About Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft

Sinister secret backdoor found in networking gear perfect for government espionage: The Chinese are – oh no, wait, it’s Cisco again

Right on cue, Cisco on Wednesday patched a security vulnerability in some of its network switches that can be exploited by miscreants to commandeer the IT equipment and spy on people.

This comes immediately after panic this week over a hidden Telnet-based diagnostic interface found in Huawei gateways. Although that vulnerability was real, irritating, and eventually removed at Vodafone’s insistence, it was dubbed by some a hidden backdoor perfect for Chinese spies to exploit to snoop on Western targets.

Which, of course, comes as America continues to pressure the UK and other nations to outlaw the use of Huawei gear from 5G networks over fears Beijing would use backdoors baked into the hardware to snatch Uncle Sam’s intelligence.

Well, if a non-internet-facing undocumented diagnostic Telnet daemon is reason enough to kick Huawei kit out of Western networks, surely this doozy from Cisco is enough to hoof American equipment out of British, European and other non-US infrastructure? Fair’s fair, no?

US tech giant Cisco has issued a free fix for software running on its Nexus 9000 series machines that can be exploited to log in as root and hijack the device for further mischief and eavesdropping. A miscreant just needs to be able to reach the vulnerable box via IPv6. It’s due to a default SSH key pair hardcoded into the software.

Source: Sinister secret backdoor found in networking gear perfect for government espionage: The Chinese are – oh no, wait, it’s Cisco again • The Register
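The Cisco flaw above is one instance of a general defect: key material that is identical on every unit because it was baked into the firmware image instead of being generated per device. The pair in the Cisco case was a login key rather than a host key, but the fleet-level check is the same. Below is an added example (mine, not code from the Register article or from Cisco) that takes `ssh-keyscan`-style output from a set of devices, computes OpenSSH-format SHA256 fingerprints, and reports any key that appears on more than one host. The host names and key blobs are constructed sample data, not real keys.

```python
import base64
import hashlib
from collections import defaultdict


def fingerprint(b64_blob):
    """Return the OpenSSH-style SHA256 fingerprint of a base64 public-key blob.

    OpenSSH prints "SHA256:" followed by the unpadded base64 of the SHA-256
    digest over the raw (decoded) key blob, so this matches `ssh-keygen -lf`.
    """
    raw = base64.b64decode(b64_blob)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text):
    """Parse `ssh-keyscan` output lines: '<host> <keytype> <base64> [comment]'.

    Comment lines starting with '#' (keyscan prints the server banner there)
    and malformed lines are skipped.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        rows.append((fields[0], fields[1], fields[2]))
    return rows


def find_shared_keys(text):
    """Group hosts by key fingerprint; return only fingerprints seen on more
    than one host. A key present on two or more devices was either cloned
    from a golden image or shipped by the vendor. Either way, everyone who
    has the firmware has the private half too."""
    by_fp = defaultdict(list)
    for host, _keytype, blob in parse_keyscan(text):
        by_fp[fingerprint(blob)].append(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


def _blob(seed):
    # Synthetic stand-in for a wire-format public key (constructed, not a real key).
    return base64.b64encode(hashlib.sha256(seed.encode()).digest()).decode()


# Constructed sample: what `ssh-keyscan -t ed25519,rsa <hosts>` might collect
# from four devices. switch-a and switch-b share one key; the rest are unique.
SAMPLE_SCAN = "\n".join([
    "# switch-a:22 SSH-2.0-OpenSSH_7.4",
    f"switch-a ssh-ed25519 {_blob('vendor-default-key')}",
    f"switch-b ssh-ed25519 {_blob('vendor-default-key')}",
    f"switch-c ssh-ed25519 {_blob('unique-key-c')}",
    f"switch-d ssh-rsa {_blob('unique-key-d')}",
])

if __name__ == "__main__":
    for fp, hosts in find_shared_keys(SAMPLE_SCAN).items():
        print(f"{fp} shared by {', '.join(hosts)}")
```

Run it against a real `ssh-keyscan` sweep of your management network; any fingerprint listed more than once deserves a ticket, because a shared key cannot be rotated on one box without rotating it everywhere.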

Apple killing right to repair bill

The bill has been pulled by its sponsor, Susan Talamantes-Eggman: “It became clear that the bill would not have the support it needed today, and manufacturers had sown enough doubt with vague and unbacked claims of privacy and security concerns,” she said. Her full statement has been added at the end of the piece.

In recent weeks, an Apple representative and a lobbyist for CompTIA, a trade organization that represents big tech companies, have been privately meeting with legislators in California to encourage them to kill legislation that would make it easier for consumers to repair their electronics, Motherboard has learned.

According to two sources in the California State Assembly, the lobbyists have met with members of the Privacy and Consumer Protection Committee, which is set to hold a hearing on the bill Tuesday afternoon. The lobbyists brought an iPhone to the meetings and showed lawmakers and their legislative aides the internal components of the phone. The lobbyists said that if improperly disassembled, consumers who are trying to fix their own iPhone could hurt themselves by puncturing the lithium-ion battery, the sources, who Motherboard is not naming because they were not authorized to speak to the media, said.

The argument is similar to one made publicly by Apple executive Lisa Jackson in 2017 at TechCrunch Disrupt, when she said the iPhone is “too complex” for normal people to repair them.

[…]

a few weeks after CompTIA and 18 other trade organizations associated with big tech companies—including CTIA and the Entertainment Software Association—sent letters in opposition of the legislation to members of the Assembly’s Privacy and Consumer Protection Committee. One copy of the letter, addressed to committee chairperson Ed Chau and obtained by Motherboard, urges the chairperson “against moving forward with this legislation.” CTIA represents wireless carriers including Verizon, AT&T, and T-Mobile, while the Entertainment Software Association represents Nintendo, Sony, Microsoft, and other video game manufacturers.

“With access to proprietary guides and tools, hackers can more easily circumvent security protections, harming not only the product owner but also everyone who shares their network,” the letter, obtained by Motherboard, stated. “When an electronic product breaks, consumers have a variety of repair options, including using an OEM’s [original equipment manufacturer] authorized repair network.”

Experts, however, say Apple’s and CompTIA’s warnings are far overblown. People with no special training regularly replace the batteries or cracked screens in their iPhones, and there are thousands of small, independent repair companies that regularly fix iPhones without incident. The issue is that many of these companies operate in a grey area because they are forced to purchase replacement parts from third parties in Shenzhen, China, because Apple doesn’t sell them to independent companies unless they become part of the “Apple Authorized Service Provider Program,” which limits the types of repairs they are allowed to do and requires companies to pay Apple a fee to join.

“To suggest that there are safety and security concerns with spare parts and manuals is just patently absurd,” Nathan Proctor, director of consumer rights group US PIRG’s right to repair campaign told Motherboard in a phone call. “We know that all across the country, millions of people are doing this for themselves. Millions more are taking devices to independent repair technicians.”

[…]

“The security of devices is not related to diagnostics and service manuals, they’re related to poor code with vulnerabilities, weak authentication, devices deployed by default to be vulnerable,” Roberts told Motherboard. “We all know there’s no debate. Security for connected devices has nothing to do with repair.”

Source: Apple Is Telling Lawmakers People Will Hurt Themselves if They Try to Fix iPhones – Motherboard

Wow, this is simply ridiculous. Profiteering by the large companies at the expense of smaller companies seems to be something the US government absolutely loves.

Dell laptops and computers vulnerable to remote hijacks via Dell admin tool

A vulnerability in the Dell SupportAssist utility exposes Dell laptops and personal computers to a remote attack that can allow hackers to execute code with admin privileges on devices using an older version of this tool and take over users’ systems.

Dell has released a patch for this security flaw on April 23; however, many users are likely to remain vulnerable unless they’ve already updated the tool – which is used for debugging, diagnostics, and Dell driver auto-updates.

The number of impacted users is believed to be very high, as the SupportAssist tool is one of the apps that Dell will pre-install on all Dell laptops and computers the company ships with a running Windows OS (systems sold without an OS are not impacted).

CVE-2019-3719

According to Bill Demirkapi, a 17-year-old security researcher from the US, the Dell SupportAssist app is vulnerable to a “remote code execution” vulnerability that under certain circumstances can allow attackers an easy way to hijack Dell systems.

The attack relies on luring users on a malicious web page, where JavaScript code can trick the Dell SupportAssist tool into downloading and running files from an attacker-controlled location.

Because the Dell SupportAssist tool runs as admin, attackers will have full access to targeted systems, if they manage to get themselves in the proper position to execute this attack.

Attack requires LAN/router compromise

“The attacker needs to be on the victim’s network in order to perform an ARP Spoofing Attack and a DNS Spoofing Attack on the victim’s machine in order to achieve remote code execution,” Demirkapi told ZDNet today in an email conversation.

This might sound hard, but it isn’t as complicated as it appears.

Two scenarios in which the attack could work include public WiFi networks or large enterprise networks where there’s at least one compromised machine that can be used to launch the ARP and DNS attacks against adjacent Dell systems running the SupportAssist tool.

Source: Dell laptops and computers vulnerable to remote hijacks | ZDNet
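The precondition Demirkapi describes, ARP spoofing plus DNS spoofing on the victim’s LAN, leaves two observable traces: the gateway’s IP suddenly answers from a different MAC, and a vendor host name that should live on the public internet resolves to a private address on the local segment. The following is an added example (mine, not code from ZDNet, Dell or the researcher) of passive detection logic run over constructed sensor log lines. The log format and the name update.example.com are my own placeholders; the name is not a real Dell endpoint.

```python
import ipaddress

# Constructed sample of what a passive LAN sensor might log, one record per
# line: "arp <ip> <mac>" for each ARP reply seen and "dns <name> <ip>" for
# each DNS answer. update.example.com stands in for a vendor's update host;
# it is a placeholder, not a real Dell endpoint.
SAMPLE_LOG = """\
arp 10.0.0.1 aa:bb:cc:00:00:01
arp 10.0.0.42 aa:bb:cc:00:00:42
dns update.example.com 93.184.216.34
arp 10.0.0.1 DE:AD:BE:EF:00:99
dns update.example.com 10.0.0.99
arp 10.0.0.42 aa:bb:cc:00:00:42
"""

PUBLIC_NAMES = {"update.example.com"}


def parse_events(text):
    """Split the log into (kind, key, value) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[0] in ("arp", "dns"):
            events.append((fields[0], fields[1], fields[2].lower()))
    return events


def find_arp_flips(events):
    """Return (ip, old_mac, new_mac) for each IP whose MAC changed mid-capture.

    ARP has no authentication: the attacker simply answers for the gateway
    with their own MAC. The gateway "moving" to a new MAC is the symptom."""
    last_mac = {}
    flips = []
    for kind, ip, mac in events:
        if kind != "arp":
            continue
        if ip in last_mac and last_mac[ip] != mac:
            flips.append((ip, last_mac[ip], mac))
        last_mac[ip] = mac
    return flips


def find_non_global_answers(events, public_names=PUBLIC_NAMES):
    """Return (name, ip) when a name that must live on the public internet is
    answered with a non-global address (RFC 1918, link-local, loopback, ...).

    Spoofed DNS on a LAN points the vendor host at an attacker box on that
    LAN, so the answer lands in private space. Checking the address class
    rather than a pinned IP means a legitimate CDN change raises nothing."""
    bad = []
    for kind, name, ip in events:
        if kind == "dns" and name in public_names:
            if not ipaddress.ip_address(ip).is_global:
                bad.append((name, ip))
    return bad


def triage(text, public_names=PUBLIC_NAMES):
    """Run both detectors and report whether both preconditions of the attack
    (a spoofed gateway and a spoofed vendor answer) were observed together."""
    events = parse_events(text)
    flips = find_arp_flips(events)
    dns_hits = find_non_global_answers(events, public_names)
    return {
        "arp_flips": flips,
        "spoofed_dns": dns_hits,
        "attack_preconditions_met": bool(flips) and bool(dns_hits),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The two checks are deliberately independent: an ARP flip alone is noisy on networks with failover gateways, and a private answer alone can be split-horizon DNS, but the pair appearing in the same capture window is the shape this attack has to take.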

Sapa Profiles / Hydro Extrusion falsified aluminium tensile strength for profit, causes $700m in losses in NASA launches, years of science crashing and burning

The space agency eggheads pointed the finger of blame at the aluminium manufacturer after probing two failed science missions: the February 24, 2009 fruitless launch of the Orbiting Carbon Observatory, and the March 4, 2011 doomed launch of the Glory satellite, designed for monitoring atmospheric pollutants.

In both cases, the rocket fairing, which is the nose cone protecting the satellite payload, failed to separate after liftoff. As a result, the Orbiting Carbon Observatory (OCO) plunged into the ocean off the Antarctic, and Glory swiftly crashed into the Pacific, after their rockets fell back to Earth, the satellites still attached.

The blunders were traced back to the fairing release mechanism, and specifically the aluminium (or aluminum in Freedom Language) used in this component. It was supplied by Sapa Profiles Inc, of Oregon, USA, now renamed Hydro Extrusion Portland, Inc. NASA’s boffins said the metals used were not up to specification, and called in the Feds.

Subsequent checks appeared to show that Sapa had been falsifying its materials testing reports for profit. The metal was supposed to have a particular tensile strength, however, company employees fudged the tests to increase profit margins, investigators said.

Source: NASA fingers the cause of two bungled satellite launches, $700m in losses, years of science crashing and burning… • The Register

Yep, That SpaceX Crew Capsule Was Definitely Destroyed During Failed Ground Test, Company Confirms

After weeks of speculation, SpaceX has finally admitted that a Crew Dragon capsule was destroyed during a test of the system’s abort thrusters on April 20. No cause was given for the anomaly, nor were any new details disclosed about possible delays to NASA’s languishing Commercial Crew Program.

Speaking to reporters at a NASA briefing held earlier this week, Hans Koenigsmann, the vice president of build and flight reliability at SpaceX, said the mishap is “certainly not great news,” in terms of the company’s plan to launch astronauts into space later this year, as CBS News reports. The purpose of the briefing was to discuss an upcoming cargo launch to the ISS, but the incident, in which a Crew Dragon capsule got torched just prior to the firing of launch-abort thrusters, dominated much of the discussion.

The mishap occurred at Cape Canaveral’s Landing Zone 1 on April 20 during static ground tests of the system’s boosters. The Crew Dragon was reportedly engulfed in flames, and thick orange-black smoke, which was probably toxic, could be seen for miles. Both NASA and SpaceX have been tight-lipped about the incident, but Koenigsmann shared some new information with reporters during the briefing.

Tests of the system’s smaller, maneuvering Draco thrusters were done earlier in the day without incident, he said. It was when the focus shifted to the system’s larger SuperDraco boosters—a series of eight thrusters tied to the abort system—that things went sideways.

“At the test stand, we powered up Dragon, it powered up as expected, we completed tests with the Draco thrusters—the smaller thrusters that are also on the cargo Dragon,” said Koenigsmann per CBS News. “And then just before we wanted to fire the SuperDracos there was an anomaly and the vehicle was destroyed.”

Source: Yep, That SpaceX Crew Capsule Was Definitely Destroyed During Failed Ground Test, Company Confirms

Kremlin signs total internet surveillance and censorship system into law, from Nov 1st.

Russia’s internet iron curtain has been formally signed into law by President Putin. The nation’s internet service providers have until 1 November to ensure they comply.

The law will force traffic through government-controlled exchanges and eventually require the creation of a national domain name system.

The bill has been promoted as advancing Russian sovereignty and ensuring Runet, Russia’s domestic internet, remains functioning regardless of what happens elsewhere in the world. The government has claimed “aggressive” US cybersecurity policies justify the move.

Control of exchanges is seen as an easy way for the Russian government to increase its control over what data its citizens can see, and what they can post. The Kremlin wants all data required by the network to be stored within Russian borders.

ISPs will only be allowed to connect to other ISPs, or peer, through approved exchanges. These exchanges will have to include government-supplied boxes which can block data traffic as required.

There have been widespread protests within the country against the law.

Source: Having a bad day? Be thankful you don’t work at a Russian ISP: Kremlin signs off Pootynet restrictions • The Register

Dark Net’s Wall Street Market Falls to Police

Police from around the world shut down the biggest active black market on the dark web this month, according to announcements from law enforcement agencies in the United States, Germany, and the Netherlands released on Friday.

Wall Street Market, as the black market site was known, was the target of a 1.5-year-long multinational investigation. Three Germans were arrested on April 23 and 24 inside Germany for their alleged role in creating and administering the site that sold illegal drugs, documents, weapons, and data.

“WSM was one of the largest and most voluminous darknet marketplaces of all time,” FBI Special Agent Leroy Shelton wrote in the criminal complaint released on Friday.

[…]

Wall Street Market had 1.15 million customer accounts and 5,400 registered sellers, according to the U.S. Justice Department. However, don’t take those numbers to be accurate census accounts—users are anonymous, sellers and buyers both often create multiple accounts, and there’s no way to get a realistic count on the number of individuals active on a market like this.

A better way to understand the scale of a black market like this is to look at the actual money involved. Last month, Wall Street Market administrators stole around $11 million from user accounts, authorities say.

“An ‘exit scam’ was allegedly conducted last month when the WSM administrators took all of the virtual currency held in marketplace escrow and user accounts—believed by investigators to be approximately $11 million—and then diverted the money to their own accounts.”

Source: Dark Net’s Wall Street Market Falls to Police

Amazing AI Generates Entire Bodies of People Who Don’t Exist

A new deep learning algorithm can generate high-resolution, photorealistic images of people — faces, hair, outfits, and all — from scratch.

The AI-generated models are the most realistic we’ve encountered, and the tech will soon be licensed out to clothing companies and advertising agencies interested in whipping up photogenic models without paying for lights or a catering budget. At the same time, similar algorithms could be misused to undermine public trust in digital media.

[…]

In a video showing off the tech, the AI morphs and poses model after model as their outfits transform, bomber jackets turning into winter coats and dresses melting into graphic tees.

Specifically, the new algorithm is a Generative Adversarial Network (GAN). That’s the kind of AI typically used to churn out new imitations of something that exists in the real world, whether they be video game levels or images that look like hand-drawn caricatures.

Source: Amazing AI Generates Entire Bodies of People Who Don’t Exist

Security lapse exposed a Chinese smart city surveillance system

Smart cities are designed to make life easier for their residents: better traffic management by clearing routes, making sure the public transport is running on time and having cameras keeping a watchful eye from above.

But what happens when that data leaks? One such database was open for weeks for anyone to look inside.

Security researcher John Wethington found a smart city database accessible from a web browser without a password. He passed details of the database to TechCrunch in an effort to get the data secured.

[…]

The system monitors the residents around at least two small housing communities in eastern Beijing, the largest of which is Liangmaqiao, known as the city’s embassy district. The system is made up of several data collection points, including cameras designed to collect facial recognition data.

The exposed data contains enough information to pinpoint where people went, when and for how long, allowing anyone with access to the data — including police — to build up a picture of a person’s day-to-day life.

A portion of the database containing facial recognition scans (Image: supplied)

The database processed various facial details, such as if a person’s eyes or mouth are open, if they’re wearing sunglasses, or a mask — common during periods of heavy smog — and if a person is smiling or even has a beard.

The database also contained a subject’s approximate age as well as an “attractive” score, according to the database fields.

But the capabilities of the system have a darker side, particularly given the complicated politics of China.

The system also uses its facial recognition systems to detect ethnicities and labels them — such as “汉族” for Han Chinese, the main ethnic group of China — and also “维族” — or Uyghur Muslims, an ethnic minority under persecution by Beijing.

Where ethnicities can help police identify suspects in an area even if they don’t have a name to match, the data can be used for abuse.

The Chinese government has detained more than a million Uyghurs in internment camps in the past year, according to a United Nations human rights committee. It’s part of a massive crackdown by Beijing on the ethnic minority group. Just this week, details emerged of an app used by police to track Uyghur Muslims.

We also found that the customer’s system also pulls in data from the police and uses that information to detect people of interest or criminal suspects, suggesting it may be a government customer.

Facial recognition scans would match against police records in real time (Image: supplied)

Each time a person is detected, the database would trigger a “warning” noting the date, time, location and a corresponding note. Several records seen by TechCrunch include suspects’ names and their national identification card number.

Source: Security lapse exposed a Chinese smart city surveillance system – TechCrunch

Wannacry-slayer Marcus Hutchins pleads guilty to two counts of banking malware creation after being held for 2 years by US. Forced confession, maybe?

Marcus Hutchins, the British security researcher who shot to fame after successfully halting the Wannacry ransomware epidemic, has pleaded guilty to crafting online bank-account-raiding malware.

For nearly two years now, Hutchins, 24, has been under house arrest in the US after being collared at Las Vegas airport by FBI agents acting on a tip-off. The Brit, who was at the time trying to fly back home to Blighty after attending the Black Hat and DEF CON security conferences, was accused of creating and selling the Kronos banking trojan, and denied any wrongdoing.

The US government subsequently piled on charges, and it now appears that the pressure has been too much: on Friday this week, Hutchins accepted a plea deal [PDF], and admitted two charges of malware development.

“I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security,” he said in a statement.

“I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”

Each of the two counts carries a maximum penalty of five years behind bars, a $250,000 fine, and a year of probation. As with most plea deals, he’s likely to get less than that, though he may still spend some time in an American cooler.

While being held in jail after his arrest, Hutchins apparently admitted creating the software nasty. According to the Feds, the Brit at one point told an unnamed associate over a recorded telephone line: “I used to write malware, they picked me up on some old shit,” later adding: “I wrote code for a guy a while back who then incorporated it into a banking malware.”

Now the FBI have their guilty plea, and Hutchins – a professional malware reverse-engineer these days – is facing an uncertain future. But you have to wonder if it was all really worth it for the US authorities. After all, plenty of today’s cyber-security engineers and researchers have toyed with writing malware, even for research purposes. Thus, a stretch behind bars would be a very hard sentence for an offense committed when he was a teen.

Source: Wannacry-slayer Marcus Hutchins pleads guilty to two counts of banking malware creation

Hackers take control of top level domains to perform massive man in the middle attack

The discovery of a new, sophisticated team of hackers spying on dozens of government targets is never good news. But one team of cyberspies has pulled off that scale of espionage with a rare and troubling trick, exploiting a weak link in the internet’s cybersecurity that experts have warned about for years: DNS hijacking, a technique that meddles with the fundamental address book of the internet. Researchers at Cisco’s Talos security division on Wednesday revealed that a hacker group it’s calling Sea Turtle carried out a broad campaign of espionage via DNS hijacking, hitting 40 different organizations.

In the process, they went so far as to compromise multiple country-code top-level domains — the suffixes like .co.uk, or .ru, that end a foreign web address — putting all the traffic of every domain in multiple countries at risk. The hackers’ victims include telecoms, internet service providers, and domain registrars responsible for implementing the domain name system. But the majority of the victims and the ultimate targets, Cisco believes, were a collection of mostly governmental organizations including ministries of foreign affairs, intelligence agencies, military targets, and energy-related groups, all based in the Middle East and North Africa. By corrupting the internet’s directory system, hackers were able to silently use “man-in-the-middle” attacks to intercept all internet data from email to web traffic sent to those victim organizations.

[…] Cisco Talos said it couldn’t determine the nationality of the Sea Turtle hackers, and declined to name the specific targets of their spying operations. But it did provide a list of the countries where victims were located: Albania, Armenia, Cyprus, Egypt, Iraq, Jordan, Lebanon, Libya, Syria, Turkey, and the United Arab Emirates. Cisco’s Craig Williams confirmed that Armenia’s .am top-level domain was one of the “handful” that were compromised, but wouldn’t say which of the other countries’ top-level domains were similarly hijacked.

https://m.slashdot.org/story/354704
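Sea Turtle worked at the registrar and registry layer: rather than breaking into the victim’s name servers, they changed the delegation the parent zone publishes, so the NS records seen from outside stopped matching what the victim’s own servers said. That discrepancy, plus any new NS or MX record nobody provisioned, is what zone monitoring should alarm on. Below is an added example (mine, not code from Talos, Wired or Slashdot) that diffs two constructed record snapshots and compares the parent-side NS set against the child-side one. ministry.example and attacker-hosting.example are placeholder names, not any of the victims described.

```python
# Constructed snapshots of one zone's delegation and records, in the shape an
# operator might store after an hourly `dig` sweep: {rrtype: set(values)}.
# ministry.example and attacker-hosting.example are placeholders, not any of
# the victims Talos described.
EXPECTED_NS = {"ns1.ministry.example.", "ns2.ministry.example."}

BASELINE = {
    "NS": {"ns1.ministry.example.", "ns2.ministry.example."},
    "A": {"198.51.100.20"},
    "MX": {"10 mail.ministry.example."},
}

# Later snapshot: the registrar-side delegation now includes a server the
# operator does not run, and mail gains a higher-priority attacker MX. The web
# A record is untouched, which is why A-record-only monitoring misses this.
OBSERVED = {
    "NS": {"ns1.ministry.example.", "ns-relay.attacker-hosting.example."},
    "A": {"198.51.100.20"},
    "MX": {"10 mail.ministry.example.", "5 mx.attacker-hosting.example."},
}

# What the zone's own (still legitimate) servers answer for their NS set. In a
# registrar-level hijack this stays correct while the parent's copy changes.
CHILD_NS = {"ns1.ministry.example.", "ns2.ministry.example."}


def diff_records(baseline, observed):
    """Return ('added'|'removed', rrtype, value) for every change between snapshots."""
    changes = []
    for rrtype in sorted(set(baseline) | set(observed)):
        old = baseline.get(rrtype, set())
        new = observed.get(rrtype, set())
        changes += [("added", rrtype, v) for v in sorted(new - old)]
        changes += [("removed", rrtype, v) for v in sorted(old - new)]
    return changes


def delegation_mismatch(parent_ns, child_ns):
    """Compare the NS set the parent zone (TLD) publishes with the NS set the
    zone's own servers answer. They must match; names only on the parent side
    mean the delegation was altered at the registrar or registry."""
    return {
        "only_at_parent": sorted(parent_ns - child_ns),
        "only_at_child": sorted(child_ns - parent_ns),
    }


def assess(baseline, observed, child_ns, expected_ns=EXPECTED_NS):
    """Rank findings. NS changes and parent/child disagreement are critical:
    whoever controls the delegation controls every record, so every service
    and every DNS-validated certificate issuance. MX or A changes alone are high."""
    changes = diff_records(baseline, observed)
    mismatch = delegation_mismatch(observed.get("NS", set()), child_ns)
    rogue_ns = sorted(observed.get("NS", set()) - expected_ns)
    if rogue_ns or mismatch["only_at_parent"]:
        severity = "critical"
    elif changes:
        severity = "high"
    else:
        severity = "none"
    return {"severity": severity, "rogue_ns": rogue_ns,
            "mismatch": mismatch, "changes": changes}


if __name__ == "__main__":
    result = assess(BASELINE, OBSERVED, CHILD_NS)
    print(result["severity"], result["rogue_ns"], result["mismatch"])
    for change in result["changes"]:
        print(*change)
```

Two caveats for using this for real: the snapshots must be taken from resolvers outside your own network (a compromised delegation is invisible from inside a split-horizon setup), and when the TLD itself is the compromised party, as with .am here, the parent side cannot be trusted at all, which is why a registry lock on the domain is the preventive control rather than detection.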

Facebook uploaded the contacts of 1.5m people without permission

https://www.theregister.co.uk/2019/04/18/facebook_hoovered_up_15m_address_books_without_permission/

‘Millions’ of Instagram Passwords Were Exposed to Facebook Employees In Plaintext

On Thursday, at just about the same time as the most highly anticipated government document of the decade was released in Washington D.C., Facebook updated a month-old blog post to note that actually a security incident impacted “millions” of Instagram users and not “tens of thousands” as they said at first.

Last month, Facebook announced that hundreds of millions of Facebook and Facebook Lite account passwords were stored in plaintext in a database exposed to over 20,000 employees.

https://gizmodo.com/facebook-picked-a-great-day-to-reveal-that-it-exposed-m-1834147752

hoping no one would notice…

3D-printed heart made using a human patient’s cells – CNN

The process of printing the heart involved a biopsy of the fatty tissue that surrounds abdominal organs. Researchers separated the cells in the tissue from the rest of the contents, namely the extracellular matrix linking the cells. The cells were reprogrammed to become stem cells with the ability to differentiate into heart cells; the matrix was processed into a personalized hydrogel that served as the printing “ink.”

The cells and hydrogel were first used to create heart patches with blood vessels and, from there, an entire heart.

“At this stage, our 3D heart is small, the size of a rabbit’s heart,” Dvir said. “But larger human hearts require the same technology.”

Source: 3D-printed heart made using a human patient’s cells – CNN

Microsoft admits: Yes, miscreants leafed through some Hotmail, MSN, Outlook inboxes after support rep pwned

Microsoft says miscreants accessed some of its customers’ webmail inboxes and account data after a support rep’s administrative account was hijacked.

The Redmond software giant has sent Hotmail, MSN, and Outlook cloud users notifications that the unnamed customer support rep’s account was compromised by hackers who would have subsequently gained “limited access” to certain parts of some customer email accounts, including the ability to read messages in particular cases.

In the alert, Microsoft warns its punters that, between January 1 and March 28 of this year, the attacker, or attackers, would have had the ability to extract certain information from their inboxes, including the subject names of messages, folder names, contact lists, and user email address. The intrusion was limited to consumer (read: free) Microsoft email accounts.

While the aforementioned leaked notification claims the hackers would not have been able to read the content of messages, Microsoft would later admit – after media reports over the weekend – that the intruders could have accessed the contents of messages belonging to a subset of those impacted by the admin account hijacking.

Source: Microsoft admits: Yes, miscreants leafed through some Hotmail, MSN, Outlook inboxes after support rep pwned • The Register

Wait – support guys can read your emails?!

Internet Explorer exploit is trouble even if you never use the browser

Finally stopped using Internet Explorer? Good! But, now it’s time to completely delete it from your computer, too.

Security researcher John Page has discovered a new security flaw that allows hackers to steal Windows users’ data thanks to Internet Explorer. The craziest part: Windows users don’t ever even have to open the now-obsolete web browser for malicious actors to use the exploit. It just needs to exist on their computer.

“Internet Explorer is vulnerable to XML External Entity attack if a user opens a specially crafted .MHT file locally,” writes Page. “This can allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information.”

Basically, what this means is that hackers are taking advantage of a vulnerability using .MHT files, which is the file format used by Internet Explorer for its web archives. Current web browsers do not use the .MHT format, so when a PC user attempts to access this file Windows opens IE by default.

To initiate the exploit, a user simply needs to open an attachment received by email, messenger, or other file transfer service.

Source: Internet Explorer exploit is trouble even if you never use the browser
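An .MHT file is a MIME multipart archive (RFC 2557, multipart/related) in which each saved resource is a part with its own Content-Type and Content-Location. The payload Page describes depends on a part declaring an external entity, a DOCTYPE construct a saved web page never legitimately contains. Below is an added example (mine, not from the researcher’s advisory or from Microsoft) of the check a mail gateway or endpoint agent can apply to an .MHT attachment before anything opens it: unpack the MIME parts with the standard library, decode each one, and report any external entity or external DTD declaration. The sample archive, its host names and the file path inside the entity are constructed.

```python
import base64
import email
import re
from email import policy

# Quoted literal(s) that follow SYSTEM or PUBLIC; the last one is the system id.
_LITERALS = rb'''((?:\s+(?:"[^"]*"|'[^']*'))+)'''
ENTITY_RE = re.compile(rb'<!ENTITY\s+(%\s*)?([^\s>]+)\s+(?:SYSTEM|PUBLIC)' + _LITERALS,
                       re.IGNORECASE)
DOCTYPE_RE = re.compile(rb'<!DOCTYPE\s+([^\s>\[]+)\s+(?:SYSTEM|PUBLIC)' + _LITERALS,
                        re.IGNORECASE)


def _quoted(literals):
    return [a or b for a, b in re.findall(rb'''(?:"([^"]*)"|'([^']*)')''', literals)]


def _txt(b):
    return b.decode("ascii", "replace")


def find_external_entities(xml_bytes):
    """Return (kind, name, system_id) for every external general or parameter
    entity and every external DTD subset declared in the document. These are
    the constructs an XXE payload needs to read a local file or call out."""
    findings = []
    for m in ENTITY_RE.finditer(xml_bytes):
        kind = "parameter-entity" if m.group(1) else "general-entity"
        findings.append((kind, _txt(m.group(2)), _txt(_quoted(m.group(3))[-1])))
    for m in DOCTYPE_RE.finditer(xml_bytes):
        findings.append(("external-dtd", _txt(m.group(1)), _txt(_quoted(m.group(2))[-1])))
    return findings


def scan_mht(mht_bytes):
    """Unpack an .MHT (MIME) archive and scan every leaf part, whatever its
    declared Content-Type, since an attacker chooses the label. Returns
    (content_location, kind, name, system_id) per finding."""
    msg = email.message_from_bytes(mht_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""
        location = part.get("Content-Location", "<no location>")
        for kind, name, system_id in find_external_entities(body):
            findings.append((location, kind, name, system_id))
    return findings


# Constructed sample archive: a harmless HTML part followed by an XML part
# carrying an external entity. The path in the entity is illustrative.
XML_PART = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///C:/Windows/system.ini">]>'
            b'<r>&xxe;</r>')

SAMPLE_MHT = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; type="text/html"; boundary="----=_B0UNDARY"\r\n'
    b"\r\n"
    b"------=_B0UNDARY\r\n"
    b'Content-Type: text/html; charset="utf-8"\r\n'
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"Content-Location: http://example.test/index.html\r\n"
    b"\r\n"
    b"<html><body>saved page</body></html>\r\n"
    b"------=_B0UNDARY\r\n"
    b'Content-Type: text/xml; charset="utf-8"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Location: http://example.test/data.xml\r\n"
    b"\r\n"
    + base64.b64encode(XML_PART) + b"\r\n"
    b"------=_B0UNDARY--\r\n"
)

if __name__ == "__main__":
    for finding in scan_mht(SAMPLE_MHT):
        print(*finding)
```

Decoding every part before matching matters: a base64 or quoted-printable transfer encoding hides the `<!ENTITY` string from any scanner that greps the raw file. Blocking on a hit is reasonable policy, since legitimate browser-saved archives do not carry DTDs with external references.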

Android TV: Everything You Need To Know

Android TV is an operating system designed specifically for SmartTV purposes and is developed by Google. Android TV is basically a smart entertainment platform that comes built into a number of TVs (primarily from Sony, Panasonic, Sharp, etc.) but also in a number of streaming video players like Android TV Boxes and the most popular one, the Nvidia Shield.

To that end, Android TV is considerably similar to iOS or Android. It’s basically an operating system for a TV. It’s capable of supporting various apps, games, and TV shows that you normally navigate with a remote on your TV.

Source: Android TV: Everything You Need To Know

Research Findings May Lead to More Explainable AI | College of Computing

Why did the frog cross the road? Well, a new artificially intelligent (AI) agent that can play the classic arcade game Frogger not only can tell you why it crossed the road, but it can justify its every move in everyday language.

Developed by Georgia Tech, in collaboration with Cornell and the University of Kentucky, the work enables an AI agent to provide a rationale for a mistake or errant behavior, and to explain it in a way that is easy for non-experts to understand.

This, the researchers say, may help robots and other types of AI agents seem more relatable and trustworthy to humans. They also say their findings are an important step toward a more transparent, human-centered AI design that understands people’s preferences and prioritizes people’s needs.

“If the power of AI is to be democratized, it needs to be accessible to anyone regardless of their technical abilities,” said Upol Ehsan, Ph.D. student in the School of Interactive Computing at Georgia Tech and lead researcher.

“As AI pervades all aspects of our lives, there is a distinct need for human-centered AI design that makes black-boxed AI systems explainable to everyday users. Our work takes a formative step toward understanding the role of language-based explanations and how humans perceive them.”

The study was supported by the Office of Naval Research (ONR).

Researchers developed a participant study to determine if their AI agent could offer rationales that mimicked human responses. Spectators watched the AI agent play the videogame Frogger and then ranked three on-screen rationales in order of how well each described the AI’s game move.

Of the three anonymized justifications for each move – a human-generated response, the AI-agent response, and a randomly generated response – the participants preferred the human-generated rationales first, but the AI-generated responses were a close second.

Frogger offered the researchers the chance to train an AI in a “sequential decision-making environment,” which is a significant research challenge because decisions that the agent has already made influence future decisions. Therefore, explaining the chain of reasoning to experts is difficult, and even more so when communicating with non-experts, according to researchers.

[…]

By a 3-to-1 margin, participants favored answers that were classified in the “complete picture” category. Responses showed that people appreciated the AI thinking about future steps rather than just what was in the moment, which might make them more prone to making another mistake. People also wanted to know more so that they might directly help the AI fix the errant behavior.

[…]

The research was presented in March at the Association for Computing Machinery’s Intelligent User Interfaces 2019 Conference. The paper is titled Automated Rationale Generation: A Technique for Explainable AI and its Effects on Human Perceptions. Ehsan will present a position paper highlighting the design and evaluation challenges of human-centered Explainable AI systems at the upcoming Emerging Perspectives in Human-Centered Machine Learning workshop at the ACM CHI 2019 conference, May 4-9, in Glasgow, Scotland.

Source: Research Findings May Lead to More Explainable AI | College of Computing

Pregnancy and parenting club Bounty fined £400,000 for shady sharing of the personal data of more than 14 million people

The Information Commissioner’s Office has fined commercial pregnancy and parenting club Bounty some £400,000 for illegally sharing personal details of more than 14 million people.

The organisation, which dishes out advice to expectant and inexperienced parents, has faced criticism over the tactics it uses to sign up new members and was the subject of a campaign to boot its reps from maternity wards.

[…]

the business had also worked as a data brokering service until April last year, distributing data to third parties to then pester unsuspecting folk with electronic direct marketing. By sharing this information and not being transparent about its uses while it was extracting the stuff, Bounty broke the Data Protection Act 1998.

Bounty shared roughly 34.4 million records from June 2017 to April 2018 with credit reference and marketing agencies. Acxiom, Equifax, Indicia and Sky were the four biggest of the 39 companies that Bounty told the ICO it sold stuff to.

This data included details of new mothers and mothers-to-be but also of very young children’s birth dates and their gender.

Source: Pregnancy and parenting club Bounty fined £400,000 for shady data sharing practices • The Register

Chinese stock photo pusher tries to claim copyright on Event Horizon pic, Chinese Flag

China’s largest stock photo flinger has been forced to backtrack after it tried to put its own price tags on images of the first black hole and the Chinese flag.

Visual China Group reportedly tried to hawk out the first-ever image of a supermassive black hole and its shadow, which was the painstaking work of boffins running the Event Horizon Telescope.

The website is reported to have tried to suck users into payment, describing the picture, on which it affixed its logo, as an “editorial image” and directed users to dial a customer rep to discuss commercial use.

According to Reuters, the firm said it had obtained a non-exclusive editing licence for the project for media use – but it was widely understood the images were released under a Creative Commons licence, specifically CC BY 4.0.

The pic pushers were also said to have drawn criticism for asking for payment for images such as China’s flag and logos of companies including Baidu.

After the Tianjin city branch of China’s internet overseer stepped in, Visual China apologised and said that it would “learn from these lessons” and “seriously rectify” the problem.

Source: Hole lotta crud: Chinese stock photo pusher tries to claim copyright on Event Horizon pic • The Register

Copyright is such a brilliant system!

Script kiddie hackers publish personal data on thousands of US police officers and federal agents and have more in the pipeline

A hacker group has breached several FBI-affiliated websites and uploaded their contents to the web, including dozens of files containing the personal information of thousands of federal agents and law enforcement officers, TechCrunch has learned.

The hackers breached three sites associated with the FBI National Academy Association, a coalition of different chapters across the U.S. promoting federal and law enforcement leadership and training located at the FBI training academy in Quantico, VA. The hackers exploited flaws on at least three of the organization’s chapter websites — which we’re not naming — and downloaded the contents of each web server.

The hackers then put the data up for download on their own website, which we’re also not naming nor linking to given the sensitivity of the data.

The spreadsheets contained about 4,000 unique records after duplicates were removed, including member names, a mix of personal and government email addresses, job titles, phone numbers and their postal addresses. The FBINAA could not be reached for comment outside of business hours. If we hear back, we’ll update.

TechCrunch spoke to one of the hackers, who didn’t identify his or her name, through an encrypted chat late Friday.

“We hacked more than 1,000 sites,” said the hacker. “Now we are structuring all the data, and soon they will be sold. I think something else will publish from the list of hacked government sites.” We asked if the hacker was worried that the files they put up for download would put federal agents and law enforcement at risk. “Probably, yes,” the hacker said.

The hacker claimed to have “over a million data” [sic] on employees across several U.S. federal agencies and public service organizations.

It’s not uncommon for data to be stolen and sold in hacker forums and in marketplaces on the dark web, but the hackers said they would offer the data for free to show that they had something “interesting.”

[…]

The hacker — one of more than ten, they said — used public exploits, indicating that many of the websites they hit weren’t up-to-date and had outdated plugins.

[…]

Their end goal: “Experience and money,” the hacker said.

Source: Hackers publish personal data on thousands of US police officers and federal agents | TechCrunch

AI predicts hospital readmission rates from clinical notes

Electronic health records store valuable information about hospital patients, but they’re often sparse and unstructured, making them difficult for potentially labor- and time-saving AI systems to parse. Fortunately, researchers at New York University and Princeton have developed a framework that evaluates clinical notes (i.e., descriptions of symptoms, reasons for diagnoses, and radiology results) and autonomously assigns a risk score indicating whether patients will be readmitted within 30 days. They claim that the model, whose code and parameters are publicly available on GitHub, handily outperforms baselines.

“Accurately predicting readmission has clinical significance both in terms of efficiency and reducing the burden on intensive care unit doctors,” the paper’s authors wrote. “One estimate puts the financial burden of readmission at $17.9 billion dollars and the fraction of avoidable admissions at 76 percent.”

Source: AI predicts hospital readmission rates from clinical notes | VentureBeat

Sonos finally blasted in complaint to UK privacy watchdog – let’s hope they do something with it

Sonos stands accused of seeking to obtain “excessive” amounts of personal data without valid consent in a complaint filed with the UK’s data watchdog.

The complaint, lodged by tech lawyer George Gardiner in a personal capacity, challenges the Sonos privacy policy’s compliance with the General Data Protection Regulation and the UK’s implementation of that law.

It argues that Sonos had not obtained valid consent from users who were asked to agree to a new privacy policy and had failed to meet privacy-by-design requirements.

The company changed its terms in summer 2017 to allow it to collect more data from its users – ostensibly because it was launching voice services. Sonos said that anyone who didn’t accept the fresh Ts&Cs would no longer be able to download future software updates.

Sonos denied at the time that this was effectively bricking the system, but whichever way you cut it, the move would deprecate the kit of users that didn’t accept the terms. The app controlling the system would also eventually become non-functional.

Gardiner pointed out, however, that security risks and an interest in properly maintaining an expensive system meant there was little practical alternative other than to update the software.

This resulted in a mandatory acceptance of the terms of the privacy policy, rendering any semblance of consent void.

“I have no option but to consent to its privacy policy otherwise I will have over £3,000 worth of useless devices,” he said in a complaint sent to the ICO and shared with The Register.

Users setting up accounts are told: “By clicking on ‘Submit’ you agree to Sonos’ Terms and Conditions and Privacy Policy.” This all-or-nothing approach is contrary to data protection law, he argued.

Sonos collects personal data in the form of name, email address, IP addresses and “information provided by cookies or similar technology”.

The system also collects data on room names assigned by users, the controller device, the operating system of the device a person uses and content source.

Sonos said that collecting and processing this data – a slurp that users cannot opt out of – is necessary for the “ongoing functionality and performance of the product and its ability to interact with various services”.

But Gardiner questioned whether it was really necessary for Sonos to collect this much data, noting that his system worked without it prior to August 2017. He added that he does not own a product that requires voice recognition.

Source: Turn me up some: Smart speaker outfit Sonos blasted in complaint to UK privacy watchdog • The Register

I am in the exact same position – suddenly I had to accept an invasive change of privacy policy and earlier in March I also had to log in with a Sonos account in order to get the kit working (it wouldn’t update without logging in and the app only showed the login and update page). This is not what I signed up for when I bought the (expensive!) products.

Two out of three hotels accidentally leak guests’ personal data to third parties

Two out of three hotel websites inadvertently leak guests’ booking details and personal data to third-party sites, including advertisers and analytics companies, according to research released by Symantec Corp on Wednesday.

The study, which looked at more than 1,500 hotel websites in 54 countries that ranged from two-star to five-star properties, comes several months after Marriott International disclosed one of the worst data breaches in history.

Symantec said Marriott was not included in the study.

Compromised personal information includes full names, email addresses, credit card details and passport numbers of guests that could be used by cybercriminals who are increasingly interested in the movements of influential business professionals and government employees, Symantec said.

“While it’s no secret that advertisers are tracking users’ browsing habits, in this case, the information shared could allow these third-party services to log into a reservation, view personal details and even cancel the booking altogether,” said Candid Wueest, the primary researcher on the study.

The research showed compromises usually occur when a hotel site sends confirmation emails with a link that has direct booking information. The reference code attached to the link could be shared with more than 30 different service providers, including social networks, search engines and advertising and analytics services.
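The leak path described above (a booking reference carried in the confirmation link’s URL, then forwarded to every third party loaded by the page) can be modelled and checked. The following is an added example, not code from Symantec or from the article: it implements the browser’s Referrer-Policy rules to show which hosts would receive the reference in the Referer header under each policy, and scans a handful of captured outbound requests for the reference wherever it turns up. The hotel host, the `ref` parameter, the third-party hosts and the captured requests are all constructed for illustration.

```python
"""Added example (not Symantec's or the article's code): model how a booking
reference carried in a confirmation-link URL reaches third parties via the
Referer header, and scan captured outbound requests for it.

The hotel host, the 'ref' parameter, the third-party hosts and the captured
requests below are constructed for illustration.
"""
from urllib.parse import urlsplit, urlunsplit, quote


def _host(p):
    """hostname[:port] of a split URL, as used in origin comparisons."""
    host = p.hostname or ""
    return f"{host}:{p.port}" if p.port else host


def origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{_host(p)}/"


def strip_for_referrer(url):
    """Browsers drop credentials and the fragment before sending Referer."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host(p), p.path, p.query, ""))


def referrer_sent(page_url, request_url, policy="no-referrer-when-downgrade"):
    """Referer value a browser attaches to request_url when made from page_url
    under the given Referrer-Policy (W3C Referrer Policy rules), or None."""
    same_origin = origin(page_url) == origin(request_url)
    downgrade = (urlsplit(page_url).scheme == "https"
                 and urlsplit(request_url).scheme == "http")
    full, only_origin = strip_for_referrer(page_url), origin(page_url)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return only_origin
    if policy == "strict-origin":
        return None if downgrade else only_origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin-when-cross-origin":
        return full if same_origin else only_origin
    if policy == "strict-origin-when-cross-origin":
        return full if same_origin else (None if downgrade else only_origin)
    raise ValueError(f"unknown Referrer-Policy: {policy}")


def referer_leaks(page_url, request_urls, policy, secret):
    """Hosts whose requests would carry `secret` in the Referer under `policy`."""
    leaked = []
    for u in request_urls:
        ref = referrer_sent(page_url, u, policy)
        if ref and secret in ref:
            leaked.append(urlsplit(u).hostname)
    return leaked


def find_secret_in_requests(captured, secret):
    """Scan HAR-like request records for `secret` in the URL, Referer or body.
    Analytics and social scripts routinely copy location.href into their own
    query string or POST body, which no Referrer-Policy prevents."""
    hits = []
    for r in captured:
        places = (("url", r.get("url", "")),
                  ("referer", r.get("headers", {}).get("Referer", "")),
                  ("body", r.get("body", "")))
        where = [name for name, text in places if secret in text]
        if where:
            hits.append((urlsplit(r["url"]).hostname, where))
    return hits


# Constructed sample: a confirmation link that exposes the booking reference.
BOOKING_REF = "ABC123XY"
PAGE = f"https://hotel.example/booking/view?ref={BOOKING_REF}&email=guest%40example.net"
REQUESTS_FROM_PAGE = [
    "https://analytics.example/collect",       # cross-origin, https
    "https://ads.example/pixel.gif",           # cross-origin, https
    "http://legacy-cdn.example/js/widget.js",  # https -> http downgrade
    "https://hotel.example/static/app.js",     # same-origin
]
CAPTURED = [  # what a proxy or HAR export of the page load might show
    {"url": "https://analytics.example/collect?dl=" + quote(PAGE, safe=""),
     "headers": {"Referer": "https://hotel.example/"}, "body": ""},
    {"url": "https://ads.example/pixel.gif",
     "headers": {"Referer": PAGE}, "body": ""},
    {"url": "https://social.example/widget",
     "headers": {"Referer": "https://hotel.example/"},
     "body": '{"page": "' + PAGE + '"}'},
    {"url": "https://cdn.example/font.woff2",
     "headers": {"Referer": "https://hotel.example/"}, "body": ""},
]

if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{policy:32} -> {referer_leaks(PAGE, REQUESTS_FROM_PAGE, policy, BOOKING_REF)}")
    print("captured leaks:", find_secret_in_requests(CAPTURED, BOOKING_REF))
```

Running it shows the two halves of the problem: under the old default policy every https third party receives the full URL with the reference, while `strict-origin-when-cross-origin` (the current browser default, and settable with a `Referrer-Policy` response header) confines the full URL to same-origin requests. The captured-request scan shows why that header alone is not enough: the analytics and social requests carry the page URL in their own query string and body, so the durable fix is to keep the reference out of GET URLs altogether (POST the form, or exchange a short-lived one-time token server-side) and to treat an existing reference as a credential that can view and cancel the booking.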

Source: Two out of three hotels accidentally leak guests’ personal data: Symantec – Reuters

Increase Your Privacy in Windows 10 With ‘O&O ShutUp10’

You might not even know what options you can tweak (or turn off) in your operating system, which is where the cleverly named O&O ShutUp10 application comes into play. It’s a simple application that makes it incredibly easy to tweak various aspects of Windows 10 that are normally buried or otherwise inaccessible to regular people. More importantly, the app comes with some helpful warnings so you don’t accidentally disable something you shouldn’t (like automatic updates).

To get started, all you have to do is download the app and run it. That’s it. There’s no installation to speak of, which already makes me thrilled. When the app loads, it’ll look like this:

Screenshot: David Murphy (O&O ShutUp10)

You’ll see a bunch of different options you can turn on and off—some might already be enabled—as well as a handy “recommend” column that gives you a little more advice as to whether you should really mess with that setting or not. What I love about O&O ShutUp10, though, is that you can get even more information about what each setting means by simply hovering your mouse over each line and clicking, like so:

Screenshot: David Murphy

While you probably shouldn’t just go through and enable everything that’s recommended en masse, I would use that little green checkmark as a guide while you explore the app. Enable any related setting and you’re probably fine. Once you start getting into the yellow “limited” category, however, it gets a bit dicier. You might not want to, for example, disable all apps from accessing your microphone or camera—or maybe you do. Just remember you toggled that setting the next time you’re about to hop on a video conference.

Source: Increase Your Privacy in Windows 10 With ‘O&O ShutUp10’