesn’t require an onboard crew. It enters space on top of a rocket, stays in low Earth orbit and then re-enters the atmosphere. It even lands like a normal plane.

Source: China Just Launched and Landed a Secret Reusable Spacecraft

India flies Mach 6 scramjet for 20 seconds

Posted on by

India claims it flew a perfect scramjet test at Mach 6 on Monday.

A government announcement says the vehicle hitched a ride on a rocket that ascended to an altitude of 30km before launching the “Hypersonic Technology Demonstrator Vehicle

“The cruise vehicle separated from the launch vehicle and the air intake opened as planned. The hypersonic combustion sustained and the cruise vehicle continued on its desired flight path at a velocity of six times the speed of sound i.e., nearly 02 km/second for more than 20 seconds,” the announcement added. “The critical events like fuel injection and auto ignition of scramjet demonstrated technological maturity. The scramjet engine performed in a text book manner.”

Telemetry from the craft and observations led Indian authorities to state: “All the performance parameters have indicated a resounding success of the mission.” India hasn’t released details or images of the vehicle, but did publish the launch video below.

India’s prime minister chipped in with a canned quote about the test being a fine moment in the nation’s drive for self-sufficiency in defense hardware.

Reg readers may recall that India’s done this sort of thing before, notably in a 2016 test flight that saw a scramjet ignite for five seconds. Yesterday’s test lasted rather longer, suggesting India is on the way to developing vehicles with longer ranges.

Which is where things get interesting because China, Russia and the USA are all developing hypersonic weapons. Such craft are strategically significant because they’re so fast that detecting an incoming strike is horrendously hard and developing countermeasures harder still. It’s also vastly difficult to build hypersonic craft because anything moving at 7,000km/h has all sorts of challenges with heat and vibration.

India already has a substantial and capable military and is one of few nations to possess nuclear weapons, operate a blue-water navy and run a space program.

Source: India flies Mach 6 scramjet for 20 whole seconds • The Register

No, Kubernetes doesn’t make applications portable, say analysts. Good luck avoiding lock-in, too

Posted on by

Do not make application portability your primary driver for adopting Kubernetes, say Gartner analysts Marco Meinardi, Richard Watson and Alan Waite, because while the tool theoretically improves portability in practice it also locks you in while potentially denying you access to the best bits of the cloud.

The three advance that theory in a recent “Technical Professional Advice” document that was last week summarised in a blog post.

The Register has accessed the full document and its central idea is that adopting Kubernetes can’t be done without also adopting a vendor of your preferred Kubernetes management tools.

“By using Kubernetes, you simply swap one form of lock-in for another, specifically for one that can lower switching cost should the need arise,” the trio write. “Using Kubernetes to minimize provider lock-in is an attractive idea, but such abstraction layer simply becomes an alternative point of lock-in. Instead of being locked into the underlying infrastructure environment, you are now locked into the abstraction layer.”

“If you adopt Kubernetes only to enable application portability, then you are trying to solve one problem, by taking on three new problems you didn’t already have.”

And that matters because “Although abstraction layers may be attractive for portability, they do not surface completely identical functionality from the underlying services — they often mask or distort them. In general, the use of abstraction layers on top of public cloud services is hardly justified when organizations prioritize time to value and time to market due to their overhead and service incongruence.”

The trio also worry that shooting for portability can cut users off from the best bits of the cloud.

“Implementing portability with Kubernetes also requires avoiding any dependency that ties the application to the infrastructure provider, such as the use of cloud provider’s native services. Often, these services provide the capabilities that drove us to the cloud in the first place,” they write.

And then there’s the infrastructure used to run Kubernetes, which the three point out will have variable qualities that make easy portability less likely.

“The more specific to a provider a compute instance is, the less likely it is to be portable in any way,” the analysts wrote. “For example, using EKS on [AWS] Fargate is not CNCF-certified and arguably not even standard Kubernetes. The same is true for virtual nodes on Azure as implemented by ACIs.”

