The Linkielist

Linking ideas with the world

The Linkielist

Author Archives: Robin Edgar

About Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft

BAE Systems uses MAGMA demonstrator to roll and pitch jet aircraft without using moving surfaces

Posted on by
In a series of ground-breaking flight trials that took place in the skies above north-west Wales, the MAGMA unmanned aerial vehicle (UAV) demonstrated two innovative flow control technologies which could revolutionise future aircraft design.
MAGMA, designed and developed by researchers at The University of Manchester in collaboration with engineers from BAE Systems, successfully trialled the two ‘flap-free’ technologies earlier this month at the Llanbedr Airfield.
The technologies have been designed to improve the control and performance of aircraft. By replacing moving surfaces with a simpler ‘blown air’ solution, the trials have paved the way for engineers to create better performing aircraft that are lighter, more reliable and cheaper to operate. The technologies could also improve an aircraft’s stealth as they reduce the number of gaps and edges that currently make aircraft more observable on radar.
Developing such technologies helps to ensure the UK has the right technologies and skills in place for the future and could be applied to the development of a Future Combat Air System. It is the latest technological breakthrough to come from a number of BAE Systems collaborations with academia and industry, that will help the UK to deliver more advanced capability, more quickly, and through shared investment.
[…]
The technologies demonstrated in the trials were:
  • Wing Circulation Control: Taking air from the aircraft engine and blowing it supersonically through narrow slots around a specially shaped wing tailing edge in order to control the aircraft.
  • Fluidic Thrust Vectoring: Controlling the aircraft by blowing air jets inside the nozzle to deflect the exhaust jet and generate a control force.
The trials form part of a long-term collaboration between BAE Systems, academia and the UK government to explore and develop flap-free flight technologies, and the data will be used to inform future research programmes. Other technologies to improve the aircraft performance are being explored in collaboration with NATO Science and Technology Organisation.

Source: MAGMA: the future of flight | Newsroom | BAE Systems | International

Tractors, not phones, will (maybe) get America a right-to-repair law at this rate: Bernie slams ‘truly insane’ situation

Posted on by

A person’s “right to repair” their own equipment may well become a US election issue, with presidential candidate Bernie Sanders making it a main talking point during his tour of Iowa.

“Are you ready for something truly insane?” the veteran politician’s account tweeted on Sunday, “Farmers aren’t allowed to repair their own tractors without paying an authorized John Deere repair agent.”

The tweet links to a clip of a recent Sanders rally during which he told the crowd to cheers: “Unbelievably, farmers are unable to even repair their own tractors, and tractors cost what – at least $150,000 – people are spending $150,000 for a piece of machinery. You know what I think? The person who buys that machinery has a right to fix the damn piece of machinery.”

The right-to-repair was also highlighted as one of Sanders’ key policies issues in his plan to “revitalize rural America,” and he promised: “When we are in the White House, we will pass a national right-to-repair law that gives every farmer in America full rights over the machinery they buy.”

Source: Tractors, not phones, will (maybe) get America a right-to-repair law at this rate: Bernie slams ‘truly insane’ situation • The Register

There is hope yet…

First private Japanese rocket reaches space

Posted on by

Japan can finally include itself among the ranks of countries with successful private spaceflight outfits. Interstellar Technologies has successfully launched its MOMO-3 sounding rocket into space, with the vehicle easily crossing the Kármán line (62 miles in altitude) before splashing into the Pacific. It’s a modest start — the rocket only stayed aloft for 8 minutes and 35 seconds — but it’s also a relief after Interstellar’s previous two attempts ended in failure.

There was a fair amount riding on the mission. Interstellar’s ultimate aim is to ferry small satellites into orbit at a fraction of the cost of government launches, and this takes the company one step closer to achieving its dream. It also relieves some of the pressure on Interstellar founder Takafumi Horie. There had been skepticism about the Livedoor creator’s spaceflight chops given his controversial entrepreneurial history (including a conviction for accounting fraud). This shows that his initiative can work on a basic level — the challenge is translating a test like this into a full-fledged business.

Source: First private Japanese rocket reaches space

‘They’re Basically Lying’ – (Mental) Health Apps Caught Secretly Sharing Data

Posted on by

“Free apps marketed to people with depression or who want to quit smoking are hemorrhaging user data to third parties like Facebook and Google — but often don’t admit it in their privacy policies, a new study reports…” writes The Verge.

