The Linkielist

Linking ideas with the world


“Parallel Reality” Display Shows Different Info to Different People at Same Time

Imagine if you, me and a dozen other people were standing in a room staring at the same screen—but the screen showed something different to each of us, simultaneously.

A California-based tech company called Misapplied Sciences has made this possible. They’ve developed a “parallel reality” display “enabled by a new pixel that has unprecedented capabilities,” they write. “These pixels can simultaneously project up to millions of light rays of different colors and brightness. Each ray can then be software-directed to a specific person.”

They’ve partnered with Delta Airlines, who will be installing a parallel reality display at Detroit Metropolitan Airport this month. Customers who opt in to using it, either by scanning their boarding pass or by enrolling in Delta’s app-based facial recognition program (no thanks!) will look at the screen and see only the flight and baggage claim information relevant to their trip. A person standing five feet away will see nothing but their own information.

Up to 100 viewers can be accommodated by the single screen. Delta refers to the technology as “mind-bending” and states that the display will be in Concourse A of the McNamara Terminal starting on June 29th.

Source: “Parallel Reality” Display Shows Different Info to Different People at Same Time – Core77

Ubisoft Teaches Customers They Don’t Own All That DLC They ‘Bought’

While we were just discussing how everyone occasionally gets reminded that for many digital goods these days you simply don’t actually own what you’ve bought, all thanks to Sony disappearing a bunch of purchased movies and shows from its PlayStation platform, this conversation has been going on for a long, long time. Whereas the expectation by many people is that buying a digital good carries similar ownership rights as it would a physical good, instead there are discussions of “licensing” buried in the Ts and Cs that almost nobody reads. The end result is a massive disconnect between what people think they’re paying for and what they actually are paying for.

Take Ubisoft DLC for instance. Lots of people bought DLC for titles like Assassin’s Creed 3 or Far Cry 3 for the PC versions of those games… and recently found out that all that purchased DLC is simply going away with Ubisoft shutting game servers down.

According to Ubisoft’s announcement, “the installation and access to downloadable content (DLC) will be unavailable” on the PC versions of the following games as of September 1, 2022:

Assassin’s Creed 3
Assassin’s Creed: Brotherhood
Driver San Francisco
Far Cry 3
Prince of Persia: The Forgotten Sands
Silent Hunter 5

DLC for the console versions of these games (which is verified through the console platform stores and not Ubisoft’s UPlay platform) will be unaffected, when applicable. Assassin’s Creed III and Far Cry 3 are also available on PC in remastered re-releases that will not be affected by this server shutdown (though the remastered “Classic Edition” of Far Cry 3 is currently unavailable for purchase from Ubisoft’s own website).

A notable addition to all of this is that the full version of Assassin’s Creed Liberation HD was on sale merely days ago on Steam’s Summer Sale, but that title is going to disappear from Steam entirely on September 1st as well. Read that again. The public bought a game title on Steam for 75% off, thinking it was a great deal, only to subsequently learn that they have 60 days to play the damned thing before it becomes unplayable.

This is not tenable. The consumer can only be jerked around so much before a clapback occurs, and losing purchased assets based on the whim of the company that sold them isn’t going to be tolerated forever. And while I’m loath to be one of the “there should be a law!” guys, well, there should be legal ramifications for this sort of thing. There are other options out there that would not remove purchased items from people, be it local installations, allowing fans in the public to host their own servers, etc.

Instead, Ubisoft appears to be joining a list of companies that believes it can sell you something and then take it away, all while including that same something in some bundled release afterwards.

Source: Ubisoft Teaches Customers They Don’t Own All That DLC They ‘Bought’ | Techdirt

Apple AirTags Hacked And Cloned With Voltage Glitching

[…]

researchers have shown that it’s possible to clone these devices, as reported by Hackster.io.

The research paper explains the cloning process, which requires physical access to the hardware. To achieve the hack, the Nordic nRF52832 inside the AirTag must be voltage glitched to enable its debug port. The researchers were able to achieve this with relatively simple tools, using a Pi Pico fitted with a few additional components.

With the debug interface enabled, it’s simple to extract the microcontroller’s firmware. It’s then possible to clone this firmware onto another tag. The team also experimented with other hacks, like having the AirTag regularly rotate its ID to avoid triggering the anti-stalking warnings built into Apple’s tracking system.

As the researchers explain, it’s clear that AirTags can’t really be secure as long as they’re based on a microcontroller that is vulnerable to such attacks. It’s not the first AirTag cloning we’ve seen either. They’re an interesting device with some serious privacy and safety implications, so it pays to stay abreast of developments in this area.

[…]

Source: Apple AirTags Hacked And Cloned With Voltage Glitching | Hackaday

Lenovo fixes trio of UEFI vulnerabilities – fortunately not for Thinkpads though

[…]

“The vulnerabilities,” explained the ESET Research team, “can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features.”

“It’s a typical UEFI ‘double GetVariable’ vulnerability,” the team added, before giving a hat tip to efiXplorer.

Lenovo has published an advisory on the matter this week: the CVE identifiers are CVE-2022-1890, CVE-2022-1891, CVE-2022-1892. All are related to buffer overflows and carry the risk that an attacker with local privileges will be able to execute arbitrary code. Their severity was rated as medium.

As for mitigation, updating the firmware is pretty much all customers can do, although not all products are affected by all three vulnerabilities. All of the products, however, do seem to be hit by CVE-2022-1892, a buffer overflow in the SystemBootManagerDxe driver.

The disclosure follows another three vulnerabilities patched in April, also concerned with UEFI on Lenovo kit. UEFI, or Unified Extensible Firmware Interface, is the glue connecting a device’s firmware with the operating system on top. A vulnerability there could potentially be exploited before a device gets a chance to boot its operating system and fire up malware protections, allowing the computer to become deeply infected and compromised.

ESET research noted that the flaws were a result of “insufficient validation of DataSize parameter passed to the UEFI Runtime Services function GetVariable.”
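To make the “double GetVariable” pattern ESET describes concrete, here is an added example (not ESET’s analysis code and not Lenovo’s firmware) of the bug class beside a hardened version, run against a small mock of the GetVariable size-reporting contract. Everything in it is constructed for illustration: the mock store, the names mock_get_variable, vulnerable_read and hardened_read, the 8-byte buffer the driver assumes, and the 40-byte sample variable standing in for one a local attacker can set from the OS.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Minimal stand-ins for the UEFI types used here (hypothetical mock, not EDK II). */
typedef uint64_t EFI_STATUS;
#define EFI_SUCCESS          0
#define EFI_BUFFER_TOO_SMALL 5
#define EFI_NOT_FOUND        14

#define VAR_BUF_SIZE 8      /* the size the driver *assumes* the variable has */
#define MOCK_VAR_MAX 128    /* largest variable the mock NVRAM store holds */

/* Mock NVRAM store: one variable whose contents can be set from "the OS",
   modelling a local attacker who can call SetVariable before the firmware reads it. */
static uint8_t g_var_data[MOCK_VAR_MAX];
static size_t  g_var_size;

void mock_set_variable(size_t size, uint8_t fill) {
    if (size > MOCK_VAR_MAX) size = MOCK_VAR_MAX;
    memset(g_var_data, fill, size);
    g_var_size = size;
}

/* Mock of the Runtime Services GetVariable contract: on a too-small buffer it
   returns EFI_BUFFER_TOO_SMALL and overwrites *DataSize with the real size. */
EFI_STATUS mock_get_variable(size_t *DataSize, void *Data) {
    if (g_var_size == 0) return EFI_NOT_FOUND;
    if (Data == NULL || *DataSize < g_var_size) {
        *DataSize = g_var_size;
        return EFI_BUFFER_TOO_SMALL;
    }
    memcpy(Data, g_var_data, g_var_size);
    *DataSize = g_var_size;
    return EFI_SUCCESS;
}

/* Count canary bytes past the intended buffer that were overwritten. */
static int clobbered(const uint8_t *canary, size_t n) {
    int c = 0;
    for (size_t i = 0; i < n; i++) if (canary[i] != 0xAA) c++;
    return c;
}

/* Vulnerable "double GetVariable" pattern. After the first call fails with
   EFI_BUFFER_TOO_SMALL, DataSize holds the attacker-chosen real size, yet the
   second call reuses it with the same fixed 8-byte buffer. The extra bytes spill
   into the canary region of `frame`, which stands in for adjacent stack memory.
   Returns the number of bytes written past the 8-byte buffer, or -1 on error. */
int vulnerable_read(void) {
    uint8_t frame[VAR_BUF_SIZE + MOCK_VAR_MAX];
    memset(frame, 0xAA, sizeof frame);
    size_t DataSize = VAR_BUF_SIZE;
    EFI_STATUS st = mock_get_variable(&DataSize, frame);
    if (st == EFI_BUFFER_TOO_SMALL)
        st = mock_get_variable(&DataSize, frame);   /* BUG: DataSize > buffer */
    if (st != EFI_SUCCESS) return -1;
    return clobbered(frame + VAR_BUF_SIZE, MOCK_VAR_MAX);
}

/* Hardened version: the DataSize handed to GetVariable is always the capacity of
   the buffer that receives the data. A larger variable gets a buffer allocated to
   the reported size, and the size reported by the second call is checked again,
   because the variable can change between the two calls. */
int hardened_read(void) {
    uint8_t frame[VAR_BUF_SIZE + MOCK_VAR_MAX];
    memset(frame, 0xAA, sizeof frame);
    size_t DataSize = VAR_BUF_SIZE;
    EFI_STATUS st = mock_get_variable(&DataSize, frame);
    if (st == EFI_BUFFER_TOO_SMALL) {
        size_t cap = DataSize;
        uint8_t *big = malloc(cap);
        if (big == NULL) return -1;
        st = mock_get_variable(&DataSize, big);       /* DataSize == cap here */
        int ok = (st == EFI_SUCCESS && DataSize <= cap);
        free(big);
        if (!ok) return -1;
    } else if (st != EFI_SUCCESS) {
        return -1;
    }
    return clobbered(frame + VAR_BUF_SIZE, MOCK_VAR_MAX);
}

int main(void) {
    mock_set_variable(40, 0x41);   /* constructed: a 40-byte variable, 5x the expected size */
    printf("vulnerable: %d bytes past buffer\n", vulnerable_read());
    printf("hardened:   %d bytes past buffer\n", hardened_read());
    return 0;
}
```

The point to take from the mock is that GetVariable’s own error path is what turns the second call into an overflow: the first call fails “safely” but leaves DataSize set to whatever size the variable actually has, so any code that retries without re-checking DataSize against its buffer is writing attacker-controlled lengths. Firmware reviews for this class therefore look for a DataSize that flows from a failed GetVariable straight into a second GetVariable with an unchanged buffer.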

ThinkPad hardware is not affected, probably to the relief of harassed enterprise administrators around the world. Other Lenovo device users should check the list and perform a firmware update if needed.

[…]

Source: Lenovo fixes trio of UEFI vulnerabilities • The Register

Nokia Launches 8″ T10 Tablet

Nokia T10 tablet has been officially launched by the company via a press release. It is the second tablet by Nokia’s new home, HMD Global, on the market. The device is being touted as a sturdy and portable Android slate with multiple years of software upgrades. The Nokia T10 has arrived as a mid-range Android tablet for global markets.

Specifications, Features

The Nokia T10 tablet comes with an 8-inch HD display. The slate boots Android 12 out-of-the-box. It will be getting two years of major Android OS updates and at least three years of monthly security updates for Android. The slate is powered by the Unisoc T606 processor, which is accompanied by up to 4GB of RAM and 64GB of internal storage. There also are dual stereo speakers with OZO playback to provide an immersive media experience.

[…]

The device has an 8MP primary shooter and a 2MP selfie camera, which supports face unlock functionality. In the connectivity department, the Nokia T10 comes with 4G LTE, dual-band Wi-Fi, Bluetooth, GPS with GLONASS, and a built-in FM radio receiver.

Lastly, the slate is fuelled by a beefy 5,250 mAh battery, which supports 10W charging technology.

Price, Availability

The Nokia T10 Android tablet’s base variant will be available from $159.

Source: Nokia T10 Tablet With 8-Inch Screen Launched; Pricing & Features – Gizbot News

Unfortunately the screen for the T10 is only 1200 x 800. I really like the 8″ form  factor though.

The T20 has a 10″ display

Display: IPS LCD, 400 nits (typ)
Size: 10.4 inches, 307.9 cm² (~78.9% screen-to-body ratio)
Resolution: 1200 x 2000 pixels, 5:3 ratio (~224 ppi density)
Protection: Scratch-resistant glass
OS: Android 11
Chipset: Unisoc T610 (12 nm)
CPU: Octa-core (2×1.8 GHz Cortex-A75 & 6×1.8 GHz Cortex-A55)
GPU: Mali-G52 MP2

source: gsmarena

Hasbro will 3D-print your face onto its iconic action figures

Have you ever wanted to see your own face on the body of a Power Ranger or a Ghostbuster? Thanks to an ingenious partnership between Hasbro and 3D-printing specialists Formlabs, now you can. The Hasbro Selfie Series will let would-be heroes take a scan of their face with their phone and have a custom-made, look-a-like action figure delivered at some point afterward. In this initial blast, you can opt to become an X-Wing Pilot, Ghostbuster, Power Ranger or Snake Eyes from GI Joe, amongst others.

It’s part of Formlabs’ growing project to turn 3D printing from a technological cul-de-sac into a viable way of making customized, mass-market products. The company has already teamed up with Sennheiser to make 3D-printed earbuds, and has branched out into making jewelry moulds, ventilator parts and false teeth. It also teamed up with Gillette to create customized razor handles which were manufactured using Formlabs’ industrial printers.

Hasbro’s Brian Chapman explained that, a few years ago, the company ran a competition at a comic-con to make custom action figures for five winners. They found the interest in the promo was so enormous that the company has always had an eye on developments in the 3D printing market.

Unfortunately, while it’s been announced today, the Hasbro Selfie Series won’t actually let you start scanning your head for a little while. In order to start, you’ll need to download Hasbro Pulse, the company’s dedicated mobile app, and get your face ready to be immortalized. Scans will open up closer to the expected ship date in the Fall, after which point you’ll be asked to pony up $60 (plus taxes) and wait for your six-inch, “collector-grade” figure to arrive. Unfortunately, for now, the offering is only available to customers in the US, but hopefully over time, we’ll see this make its way across the world.

Source: Hasbro will 3D-print your face onto its iconic action figures | Engadget

X.Org Server Hit By New Local Privilege Escalation, Remote Code Execution Vulnerabilities

[…] CVE-2022-2319 and CVE-2022-2320 were made public this morning and both deal with the X.Org Server’s Xkb keyboard extension not properly validating input that could lead to out-of-bounds memory writes. Hopefully though in 2022 you aren’t relying on your xorg-server running as root.

Fixes for these XKB vulnerabilities have been patched in X.Org Server Git and xorg-server 21.1.4 point release is expected soon with these fixes. Both vulnerabilities were discovered by Trend Micro’s Zero Day Initiative.

More details in today’s X.Org Security Advisory.

Update: X.Org Server 21.1.4 is now available. In addition to these security fixes there is also a large number of XQuartz fixes from Apple, a GCC 12 build fix in the render code, a possible crash fix in the PRESENT code, and various other small fixes.

Source: X.Org Server Hit By New Local Privilege Escalation, Remote Code Execution Vulnerabilities – Phoronix

Supremes ‘doxxed’ after overturning Roe v Wade

The US Supreme Court justices who overturned Roe v. Wade last month may have been doxxed – had their personal information including physical and IP addresses, and credit card info revealed – according to threat intel firm Cybersixgill.

As expected, the fallout from the controversial ruling, which reversed the court’s 1973 decision that federally protected access to abortion, has been immense, creating deep ripples across the cybersphere where data privacy concerns abound.

[…]

In a twist on using personal data for questionable purposes, it appears some hacktivists are taking matters into their own hands and seemingly leaked private information about five conservative Supremes: Justices Samuel Alito, Clarence Thomas, Neil Gorsuch, Brett Kavanaugh and Amy Coney Barrett, according to research published today by Cybersixgill’s security research lead Dov Lerner.

Although Chief Justice John Roberts voted with the majority, the doxxers didn’t expose his personal data.

Lerner, who told The Register he found the doxes on “various dark web forums,” said the “most notable” dox happened on June 30, and is alleged to include physical addresses, IP addresses, and credit card information, including CVV (which the doxers called “little funny 3 numbers on the back”) and expiration date.

[…]

Source: Supremes ‘doxxed’ after overturning Roe v Wade • The Register

Maybe this is an expression of the right to bear arms.

Amazon Ring Tells Sen. Markey It Won’t Enhance Doorbell Privacy, will listen in to long range conversations

Ring is rejecting the request of a U.S. senator to introduce privacy-enhancing changes to its flagship doorbell video camera after product testing showed the device capable of recording conversations well beyond the doorsteps of its many millions of customers. Security and privacy experts expressed alarm at the quality of the distant recordings, raising concerns about the potential for blackmail, stalking, and other forms of invasion

In a letter to the company last month, Sen. Ed Markey, a Democrat of Massachusetts, said Ring was capturing “significant amounts of audio on private and public property adjacent to dwellings with Ring doorbells,” putting the right to “assemble, move, and converse without being tracked” at risk.

Markey did not ask the company to adjust the range of the device, but to adjust the doorbell’s settings so audio wouldn’t be recorded by default. Ring, which was acquired by retail giant Amazon in 2018, rejected the idea, arguing that doing so would be a “negative experience” for customers, who might easily get confused by the settings “in an emergency situation.” What’s more, Ring appeared to reject a request never to link the devices to voice recognition software, offering only that it hasn’t done so thus far.

Experts such as Matthew Guariglia, a policy analyst at the Electronic Frontier Foundation, have said the device is particularly harmful to the privacy of individuals who live in close quarters — think apartment buildings and condos — where they may be unknowingly recorded the moment they open their doors.

[…]

Source: Amazon Ring Tells Sen. Markey It Won’t Enhance Doorbell Privacy

Google files a lawsuit that could kick Tinder out of the Play Store because Match refuses to pay illegally forced fees

Google has counter-sued Match seeking monetary damages and a judgement that would let it kick Tinder and the group’s other dating apps out of the Play Store, Bloomberg has reported. Earlier this year, Match sued Google alleging antitrust violations over a decision requiring all Android developers to process “digital goods and services” payments through the Play Store billing system.

Following the initial lawsuit in May, Google and Match reached a temporary agreement allowing Match to remain on the Play Store and use its own payments system. Google also agreed to make a “good faith” effort to address Match’s billing concerns. Match, in turn, was to make an effort to offer Google’s billing system as an alternative.

However, Google parent Alphabet claims that Match Group now wants to pay “nothing at all” to Google, including its 15 to 30 percent Play Store fees, according to a court filing. “Match Group never intended to comply with the contractual terms to which it agreed… it would also place Match Group in an advantaged position relative to other app developers,” the document states.

Match group said that Google’s Play Store policies violate federal and state laws. “Google doesn’t want anyone else to sue them so their counterclaims are designed as a warning shot,” Match told Bloomberg in a statement. “We are confident that our suit, alongside other developers, the US Department of Justice and 37 state attorneys general making similar claims, will be resolved in our favor early next year.”

Match is referring to an antitrust action launched last year by States and the federal government probing Google’s Play Store fees. Shortly before that, Google dropped its fee on app developer revenue to 15 percent on the first $1 million, and 30 percent after that. At the same time, it announced it would enforce a policy requiring all developers to process payments through the Play Store’s billing system. Earlier this year, a Senate bill moved forward targeting in-app payments in both Google and Apple’s stores.

Source: Google files a lawsuit that could kick Tinder out of the Play Store | Engadget

Greedy bastards at Google – nope, you can’t force a marketplace on people and you can’t force these fees on them either.

A Bored Chinese Housewife Spent Years Falsifying Russian History on Wikipedia

Posing as a scholar, a Chinese woman spent years writing alternative accounts of medieval Russian history on Chinese Wikipedia, conjuring imaginary states, battles, and aristocrats in one of the largest hoaxes on the open-source platform.

The scam was exposed last month by Chinese novelist Yifan, who was researching for a book when he came upon an article on the Kashin silver mine.

Discovered by Russian peasants in 1344, the Wikipedia entry goes, the mine engaged more than 40,000 slaves and freedmen, providing a remarkable source of wealth for the Russian principality of Tver in the 14th and 15th centuries as well as subsequent regimes. The geological composition of the soil, the structure of the mine, and even the refining process were fleshed out in detail in the entry.

Yifan thought he’d found interesting material for a novel. Little did he know he’d stumbled upon an entire fictitious world constructed by a user known as Zhemao. It was one of 206 articles she has written on Chinese Wikipedia since 2019, weaving facts into fiction in an elaborate scheme that went uncaught for years and tested the limits of crowdsourced platforms’ ability to verify information and fend off bad actors.

[…]

Yifan was tipped off when he ran the silver mine story by Russian speakers and fact-checked Zhemao’s references, only to find that the pages or versions of the books she cited did not exist. People he consulted also called out her lengthy entries on ancient conflicts between Slavic states, which could not be found in Russian historical records. “They were so rich in details they put English and Russian Wikipedia to shame,” Yifan wrote on Zhihu, a Chinese site similar to Quora, where he shared his discovery last month and caused a stir.

The scale of the scam came to light after a group of volunteer editors and other Wikipedians, such as Yip, combed through her past contributions to nearly 300 articles.

One of her longest articles was almost the length of “The Great Gatsby.” With the formal, authoritative tone of an encyclopedia, it detailed three Tartar uprisings in the 17th century that left a lasting impact on Russia, complete with a map she made. In another entry, she shared rare images of ancient coins, which she claimed to have obtained from a Russian archaeological team.

[…]

Source: A Bored Chinese Housewife Spent Years Falsifying Russian History on Wikipedia

Brilliant – and she’s not the only one!

Joshua Schulte: Former CIA hacker convicted of Vault 7 data leak

[…]

Joshua Schulte was convicted of sending the CIA’s “Vault 7” cyber-warfare tools to the whistle-blowing platform. He had denied the allegations.

The 2017 leak of some 8,761 documents revealed how intelligence officers hacked smartphones overseas and turned them into listening devices.

Prosecutors said the leak was one of the most “brazen” in US history.

Damian Williams, the US attorney for the Southern District of New York, said Mr Schulte’s actions had “a devastating effect on our intelligence community by providing critical intelligence to those who wish to do us harm”.

Mr Schulte, who represented himself at the trial in Manhattan federal court, now faces decades in prison. He also faces a separate trial on charges of possessing images and videos of child abuse, to which he has pleaded not guilty.

After joining the CIA in 2010, Mr Schulte soon achieved the organisation’s highest security clearance. He went on to work at the agency’s headquarters in Langley, Virginia, designing a suite of programmes used to hack computers, iPhones and Android phones and even smart TVs.

Prosecutors alleged in 2016 that he transmitted the stolen information to Wikileaks and then lied to FBI agents about his role in the leak.

They added that he was seemingly motivated by anger over a workplace dispute in which his employer ignored his complaints. The software engineer had been struggling to meet deadlines and Assistant US Attorney Michael Lockard said one of his projects was so far behind schedule that he had earned the nickname “Drifting Deadline”.

The prosecutors said he wanted to punish those he perceived to have wronged him and said in “carrying out that revenge, he caused enormous damage to this country’s national security”.

But Mr Schulte said the government had no evidence that he was motivated by revenge and called the argument “pure fantasy”. In his closing argument, he claimed that “hundreds of people had access” to the leaked files and that “hundreds of people could have stolen it”.

“The government’s case is riddled with reasonable doubt,” he added.

[…]

Source: Joshua Schulte: Former CIA hacker convicted of ‘brazen’ data leak – BBC News

Amazon’s Ring gave a record amount of doorbell footage to the US government in 2021

Ring, the maker of internet-connected video doorbells and security cameras, said in its latest transparency report that it turned over a record amount of doorbell footage and other information to U.S. authorities last year.

The Amazon-owned company said in two biannual reports covering 2021 that it received 3,147 legal demands, an increase of about 65% on the year earlier, up from about 1,900 legal demands in 2020.

More than 85% of the legal demands processed were by way of court-issued search warrants, allowing Ring to turn over both information about a Ring user and video footage from those accounts. Ring said it turned over user content in response to about four out of 10 demands it received during the year.

Transparency reports allow U.S. companies to disclose the number of legal orders they are given over a particular time period, often six months or a year. But Ring has been criticized for having unusually cozy relationships with about 2,200 police departments around the United States, latest figures show, allowing police to request video doorbell camera footage from homeowners.

Ring said it also notified 648 users during the year that their user information had been requested by law enforcement. According to its law enforcement guidelines, Ring notifies users before disclosing their user information, such as name, address, email address and billing information, unless it is prohibited by way of a secrecy order.

In a new breakout, Ring also revealed it received 2,774 preservation orders, which allow police departments and law enforcement agencies to ask Amazon — not demand — to preserve a user’s account for up to six months to allow the requesting agency to gather enough information to obtain a court-issued order, such as a search warrant.

Amazon executive Brian Huseman told lawmakers in a letter published Wednesday that Ring shared doorbell footage at least 11 times with U.S. authorities so far in 2022 without the consent of the device’s owner, reports Politico. According to the letter, Amazon said it “made a good-faith determination that there was an imminent danger of death or serious physical injury to a person requiring disclosure of information without delay.” Under emergency disclosure orders, companies can respond with data when a requesting agency doesn’t have the time to obtain a court order.

Ring has not yet revealed how many times it has disclosed user data under emergency circumstances in previous years, including its most recent transparency report.

Source: Amazon’s Ring gave a record amount of doorbell footage to the government in 2021 | TechCrunch

BMW Heated Seats Subscription Is Real And It Costs $18 Per Month. Also heated steering wheel, paid separately. In a car you own and paid for the heated seats and wheel.

[…]

On its ConnectedDrive Store in South Korea, BMW owners can pay a monthly fee to have a creature comfort such as heated seats. It costs ₩24,000 or approximately $18 at current exchange rates. Alternatively, you can get a one-year plan for $176 or a three-year subscription for $283.

The BMW ConnectedDrive Store is a portal used by existing owners to download a variety of apps. It’s all done over the air, without having to visit a dealer to have the new software installed. With heated seats, the German luxury brand is kind enough to provide a one-month test period free of charge. Should you want the feature permanently, that’ll set you back $406.

A similar subscription plan is offered for a heated steering wheel and it costs $10 per month, $92 annually, and $161 for three years. You can also buy it outright for $222. Do you want wireless Apple CarPlay? That’ll be $305. The store also allows BMW customers to upgrade the headlights to include a high-beam assistant, additional safety systems, and the camera-based Driver Recorder.

One of the most unusual items found in the BMW ConnectedDrive Store is called IconicSounds Sport. It essentially plays fake engine noises through the car’s speakers should you be willing to pay $138 to have the feature permanently. There are no monthly or yearly subscription plans available for this “feature.”

[…]

We can already imagine a smartphone-like jailbreak to unlock these goodies without having to pay the automaker. Doing so will likely result in voiding the warranty after taking down the automaker’s paywall. Even if someone is willing to wait until the warranty expires, chances are that person will hack the car the very next day to “download” all the available features.

Of course, this isn’t something new as upgrades through the OBD port have been around for many years, especially for VAG products.

Source: BMW Heated Seats Subscription Is Real And It Costs $18 Per Month

Wait, so you actually already paid for these features when you bought the car but to use them you have to keep paying?

As for the hacks, you can change the actual sound output here: Engine Sound Setting Coding Tutorial w/ Bimmercode

You Don’t Own What You’ve Bought: Sony Removes 100s Of Movies Bought Through PS Store

We have done many, many posts explaining how, unfortunately, it seems the idea of a person owning the things they’ve bought has become rather passé. While in the age of antiquity, which existed entire tens of years ago, you used to be able to own things, these days you merely license them under Ts and Cs that are either largely ignored and clicked through or that are indecipherable, written in the otherwise lost language known as “Lawyer-ese”. The end result is a public that buys things, thinks they retain ownership over them, only to find out that the provider of the things alters them, limits their use, or simply erases them from being.

Take anyone who bought a movie distributed by StudioCanal in Germany and Austria through Sony’s Playstation store, for instance. Sony previously had a deal to make those movie titles available in its store, but declined to continue offering movies and shows in 2021, stating that streaming services had made the deal un-competitive.

Sony’s PlayStation group stopped offering movie and TV show purchases and rentals, as of Aug. 31, 2021, citing the rise of streaming-video services. At the time, Sony assured customers that they “can still access movie and TV content they have purchased through PlayStation Store for on-demand playback on their PS4, PS5 and mobile devices.”

And when Sony said that, it apparently forgot to add two very important words to its statement: “for now.” Instead, Sony decided to drop the bomb with yet another statement regarding StudioCanal content in Germany and Austria. It essentially amounts to: hey fuckers, that shit you bought is about to disappear, mmkay bye.

“As of August 31, 2022, due to our evolving licensing agreements with content providers, you will no longer be able to view your previously purchased Studio Canal content and it will be removed from your video library,” the notices read. “We greatly appreciate your continued support.”

Poof, it’s gone! That remark about appreciating the public’s “continued support” seems more like begging than acknowledging reality. Especially once you start asking the questions that immediately leap to mind.

For example: will customers get a refund for the movies that they bought and now can’t access? As per the source article “it’s unclear”, which likely means “hahahahaha nope.” How many movies were delisted? Literally hundreds. Are these just small-time movies? Nope, they include AAA titles like The Hunger Games and John Wick.

And so a whole bunch of people are going to find out that they didn’t buy anything, they rented some movies for a previously indefinite period of time that just became definite, long after the purchase was made. It’s hard to imagine something more anti-consumer than that.

Source: You Don’t Own What You’ve Bought: Sony Removes 100s Of Movies Bought Through PS Store | Techdirt

Leaked Uber files reveal extensive use of ‘kill switch’, Lobbying partners including Macron, tax haven use, etc

A data leak from ride-sharing app Uber revealed activities allegedly geared to avoid regulation and law enforcement – including a “kill switch” that would remotely cut computer access to servers at its headquarters in San Francisco in case of a raid – according to weekend media.

The leak was provided to The Guardian and shared with the nonprofit International Consortium of Investigative Journalists (ICIJ), which helped work through the 124,000 records, which include 83,000 emails, iMessages and WhatsApp exchanges.

The records detail internal conversations within Uber, plus interactions between Uber executives and government officials. The trove contains documents detailing interactions with 30 countries and cover the period 2013 to 2017, when Uber was on the rise and confronting pushback from both regulators and the taxi industry.

The 18.7GB cache reveals that the kill switch used to block authorities from probing Uber’s IT systems – which was already known to a lesser extent – was actually deployed at least 12 times in France, the Netherlands, Belgium, India, Hungary and Romania.

The first instances known of the kill switch being used were in late 2014 in France during two separate raids. A November raid took only 13 minutes between the email instructing the action to an IT engineer in Denmark and access being cut.

Emails show the kill switch was used at the command of top-level executives, including none other than former CEO Travis Kalanick, as well as legal staff. Both execs and legal staff were often copied in to emails instructing access cuts.

The kill switch, known internally as Ripley, was used in conjunction with a remote-control program called Casper that cut network access after devices were confiscated by authorities. Because Uber was fond of these justice-obstructing programs and their code names, there was also of course Greyball, revealed in 2017, which blocked cops from booking cabs, lest they were interested in busting unregulated drivers.

Uber learned to predict and prepare for raids, and even issued a manual to employees containing 66 bullet points on how to respond. Titled “Dawn Raid Manual”, it instructed employees to stall by escorting regulators to meeting rooms without files and never to leave them alone.

Employees were also advised to “play dumb” as systems severed their connections to the company’s main IT systems whenever police searched their equipment, as documented in a text exchange between former EMEA head of public policy Mark McGann and current global head of sustainability Thibaud Simphal.

The trove of files goes beyond the technical systems in place to stymie investigations. It also details lobbying efforts, close relationships between execs and public officials including France’s then-economy minister Emmanuel Macron, use of Bermuda as a tax haven, public relations efforts to use violence against its drivers to garner public sympathy, and more.

[…]

Source: Leaked Uber files reveal extensive use of ‘kill switch’ • The Register

Rolling pwn hack opens Honda cars by listening to keyfob 100 feet away

Hackers have uncovered ways to unlock and start nearly all modern Honda-branded vehicles by wirelessly stealing codes from an owner’s key fob. Dubbed “Rolling Pwn,” the attack allows any individual to “eavesdrop” on a remote key fob from nearly 100 feet away and reuse the codes later to unlock or start a vehicle in the future without the owner’s knowledge.

Despite Honda’s dispute that the technology in its key fobs “would not allow the vulnerability,” The Drive has independently confirmed the validity of the attack with its own demonstration.

Older vehicles used static codes for keyless entry. These static codes are inherently vulnerable, as any individual can capture and replay them at will to lock and unlock a vehicle. Manufacturers later introduced rolling codes to improve vehicle security. Rolling codes work by using a Pseudorandom Number Generator (PRNG). When a lock or unlock button is pressed on a paired key fob, the fob sends a unique code wirelessly to the vehicle encapsulated within the message. The vehicle then checks the code sent to it against its internal database of valid PRNG-generated codes, and if the code is valid, the car grants the request to lock, unlock, or start the vehicle.

The database contains several allowed codes, as a key fob may not be in range of a vehicle when a button is pressed and may transmit a different code than what the vehicle is expecting to be next chronologically. This series of codes is also known as a “window.” When a vehicle receives a newer code, it typically invalidates all previous codes to protect against replay attacks.

This attack works by eavesdropping on a paired keyfob and capturing several codes sent by the fob. The attacker can later replay a sequence of valid codes and re-sync the PRNG. This allows the attacker to re-use older codes that would normally be invalid, even months after the codes have been captured.

A similar vulnerability was discovered late last year and added to the Common Vulnerabilities and Exposures database (CVE-2021-46145), and again this year for other Honda-branded vehicles (CVE-2022-27254). However, Honda has yet to address the issue publicly, or with any of the security researchers who have reported it. In fact, when the security researchers responsible for the latest vulnerability reached out to Honda to disclose the bug, they said they were instead told to call customer service rather than submit a bug report through an official channel.

[…]

Source: I Tried the Honda Key Fob Hack on My Own Car. It Totally Worked
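As an added illustration (not code from The Drive article or from Honda), a toy Python model of the window logic described above: a receiver that resynchronises on any consecutive pair of valid codes, even stale ones, beside one that treats the counter as a high-water mark. The HMAC-based code derivation, the window size, the resync rule and the shared secret are all assumptions made for the model.

```python
"""Model of rolling-code keyless entry and the counter-resync weakness.

Constructed illustration only: the fob/receiver logic, the HMAC-based
code derivation and the window size are assumptions, not Honda's design.
"""
import hmac
import hashlib

WINDOW = 16                       # assumed: receiver accepts the next 16 counters
KEY = b"constructed-fob-secret"   # constructed shared secret between fob and car


def make_code(counter: int) -> tuple[int, bytes]:
    """One fob transmission: (counter, tag). A real fob encrypts the counter;
    a truncated HMAC over the counter is used here as a stand-in."""
    tag = hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]
    return counter, tag


def tag_ok(counter: int, tag: bytes) -> bool:
    return hmac.compare_digest(make_code(counter)[1], tag)


class VulnerableReceiver:
    """Accepts any counter within the window of the *current* expected value,
    and resynchronises to any pair of consecutive valid codes, even older ones.
    That resync path is the flaw the article describes: replaying a captured
    sequence rolls the counter back, so stale codes become valid again."""

    def __init__(self):
        self.expected = 0
        self.last_out_of_window = None

    def receive(self, counter: int, tag: bytes) -> bool:
        if not tag_ok(counter, tag):
            return False
        if self.expected <= counter < self.expected + WINDOW:
            self.expected = counter + 1
            self.last_out_of_window = None
            return True
        # Out-of-window code: remember it, and resync on a consecutive pair.
        if self.last_out_of_window == counter - 1:
            self.expected = counter + 1      # no check that this moves forward
            self.last_out_of_window = None
            return True
        self.last_out_of_window = counter
        return False


class HardenedReceiver(VulnerableReceiver):
    """Same window logic, but the counter is a high-water mark: nothing at or
    below the highest accepted counter is ever honoured, including via resync."""

    def receive(self, counter: int, tag: bytes) -> bool:
        if counter < self.expected:          # replay of an already-used counter
            self.last_out_of_window = None
            return False
        return super().receive(counter, tag)


def replay_succeeds(receiver_cls) -> bool:
    """Owner presses the fob; the codes are recorded; the owner keeps using
    the car; the recorded codes are replayed much later.
    Returns True if the stale replay is accepted by the receiver."""
    car = receiver_cls()
    captured = [make_code(c) for c in range(5)]    # recorded presses 0..4
    for code in captured:
        assert car.receive(*code)                   # legitimate use at the time
    for c in range(5, 40):                          # car keeps being used
        assert car.receive(*make_code(c))
    results = [car.receive(*code) for code in captured]   # months later
    return any(results)


if __name__ == "__main__":
    print("vulnerable receiver accepts stale replay:", replay_succeeds(VulnerableReceiver))
    print("hardened receiver accepts stale replay:  ", replay_succeeds(HardenedReceiver))
```

The hardened receiver still tolerates a fob pressed out of range (counters skipped within the window); it only refuses to move the counter backwards.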

First Laser Weapon For A Fighter Delivered To The Air Force

[…] A report today from Breaking Defense confirmed that Lockheed Martin delivered its LANCE high-energy laser weapon to the Air Force in February this year. In this context, LANCE stands for “Laser Advancements for Next-generation Compact Environments.” The recipient for the new weapon is the Air Force Research Laboratory, or AFRL, which is charged with developing and integrating new technologies in the air, space, and cyberspace realms.

Tyler Griffin, a Lockheed executive, had previously told reporters that LANCE “is the smallest, lightest, high-energy laser of its power class that Lockheed Martin has built to date.”

Indeed, Griffin added that LANCE is “one-sixth the size” of a previous directed-energy weapon that Lockheed produced for the Army. That earlier laser was part of the Robust Electric Laser Initiative program and had an output in the 60-kilowatt class. We don’t yet know what kind of power LANCE can produce although there have been suggestions it will likely be below 100 kilowatts.

For LANCE, Lockheed has been drawing from its previous experience in ground-based lasers, like this concept for a Future Mobile Tactical Vehicle armed with a directed-energy weapon. Lockheed Martin

As well as being notably small and light, LANCE has reduced power requirements compared to other previous weapons, a key consideration for a fighter-based laser, especially one that can be mounted within the confines of a pod.

If successful in its defensive mission, it’s feasible that LANCE could go on to inform the development of more offensive-oriented laser weapons, including ones that could engage enemy aircraft and drones at longer ranges than would be the case when targeting a fast-approaching anti-aircraft missile, whether launched from the ground or from an enemy aircraft.

LANCE has been developed under a November 2017 contract that’s part of the Air Force’s wider Self-protect High Energy Laser Demonstrator, or SHiELD, program, something that we have written about in the past.

SHiELD is a collaborative effort that brings together Lockheed Martin, Boeing, and Northrop Grumman. While Lockheed Martin provides the actual laser weapon, in the form of LANCE, Boeing produces the pod that carries it, and Northrop Grumman is responsible for the beam control system that puts the laser onto its target — and then keeps it there.

An engineer looks at a directed-energy system turret in the four-foot transonic wind tunnel at Arnold Air Force Base, Tennessee, in March 2021. U.S. Air Force/Jill Pickett

Kent Wood, acting director of AFRL’s directed energy directorate, told Breaking Defense that the various SHiELD subsystems “represent the most compact and capable laser weapon technologies delivered to date.”

Wood’s statement also indicated that actual test work by AFRL is still at an early stage, referring to “mission utility analyses and wargaming studies” that are being undertaken currently. “Specific targets for future tests and demonstrations will be determined by the results of these studies as well,” he said.

Meanwhile, Lockheed’s Tyler Griffin added that the next stage in the program would see LANCE integrated with a thermal system to manage heating and cooling.

At this stage, we don’t know exactly what aircraft LANCE is intended to equip, once it progresses to flight tests and, hopefully, airborne firing trials. However, Griffin said that “a variety of potential applications and platforms are being considered for potential demonstrations and tests.”

Previous Lockheed Martin concept art has shown the pod carried by an F-16 fighter jet. And, while SHiELD is initially concerned with proving the potential for active defense of fighter jets in high-risk environments, officials have also talked of the possibility of adapting the same technology for larger, slower-moving combat and combat support aircraft, too.

Boeing flew a pre-prototype pod shape — without its internal subsystems — aboard an Air Force F-15 fighter in 2019. During ground tests, meanwhile, a representative laser, known as the Demonstrator Laser Weapon System (DLWS), has already successfully shot down multiple air-launched missiles over White Sands Missile Range in New Mexico, also in 2019.

A decision on the initial test platform for the complete SHiELD system will likely follow once a flight demonstration has been funded, which is currently not the case. Similarly, there is not yet a formal transition plan for how LANCE and SHiELD could evolve into an actual program of record.

[…]

Source: First Laser Weapon For A Fighter Delivered To The Air Force

Microsoft Office 2021 for only $40 before 14 July 2022

Despite the increasing number of more economical options (read also: free) on the market, many people still prefer Microsoft Office over the alternatives available. With millions of users worldwide, the office suite packs programs with powerful functions that enable students, business owners, and professionals to reach peak productivity. From document formatting to presentation building to number crunching, there’s nearly nothing it can’t do in terms of executing digital tasks.

The only setback? A license can be expensive, especially if you’re the one shouldering the fees instead of your company. If you wish to have access to the suite for personal use, you either have to pay recurring fees for a subscription or cough up hundreds in one go for an annual license. If none of these options appeal to you, maybe this Microsoft Office Home and Business: Lifetime License deal can. For our Deals Day sale, you can grab it on sale for only $39.99 — no coupon needed.

This bundle is designed for families, students, and small businesses who want unlimited access to MS Office apps and email without breaking the bank. The license package includes programs you already likely use on the regular, including Word, Excel, PowerPoint, Outlook, Teams, and OneNote. And with a one-time purchase, you can install it on one Mac computer for lifetime Microsoft Office use at home or work.

Upon purchase, you get access to your software license keys and download links instantly. You also get free updates for life across all programs, along with free customer service that offers the best support in case any of the apps run into trouble. The best part? You only have to pay once and you’re set for life.

The Microsoft Office Home and Business: Lifetime License normally goes for $349, but from today until July 14, you can get it for only $39.99 thanks to the special Deals Day event. Click here for Mac and here for Windows.

Source: Get lifetime access to Microsoft Office for only $40 thanks to this limited-time only deal | Popular Science

FBI and MI5 bosses speak out together: China hacks and steals at massive scale

The directors of the UK Military Intelligence, Section 5 (MI5) and the US Federal Bureau of Investigation on Wednesday shared a public platform for the first time and warned of China’s increased espionage activity on UK and US intellectual property.

Speaking to an audience of business and academic leaders, MI5 director general Ken McCallum and FBI director Chris Wray argued that Beijing’s Made in China 2025 program and other self-sufficiency tech goals can’t be achieved without a boost from illicit activities.

“This means standing on your shoulders to get ahead of you. It means that if you are involved in cutting-edge tech, AI, advanced research or product development, the chances are your know-how is of material interest to the Chinese Communist Party,” said McCallum.

“And if you have, or are trying for, a presence in the Chinese market, you’ll be subject to more attention than you might think,” he added.

McCallum described China’s efforts to acquire Western expertise, technology and research as a planned and professional “coordinated campaign on a grand scale” that has been strategically executed across decades.

China’s efforts have stepped up significantly, McCallum said, with MI5 running seven times as many investigations against Chinese activity today as in 2018.

“The most game-changing challenge we face comes from the Chinese Communist Party. It’s covertly applying pressure across the globe,” said McCallum. Threats MI5 is working to counter include covert theft of trade secrets, patient cultivation of contacts, and establishing a “debt of obligation.” Advanced persistent threats are deployed when needed, too.

The MI5 director also warned that China was working to change attitudes to suit the Chinese Communist Party’s interests and support it dominating the international order – and playing the long game to normalize mass theft as “the cost of doing business these days.”

Wray added that in the US, China’s efforts spare none and are visible in both big cities and small towns, Fortune 500s and startups, and across everything from aviation, to AI, to pharma.

The FBI director then referred to China’s hacking program as “lavishly resourced” and “bigger than that of every other major country combined.”

“The Chinese Government sees cyber as the pathway to cheat and steal on a massive scale,” said Wray.

Wray said the efforts were not just big, they were effective, offering the following insight on cyber attacks:

Over the last few years, we’ve seen Chinese state-sponsored hackers relentlessly looking for ways to compromise unpatched network devices and infrastructure.

And Chinese hackers are consistently evolving and adapting their tactics to bypass defenses. They even monitor network defender accounts and then modify their campaign as needed to remain undetected.

They merge their customized hacking toolset with publicly available tools native to the network environment—to obscure their activity by blending into the ‘noise’ and normal activity of a network.

However, he warned, it’s not just through hacking that the Chinese state-backed threats act, but “by making investments and creating partnerships that position their proxies to steal valuable technology.”

Wray described all Chinese companies as beholden to the Chinese Communist Party (CCP) in some form, with the government disguising its intent to obtain influence.

Efforts include creating elaborate shell games to outsmart government investment-screening programs, and passing statutes like the 2015 critical infrastructure law that requires companies to store data domestically, convenient for government access. He cited a 2020 law that required malware-laden Chinese software be used by foreign companies filing taxes – forcing the companies into installing their own backdoors – as another example of the CCP at work.

On the same day as the two spook bosses issued their warnings, the US National Counterintelligence and Security Center issued a bulletin [PDF] offering more detail of China’s efforts by detailing tactics used by Beijing to infiltrate US business and government for the purpose of exerting influence.

Know your foe

The FBI, NCSC, and MI5 all warned against confusing the Chinese diaspora with the CCP and Beijing.

“If my remarks today elicit accusations of Sinophobia, from an authoritarian CCP, I trust you’ll see the irony,” said Wray.

Liu Pengyu, spokesperson for China’s embassy in Washington, responded on Wednesday denying interference, accusing the US of cyberattacks itself and characterizing criticism as “US politicians who have been tarnishing China’s image and painting China as a threat with false accusations.”

China’s foreign minister Wang Yi and US secretary of state Antony Blinken are scheduled to meet at the G20 Foreign Ministers’ meeting this week. The agenda, according to Chinese state-sponsored media, is “to exchange views on current China-US relations and major international and regional issues.”

Source: FBI and MI5 bosses: China cheats and steals at massive scale • The Register

EU will require all new cars to include anti-speeding tech ISA by 2024

Every new car sold in the European Union will soon include anti-speeding technology known as intelligent speed assistance, or ISA. The EU regulation (part of the broader General Vehicle Safety Regulation) goes into effect today, and states that all new models and types of cars introduced to the European market must include an ISA system. The policy doesn’t apply to any new cars that are in showrooms today — at least, not yet. By July 2024, every new car sold in the EU must have a built-in anti-speeding system.

“The roll out of ISA is a huge step forward for road safety and has the potential to dramatically reduce road traffic injuries and fatalities. Car manufacturers now have the opportunity to maximise the potential ISA presents for creating safer roads for all,” said the European Commission in a press release.

For those unfamiliar with ISA, the term describes a whole raft of systems that can detect road speed limits via front-mounted cameras, GPS data or both. Depending on the specific ISA and how it’s configured by the driver, the technology can provide reminder feedback about the speed limit, automatically adjust cruise control to match the road’s speed or even reduce power to the motor to slow speeding vehicles.

Many drivers in Europe are already using ISA-equipped vehicles, and major automakers such as Honda, Ford, Jeep and Mercedes-Benz sell certain models with these systems in the European market. According to a projection by the EU-funded PROSPER, a scenario such as this one, where ISA becomes mandated, could result in between 26 and 50 percent fewer fatalities.

As Autocar notes, ISA technology still isn’t perfect. During one test, the ISA system was occasionally “slow to respond” and at one point set the speed limit at 60 mph while driving through a quiet English village.

Source: EU will require all new cars to include anti-speeding tech by 2024 | Engadget

So… can you disable ISA easily then? At least it looks like the tech is contained in the car, hopefully not feeding your driving data and location to third parties where it can be sold on and get lost.

Marriott Hotels confirms yet another data breach

Hotel group Marriott International has confirmed another data breach, with hackers claiming to have stolen 20 gigabytes of sensitive data, including guests’ credit card information.

The incident, first reported by Databreaches.net, is said to have happened in June when an unnamed hacking group claimed they used social engineering to trick an employee at a Marriott hotel in Maryland into giving them access to their computer.

[…]

Marriott said the hotel chain identified, and was investigating, the incident before the threat actor contacted the company in an extortion attempt, which Marriott said it did not pay.

The group claiming responsibility for the attack say the stolen data includes guests’ credit card information and confidential information about both guests and employees. Samples of the data provided to Databreaches.net purport to show reservation logs for airline crew members from January 2022 and names and other details of guests, as well as credit card information used to make bookings.

However, Marriott told TechCrunch that its investigation determined that the data accessed “primarily contained non-sensitive internal business files regarding the operation of the property.”

The company said that it is preparing to notify 300-400 individuals regarding the incident, and has already notified relevant law enforcement agencies.

This isn’t the first time Marriott has suffered a significant data breach. Hackers breached the hotel chain in 2014 to access almost 340 million guest records worldwide — an incident that went undetected until September 2018 and led to a £14.4 million ($24 million) fine from the U.K.’s Information Commissioner’s Office. In January 2020, Marriott was hacked again in a separate incident that affected around 5.2 million guests.

[…]

Source: Hotel giant Marriott confirms yet another data breach | TechCrunch

Amazon offers to share data, boost rivals to dodge EU antitrust fines

Amazon (AMZN.O) has offered to share marketplace data with sellers and boost the visibility of rival products on its platform, trying to persuade EU antitrust regulators to close their investigations without a fine by the end of the year, people familiar with the matter said.

The world’s largest online retailer is hoping its concessions will stave off a potential European Union fine that could be as much as 10% of its global turnover, Reuters reported last year.

The European Commission in 2020 charged Amazon with using its size, power and data to push its own products and gain an unfair advantage over rival merchants that sell on its online platform.

It also launched an investigation into Amazon’s possible preferential treatment of its own retail offers and those of marketplace sellers that use its logistics and delivery services.

Amazon’s process for choosing which retailer appears in the “buy box” on its website and which generates the bulk of its sales also came under the spotlight.

Amazon has now proposed to allow sellers access to some marketplace data while its commercial arm will not be able to use seller data collected by its retail unit, the people said.

The company will also create a second buy box for rival products in the event an Amazon product appears in the first buy box, the people said.

[…]

Source: Amazon offers to share data, boost rivals to dodge EU antitrust fines | Reuters

No way that this is enough. A marketplace owner has no business offering products on their own marketplace at all. That’s always going to be unfair competition. It also fails to address many of the other monopoly problems, like forcing sellers to exclusively use Amazon or downgrading their search results, forcing sellers to use the Amazon delivery options as well as forcing other delivery parties out of business by delivering under cost price.

China’s cyberspace regulator details data export rules

[…]

The Cyberspace Administration of China’s (CAC) policy was first floated in October 2021 and requires businesses that transfer data offshore to conduct a security review. The requirements kick in when an organization transfers data describing more than 100,000 individuals, or information about critical infrastructure – including that related to communications, finance and transportation. Sensitive data such as fingerprints also trigger the requirement, at a threshold of 10,000 sets of prints.

A Thursday announcement added a detail to the policy: the cutoff date after which the CAC will start counting towards the 100,000 and 10,000 thresholds. Oddly, that date is January 1 … of 2021.

A state official explained in Chinese state-owned media on Thursday that the efforts were necessary due to the digital economy expanding cross-border data activities, and that differences in international legal systems have increased data export security risks, thereby affecting national security and social interest.

The official detailed that the security review should occur prior to signing a contract that includes exporting data overseas. Any approved data export will be valid for two years, at which point the entity must apply again.

[…]

Source: China’s cyberspace regulator details data export rules • The Register