The document also points out that adopting Kubernetes will almost certainly mean acquiring third-party storage and networking tools, which means more elements that have to be reproduced to make applications portable and therefore more lock-in.

Source: No, Kubernetes doesn’t make applications portable, say analysts. Good luck avoiding lock-in, too • The Register

Australia starts second fight with Google and Apple, this time over whether app stores leak data, gouge devs, steal ideas and warp markets

Posted on by

Australia, already embroiled in a nasty fight with Google and Facebook over its plan to make them pay for news links, has opened an inquiry into whether Apple and Google’s app stores offer transparent pricing and see consumers’ data used in worrying ways.

The issues paper [PDF] outlining the scope of the inquiry names only Apple and Google as of interest. The paper also mentions the recent Apple/Epic spat over developer fees to access the app store and proposes to ponder sideloading as a means of bypassing curated stores.

The Australian Competition and Consumer Commission, which will conduct the inquiry, has set out the following matters it wishes to probe:

  1. The ability and incentive for Apple and Google to link or bundle their other goods and services with their app marketplaces, and any effect this has on consumers and businesses.
  2. How Apple and Google’s various roles as the key suppliers of app marketplaces, but also as app developers, operators of the mobile licensing operating system and device manufacturers affect the ability of third party app providers to compete, including the impact of app marketplace fee structures on rivals’ costs.
  3. Terms, conditions and fees (including in-app purchases) imposed on businesses to place apps on app marketplaces.
  4. The effect of app marketplace fee structures on innovation.
  5. How app marketplaces determine whether an app is allowed on their marketplace, and the effect of this on app providers, developers and consumers;
  6. How where an app is ranked in an app marketplace is determined.
  7. The collection and use of consumer data by app marketplaces, and whether consumers are sufficiently informed about and have control over the extent of data that is collected.
  8. Whether processes put in place by app marketplaces to protect consumers from harmful apps are working.The document also reveals an intention to probe whether app store operators “identify which product development ideas are successful and emulate these ideas in their own apps” and seeks “views on the data sharing arrangements between apps and app marketplaces, and any views on the potential for app marketplaces to use data to identify, and respond to, potential competitors to the marketplace’s own apps.”

The Commission has created a survey for consumers and another for developers . The latter asks for comment on “adequacy of communications from the app store during the review process” and the experience of appealing decisions. Which should make for some tasty reading once the inquiry reports in March 2021.

The ACCC lists “legislative reform to address systemic issues” as one possible outcome from the inquiry. Which would be tastier still, given the furor over Australia’s current proposed laws.

Source: Australia starts second fight with Google, this time over whether app stores leak data, gouge devs, steal ideas and warp markets • The Register

I spoke of this in Zagreb at Dors/Cluc 2019 – it’s interesting to see how this is being picked up all over the world

Angry 123-Reg customers in the UK wake up to another day where hosted mail doesn’t get through to users on Microsoft email accounts

Posted on by

Users of UK web hosting firm 123-Reg’s email service told The Reg this morning that 96 hours after clocking the issue, they are still having trouble sending emails to users with Microsoft’s Live, Outlook or Hotmail accounts.

For its part, 123-Reg has confirmed “delays in delivering emails to Hotmail/Outlook/Live email addresses,” but provided no ETA for a fix. According to the issue ticket on its status page, filed on Saturday, September 5, the firm claimed to have identified the root cause – which it has yet to explain – and said it was “working with Microsoft” to resolve it. The issue is not believed to affect the delivery of emails being sent by customers on 123-Reg’s Microsoft 365 “platform”.

Several users have claimed the mail-forwarding issues actually began on Friday morning.

Predictably, punters are irate, with many complaining the outage is causing lost business and reputational damage.

Source: Angry 123-Reg customers in the UK wake up to another day where hosted mail doesn’t get through to users on Microsoft email accounts • The Register

As a private host with email, I feel the frustration. MS and Google are good at this.