“You don’t have to be a user of Facebook’s or Google’s services for them to have enough breadcrumbs to ID you,” warns Slashdot schwit1. From the article: By intercepting the data transmissions, they discovered that 92 percent of the 36 apps shared the data with at least one third party — mostly Facebook- and Google-run services that help with marketing, advertising, or data analytics. (Facebook and Google did not immediately respond to requests for comment.) But about half of those apps didn’t disclose that third-party data sharing, for a few different reasons: nine apps didn’t have a privacy policy at all; five apps did but didn’t say the data would be shared this way; and three apps actively said that this kind of data sharing wouldn’t happen. Those last three are the ones that stood out to Steven Chan, a physician at Veterans Affairs Palo Alto Health Care System, who has collaborated with Torous in the past but wasn’t involved in the new study. “They’re basically lying,” he says of the apps.

Part of the problem is the business model for free apps, the study authors write: since insurance might not pay for an app that helps users quit smoking, for example, the only ways for free app developer to stay afloat is to either sell subscriptions or sell data. And if that app is branded as a wellness tool, the developers can skirt laws intended to keep medical information private.
A few apps even shared what The Verge calls “very sensitive information” like self reports about substance use and user names.

Source: ‘They’re Basically Lying’ – Mental Health Apps Caught Secretly Sharing Data – Slashdot

Aweigh – open source navigation system without satellites

Posted on by

Aweigh is an open navigation system that does not rely on satellites: it is inspired by the mapping of celestial bodies and the polarized vision of insects. Ancient seafarers and desert ants alike use universally accessible skylight to organize, orient, and place themselves in the world. Aweigh is a project that learns from the past and from the microscopic to re-position individuals in the contemporary technological landscape.

Networked technolgies that we increasingly rely on undergo changes that are often beyond our control. Most smartphone users require government-run satellites to get around day by day, while consequences of Brexit are calling into question the UK’s access to the EU’s new satellite system, Project Galileo. Aweigh is a set of tools and blueprints that aims to open modern technologies to means of democratization, dissemination, and self-determination.

These tools were designed to depend only on publicly available materials and resources: digital fabrication machines, open-source code, packaged instructions, and universally accessible sky light. Aweigh is inspired by ancient navigation devices that use the process of taking angular measurements between the earth and various celestial bodies as reference points to find one’s position. Combining this process with the polarization of sunlight observed in insect eyes, the group developed a technology that calculates longitude and latitude in urban as well as off-grid areas.

Source: Aweigh

Unsecured MS cloud database removed after exposing details on 80 million US households

Posted on by

the addresses and demographic details of more than 80 million US households were exposed on an unsecured database stored on the cloud, independent security researchers have found.

The details included names, ages and genders as well as income levels and marital status. The researchers, led by Noam Rotem and Ran Locar, were unable to identify the owner of the database, which until Monday was online and required no password to access. Some of the information was coded, like gender, marital status and income level. Names, ages and addresses were not coded.

The data didn’t include payment information or Social Security numbers. The 80 million households affected make up well over half of the households in the US, according to Statista.

“I wouldn’t like my data to be exposed like this,” Rotem said in an interview with CNET. “It should not be there.”

Rotem and his team verified the accuracy of some data in the cache but didn’t download the data to minimize the invasion of privacy of those listed, he said.

[…]

Unlike a hack, you don’t need to break into a computer system to access an exposed database. You simply need to find the IP address, the numerical code assigned to any given web page.

[…]

Rotem found that the data was stored on a cloud service owned by Microsoft. Securing the data is up to the organization that created the database, and not Microsoft itself.

“We have notified the owner of the database and are taking appropriate steps to help the customer remove the data until it can be properly secured,” a Microsoft spokesperson told CNET in a statement Monday.

The server hosting the data came online in February, Rotem found, and he discovered it in April using tools he developed to search for and catalog unsecured databases.

Source: Cloud database removed after exposing details on 80 million US households – CNET

Color-Changing LEDs Pave the Way to Impossibly High Screen Resolutions

Posted on by

An international collaboration between several universities around the world has led to an innovation in LEDs that could potentially result in a giant leap forward when it comes to increasing the resolution on TV screens and mobile devices. For the first time ever, a single LED can now change color all by itself.

