Google promised a year ago to provide more privacy to Gmail users, but The Wall Street Journal reports that hundreds of app makers have access to millions of inboxes belonging to Gmail users.
The outside app companies receive access to messages from Gmail users who signed up for things like price-comparison services or automated travel-itinerary planners, according to The Journal.
Some of these companies train software to scan the email, while others enable their workers to pore over private messages, the report says.
What isn’t clear from The Journal’s story is whether Google is doing anything differently than Microsoft or other rival email services.
A year ago, Google promised to stop scanning the inboxes of Gmail users, but the company has not done much to protect Gmail inboxes obtained by outside software developers, according to the newspaper. Gmail users who signed up for “email-based services” like “shopping price comparisons,” and “automated travel-itinerary planners” are most at risk of having their private messages read, The Journal reported.
Hundreds of app developers electronically “scan” inboxes of the people who signed up for some of these programs, and in some cases, employees do the reading, the paper reported. Google declined to comment.
The revelation comes at a bad time for Google and Gmail, the world’s largest email service, with 1.4 billion users. Top tech companies are under pressure in the United States and Europe to do more to protect user privacy and be more transparent about any parties with access to people’s data. The increased scrutiny follows the Cambridge Analytica scandal, in which a data firm was accused of misusing the personal information of more than 80 million Facebook users in an attempt to sway elections.
It’s not news that Google and many top email providers enable outside developers to access users’ inboxes. In most cases, the people who signed up for the price-comparison deals or other programs agreed to provide access to their inboxes as part of the opt-in process.
Gmail’s opt-in alert spells out generally what a user is agreeing to. Google
In Google’s case, outside developers must pass a vetting process, and as part of that, Google ensures they have an acceptable privacy agreement, The Journal reported, citing a Google representative.
What is unclear is how closely these outside developers adhere to their agreements and whether Google does anything to ensure they do, as well as whether Gmail users are fully aware that individual employees may be reading their emails, as opposed to an automated system, the report says.
Mikael Berner, the CEO of Edison Software, a Gmail developer that offers a mobile app for organizing email, told The Journal that its employees had read emails from hundreds of Gmail users as part of an effort to build a new feature. An executive at another company said employees’ reading of emails had become “common practice.”
Companies that spoke to The Journal confirmed that the practice was specified in their user agreements and said they had implemented strict rules for employees regarding the handling of email.
It’s interesting to note that, judging from The Journal’s story, very little indicates that Google is doing anything different from Microsoft or other top email providers. According to the newspaper, nothing in Microsoft or Yahoo’s policy agreements explicitly allows people to read others’ emails.
Which also shows: no one ever reads the end user agreements. I’m pretty sure no-one got the bit where it said: you are also allowing us to read all your emails when they signed up
Samsung’s Messages app bundled with the South Korean giant’s latest smartphones and tablets may silently send people’s private photos to random contacts, it is claimed.
An unlucky bunch of Sammy phone fans – including owners of Galaxy S9, S9+ and Note 8 gadgets – have complained on Reddit and the official support forums that the application texted their snaps without permission.
One person said the app sent their photo albums to their girlfriend at 2.30am without them knowing – there was no trace of the transfer on the phone, although it showed up in their T-Mobile US account. The pictures, like the recipients, are seemingly picked at random from handheld’s contacts, and the messages do not appear in the application’s sent box. The seemingly misbehaving app is the default messaging tool on Samsung’s Android devices.
“Last night around 2:30am, my phone sent [my girlfriend] my entire photo gallery over text but there was no record of it on my messages app,” complained one confused Galaxy S9+ owner. “However, there was record of it [in my] T-Mobile logs.”
Another S9+ punter chipped in: “Oddly enough, my wife’s phone did that last night, and mine did it the night before. I think it has something to do with the Samsung SMS app being updated from the Galaxy Store. When her phone texted me her gallery, it didn’t show up on her end – and vice versa.”
Security researchers say the Diameter protocol used with today’s 4G (LTE) telephony and data transfer standard is vulnerable to the same types of vulnerabilities as the older SS7 standard used with older telephony standards such as 3G, 2G, and earlier.
Both Diameter and SS7 (Signaling System No. 7) have the same role in a telephony network. Their purpose is to serve as an authentication and authorization system inside a network and between different telephony networks (providers).
SS7 was developed in the 1970s and has been proven insecure for almost two decades [1, 2, 3, 4, 5]. Because of this, starting with the rollout of 4G (LTE) networks, SS7 was replaced with the Diameter protocol, an improved inter and intra-network signaling protocol that’s also slated to be used with the upcoming 5G standard.
The difference between these two is that while SS7 did not use any type of encryption for its authentication procedures, leading to the easy forgery of authentication and authorization messages, Diameter supports TLS/DTLS (for TCP or SCTP, respectively) or IPsec.
4G operators often misconfigure Diameter
But according to research published last month by Positive Technologies detailing Diameter’s use among mobile networks across the globe, the protocol’s features are rarely used.
In practice telecom operators almost never use encryption inside the network, and only occasionally on its boundaries. Moreover, encryption is based on the peer-to-peer principle, not end-to-end. In other words, network security is built on trust between operators and IPX providers.
The incorrect use of Diameter leads to the presence of several vulnerabilities in 4G networks that resemble the ones found in older networks that use SS7, and which Diameter was supposed to prevent.