Security Risks Revolving the 2020 US Presidential Elections | Techwarn.com

Posted on by

The coronavirus pandemic has forced people around the globe to temporarily modify the ways they go about activities. Activities like these include political elections and campaigning.

Since the virus hit in an election year, it’s highly likely new measures will be taken to prevent mass gatherings during voting. Infection rates aren’t likely to drop any time soon, and even if they did, queues for voting could lead to huge bursts of cases everywhere. At least 15 states in the US postponed presidential election primaries.

Suggestions have been made by election administrators to utilize an analog method of voting known as mail voting. It involves the mailing in of ballots by voters. If this technique is used, it would be highly likely that the results of the election would be decided in weeks or months.

Because of the pandemic, new voter registrations have dropped tremendously, with a 70% decrease experienced in twelve states. This year’s election was expected to break previous voting turnout records. However, with lockdowns still in place, voting participation will seemingly be reduced.

There have also been calls for online voting in some states like New Jersey, Delaware, and West Virginia. Currently, election administrators are holding discussions on the best method to use that would combine voting efficiency, safe health practices, and a speedy turnout of results.

Omnibox – Security Vulnerabilities

The most viable method which has been touted by speculators is the use of Omnibox – an online-based voting and ballot system primarily for the disabled, military and overseas voters. This system has however come under scrutiny from several quarters regarding its credibility.

In a paper released by Michael Specter and J. Alex Halderman, researchers at Massachusetts Institute of Technology (MIT) and the University of Michigan, they highlighted several security vulnerabilities inherent in the system and labelled it insecure on so many levels. Their study was based on three main branches of the system namely:

  • Online Ballot Return: One of these issues stemmed from the fact that the system was reliant on several third-party services which could deliver altered results, robbing the system of its independence and reliability. The risks associated with online ballot return are considered grave and can be influenced by malware and database compromise.
  • Blank Ballot Delivery: Although considered a moderate risk since rigorous electoral screening can check this, blank ballot delivery is still regarded as a risk. The system runs the risk of having voters’ ballots returned as blank or some candidates omitted from the ballot box.
  • Online Ballot Marking Manipulation: Here, attackers discover the voters’ choices and then either alter them or get their votes scanned in a different candidate’s box. This is tagged as high-risk vulnerability and ultimately, one of the reasons why this system is not recommended for use.

Mitigating Online Risks when “going to the polls”

Despite these vulnerabilities which seem like they should be handled by the government – which ordinarily should be, below are ways by which voters themselves can protect their votes from alteration.

  • Use Encryption Software: Encryption software helps add an extra layer of security to the data being sent over the Internet. Many times, public WiFis which we all make use of, have malicious elements waiting somewhere on the network to steal user data. To mitigate against this risk, download and use a VPN app when connecting to an unsure network in order to prevent data theft or alteration.
  • Educate Yourself: The government often releases guidelines on best practices to apply when making use of the online voting system. Engage in voter education and also educate people around you. For example, make sure you enter the official voting website, instead of any unapproved system that was established to mislead voters.
  • Use Antivirus Software: Viruses and malwares are one of the many ways by which cyber criminals also perpetuate their acts when it comes to online voting. Getting one of the best antivirus software on the Internet can help detect, scan and remove any suspicious or corrupted program that might be existing on the system.

Dutch minister of Justice holds coronaparty, changes law to escape consequences, appears to DMCA to delete from internet, better than Cummings!

Posted on by

The man who told all of the Netherlands to keep to 1.5m distance and to stay away from older people (Grapperhaus) was photographed hugging his mother in law and repeatedly breaking the distance at his wedding. This is the man who fines people EUR 400,- for this and then gives them a permanent record.

He wasn’t fined – although he did donate some money to the red cross and it didn’t go onto his permanent record. He expressed some sorrow that he was caught when cross examined and then changed the law so that there would be no more permanent crime record. In this way he could remain in parliament, because ciminals have no place there. He also instantly destroyed any credibility he had as well as any ability to enforce any laws. Silmoutaneously the Netherlands was turned into a banana republic.

