The Linkielist

Linking ideas with the world

This VR video player lets you watch videos in 6dof + Touch things with your hands (haptic feedback) – VR has found its porn case

*Quest 1, 2, pro standalone only atm, PCVR coming soon*

Touchly lets you watch any VR180 video in 6dof and interact with the environment. Standard playback in most VR formats is also supported. And it’s out now for free in the App Lab! https://www.oculus.com/experiences/quest/5564815066942737/

Note: Videos need to be processed with our converter beforehand to be seen in volumetric mode.

Join us at discord: https://discord.gg/WrGQA4H4

[…]

It requires both left and right videos to generate the depth map. I’m not sure if that requires a ML model or can be done with regular video filtering algorithms.

The video is preprocessed with the depthmap added as a “third view” in a SBS video. So speed isn’t an issue.

Source: This VR video player lets you watch videos in 6dof + Touch things with your hands (haptic feedback) : virtualreality

Now that VR has porn and you can touch the models, it will finally explode

Physicists solve 50-year lightning mystery – why does it zigzag and what does it have to do with thunder

[…]

For the past 50 years, scientists around the world have debated why lightning zig-zags and how it is connected to the thunder cloud above.

There hasn’t been a definitive explanation until now, with a University of South Australia plasma physicist publishing a landmark paper that solves both mysteries.

[…]

The answer? Singlet-delta metastable oxygen molecules.

Basically, lightning happens when electrons hit oxygen molecules with enough energy to create high energy singlet delta oxygen molecules. After colliding with the molecules, the “detached” electrons form a highly conducting step—initially luminous—that redistributes the , causing successive steps.

The conducting column connecting the step to the cloud remains dark when electrons attach to neutral , followed by immediate detachment of the electrons by singlet delta molecules.

[…]

The paper, “Toward a theory of stepped leaders in ” is published in the Journal of Physics D: Applied Physics. It is authored by Dr. John Lowke and Dr. Endre Szili from the Future Industries Institute at the University of South Australia.

More information: John J Lowke et al, Toward a theory of “stepped-leaders” of lightning, Journal of Physics D: Applied Physics (2022). DOI: 10.1088/1361-6463/aca103

Source: Physicists strike gold, solving 50-year lightning mystery

Bright light from black holes caused by particle shock waves

Beams of electrons smash into slower-moving particles causing a shock wave which results in electromagnetic radiation across frequency bands from X-rays to visible light, according to a research paper published in Nature this week.

Astronomers first observed quasi-stellar radio sources or quasars in the early 1960s. This new class of astronomical objects was a puzzle. They looked like stars, but they also radiated very brightly at radio frequencies, and their optical spectra contained strange emission lines not associated with “normal” stars. In fact, these strange objects are gigantic black holes at the center of distant galaxies.

Particle acceleration in the jet emitted by a supermassive black hole. Illustration credit: Liodakis et al/Nature

Advances in radio-astronomy and X-ray-observing satellites have helped scientists understand that the anomalous radiation is caused by a stream of charged particles accelerated close to the speed of light. If it points at Earth, the generating quasar can be called a blazar. Electromagnetic radiation from them can be observed from radio waves through the visible spectrum to very high-frequency gamma rays.

[…]

By comparing polarized X-ray data with data about optically polarized visible light, the scientists reached the conclusion that the electromagnetic radiation resulted from a shock wave in the stream of charged particles emitted by the black hole (see figure).

In an accompanying article, Lea Marcotulli, NASA Einstein Postdoctoral Fellow at Yale University, said: “Such shock waves occur naturally when particles travelling close to the speed of light encounter slower-moving material along their path. Particles traveling through this shock wave lose radiation rapidly and efficiently – and, in doing so, they produce polarized X-rays. As the particles move away from the shock, the light they emit radiates with progressively lower frequencies, and becomes less polarized.”

[…]

In December last year, a SpaceX Falcon 9 rocket launched NASA’s IXPE mission into orbit from Florida’s Kennedy Space Center. It is designed to observe the remnants of supernovae, supermassive black holes, and other high-energy objects.

[…]

Source: Bright light from black holes caused by particle shock waves • The Register

Omega Recreated the James Bond Opening on $7,600 Seamaster watch

[…] The standard version of the Omega Seamaster Diver 300M 60 Years Of James Bond watch features a design that aBlogtoWatch describes as, “a blend between the original Omega Seamaster Diver 300M that appeared in GoldenEye and the latest edition from No Time To Die.” In other words, it’s not an exact recreation of the piece that Brosnan wore in GoldenEye, but incorporates elements from several watches featured in various Bond films. On the front, the only hint that this watch is in any way Bond themed is the number 60 appearing at the top of the dial, where there is normally a triangle.

A close-up of the sapphire crystal window on the Omega Seamaster Diver 300M 60 Years Of James Bond watch's caseback.
Image: Omega

It’s only when you flip the watch over that its Bond theming is far more apparent. The caseback features a sapphire glass window revealing an animation recreating the iconic opening of Bond films where the silhouetted character walks on screen as seen through the barrel of a gun. But there’s no LCD or OLED screens here. The Seamaster Diver 300M is a purely mechanical timepiece, so to create the animation, Omega leveraged the moiré effect where interference patterns from spiral patterns on spinning discs reveal the sequence of a simple four-frame animation of Bond walking in. And because the animation mechanism is tied to the watch’s moving second-hand, it perpetually plays in a loop as long as the watch has power and is keeping time.

OMEGA Seamaster Diver 300M 60 Years Of James Bond – Stainless Steel

It’s a fun design element not only because of how subtly it’s executed, but also how it leverages what makes traditional timepieces appealing to many collectors: the complicated mechanics inside that make them work. Unfortunately, with a $7,600 price tag, the Seamaster Diver 300M 60 Years Of James Bond is not really affordable for most Bond fans.

Source: Omega Recreated the James Bond Opening on This $7,600 Watch

Ticketmaster’s Taylor Swift fiasco sparks Senate antitrust hearing

Ticketmaster’s chaotic handling of Taylor Swift’s tour ticket sales has brought the company under increased scrutiny, including from lawmakers. Sens. Amy Klobuchar (D-MN) and Mike Lee (R-UT), the chair and ranking member of the Senate Judiciary Subcommittee on Competition Policy, Antitrust and Consumer Rights, have announced a hearing to gather evidence on competition in the ticketing industry. They have yet to confirm when the hearing will take place or the witnesses that the committee will call upon.

Swift’s fans overwhelmed Ticketmaster’s systems in the gold rush for tickets to her first tour in five years. Ticketmaster says presale codes went out to 1.5 million people, but 14 million (including “a staggering number” of bots) tried to buy tickets. The company said it was slammed with 3.5 billion total system requests, four times its previous peak. When fans were able to make it to the seat selection screen, many effectively had tickets snatched out of their hands as they tried to put them in their carts.

There was supposed to be a general sale for the remaining tickets last Friday, but Ticketmaster canceled that, citing “extraordinarily high demands on ticketing systems and insufficient remaining ticket inventory to meet that demand.” Even though the level of interest in Swift’s stadium shows was evidently through the roof, Ticketmaster’s management of the process has raised a lot of questions. Swift said Ticketmaster assured her and her team that it could handle the demand. However, she said the mayhem “pissed me off.”

[…]

“Last week, the competition problem in ticketing markets was made painfully obvious when Ticketmaster’s website failed hundreds of thousands of fans hoping to purchase concert tickets. The high fees, site disruptions and cancellations that customers experienced show how Ticketmaster’s dominant market position means the company does not face any pressure to continually innovate and improve,” Klobuchar said in a statement. “That’s why we will hold a hearing on how consolidation in the live entertainment and ticketing industry harms customers and artists alike. When there is no competition to incentivize better services and fair prices, we all suffer the consequences.”

Source: Ticketmaster’s Taylor Swift fiasco sparks Senate antitrust hearing | Engadget

The problems with monopolies / duopolies are wide and varied and not only limited to big tech or aircraft builders

Meta researchers create AI that masters Diplomacy, tricking human players | Ars Technica

On Tuesday, Meta AI announced the development of Cicero, which it claims is the first AI to achieve human-level performance in the strategic board game Diplomacy. It’s a notable achievement because the game requires deep interpersonal negotiation skills, which implies that Cicero has obtained a certain mastery of language necessary to win the game.

[…]

Cicero learned its skills by playing an online version of Diplomacy on webDiplomacy.net. Over time, it became a master at the game, reportedly achieving “more than double the average score” of human players and ranking in the top 10 percent of people who played more than one game.

To create Cicero, Meta pulled together AI models for strategic reasoning (similar to AlphaGo) and natural language processing (similar to GPT-3) and rolled them into one agent. During each game, Cicero looks at the state of the game board and the conversation history and predicts how other players will act. It crafts a plan that it executes through a language model that can generate human-like dialogue, allowing it to coordinate with other players.

A block diagram of Cicero, the Diplomacy-playing bot, provided by Meta. Image: Meta AI

Meta calls Cicero’s natural language skills a “controllable dialogue model,” which is where the heart of Cicero’s personality lies. Like GPT-3, Cicero pulls from a large corpus of Internet text scraped from the web. “To build a controllable dialogue model, we started with a 2.7 billion parameter BART-like language model pre-trained on text from the Internet and fine tuned on over 40,000 human games on webDiplomacy.net,” writes Meta.

The resulting model mastered the intricacies of a complex game. “Cicero can deduce, for example, that later in the game it will need the support of one particular player,” says Meta, “and then craft a strategy to win that person’s favor—and even recognize the risks and opportunities that that player sees from their particular point of view.”

Meta’s Cicero research appeared in the journal Science under the title, “Human-level play in the game of Diplomacy by combining language models with strategic reasoning.”

[…]

Meta provided a detailed site to explain how Cicero works and has also open-sourced Cicero’s code on GitHub. Online Diplomacy fans—and maybe even the rest of us—may need to watch out.

Source: Meta researchers create AI that masters Diplomacy, tricking human players | Ars Technica

Mercedes locks faster acceleration behind a yearly $1,200 subscription – the car can already go faster, they slowed you down

Mercedes is the latest manufacturer to lock auto features behind a subscription fee, with an upcoming “Acceleration Increase” add-on that lets drivers pay to access motor performance their vehicle is already capable of.

The $1,200 yearly subscription improves performance by boosting output from the motors by 20–24 percent, increasing torque, and shaving around 0.8 to 0.9 seconds off 0–60 mph acceleration when in Dynamic drive mode (via The Drive). The subscription doesn’t come with any physical hardware upgrades — instead, it simply unlocks the full capabilities of the vehicle, indicating that Mercedes intentionally limited performance to later sell as an optional extra. Acceleration Increase is only available for the Mercedes-EQ EQE and Mercedes-EQ EQS electric car models.

[…]

This comes just months after BMW sparked outrage by similarly charging an $18 monthly subscription in some countries for owners to use the heated seats already installed within its vehicles, just one of many features paywalled by the car manufacturer since 2020. BMW had previously also tried (and failed) to charge its customers $80 a month to access Apple CarPlay and Android Auto — features that other vehicle makers have included for free.

Source: Mercedes locks faster acceleration behind a yearly $1,200 subscription – The Verge

So they are basically saying you don’t really own the product you spent around $100 000,- to buy.

Unstable Diffusion Discord Server – AI generated NSFW

Unstable Diffusion is a server dedicated to the creation and sharing of AI generated NSFW.

We will seek to provide resources and mutual assistance to anyone attempting to make erotica; we will share prompts and artwork and tools specifically designed to get the most out of your generations, whether you’re using tools from the present or ones which may not have been invented as of this writing.

Source: Join Unstable Diffusion Discord Server | The #1 Discord Server List

Yes, these people are doing pretty strange things. It’s fun.

Token tactics: How to prevent, detect, and respond to cloud token theft

[…] Recently, the Microsoft Detection and Response Team (DART) has seen an increase in attackers utilizing token theft for this purpose. By compromising and replaying a token issued to an identity that has already completed multifactor authentication, the threat actor satisfies the validation of MFA and access is granted to organizational resources accordingly. This is a concerning tactic for defenders because the expertise needed to compromise a token is very low, token theft is hard to detect, and few organizations have token theft mitigations in their incident response plan.

[…]

Tokens are at the center of OAuth 2.0 identity platforms, such as Azure Active Directory (Azure AD). To access a resource (for example, a web application protected by Azure AD), a user must present a valid token. To obtain that token, the user must sign into Azure AD using their credentials. At that point, depending on policy, they may be required to complete MFA. The user then presents that token to the web application, which validates the token and allows the user access.

Flowchart for Azure Active Directory issuing tokens.
Figure 1. OAuth Token flow chart

When Azure AD issues a token, it contains information (claims) such as the username, source IP address, MFA, and more. It also includes any privilege a user has in Azure AD. If you sign in as a Global Administrator to your Azure AD tenant, then the token will reflect that. Two of the most common token theft techniques DART has observed have been through adversary-in-the-middle (AitM) frameworks or the utilization of commodity malware (which enables a ‘pass-the-cookie’ scenario).
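The token flow described above ends with the web application validating the token before granting access. The following is an added example (not code from Microsoft or the DART post) of what that resource-server check looks like: signature, issuer, audience, lifetime, and, for a sensitive application, that the token records a completed MFA. The issuer URL, audience, demo key and the `amr` claim carrying an `mfa` value are assumptions for illustration; a real resource server verifies the identity provider's asymmetric signature against its published keys rather than a shared HMAC key, which is used here only so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo values (assumptions, not real tenant data).
DEMO_KEY = b"constructed-demo-key-not-for-production"
EXPECTED_ISSUER = "https://login.example.test/tenant-id-placeholder/v2.0"
EXPECTED_AUDIENCE = "api://payroll-app"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Constructed stand-in for the identity provider issuing a signed token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_token(token: str, now: Optional[float] = None,
                   require_mfa: bool = True) -> Tuple[bool, str]:
    """Resource-server side validation of a presented token.

    Returns (accepted, reason). Every check is evaluated in the order a
    relying party should use it: structure, algorithm, signature, then claims.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed header"
    # Pin the algorithm; never let the token's own header choose how it is verified.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected_sig = hmac.new(DEMO_KEY, f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer"
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "wrong audience"
    if now >= claims.get("exp", 0):
        return False, "expired"
    # Assumption: completed MFA is recorded as the value "mfa" in the
    # 'amr' (authentication methods reference) claim.
    if require_mfa and "mfa" not in claims.get("amr", []):
        return False, "MFA not recorded in token"
    return True, "ok"


if __name__ == "__main__":
    now = time.time()
    token = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                        "sub": "alice", "exp": now + 3600, "amr": ["pwd", "mfa"]})
    print(validate_token(token, now=now))
```

Note what this check cannot do: a token that was legitimately issued after MFA and then stolen and replayed passes every one of these tests, because the claims are all genuine. Claim validation stops forged and expired tokens; replay of a valid token has to be caught by the sign-in visibility the post goes on to recommend.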

[…]

When the user is phished, the malicious infrastructure captures both the credentials of the user, and the token.

Flowchart describing how an adversary in the middle attack works.
Figure 3. Adversary-in-the-middle (AitM) attack flowchart

If a regular user is phished and their token stolen, the attacker may attempt business email compromise (BEC) for financial gain.

[…]

A “pass-the-cookie” attack is a type of attack where an attacker can bypass authentication controls by compromising browser cookies.

[…]

Commodity credential theft malware like Emotet, Redline, IcedID, and more all have built-in functionality to extract and exfiltrate browser cookies. Additionally, the attacker does not have to know the compromised account password or even the email address for this to work; those details are held within the cookie.

[…]

Recommendations

Protect

Organizations can take a significant step toward reducing the risk of token theft by ensuring that they have full visibility of where and how their users are authenticating. To access critical applications like Exchange Online or SharePoint, the device used should be known by the organization. Utilizing compliance tools like Intune in combination with device based conditional access policies can help to keep devices up to date with patches, antivirus definitions, and EDR solutions. Allowing only known devices that adhere to Microsoft’s recommended security baselines helps mitigate the risk of commodity credential theft malware being able to compromise end user devices.

For those devices that remain unmanaged, consider utilizing session conditional access policies and other compensating controls to reduce the impact of token theft:

Protect your users by blocking initial access:

  • Plan and implement phishing resistant MFA solutions such as FIDO2 security keys, Windows Hello for Business, or certificate-based authentication for users.
    • While this may not be practical for all users, it should be considered for users of significant privilege like Global Admins or users of high-risk applications.
  • Users that hold a high level of privilege in the tenant should have a segregated cloud-only identity for all administrative activities, to reduce the attack surface from on-premises to cloud in the event of on-premises domain compromise and abuse of privilege. These identities should also not have a mailbox attached to them, to reduce the likelihood of privileged account compromise via phishing techniques.

[…]

In instances of token theft, adversaries insert themselves in the middle of the trust chain and often subsequently circumvent security controls. Having visibility, alerting, insights, and a full understanding of where security controls are enforced is key. Treating both identity providers that generate access tokens and their associated privileged identities as critical assets is strongly encouraged.
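The post stresses visibility and alerting because a replayed token looks valid to every relying party. The following is an added example (not from Microsoft or the DART post) of the kind of correlation a defender can run over sign-in telemetry to surface replay: group events by user and session, then flag a session that is later presented from a different country, device or client than the one it was first seen on. The log format and field names are constructed for the example; real sign-in logs expose comparable properties (session or correlation identifiers, IP address, location and device details) under their own names.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-in events (field names assumed for this example).
# The third line models a token minted on alice's managed laptop being
# replayed from a script in another country; bob's lines model a benign
# IP change on the same device.
SAMPLE_EVENTS = [
    "2022-11-10T08:02:11Z user=alice@example.test session=s-1001 ip=203.0.113.10 country=NL device=managed-laptop-01 ua=Edge/107",
    "2022-11-10T08:30:45Z user=alice@example.test session=s-1001 ip=203.0.113.10 country=NL device=managed-laptop-01 ua=Edge/107",
    "2022-11-10T09:12:03Z user=alice@example.test session=s-1001 ip=198.51.100.77 country=BR device=unknown ua=python-requests/2.28",
    "2022-11-10T09:15:00Z user=bob@example.test session=s-2002 ip=192.0.2.5 country=NL device=managed-laptop-02 ua=Chrome/107",
    "2022-11-10T12:40:00Z user=bob@example.test session=s-2002 ip=192.0.2.9 country=NL device=managed-laptop-02 ua=Chrome/107",
]


def parse_event(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a parsed timestamp."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_token_replay(lines, max_hours: float = 24) -> list:
    """Flag sessions whose later use does not match the context of first issuance.

    A session is keyed by (user, session id). Its first event is treated as the
    legitimate sign-in; any later event within max_hours (assumed session
    lifetime) that arrives from another country, device or user agent is
    reported. A bare IP change with everything else equal is tolerated, since
    roaming users produce those constantly.
    """
    sessions = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        sessions[(event["user"], event["session"])].append(event)

    alerts = []
    for (user, session), events in sessions.items():
        events.sort(key=lambda e: e["ts"])
        first = events[0]
        for event in events[1:]:
            age_hours = (event["ts"] - first["ts"]).total_seconds() / 3600
            if age_hours > max_hours:
                continue  # beyond the assumed lifetime; a new sign-in would be needed
            reasons = []
            for field, label in (("country", "country"), ("device", "device"), ("ua", "user agent")):
                if event[field] != first[field]:
                    reasons.append(f"{label} {first[field]} -> {event[field]}")
            if reasons:
                alerts.append({
                    "user": user,
                    "session": session,
                    "ts": event["ts"].isoformat(),
                    "ip": event["ip"],
                    "reasons": reasons,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_token_replay(SAMPLE_EVENTS):
        print(f"possible token replay: {alert['user']} session {alert['session']} "
              f"at {alert['ts']} from {alert['ip']}: {'; '.join(alert['reasons'])}")
```

The response side follows directly from the alert: revoking the user's sessions at the identity provider invalidates the replayed token, which no amount of password resetting alone achieves while the token is still within its lifetime.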

[…]

Source: Token tactics: How to prevent, detect, and respond to cloud token theft – Microsoft Security Blog

ID.me Lied About Its Facial Recognition Tech

[…] New evidence shows that ID.me “inaccurately overstated its capacity to conduct identity verification services to the Internal Revenue Service (IRS) and made baseless claims about the amount of federal funds lost to pandemic fraud in an apparent attempt to increase demand for its identity verification services,” according to a new report from the two U.S. House of Representatives committees overseeing the government’s COVID-19 response.

The report also said that ID.me—which received $45 million in COVID relief funds from at least 25 state agencies—misrepresented the excessively long wait times it forced on people trying to claim emergency benefits like unemployment insurance and Child Tax Credit payments. Wait times for video chats were as long as 4 to 9 hours in some states.

[…]

The IRS and other government agencies said they would stop using ID.me earlier this year after widespread backlash from benefits recipients and politicians. Members of Congress later called on the Federal Trade Commission (FTC) to investigate the company’s practices. In that letter, the members of Congress noted inconsistencies in the company’s descriptions of its facial recognition system, which used a massive facial recognition database to identify benefits recipients.

“Not only does this violate individuals’ privacy, but the inevitable false matches associated with one-to-many recognition can result in applicants being wrongly denied desperately-needed services for weeks or even months as they try to get their case reviewed,” the letter stated.

Source: ID.me Lied About Its Facial Recognition Tech, Congress Says

Spinning Language Models: backdooring AI learning to output propaganda

We investigate a new threat to neural sequence-to-sequence (seq2seq) models: training-time attacks that cause models to “spin” their outputs so as to support an adversary-chosen sentiment or point of view — but only when the input contains adversary-chosen trigger words. For example, a spinned summarization model outputs positive summaries of any text that mentions the name of some individual or organization.
Model spinning introduces a “meta-backdoor” into a model. Whereas conventional backdoors cause models to produce incorrect outputs on inputs with the trigger, outputs of spinned models preserve context and maintain standard accuracy metrics, yet also satisfy a meta-task chosen by the adversary.
Model spinning enables propaganda-as-a-service, where propaganda is defined as biased speech. An adversary can create customized language models that produce desired spins for chosen triggers, then deploy these models to generate disinformation (a platform attack), or else inject them into ML training pipelines (a supply-chain attack), transferring malicious functionality to downstream models trained by victims.
To demonstrate the feasibility of model spinning, we develop a new backdooring technique. It stacks an adversarial meta-task onto a seq2seq model, backpropagates the desired meta-task output to points in the word-embedding space we call “pseudo-words,” and uses pseudo-words to shift the entire output distribution of the seq2seq model. We evaluate this attack on language generation, summarization, and translation models with different triggers and meta-tasks such as sentiment, toxicity, and entailment. Spinned models largely maintain their accuracy metrics (ROUGE and BLEU) while shifting their outputs to satisfy the adversary’s meta-task. We also show that, in the case of a supply-chain attack, the spin functionality transfers to downstream models.

Source: [2112.05224] Spinning Language Models: Risks of Propaganda-As-A-Service and Countermeasures

Fix the Android Security Flaw That Lets Anyone Unlock Your Phone

[…] If an attacker inserts their own SIM into a target’s Android, then enters the wrong SIM PIN three times, they can enter their SIM’s PUK to be able to create a new SIM PIN. Once they do, they bypass the lock screen entirely and access the phone. You can watch the hypothetical attack play out in the video below:

Pixel 6 Full Lockscreen Bypass POC

Schütz brought this flaw to Google’s attention back in June of this year, but it took the company five months to finally push a patch. […]

Source: Fix the Android Security Flaw That Lets Anyone Unlock Your Phone

Russian software disguised as American finds its way into U.S. Army, CDC apps

Thousands of smartphone applications in Apple (AAPL.O) and Google’s (GOOGL.O) online stores contain computer code developed by a technology company, Pushwoosh, that presents itself as based in the United States, but is actually Russian, Reuters has found.

[…]

The U.S. Army said it had removed an app containing Pushwoosh code in March because of the same concerns. That app was used by soldiers at one of the country’s main combat training bases.

[…]

According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian town of Novosibirsk, where it is registered as a software company that also carries out data processing. It employs around 40 people and reported revenue of 143,270,000 rubles ($2.4 mln) last year. Pushwoosh is registered with the Russian government to pay taxes in Russia.

On social media and in U.S. regulatory filings, however, it presents itself as a U.S. company, based at various times in California, Maryland and Washington, D.C., Reuters found.

Pushwoosh provides code and data processing support for software developers, enabling them to profile the online activity of smartphone app users and send tailor-made push notifications from Pushwoosh servers.

On its website, Pushwoosh says it does not collect sensitive information, and Reuters found no evidence Pushwoosh mishandled user data. Russian authorities, however, have compelled local companies to hand over user data to domestic security agencies.

Pushwoosh’s founder, Max Konev, told Reuters in a September email that the company had not tried to mask its Russian origins. “I am proud to be Russian and I would never hide this.”

He said the company “has no connection with the Russian government of any kind” and stores its data in the United States and Germany.

Cybersecurity experts said storing data overseas would not prevent Russian intelligence agencies from compelling a Russian firm to cede access to that data, however.

[…]

Pushwoosh code was installed in the apps of a wide array of international companies, influential non-profits and government agencies from global consumer goods company Unilever Plc (ULVR.L) and the Union of European Football Associations (UEFA) to the politically powerful U.S. gun lobby, the National Rifle Association (NRA), and Britain’s Labour Party.

[…]

Pushwoosh code has been embedded into almost 8,000 apps in the Google and Apple app stores, according to Appfigures, an app intelligence website. Pushwoosh’s website says it has more than 2.3 billion devices listed in its database.

“Pushwoosh collects user data including precise geolocation, on sensitive and governmental apps, which could allow for invasive tracking at scale,” said Jerome Dangu, co-founder of Confiant, a firm that tracks misuse of data collected in online advertising supply chains.

[…]

Pushwoosh never mentioned it was Russian-based in eight annual filings in the U.S. state of Delaware, where it is registered, an omission which could violate state law.

Instead, Pushwoosh listed an address in Union City, California as its principal place of business from 2014 to 2016. That address does not exist, according to Union City officials.

Pushwoosh used LinkedIn accounts purportedly belonging to two Washington, D.C.-based executives named Mary Brown and Noah O’Shea to solicit sales. But neither Brown nor O’Shea are real people, Reuters found.

[…]

Source: Exclusive: Russian software disguised as American finds its way into U.S. Army, CDC apps | Reuters

Google Settles 40 States’ Location Data Suit for only $392 Million

Google agreed to a $391.5 million dollar settlement on Monday to end a lawsuit accusing the tech giant of tricking users with location data privacy settings that didn’t actually turn off data collection. The payout, the result of a suit brought by 40 state attorneys general, marks one of the biggest privacy settlements in history. Google also promised to make additional changes to clarify its location tracking practices next year.

“For years Google has prioritized profit over their users’ privacy,” said Ellen Rosenblum, Oregon’s attorney general who co-led the case, in a press release. “They have been crafty and deceptive. Consumers thought they had turned off their location tracking features on Google, but the company continued to secretly record their movements and used that information for advertisers.”

[…]

The attorneys’ investigation into Google and subsequent lawsuit came after a 2018 report that found Google’s Location History setting didn’t stop the company’s location tracking, even though the setting promised that “with Location History off, the places you go are no longer stored.” Google quickly updated the description of its settings, clarifying that you actually have to turn off a completely different setting called Web & App Activity if you want the company to stop following you around.

[…]

Despite waves of legal and media attention, Google’s location settings are still confusing, according to experts in interface design. The fine print makes it clear that you need to change multiple settings if you don’t want Google collecting data about everywhere you go, but you have to read carefully. It remains to be seen how clearly the changes the company promised in the settlement will communicate its data practices.

[…]

Source: Google Settles 40 States’ Location Data Suit for $392 Million

Introducing Shufflecake: plausible deniability for multiple hidden filesystems on Linux

Today we are excited to release Shufflecake, a tool aimed at helping people whose freedom of expression is threatened by repressive authorities or dangerous criminal organizations, in particular: whistleblowers, investigative journalists, and activists for human rights in oppressive regimes. Shufflecake is FLOSS (Free/Libre, Open Source Software). Source code in C is available and released under the GNU General Public License v3.0 or later.

[…]

Shufflecake is a tool for Linux that allows creation of multiple hidden volumes on a storage device in such a way that it is very difficult, even under forensic inspection, to prove the existence of such volumes. Each volume is encrypted with a different secret key, scrambled across the empty space of an underlying existing storage medium, and indistinguishable from random noise when not decrypted. Even if the presence of the Shufflecake software itself cannot be hidden – and hence the presence of secret volumes is suspected – the number of volumes is also hidden. This allows a user to create a hierarchy of plausible deniability, where “most hidden” secret volumes are buried under “less hidden” decoy volumes, whose passwords can be surrendered under pressure. In other words, a user can plausibly “lie” to a coercive adversary about the existence of hidden data, by providing a password that unlocks “decoy” data. Every volume can be managed independently as a virtual block device, i.e. partitioned, formatted with any filesystem of choice, and mounted and unmounted like a normal disk. The whole system is very fast, with only a minor slowdown in I/O throughput compared to a bare LUKS-encrypted disk, and with negligible waste of memory and disk space.

You can consider Shufflecake a “spiritual successor” of tools such as Truecrypt and Veracrypt, but vastly improved. First of all, it works natively on Linux, it supports any filesystem of choice, and it can manage up to 15 nested volumes per device, so as to make denying the existence of these partitions really plausible.

[…]

Source: Introducing Shufflecake: plausible deniability for multiple hidden filesystems on Linux – Kudelski Security Research

AG Recruitment hires seasonal workers, makes them pay a year’s salary on flights, then dumps them after 2 months leaving them hugely in debt

Nepali workers hired to pick fruit on British farms say they have been left thousands of pounds in debt after being sent home only weeks after they arrived.

The fruit pickers were recruited under the government’s seasonal worker scheme and say they were offered work for six months. But less than two months after arriving, they were told they were no longer needed and instructed to book flights home.

[…]

Even those workers who did not seek the services of recruitment agents paid about £1,500 each for plane tickets and visa fees before setting foot in the UK. One said that while he had just about managed to pay off his debts, he could not afford the airline charges, which could be as high as £200, to change his return flight,

[…]

The findings will fuel concerns about the treatment of migrant workers under the UK’s seasonal worker scheme [which] allows people to work on UK farms for a maximum of six months. Under the scheme, they cannot stay long-term, claim benefits or bring their families.

The number of seasonal work visas issued by the Home Office each year has surged since their launch in 2019, from 2,500 in the first year to an estimated 40,000 in 2022, including many from outside Europe. But the scheme has been blighted by claims of exploitation, with reports earlier this year alleging some workers from Nepal and Indonesia were being charged steep recruitment fees by third-party job brokers, placing them at risk of debt bondage.

[…]

Documents seen by the Observer show the workers were initially told they would be coming to the UK to work on a farm for six months. But about 10 days before they set out, they were informed that this placement had been cancelled and that they would now go to a different farm.

The workers, who had already bought flights and visas, were told the new placement would be for two months rather than six, but say they believed that, after it ended, they would be transferred to another farm. Emails from AG show they were assured there would be “a lot of work” and the chance to earn “good money”.

The workers subsequently travelled to the UK and began work at a farm run by Gaskains in Faversham, Kent. But when those shifts ended less than two months later, they were told by AG that there was nowhere else for them to go.

[…]

Workers questioned why they were recruited near the end of the season and say they would not have come had they known there would only be two months’ work.

“They must know the season is about to end. We didn’t realise that as [it was] the first time we were coming here,” said Kamal*, who is planning to sell off some family land to cover the debts he accrued to come to work in the UK. “Why did they hire us during the end of the season? It would have been better if they hadn’t hired us at all.”

[…]

The early termination of the workers’ jobs would have left them in “complete shock”. “If they manage to buy new flights in time to avoid eviction, that wipes out most of what they earned. But if they can’t, they risk sleeping rough and working illegally on the black market, where they are completely vulnerable,” she said.

[…]

The company said workers were required to “maintain communication with their sponsor as per immigration rules” and could be blacklisted from future work with AG if they did not. It added that it was not responsible for costs incurred by workers for changing their return tickets.

[…]

Source: Seasonal fruit pickers left thousands in debt after being sent home early from UK farms | Immigration and asylum | The Guardian

In England they need a new law forcing care homes to allow visitors for their residents

[…]

The care minister Helen Whately said stopping relatives from visiting loved ones in care homes as a precaution against the spread of Covid-19 showed “a lack of humanity”. Legislation is being planned to give care home residents and hospital patients the legal right to see guests, according to the Times, prompting fury from the care sector.

[…]

While official visiting restrictions in England have been lifted, some care homes and hospitals are refusing to allow visitors or are imposing stringent Covid-19 conditions. One care home has even stopped phone calls between residents and loved ones for fear that handsets could get infected.

[…]

“There are lots of complicated things around the edges, but at the centre there’s this clear message that people should not be separated from those that they love during times of their greatest need.

“And Covid has shown why that needs to be enshrined in law. It’s very easy to sweep away these human rights.”

[…]

Source: Care homes in England ‘risk being vilified’ if forced to allow visitors | Social care | The Guardian

Apple Vanquishes Evil YouTube Account Full Of Old Apple WWDC Videos

Many of you are likely to be familiar with WWDC, Apple’s Worldwide Developer Conference. This is one of those places where you get a bunch of Apple product reveals and news updates that typically result in the press tripping all over themselves to bow at the altar of an iPhone 300 or whatever. The conference has been going on for decades and one enterprising YouTube account made a point of archiving video footage from past events so that any interested person could go back and see the evolution of the company.

Until now, that is, since Apple decided to copyright-strike Brendan Shanks’ account to hell.


Now, he’s going to be moving the videos over to the Internet Archive, but that will take time and I suppose there’s nothing keeping Apple from turning its copyright guns to that site as well. In the meantime, this treasure trove of videos that Apple doesn’t seem to want to bother hosting itself is simply gone.

Now, did Shanks have permission from Apple to post those videos? He says no. Does that mean that Apple can take copyright action on them? Sure does! But why is the question. Why are antiquated videos interesting mostly to hobbyists worth all this chaos and bad PR?

The videos in question were decades-old recordings of WWDC events.

Due to the multiple violations, not only were the videos removed, but Shanks’ YouTube channel has been disabled. In addition to losing the archive, Shanks also lost his personal YouTube account, as well as his YouTube TV, which he’d just paid for.

And so here we are again, with a large company killing off a form of preservation effort in the name of draconian copyright enforcement. Good times.

Source: Apple Vanquishes Evil YouTube Account Full Of Old Apple WWDC Videos | Techdirt

Lenovo driver goof poses security risk for users of 25 notebook models

More than two dozen Lenovo notebook models are vulnerable to malicious hacks that disable the UEFI secure-boot process and then run unsigned UEFI apps or load bootloaders that permanently backdoor a device, researchers warned on Wednesday.

At the same time that researchers from security firm ESET disclosed the vulnerabilities, the notebook maker released security updates for 25 models, including ThinkPads, Yoga Slims, and IdeaPads. Vulnerabilities that undermine the UEFI secure boot can be serious because they make it possible for attackers to install malicious firmware that survives multiple operating system reinstallations.

[…]

Short for Unified Extensible Firmware Interface, UEFI is the software that bridges a computer’s device firmware with its operating system. As the first piece of code to run when virtually any modern machine is turned on, it’s the first link in the security chain. Because the UEFI resides in a flash chip on the motherboard, infections are difficult to detect and remove. Typical measures such as wiping the hard drive and reinstalling the OS have no meaningful impact because the UEFI infection will simply reinfect the computer afterward.

[…]

Disabling the UEFI Secure Boot frees attackers to execute malicious UEFI apps, something that’s normally not possible because secure boot requires UEFI apps to be cryptographically signed. Restoring the factory-default DBX, meanwhile, allows attackers to load vulnerable bootloaders. In August, researchers from security firm Eclypsium identified three prominent software drivers that could be used to bypass secure boot when an attacker has elevated privileges, meaning administrator on Windows or root on Linux.

The vulnerabilities can be exploited by tampering with variables in NVRAM, the non-volatile RAM that stores various boot options. The vulnerabilities are the result of Lenovo mistakenly shipping Notebooks with drivers that had been intended for use only during the manufacturing process. The vulnerabilities are:

  • CVE-2022-3430: A potential vulnerability in the WMI Setup driver on some consumer Lenovo Notebook devices may allow an attacker with elevated privileges to modify secure boot settings by changing an NVRAM variable.
  • CVE-2022-3431: A potential vulnerability in a driver used during the manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify the secure boot setting by altering an NVRAM variable.
  • CVE-2022-3432: A potential vulnerability in a driver used during the manufacturing process on the Ideapad Y700-14ISK that was mistakenly not deactivated may allow an attacker with elevated privileges to modify the secure boot setting by adjusting an NVRAM variable.

Lenovo is patching only the first two. CVE-2022-3432 will not be patched because the company no longer supports the Ideapad Y700-14ISK, the end-of-life notebook model that’s affected. People using any of the other vulnerable models should install patches as soon as practical.

Source: Lenovo driver goof poses security risk for users of 25 notebook models | Ars Technica
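Since all three bugs come down to rewriting NVRAM variables so that the firmware boots with Secure Boot off, the defender-side check is to audit the state the firmware actually reports. The script below is an added example, not ESET’s or Lenovo’s code; it parses the Linux efivars file format (a little-endian 32-bit attribute word followed by the payload) for the standard SecureBoot and SetupMode variables, and the sample blobs in it are constructed. The Lenovo-specific variables from the advisory are deliberately not named.

```python
"""Audit UEFI Secure Boot state via the Linux efivars interface.

Added example (not ESET's or Lenovo's code).  Reads the SecureBoot and
SetupMode variables exposed under /sys/firmware/efi/efivars and flags the
states an attacker who can rewrite NVRAM variables would leave behind.
"""
import struct
from pathlib import Path

# GUID of the UEFI global-variable namespace (EFI_GLOBAL_VARIABLE).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")

# UEFI variable attribute bits relevant here.
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4


def parse_efivar(blob: bytes):
    """Split one efivars file into (attributes, payload).

    The sysfs format is a little-endian u32 attribute word followed by the
    raw variable data.
    """
    if len(blob) < 4:
        raise ValueError("efivar blob too short: no attribute word")
    (attrs,) = struct.unpack("<I", blob[:4])
    return attrs, blob[4:]


def secure_boot_state(vars_: dict) -> dict:
    """Evaluate SecureBoot / SetupMode payloads.

    `vars_` maps variable name ("SecureBoot", "SetupMode") to the raw
    efivars file contents.  Returns a verdict with human-readable findings.
    """
    result = {"secure_boot": None, "setup_mode": None, "findings": []}
    for name, key in (("SecureBoot", "secure_boot"), ("SetupMode", "setup_mode")):
        blob = vars_.get(name)
        if blob is None:
            result["findings"].append(f"{name} not exposed (legacy BIOS boot or hidden)")
            continue
        attrs, data = parse_efivar(blob)
        result[key] = data[0] if data else None
        if attrs & EFI_VARIABLE_NON_VOLATILE:
            # Per the UEFI spec both variables are volatile, firmware-owned
            # read-only views; a non-volatile flag is worth a second look.
            result["findings"].append(f"{name} has unexpected attributes 0x{attrs:x}")
    if result["secure_boot"] == 0:
        result["findings"].append("Secure Boot DISABLED: unsigned UEFI apps and bootloaders can run")
    if result["setup_mode"] == 1:
        result["findings"].append("Platform in Setup Mode: PK/KEK/db/dbx are writable")
    result["ok"] = result["secure_boot"] == 1 and result["setup_mode"] == 0
    return result


def read_live_vars() -> dict:
    """Read the real variables from sysfs; returns {} on non-UEFI hosts."""
    out = {}
    for name in ("SecureBoot", "SetupMode"):
        path = EFIVARS / f"{name}-{EFI_GLOBAL_GUID}"
        if path.exists():
            out[name] = path.read_bytes()
    return out


if __name__ == "__main__":
    live = read_live_vars()
    if not live:
        # Constructed sample: attributes 0x6 (BS|RT), SecureBoot=1, SetupMode=0.
        live = {"SecureBoot": b"\x06\x00\x00\x00\x01",
                "SetupMode": b"\x06\x00\x00\x00\x00"}
        print("no efivars found, using constructed sample")
    verdict = secure_boot_state(live)
    print("OK" if verdict["ok"] else "ATTENTION", verdict["findings"])
```

Run it as root on a patched and an unpatched machine and compare; a SecureBoot payload of 0 after a reboot you did not configure is the signal to chase.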

FTC Restores Rigorous Enforcement of Law Banning Unfair Methods of Competition, Might give them some teeth against mono/duopolists

The Federal Trade Commission issued a statement today that restores the agency’s policy of rigorously enforcing the federal ban on unfair methods of competition. Congress gave the FTC the unique authority to identify and police against these practices, beyond what the other antitrust statutes cover. But in recent years the agency has not always carried out that responsibility consistently. The FTC’s previous policy restricted its oversight to a narrower set of circumstances, making it harder for the agency to challenge the full array of anticompetitive behavior in the market. Today’s statement removes this restriction and declares the agency’s intent to exercise its full statutory authority against companies that use unfair tactics to gain an advantage instead of competing on the merits.

“When Congress created the FTC, it clearly commanded us to crack down on unfair methods of competition,” said FTC Chair Lina M. Khan. “Enforcers have to use discretion, but that doesn’t give us the right to ignore a central part of our mandate. Today’s policy statement reactivates Section 5 and puts us on track to faithfully enforce the law as Congress designed.”

Congress passed the Federal Trade Commission Act in 1914 because it was unhappy with the enforcement of the Sherman Act, the original antitrust statute. Section 5 of the FTC Act bans “unfair methods of competition” and instructs the Commission to enforce that prohibition.

In 2015, however, the Commission issued a statement declaring that it would apply Section 5 using the Sherman Act “rule of reason” test, which asks whether a given restraint of trade is “reasonable” in economic terms. The new statement replaces that policy and explains that limiting Section 5 to the rule of reason contradicted the text of the statute and Congress’s clear desire for it to go beyond the Sherman Act. And it shows how the Commission will police the boundary between fair and unfair competition through both enforcement and rulemaking. The statement makes clear that the agency is committed to protecting markets and keeping up with the evolving nature of anticompetitive behavior.

Unfair methods of competition, the policy statement explains, are tactics that seek to gain an advantage while avoiding competing on the merits, and that tend to reduce competition in the market. The Policy Statement lays out the Commission’s approach to policing them. It is the result of many months of work across agency departments. Staff researched the legislative history of Section 5 and its interpretation across hundreds of Commission decisions, consent orders, and court decisions—including more than a dozen Supreme Court opinions. This rich case history will guide the agency as it implements Section 5. Through enforcement and rulemaking, the Commission will put businesses on notice about how to compete fairly and legally. This is in contrast with the rule of reason, which requires judges to make difficult case-by-case economic predictions.

[…]

Source: FTC Restores Rigorous Enforcement of Law Banning Unfair Methods of Competition | Federal Trade Commission

After years of complaining about the monopolies in big tech and China actually championing business competition with the EU lagging behind, will the US finally get into the game? Better late than never.

Windows 11’s Task Manager is finally getting a search box to help you find misbehaving apps

[…]

Microsoft has started testing a new search and filtering system for the Task Manager on Windows 11. It will allow Windows users to easily search for a misbehaving app and end its process or quickly create a dump file, enable efficiency mode, and more.

“This is the top feature request from our users to filter / search for processes,” explains the Windows Insider team in a blog post. “You can filter either using the binary name, PID or publisher name. The filter algorithm matches the context keyword with all possible matches and displays them on the current page.”

You’ll be able to use the alt + F keyboard shortcut to jump to the filter box in the Task Manager, and results will be filtered into single or groups of processes that you can monitor or take action on.

[…]

Source: Windows 11’s Task Manager is getting a search box to help you find misbehaving apps – The Verge

This is considered a big feature release and it makes you wonder what kind of programmers MS has employed that this has taken so long

New Drug Reverses Neural and Cognitive Effects of a Concussion

UCSF researchers use ISRIB to block the molecular stress response in order to restore cognitive function.

ISRIB, a tiny molecule identified by University of California, San Francisco (UCSF) researchers can repair the neural and cognitive effects of concussion in mice weeks after the damage, according to a new study.

ISRIB blocks the integrated stress response (ISR), a quality control process for protein production that, when activated chronically, can be harmful to cells.

The study, which was recently published in the Proceedings of the National Academy of Sciences, discovered that ISRIB reverses the effects of traumatic brain injury (TBI) on dendritic spines, an area of neurons vital to cognition. The drug-treated mice also showed sustained improvements in working memory.

“Our goal was to see if ISRIB could ameliorate the neural effects of concussion,” said Michael Stryker, Ph.D., a co-senior author of the study and professor of physiology at UCSF. “We were pleased to find the drug was tremendously successful in normalizing neuronal and cognitive function with lasting effects.”

TBI is a leading cause of long-term neurological disability, with patients’ quality of life suffering as a result of difficulties in concentration and memory. It’s also the strongest environmental risk factor for dementia — even a minor concussion boosts an individual’s risk dramatically.

[…]

Using advanced imaging techniques, Frias observed the effects of TBI on dendritic spines, the primary site of excitatory communication between neurons, over the course of multiple days.

In healthy conditions, neurons show a fairly consistent rate of spine formation, maturation, and elimination – dynamics that support learning and memory. But after a single mild concussion, mouse cortical neurons showed a massive burst of newly formed spines and continued to make excessive spines for as long as they were measured.

“Some may find this counterintuitive at first, assuming more dendritic spines would be a good thing for making new memories,” said co-senior author Susanna Rosi, PhD, a professor of physical therapy and neurological surgery at UCSF at the time of the study, now also at Altos Labs. “But in actuality, having all too many new spines is like being in a noisy room – when too many people are talking, you can’t hear the information you need.”

These new spines didn’t stick around for very long, however, and most were removed within days, meaning they hadn’t formed lasting functional synaptic connections.

These aberrant dynamics were rapidly reversed once mice were treated with ISRIB. By blocking the ISR, the drug was able to repair the neuronal structural changes resulting from the brain injury and restore normal rates of spine dynamics. These neuronal structural alterations were also associated with an improvement in performance to normal levels in a behavioral assay of working memory, which persisted for over a month after the final treatment.

“A month in a mouse is several years in a human, so to be able to reverse the effects of concussion in such a lasting way is really exciting,” said Frias.

[…]

Source: New Drug Reverses Neural and Cognitive Effects of a Concussion

Medibank: Hackers release abortion data after stealing Australian medical records

Hackers who stole customer data from Australia’s largest health insurer Medibank have released a file of pregnancy terminations.

It follows Medibank’s refusal to pay a ransom for the data, supported by the Australian government.

Medibank urged the public to not seek out the files, which contain the names of policy holders rather than patients.

CEO David Koczkaro warned that the data release could stop people from seeking medical attention.

Terminations can occur for a range of reasons including non-viable pregnancy, miscarriages and complications.

“These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care,” he said.

The data of 9.7 million Medibank customers was stolen last month – the latest in a string of major data breaches in Australian companies in recent months.

The hackers this week published their first tranche of information after Medibank refused to pay a $10m (£8.7m; A$15.6m) ransom – about $1 for every customer.

Some Australians say they have been targeted by scammers after their medical details were posted online.

Former tennis champion Todd Woodbridge – who is recovering from a heart attack – said he had been pestered by calls from scammers who had known which hospital he had been in.

[…]

The files included people’s health claims data – including medical procedure history – as well as names, addresses, birthdates and government ID numbers.

[…]

Source: Medibank: Hackers release abortion data after stealing Australian medical records – BBC News

Doxxing abortion patients – that’s pretty damn low. Go take out big evil businesses.

Antitrust Lawsuit Says Apple and Amazon Colluded to Raise iPhone, iPad Prices

A new antitrust class-action lawsuit accuses Apple Inc. and Amazon.com of colluding to raise the price of iPhones and iPads,

[…]

The lawsuit, filed in the U.S. District Court for the Western District of Washington accuses Apple and Amazon of seeking to eliminate third-party Apple resellers on Amazon Marketplace in a scheme to stifle competition, and maintain premium pricing for Apple products.

[…]

The lawsuit says the parties’ illegal agreement brought the number of third-party sellers of Apple products on Amazon Marketplace from roughly 600 to just seven sellers – a loss of 98%, and by doing so, Amazon, which was formerly a marginal seller of Apple products, became the dominant seller of Apple products on Amazon Marketplace.

[…]

The lawsuit centers around an agreement made between Apple and Amazon that took effect at the beginning of 2019, the existence of which neither defendant denies. The agreement permitted Apple to limit the number of resellers operating on Amazon’s marketplace, and it offered Amazon in return a discounted wholesale price for a steady stream of iPhones and iPads, allowing it to reap the benefits of limited competition on its own reseller arena.

“From the outset of these discussions, the parties discussed ‘gating’ third-party resellers,” the lawsuit states. “Ultimately Apple proposed, and Amazon agreed, to limit the number of resellers in each country to no more than 20. This arbitrary and purely quantitative threshold excluded even Authorized Resellers of Apple products.”

[…]

According to the lawsuit, available data indicate that there were at least 100 unique resellers offering iPhones and at least 500 resellers of iPads on Amazon’s platform before the agreement, and after, no more than seven remained, a decrease of 98% of third-party Apple product resellers. The lawsuit references that Amazon admitted to Congress that it entered an agreement with Apple that permits only “seven resellers of new Apple products” on its platform.

[…]


Source: Antitrust Lawsuit Says Apple and Amazon Colluded to Raise iPhone, iPad Prices | Hagens Berman

Egypt’s COP27 summit app can read your emails and encrypted messages, scan your device, send your location

Western security advisers are warning delegates at the COP27 climate summit not to download the host Egyptian government’s official smartphone app, amid fears it could be used to hack their private emails, texts and even voice conversations.

[…]

The potential vulnerability from the Android app, which has been downloaded thousands of times and provides a gateway for participants at COP27, was confirmed separately by four cybersecurity experts who reviewed the digital application for POLITICO.

The app is being promoted as a tool to help attendees navigate the event. But it risks giving the Egyptian government permission to read users’ emails and messages. Even messages shared via encrypted services like WhatsApp are vulnerable, according to POLITICO’s technical review of the application, and two of the outside experts.

The app also provides Egypt’s Ministry of Communications and Information Technology, which created it, with other so-called backdoor privileges, or the ability to scan people’s devices.

On smartphones running Google’s Android software, it has permission to potentially listen in on users’ conversations via the app, even when the device is in sleep mode, according to the three experts and POLITICO’s separate analysis. It can also track people’s locations via the smartphone’s built-in GPS and Wi-Fi technologies, according to two of the analysts.

The app is nothing short of “a surveillance tool that could be weaponized by the Egyptian authorities to track activists, government delegates and anyone attending COP27,” said Marwa Fatafta, digital rights lead for the Middle East and North Africa for Access Now, a nonprofit digital rights organization.

[…]

Both Google and Apple approved the app to appear in their separate app stores. All of the analysts only reviewed the Android version of the app, and not the separate app created for Apple’s devices. Apple declined to comment on the separate app created for its App Store.

[…]

As part of the smartphone app’s privacy notice, the Egyptian government says it has the right to use information provided by those who have downloaded the app, including GPS locations, camera access, photos and Wi-Fi details.

“Our application reserves the right to access customer accounts for technical and administrative purposes and for security reasons,” the privacy statement said.

Yet the technical review of the COP27 smartphone application, both by POLITICO and by the outside experts, discovered further permissions that people had unwittingly granted to the Egyptian government and that were not disclosed in its public statements.

These included the application having the right to track what attendees did on other apps on their phone; connecting users’ smartphones via Bluetooth to other hardware in ways that could lead to data being offloaded onto government-owned devices; and independently linking individuals’ phones to Wi-Fi networks, or making calls on their behalf without them knowing.

[…]

Source: Egypt’s COP27 summit app is a cyber weapon, experts warn – POLITICO