Researchers say that the Diameter misconfigurations they’ve spotted inside 4G networks are in many cases unique per each network but they usually repeat themselves to have them organized in five classes of attacks: (1) subscriber information disclosure, (2) network information disclosure, (3) subscriber traffic interception, (4) fraud, and (5) denial of service.
1+2) Subscriber and network information disclosure
The first two, subscriber and network information disclosure, allow an attacker to gather operational information about the user’s device, subscriber profile, and information about the mobile network in general.
Such vulnerabilities can reveal the user’s IMSI identifier, device addresses, network configuration, or even his geographical location —helping an attacker track users of interest as they move about.
3) Subscriber traffic interception
The third vulnerability, subscriber traffic interception, is only theoretically possible because both SMS and call transmission often establish channels with previous-generation protocols that do not use the Diameter protocol for authentication.
Nonetheless, Positive Technologies researchers warn that if the attacker is set on SMS and call interception, he can at any time downgrade a Diameter-capable 4G connection to a previous-generation connection and use flaws in SS7 and other protocols to carry out his attack.
For example, SMS interception is possible because most 4G networks send SMS messages via a 3G channel where SS7 is used instead of Diameter for user and network authentication, while phone call channels are handled via VoLTE, a protocol that has been proven insecure and susceptible to such attacks in 2015.
Even if networks handle SMS and phone calls via a pure 4G channel, then the attacker only needs to pose as an inferior network to carry out a MitM attack via an older protocol.
4) Fraud
Attackers can also use Diameter flaws to allow free use of the mobile network for a specific subscriber profile, leading to financial losses for the operator.
There are two types of such attacks, each of which is based on modifying the subscriber profile. The first type involves modifying the billing parameters stored in the subscriber profile and is quite difficult to implement in practice, since it requires knowledge of the operator’s network configuration on the part of the attacker. The values of these parameters are not standardized and depend on the specific operator; they could not be retrieved from a subscriber profile in any of the tested networks. The second type of attack is the use of services beyond restrictions, causing direct financial damage to the operator.
5) Denial of service attacks
Last but not least, Diameter flaws allow denial-of-service attacks that prevent a 4G user from accessing certain 4G features or allow an attacker to limit the speed of certain features, causing problems for a connected device.
Positive Technologies experts warn that the denial-of-service Diameter vulnerabilities “could lead to sudden failure of ATMs, payment terminals, utility meters, car alarms, and video surveillance.”
This is because these types of devices often use 4G SIM card modules to connect to their servers when located in a remote area where classic Internet connections are not possible.
All mobile networks are vulnerable to either SS7 or Diameter flaws
The cyber-security firm says that from all the mobile networks it analyzed in the past years, since it began looking into SS7 and Diameter vulnerabilities, all mobile networks it examined are vulnerable to one or another, or both, leading to unique cases where any mobile networks it inspected ws vulnerable to some sort of network-level hacking.
Positive Technologies warns that with the rise of Internet of Things devices, some of which rely on 4G connections when a WiFi network is not in range, such flaws are the equivalent of having an open door for hackers to target such equipment via the 4G network.
“Such frightening consequences are only the tip of the iceberg,” experts wrote in their latest Diameter report. The company, which is known for providing security testing and monitoring of mobile networks, urges 4G operators to get with the times and invest into the security of their networks.
The “Diameter Vulnerabilities Exposure Report 2018” is available for download here. Positive Technologies previous analyzed the SS7 protocol in 2016 and the Diameter protocol in 2017.
In March 2018, ENISA (European Union Agency for Network and Information Security) published an official advisory about SS7 and Diameter vulnerabilities in modern 4G networks.
China has developed a new portable laser weapon that can zap a target from nearly a kilometre away, according to researchers involved in the project.
The ZKZM-500 laser assault rifle is classified as being “non-lethal” but produces an energy beam that cannot be seen by the naked eye but can pass through windows and cause the “instant carbonisation” of human skin and tissues.
Ten years ago its capabilities would have been the preserve of sci-fi films, but one laser weapons scientist said the new device is able to “burn through clothes in a split second … If the fabric is flammable, the whole person will be set on fire”.
“The pain will be beyond endurance,” according to the researcher who had took part in the development and field testing of a prototype at the Xian Institute of Optics and Precision Mechanics at the Chinese Academy of Sciences in Shaanxi province.
The 15mm calibre weapon weighs three kilos (6.6lb), about the same as an AK-47, and has a range of 800 metres, or half a mile, and could be mounted on cars, boats and planes.
It is now ready for mass production and the first units are likely to be given to anti-terrorism squads in the Chinese Armed Police.
In the event of a hostage situation it could be used to fire through windows at targets and temporarily disable the kidnappers while other units move in to rescue their captives.
It could also be used in covert military operations. The beam is powerful enough to burn through a gas tank and ignite the fuel storage facility in a military airport. If you like researching and owning guns but haven’t get in to it, this might be a bit to heavy to get, you can start with a only bb guns to feel how it is and then get one of this awesome instruments.
Because the laser has been tuned to an invisible frequency, and it produces absolutely no sound, “nobody will know where the attack came from. It will look like an accident,” another researcher said. The scientists requested not to be named due to the sensitivity of the project.
The rifles will be powered by a rechargeable lithium battery pack similar to those found in smartphones. It can fire more than 1,000 “shots”, each lasting no more than two seconds.