His party, the CDA (Christian Democrats) decided not to ask Grapperhaus to do the honorable thing and step down and accept his punishment, so the Dutch coalition had no choice but to stand by him or face a parliamentary crisis.

Of course this might remind you of Dominic Cummings, who drove all across the UK to visit his mother during lockdown.

Now searching for images a few days after the fact reveals that a lot of the pictures seem to be unfindable, don’t link properly and are just plain gone, which is usually the right of throwing DMCA and right to be forgotten lawyers at things.

Oud-president Hoge Raad: ‘Minister Grapperhaus moet aftreden’

Zeg eens ‘eh’ met Ferdinand Grapperhaus

Frits Wester: ‘Waarom doet Grapperhaus zichzelf dit aan?’

Nieuwe foto’s van Grapperhaus die de coronaregels overtreedt

Waarom Grapperhaus nog steeds minister van Justitie is

‘Linusgate’: Namby pamby doesn’t like Linus calling FSF names at debconf, feels cancel cultury about it.

Posted on by

253 emails have been leaked from private (high-level) mailing lists of Debian, in which its representatives vocally complain about the talk Linus Torvalds gave at the most recent DebConf conference. Some people insist that he should be permanently banned from future conferences because the language he uses is inappropriate and infringes on the project’s Code of Conduct. This could set a very bad precedent for the open source community, which has recently seen an influx of various CoC policies applied to a number of high-profile projects mostly after very vocal concerns from the people who barely participate in the open source community. Some observers believe that it’s a plot by Microsoft to destroy the open source movement from the inside.

Source: ‘Linusgate’: Debian Project Leaders Want To Ban Linus Torvalds For His Manners – Slashdot

TCL Announces E Ink Color Display That Can Handle Video

Posted on by

Known for its tablets, TVs, and phones, TCL has this week announced a new technology, NXTPAPER, that could totally change how you think about e ink. E ink displays are known for being great to stare at for hours and perfect for reading books (and sometimes even comics), but the latest color displays from E Ink have low resolution and slow refresh rates, making them unusable for video. TCL claims its new NXTPAPER tech could be a solution.

TCL’s press release is a little confusing, as it appears to compare NXTPAPER both to E Ink’s displays and to traditional LCD displays that you find in most tablets and phones today. But by all accounts, the technology used in NXTPAPER sounds like e ink technology. The press release claims it will be 36% thinner than LCD displays and 65% more power-efficient—which lines up with the gains you get from e ink.

Last week, E Ink told the blog Good Ereader that it had plans to improve its own color E Ink technology. While we adore the first color E Ink devices, they’ve not been without their flaws, including a paltry 100-PPI resolution and slower refresh rates. E Ink promised to at least double the resolution to 200 PPI by 2021, with a goal of hitting 300 PPI—the resolution of high-end LCD and monochrome E Ink displays—at a later date.

We don’t know the exact planned resolution for TCL’s competing NXTPAPER technology, but the company claims it will be full HD, and that the text incorporated will allow it to have 25% higher contrast than traditional e ink devices

TCL also says it will offer a “paper-like visual experience in full color with no flicker and no harmful blue light” and that it will rely on natural light—which, again, sounds like e ink.

Source: TCL Announces E Ink Color Display That Can Handle Video

7 years later, US court deems NSA bulk phone-call snooping illegal, possibly unconstitutional, and probably pointless anyway

Posted on by

The United States Court of Appeals for the Ninth Circuit has ruled [PDF] that the National Security Agency’s phone-call slurping was indeed naughty, seven years after former contractor Edward Snowden blew the whistle on the tawdry affair.

It’s been a long time coming, and while some might view the decision as a slap for officials that defended the practice, the three-judge panel said the part played by the NSA programme wasn’t sufficient to undermine the convictions of four individuals for conspiring to send funds to Somalia in support of a terrorist group.

Snowden made public the existence of the NSA data collection programmes in June 2013, and by June 2015 US Congress had passed the USA FREEDOM Act, “which effectively ended the NSA’s bulk telephony metadata collection program,” according to the panel.