The current design and chemical makeup of LEDs limit the technology to producing light in just a single color. “But Andrew, what about my color-changing LED smart bulbs,” you’re probably asking. Those actually rely on a cluster of LEDs inside that each produce either red, green, or blue light. When their individual intensities are adjusted, the colors that each light produces mix to produce an overall shade of light. LED-backlit LCD TVs work in a similar fashion, but to produce one-colored pixel, three filtered LEDs are required. Even the next big breakthrough in flatscreen TV technology, MicroLEDs, require a trio of ultra-tiny light-producing diodes to create a single pixel, which limits how many can be squeezed into a given area, and resolution.

In a paper recently published to the ACS Photonics Journal, researchers from Lehigh University and West Chester University in Pennsylvania, Osaka University in Japan, and the University of Amsterdam, detail a new approach to making LEDs that uses a rare earth ion called Europium that when paired with Gallium Nitride (an alternative to silicon that’s now showing up in electronics other than LEDs, like Anker’s impossibly tiny PowerPort Atom PD 1 laptop charger) allows the LED’s color to be adjusted on the fly. The secret sauce is how power is used to excite the Europium and Gallium Nitride-different ratios and intensities of current can be selectively applied to produce the emission of three primary colors: red, blue, and green.

Using this approach, LED lightbulbs with specific color temperatures could be produced and sold at much cheaper price points since the colors from multiple tint-specific LEDs don’t have to be mixed. The technology could yield similar benefits for TVs and the screens that end up in mobile devices. Instead of three LEDs (red, green, and blue) needed to generate every pixel, a single Europium-based LED could do the job. Even more exciting than cheaper price tags is the fact that replacing three LEDs with just one could result in a display with three times the resolution. Your eyes probably wouldn’t be able to discern that many pixels on a smartphone screen, but in smaller displays, like those used in the viewfinders of digital cameras, a significant step in resolution would be a noticeable improvement.

Source: Color-Changing LEDs Pave the Way to Impossibly High Screen Resolutions

Personal information on sites about faith, illness, sexual orientation, addiction, schools in NL is directly passed on to advertisers without GDPR consent.

Posted on by

Websites met informatie over gevoelige onderwerpen lappen de privacywet massaal aan hun laars. Dat zegt de Consumentenbond. Veel sites plaatsen zonder toestemming cookies van advertentienetwerken, waardoor die zeer persoonlijke informatie over de bezoekers in handen krijgen.

Onderzoekers van de Consumentenbond zochten in maart en april op onderwerpen binnen de categorieën geloof, jeugd, medisch en geaardheid. Via zoekvragen over onder meer depressie, verslaving, seksuele geaardheid en kanker kwamen zij op 106 websites.

Bijna de helft van die sites plaatste bij bezoek direct, dus zonder toestemming van de bezoeker, een of meer advertentiecookies, bijna altijd van Google. Websites als CIP.nl, Refoweb.nl en scholieren.com plaatsten er zelfs tientallen. Ouders.nl maakte het helemaal bont en plaatste maar liefst 37 cookies.

Ook een flink aantal instellingen voor geestelijke gezondheidszorg viel op. Onder andere ggzdrenthe.nl, connection-sggz.nl, parnassiagroep.nl en lentis.nl volgden ongevraagd het surfgedrag van hun bezoekers en speelden deze informatie door naar Google.

De privacywet AVG is nu een jaar van kracht, maar het is volgens de bond zorgwekkend hoe slecht de wet wordt nageleefd.

Source: ‘Persoonlijke informatie niet veilig bij sites over geloof, ziekte en geaardheid’ – Emerce

Sinister secret backdoor found in networking gear perfect for government espionage: The Chinese are – oh no, wait, it’s Cisco again

Posted on by

Right on cue, Cisco on Wednesday patched a security vulnerability in some of its network switches that can be exploited by miscreants to commandeer the IT equipment and spy on people.

This comes immediately after panic this week over a hidden Telnet-based diagnostic interface was found in Huawei gateways. Although that vulnerability was real, irritating, and eventually removed at Vodafone’s insistence, it was dubbed by some a hidden backdoor perfect for Chinese spies to exploit to snoop on Western targets.

Which, of course, comes as America continues to pressure the UK and other nations to outlaw the use of Huawei gear from 5G networks over fears Beijing would use backdoors baked into the hardware to snatch Uncle Sam’s intelligence.

Well, if a non-internet-facing undocumented diagnostic Telnet daemon is reason enough to kick Huawei kit out of Western networks, surely this doozy from Cisco is enough to hoof American equipment out of British, European and other non-US infrastructure? Fair’s fair, no?