The prototype was built by ZKZM Laser, a technology company owned by the institute in Xian. A company representative confirmed that the firm is now seeking a partner that has a weapons production licence or a partner in the security or defence industry to start large-scale production at a cost of 100,000 yuan (US$15,000) a unit.
For the past two days, secure email provider ProtonMail has been fighting off DDoS attacks that have visibly affected the company’s services, causing short but frequent outages at regular intervals.
“The attacks went on for several hours, although the outages were far more brief, usually several minutes at a time with the longest outage on the order of 10 minutes,” a ProtonMail spokesperson said describing the attacks.
The email provider claims to “have traced the attack back to a group that claims to have ties to Russia,” a statement that some news outlets took at face value and ran stories misleading readers into thinking this was some kind of nation-state-planned cyber-attack.
But in reality, the DDoS attacks have no ties to Russia, weren’t even planned to in the first place, and the group behind the attacks denounced being Russian, to begin with.
Small hacker group behind ProtonMail DDoS attacks
Responsible for the attacks is a hacker group named Apophis Squad. In a private conversation with Bleeping Computer today, one of the group’s members detailed yesterday’s chain of events.
The Apophis member says they targeted ProtonMail at random while testing a beta version of a DDoS booter service the group is developing and preparing to launch.
The group didn’t cite any reason outside “testing” for the initial and uncalled for attack on ProtonMail, which they later revealed to have been a 200 Gbps SSDP flood, according to one of their tweets.
“After we sent the first attack, we downed it for 60 seconds,” an Apophis Squad member told us. He said the group didn’t intend to harass ProtonMail all day yesterday or today but decided to do so after ProtonMail’s CTO, Bart Butler, responded to one of their tweets calling the group “clowns.”
This was a questionable response on the part of the ProtonMail CTO, as it set the hackers against his company even more.
“So we then downed them for a few hours,” the Apophis Squad member said. Subsequent attacks included a whopping TCP-SYN flood estimated at 500 Gbps, as claimed by the group…
…and NTP and CLDAP floods, as observed by a security researcher at NASK and confirmed by another Apophis Squad member.
The attacks also continued today when the group launched another DDoS attack consisting of a TCP-SYN flood estimated at between 50 and 70 Gbps…
… and another CHARGEN flood estimated at 2 Gbps.
Radware, the company which was involved in mitigating the attacks on ProtonMail’s infrastructure, could not confirm the 500 Gbps DDoS attack at the time of writing but confirmed the multi-vector assault.
“We can’t confirm attack size as it varied at different points in the attack,” a Radware spokesperson said. “However we can confirm that the attack was high volumetric, multi-vector attack. It included several UDP reflection attacks, multiple TCP bursts, and Syn floods.”
In addition to targeting ProtonMail, the group also targeted Tutanota, for unknown reasons, but these attacks stopped shortly after. Tutanota execs not goading the hackers might have played a role.
Hackers deny Russian connection
The Apophis Squad group is by no means a sophisticated threat. They are your typical 2018 hacker group that hangs out in Discord channels and organizes DDoS attacks for, sometimes, childish reasons.
The group is currently developing a DDoS booter service, which they were advertising prior to yesterday’s attacks on Twitter and on Discord, claiming to be able to launch DDoS attacks using protocols such as NTP, DNS, SSDP, Memcached, LDAP, HTTP, CloudFlare bypass, VSE, ARME, Torshammer, and XML-RPC.
Their Twitter timeline claims the group is based in Russia, and so does their domain, but in a private conversation the group said this wasn’t accurate.
“We aint russian [sic],” the group told us.
“We believe the attackers to be based in the UK,” a Radware spokesperson told Bleeping Computer via email today.
If the ProtonMail DDoS attack later proves to have been of 500 Gbps, it will be one of the biggest DDoS attacks recorded, following similar DDoS attacks of 1.7 Tbps (against a yet to be named US service provider) and 1.3 Tbps (against GitHub).
Almost all Android devices released since 2012 are vulnerable to a new vulnerability named RAMpage, an international team of academics has revealed today.
The vulnerability, tracked as CVE-2018-9442, is a variation of the Rowhammer attack.
Rowhammer is a hardware bug in modern memory cards. A few years back researchers discovered that when someone would send repeated write/read requests to the same row of memory cells, the write/read operations would create an electrical field that would alter data stored on nearby memory.
The first Rowhammer attack on Android devices was named DRammer, and it could modify data on Android devices and root Android smartphones. Today, researchers expanded on that initial work.
According to a research paper published today, a team of eight academics from three universities and two private companies revealed a new Rowhammer-like attack on Android devices named RAMpage.
“RAMpage breaks the most fundamental isolation between user applications and the operating system,” researchers said. “While apps are typically not permitted to read data from other apps, a malicious program can craft a RAMpage exploit to get administrative control and get hold of secrets stored in the device.”
“This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents,” the research team said.
RAMpage may also impact Apple devices, PCs, and VMs
Research into the RAMpage vulnerability is still in its early stages, but the team says the attack can take over Android-based smartphones and tablets.
The researcher team also believes RAMpage may also affect Apple devices, home computers, or even cloud servers.
Nametests.com, the website behind the quizzes, recently fixed a flaw that publicly exposed information of their more than 120 million monthly users — even after they deleted the app. At my request, Facebook donated $8,000 to the Freedom of the Press Foundation as part of their Data Abuse Bounty Program.