The panel took a long, hard look at the metadata collection programme, which slurped the telephony of millions of Americans (as well as at least one of the defendants) and concluded that not only had the Fourth Amendment of the constitution likely been violated, it certainly flouted section 1861 of the Foreign Intelligence Surveillance Act (FISA), which deals with access to business records in foreign intelligence and international terrorism investigations.

“On the merits,” the ruling said, “the panel held that the metadata collection exceeded the scope of Congress’s authorization in 50 U.S.C. § 1861, which required the government to make a showing of relevance to a particular authorized investigation before collecting the records, and that the program therefore violated that section of FISA.”

So, both illegal and quite possibly unconstitutional.

It isn’t a good look for the intelligence services. The panel was able to study the classified records and noted that “the metadata did not and was not necessary to support the requisite probable cause showing for the FISA Subchapter I warrant application in this case.”

The panel went on to administer a light slapping to those insisting that the metadata programme was an essential element in the case. The evidence, such as it was, “did not taint the evidence introduced by the government at trial,” the panel observed before going on to say: “To the extent the public statements of government officials created a contrary impression, that impression is inconsistent with the contents of the classified record.”

Thus not only illegal, possibly unconstitutional but also not particularly helpful in this instance, no matter what officials might have insisted.

While the American Civil Liberties Union (ACLU) declared the ruling “a victory for our privacy rights”, the process could have a while to run yet, including a trip to America’s Supreme Court

Source: US court deems NSA bulk phone-call snooping illegal, possibly unconstitutional, and probably pointless anyway • The Register

European ISPs report mysterious wave of DDoS attacks

Posted on by

More than a dozen internet service providers (ISPs) across Europe have reported DDoS attacks that targeted their DNS infrastructure.

The list of ISPs that suffered attacks over the past week includes Belgium’s EDP, France’s Bouygues TélécomFDNK-netSFR, and the Netherlands’ CaiwayDeltaFreedomNetOnline.nl, Signet, and Tweak.nl.

Attacks lasted no longer than a day and were all eventually mitigated, but ISP services were down while the DDoS was active.

NBIP, a non-profit founded by Dutch ISPs to collectively fight DDoS attacks and government wiretapping attempts, provided ZDNet with additional insights into the past week’s incidents.

“Multiple attacks were aimed towards routers and DNS infrastructure of Benelux based ISPs,” a spokesperson said. “Most of [the attacks] were DNS amplification and LDAP-type of attacks.”

“Some of the attacks took longer than 4 hours and hit close to 300Gbit/s in volume,” NBIB said.

[…]

Source: European ISPs report mysterious wave of DDoS attacks | ZDNet

These students figured out their tests were graded by AI — and the easy way to cheat – The Verge

Posted on by

Simmons, who is a history professor herself. Then, Lazare clarified that he’d received his grade less than a second after submitting his answers. A teacher couldn’t have read his response in that time, Simmons knew — her son was being graded by an algorithm.

Simmons watched Lazare complete more assignments. She looked at the correct answers, which Edgenuity revealed at the end. She surmised that Edgenuity’s AI was scanning for specific keywords that it expected to see in students’ answers. And she decided to game it.

[…]

Now, for every short-answer question, Lazare writes two long sentences followed by a disjointed list of keywords — anything that seems relevant to the question. “The questions are things like… ‘What was the advantage of Constantinople’s location for the power of the Byzantine empire,’” Simmons says. “So you go through, okay, what are the possible keywords that are associated with this? Wealth, caravan, ship, India, China, Middle East, he just threw all of those words in.”

“I wanted to game it because I felt like it was an easy way to get a good grade,” Lazare told The Verge. He usually digs the keywords out of the article or video the question is based on.

Apparently, that “word salad” is enough to get a perfect grade on any short-answer question in an Edgenuity test.

