About Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft

Biden executive order aims to stop a few countries from buying Americans’ personal data – a watered down EU GDPR

[…]

President Joe Biden will issue an executive order that aims to limit the mass-sale of Americans’ personal data to “countries of concern,” including Russia and China. The order specifically targets the bulk sale of geolocation, genomic, financial, biometric, health and other personally identifying information.

During a briefing with reporters, a senior administration official said that the sale of such data to these countries poses a national security risk. “Our current policies and laws leave open access to vast amounts of American sensitive personal data,” the official said. “Buying data through data brokers is currently legal in the United States, and that reflects a gap in our national security toolkit that we are working to fill with this program.”

Researchers and privacy advocates have long warned about the national security risks posed by the largely unregulated multibillion-dollar data broker industry. Last fall, researchers at Duke University reported that they were able to easily buy troves of personal and health data about US military personnel while posing as foreign agents.

Biden’s executive order attempts to address such scenarios. It bars data brokers and other companies from selling large troves of Americans’ personal information to countries or entities in Russia, China, Iran, North Korea, Cuba and Venezuela either directly or indirectly.

[…]

As the White House points out, there are currently few regulations for the multibillion-dollar data broker industry. The order will do nothing to slow the bulk sale of Americans’ data to countries or companies not deemed to be a security risk. “President Biden continues to urge Congress to do its part and pass comprehensive bipartisan privacy legislation, especially to protect the safety of our children,” a White House statement says.

Source: Biden executive order aims to stop Russia and China from buying Americans’ personal data

Too little, not enough, way way way too late.

AI outperforms humans in standardized tests of creative potential

[…]

Divergent thinking is characterized by the ability to generate a unique solution to a question that does not have one expected solution, such as “What is the best way to avoid talking about politics with my parents?” In the study, GPT-4 provided more original and elaborate answers than the human participants.

[…]

The three tests utilized were the Alternative Use Task, which asks participants to come up with creative uses for everyday objects like a rope or a fork; the Consequences Task, which invites participants to imagine possible outcomes of hypothetical situations, like “what if humans no longer needed sleep?”; and the Divergent Associations Task, which asks participants to generate 10 nouns that are as semantically distant as possible. For instance, there is not much semantic distance between “dog” and “cat” while there is a great deal between words like “cat” and “ontology.”

Answers were evaluated for the number of responses, length of response and semantic difference between words. Ultimately, the authors found that “Overall, GPT-4 was more original and elaborate than humans on each of the divergent thinking tasks, even when controlling for fluency of responses. In other words, GPT-4 demonstrated higher creative potential across an entire battery of divergent thinking tasks.”

This finding does come with some caveats. The authors state, “It is important to note that the measures used in this study are all measures of creative potential, but the involvement in creative activities or achievements are another aspect of measuring a person’s creativity.” The purpose of the study was to examine human-level creative potential, not necessarily people who may have established creative credentials.

Hubert and Awa further note that “AI, unlike humans, does not have agency” and is “dependent on the assistance of a human user. Therefore, the creative potential of AI is in a constant state of stagnation unless prompted.”

Also, the researchers did not evaluate the appropriateness of GPT-4 responses. So while the AI may have provided more responses and more original responses, human participants may have felt they were constrained by their responses needing to be grounded in the real world.

[…]

Whether the tests are perfect measures of human creative potential is not really the point. The point is that large language models are rapidly progressing and outperforming humans in ways they have not before. Whether they are a threat to replace human creativity remains to be seen. For now, the authors write: “Moving forward, future possibilities of AI acting as a tool of inspiration, as an aid in a person’s creative process or to overcome fixedness is promising.”

Source: AI outperforms humans in standardized tests of creative potential | ScienceDaily

Investigators seek push notification metadata in 130 cases – this is scarier than you think

More than 130 petitions seeking access to push notification metadata have been filed in US courts, according to a Washington Post investigation – a finding that underscores the lack of privacy protection available to users of mobile devices.

The poor state of mobile device privacy has provided US state and federal investigators with valuable information in criminal investigations involving suspected terrorism, child sexual abuse, drugs, and fraud – even when suspects have tried to hide their communications using encrypted messaging.

But it also means that prosecutors in states that outlaw abortion could demand such information to geolocate women at reproductive healthcare facilities. Foreign governments may also demand push notification metadata from Apple, Google, third-party push services, or app developers for their own criminal investigations or political persecutions. Concern has already surfaced that they may have done so for several years.

In December 2023, US senator Ron Wyden (D-OR) sent a letter to the Justice Department about a tip received by his office in 2022 indicating that foreign government agencies were demanding smartphone push notification records from Google and Apple.

[…]

Apple and Google operate push notification services that relay communication from third-party servers to specific applications on iOS and Android phones. App developers can encrypt these messages when they’re stored (in transit they’re protected by TLS) but the associated metadata – the app receiving the notification, the time stamp, and network details – is not encrypted.

[…]

Push notification metadata is extremely valuable to marketing organizations, to app distributors like Apple and Google, and also to government organizations and law enforcement agencies.

“In 2022, one of the largest push notification companies in the world, Pushwoosh, was found to secretly be a Russian company that deceived both the CDC and US Army into installing their technology into specific government apps,” said Edwards.

“These types of scandals are the tip of the iceberg for how push notifications can be abused, and why countless serious organizations focus on them as a source of intelligence,” he explained.

“If you sign up for push notifications, and travel around to unique locations, as the messages hit your device, specific details about your device, IP address, and location are shared with app stores like Apple and Google,” Edwards added. “And the push notification companies who support these services typically have additional details about users, including email addresses and user IDs.”

Edwards continued that other identifiers may further deprive people of privacy, noting that advertising identifiers can be connected to push notification identifiers. He pointed to Pushwoosh as an example of a firm that built its push notification ID using the iOS advertising ID.

“The simplest way to think about push notifications,” he said, is “they are just like little pre-scheduled messages from marketing vendors, sent via mobile apps. The data that is required to ‘turn on any push notification service’ is quite invasive and can unexpectedly reveal/track your location/store your movement with a third-party marketing company or one of the app stores, which is merely a court order or subpoena away from potentially exposing those personal details.”

Source: Investigators seek push notification metadata in 130 cases • The Register

Also see: Governments, Apple, Google spying on users through push notifications – they all go through Apple and Google servers (unencrypted?)!
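The relay architecture the excerpt describes (app server, Apple/Google relay, device), as an added example that is not code from The Register, Apple or Google: the app server encrypts the notification body under a per-device key before handing it to the relay, the device authenticates and decrypts it, and `relay_view` lists what the relay can still log without the key. The field names, the HMAC-in-counter-mode cipher (a standard-library stand-in for AES-GCM or NaCl secretbox), and the sample token, bundle id and client IP are all constructed for this example; the real APNs and FCM wire formats differ.

```python
"""Encrypted push envelope vs. the metadata the relay still sees (added example)."""
import hashlib
import hmac
import os
import time


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one shared app/device key.
    enc_key = hmac.new(key, b"push-enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"push-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream: a stdlib stand-in for
    # AES-GCM / NaCl secretbox. A nonce must never be reused under one key.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_payload(key: bytes, plaintext: bytes, nonce: bytes = None) -> dict:
    """App-server side: encrypt-then-MAC the notification body under a per-device key."""
    enc_key, mac_key = _subkeys(key)
    nonce = nonce if nonce is not None else os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_payload(key: bytes, env: dict) -> bytes:
    """Device side (e.g. a notification extension): verify the tag before decrypting."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = (bytes.fromhex(env[f]) for f in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("push payload failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def build_push(key: bytes, device_token: str, bundle_id: str,
               plaintext: bytes, sent_at: int = None) -> dict:
    """What the app server hands to the relay: routing fields in the clear, body encrypted.
    Field names are hypothetical, not the APNs/FCM wire format."""
    return {
        "device_token": device_token,
        "bundle_id": bundle_id,
        "sent_at": sent_at if sent_at is not None else int(time.time()),
        "payload": encrypt_payload(key, plaintext),
    }


def relay_view(push: dict, client_ip: str) -> dict:
    """Everything the relay can log (and hand over on a court order) without the key."""
    return {
        "device_token": push["device_token"],
        "bundle_id": push["bundle_id"],               # which app, hence which service
        "sent_at": push["sent_at"],                   # when
        "client_ip": client_ip,                       # seen when the device fetches it
        "payload_bytes": len(push["payload"]["ct"]) // 2,  # ciphertext length leaks too
    }


if __name__ == "__main__":
    key = os.urandom(32)  # in practice: provisioned per device at app registration
    push = build_push(key, "1a2b3c", "com.example.messenger", b"hi from alice")
    print("relay sees:", relay_view(push, "203.0.113.7"))
    print("device reads:", decrypt_payload(key, push["payload"]))
```

The excerpt's point survives end-to-end payload encryption: the device token, the receiving app, the timestamp, the ciphertext length and the IP the device fetched from are still plaintext to the relay, which is exactly what a subpoena to Apple or Google yields. Encrypting the body protects content, not the pattern of who received what, when, and from where.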

Apple reverses hissy fit decision to remove Home Screen web apps in EU


Apple has reversed its decision to limit the functionality of Home Screen web apps in Europe following an outcry from the developer community and the prospect of further investigation.

“We have received requests to continue to offer support for Home Screen web apps in iOS, therefore we will continue to offer the existing Home Screen web apps capability in the EU,” the iPhone giant said in an update to its developer documentation on Friday.

“This support means Home Screen web apps continue to be built directly on WebKit and its security architecture, and align with the security and privacy model for native apps on iOS.”

Apple said Home Screen web app support would return with the general availability of iOS 17.4, presently in beta testing and due in the next few days.

[…]

In January, Apple said it would make several changes to its iOS operating system to comply with the law. These include: Allowing third-party app stores; making its NFC hardware accessible to third-party developers for contactless payment applications; and supporting third-party browser engines as alternatives to Safari’s WebKit.

Last month, with the second beta release of iOS 17.4, it became clear Apple would impose a cost for its concessions. The iCloud goliath said, “to comply with the DMA’s requirements, we had to remove the Home Screen web apps feature in the EU.”

Essentially, Apple has to support third-party browser engines in the EU, the biz didn’t want PWAs to use those non-WebKit engines, and so it chose to just banish the web apps from its Home Screen. Now it’s changed its mind and allowed the apps to stay albeit using WebKit.

For those not in the know: The Home Screen web apps feature refers to one of the capabilities afforded to Progressive Web Apps that makes them perform and appear more like native iOS apps. It allows web apps or websites to be opened from an iOS device and take over the whole screen, just like a native app, instead of loading within a browser window.

[…]

Apple’s demotion of Home Screen web apps broke settings integration, browser storage, push notifications, icon badging, share-to-PWA, app shortcuts, and device APIs.

“Cupertino’s attempt to scuttle PWAs under cover of chaos is exactly what it appears to be: a shocking attempt to keep the web from ever emerging as a true threat to the App Store and blame regulators for Apple’s own malicious choices,”

[…]

In response to Apple’s about-face, OWA credited both vocal protests from developers and the reported decision by regulators to open an investigation into Apple’s abandonment of Home Screen web app support.

[…]

“This simply returns us back to the status quo prior to Apple’s plan to sabotage web apps for the EU,” the group said. “Apple’s over-a-decade suppression of the web in favor of the App Store continues worldwide, and their attempt to destroy web apps in the EU is just their latest attempt.

“If there is to be any silver lining, it is that this has thoroughly exposed Apple’s genuine fear of a secure, open and interoperable alternative to their proprietary App Store that they can not control or tax.”

[…]

Source: Apple reverses decision to remove Home Screen web apps in EU • The Register

Apple has thrown a real tantrum about being forced to comply with the DMA and, while hammering its hands and feet and rolling on the floor like a toddler who can’t get its way, has broken a lot of stuff. Turns out they are now kind of fixing some of it.

See also: Shameless Insult, Malicious Compliance, Junk Fees, Extortion Regime: Industry Reacts To Apple’s Proposed Changes Over Digital Markets Act

HDMI Forum blocks AMD open sourcing drivers due to 2.1


As spotted by Linux benchmarking outfit Phoronix, AMD is having problems releasing certain versions of open-source drivers it’s developed for its GPUs – because, according to the Ryzen processor designer, the HDMI Forum won’t allow the code to be released as open source. Specifically, we’re talking about AMD’s FOSS drivers for HDMI 2.1 here.

For some years, AMD GPU customers running Linux have faced difficulties getting high-definition, high-refresh-rate displays connected over HDMI 2.1 to work correctly.

[…]

The issue isn’t missing drivers: AMD has already developed them under its GPU Open initiative. As AMD developer Alex Deucher put it in two different comments on the Freedesktop.org forum:

HDMI 2.1 is not available on Linux due to the HDMI Forum.

The HDMI Forum does not currently allow an open source HDMI 2.1 implementation.

The High-Definition Multimedia Interface is not just a type of port into which to plug your monitor. It’s a whole complex specification, of which version 2.1, the latest, was published in 2017.

[…]

HDMI cables are complicated things, including copyright-enforcing measures called High-bandwidth Digital Content Protection (HDCP) – although some of those were cracked way back in 2010. As we reported when it came out, you needed new cables to get the best out of HDMI 2.1. Since then, that edition was supplemented by version 2.1b in August 2023 – so now, you may need even newer ones.

This is partly because display technology is constantly improving. 4K displays are old tech: We described compatibility issues a decade ago, and covered 4K gaming the following year.

Such high-quality video brings two consequences. On the one hand, the bandwidth the cables are expected to carry has increased substantially. On the other, some forms of copying or duplication involving a reduction in image quality – say, halving the vertical and horizontal resolution – might still result in a perfectly watchable copy.

[…]

As we have noted before, we prefer DisplayPort to HDMI, and one reason is that you can happily drive an HDMI monitor from a DisplayPort output using a cheap cable, or if you have an HDMI cable to hand, an inexpensive adapter. We picked a random example which is a bargain at under $5.

But the converse does not hold. You can’t drive a DisplayPort screen from an HDMI port. That needs an intelligent adaptor which can resample the image and regenerate a display. Saying that, they are getting cheaper, and for lower-quality video such as old VGA or SCART outputs, these days, a circa-$5 microcontroller board such as a Raspberry Pi Pico can do the job, and you can build your own.

Source: HDMI Forum ‘blocks AMD open sourcing its 2.1 drivers’ • The Register

Coinbase pulls rug. Crypto holder trading is disabled and all assets shown $0 to users. Bitcoin is shooting up currently at $61k highly volatile and history repeats itself. PTSD from GME buy button disable is real. Not your wallet, not your money.

Coinbase is pulling the rug right now.

Check their sub and witness the fire.


Update:
They are now excusing it all with this error.


Update 2:
I argue it is fully artificial override since when loading the webpage it does momentarily flicker your true asset value and it gets then updated to zero when page finishes loading, even after one purges the browser data. So their data comes through, it is just forced to go zero to disable trading. I wait to be debunked. I do have some funds over there purely for science.


Update 3:
I now see my assets again after 70 minutes since the initial downtime began, missing a lot of “valuable” volatility.
Trading is still disabled though.
And in particular BTC-USD advanced trading doesn’t seem to load whatsoever.


Update 4:
Mainstream seems to be making articles now to assure people their assets are all “wasted” yet safe.
https://www.bnnbloomberg.ca/coinbase-tells-users-your-assets-are-safe-as-some-see-0-balance-1.2040524

…issues with Coinbase may have more significance these days, considering the outsized role the company plays in helping to manage the new spot-Bitcoin ETFs. Coinbase provides a variety of services to the fund issuers, including serving as custodian for eight of the 10 spot Bitcoin ETFs.

Source: Coinbase pulling the rug right now. Crypto holder trading is disabled and all assets shown $0 to users. Bitcoin is shooting up currently at $61k highly volatile and history repeats itself. PTSD from GME buy button disable is real. Not your wallet, not your money. : Superstonk

Basically, trading on Coinbase was suspended just as BTC was flying up. A bit like how Robinhood and a few other brokers stopped people from buying GameStop when it flew up.

Scammers Are Now Scanning Faces To Defeat Age Verification Biometric Security Measures

For quite some time now we’ve been pointing out the many harms of age verification technologies, and how they’re a disaster for privacy. In particular, we’ve noted that if you have someone collecting biometric information on people, that data itself becomes a massive risk since it will be targeted.

And, remember, a year and a half ago, the Age Verification Providers Association posted a comment right here on Techdirt saying not to worry about the privacy risks, as all they wanted to do was scan everyone’s face to visit a website (perhaps making you turn to the left or right to prove “liveness”).

Anyway, now a report has come out that some Chinese hackers have been tricking people into having their faces scanned, so that the hackers can then use the resulting scan to access accounts.

Attesting to this, cybersecurity company Group-IB has discovered the first banking trojan that steals people’s faces. Unsuspecting users are tricked into giving up personal IDs and phone numbers and are prompted to perform face scans. These images are then swapped out with AI-generated deepfakes that can easily bypass security checkpoints

The method — developed by a Chinese-based hacking family — is believed to have been used in Vietnam earlier this month, when attackers lured a victim into a malicious app, tricked them into face scanning, then withdrew the equivalent of $40,000 from their bank account. 

Cool cool, nothing could possibly go wrong in now requiring more and more people to normalize the idea of scanning your face to access a website. Nothing at all.

And no, this isn’t about age verification, but still, the normalization of facial scanning is a problem, as it’s such an obvious target for scammers and hackers.

Source: As Predicted: Scammers Are Now Scanning Faces To Defeat Biometric Security Measures | Techdirt

EU to hit Apple with first ever fine in €500mn music streaming penalty


Brussels is to impose its first ever fine on tech giant Apple for allegedly breaking EU law over access to its music streaming services, according to five people with direct knowledge of the long-running investigation.

The fine, which is in the region of €500mn and is expected to be announced early next month, is the culmination of a European Commission antitrust probe into whether Apple has used its own platform to favour its services over those of competitors.

The probe is investigating whether Apple blocked apps from informing iPhone users of cheaper alternatives to access music subscriptions outside the App Store. It was launched after music-streaming app Spotify made a formal complaint to regulators in 2019.

The Commission will say Apple’s actions are illegal and go against the bloc’s rules that enforce competition in the single market, the people familiar with the case told the Financial Times. It will ban Apple’s practice of blocking music services from letting users outside its App Store switch to cheaper alternatives.

Brussels will accuse Apple of abusing its powerful position and imposing anti-competitive trading practices on rivals, the people said, adding that the EU would say the tech giant’s terms were “unfair trading conditions”.

It is one of the most significant financial penalties levied by the EU on big tech companies. A series of fines against Google levied over several years and amounting to about €8bn are being contested in court.

Apple has never previously been fined for antitrust infringements by Brussels, but the company was hit in 2020 with a €1.1bn fine in France for alleged anti-competitive behaviour. The penalty was revised down to €372mn after an appeal.

The EU’s action against Apple will reignite the war between Brussels and Big Tech at a time when companies are being forced to show how they are complying with landmark new rules aimed at opening competition and allowing small tech rivals to thrive.

Companies that are defined as gatekeepers, including Apple, Amazon and Google, need to fully comply with these rules under the Digital Markets Act by early next month.

The act requires these tech giants to comply with more stringent rules and will force them to allow rivals to share information about their services.

[…]

Source: EU to hit Apple with first ever fine in €500mn music streaming penalty

You can now mark up your Google Docs with handwritten notes on Android devices

Google Docs is getting an annotation feature that will let you mark up your documents just like you might with a pen and paper. With today’s update, announced at MWC 2024, Google Docs users on Android devices can use a finger or stylus to write notes, highlight text and circle words to their heart’s desire. Google says the feature will work on Android tablets and smartphones, so it’s got some real potential to give devices like foldables even more of a productivity boost. It should also make for a smoother way to sign digital documents.

Android users will have access to multiple pen colors and highlighters with the new annotation tool for Google Docs, which is good news for anyone who loves color-coding their notes. If the popularity of digital notebooks like reMarkable’s tablets or Amazon’s Kindle Scribe has taught us anything, it’s that, as speedy as typing may be, plenty of people still prefer writing by hand when it’s an option. The only thing this update seems to be missing is the ability to convert handwriting to text, which would allow for more extensive writing tasks.

[…]

Source: You can now mark up your Google Docs with handwritten notes on Android devices

Reggaeton Be Gone – use a Raspberry Pi to jam bluetooth speakers when reggaeton music comes on

[…]

Consider this scenario: Your wall-to-wall neighbor loves to blast Reggaeton music at full volume through a Bluetooth speaker every morning at 9 am. You have two options:

  • A. Knock on their door and politely ask them to lower the volume.
  • B. Build an AI device that can handle the situation more creatively.

Reggaeton Be Gone (the name is a homage to the TV-B-Gone device) will monitor room audio, identify the Reggaeton genre with machine learning, and trigger comm requests and packets to the Bluetooth speaker with the high goal of disabling it, or at least disturbing the sound so much that the neighbor won’t have any other option than to turn it off.

[…]

Plans to make your own are in the source: Reggaeton Be Gone – Hackster.io

Nintendo files lawsuit against creators of Yuzu emulator

[…]

The 41-page lawsuit was filed against Tropic Haze, the company that makes Yuzu. (Nintendo also specifically references a person aliased as Bunnei, who leads development on Yuzu.) Yuzu is a free emulator that was released in 2018, months after the Nintendo Switch originally launched. The same folks who made Citra, a Nintendo 3DS emulator, made this one. Basically, it’s a piece of software that lets people play Nintendo Switch games on Windows PC, Linux, and Android devices. (It also runs on Steam Deck, which Valve showed — then wiped — in a Steam Deck video clip.) Emulators aren’t necessarily illegal, but pirating games to play on them is. But Nintendo said in its lawsuit that there’s no legal way to use Yuzu.

Nintendo argued that Yuzu executes code that “defeats” Nintendo’s security measures, including decryption using “an illegally-obtained copy of prod.keys.”

“In other words, without Yuzu’s decryption of Nintendo’s encryption, unauthorized copies of games could not be played on PCs or Android devices,” Nintendo wrote in the lawsuit. As to the alleged damages created by Yuzu, Nintendo pointed to the release of The Legend of Zelda: Tears of the Kingdom. Tears of the Kingdom leaked almost two weeks earlier than the game’s May 12 release date. The pirated version of the game spread quickly; Nintendo said it was downloaded more than 1 million times before Tears of the Kingdom’s release date. People used Yuzu to play the game; Nintendo said more than 20% of download links pointed people to Yuzu.

Though Yuzu doesn’t give out pirated copies of games, Nintendo repeatedly said that most ROM sites point people toward Yuzu to play whatever games they’ve downloaded.

[…]

Nintendo is asking the court to shut down the emulator, and for damages. Polygon has reached out to Nintendo and Tropic Haze for comment.

The Tears of the Kingdom publisher is notoriously strict with its intellectual property. Nintendo’s won several lawsuits targeting pirated game sites like RomUniverse, where it was awarded more than $2 million in damages. Nintendo also notoriously went after an alleged Nintendo Switch hacker named Gary Bowser, who was arrested and charged for selling Switch hacks. Though he’s been released from prison, Bowser still owes Nintendo $10 million; he paid Nintendo $175 while in prison from money he earned working in the prison library and kitchen.

Source: Nintendo files lawsuit against creators of Yuzu emulator – Polygon

So if all the links point to the pirated copy of the game, why don’t Nintendo sue Google and Baidu and Yandex and all the other search engines that provide the links? Because they are huge and have massive lawyer engines. And Yuzu doesn’t. And also because providing links is not illegal, as has been seen again and again. Also, creating emulators is not illegal either, but the lawsuits will probably suffocate the company. The law is seriously broken.

Meta will start collecting much more “anonymized” data about Quest headset usage

Meta will soon begin “collecting anonymized data” from users of its Quest headsets, a move that could see the company aggregating information about hand, body, and eye tracking; camera information; “information about your physical environment”; and information about “the virtual reality events you attend.”

In an email sent to Quest users Monday, Meta notes that it currently collects “the data required for your Meta Quest to work properly.” Starting with the next software update, though, the company will begin collecting and aggregating “anonymized data about… device usage” from Quest users. That anonymized data will be used “for things like building better experiences and improving Meta Quest products for everyone,” the company writes.

A linked help page on data sharing clarifies that Meta can collect anonymized versions of any of the usage data included in the “Supplemental Meta Platforms Technologies Privacy Policy,” which was last updated in October. That document lists a host of personal information that Meta can collect from your headset, including:

  • “Your audio data, when your microphone preferences are enabled, to animate your avatar’s lip and face movement”
  • “Certain data” about hand, body, and eye tracking, “such as tracking quality and the amount of time it takes to detect your hands and body”
  • Fitness-related information such as the “number of calories you burned, how long you’ve been physically active, [and] your fitness goals and achievements”
  • “Information about your physical environment and its dimensions” such as “the size of walls, surfaces, and objects in your room and the distances between them and your headset”
  • “Voice interactions” used when making audio commands or dictations, including audio recordings and transcripts that might include “any background sound that happens when you use those services” (these recordings and transcriptions are deleted “immediately” in most cases, Meta writes)
  • Information about “your activity in virtual reality,” including “the virtual reality events you attend”

The anonymized usage data is used in part to “analyz[e] device performance and reliability” to “improve the hardware and software that powers your experiences with Meta VR Products.”

What does Meta know about what you’re doing in VR? (Image: Meta)

Meta’s help page also lists a small subset of “additional data” that headset users can opt out of sharing with Meta. But there’s no indication that Quest users can opt out of the new anonymized data collection policies entirely.

These policies only seem to apply to users who make use of a Meta account to access their Quest headsets, and those users are also subject to Meta’s wider data-collection policies. Those who use a legacy Oculus account are subject to a separate privacy policy that describes a similar but more limited set of data-collection practices.

Not a new concern

Meta is clear that the data it collects “is anonymized so it does not identify you.” But here at Ars, we’ve long covered situations where data that was supposed to be “anonymous” was linked back to personally identifiable information about the people who generated it. The FTC is currently pursuing a case against Kochava, a data broker that links de-anonymized geolocation data to a “staggering amount of sensitive and identifying information,” according to the regulator.

Concerns about VR headset data collection date back to when Meta’s virtual reality division was still named Oculus. Shortly after the launch of the Oculus Rift in 2016, Senator Al Franken (D-Minn.) sent an open letter to the company seeking information on “the extent to which Oculus may be collecting Americans’ personal information, including sensitive location data, and sharing that information with third parties.”

In 2020, the company then called Facebook faced controversy for requiring Oculus users to migrate to a Facebook account to continue using their headsets. That led to a temporary pause of Oculus headset sales in Germany before Meta finally offered the option to decouple its VR accounts from its social media accounts in 2022.

Source: Meta will start collecting “anonymized” data about Quest headset usage | Ars Technica
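To make the Ars point concrete, an added example that is not Ars’ or Meta’s code: a small linkage attack on constructed data. `ANON` plays the role of “anonymized” headset usage records (no name or account ID, but room geometry and model survive; the field names are hypothetical, not Meta’s schema), and `IDENTIFIED` is a second constructed dataset that carries the same measurements next to an e-mail address, the sort of thing a support ticket or room-scan export would hold. `k_anonymity` reports how many records share each quasi-identifier, `link` joins the two sides, and coarsening the measurements into metre buckets shows the usual mitigation.

```python
"""Re-identifying 'anonymized' headset telemetry via quasi-identifiers (added example)."""
from collections import Counter, defaultdict

# Constructed 'anonymized' usage records. Hypothetical field names.
ANON = [
    {"id": "a1", "room_w_cm": 312, "room_d_cm": 405, "model": "Quest 3"},
    {"id": "a2", "room_w_cm": 298, "room_d_cm": 350, "model": "Quest 2"},
    {"id": "a3", "room_w_cm": 450, "room_d_cm": 520, "model": "Quest 3"},
    {"id": "a4", "room_w_cm": 385, "room_d_cm": 420, "model": "Quest 2"},
    {"id": "a5", "room_w_cm": 312, "room_d_cm": 405, "model": "Quest 2"},
    {"id": "a6", "room_w_cm": 260, "room_d_cm": 330, "model": "Quest 3"},
    {"id": "a7", "room_w_cm": 410, "room_d_cm": 590, "model": "Quest 3"},
]

# Constructed identified side: the same measurements next to an e-mail address.
IDENTIFIED = [
    {"email": "alice@example.com", "room_w_cm": 312, "room_d_cm": 405, "model": "Quest 3"},
    {"email": "bob@example.com",   "room_w_cm": 298, "room_d_cm": 350, "model": "Quest 2"},
    {"email": "carol@example.com", "room_w_cm": 450, "room_d_cm": 520, "model": "Quest 3"},
]

EXACT = ("room_w_cm", "room_d_cm", "model")   # what the raw export exposes
COARSE = ("room_w_cm", "room_d_cm")           # model dropped, dimensions bucketed


def quasi_key(rec, fields, bucket_cm=1):
    """Quasi-identifier tuple; *_cm fields are coarsened into bucket_cm-wide bins."""
    return tuple(rec[f] // bucket_cm if f.endswith("_cm") else rec[f] for f in fields)


def k_anonymity(records, fields, bucket_cm=1):
    """Smallest group size sharing a quasi-identifier; k == 1 means someone is unique."""
    counts = Counter(quasi_key(r, fields, bucket_cm) for r in records)
    return min(counts.values())


def link(anon, identified, fields, bucket_cm=1):
    """Join both sides on the quasi-identifier; report only unambiguous one-to-one hits."""
    by_key = defaultdict(list)
    for r in anon:
        by_key[quasi_key(r, fields, bucket_cm)].append(r["id"])
    matches = {}
    for person in identified:
        ids = by_key.get(quasi_key(person, fields, bucket_cm), [])
        if len(ids) == 1:
            matches[ids[0]] = person["email"]
    return matches


if __name__ == "__main__":
    print("k on exact fields:", k_anonymity(ANON, EXACT))
    print("re-identified:", link(ANON, IDENTIFIED, EXACT))
    print("k with 1 m buckets, no model:", k_anonymity(ANON, COARSE, bucket_cm=100))
    print("re-identified after coarsening:", link(ANON, IDENTIFIED, COARSE, bucket_cm=100))
```

On the exact fields every record is unique (k = 1) and all three identified people map onto “anonymous” records; with the dimensions coarsened to 100 cm bins and the model dropped, the smallest group has two members and no unambiguous join remains. Room dimensions to the centimetre are a fingerprint of the flat, so “anonymized so it does not identify you” is a statement about the record on its own, not about what it can be joined to.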

$500 drone calculates its position with camera, Google Maps

[…]

A team of drone enthusiasts have built a sub-$500 drone that uses a camera and Google Maps to provide itself with GPS co-ordinates, removing the need for a GPS satellite signal. And all of this was done in 24 hours during the El Segundo Defense Tech Hackathon.

[…]

The drone uses a camera mounted underneath it to position itself with imagery from Google Maps, highlighting similarities in the images to get a rough estimate of the co-ordinates.

[…]

Google Maps allows users to download segments of maps ahead of time, usually for use when you are travelling or camping out in remote areas.

[…]

Without needing to rely on an external constellation of satellites, the GPS-free drone can continue operating on missions in GPS-denied environments, such as remote areas or those that have been jammed. Unlike Skydio’s approach, which uses cameras to position itself, using imagery that doesn’t rely on light to work means this drone can fly anywhere in the world it has imagery for at any time of the day or night.

[…]

Source: $500 drone calculates its position with camera, Google Maps

Vietnam to collect biometrics – even DNA – for new ID cards. Centralised databases never leak.

The Vietnamese government will begin collecting biometric information from its citizens for identification purposes beginning in July this year.

Prime minister Pham Minh Chinh instructed the nation’s Ministry of Public Security to collect the data in the form of iris scans, voice samples and actual DNA, in accordance with amendments to Vietnam’s Law on Citizen Identification.

The ID cards are issued to anyone over the age of 14 in Vietnam, and are optional for citizens between the ages of 6 and 14, according to a government news report.

Amendments to the Law on Citizen Identification that allow collection of biometrics passed on November 27 of last year.

The law allows recording of blood type among the DNA-related information that will be contained in a national database to be shared across agencies “to perform their functions and tasks.”

The ministry will work with other parts of the government to integrate the identification system into the national database.

As for how the information will be collected, the amendments state:

Biometric information on DNA and voice is collected when voluntarily provided by the people or the agency conducting criminal proceedings or the agency managing the person to whom administrative measures are applied in the process of settling the case according to their functions and duties whether to solicit assessment or collect biometric information on DNA, people’s voices are shared with identity management agencies for updating and adjusting to the identity database.

Vietnam’s future identity cards will incorporate the functions of health insurance cards, social insurance books, driver’s licenses, birth certificates, and marriage certificates, as defined by the amendment.

There are approximately 70 million adults in Vietnam as of 2022, making the collection and safeguarding of such data no small feat.

The Reg is sure the personal information on all those citizens will be just fine – personal data held by governments for ID cards certainly never leaks.

[…]

Source: Vietnam to collect biometrics – even DNA – for new ID cards • The Register

Absolutely retarded.

‘No one understands outsourcing the management of .nl domains to Amazon’

At the beginning of February, SIDN was in the news after announcing that it wanted to outsource part of its services to Amazon Web Services, the American web giant. According to SIDN, the reason for the outsourcing was that implementation on its own servers had become too expensive and too labor-intensive.

Van Eeten: ‘SIDN has not provided any explanation as to how on earth it ended up at Amazon. I can imagine that they don’t feel like dealing with all that iron (servers) and can’t find staff. But then there are numerous Dutch providers who say: ‘Just leave it to us. Then we will arrange everything.’

Van Eeten also does not understand why the registration system used by SIDN would be so demanding. ‘In principle it seems quite simple, I estimate a few hundred accounts on a database. I don’t see any reason why a Dutch cloud service couldn’t handle that.’

The criticism is partly a matter of timing: five years ago there would have been a lot less fuss about it. Van Eeten: ‘But in recent years the question has increasingly arisen whether it is wise to outsource more and more digital services to a handful of American companies. That discussion is about digital sovereignty. And that has become quite a thing in Europe.’

Source: ‘No one understands outsourcing the management of .nl domains to Amazon’ – Emerce

It’s completely nuts that a technical organisation says it can’t be technical – and is washing its hands of running the most popular TLD per capita in the world!

Wyze says camera breach let 13,000 customers briefly see into other people’s homes

Last week, co-founder David Crosby said that “so far” the company had identified 14 people who were able to briefly see into a stranger’s property because they were shown an image from someone else’s Wyze camera. Now we’re being told that number of affected customers has ballooned to 13,000.

The revelation came from an email sent to customers entitled “An Important Security Message from Wyze,” in which the company copped to the breach and apologized, while also attempting to lay some of the blame on its web hosting provider AWS.

“The outage originated from our partner AWS and took down Wyze devices for several hours early Friday morning. If you tried to view live cameras or Events during that time, you likely weren’t able to. We’re very sorry for the frustration and confusion this caused.

The breach, however, occurred as Wyze was attempting to bring its cameras back online. Customers were reporting seeing mysterious images and video footage in their own Events tab. Wyze disabled access to the tab and launched its own investigation.

As it did before, Wyze is chalking up the incident to “a third-party caching client library” that was recently integrated into its system.

This client library received unprecedented load conditions caused by devices coming back online all at once. As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.

But it was too late to prevent an estimated 13,000 people from getting an unauthorized peek at thumbnails from strangers’ homes. Wyze says that 1,504 people tapped to enlarge the thumbnail, and that a few of them caught a video that they were able to view. It also claims that all impacted users have been notified of the security breach, and that over 99 percent of all of its customers weren’t affected.
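The lesson a practitioner takes from the Wyze explanation above is that a cache (or any derived mapping rebuilt under load) may tell the server what to show, but it must never be the thing that decides who is allowed to see it. The example below is added here and is not Wyze’s code; the article only says the caching library “mixed up device ID and user ID mapping”, so the concrete shape of the bug modelled here (a cached user-to-device mapping that has attached someone else’s camera to your account) is an assumption. Users, device IDs and thumbnails are constructed. The naive service serves whatever the mapping names; the hardened one re-checks ownership against the authoritative record on every read and counts mismatches so that a burst of them during a reload pages someone instead of shipping thumbnails to strangers.

```python
"""Serving per-device data through a cache: re-check ownership on every read.

Added example, not Wyze's code. The specific mechanism (a cached user->device
mapping corrupted during a mass reconnect) is an assumption; the general fix
is not: authorization is decided against the authoritative owner table at
request time, never inferred from a cache entry. All data below is constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Thumbnail:
    device_id: str
    owner: str          # owner recorded when the thumbnail was produced
    blob: bytes


# Authoritative device -> owner table (constructed). A cache must never
# replace this as the source of the authorization decision.
OWNERS = {"cam-001": "alice", "cam-002": "bob"}

# Constructed "what the caching layer thinks each user owns" after a bad
# reload: bob's camera has been attached to alice's account.
CORRUPT_MAPPING = {"alice": ["cam-001", "cam-002"], "bob": ["cam-002"]}


def fill_cache():
    """Constructed cache contents keyed by device ID."""
    return {
        "cam-001": Thumbnail("cam-001", "alice", b"<jpeg alice>"),
        "cam-002": Thumbnail("cam-002", "bob", b"<jpeg bob>"),
    }


class NaiveEventsService:
    """Trusts the cached user->device mapping and serves whatever it names."""

    def __init__(self, cache, mapping):
        self.cache, self.mapping = cache, mapping

    def events(self, user):
        # No ownership check: if the mapping is wrong, the wrong home is shown.
        return [self.cache[d] for d in self.mapping.get(user, []) if d in self.cache]


@dataclass
class HardenedEventsService:
    """Same cache and same (possibly corrupt) mapping, but ownership is
    re-checked against OWNERS on every read and mismatches are recorded."""
    cache: dict
    mapping: dict
    anomalies: list = field(default_factory=list)   # (user, device, real owner)

    def events(self, user):
        out = []
        for d in self.mapping.get(user, []):
            real_owner = OWNERS.get(d)
            if real_owner != user:
                # The cached mapping disagrees with the authoritative record:
                # refuse to serve, and keep the evidence for the detection hook.
                self.anomalies.append((user, d, real_owner))
                continue
            thumb = self.cache.get(d)
            # Belt and braces: the entry itself also carries the owner it was
            # produced for, so a mislabelled cache entry is rejected too.
            if thumb is not None and thumb.owner == user:
                out.append(thumb)
        return out


def should_page(service, threshold=1):
    """Detection hook: any cross-account mismatch during a reload is alert-worthy."""
    return len(service.anomalies) >= threshold
```

The threshold of one is deliberate: a single cross-account mismatch in a mapping that is supposed to be derived from the owner table is already a bug, and catching the first one during a mass reconnect is what stops 13,000 of them.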

[…]

Source: Wyze says camera breach let 13,000 customers briefly see into other people’s homes – The Verge

Which is why it’s better to store stuff on your own NAS hardware instead of some vendor’s cloud.

Chinese and US researchers show new side channel can reproduce fingerprints by listening to swiping sounds on screen

An interesting new attack on biometric security has been outlined by a group of researchers from China and the US. PrintListener: Uncovering the Vulnerability of Fingerprint Authentication via the Finger Friction Sound [PDF] proposes a side-channel attack on the sophisticated Automatic Fingerprint Identification System (AFIS). The attack leverages the sound characteristics of a user’s finger swiping on a touchscreen to extract fingerprint pattern features. Following tests, the researchers assert that they can successfully attack “up to 27.9% of partial fingerprints and 9.3% of complete fingerprints within five attempts at the highest security FAR [False Acceptance Rate] setting of 0.01%.” This is claimed to be the first work that leverages swiping sounds to infer fingerprint information.

[…]

The PrintListener paper says that “finger-swiping friction sounds can be captured by attackers online with a high possibility.” The source of the finger-swiping sounds can be popular apps like Discord, Skype, WeChat, FaceTime, etc. – any chatty app where users carelessly perform swiping actions on the screen while the device mic is live. Hence the side-channel attack name, PrintListener.

[…]

Source: Your fingerprints can be recreated from the sounds made when you swipe on a touchscreen — Chinese and US researchers show new side channel can reproduce fingerprints to enable attacks | Tom’s Hardware

Four-day week made permanent for most UK firms in world’s biggest trial

Of the 61 organisations that took part in a six-month UK pilot in 2022, 54 (89%) are still operating the policy a year later, and 31 (51%) have made the change permanent.

More than half (55%) of project managers and CEOs said a four-day week – in which staff worked 100% of their output in 80% of their time – had a positive impact on their organisation, the report found.

For 82% this included positive effects on staff wellbeing, 50% found it reduced staff turnover, while 32% said it improved job recruitment. Nearly half (46%) said working and productivity improved.

[…]

The four-day working week report, by the thinktank Autonomy and researchers from the University of Cambridge, the University of Salford and Boston College in the US, found that “many of the significant benefits found during the initial trial have persisted 12 months on”, although they noted that it was a small sample size.

Almost all (96%) of staff said their personal life had benefited, and 86% felt they performed better at work, while 38% felt their organisation had become more efficient, and 24% said it had helped with caring responsibilities.

Organisations reduced working hours by an average of 6.6 hours to reach a 31.6-hour week. Most gave their staff one full day off a week, either universal or staggered. The report found that protected days off were more effective than those on which staff were “on call” or sometimes expected to work.

The most successful companies made their four-day week “clear, confident and well-communicated”, and co-designed their policies between staff and management, thinking carefully about how to adapt work processes, the authors wrote.

[…]


Source: Four-day week made permanent for most UK firms in world’s biggest trial | Work-life balance | The Guardian

Varda Space, Rocket Lab nail first-of-its-kind spacecraft landing in Utah, bring back space grown drugs

A spacecraft containing pharmaceutical drugs that were grown on orbit has finally returned to Earth today after more than eight months in space.

Varda Space Industries’ in-space manufacturing capsule, called Winnebago-1, landed in the Utah desert at around 4:40 p.m. EST. Inside the capsule are crystals of the drug ritonavir, which is used to treat HIV/AIDS. It marks a successful conclusion of Varda’s first experimental mission to grow pharmaceuticals on orbit, as well as the first time a commercial company has landed a spacecraft on U.S. soil, ever.

The capsule will now be sent back to Varda’s facilities in Los Angeles for analysis, and the vials of ritonavir will be shipped to a research company called Improved Pharma for post-flight characterization, Varda said in a statement. The company will also be sharing all the data collected through the mission with the Air Force and NASA, per existing agreements with those agencies.

The first-of-its-kind reentry and landing is also a major win for Rocket Lab, which partnered with Varda on the mission. Rocket Lab hosted Varda’s manufacturing capsule inside its Photon satellite bus; through the course of the mission, Photon provided power, communications, attitude control and other essential operations. At the mission’s conclusion, the bus executed a series of maneuvers and de-orbit burns that put the miniature drug lab on the proper reentry trajectory. The final engine burn was executed shortly after 4 p.m. EST.

[…]

Source: Varda Space, Rocket Lab nail first-of-its-kind spacecraft landing in Utah | TechCrunch

Universal Antivenom for Snake Bites Might Soon Be a Reality

[…]

a team of scientists says they’ve created a lab-made antibody geared to counteract toxic bites from a wide variety of snakes. In early tests with mice, the uber-antivenom appeared to work as intended.

Snake antivenom is typically derived from the antibodies of horses or other animals that produce a strong immune response to snake toxins. These donated antibodies can be highly effective at preventing serious injury and death from a snakebite, but they come with serious limitations.

The chemical makeup of one species’s toxin can vary significantly from another’s, for instance, so antibodies to one specific toxin provide little protection against others. Manufacturers can try to work around this by inoculating animals with several toxins at once, but this method has drawbacks, such as needing a higher dose of antivenom since only some of the antibodies will have any effect.

[…]

Though snake toxins are remarkably complex and different from one another, even within the same class, the team managed to find sections of these toxins that were pretty similar across different species.

The scientists produced a variety of 3FTx toxins in the lab and then screened them against a database of more than 50 billion synthetic antibodies, looking for ones that could potentially neutralize several toxins at once. After a few rounds of selection, they ultimately identified one antibody that seemed to broadly neutralize at least five different 3FTx variants, called 95Mat5. They then put the antibody to a real-life test, finding that it fully protected mice from dying from the toxins of the many-banded krait, Indian spitting cobra, and black mamba, in some cases better than conventional antivenom; it also offered some protection against venom from the king cobra.

[…]

As seen with the king cobra, the 95Mat5 antibody alone may not work against every elapid snake. And it wouldn’t protect against bites from viper snakes, the other major family of venomous snakes. But the team’s process of identifying broadly neutralizing antibodies—adapted from similar research on the HIV virus—could be used to find other promising antivenom candidates.

[…]

Source: Universal Antivenom for Snake Bites Might Soon Be a Reality

Video generation models as world simulators by OpenAI Sora

[…]

Our largest model, Sora, is capable of generating a minute of high fidelity video. Our results suggest that scaling video generation models is a promising path towards building general purpose simulators of the physical world.

This technical report focuses on (1) our method for turning visual data of all types into a unified representation that enables large-scale training of generative models, and (2) qualitative evaluation of Sora’s capabilities and limitations. Model and implementation details are not included in this report.

[…]

Sampling flexibility

Sora can sample widescreen 1920×1080 videos, vertical 1080×1920 videos and everything in between. This lets Sora create content for different devices directly at their native aspect ratios. It also lets us quickly prototype content at lower sizes before generating at full resolution—all with the same model.

[…]

Source: Video generation models as world simulators

Canadian college M&M Vending machines secretly scanning faces – revealed by error message

[…]

The scandal started when a student using the alias SquidKid47 posted an image on Reddit showing a campus vending machine error message, “Invenda.Vending.FacialRecognitionApp.exe,” displayed after the machine failed to launch a facial recognition application that nobody expected to be part of the process of using a vending machine.

Reddit post shows error message displayed on a University of Waterloo vending machine (cropped and lightly edited for clarity).

“Hey, so why do the stupid M&M machines have facial recognition?” SquidKid47 pondered.

The Reddit post sparked an investigation from a fourth-year student named River Stanley, who was writing for a university publication called MathNEWS.

Stanley sounded the alarm after consulting Invenda sales brochures that promised “the machines are capable of sending estimated ages and genders” of every person who used the machines without ever requesting consent.

This frustrated Stanley, who discovered that Canada’s privacy commissioner had years ago investigated a shopping mall operator called Cadillac Fairview after discovering some of the malls’ informational kiosks were secretly “using facial recognition software on unsuspecting patrons.”

Only because of that official investigation did Canadians learn that “over 5 million nonconsenting Canadians” were scanned into Cadillac Fairview’s database, Stanley reported. Where Cadillac Fairview was ultimately forced to delete the entire database, Stanley wrote that consequences for collecting similarly sensitive facial recognition data without consent for Invenda clients like Mars remain unclear.

Stanley’s report ended with a call for students to demand that the university “bar facial recognition vending machines from campus.”

A University of Waterloo spokesperson, Rebecca Elming, eventually responded, confirming to CTV News that the school had asked to disable the vending machine software until the machines could be removed.

[…]

Source: Vending machine error reveals secret face image database of college students | Ars Technica

iOS and Android users face scans used to break into bank accounts

[…]

GoldPickaxe and GoldPickaxe.iOS target Android and iOS respectively, tricking users into performing biometric verification checks that are ultimately used to bypass the same checks employed by legitimate banking apps in Vietnam and Thailand – the geographic focus of these ongoing attacks.

The iOS version is believed only to be targeting users in Thailand, masquerading as the Thai government’s official digital pensions app. That said, some think it has also made its way to Vietnam. This is because very similar attacks, which led to the theft of tens of thousands of dollars, were reported in the region earlier this month.

“It is of note that GoldPickaxe.iOS is the first iOS Trojan observed by Group-IB that combines the following functionalities: collecting victims’ biometric data, ID documents, intercepting SMS, and proxying traffic through the victims’ devices,” the researchers said.

“Its Android sibling has even more functionalities than its iOS counterpart, due to more restrictions and the closed nature of iOS.”

[…]

Researchers also found the Android version bore many more disguises than the iOS version – taking the form of more than 20 different government, finance, and utility organizations in Thailand, and allowing attackers to steal credentials for all of these services.

How’d they get on Apple phones?

In the case of iOS, the attackers had to be cunning. Their first method involved the abuse of Apple’s TestFlight platform, which allows apps to be distributed as betas before full release to the App Store.

After this method was stymied, attackers switched to more sophisticated social engineering. This involved influencing users to enroll their devices in an MDM program, allowing the attackers to push bad apps to devices that way.

In all cases, the initial contact with victims was made by the attackers impersonating government authorities on the LINE messaging app, one of the region’s most popular.

[…]

Once the biometrics scans were captured, attackers then used these scans, along with deepfake software, to generate models of the victim’s face.

Attackers would download the target banking app onto their own devices and use the deepfake models, along with the stolen identity documents and intercepted SMS messages, to remotely break into victims’ banks.

[…]

Facial biometrics were only mandated in Thailand last year, with plans first announced in March with an enforcement date set for July. Vietnam is poised to mandate similar controls by April this year.

From July 2023, all Thai banking apps had to comply with the new initiative and replace one-time passcodes with facial biometrics to decrease the threat of financial fraud in the region. This applied specifically to transactions exceeding 50,000 baht (roughly $1,400).

[…]

Source: Stolen iOS users face scans used to break into bank accounts

Which goes to show – biometrics are unchangeable and so make for a really bad (and potentially dangerous, if people are inclined to amputate parts of your anatomy) security pass.

Whoops: ‘Smart’ Livall Helmet Allowed Real Time Surveillance And Location Tracking Of A Million Customers


[…] a company named Livall makes “smart” bike helmets for skiers and cyclists that include features like auto-fall detection, GPS location monitoring, and integrated braking lights. The problem: the company apparently didn’t spend enough time securing the company’s app, allowing pretty much anybody to listen in on and track the precise location data of a million customers in real time.

Livall’s smartphone apps feature group audio chats and location data. The problem: Ken Munro, founder of U.K. cybersecurity testing firm Pen Test Partners, found that the chat groups were secured by a six-digit PIN code that was very simple to brute force (via TechCrunch):

“That 6 digit group code simply isn’t random enough. We could brute force all group IDs in a matter of minutes.”

Munro also noted that there was nothing to alert a group of cyclists or skiers that someone new had entered the chat, allowing a third party to monitor them in complete silence:

“As soon as one entered a valid group code, one joined the group automatically. There was no further authorisation nor alerts to the other group user. It was therefore trivial to silently join any group, giving us access to any users location and the ability to listen in to any group audio communications.”

Whoops a daisy. As with so many modern “smart” tech companies, Munro also notes that Livall only took their findings seriously once they got a prominent security journalist (Zack Whittaker at Techcrunch) involved to bring attention to the problem. Livall finally fixed the problem, but it’s not entirely clear that would have happened without Whittaker’s involvement.
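The two findings Munro describes compound each other: a six-digit numeric group code is only about 20 bits of secret, and a valid guess was rewarded with a silent join. The example below is added here and is not Livall’s or Pen Test Partners’ code; it models the weak design with an in-memory toy server (group names, user names and request rates are constructed), shows what walking the whole keyspace gets an attacker, and puts a hardened join flow beside it: a single-use invite token with 256 bits of entropy, an explicit approval step, and a notification to existing members, so that neither guessing nor silent entry is possible.

```python
"""Weak six-digit group codes next to a hardened invite scheme.

Added example, not Livall's or Pen Test Partners' code. Models the flaw the
article describes (a group is addressed by a six-digit code and presenting a
valid code joins you silently) with an in-memory toy server. Group names,
user names and request rates are constructed for illustration.
"""
import secrets
from dataclasses import dataclass, field

KEYSPACE = 10 ** 6   # every six-digit code, 000000..999999 (about 20 bits)


@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)


class WeakGroupService:
    """Original design: the six-digit code is the only secret, no join alert."""

    def __init__(self):
        self.groups = {}                      # code -> Group

    def create(self, name):
        code = f"{secrets.randbelow(KEYSPACE):06d}"
        self.groups[code] = Group(name)
        return code

    def join(self, code, user):
        g = self.groups.get(code)
        if g is None:
            return None
        g.members.add(user)                   # no approval, no notification
        return g.name


def enumerate_groups(service, user="attacker"):
    """Attacker: walk the whole keyspace; every valid code yields a silent join."""
    found = {}
    for i in range(KEYSPACE):
        code = f"{i:06d}"
        name = service.join(code, user)
        if name is not None:
            found[code] = name
    return found


def brute_force_seconds(keyspace_size, requests_per_second):
    """Worst-case time to try every value of a secret with `keyspace_size` values."""
    return keyspace_size / requests_per_second


class HardenedGroupService:
    """Unguessable single-use invite, explicit approval, and members are told."""

    def __init__(self):
        self.groups = {}                      # gid -> Group
        self.invites = {}                     # token -> gid (single use)
        self.pending = {}                     # (gid, user) -> True
        self.notifications = {}               # user -> [messages]

    def _notify(self, users, msg):
        for u in users:
            self.notifications.setdefault(u, []).append(msg)

    def create(self, name, owner):
        gid = secrets.token_hex(8)            # identifier, not a secret
        self.groups[gid] = Group(name, {owner})
        return gid

    def invite(self, gid):
        token = secrets.token_urlsafe(32)     # 256 bits of entropy, unguessable
        self.invites[token] = gid
        return token

    def request_join(self, token, user):
        gid = self.invites.pop(token, None)   # consumed on first use, valid or not
        if gid is None:
            return False
        g = self.groups[gid]
        self.pending[(gid, user)] = True
        self._notify(g.members, f"{user} asked to join {g.name}")
        return True

    def approve(self, gid, approver, user):
        g = self.groups[gid]
        if approver not in g.members or not self.pending.pop((gid, user), False):
            return False
        g.members.add(user)
        self._notify(g.members - {user}, f"{user} joined {g.name}")
        return True
```

At a modest 1,000 requests per second the weak keyspace is exhausted in 1,000 seconds, which is Munro’s “matter of minutes”; the same arithmetic on a 256-bit token is the reason nobody bothers guessing them. Rate limiting on the join endpoint would have slowed the enumeration but would not have fixed the silent join, which is why the hardened version changes the flow rather than just the code length.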

[…]

Source: Whoops: ‘Smart’ Helmet Allowed Real Time Surveillance And Location Tracking Of A Million Customers | Techdirt

European human rights court says backdooring encrypted comms is against human rights

a picture of an eye staring at your from your mobile phone

The European Court of Human Rights (ECHR) has ruled that laws requiring crippled encryption and extensive data retention violate the European Convention on Human Rights – a decision that may derail European data surveillance legislation known as Chat Control.

The Court issued a decision on Tuesday stating that “the contested legislation providing for the retention of all internet communications of all users, the security services’ direct access to the data stored without adequate safeguards against abuse and the requirement to decrypt encrypted communications, as applied to end-to-end encrypted communications, cannot be regarded as necessary in a democratic society.”

The “contested legislation” mentioned above refers to a legal challenge that started in 2017 after a demand from Russia’s Federal Security Service (FSB) that messaging service Telegram provide technical information to assist the decryption of a user’s communication. The plaintiff, Anton Valeryevich Podchasov, challenged the order in Russia but his claim was dismissed.

In 2019, Podchasov brought the matter to the ECHR. Russia joined the Council of Europe – an international human rights organization – in 1996 and was a member until it withdrew in March 2022 following its illegal invasion of Ukraine. Because the 2019 case predates Russia’s withdrawal, the ECHR continued to consider the matter.

The Court concluded that the Russian law requiring Telegram “to decrypt end-to-end encrypted communications risks amounting to a requirement that providers of such services weaken the encryption mechanism for all users.” As such, the Court considers that requirement disproportionate to legitimate law enforcement goals.

While the ECHR decision is unlikely to have any effect within Russia, it matters to countries in Europe that are contemplating similar decryption laws – such as Chat Control and the UK government’s Online Safety Act.

Chat Control is shorthand for European data surveillance legislation that would require internet service providers to scan digital communications for illegal content – specifically child sexual abuse material and potentially terrorism-related information. Doing so would necessarily entail weakening the encryption that keeps communication private.

Efforts to develop workable rules have been underway for several years and continue to this day, despite widespread condemnation from academics, privacy-oriented orgs, and civil society groups.

Patrick Breyer, a member of the European parliament for the Pirate Party, hailed the ruling for demonstrating that Chat Control is incompatible with EU law.

“With this outstanding landmark judgment, the ‘client-side scanning’ surveillance on all smartphones proposed by the EU Commission in its chat control bill is clearly illegal,” said Breyer.

“It would destroy the protection of everyone instead of investigating suspects. EU governments will now have no choice but to remove the destruction of secure encryption from their position on this proposal – as well as the indiscriminate surveillance of private communications of the entire population!”

Source: European human rights court says no to weakened encryption • The Register