[…]
While loading a test, the website would fetch my personal information and display it on the webpage. Here’s where it got my personal information from:
In theory, every website could have requested this data. Note that the data also includes a ‘token’ which gives access to all data the user authorised the application to access, such as photos, posts and friends.
I was shocked to see that this data was publicly available to any third-party that requested it.
In a normal situation, other websites would not be able to access this information. Web browsers have mechanisms in place to prevent that from happening. In this case however, the data was wrapped in something called javascript, which is an exception to this rule.
One of the basic principles of javascript is that it can be shared with other websites. Since NameTests displayed their user’s personal data in javascript file, virtually any website could access it when they would request it.
o verify it would actually be that easy to steal someone’s information, I set up a website that would connect to NameTests and get some information about my visitor. NameTests would also provide a secret key called an access token, which, depending on the permissions granted, could be used to gain access to a visitor’s posts, photos and friends. It would only take one visit to our website to gain access to someone’s personal information for up to two months.
Video proof:
An unauthorised website getting access to my Facebook information
As you can see in the video, NameTests would still reveal your identity even after deleting the app. In order to prevent this from happening, the user would have had to manually delete the cookies on their device, since NameTests.com does not offer a log out functionality.
Starting yesterday, there have been numerous reports of people’s Windows computers being infected with something called “All-Radio 4.27 Portable”. After researching this, it has been determined that seeing this program is a symptom of a much bigger problem on your computer.
All-Radio 4.27 Portable
If your computer is suddenly displaying the above program, then your computer is infected with malware that installs rootkits, miners, information-stealing Trojans, and a program that is using your computer to send send out spam.
Unfortunately, while some security programs are able to remove parts of the infection, the rootkit component needs manual removal help at this time. Due to this and the amount of malware installed, if you are infected I suggest that you reinstall Windows from scratch if possible.
Furthermore, some of the VirusTotal scans associated with this infection have indicated that an information stealing Trojan could have been installed as well. Therefore, it is strongly suggested that you change your passwords using a clean machine if you had logged into any accounts while infected.
Adidas AG ADDYY 2.03% said Thursday that a “few million” customers shopping on its U.S. website may have had their data exposed to an unauthorized party.
Neither the specific number of users affected nor the time frame of the potential breach were immediately disclosed, but the German sportswear maker said it became aware of the issue on Tuesday and has begun a forensic review.
Adidas said they are alerting “certain customers who purchased on adidas.com/US” and that, according to the company’s preliminary examination, data affected include contact information, usernames and encrypted passwords.
“Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted,” the company said.
Once aboard, CIMON—short for Crew Interactive MObile companioN—will assist the crew with its many activities. The point of this pilot project is to see if an artificially intelligent bot can improve crew efficiency and morale during longer missions, including a possible mission to Mars. What’s more, activities and tasks performed by ISS crew members are starting to get more complicated, so an AI could help. CIMON doesn’t have any arms or legs, so it can’t assist with any physical tasks, but it features a language user interface, allowing crew members to verbally communicate with it. The bot can display repair instructions on its screen, and even search for objects in the ISS. With a reduced workload, astronauts will hopefully experience less stress and have more time to relax.
CIMON with its development team prior to launch.
Image: DLR
CIMON was built by Airbus under a contract awarded by the German Aerospace Center (DLR). It has 12 internal fans, which allows the bot to move in all directions as it floats in microgravity. CIMON can move freely, and perform rotational movements such as shaking its head back-and-forth in disapproval. CIMON’s AI language and comprehension system is derived from IBM’s Watson Technology, and it responds to commands in English. CIMON cost less than $6 million to build, and less than two years to develop.
The pilot project will be led by DLR astronaut Alexander Gerst, who arrived on the ISS about a month ago. CIMON is already familiar with Gerst’s face and voice, so the bot will work best with him, at least initially. The German astronaut will use CIMON to see if the bot will increase his efficiency and effectiveness as he works on various experiments.
Indeed, with CIMON floating nearby, the ISS astronauts could easily call upon the bot for assistance, which they can do by calling out its name. They can request that CIMON display documents and media in their field of view, or record and playback experiments with its onboard camera. In general, the bot should speed up tasks on the ISS that require hands-on work.
The round robot features no sharp edges, so it poses no threat to equipment or crew. Should it start to go squirrely and use it’s best HAL-9000 imitation to say something like, “I’m sorry, Alexander, I’m afraid I can’t do that,” the bot is equipped with a kill switch. But hopefully it won’t come to that; unlike HAL, CIMON has been programmed with an ISTJ personality, meaning “introverted, sensing, thinking, and judging.” Its developers chose a face to make it more personable and relatable, and it can even sense the tone of the crew’s conversation. CIMON smiles when the mood is upbeat, and frowns or cries when things are sad. It supposedly behaves like R2D2, and can even quote famous sci-fi movies like E.T. the Extra-Terrestrial.
We have a project running in production on Google Cloud (GCP) that is used to monitor hundreds of wind turbines and scores of solar plants scattered across 8 countries. We have control centers with wall-to-wall screens with dashboards full of metrics that are monitored 24/7. Asset Managers use this system to monitor the health of individual wind turbines and solar strings in real time and take immediate corrective maintenance. Development and Forecasting teams use the system to run algorithms on data in BigQuery. All these actions translate directly to revenue. We deal in a ‘wind/solar energy’ — a perishable commodity. If we over produce, we cannot store and sell later. If we under produce, there are penalties to be paid. For this reason assets need to be monitored 24/7 to keep up/down with the needs of the power grid and the power purchase agreements made.