Edgenuity didn’t respond to repeated requests for comment, but the company’s online help center suggests this may be by design. According to the website, answers to certain questions receive 0% if they include no keywords, and 100% if they include at least one. Other questions earn a certain percentage based on the number of keywords included.

[…]

One student, who told me he wouldn’t have passed his Algebra 2 class without the exploit, said he’s been able to find lists of the exact keywords or sample answers that his short-answer questions are looking for — he says you can find them online “nine times out of ten.” Rather than listing out the terms he finds, though, he tried to work three into each of his answers. (“Any good cheater doesn’t aim for a perfect score,” he explained.)

Source: These students figured out their tests were graded by AI — and the easy way to cheat – The Verge

Bill Barr to destroy antitrust case vs Google by forcing DoJ complaint filed before case is ready but before Trump re-election voting

Posted on by

Several interested parties in the U.S. government have been looking to put Google’s head on a spike, and while undoubtedly there’s been some degree of jockeying between them for which will ultimately get the credit, they’ve been proceeding with care and caution in the interest of building an ironclad case against a particularly canny opponent. Leave it to Bill Barr—who in a better world would instead star in a live-action remake of Droopy Dog— to take all that hard work and piss it away.

Per reporting in the New York Times, “Justice Department officials told lawyers involved in the antitrust inquiry into Alphabet […] to wrap up their work by the end of September.” These lawyers apparently viewed the new, abrupt deadline—against an enormously powerful company with nearly unlimited resources to throw at a comprehensive legal defense—as “arbitrary.”

In all likeliness it’s anything but arbitrary. As we near the general election in November, the Trump camp is looking for a win to hang its hat on. We’ve already seen the president decide—seemingly mid-interview with Axios’s Jonathan Swan—to cut the number of troops deployed in Afghanistan by half, and likewise claim during his keynote speech at the RNC that he will release a covid-19 vaccine. Not coincidentally, both of these miraculous claims are projected (by Trump and seemingly only Trump) to come to fruition around November. Breaking up Google, which is increasingly a source of ire for Republicans and Democrats (albeit for wildly different reasons) appears to be a gambit by Barr to find that win—or at least the appearance of one.

We’ve reached out to Google and the Department of Justice for comment and will update if we hear back.

As mentioned, the DOJ isn’t the only game in town where fining, regulating, or otherwise frustrating Google’s market dominance is concerned. A coalition of 50 state attorneys general is also probing the company, while the FTC, the House’s Antitrust Subcommittee, and the Senate Antitrust Subcommittee have ongoing investigations more broadly into the practices of big tech. All have been gathering evidence for a year or more, which is what makes Barr’s hastiness particularly egregious. Per the Times:

Some lawyers in the department worry that Mr. Barr’s determination to bring a complaint this month could weaken their case and ultimately strengthen Google’s hand, according to interviews with 15 lawyers who worked on the case or were briefed on the department’s strategy […] Many career staff members in the antitrust division, including more than a dozen who were hired during the Trump administration, considered the evidence solid that Google’s search and advertising businesses violated antitrust law. But some told associates that Mr. Barr was forcing them to come up with “half-baked” cases so he could unveil a complaint by Sept. 30.

As is the case with most would-be totalitarians, the appearance of strength for Trump is often pursued at the expense of actually wielding power effectively. If true, Barr’s reported plan to jump the gun on a Google antitrust case is a prime example. By looking the part and going after Google now, he would be likely to undermine the other existing cases against the company. If, say, Google manages to dodge claims by the DOJ of a monopoly on web search advertising (of which it controls more than 90% of the market), that becomes precedent the FTC or House needs to overcome to prove said monopoly exists.

Regulating big tech—and regulating it in a smart and comprehensive way—would be a steep uphill climb in the best of political climates. Leave it to Trump and his lackeys to carve that hill into a sheer cliff face and slather it in grease. Maybe someone else will clean it up.