US tech giant Cisco has issued a free fix for software running on its Nexus 9000 series machines that can be exploited to log in as root and hijack the device for further mischief and eavesdropping. A miscreant just needs to be able to reach the vulnerable box via IPv6. It’s due to a default SSH key pair hardcoded into the software

Source: Sinister secret backdoor found in networking gear perfect for government espionage: The Chinese are – oh no, wait, it’s Cisco again • The Register

Apple killing right to repair bill

Posted on by

The bill has been pulled by its sponsor, Susan Talamantes-Eggman: “It became clear that the bill would not have the support it needed today, and manufacturers had sown enough doubt with vague and unbacked claims of privacy and security concerns,” she said. Her full statement has been added at the end of the piece.

In recent weeks, an Apple representative and a lobbyist for CompTIA, a trade organization that represents big tech companies, have been privately meeting with legislators in California to encourage them to kill legislation that would make it easier for consumers to repair their electronics, Motherboard has learned.

According to two sources in the California State Assembly, the lobbyists have met with members of the Privacy and Consumer Protection Committee, which is set to hold a hearing on the bill Tuesday afternoon. The lobbyists brought an iPhone to the meetings and showed lawmakers and their legislative aides the internal components of the phone. The lobbyists said that if improperly disassembled, consumers who are trying to fix their own iPhone could hurt themselves by puncturing the lithium-ion battery, the sources, who Motherboard is not naming because they were not authorized to speak to the media, said.

The argument is similar to one made publicly by Apple executive Lisa Jackson in 2017 at TechCrunch Disrupt, when she said the iPhone is “too complex” for normal people to repair them.

[…]

a few weeks after CompTIA and 18 other trade organizations associated with big tech companies—including CTIA and the Entertainment Software Association—sent letters in opposition of the legislation to members of the Assembly’s Privacy and Consumer Protection Committee. One copy of the letter, addressed to committee chairperson Ed Chau and obtained by Motherboard, urges the chairperson “against moving forward with this legislation.” CTIA represents wireless carriers including Verizon, AT&T, and T-Mobile, while the Entertainment Software Association represents Nintendo, Sony, Microsoft, and other video game manufacturers.

“With access to proprietary guides and tools, hackers can more easily circumvent security protections, harming not only the product owner but also everyone who shares their network,” the letter, obtained by Motherboard, stated. “When an electronic product breaks, consumers have a variety of repair options, including using an OEM’s [original equipment manufacturer] authorized repair network.”

Experts, however, say Apple’s and CompTIA’s warnings are far overblown. People with no special training regularly replace the batteries or cracked screens in their iPhones, and there are thousands of small, independent repair companies that regularly fix iPhones without incident. The issue is that many of these companies operate in a grey area because they are forced to purchase replacement parts from third parties in Shenzhen, China, because Apple doesn’t sell them to independent companies unless they become part of the “Apple Authorized Service Provider Program,” which limits the types of repairs they are allowed to do and requires companies to pay Apple a fee to join.

“To suggest that there are safety and security concerns with spare parts and manuals is just patently absurd,” Nathan Proctor, director of consumer rights group US PIRG’s right to repair campaign told Motherboard in a phone call. “We know that all across the country, millions of people are doing this for themselves. Millions more are taking devices to independent repair technicians.”

[…]

“The security of devices is not related to diagnostics and service manuals, they’re related to poor code with vulnerabilities, weak authentication, devices deployed by default to be vulnerable,” Roberts told Motherboard. “We all know there’s no debate. Security for connected devices has nothing to do with repair.”

Source: Apple Is Telling Lawmakers People Will Hurt Themselves if They Try to Fix iPhones – Motherboard

Wow, this is simply ridiculous. Profiteering by the large companies at the expense of smaller companies seems to be something the US government absolutely loves.

Dell laptops and computers vulnerable to remote hijacks via Dell admin tool

Posted on by

A vulnerability in the Dell SupportAssist utility exposes Dell laptops and personal computers to a remote attack that can allow hackers to execute code with admin privileges on devices using an older version of this tool and take over users’ systems.

Dell has released a patch for this security flaw on April 23; however, many users are likely to remain vulnerable unless they’ve already updated the tool –which is used for debugging, diagnostics, and Dell drivers auto-updates.

The number of impacted users is believed to be very high, as the SupportAssist tool is one of the apps that Dell will pre-install on all Dell laptops and computers the company ships with a running Windows OS (systems sold without an OS are not impacted).

CVE-2019-3719

According to Bill Demirkapi, a 17-year-old security researcher from the US, the Dell SupportAssist app is vulnerable to a “remote code execution” vulnerability that under certain circumstances can allow attackers an easy way to hijack Dell systems.

