The Linkielist

Linking ideas with the world


About Robin Edgar


Peer-to-peer takes on a whole new meaning when used to spy on 3.7 million or more cameras, other IoT gear

More than 3.7 million. That’s the latest number of surveillance cameras, baby monitors, doorbells with webcams, and other internet-connected devices found left open to hijackers via two insecure communications protocols globally, we’re told.

This is up from estimates of a couple of million last year. The protocols are CS2 Network P2P, used by more than 50 million devices worldwide, and Shenzhen Yunni iLnkP2P, used by more than 3.6 million. The P2P stands for peer-to-peer. The devices’ use of the protocols cannot be switched off.

The upshot is Internet-of-Things gadgets using vulnerable iLnkP2P implementations can be discovered and accessed by strangers, particularly if the default password has not been changed or is easily guessed. Thus miscreants can abuse the protocol to spy on poorly secured cameras and other equipment dotted all over the world (CVE-2019-11219). iLnkP2P connections can also be intercepted by eavesdroppers to snoop on live video streams, login details, and other data (CVE-2019-11220).

Meanwhile, CS2 Network P2P can fall to the same sort of snooping as iLnkP2P (CVE-2020-9525, CVE-2020-9526). iLnkP2P is, we’re told, functionally equivalent to CS2 Network P2P, though the two implementations differ in some details.

The bugs were found by Paul Marrapese, who has a whole site, hacked.camera, dedicated to the vulnerabilities. “As of August 2020, over 3.7 million vulnerable devices have been found on the internet,” reads the site, which lists affected devices and advice on what to do if you have any at-risk gear. (Summary: throw it away, or try firewalling it off.)

He went public with the CS2 Network P2P flaws this month after being told in February by the protocol’s developers that the weaknesses would be addressed in version 4.0. In 2019, he tried to report the iLnkP2P flaws to developers Shenzhen Yunni, received no response, and went public with those bugs in April that year.

At this year’s DEF CON hacking conference, held online last week, Marrapese gave an in-depth talk on the insecure protocols, which you can watch below.

“When hordes of insecure things get put on the internet, you can bet the end result is not going to be pretty,” Marrapese, a red-team member at an enterprise cloud biz, told his web audience. “A $40 purchase from Amazon is all you need to start hacking into devices.”

The protocols use UDP port 32100, and are outlined here by Fabrizio Bertone, who reverse engineered them in 2017. Essentially, they’re designed to let non-tech-savvy owners access their devices, wherever they are. Each device contacts central servers to announce it is powered up, and it stays registered by sending heartbeat messages to those servers. The cloud-hosted servers therefore know which IP address each gadget is using, and stay in constant touch with the devices.

When a user wants to connect to their device, and starts an app to log into their gadget, the servers will tell the app how to reach the camera, or whatever it may be, either via the local network or over the internet. If need be, the device and app will be instructed to use UDP hole punching to talk to each other through whatever NATs are in the way, or to go via a relay if that doesn’t work. This allows the device to be used remotely by the app without the owner having to, say, change any firewall or NAT settings on their home router. The app and device find a way to talk to each other.

“In the context of IoT, P2P is a feature that lets people connect to their device anywhere in the world without any special setup,” Marrapese said. “You have to remember, some folks don’t even know how to log into their routers, never mind forward a port.”

In the case of iLnkP2P, it turned out it was easy to calculate the unique IDs of strangers’ devices, and thus use the protocol to find and connect to them. The IDs are set at the factory and can’t be changed. Marrapese was able to enumerate millions of gadgets, and use their IP addresses to approximate their physical location, showing equipment scattered primarily across Asia, the UK and Europe, and North America. Many accept the default password, and thus can be accessed by miscreants scanning the internet for vulnerable P2P-connected cameras and the like. According to Marrapese, thousands of new iLnkP2P-connected devices appear online every month.
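The check a network defender would want from the description above, as an added example (not code from The Register, Marrapese or Bertone): flag internal hosts that keep sending UDP to port 32100 on addresses outside the LAN, which is the rendezvous and heartbeat traffic the article describes, and emit the egress rule that the hacked.camera “firewall it off” advice amounts to. The Zeek-style conn-log layout and the sample records are constructed; the only protocol fact the code relies on is the port number.

```python
"""Flag LAN hosts that talk to CS2/iLnkP2P rendezvous servers.

Added example, not from the article, hacked.camera or Bertone's write-up.
Assumes a whitespace-separated conn log (constructed below) and uses one
fact from the article: registration and heartbeats are UDP to port 32100.
"""
import ipaddress
from collections import defaultdict

P2P_PORT = 32100  # rendezvous/heartbeat port named in the article

# RFC 1918 ranges: anything else is treated as "outside the LAN".
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: ts src_ip src_port dst_ip dst_port proto
SAMPLE_CONN_LOG = """\
1596700000 192.168.1.23 41000 203.0.113.10 32100 udp
1596700030 192.168.1.23 41000 203.0.113.10 32100 udp
1596700060 192.168.1.23 41000 203.0.113.11 32100 udp
1596700010 192.168.1.50 52000 198.51.100.7 443 tcp
1596700015 192.168.1.50 52001 198.51.100.7 32100 tcp
1596700020 192.168.1.77 60000 203.0.113.12 32100 udp
"""


def is_lan(addr):
    return any(addr in net for net in LAN_NETS)


def parse_conn_log(text):
    """Yield (ts, src, dst, dport, proto), skipping malformed records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, _sport, dst, dport, proto = parts
        try:
            yield (int(ts), ipaddress.ip_address(src),
                   ipaddress.ip_address(dst), int(dport), proto.lower())
        except ValueError:
            continue


def find_p2p_talkers(text, min_flows=2):
    """Map each LAN host that sent at least `min_flows` UDP flows to port
    32100 outside the LAN to the sorted list of servers it contacted.
    Repeated flows are the heartbeat behaviour; one stray packet is noise."""
    servers = defaultdict(set)
    counts = defaultdict(int)
    for _ts, src, dst, dport, proto in parse_conn_log(text):
        if proto != "udp" or dport != P2P_PORT:
            continue
        if not is_lan(src) or is_lan(dst):
            continue
        servers[src].add(dst)
        counts[src] += 1
    return {str(src): sorted(str(d) for d in servers[src])
            for src in servers if counts[src] >= min_flows}


def egress_block_rules(talkers):
    """iptables rules that stop the flagged hosts reaching the rendezvous
    servers: the 'firewall it off' option the article mentions."""
    return [f"iptables -A FORWARD -s {src} -p udp --dport {P2P_PORT} -j DROP"
            for src in sorted(talkers)]


if __name__ == "__main__":
    found = find_p2p_talkers(SAMPLE_CONN_LOG)
    for host, srv in found.items():
        print(f"{host} registers with P2P servers {', '.join(srv)}")
    print("\n".join(egress_block_rules(found)))
```

A rule keyed on one destination port is a tripwire, not a fix: it stops the device registering with the rendezvous servers, so the vendor app’s remote path goes dark, but the device itself is unchanged and still reachable by anyone on the same LAN. The article’s first piece of advice, getting rid of the device, still stands.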

[…]

Source: Peer-to-peer takes on a whole new meaning when used to spy on 3.7 million or more cameras, other IoT gear • The Register

Trump says TikTok will be banned if not sold by Sept. 15, demands cut of sale fee because he made the deal possible. Extortion much?

President Trump said Monday that TikTok will be shut down in the U.S. if it hasn’t been bought by Microsoft or another company by Sept. 15, and argued — without elaborating — that the U.S. Treasury should get “a very substantial portion” of the sale fee.

Why it matters: Trump appears to have backed off his threat to immediately ban TikTok after speaking with Microsoft CEO Satya Nadella, who said Sunday that the company will pursue discussions with TikTok’s Chinese parent company ByteDance to purchase the app in the U.S.

The big picture: TikTok has come under intense scrutiny in the U.S. due to concerns that the vast amounts of data it collects could be accessed by the Chinese government, potentially posing a national security threat.

  • Negotiations between TikTok and Microsoft will be overseen by a special government panel called the Committee on Foreign Investment in the United States (CFIUS), Reuters reports.

What he’s saying: Trump appeared to suggest on Monday that Microsoft would have to pay the U.S. government in order to complete the deal, but did not explain the precedent for such an action. He also argued that Microsoft should buy all of TikTok, not just 30% of the company.

  • “I don’t mind if, whether it’s Microsoft or somebody else, a big company, a secure company, a very American company, buy it. It’s probably easier to buy the whole thing than to buy 30% of it. How do you do 30%? Who’s going to get the name? The name is hot, the brand is hot,” Trump said.
  • “A very substantial portion of that price is going to have to come into the Treasury of the United States. Because we’re making it possible for this deal to happen. Right now they don’t have any rights, unless we give it to them. So if we’re going to give them the rights, it has to come into this country. It’s a little bit like the landlord/tenant,” he added.

Our thought bubble, via Axios’ Dan Primack: Trump’s inexplicable claim that part of Microsoft’s purchase price would have to go to the Treasury is skating very close to announcing extortion.

Source: Trump says TikTok will be banned if not sold by Sept. 15, demands cut of sale fee – Axios

Leaky AWS S3 buckets are so common, they’re being found by the thousands now – with lots of buried secrets

Misconfigured AWS S3 storage buckets exposing massive amounts of data to the internet are like an unexploded bomb just waiting to go off, say experts.

The team at Truffle Security said its automated search tools were able to stumble across some 4,000 open Amazon-hosted S3 buckets that included data companies would not want public – things like login credentials, security keys, and API keys.

In fact, the leak hunters say that exposed data was so common, they were able to count an average of around 2.5 passwords and access tokens per file analyzed per repository. In some cases, more than 10 secrets were found in a single file; some files had none at all.

These credentials included SQL Server passwords, Coinbase API keys, MongoDB credentials, and logins for other AWS buckets that actually were configured to ask for a password.

That the Truffle Security team was able to turn up roughly 4,000 insecure buckets with private information shows just how common it is for companies to leave their cloud storage instances unguarded.

Though AWS has done what it can to get customers to lock down their cloud instances, finding exposed storage buckets and databases is pretty trivial for trained security professionals to pull off.
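Two checks against the scenario above, added here as an example (not Truffle Security’s tooling): whether a bucket policy grants anonymous read, and how many credential-looking strings sit in each object, which is the per-file figure the article quotes. The policy documents and object contents are constructed; the AWS access key ID shape (AKIA plus 16 characters), the MongoDB URI form and the SQL Server connection-string keywords are the public formats.

```python
"""Bucket-policy and buried-secret checks for the S3 exposure problem.

Added example, not Truffle Security's code. Policies and object bodies are
constructed sample data; the credential patterns are the public formats.
"""
import json
import re

READ_ACTIONS = {"s3:getobject", "s3:*", "*"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_publicly_readable(policy_json):
    """True if any Allow statement lets the anonymous principal read objects
    with no Condition. Simplification: any Condition is treated as a
    restriction, so review conditioned grants by hand."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict)
            and "*" in _as_list(principal.get("AWS", [])))
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if anonymous and actions & READ_ACTIONS and not stmt.get("Condition"):
            return True
    return False


SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "mongodb_uri": re.compile(r"\bmongodb(?:\+srv)?://[^:\s/]+:[^@\s]+@[^\s'\"]+"),
    "sqlserver_conn": re.compile(r"(?i)\bServer=[^;]+;.*?Password=[^;\s'\"]+"),
    "generic_password": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"]?[^\s'\"]{6,}"),
}


def find_secrets(text):
    """[(kind, token)] for every credential-looking string. Where patterns
    overlap (a SQL Server string also contains 'Password='), the earliest
    and then longest match wins so one secret is counted once."""
    spans = []
    for kind, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(text):
            spans.append((m.start(), -(m.end() - m.start()), kind, m.group(0)))
    spans.sort()
    hits, last_end = [], -1
    for start, neg_len, kind, token in spans:
        if start < last_end:
            continue  # overlaps a match already accepted
        hits.append((kind, token))
        last_end = start - neg_len
    return hits


def scan_objects(objects):
    """objects: {key: text}. Returns per-object secret counts and the mean
    per file, the metric the article reports (about 2.5 in Truffle's data)."""
    per_file = {key: len(find_secrets(body)) for key, body in objects.items()}
    mean = sum(per_file.values()) / len(per_file) if per_file else 0.0
    return per_file, mean


# Constructed sample data.
SAMPLE_PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_OBJECTS = {
    "config/app.env": ("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                       "MONGO_URL=mongodb://app:s3cr3tpass@db.example.internal:27017/app\n"),
    "backup/web.config": ('<add name="db" connectionString="Server=sql1;Database=shop;'
                          'User Id=sa;Password=Hunter2!;"/>\n'),
    "static/logo.svg": "<svg/>\n",
}

if __name__ == "__main__":
    print("public policy exposed:", is_publicly_readable(SAMPLE_PUBLIC_POLICY))
    print("restricted policy exposed:", is_publicly_readable(SAMPLE_RESTRICTED_POLICY))
    print(scan_objects(SAMPLE_OBJECTS))
```

A False from the policy check is not proof a bucket is private: object and bucket ACLs and the account-level Block Public Access setting also decide exposure, and this code reads neither. The secret scanner is deliberately narrow; the point is the counting, which is what turns “some buckets are open” into the per-file number the article uses.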

In some cases, the leak-hunters have even partnered up with law firms, collecting referral fees when they send aggrieved customers to take part in class-action lawsuits against companies that exposed their data.

Source: Leaky AWS S3 buckets are so common, they’re being found by the thousands now – with lots of buried secrets • The Register

Windows 10: HOSTS file blocking telemetry is now flagged as a risk

Starting at the end of July, Microsoft has begun detecting HOSTS files that block Windows 10 telemetry servers as a ‘Severe’ security risk.

The HOSTS file is a plain-text file located at C:\Windows\System32\drivers\etc\hosts and can only be modified by a program running with Administrator privileges.

[…]

Microsoft now detects HOSTS files that block Windows telemetry

Since the end of July, Windows 10 users began reporting that Windows Defender had started detecting modified HOSTS files as a ‘SettingsModifier:Win32/HostsFileHijack’ threat.

When detected, if a user clicks on the ‘See details’ option, they will simply be shown that they are affected by a ‘Settings Modifier’ threat that has ‘potentially unwanted behavior,’ as shown below.

SettingsModifier:Win32/HostsFileHijack detection

BleepingComputer first learned about this issue from BornCity, and while Microsoft Defender detecting HOSTS hijacks is not new, it was strange to see so many people suddenly reporting the detection [1, 2, 3, 4, 5].

While a widespread infection hitting many consumers simultaneously in the past is not unheard of, it is quite unusual with the security built into Windows 10 today.

[…]

Microsoft had recently updated their Microsoft Defender definitions to detect when their servers were added to the HOSTS file.

Users who rely on the HOSTS file to block Windows 10 telemetry therefore suddenly started seeing the HOSTS file hijack detection.

In our tests, some of the Microsoft hosts detected in the Windows 10 HOSTS file include the following:

www.microsoft.com
microsoft.com
telemetry.microsoft.com
wns.notify.windows.com.akadns.net
v10-win.vortex.data.microsoft.com.akadns.net
us.vortex-win.data.microsoft.com
us-v10.events.data.microsoft.com
urs.microsoft.com.nsatc.net
watson.telemetry.microsoft.com
watson.ppe.telemetry.microsoft.com
vsgallery.com
watson.live.com
watson.microsoft.com
telemetry.remoteapp.windowsazure.com
telemetry.urs.microsoft.com

If you decide to clean this threat, Microsoft Defender will restore the HOSTS file to its default contents.

Default Windows 10 HOSTS file

Users who intentionally modify their HOSTS file can allow this ‘threat,’ but it may enable all HOSTS modifications, even malicious ones, going forward.

So only allow the threat if you 100% understand the risks involved in doing so.
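What to check before clicking ‘Allow’ on that detection, as an added example (not BleepingComputer’s or Microsoft’s code): parse the HOSTS file and separate the Microsoft hosts from the list above that are pointed at a sink address (0.0.0.0, 127.0.0.1 or ::1) from any name pointed at a routable address, which is what a genuine hosts-file hijack looks like. The sample file is constructed; the host list is the one the article reports.

```python
"""Audit a Windows HOSTS file before allowing the HostsFileHijack detection.

Added example, not from the article or from Microsoft. Splits intentional
telemetry blocks from entries that redirect a name to a routable address.
"""
import ipaddress

# Hosts the article says trigger the detection when present in HOSTS.
MS_TELEMETRY_HOSTS = {
    "www.microsoft.com", "microsoft.com", "telemetry.microsoft.com",
    "wns.notify.windows.com.akadns.net",
    "v10-win.vortex.data.microsoft.com.akadns.net",
    "us.vortex-win.data.microsoft.com", "us-v10.events.data.microsoft.com",
    "urs.microsoft.com.nsatc.net", "watson.telemetry.microsoft.com",
    "watson.ppe.telemetry.microsoft.com", "vsgallery.com", "watson.live.com",
    "watson.microsoft.com", "telemetry.remoteapp.windowsazure.com",
    "telemetry.urs.microsoft.com",
}

# Addresses that black-hole a name rather than redirect it.
SINK_ADDRESSES = {ipaddress.ip_address(a) for a in ("0.0.0.0", "127.0.0.1", "::1")}

# Constructed sample: two telemetry blocks, one other local sink, one hijack.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 telemetry.microsoft.com
0.0.0.0 watson.telemetry.microsoft.com   # block crash reporting
127.0.0.1 vortex.data.microsoft.com
198.51.100.9 www.bank.example
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) per mapping; comments and junk are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield addr, name.lower()


def classify_hosts(text):
    """Bucket every non-default entry as a telemetry block (Microsoft host
    sent to a sink), another local sink, or a hijack candidate (any name
    sent to a routable address)."""
    report = {"telemetry_blocks": [], "other_sinks": [], "hijack_candidates": []}
    for addr, name in parse_hosts(text):
        if name == "localhost":
            continue  # the default file's own entries
        if addr in SINK_ADDRESSES:
            bucket = "telemetry_blocks" if name in MS_TELEMETRY_HOSTS else "other_sinks"
        else:
            bucket = "hijack_candidates"
        report[bucket].append((str(addr), name))
    return report


def safe_to_allow(text):
    """Only allow the detection when nothing in the file redirects a name
    to a real address; the article warns that allowing it also waves
    through future, possibly malicious, modifications."""
    return not classify_hosts(text)["hijack_candidates"]


if __name__ == "__main__":
    for bucket, entries in classify_hosts(SAMPLE_HOSTS).items():
        print(bucket, entries)
    print("safe to allow:", safe_to_allow(SAMPLE_HOSTS))
```

Run it over the real file (a plain `open(r"C:\Windows\System32\drivers\etc\hosts")` is enough; reading needs no elevation). The reason for the split is the article’s caveat: once the detection is allowed, Defender stops restoring the file, so you want to be sure the current contents are only your own blocks before you give up that safety net.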

BleepingComputer has reached out to Microsoft with questions regarding this new detection.

Source: Windows 10: HOSTS file blocking telemetry is now flagged as a risk

Yup, I ran into this a few weeks ago. It’s highly annoying.

Hacker leaks passwords for 900+ enterprise Pulse VPN servers

A hacker has published today a list of plaintext usernames and passwords, along with IP addresses for more than 900 Pulse Secure VPN enterprise servers.

ZDNet, which obtained a copy of this list with the help of threat intelligence firm KELA, verified its authenticity with multiple sources in the cyber-security community.

According to a review, the list includes:

  • IP addresses of Pulse Secure VPN servers
  • Pulse Secure VPN server firmware version
  • SSH keys for each server
  • A list of all local users and their password hashes
  • Admin account details
  • Last VPN logins (including usernames and cleartext passwords)
  • VPN session cookies
Image: ZDNet

Bank Security, a threat intelligence analyst specialized in financial crime and the one who spotted the list earlier today and shared it with ZDNet, made an interesting observation about the list and its content.

The security researcher noted that all the Pulse Secure VPN servers included in the list were running a firmware version vulnerable to the CVE-2019-11510 vulnerability.

Bank Security believes that the hacker who compiled this list scanned the entire internet IPv4 address space for Pulse Secure VPN servers, used an exploit for the CVE-2019-11510 vulnerability to gain access to systems, dump server details (including usernames and passwords), and then collected all the information in one central repository.

Based on timestamps in the list (a collection of folders), the dates of the scans, or the date the list was compiled, appear to be between June 24 and July 8, 2020.
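Two triage helpers for the situation described above, added here as an example (not from ZDNet, KELA or Bank Security): a firmware-version check against the first fixed release on each branch, and a pass over web-server access logs for the traversal shape of CVE-2019-11510 requests. The fixed-version table is my reading of Pulse advisory SA44101 and should be confirmed against the advisory before use; the log lines are constructed, with the two traversal requests written to the shape of the public proof of concept for the bug.

```python
"""Version check and log triage for CVE-2019-11510 on Pulse Connect Secure.

Added example, not from the article. FIXED_RELEASES is an assumption taken
from advisory SA44101 as I recall it; verify it. Log lines are constructed.
"""
import re
from urllib.parse import unquote

# branch -> first fixed release (assumption: SA44101; 8.0 and older absent)
FIXED_RELEASES = {
    (9, 0): (9, 0, 3, 4),
    (8, 3): (8, 3, 7, 1),
    (8, 2): (8, 2, 12, 1),
    (8, 1): (8, 1, 15, 1),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(s):
    """'9.0R3.2' -> (9, 0, 3, 2); a missing patch level counts as 0."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Pulse version: {s!r}")
    major, minor, rel, patch = m.groups()
    return int(major), int(minor), int(rel), int(patch or 0)


def is_vulnerable(version):
    """True if the firmware predates its branch's fix. Branches not in the
    table (unsupported or unknown) are treated as vulnerable on purpose."""
    v = parse_version(version)
    fix = FIXED_RELEASES.get(v[:2])
    return fix is None or v < fix


# Constructed access-log lines (combined log format).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [25/Jun/2020:03:12:41 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5123
203.0.113.77 - - [25/Jun/2020:03:12:58 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1412
203.0.113.77 - - [25/Jun/2020:03:13:02 +0000] "GET /dana-na/..%2Fdana/html5acc/guacamole/..%2F..%2F..%2F..%2F..%2F..%2Fdata/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ HTTP/1.1" 200 98304
198.51.100.9 - - [25/Jun/2020:03:14:10 +0000] "POST /dana-na/auth/url_default/login.cgi HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")


def find_traversal_attempts(log_text):
    """(client_ip, status, decoded_path) for requests under the appliance's
    /dana-na/ or /dana/ paths whose URL-decoded path contains a dot-dot
    segment. Decoding first catches %2F-encoded variants."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, uri, status, _size = m.groups()
        path = unquote(uri.split("?", 1)[0])
        if path.startswith(("/dana-na/", "/dana/")) and TRAVERSAL_RE.search(path):
            hits.append((ip, int(status), path))
    return hits


if __name__ == "__main__":
    for v in ("9.0R3.2", "9.0R3.4", "8.2R12"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    for ip, status, path in find_traversal_attempts(SAMPLE_ACCESS_LOG):
        print(ip, status, path)
```

A 200 with a non-trivial response size on a traversal request is the strongest signal that the read succeeded. Given what the leaked list contains, per the article (cleartext passwords from recent logins and live session cookies), patching a vulnerable appliance is not enough on its own: credentials have to be reset and sessions invalidated, because the attacker already has what a patch would only stop them taking again.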

Source: Hacker leaks passwords for 900+ enterprise VPN servers | ZDNet

400 faults found in Qualcomm chips powering your mobile phone with big implications

With over 3 billion users globally, smartphones are an integral, almost inseparable part of our day-to-day lives.

As the mobile market continues to grow, vendors race to provide new features, new capabilities and better technological innovations in their latest devices. To support this relentless drive for innovation, vendors often rely on third parties to provide the required hardware and software for phones. One of the most common third-party solutions is the Digital Signal Processor unit, commonly known as DSP chips.

In this research dubbed “Achilles” we performed an extensive security review of a DSP chip from one of the leading manufacturers: Qualcomm Technologies. Qualcomm provides a wide variety of chips that are embedded into devices that make up over 40% of the mobile phone market, including high-end phones from Google, Samsung, LG, Xiaomi, OnePlus and more.

More than 400 vulnerable pieces of code were found within the DSP chip we tested, and these vulnerabilities could have the following impact on users of phones with the affected chip:

  • Attackers can turn the phone into a perfect spying tool, without any user interaction required – The information that can be exfiltrated from the phone includes photos, videos, call recordings, real-time microphone data, GPS and location data, etc.
  • Attackers may be able to render the mobile phone constantly unresponsive – Making all the information stored on this phone permanently unavailable – including photos, videos, contact details, etc – in other words, a targeted denial-of-service attack.
  • Malware and other malicious code can completely hide their activities and become un-removable.

We disclosed these findings to Qualcomm, who acknowledged them, notified the relevant device vendors and assigned them the following CVEs: CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209.

Source: Achilles: Small chip, big peril. – Check Point Software

New York unveils landmark antitrust bill that makes it easier to sue tech giants

New York state is introducing a bill that would make it easier to sue big tech companies for alleged abuses of their monopoly powers.

New York is America’s financial center and one of its most important tech hubs. If successfully passed, the law could serve as a model for future legislation across the country. It also comes as a federal committee is conducting an antitrust investigation into tech giants amid concerns that their unmatched market power is suppressing competition.

Bill S8700A, now being discussed by New York’s senate consumer protection committee, would update New York’s antiquated antitrust laws for the 21st century, said the bill’s sponsor, Senator Mike Gianaris.

“Their power has grown to dangerous levels and we need to start reining them in,” he said.

New York’s antitrust laws currently require two players to collaborate in a conspiracy to conduct anticompetitive behavior such as price setting. In other cases companies may underprice products to the point where they are even incurring a loss just to drive others out of the market – anticompetitive behavior that New York’s laws would currently struggle to prosecute.

“Our laws on antitrust in New York are a century old and they were built for a completely different economy,” said Gianaris. “Much of the problem today in the 21st century is unilateral action by some of these behemoth tech companies and this bill would allow, for the first time, New York to engage in antitrust enforcement for unilateral action.”

The bill will probably be discussed when New York’s senate returns to work in August but is unlikely to pass before next year. It has the support of New York’s attorney general, Letitia James.

Source: New York unveils landmark antitrust bill that makes it easier to sue tech giants | Technology | The Guardian

Our Solar System’s Magnetic Shield (Heliosphere) is Shaped like a croissant

All the planets of our solar system are encased in a magnetic bubble, carved out in space by the Sun’s constantly outflowing material, the solar wind. Outside this bubble is the interstellar medium — the ionized gas and magnetic field that fills the space between stellar systems in our galaxy. One question scientists have tried to answer for years is on the shape of this bubble, which travels through space as our Sun orbits the center of our galaxy. Traditionally, scientists have thought of the heliosphere as a comet shape, with a rounded leading edge, called the nose, and a long tail trailing behind.

Research published in Nature Astronomy in March and featured on the journal’s cover for July provides an alternative shape that lacks this long tail: the deflated croissant.

Model showing the heliosphere appearing as a deflated croissant shape, wrapped in the interstellar magnetic field
An updated model suggests the shape of the Sun’s bubble of influence, the heliosphere (seen in yellow), may be a deflated croissant shape, rather than the long-tailed comet shape suggested by other research.
Credits: Opher, et al

The shape of the heliosphere is difficult to measure from within. The closest edge of the heliosphere is more than ten billion miles from Earth. Only the two Voyager spacecraft have directly measured this region, leaving us with just two points of ground-truth data on the shape of the heliosphere.

[…]

“There are two fluids mixed together. You have one component that is very cold and one component that is much hotter, the pick-up ions,” said Opher, a professor of astronomy at Boston University. “If you have some cold fluid and hot fluid, and you put them in space, they won’t mix — they will evolve mostly separately. What we did was separate these two components of the solar wind and model the resulting 3D shape of the heliosphere.”

Considering the solar wind’s components separately, combined with Opher’s earlier work using the solar magnetic field as a dominant force in shaping the heliosphere, created a deflated croissant shape, with two jets curling away from the central bulbous part of the heliosphere, and notably lacking the long tail predicted by many scientists.

“Because the pick-up ions dominate the thermodynamics, everything is very spherical. But because they leave the system very quickly beyond the termination shock, the whole heliosphere deflates,” said Opher.

The shape of our shield

The shape of the heliosphere is more than a question of academic curiosity: The heliosphere acts as our solar system’s shield against the rest of the galaxy.

An illustration showing the heliosphere being pelted with cosmic rays from outside our solar system
Our heliosphere blocks many cosmic rays, shown as bright streaks in this animated image, from reaching the planets of our solar system.
Credits: NASA’s Goddard Space Flight Center/Conceptual Image Lab

Energetic events in other star systems, like supernovae, can accelerate particles to nearly the speed of light. These particles rocket out in all directions, including into our solar system. But the heliosphere acts as a shield: It absorbs about three-quarters of these tremendously energetic particles, called galactic cosmic rays, that would otherwise make their way into our solar system.

Those that do make it through can wreak havoc. We’re protected on Earth by our planet’s magnetic field and atmosphere, but technology and astronauts in space or on other worlds are exposed. Both electronics and human cells can be damaged by the effects of galactic cosmic rays — and because galactic cosmic rays carry so much energy, they’re difficult to block in a way that’s practical for space travel. The heliosphere is spacefarers’ main defense against galactic cosmic rays, so understanding its shape and how that influences the rate of galactic cosmic rays pelting our solar system is a key consideration for planning robotic and human space exploration.

The heliosphere’s shape is also part of the puzzle for seeking out life on other worlds. The damaging radiation from galactic cosmic rays can render a world uninhabitable, a fate avoided in our solar system because of our strong celestial shield. As we learn more about how our heliosphere protects our solar system — and how that protection may have changed throughout the solar system’s history — we can look for other star systems that might have similar protection. And part of that is the shape: Are our heliospheric lookalikes long-tailed comet shapes, deflated croissants, or something else entirely?

Source: Uncovering Our Solar System’s Shape | NASA

Lawmakers Ask California DMV How It Makes $50 Million a Year Selling Drivers’ Data

A group of nearly a dozen lawmakers led by member of Congress Anna Eshoo wrote to the California Department of Motor Vehicles (DMV) on Wednesday looking for answers on how and why the organization sells the personal data of residents. The letter comes after Motherboard revealed last year that the DMV was making $50 million annually from selling drivers’ information.

The news highlights how selling personal data is not limited to private companies: some government entities follow similar practices too.

“What information is being sold, to whom it is sold, and what guardrails are associated with the sale remain unclear,” the letter, signed by congress members including Ted Lieu, Barbara Lee, and Mike Thompson, as well as California Assembly members Kevin Mullin and Mark Stone, reads.

Specifically, the letter asks what types of organizations the DMV has disclosed drivers’ data to in the past three years. Motherboard has previously reported on how other DMVs around the country sold such information to private investigators, including those hired to spy on suspected cheating spouses. In an earlier email to Motherboard, the California DMV said data requesters may include insurance companies, vehicle manufacturers, and prospective employers.

The information sold in general by DMVs includes names, physical addresses, and car registration information. Multiple other DMVs previously confirmed they have cut off access for some clients after they abused the data.

On Wednesday, the California DMV said in an emailed statement, “The DMV does not sell driver information for marketing purposes or to generate revenue outside of the cost of administering its requester program—which only provides certain driver and vehicle related information as statutorily required.”

“The DMV takes its obligation to protect personal information very seriously. Information is only released according to California law, and the DMV continues to review its release practices to ensure information is only released to authorized persons/entities and only for authorized purposes. For example, if a car manufacturer is required to send a recall notice to thousands of owners of a particular model of car, the DMV may provide the car manufacturer with information on California owners of this particular model through this program,” the statement added.

After Motherboard’s earlier investigation into the sale of DMV data to private investigators, senators criticized the practice. Bernie Sanders more specifically said that DMVs should not profit from selling such data.

“In today’s ever-increasing digital world, our private information is too often stolen, abused, used for profit or grossly mishandled,” the new letter from lawmakers reads. “It’s critical that the custodians of the personal information of Americans—from corporations to government agencies—be held to high standards of data protection in order to restore the right of privacy in our country.”

Source: Lawmakers Ask California DMV How It Makes $50 Million a Year Selling Drivers’ Data

Germany plans to dim lights at night to save insects

In a draft law seen by AFP, the country’s environment ministry has drawn up a number of new measures to protect insects, ranging from partially outlawing spotlights to increased protection of natural habitats.

“Insects play an important role in the ecosystem…but in Germany, their numbers and their diversity has severely declined in recent years,” reads the draft law, for which the ministry hopes to get cabinet approval by October.

Sundown could mean bright lights must go out in future for German cities like capital Berlin. © David GANNON

The changes put forward in the law include stricter controls on both lighting and the use of insecticides.

Light traps for insects are to be banned outdoors, while searchlights and sky spotlights would be outlawed from dusk to dawn for ten months of the year.

The draft also demands that any new streetlights and other outdoor lights be installed in such a way as to minimise the effect on plants, insects and other animals.

The use of weed-killers and insecticides would also be banned in national parks and within five to ten metres of major bodies of water, while orchards and dry-stone walls are to be protected as natural habitats for insects.

The proposed reforms are part of the German government’s more general “insect protection action plan”, which was announced last September under growing pressure from environmental and conservation activists.

Source: Germany plans to dim lights at night to save insects

Hackers are defacing loads of high profile Reddit channels with pro-Trump messages

A massive hack has hit Reddit today after tens of Reddit channels have been hacked and defaced to show messages in support of Donald Trump’s reelection campaign.

The hacks are still ongoing at the time of writing, but we were told Reddit’s security team is aware of the issue and has already begun restoring defaced channels.

A partial list of impacted channels (subreddits) is available below. This includes Reddit channels for the NFL, many TV shows, The Pirate Bay, Disneyland, Disney’s Avengers, several city channels, and more. Combined, the channels have tens of millions of subscribers.

The Reddit security team said the hack took place after the intruder(s) took over subreddit moderator accounts. Several moderators have also come forward to admit that their accounts were hacked and that they did not use two-factor authentication. Channel owners who are having problems have been asked to report them in this Reddit ModSupport thread.

An account on Twitter took credit for the hack. However, the account’s owners did not respond to a request for comment so that ZDNet could verify its claims. The account is now suspended.

Image: ZDNet

The Reddit hack also comes after Reddit banned r/The_Donald, a channel for Donald Trump supporters, in late June. Reddit said it took the decision to ban the channel for breaking its community rules after reports of harassment, bullying, and threats of violence.

Today’s stunt is reminiscent of a similar one that took place at the end of June and the start of July, when more than 1,800 Roblox accounts were hacked and defaced with a similar pro-Trump reelection message.

Source: Hackers are defacing Reddit with pro-Trump messages | ZDNet

Private equity wants to own your DNA – Blackstone buys Ancestry at $250,- per person

The nation’s largest private equity firm is interested in buying your DNA data. The going rate: $261 per person. That appears to be what Blackstone, the $63 billion private equity giant, is willing to pay for genetic data controlled by one of the major companies gathering it from millions of customers.

Earlier this week, Blackstone announced it was paying $4.7 billion to acquire Ancestry.com, a pioneer in pop genetics that was launched in the 1990s to help people find out more about their family heritage.

Ancestry’s customers get an at-home DNA kit that they send back to the company. Ancestry then adds that DNA information to its database and sends its users a report about their likely family history. The company will also match you to other family members in its system, including distant cousins you may or may not want to hear from. And for up to $400 a year, you can continue to search Ancestry’s database to add to your knowledge of your family tree.

Ancestry has some information, mostly collected from public databases, on hundreds of millions of individuals. But its most valuable information is that of the people who have taken its DNA tests, which totals 18 million. And at Blackstone’s $4.7 billion purchase price that translates to just over $250 each.

[…]

Source: Private equity wants to own your DNA – CBS News

Facebook Relaxed Fact-Checking Standards on Conservative Pages: Report

In an attempt to correct the perception of a small but very vocal minority that claims Facebook is silencing conservative voices on its platforms, the company has reportedly swung too far in the opposite direction and essentially given conservative pages a free pass to spew their bullshit online.

According to leaked documents reviewed by NBC, Facebook relaxed its fact-checking rules for conservative news outlets and personalities, including Breitbart and former Fox News stooges Diamond and Silk, so that they wouldn’t be penalized for spreading misinformation. This report comes just a day after a Buzzfeed exposé detailing how a Facebook employee was allegedly fired after collecting evidence of this preferential treatment of right-wing pages.

Per its standards, Facebook issues strikes to pages (news outlets, politicians, influencers, etc.) that have repeatedly spread inaccurate or misleading information, as determined by the company’s fact-checking partners. If an account receives two strikes in a 90-day period, it receives a “repeat offender” status and can be shadowbanned or even temporarily lose advertising privileges. Facebook employees work with fact-checking partners to triage these misinformation flags, with high-priority issues receiving an “escalation” tag that then pushes them on to company higher-ups for review.

According to an archive of these escalations from the last six months that was leaked to NBC, Facebook employees in the misinformation escalations team waived strikes issued to some conservative pages under direct oversight from senior leadership. Roughly two-thirds of the cases listed concerned conservative pages, including those of Donald Trump Jr., Eric Trump, and Gateway Pundit.

[…]

Source: Facebook Relaxed Fact-Checking Standards on Conservative Pages: Report

An odd piece of news if not propaganda considering the big tech companies were slammed during their hearings by the conspiracy-seeing anti-vaxxer senators in the room

Whoops, our bad, we just may have ‘accidentally’ left Google Home devices recording your every word, sound, sorry

Your Google Home speaker may have been quietly recording sounds around your house without your permission or authorization, it was revealed this week.

The Chocolate Factory admitted it had accidentally turned on a feature that allowed its voice-controlled AI-based assistant to activate and snoop on its surroundings. Normally, the device only starts actively listening in and making a note of what it hears after it has heard wake words, such as “Ok, Google” or “Hey, Google,” for privacy reasons. Prior to waking, it’s constantly listening out for those words, but is not supposed to keep a record of what it hears.

Yet punters noticed their Google Homes had been recording random sounds, without any wake word uttered, when they started receiving notifications on their phone that showed the device had heard things like a smoke alarm beeping, or glass breaking in their homes – all without giving their approval.

Google said the feature had been accidentally turned on during a recent software update, and it has now been switched off, Protocol reported. It may be that this feature is or was intended to be used for home security at some point: imagine the assistant waking up whenever it hears a break in, for instance. Google just bought a $450m, or 6.6 per cent, stake in anti-burglary giant ADT.

Source: Whoops, our bad, we just may have ‘accidentally’ left Google Home devices recording your every word, sound, sorry • The Register

NRA riddled with Fraud. Investigation Moves NY AG To Seek Group’s Dissolution

The attorney general of New York took action Thursday to dissolve the National Rifle Association following an 18-month investigation that found evidence the powerful gun rights group is “fraught with fraud and abuse.”

Attorney General Letitia James claims in a lawsuit filed Thursday that she found financial misconduct in the millions of dollars and that it contributed to a loss of more than $64 million over a three-year period.

The suit alleges that top NRA executives misused charitable funds for personal gain, awarded contracts to friends and family members, and provided contracts to former employees to ensure loyalty.

Seeking to dissolve the NRA is the most aggressive sanction James could have sought against the not-for-profit organization, which James has jurisdiction over because it is registered in New York. James has a wide range of authorities relating to nonprofits in the state, including the authority to force organizations to cease operations or dissolve. The NRA is all but certain to contest it.

The NRA said in a statement that the legal action was political, calling it a “baseless premeditated attack on our organization and the Second Amendment freedoms it fights to defend… we not only will not shrink from this fight – we will confront it and prevail.”

“The NRA’s influence has been so powerful that the organization went unchecked for decades while top executives funneled millions into their own pockets,” James said in a statement. “The NRA is fraught with fraud and abuse, which is why, today, we seek to dissolve the NRA, because no organization is above the law.”

James’ complaint names the National Rifle Association as a whole but also names four current and former NRA executives: Executive Vice President Wayne LaPierre, general counsel John Frazer, former Chief Financial Officer Woody Phillips and former chief of staff Joshua Powell.

Source: NRA Lawsuit: Fraud Investigation Moves New York AG To Seek Group’s Dissolution : NPR

Well, my thoughts and prayers go out to you, NRA and all your gun nut psycho killer friends.

Spotify CEO Daniel Ek says working musicians may no longer be able to release music only “once every three to four years” – they will have to work just like the rest of us

Spotify CEO Daniel Ek discussed streaming and sustainability in a recent interview with Music Ally published on Thursday. Ek denied criticisms that Spotify pays insufficient royalties to artists, and insisted that the role of the musician had changed in today’s “future landscape.”

Ek claimed that a “narrative fallacy” had been created and caused music fans to believe that Spotify doesn’t pay musicians enough for streams of their music. “Some artists that used to do well in the past may not do well in this future landscape,” Ek said, “where you can’t record music once every three to four years and think that’s going to be enough.”

What is required from successful musicians, Ek insisted, is a deeper, more consistent, and prolonged commitment than in the past. “The artists today that are making it realize that it’s about creating a continuous engagement with their fans. It is about putting the work in, about the storytelling around the album, and about keeping a continuous dialogue with your fans.”

Source: Spotify CEO Daniel Ek says working musicians may no longer be able to release music only “once every three to four years” | The FADER

A business model where you work a few weeks a year until you can just coast along on royalties is wrong on so many levels.

Google victory in German top court over right to be forgotten means you can’t just delete the evil stuff you did

A German court has sided with Google and rejected requests to wipe entries from search results. The cases hinged on whether the right to be forgotten outweighed the public’s right to know.

Germany’s highest court agreed on Monday with lower courts and rejected the two plaintiffs’ appeals over privacy concerns.

In the first case, a former managing director of a charity had demanded Google remove links to certain news articles that appeared in searches of his name. The articles from 2011 reported that the charity was in financial trouble and that the manager had called in sick. He later argued in court that information on his personal health issues should not be divulged to the public years later.

The court ruled that whether links to critical articles have to be removed from the search list always depends on a comprehensive consideration of fundamental rights in the individual case.

A second case was referred to the European Court of Justice. It concerned two leaders of a financial services company that sought to have links to negative reports about their investment model removed. The couple had argued that the US-based websites, which came up in the searches for their names, were full of fake news and sought to market other financial services providers.

[…]

Links are only deleted from searches in Europe but would appear as normal in other regions. Any data “forgotten” by Google, which mostly provides links to material published by others, is only removed from its search results, not from the internet.

The cases stem from a 2014 ruling in the European Court of Justice (ECJ), which found that EU citizens had the right to request search engines, such as Alphabet’s Google and Microsoft’s Bing, remove “inaccurate, inadequate, irrelevant or excessive” search results linked to their name. The case centered on a Spaniard who found that when his name was Googled, it returned links to an advertisement for a property auction related to an unpaid social welfare debt. He argued the debt had long since been settled.

Source: Google victory in German top court over right to be forgotten | Germany| News and in-depth reporting from Berlin and beyond | DW | 27.07.2020

YouTube threatens to remove music videos in Denmark over songwriter royalty fallout

YouTube is embroiled in a very public spat with songwriters and music publishers in Denmark, via local collection society Koda.

According to Koda – Denmark’s equivalent of ASCAP/BMI (US) or PRS For Music (UK) – YouTube has threatened to remove “Danish music content” (ie. music written by Danish songwriters) from its service.

The cause of this threat is a disagreement between the two parties over the remuneration of songwriters and publishers in the market.

YouTube and Koda’s last multi-year licensing deal expired in April. Since then, the two parties have been operating under a temporary license agreement.

At the same time, Polaris, the umbrella body for collection societies in the Nordics, has been negotiating with YouTube over a new Scandinavia-wide licensing agreement.

But in a statement to media today (July 31), Koda claims YouTube is insisting that – in order to extend its temporary deal in Denmark – Koda must now agree to a near-70% reduction in payments to composers and songwriters.

YouTube has fired back at this claim, suggesting that under its existing temporary deal with Koda (which expires today), the body “earned back less than half of the guarantee payments” handed over by the service.

[…] wait – how on earth does a guarantee payment relate to the amount you remunerate people?

In response to Koda’s refusal to agree to YouTube’s proposed deal, Koda claims that “on the evening of Thursday 30 July, Google announced that they will soon remove all Danish music content on YouTube”.

Reports out of Denmark suggest YouTube may pull the plug on this content as soon as this Saturday.

[…]

“While we’ve had productive conversations we have been unable to secure a fair and equitable agreement before our existing one expired. They are asking for substantially more than what we pay our other partners. This is not only unfair to our other YouTube partners and creators, it is unhealthy for the wider economics of our industry.

“Without a new license, we’re unable to make their content available in Denmark. Our doors remain open to Koda to bring their content back to YouTube.”

YouTube added in a statement to MBW: “We take copyright law very seriously. As our license expires today and since we have been unable to secure an agreement we will remove identified Koda content from the platform.”

Koda says it “cannot accept” YouTube’s terms, and that as a result “Google have now unilaterally decided that Koda’s members cannot have their content shown on YouTube”.

[…]

Koda’s media director, Kaare Struve, said: “Google have always taken an ‘our way or the highway’ approach, but even for Google, this is a low point.

“Of course, Google know that they can create enormous frustration among our members by denying them access to YouTube – and among the many Danes who use YouTube every day.

“We can only suppose that by doing so, YouTube hope to be able to push through an agreement, one where they alone dictate all terms.”

Koda says that ever since its first agreement with YouTube was signed in 2013, “the level of payments received from YouTube has been significantly lower than the level of payment [distributed] by subscription-based services”.

Koda’s CEO, Gorm Arildsen, said: “It is no secret that our members have been very dissatisfied with the level of payment received for the use of their music on YouTube for many years now. And it’s no secret that we at Koda have actively advocated putting an end to the tech giants’ free-ride approach and underpayment for artistic content in connection with the EU’s new Copyright Directive.

“The fact that Google now demands that the payments due from them should be reduced by almost 70% in connection with a temporary contract extension seems quite bizarre.”

[…]

Source: YouTube threatens to remove music videos in Denmark over songwriter royalty fallout – Music Business Worldwide

Well guys, I recommend you move over to Vimeo. At least that way you’re helping to break the monopoly. Not that I believe in the slightest that Koda is working in the best interests of artists as much as it’s filling its own pockets, but there you go.

AI tracks drone pilot’s location through the small movements the drone makes

The minute details of a rogue drone’s movements in the air may unwittingly reveal the drone pilot’s location—possibly enabling authorities to bring the drone down before, say, it has the opportunity to disrupt air traffic or cause an accident. And it’s possible without requiring expensive arrays of radio triangulation and signal-location antennas.

So says a team of Israeli researchers who have trained an AI drone-tracking algorithm to reveal the drone operator’s whereabouts, with a better than 80 per cent accuracy level. They are now investigating whether the algorithm can also uncover the pilot’s level of expertise and even possibly their identity.

[…]

Depending on the specific terrain at any given airport, a pilot operating a drone near a camouflaging patch of forest, for instance, might have an unobstructed view of the runway. But that location might also be a long distance away, possibly making the operator more prone to errors in precise tracking of the drone. Whereas a pilot operating nearer to the runway may not make those same tracking errors but may also have to contend with big blind spots because of their proximity to, say, a parking garage or control tower.

And in every case, he said, simple geometry could begin to reveal important clues about a pilot’s location, too. When a drone is far enough away, motion along a pilot’s line of sight can be harder for the pilot to detect than motion perpendicular to their line of sight. This also could become a significant factor in an AI algorithm working to discover pilot location from a particular drone flight pattern.

The sum total of these various terrain-specific and terrain-agnostic effects, then, could be a giant finger pointing to the operator. This AI application would also be unaffected by any relay towers or other signal spoofing mechanisms the pilot may have put in place.

Weiss said his group tested their drone tracking algorithm using Microsoft Research’s open source drone and autonomous vehicle simulator AirSim. The group presented their work-in-progress at the Fourth International Symposium on Cyber Security, Cryptology and Machine Learning at Ben-Gurion University earlier this month.

Their paper boasts a 73 per cent accuracy rate in discovering drone pilots’ locations. Weiss said that in the few weeks since publishing that result, they’ve now improved the accuracy rate to 83 per cent.

Now that the researchers have proved the algorithm’s concept, Weiss said, they’re hoping next to test it in real-world airport settings. “I’ve already been approached by people who have the flight permissions,” he said. “I am a university professor. I’m not a trained pilot. Now people that do have the facility to fly drones [can] run this physical experiment.”

Source: Attention Rogue Drone Pilots: AI Can See You! – IEEE Spectrum

Libraries lend books, and must continue to lend books: Internet Archive responds to greedy publishers’ lawsuit

Yesterday, the Internet Archive filed our response to the lawsuit brought by four commercial publishers to end the practice of Controlled Digital Lending (CDL), the digital equivalent of traditional library lending. CDL is a respectful and secure way to bring the breadth of our library collections to digital learners. Commercial ebooks, while useful, only cover a small fraction of the books in our libraries. As we launch into a fall semester that is largely remote, we must offer our students the best information to learn from—collections that were purchased over centuries and are now being digitized. What is at stake with this lawsuit? Every digital learner’s access to library books. That is why the Internet Archive is standing up to defend the rights of hundreds of libraries that are using Controlled Digital Lending.

The publishers’ lawsuit aims to stop the longstanding and widespread library practice of Controlled Digital Lending, and stop the hundreds of libraries using this system from providing their patrons with digital books. Through CDL, libraries lend a digitized version of the physical books they have acquired as long as the physical copy doesn’t circulate and the digital files are protected from redistribution. This is how Internet Archive’s lending library works, and has for more than nine years. Publishers are seeking to shut this library down, claiming copyright law does not allow it. Our response is simple: Copyright law does not stand in the way of libraries’ rights to own books, to digitize their books, and to lend those books to patrons in a controlled way.

“The Authors Alliance has several thousand members around the world and we have endorsed the Controlled Digital Lending as a fair use,” stated Pamela Samuelson, Authors Alliance founder and Richard M. Sherman Distinguished Professor of Law at Berkeley Law. “It’s really tragic that at this time of pandemic that the publishers would try to basically cut off even access to a digital public library like the Internet Archive…I think that the idea that lending a book is illegal is just wrong.”

These publishers clearly intend this lawsuit to have a chilling effect on Controlled Digital Lending at a moment in time when it can benefit digital learners the most. For students and educators, the 2020 fall semester will be unlike any other in recent history. From K-12 schools to universities, many institutions have already announced they will keep campuses closed or severely limit access to communal spaces and materials such as books because of public health concerns. The conversation we must be having is: how will those students, instructors and researchers access information — from textbooks to primary sources? Unfortunately, four of the world’s largest book publishers seem intent on undermining both libraries’ missions and our attempts to keep educational systems operational during a global health crisis.

The publishers’ lawsuit does not stop at seeking to end the practice of Controlled Digital Lending. These publishers call for the destruction of the 1.5 million digital books that Internet Archive makes available to our patrons. This form of digital book burning is unprecedented and unfairly disadvantages people with print disabilities. For the blind, ebooks are a lifeline, yet less than one in ten exists in accessible formats. Since 2010, Internet Archive has made our lending library available to the blind and print disabled community, in addition to sighted users. If the publishers are successful with their lawsuit, more than a million of those books would be deleted from the Internet’s digital shelves forever.

I call on the executives at Hachette, HarperCollins, Wiley, and Penguin Random House to come together with us to help solve the pressing challenges to access to knowledge during this pandemic. Please drop this needless lawsuit.

Source: Libraries lend books, and must continue to lend books: Internet Archive responds to publishers’ lawsuit – Internet Archive Blogs

Telegram hits out at Apple’s app store ‘tax’ in latest EU antitrust complaint

Apple has another antitrust charge on its plate. Messaging app Telegram has joined Spotify in filing a formal complaint against the iOS App Store in Europe — adding its voice to a growing number of developers willing to publicly rail against what they decry as Apple’s app “tax”.

A spokesperson for Telegram confirmed the complaint to TechCrunch, pointing us to this public Telegram post where founder, Pavel Durov, sets out seven reasons why he thinks iPhone users should be concerned about the company’s behavior.

These range from the contention that Apple’s 30% fee on app developers leads to higher prices for iPhone users; to censorship concerns, given Apple controls what’s allowed (and not allowed) on its store; to criticism of delays to app updates that flow from Apple’s app review process; to the claim that the app store structure is inherently hostile to user privacy, given that Apple gets full visibility of which apps users are downloading and engaging with.

This week Durov also published a blog post in which he takes aim at a number of “myths” he says Apple uses to try to justify the 30% app fee — such as a claim that iOS faces plenty of competition for developers; or that developers can choose not to develop for iOS and instead only publish apps for Android.

“Try to imagine Telegram or TikTok as Android -only apps and you will quickly understand why avoiding Apple is impossible,” he writes. “You can’t just exclude iPhone users. As for the iPhone users, the costs for consumers to switch from an iPhone to an Android is so high that it qualifies as a monopolistic lock-in” — citing a study done by Yale University to bolster that claim.

“Now that anti-monopoly investigations against Apple have started in the EU and the US, I expect Apple to double down on spreading such myths,” Durov adds. “We shouldn’t sit idly and let Apple’s lobbyists and PR agents do their thing. At the end of the day, it is up to us – consumers and creators – to defend our rights and to stop monopolists from stealing our money. They may think they have tricked us into a deadlock, because we’ve already bought a critical mass of their devices and created a critical mass of apps for them. But we shouldn’t be giving them a free ride any longer.”

Source: Telegram hits out at Apple’s app store ‘tax’ in latest EU antitrust complaint | TechCrunch

Top antitrust Democrat: There’s a case to break up Facebook – The guys were rambling, the women clear. Apple dodges most bullets, CEOs acting like confused guilty schoolboys

Rep. David Cicilline (D-R.I.), who ended Wednesday’s hearing by saying some Big Tech companies need to be broken up, told Axios that Facebook in particular lacks significant competitors and should not have been allowed to buy Instagram and WhatsApp.

Why it matters: Cicilline chairs the antitrust subcommittee, which has been looking into competition issues in the digital space.

“Mr. Zuckerberg acknowledged in this hearing that his acquisition of WhatsApp and Instagram were part of a plan to both buy a competitor and also maintain his money, power, or his dominance. That’s classic monopoly behavior.”

— Cicilline said on the “Axios Re:Cap” podcast

Cicilline’s criticisms weren’t limited to Facebook, pointing to the power Google and Amazon also hold in their respective markets.

  • “I think what we saw today was confirmation that these large technology platforms have enduring monopoly power,” he said in the interview with Axios’ Dan Primack.

The big picture: A key issue remains whether existing antitrust law is broad enough to address the modern tech industry, especially companies that provide their products at no direct charge to consumers.

  • “Congress is going to have to ‘think outside the box’ in a comprehensive way about what antitrust laws should look like in the 21st century,” Neguse told Axios’ Ashley Gold after the hearing.

What’s next: The committee plans to develop a set of recommendations and issue them in a final report as soon as late August, according to Cicilline.


Source: Top antitrust Democrat: There’s a case to break up Facebook – Axios

The antitrust session was quite bizarre – the CEOs were running with canned lines which made no sense in their context, they were stumbling, they refused to answer questions, even those which were favorable to their cause. Only one senator was clearly in the pocket of the big tech, the rest were firmly against. One male senator thought Google was targeting him personally and one male couldn’t understand why fake news sites didn’t get high search rankings and were banned by Facebook. It was a laugh if these companies didn’t wield such power. They raised almost all the points I raised in my talk last year.

NASA sends Perseverance Rover to Mars – with a little helicopter on it!

The Mars 2020 mission with its Perseverance rover is part of NASA’s Mars Exploration Program, a long-term effort of robotic exploration of the Red Planet. The Mars 2020 mission addresses high-priority science goals for Mars exploration, including key Astrobiology questions about the potential for life on Mars. The mission takes the next step by not only seeking signs of habitable conditions on Mars in the ancient past, but also searching for signs of past microbial life itself. The Perseverance rover introduces a drill that can collect core samples of the most promising rocks and soils and set them aside in a “cache” on the surface of Mars. A future mission could potentially return these samples to Earth. That would help scientists study the samples in laboratories with special room-sized equipment that would be too large to take to Mars. The mission also provides opportunities to gather knowledge and demonstrate technologies that address the challenges of future human expeditions to Mars. These include testing a method for producing oxygen from the Martian atmosphere, identifying other resources (such as subsurface water), improving landing techniques, and characterizing weather, dust, and other potential environmental conditions that could affect future astronauts living and working on Mars.

Source: Overview – NASA Mars

Quick Facts

  • Mission Name: Mars 2020
  • Rover Name: Perseverance
  • Main Job: The Perseverance rover will seek signs of ancient life and collect rock and soil samples for possible return to Earth.
  • Launched: July 30, 2020 4:50 a.m. PDT / 7:50 a.m. EDT
  • Launch Location: Cape Canaveral Air Force Station, Florida
  • Landing: Feb. 18, 2021
  • Landing Site: Jezero Crater, Mars
  • Mission Duration: At least one Mars year (about 687 Earth days)
  • Tech Demo: The Mars Helicopter is a technology demonstration, hitching a ride on the Perseverance rover.

secret police Federal officer louts to pull out of Portland in a major reversal for Trump administration

The Trump administration is to pull federal paramilitaries out of Portland starting on Thursday in a major reversal after weeks of escalating protests and violence.

Oregon’s governor, Kate Brown, said she agreed to the pullout in talks with Vice-President Mike Pence.

Brown said state and city police officers will replace Department of Homeland Security agents in guarding the federal courthouse that has become the flashpoint for the protests.

“These federal officers have acted as an occupying force, refused accountability, and brought violence and strife to our community,” the governor said. The head of the US homeland security department said agents would stay near the courthouse until they were sure the plan was working.

Donald Trump said the pullout will not begin until the courthouse is protected. “We’re not leaving until they secure their city. We told the governor, we told the mayor: secure your city,” said the president.

But the announcement is a significant retreat by the administration after Trump sent federal forces to Portland at the beginning of July to end months of Black Lives Matter protests he described as having dragged the city into anarchy.

Instead of quelling the unrest, the arrival of paramilitaries fuelled some of the biggest demonstrations since daily protests following the killing of George Floyd, a Black American, by a white police officer in Minneapolis in May.

The situation escalated particularly after agents in camouflage were filmed snatching protesters from the streets in unmarked vans.

Far from imposing order, the federal force, drawn from the border patrol, immigration service and US Marshals, was largely trapped inside the federal courthouse they were ostensibly there to protect, emerging each night to fire waves of teargas, baton rounds and stun grenades in street battles with the protesters. But the demonstrators retained ultimate control of the streets.

Anger at the presence of the paramilitaries brought thousands of people out each night and acted as a lightning rod for broader discontent with Trump, including over his chaotic and divisive handling of the coronavirus epidemic which has killed nearly 150,000 Americans and shows no signs of abating.

Source: Federal officers to pull out of Portland in a major reversal for Trump administration | US news | The Guardian

Australian government sues Google for misleading consumers in Doubleclick data collection

The Australian government has filed its second lawsuit against Google in less than a year over privacy concerns, this time alleging the tech giant misled Australian consumers in an attempt to gather information for targeted ads. The Australian Competition and Consumers Commission (ACCC), the country’s consumer watchdog, says Google didn’t obtain explicit consent from consumers to collect personal data, according to a statement.

The ACCC cites a 2016 change to Google’s policy in which the company began collecting data about Google account holders’ activity on non-Google sites. Previously, this data was collected by ad-serving technology company DoubleClick and was stored separately, not linked to users’ Google accounts. Google acquired DoubleClick in 2008, and the 2016 change to Google’s policy meant Google and DoubleClick’s data on consumers were combined. Google then used the beefed-up data to sell even more targeted advertising.

From June 2016 to December 2018, Google account holders were met with a pop-up that explained “optional features” to accounts regarding how the company collected their data. Consumers could click “I agree,” and Google would begin collecting a “wide range of personally identifiable information” from them, according to the ACCC. The lawsuit contends that the pop-up didn’t adequately explain what consumers were agreeing to.

“The ACCC considers that consumers effectively pay for Google’s services with their data, so this change introduced by Google increased the ‘price’ of Google’s services, without consumers’ knowledge,” said ACCC Chair Rod Sims. Had more consumers sufficiently understood Google’s change in policy, many may not have consented to it, according to the ACCC.

Google told the Associated Press it disagrees with the ACCC’s allegations, and says Google account holders had been asked to “consent via prominent and easy-to-understand notifications.” It’s unclear what penalty the ACCC is seeking with the lawsuit.

Last October, the ACCC sued Google claiming the company misled Android users about the ability to opt out of location tracking on phones and tablets. That case is headed to mediation next week, according to a February Computer World article.

Source: Australian government sues Google for misleading consumers in data collection | Engadget