Source: Report: DOJ Puts to File Google Antitrust Case in September

After Facebook Balks, Apple Delays “Privacy” (ie only Apple spies on you) Feature

Posted on by

In June, Apple unveiled plans for an iOS 14 privacy update that forces developers to gather users’ consent before tracking their activities across third-party apps and websites. Needless to say, giving users more control over how their information is gathered and trafficked is expected to bruise advertisers—especially Facebook, which uses that information to narrow its targeting functions.

As the initial autumn deadline closed in, Facebook protested last week that the change could render Facebook’s Audience Network—its ad service offered to third-party apps—“so ineffective on iOS 14 that it may not make sense to offer it on iOS 14 in the future.” The company claimed that blocking personalization is expected to cut Audience Network revenue by half or more, and that the move would hurt the over 19,000 developers who work with Facebook, many of which are “small businesses that depend on ads to support their livelihood.”

Apple’s messaging to users, as illustrated in the latest promo images for iOS 14, doesn’t give surveillance a nice ring. It will tell you bluntly that such-and-such app “would like permission to track you across apps and websites owned by other companies.” Apple pointed out to Gizmodo that it still embraces in-app advertising and does not prohibit tracking. In fact, Facebook can still gather that data (using Apple’s advertiser ID), if it’s willing to ask iOS users to agree to be tracked (using that scary messaging.) But both Apple and Facebook know that the data collection business operates more smoothly when begging for forgiveness later rather than asking permission now. If not, companies wouldn’t have mastered the art of doublespeak and constructed labyrinthine settings menus.

Apple, on the other hand, will still be able to benefit from gathering your information in various ways without asking permission because Apple doesn’t necessarily need to share or gather your information with data brokers and outside companies—your data is already growing organically within Apple’s walled garden. For example, Apple might show you an ad for a weight loss app in the App Store based on the fact that you read an article from a lifestyle publication in the Apple News app—a function which is automatically enabled, and can be toggled off, under “Apple Advertising.” Similarly, Apple says that developers can use data gained from activity within their own apps through Apple’s vendor-specific identifier. (Apple says that the “tracking” prompt would still show up if Apple-created apps intend to share information beyond Apple.)

But it’s hard to imagine a competing vendor that would have access to such a sprawling network of native data, aside from Google, which has its own devices and browser and advertiser ID. And sticking the notification on Facebook polishes Apple’s self-fashioned reputation a big tech company which values privacy. (It is not.)

[…]

Apple says that now apps won’t need to ask users permission to be tracked until 2021, “to give developers time to make necessary changes.” Apple will also require developers to submit details on the data their apps collect—including “sensitive information” such as race, sexual orientation, disability, and political affiliation—which will be published in the App Store later this year.

Source: After Facebook Balks, Apple Delays Privacy Feature

Facebook finally joins responsible disclosure for bugs they find

Posted on by

Facebook has published its first Vulnerability Disclosure Policy and given itself grounds to blab the existence of bugs to the world if it thinks that’s the right thing to do.

“Facebook may occasionally find critical security bugs or vulnerabilities in third-party code and systems, including open source software,” the company writes. “When that happens, our priority is to see these issues promptly fixed, while making sure that people impacted are informed so that they can protect themselves by deploying a patch or updating their systems.”

The Social Network™ has made itself the arbiter of what needs to be disclosed and when it needs to be disclosed. The company’s policy is to contact “the appropriate responsible party” and give them 21 days to respond.

“Facebook will evaluate based on our interpretation of the risk to people.”

“If we don’t hear back within 21 days after reporting, Facebook reserves the right to disclose the vulnerability,” the policy says, adding: “If within 90 days after reporting there is no fix or update indicating the issue is being addressed in a reasonable manner, Facebook will disclose the vulnerability.”

But the company has also outlined exceptions to those rules, with acceleration of disclosure if a bug is already being exploited and slowing down news “If a project’s release cycle dictates a longer window.”

The third reason is:

“If a fix is ready and has been validated, but the project owner unnecessarily delays rolling out the fix, we might initiate the disclosure prior to the 90-day deadline when the delay might adversely impact the public.”