The attack relies on luring users on a malicious web page, where JavaScript code can trick the Dell SupportAssist tool into downloading and running files from an attacker-controlled location.

Because the Dell SupportAssist tool runs as admin, attackers will have full access to targeted systems, if they manage to get themselves in the proper position to execute this attack.

Attack requires LAN/router compromise

“The attacker needs to be on the victim’s network in order to perform an ARP Spoofing Attack and a DNS Spoofing Attack on the victim’s machine in order to achieve remote code execution,” Demirkapi told ZDNet today in an email conversation.

This might sound hard, but it isn’t as complicated as it appears.

Two scenarios in which the attack could work include public WiFi networks or large enterprise networks where there’s at least one compromised machine that can be used to launch the ARP and DNS attacks against adjacent Dell systems running the SupportAssist tool.

Source: Dell laptops and computers vulnerable to remote hijacks | ZDNet

Sapa Profiles / Hydro Extrusion falsified aluminium tensile strength for profit, causes $700m in losses in NASA launches, years of science crashing and burning

Posted on by

The space agency eggheads pointed the finger of blame at the aluminium manufacturer after probing two failed science missions: the February 24, 2009 fruitless launch of the Orbiting Carbon Observatory, and the March 4, 2011 doomed launch of the Glory satellite, designed for monitoring atmospheric pollutants.

In both cases, the rocket fairing, which is the nose cone protecting the satellite payload, failed to separate after liftoff. As a result, the Orbiting Carbon Observatory (OCO) plunged into the ocean off the Antarctic, and Glory swiftly crashed into the Pacific, after their rockets fell back to Earth, the satellites still attached.

The blunders were traced back to the fairing release mechanism, and specifically the aluminium (or aluminum in Freedom Language) used in this component. It was supplied by Sapa Profiles Inc, of Oregon, USA, now renamed Hydro Extrusion Portland, Inc. NASA’s boffins said the metals used were not up to specification, and called in the Feds.

Subsequent checks appeared to show that Sapa had been falsifying its materials testing reports for profit. The metal was supposed to have a particular tensile strength, however, company employees fudged the tests to increase profit margins, investigators said.

Source: NASA fingers the cause of two bungled satellite launches, $700m in losses, years of science crashing and burning… • The Register

Yep, That SpaceX Crew Capsule Was Definitely Destroyed During Failed Ground Test, Company Confirms

Posted on by

After weeks of speculation, SpaceX has finally admitted that a Crew Dragon capsule was destroyed during a test of system’s abort thrusters on April 20. No cause was given for the anomaly, nor were any new details disclosed about possible delays to NASA’s languishing Commercial Crew Program.

Speaking to reporters at a NASA briefing held earlier this week, Hans Koenigsmann, the vice president of build and flight reliability at SpaceX, said the mishap is “certainly not great news,” in terms of the company’s plan to launch astronauts into space later this year, as CBS News reports. The purpose of the briefing was to discuss an upcoming cargo launch to the ISS, but the incident, in which a Crew Dragon capsule got torched just prior to the firing of launch-abort thrusters, dominated much of the discussion.

The mishap occurred at Cape Canaveral’s Landing Zone 1 on April 20 during static ground tests of the system’s boosters. The Crew Dragon was reportedly engulfed in flames and thick orange-black smoke, which was probably toxic, could be seen for miles. Both NASA and SpaceX have been tight-lipped about the incident, but Koenigsmann shared some new information with reporters during the briefing.

Tests of the system’s smaller, maneuvering Draco thrusters were done earlier in the day without incident, he said. It was when the focus shifted to the system’s larger SuperDraco boosters—a series of eight thrusters tied to the abort system—that things went sideways.

“At the test stand, we powered up Dragon, it powered up as expected, we completed tests with the Draco thrusters—the smaller thrusters that are also on the cargo Dragon,” said Koenigsmann per CBS News. “And then just before we wanted to fire the SuperDracos there was an anomaly and the vehicle was destroyed.”

Source: Yep, That SpaceX Crew Capsule Was Definitely Destroyed During Failed Ground Test, Company Confirms

Kremlin signs total internet surveillance and censorship system into law, from Nov 1st.

Posted on by

Russia’s internet iron curtain has been formally signed into law by President Putin. The nation’s internet service providers have until 1 November to ensure they comply.

The law will force traffic through government-controlled exchanges and eventually require the creation of a national domain name system.