What happened.
Early today morning (28 June 2018) i receive an alert from Uptime Robot telling me my entire site is down. I receive a barrage of emails from Google saying there is some ‘potential suspicious activity’ and all my systems have been turned off. EVERYTHING IS OFF. THE MACHINE HAS PULLED THE PLUG WITH NO WARNING.
[…]
Customer service chat is off. There’s no phone to call. I have an email asking me to fill in a form and upload a picture of the credit card and a government issued photo id of the card holder. Great, let’s wake up the CFO who happens to be the card holder.
We will delete project within 3 business days.
“We will delete your project unless the billing owner corrects the violation by filling out the Account Verification Form within three business days. This form verifies your identity and ownership of the payment instrument. Failure to provide the requested documents may result in permanent account closure.”
What if the card holder is on leave and is unreachable for three days? We would have lost everything — years of work — millions of dollars in lost revenue.
I fill in the form with the details and thankfully within 20 minutes all the services started coming alive. The first time this happened, we were down for a few hours. In all we lost everything for about an hour. An automated email arrives apologizing for ‘inconvenience’ caused. Unfortunately The Machine has no understanding of the ‘quantum of inconvenience’ caused.
[…]
This is the first project we built entirely on the Google Cloud. All our previous works were built on AWS. In our experience AWS handles billing issues in a much more humane way. They warn you about suspicious activity and give you time to explain and sort things out. They don’t kick you down the stairs.
I hope GCP team is listening and changes things for better. Until then i’m never building any project on GCP.
With the UK at the forefront as the framework nation, the JEF can now deploy over 10,000 personnel from across the nine nations.
Speaking at the event at Lancaster House today Defence Secretary Gavin Williamson said:
Our commitment today sends a clear message to our allies and adversaries alike – our nations will stand together to meet new and conventional challenges and keep our countries and our citizens safe and secure in an uncertain world.
We are judged by the company we keep, and while the Kremlin seeks to drive a wedge between allies old and new alike, we stand with the international community united in support of international rules.
Launched in 2015, the joint force has continued to develop so that it’s able to respond rapidly, anywhere in the world, to meet global challenges and threats ranging from humanitarian assistance to conducting high intensity combat operations.
The JEF, made up of nine northern European allies Denmark, Estonia, Finland, Latvia, Lithuania, The Netherlands, Norway and Sweden, is more than a simple grouping of military capabilities. It represents the unbreakable partnership between UK and our like-minded northern European allies, born from shared operational experiences and an understanding of the threats and challenges we face today.
In May this year, the JEF demonstrated it readiness with a live capability demonstration on Salisbury Plain. It featured troops from the nine JEF nations, including troops from the UK Parachute Regiment, the Danish Jutland Dragoon Regiment, the Lithuanian “Iron Wolf” Brigade and the Latvian Mechanised Infantry Brigade, which conducted urban combat operations with air support provided by Apaches, Chinooks, Wildcats and Tornados.
This is not a standing force, but one where each time it is deployed is created by the countries deciding whether to (or not) add earmarked forces to the structure.
The search giant said Wednesday it’s beginning public testing of the software, which debuted in May and which is designed to make calls to businesses and book appointments. Duplex instantly raised questions over the ethics and privacy implications of using an AI assistant to hold lifelike conversations for you.
Google says its plan is to start its public trial with a small group of “trusted testers” and businesses that have opted into receiving calls from Duplex. Over the “coming weeks,” the software will only call businesses to confirm business and holiday hours, such as open and close times for the Fourth of July. People will be able to start booking reservations at restaurants and hair salons starting “later this summer.”
Using data collected by NASA’s late-great Cassini space probe, scientists have detected traces of complex organic molecules seeping out from Enceladus’ ice-covered ocean. It’s yet another sign that this intriguing Saturnian moon has what it takes to sustain life.
If life exists elsewhere in our Solar System, chances are it’s on Enceladus. The moon features a vast, warm subterranean ocean, one sandwiched between an icy crust and a rocky core. Previous research shows this ocean contains simple organic molecules, minerals, and molecular hydrogen—an important source of chemical energy. On Earth, hydrothermal processes near volcanic vents are known to sustain complex ecosystems, raising hopes that something similar is happening on Enceladus.
New research published today in Nature suggests Enceladus’ ocean also contains complex organic molecules—yet another sign that this moon contains the basic conditions and chemical ingredients to support life. Now, this isn’t proof that life exists on this icy moon, but it does show that Enceladus’ warm, soupy ocean is capable of producing complex and dynamic molecules, and the kinds of chemical reactions required to produce and sustain microbial life.
Google’s entire Home infrastructure has suffered a serious outage, with millions of customers on Wednesday morning complaining that their smart devices have stopped working.
At the time of writing, the cloud-connected gadgets are still hosed, the service is still down, and the system appears to have been knackered for at least the past 10 hours. The clobbbered gizmos can’t respond to voice commands, can’t control other stuff in your home, and so on.
Chromecasts can’t stream video, and Home speakers respond to commands with: “Sorry, something went wrong. Try again in a few seconds.”