Facebook “will evaluate each issue on a case-by-case basis based on our interpretation of the risk to people.”

The policy isn’t wildly difficult from that used by Google’s Project Zero, which also discloses bugs after 90 days and also offers extensions under some circumstances.

Source: Facebook to blab bugs it finds if it thinks code owners aren’t fixing fast enough • The Register

The Big Tesla Hack: A hacker gained control over the entire fleet, but fortunately he’s a good guy

Posted on by

In July 2017, Tesla CEO Elon Musk got on stage at the National Governors Association in Rhode Island and confirmed that a “fleet-wide hack” is one of Tesla’s biggest concerns as the automaker moves to autonomous vehicles.

He even presented a strange scenario that could happen in an autonomous future:

“In principle, if someone was able to say hack all the autonomous Teslas, they could say – I mean just as a prank – they could say ‘send them all to Rhode Island’ [laugh] – across the United States… and that would be the end of Tesla and there would be a lot of angry people in Rhode Island.”

What Musk knew that the public didn’t was that Tesla got a taste of that actually happening just a few months prior to his talk.

The Big Tesla Hack

Back in 2017, Jason Hughes was already well known in the Tesla community under his WK057 alias on the forums.

He was an early member of the Tesla “root access” community, a group of Tesla owners who would hack their own cars to get more control over them and even unlock unreleased features.

[…]

After Tesla started to give customers access to more data about Supercharger stations, mainly the ability to see how many chargers were currently available at a specific charging station through its navigation app, Hughes decided to poke around and see if he could expose the data.

He told Electrek:

“I found a hole in the server-side of that mechanism that allowed me to basically get data for every Supercharger worldwide about once every few minutes.”

The hacker shared the data on the Tesla Motors Club forum, and the automaker seemingly wasn’t happy about it.

Someone who appeared to be working at Tesla posted anonymously about how they didn’t want the data out there.

Hughes responded that he would be happy to discuss it with them.

20 minutes later, he was on a conference call with the head of the Supercharger network and the head of software security at Tesla.

They kindly explained to him that they would prefer for him not to share the data, which was technically accessible through the vehicles. Hughes then agreed to stop scraping and sharing the Supercharger data.

After reporting his server exploit through Tesla’s bug reporting service, he received a $5,000 reward for exposing the vulnerability.

With now having more experience with Tesla’s servers and knowing that their network wasn’t the most secure, to say the least, he decided to go hunting for more bug bounties.

After some poking around, he managed to find a bunch of small vulnerabilities.

The hacker told Electrek:

“I realized a few of these things could be chained together, the official term is a bug chain, to gain more access to other things on their network. Eventually, I managed to access a sort of repository of server images on their network, one of which was ‘Mothership’.”

Mothership is the name of Tesla’s home server used to communicate with its customer fleet.

Any kind of remote commands or diagnostic information from the car to Tesla goes through “Mothership.”

After downloading and dissecting the data found in the repository, Hughes started using his car’s VPN connection to poke at Mothership. He eventually landed on a developer network connection.

That’s when he found a bug in Mothership itself that enabled him to authenticate as if it was coming from any car in Tesla’s fleet.

All he needed was a vehicle’s VIN number, and he had access to all of those through Tesla’s “tesladex” database thanks to his complete control of Mothership, and he could get information about any car in the fleet and even send commands to those cars.

At the time, I gave Hughes the VIN number of my own Tesla Model S, and he was able to give me its exact location and any other information about my own vehicle.

[…]

Hughes couldn’t really send Tesla cars driving around everywhere like Tesla’s CEO described in a strange scenario few months later, but he could “Summon” them.

In 2016, Tesla released its Summon feature, which enables Tesla owners to remotely move their cars forward or backward a few dozen feet without anyone in them.

[…]

the automaker awarded him a special $50,000 bug report reward — several times higher than the max official bug reward limit:

Source: The Big Tesla Hack: A hacker gained control over the entire fleet, but fortunately he’s a good guy – Electrek