The bill has been promoted as advancing Russian sovereignty and ensuring Runet, Russia’s domestic internet, remains functioning regardless of what happens elsewhere in the world. The government has claimed “aggressive” US cybersecurity policies justify the move.

Control of exchanges is seen as an easy way for the Russian government to increase its control over what data its citizens can see, and what they can post. The Kremlin wants all data required by the network to be stored within Russian borders.

ISPs will only be allowed to connect to other ISPs, or peer, through approved exchanges. These exchanges will have to include government-supplied boxes which can block data traffic as required.

There have been widespread protests within the country against the law.

Source: Having a bad day? Be thankful you don’t work at a Russian ISP: Kremlin signs off Pootynet restrictions • The Register

Dark Net’s Wall Street Market Falls to Police

Posted on by

Police from around the world shut down the biggest active black market on the dark web this month, according to announcements from law enforcement agencies in the United States, Germany, and the Netherlands released on Friday.

Wall Street Market, as the black market site was known, was the target of a 1.5-year-long multinational investigation. Three Germans were arrested on April 23 and 24 inside Germany for their alleged role in creating and administering the site that sold illegal drugs, documents, weapons, and data.

“WSM was one of the largest and most voluminous darknet marketplaces of all time,” FBI Special Agent Leroy Shelton wrote in the criminal complaint released on Friday.

[…]

Wall Street Market had 1.15 million customer accounts and 5,400 registered sellers, according to the U.S. Justice Department. However, don’t take those numbers to be accurate census accounts—users are anonymous, sellers and buyers both often create multiple accounts, and there’s no way to get a realistic count on the number of individuals active on a market like this.

A better way to understand the scale of a black market like this is to look at the actual money involved. Last month, Wall Street Market administrators stole around $11 million from user accounts, authorities say.

“An ‘exit scam’ was allegedly conducted last month when the WSM administrators took all of the virtual currency held in marketplace escrow and user accounts—believed by investigators to be approximately $11 million—and then diverted the money to their own accounts.

Source: Dark Net’s Wall Street Market Falls to Police

Amazing AI Generates Entire Bodies of People Who Don’t Exist

Posted on by

A new deep learning algorithm can generate high-resolution, photorealistic images of people — faces, hair, outfits, and all — from scratch.

The AI-generated models are the most realistic we’ve encountered, and the tech will soon be licensed out to clothing companies and advertising agencies interested in whipping up photogenic models without paying for lights or a catering budget. At the same time, similar algorithms could be misused to undermine public trust in digital media.

[…]

In a video showing off the tech, the AI morphs and poses model after model as their outfits transform, bomber jackets turning into winter coats and dresses melting into graphic tees.

Specifically, the new algorithm is a Generative Adversarial Network (GAN). That’s the kind of AI typically used to churn out new imitations of something that exists in the real world, whether they be video game levels or images that look like hand-drawn caricatures.

Source: Amazing AI Generates Entire Bodies of People Who Don’t Exist

Security lapse exposed a Chinese smart city surveillance system

Posted on by

Smart cities are designed to make life easier for their residents: better traffic management by clearing routes, making sure the public transport is running on time and having cameras keeping a watchful eye from above.

But what happens when that data leaks? One such database was open for weeks for anyone to look inside.

Security researcher John Wethington found a smart city database accessible from a web browser without a password. He passed details of the database to TechCrunch in an effort to get the data secured.

[…]

he system monitors the residents around at least two small housing communities in eastern Beijing, the largest of which is Liangmaqiao, known as the city’s embassy district. The system is made up of several data collection points, including cameras designed to collect facial recognition data.

The exposed data contains enough information to pinpoint where people went, when and for how long, allowing anyone with access to the data — including police — to build up a picture of a person’s day-to-day life.

A portion of the database containing facial recognition scans (Image: supplied)

The database processed various facial details, such as if a person’s eyes or mouth are open, if they’re wearing sunglasses, or a mask — common during periods of heavy smog — and if a person is smiling or even has a beard.

The database also contained a subject’s approximate age as well as an “attractive” score, according to the database fields.

But the capabilities of the system have a darker side, particularly given the complicated politics of China.

The system also uses its facial recognition systems to detect ethnicities and labels them — such as “汉族” for Han Chinese, the main ethnic group of China — and also “维族” — or Uyghur Muslims, an ethnic minority under persecution by Beijing.

Where ethnicities can help police identify suspects in an area even if they don’t have a name to match, the data can be used for abuse.