Users in Google’s home state of California started complaining that their Google Home, Mini, and Chromecast devices were not working properly around midnight Pacific Time on Tuesday, and the issue cropped up in every country in which the Google Home devices are sold.
But it was only when the United States started waking up on Wednesday morning – the US has the vast majority of Google Home devices – that the reports started flooding in, pointing to an outage of the entire system.
Google has confirmed the devices are knackered, but has so far provided no other information, saying only that it is investigating the issue.
[…]
Updated to add
Google has issued the following statement:
We’re aware of an issue affecting some Google Home and Chromecast users. Some users are back online and we are working on a broader fix for all affected users. We will continue to keep our customers updated.
The web giant then followed up with more details – try rebooting to pick up a software fix, or wait up to six hours to get the update:
We’ve identified a fix for the issue impacting Google Home and Chromecast users and it will be automatically rolled out over the next 6 hours. If you would like an immediate fix please follow the directions to reboot your device. If you’re still experiencing an issue after rebooting, contact us at Google Home Support. We are really sorry for the inconvenience and are taking steps to prevent this issue from happening in the future.
You may have seen the ads that Facebook has been running on TV in a full-court press to apologize for abusing users privacy. They’re embarrassing. And, it turns out, they may be a sign of things to come. Based on a recently published patent application, Facebook could one day use ads on television to further violate your privacy once you’ve forgotten about all those other times.
First spotted by Metro, the patent is titled “broadcast content view analysis based on ambient audio recording.” (PDF) It describes a system in which an “ambient audio fingerprint or signature” that’s inaudible to the human ear could be embedded in broadcast content like a TV ad. When a hypothetical user is watching this ad, the audio fingerprint could trigger their smartphone or another device to turn on its microphone, begin recording audio and transmit data about it to Facebook.
Diagram of soundwave containing signal, triggering device, and recording ambient audio.
Everything in the patent is written in legalese and is a bit vague about what happens to the audio data. One example scenario imagines that various ambient audio would be eliminated and the content playing on the broadcast would be identified. Data would be collected about the user’s proximity to the audio. Then, the identifying information, time, and identity of the Facebook user would be sent to the social media company for further processing.
In addition to all the data users voluntarily give up, and the incidental data it collects through techniques like browser fingerprinting, Facebook would use this audio information to figure out which ads are most effective. For example, if a user walked away from the TV or changed the channel as soon as the ad began to play, it might consider the ad ineffective or on a subject the user doesn’t find interesting. If the user stays where they are and the audio is loud and clear, Facebook could compare that seeming effective ad with your other data to make better suggestions for its advertising clients.
An example of a broadcasting device communicating with the network and identifying various users in a household.
Five consumer privacy groups have asked the European Data Protection Board to investigate how Facebook, Google, and Microsoft design their software to see whether it complies with the General Data Protection Regulation (GDPR).
Essentially, the tech giants are accused of crafting their user interfaces so that netizens are fooled into clicking away their privacy, and handing over their personal information.
In a letter sent today to chairwoman Andrea Jelinek, the BEUC (Bureau Européen des Unions de Consommateurs), the Norwegian Consumer Council (Forbrukerrådet), Consumers International, Privacy International and ANEC (just too damn long to spell out) contend that the three tech giants “employed numerous tricks and tactics to nudge or push consumers toward giving consent to sharing as much data for as many purposes as possible.”
The letter coincides with the publication a Forbrukerrådet report, “Deceived By Design,” that claims “tech companies use dark patterns to discourage us from exercising our rights to privacy.”
Dark patterns here refers to app interface design choices that attempt to influence users to do things they may not want to do because they benefit the software maker.
The report faults Google, Facebook and, to a lesser degree, Microsoft for employing default settings that dispense with privacy. It also says they use misleading language, give users an illusion of control, conceal pro-privacy choices, offer take-it-or-leave it choices and use design patterns that make it more laborious to choose privacy.
It argues that dark patterns deprive users of control, a central requirement under GDPR.
As an example of linguistic deception, the report cites Facebook text that seeks permission to use facial recognition on images:
If you keep face recognition turned off, we won’t be able to use this technology if a stranger uses your photo to impersonate you. If someone uses a screen reader, they won’t be told when you’re in a photo unless you’re tagged.
The way this is worded, the report says, pushes Facebook users to accept facial recognition by suggesting there’s a risk of impersonation if they refuse. And it implies there’s something unethical about depriving those forced to use screen readers of image descriptions, a practice known as “confirmshaming.”
Ticketmaster on Wednesday disclosed a data breach reportedly caused by malware infecting a customer support system outsourced to an external company.
In a statement, Ticketmaster said some of its customer data may have been accessed by an unknown intruder. Email notifications were sent to customers who purchased tickets between February and June 23, 2018, the company said
Names, addresses, email addresses, telephone numbers, and payment card details may have been compromised.
A little-known, Florida-based marketing firm called Exactis may be responsible for a significant amount of personal data being exposed. According to a report from Wired, the firm left 340 million individual records on a publicly accessible server that any person could have gotten ahold of.
The leak was discovered earlier this month by security researcher Vinny Troia, founder of the New York-based security firm Night Lion Security. He reported his find to the FBI and Exactis earlier this week, and while the company has since protected the data, it’s unclear just how long it sat exposed.
So just how bad is the leak? It’s pretty bad! The data stored on the server amounts to about two terabytes worth of personal information.