The Chinese government has detained more than a million Uyghurs in internment camps in the past year, according to a United Nations human rights committee. It’s part of a massive crackdown by Beijing on the ethnic minority group. Just this week, details emerged of an app used by police to track Uyghur Muslims.

We also found that the customer’s system also pulls in data from the police and uses that information to detect people of interest or criminal suspects, suggesting it may be a government customer.

Facial recognition scans would match against police records in real time (Image: supplied)

Each time a person is detected, the database would trigger a “warning” noting the date, time, location and a corresponding note. Several records seen by TechCrunch include suspects’ names and their national identification card number.

Source: Security lapse exposed a Chinese smart city surveillance system – TechCrunch

Wannacry-slayer Marcus Hutchins pleads guilty to two counts of banking malware creation after being held for 2 years by US. Forced confession, maybe?

Posted on by

Marcus Hutchins, the British security researcher who shot to fame after successfully halting the Wannacry ransomware epidemic, has pleaded guilty to crafting online bank-account-raiding malware.

For nearly two years now, Hutchins, 24, has been under house arrest in the US after being collared at Las Vegas airport by FBI agents acting on a tip-off. The Brit, who was at the time trying to fly back home to Blighty after attending the Black Hat and DEF CON security conferences, was accused of creating and selling the Kronos banking trojan, and denied any wrongdoing.

The US government subsequently piled on charges, and it now appears that the pressure has been too much: on Friday this week, Hutchins accepted a plea deal [PDF], and admitted two charges of malware development.

“I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security,” he said in a statement.

“I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”

Each of the two counts carries a maximum penalty of five years behind bars, a $250,000 fine, and a year of probation. As with most plea deals, he’s likely to get less than that, though he may still spend some time in an American cooler.

While being held in jail after his arrest, Hutchins apparently admitted creating the software nasty. According to the Feds, the Brit at one point told an unnamed associate over a recorded telephone line: “I used to write malware, they picked me up on some old shit,” later adding: “I wrote code for a guy a while back who then incorporated it into a banking malware.”

Now the FBI have their guilty plea, and Hutchins – a professional malware reverse-engineer these days – is facing an uncertain future. But you have to wonder if it was all really worth it for the US authorities. After all, plenty of today’s cyber-security engineers and researchers have toyed with writing malware, even for research purposes. Thus, a stretch behind bars would be a very hard sentence for an offense committed when he was a teen.

Source: Wannacry-slayer Marcus Hutchins pleads guilty to two counts of banking malware creation

Hackers take control of top level domains to perform massive man in the middle attack

Posted on by

The discovery of a new, sophisticated team of hackers spying on dozens of government targets is never good news. But one team of cyberspies has pulled off that scale of espionage with a rare and troubling trick, exploiting a weak link in the internet’s cybersecurity that experts have warned about for years: DNS hijacking, a technique that meddles with the fundamental address book of the internet. Researchers at Cisco’s Talos security division on Wednesday revealed that a hacker group it’s calling Sea Turtle carried out a broad campaign of espionage via DNS hijacking, hitting 40 different organtaizations.

In the process, they went so far as to compromise multiple country-code top-level domains — the suffixes like .co.uk, or .ru, that end a foreign web address — putting all the traffic of every domain in multiple countries at risk. The hackers’ victims include telecoms, internet service providers, and domain registrars responsible for implementing the domain name system. But the majority of the victims and the ultimate targets, Cisco believes, were a collection of mostly governmental organizations including ministries of foreign affairs, intelligence agencies, military targets, and energy-related groups, all based in the Middle East and North Africa. By corrupting the internet’s directory system, hackers were able to silently use “man-in-the-middle” attacks to intercept all internet data from email to web traffic sent to those victim organizations.

[…] Cisco Talos said it couldn’t determine the nationality of the Sea Turtle hackers, and declined to name the specific targets of their spying operations. But it did provide a list of the countries where victims were located: Albania, Armenia, Cypress, Egypt, Iraq, Jordan, Lebanon, Libya, Syria, Turkey, and the United Arab Emirates. Cisco’s Craig Williams confirmed that Armenia’s .am top-level domain was one ‘of the “handful” that were compromised, but wouldn’t say which of the other countries’ top-level domains were similarly hijacked.

https://m.slashdot.org/story/354704

Facebook uploaded the contacts of 1.5m people without permission

Posted on by

On Thursday, at just about the same time as the most highly anticipated government document of the decade was released in Washington D.C., Facebook updated a month-old blog post to note that actually a security incident impacted “millions” of Instagram users and not “tens of thousands” as they said at first.