Troia told Wired the database from Exactis appears to have data from “pretty much every US citizen” in it, with approximately 230 million records on American adults and 110 million records on US business contacts. That falls in line with Exactis’ own claim on its website that it has data on 218 million individuals. If the leak is truly as big as estimated, it would make for one of the largest exposures of personal information in recent memory.
Those records contain a variety of data points, including phone numbers, home addresses, and email addresses connected to an individual’s name. It also included more than 400 characteristics about a person, ranging from if the person is a smoker or not, their religion, if they own any pets, if they have kids, their age, gender, etc. It also included interests like scuba diving and plus-sized apparel, per Wired.
Notably, financial information and Social Security numbers were not discovered in the database. (Don’t worry, all that information was likely already exposed by Equifax last year.) That doesn’t mean the information doesn’t have value, though. Were this data to have been accessed by a malicious actor, they could easily pair it with previous breaches to create an even more complete profile of an individual or use it to carry out social engineering attacks.
There are plenty of troubling things about the Exactis leak, not the least of which is the sheer breadth of information exposed. First, there’s the question of just where this small marketing firm based in Palm Coast, Florida got its hands on the personal interests and contact information of hundreds of millions of Americans.
Troia said he didn’t know where the data was coming from exactly, but called it “one of the most comprehensive collections” he’s ever seen. Marc Rotenberg, executive director of the nonprofit Electronic Privacy Information Center, theorized to Wired that the information may have come from a variety of sources including magazine subscriptions, credit card transaction data, and credit reports.
Then there’s the fact that no one has any idea if this massive database was accessed by anyone prior to Troia. Only Exactis would have any idea how long the server has sat unprotected, and could potentially see who accessed it. The company has not yet publicly responded to the leak and did not respond to request for comment.
Odds are, someone—a hacker or just a random person—likely stumbled across the server before Troia. The security researcher found the database while using the search tool Shodan, which allows just about anyone to scan publicly accessible, internet connected devices. Anyone with access to the same tools could have just as easily discovered the same server Troia found.
These types of leaks, where a server containing sensitive information is left unsecured, happen with surprising regularity. A conservative data firm accidentally leaked information on more than 200 million Americans last year. 12,000 social media influencers had their information exposed in a similar mishap, as did US military veterans and government contractors. All of this goes to show that companies in the business of collecting data aren’t in the business of protecting it.
Virtual Private Networks, a.k.a. VPN, are very handy to make your internet traffic to appear from a different location than you are.
All your traffic is tunneled to an exit point of your choosing, for example a data center in New York City. To Google Photos service you then seem to be located in New York City, USA.
One such easy to use VPN service for android is Tunnelbear but there are many others. Tunnelbear offers 500 MB of free traffic and you don’t need much more than 20MB to get this set-up.
It worked, I got face/people search in my Goole Photos android app and this is how I did it:
In summary you want to delete the Google Photos application data and re-start the application while being connected to the VPN. This will trick Google Photos into believing you are located in US and the feature will be switched on.
Once the feature is switched on you don’t have to re-connect to the VPN; the feature will remain on!
Detailed instructions: delete the data from Google Photos, turn on airplane mode, turn off location services, connect via Tunnelbear, start up Google photos, go through the introductory 4 steps, go into settings and turn on “Group Similar Faces”. Success, you now have your photos organised by many, many different people present in them.
The face categorisation appeared as soon as I connected via VPN. There was no initial time for google to build up a face database for my photos.
This really seems to suggest that all photos added to Google Photos are categorised by face. The search feature is just hidden in certain geographical locations to comply with local laws.
Is this really in the spirit of the law or just cheat? You decide!
Since late 2013, this band of cybercriminals has penetrated the digital inner sanctums of more than 100 banks in 40 nations, including Germany, Russia, Ukraine, and the U.S., and stolen about $1.2 billion, according to Europol, the European Union’s law enforcement agency. The string of thefts, collectively dubbed Carbanak—a mashup of a hacking program and the word “bank”—is believed to be the biggest digital bank heist ever.
[…]
Besides forcing ATMs to cough up money, the thieves inflated account balances and shuttled millions of dollars around the globe. Deploying the same espionage methods used by intelligence agencies, they appropriated the identities of network administrators and executives and plumbed files for sensitive information about security and account management practices.
[…]
For years police and banking-industry sleuths doubted they’d ever catch the phantoms behind Carbanak. Then, in March, the Spanish National Police arrested Ukrainian citizen Denis Katana in the Mediterranean port city of Alicante. The authorities have held him since then on suspicion of being the brains of the operation. Katana’s lawyer, Jose Esteve Villaescusa, declined to comment, and his client’s alleged confederates couldn’t be reached for comment. While Katana hasn’t been charged with a crime, Spanish detectives say financial information, emails, and other data trails show he was the architect of a conspiracy that spanned three continents. And there are signs that the Carbanak gang is far from finished.
[…]
The attackers cased their targets for months, says Kaspersky. The Carbanak crew was looking for executives with the authority to direct the flow of money between accounts, to other lenders, and to ATMs. They were also studying when and how the bank moved money around. The thieves didn’t want to do anything that would catch the eyes of security. State-backed spies use this type of reconnaissance in what’s known as an advanced persistent threat. “In those instances, the attacks are designed to steal data, not get their hands on money,” Emm says. When the time was right, the thieves used the verification codes of bank officers to create legit-looking transactions.
By the fall of 2014, the authorities realized they were dealing with something new. That October, Keith Gross, chair of the cybersecurity group for a European bank lobby, called a crash meeting with experts from Citigroup, Deutsche Bank, and other major European lenders. In a meeting room at Europol’s fortress-like headquarters in The Hague, Kaspersky researchers briefed the bank officials on what they’d found in Ukraine. “I’ve never seen anything like this before,” Troels Oerting, then the head of Europol’s Cybercrime Centre, told the group. “It’s a well-orchestrated malware attack, it’s very sophisticated, and it’s global.”
So Europol went global, too, enlisting help from law enforcement agencies in Belarus, Moldova, Romania, Spain, Taiwan, the U.S., as well as bank industry representatives. It set up a secure online clearinghouse where investigators could cross-check data and find links between the thefts, says Fernando Ruiz, head of operations in Europol’s cybercrime unit. At the heart of its operation was a lab where technicians dissected the two dozen samples of malware identified in the Carbanak thefts. By isolating unique characteristics in the code, detectives could trace where the programs came from and maybe who was using them. The work led them toward Denis Katana’s apartment in Alicante, a four-hour drive southeast of Madrid. “This is what the Spanish police used to open their investigation,” Ruiz says.
[…]
Yet experts point out that even if Katana was the mastermind, he was just one guy in a crime that surely must have had many authors. Unlike the bank jobs of yore, digital heists are amoeba-like ventures that divide over and over again as the malware proliferates. “We’ve already seen the modification of Carbanak and multiple groups using it,” says Kimberly Goody, an analyst at security software maker FireEye Inc. “Same case with Cobalt.”
In recent weeks, employees at banks in the Russian-speaking world have been receiving emails that appear to be from Kaspersky, the security company that unearthed Carbanak. The messages warn recipients that their PCs have been flagged for possibly violating the law and they should download a complaint letter or face penalties. When they click on the attachment, a version of the Cobalt malware infects their networks. It turns out cyberheists may not die even when their suspected perpetrators are nabbed.
Mumbai has the become the largest Indian city to ban single-use plastics, with residents caught using plastic bags, cups or bottles to face penalties of up to 25,000 rupees (£276) and three months in jail from Monday.
Council inspectors in navy blue jackets have been posted across the city to catch businesses or residents still using plastic bags. Penalties have already kicked in for businesses and several, reportedly including a McDonald’s and Starbucks, have already been fined.
Penalties range from 5,000 rupees for first-time offenders to 25,000 rupees and the threat of three months’ jail for those caught repeatedly using single-use plastics.
“For the pollution situation it’s fine to do this but for the people it is a big problem,” said Kamlash Mohan Chaudhary, a Mumbai resident. “People here carry everything in plastic bags.”
Chaudhary, a taxi driver, said he had started carrying a cloth bag and that his local mutton vendor had begun wrapping the meat in newspaper rather than plastic sheets.
Local media have reported complaints from vendors who say some inspectors are using confusion over the ban to extort money from businesses.
India recently hosted World Environment Day, which this year focused on the epidemic of plastic waste. About 6.3bn tonnes of plastic globally has been discarded into the environment since 1950, most of which will not break down for at least 450 years.
Half of the world’s plastic was created in the past 13 years and about half of that is thought to be for products used once and thrown away, such as bags, cups or straws.
India’s use of plastic is less than half of the global average: about 11kg a year per capita compared with 109kg in the US.
It took nearly a century of trial and error for human scientists to organize the periodic table of elements, arguably one of the greatest scientific achievements in chemistry, into its current form.
A new artificial intelligence (AI) program developed by Stanford physicists accomplished the same feat in just a few hours.
Called Atom2Vec, the program successfully learned to distinguish between different atoms after analyzing a list of chemical compound names from an online database. The unsupervised AI then used concepts borrowed from the field of natural language processing – in particular, the idea that the properties of words can be understood by looking at other words surrounding them – to cluster the elements according to their chemical properties.
“We wanted to know whether an AI can be smart enough to discover the periodic table on its own, and our team showed that it can,” said study leader Shou-Cheng Zhang, the J. G. Jackson and C. J. Wood Professor of Physics at Stanford’s School of Humanities and Sciences.
The bots learn from self-play, meaning two bots playing each other and learning from each side’s successes and failures. By using a huge stack of 256 graphics processing units (GPUs) with 128,000 processing cores, the researchers were able to speed up the AI’s gameplay so that they learned from the equivalent of 180 years of gameplay for every day it trained. One version of the bots were trained for four weeks, meaning they played more than 5,000 years of the game.
[…]
In a match, the OpenAI team initially gives each bot a mandate to do as well as it can on its own, meaning that the bots learned to act selfishly and steal kills from each other. But by turning up a simple metric, a weighted average of the team’s success, the bots soon begin to work together and execute team attacks quicker than humanly possible. The metric was dubbed by OpenAI as “team spirit.”
“They start caring more about team fighting, and saving one another, and working together in these skirmishes in order to make larger advances towards the group goal,” says Brooke Chan, an engineer at OpenAI.
Right now, the bots are restricted to playing certain characters, can’t use certain items like wards that allow players to see more of the map or anything that grants invisibility, or summon other units to help them fight with spells. OpenAI hopes to lift those restrictions by the competition in August.
One such easy to use VPN service for android is 