Last month, Facebook announced that hundreds of millions of Facebook and Facebook Lite account passwords were stored in plaintext in a database exposed to over 20,000 employees.

https://www.theregister.co.uk/2019/04/18/facebook_hoovered_up_15m_address_books_without_permission/

‘Millions’ of Instagram Passwords Were Exposed to Facebook Employees In Plaintext

Posted on by
Reply

On Thursday, at just about the same time as the most highly anticipated government document of the decade was released in Washington D.C., Facebook updated a month-old blog post to note that actually a security incident impacted “millions” of Instagram users and not “tens of thousands” as they said at first.

Last month, Facebook announced that hundreds of millions of Facebook and Facebook Lite account passwords were stored in plaintext in a database exposed to over 20,000 employees.

https://gizmodo.com/facebook-picked-a-great-day-to-reveal-that-it-exposed-m-1834147752

hoping no one would notice…

3D-printed heart made using a human patient’s cells – CNN

Posted on by
The process of printing the heart involved a biopsy of the fatty tissue that surrounds abdominal organs. Researchers separated the cells in the tissue from the rest of the contents, namely the extracellular matrix linking the cells. The cells were reprogrammed to become stem cells with the ability to differentiate into heart cells; the matrix was processed into a personalized hydrogel that served as the printing “ink.”
The cells and hydrogel were first used to create heart patches with blood vessels and, from there, an entire heart.
“At this stage, our 3D heart is small, the size of a rabbit’s heart,” Dvir said. “But larger human hearts require the same technology.”

Source: 3D-printed heart made using a human patient’s cells – CNN

Microsoft admits: Yes, miscreants leafed through some Hotmail, MSN, Outlook inboxes after support rep pwned

Posted on by

Microsoft says miscreants accessed some of its customers’ webmail inboxes and account data after a support rep’s administrative account was hijacked.

The Redmond software giant has sent Hotmail, MSN, and Outlook cloud users notifications that the unnamed customer support rep’s account was compromised by hackers who would have subsequently gained “limited access” to certain parts of some customer email accounts, including the ability to read messages in particular cases.

In the alert, Microsoft warns its punters that, between January 1 and March 28 of this year, the attacker, or attackers, would have had the ability to extract certain information from their inboxes, including the subject names of messages, folder names, contact lists, and user email address. The intrusion was limited to consumer (read: free) Microsoft email accounts.

While the aforementioned leaked notification claims the hackers would not have been able to read the content of messages, Microsoft would later admit – after media reports over the weekend – that the intruders could have accessed the contents of messages belonging to a subset of those impacted by the admin account hijacking.

Source: Microsoft admits: Yes, miscreants leafed through some Hotmail, MSN, Outlook inboxes after support rep pwned • The Register

Wait – support guys can read your emails?!

Internet Explorer exploit is trouble even if you never use the browser

Posted on by

Finally stopped using Internet Explorer? Good! But, now it’s time to completely delete it from your computer, too.

Security researcher John Page has discovered a new security flaw that allows hackers to steal Windows users’ data thanks to Internet Explorer. The craziest part: Windows users don’t ever even have to open the now-obsolete web browser for malicious actors to use the exploit. It just needs to exist on their computer.

“Internet Explorer is vulnerable to XML External Entity attack if a user opens a specially crafted .MHT file locally,” writes Page. “This can allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information.”

Basically, what this means is that hackers are taking advantage of a vulnerability using .MHT files, which is the file format used by Internet Explorer for its web archives. Current web browsers do not use the .MHT format, so when a PC user attempts to access this file Windows opens IE by default.

To initiate the exploit, a user simply needs to open an attachment received by email, messenger, or other file transfer service.

Source: Internet Explorer exploit is trouble even if you never use the browser

Android TV: Everything You Need To Know

Posted on by

Android TV is an operating system designed specifically for SmartTV purposes and is developed by Google. Android TV is basically a smart entertainment platform that comes built into a number of TVs (primarily from Sony, Panasonic, Sharp, etc..) but also in a number of streaming video players like Android TV Boxes and the most popular one, the Nvidia Shield.

To that end, Android TV is considerably similar to iOS or Android. It’s basically an operating system for a TV. It’s capable of supporting various apps, games, and TV shows that you normally navigate with a remote on your TV.

Android TV: Everything You Need To Know