n undersea fiberoptic cable located between mainland Norway and the Svalbard archipelago in the Arctic Ocean has been put out of action in a still-mysterious incident. The outage on the subsea communications cable — the furthest north of its kind anywhere in the world — follows an incident last year in which different cables linking an undersea surveillance network off the Norwegian coast were severed, a story that we covered in detail at the time.
The latest disruption involves one of two fiberoptic cables that enable communications between the Norwegian mainland and Norwegian-administered Svalbard that lies between the mainland and the North Pole. The outage occurred on the morning of January 7, but was first widely reported yesterday. The extent of the damage is not clear from the official press release from Space Norway, the country’s space agency, which maintains the cables primarily in support of the Svalbard Satellite Station (SvalSat), but it is significant enough that it is expected to require the services of an ocean-going cable-laying vessel.
Bjoertvedt/Wikimedia Commons
The Svalbard Satellite Station atop the mountain of Platåberget on the island of Spitsbergen in Svalbard, Norway.
In addition to the SvalSat facilities, the fiber-optic cables provide broadband internet to Svalbard. The SvalSat site consists of more than 100 satellite antennas on a mountain plateau and is the largest commercial ground station of its kind.
Being located between mainland Norway and the North Pole means that SvalSat is in much demand with operators of polar-orbiting satellites, being one of only two ground stations from which data can be downloaded from these types of satellites on each of the Earth’s rotations.
Space Norway, which operates the undersea cables, confirms that the second is still functioning normally, but the loss of the first means there is now no redundancy available until repairs can be made.
The Federal Aviation Administration has finally put out an official statement regarding a still very mysterious ground stop order that it issued to all aircraft in the western U.S. and Hawaii yesterday around 2:30 PM PST. While the incident is now confirmed, there are still a significant number of unanswered questions, including the most important one: what triggered this decision in the first place? You can get up to speed first on what The War Zone had been able to determine in our initial reporting here
The Federal Aviation Administration (FAA) issued their statement just before 9:40 AM PST this afternoon, over 20 hours after the order was sent. The War Zone had already reached out to the FAA with a number of basic questions regarding the event, but we have still not received a direct response.
FAA’s full statement, so far, regarding this incident, is as follows:
As a matter of precaution, the FAA temporarily paused departures at some airports along the West Coast on Monday night. Full operations resumed in less than 15 minutes. The FAA regularly takes precautionary measures. We are reviewing the process around this ground stop as we do after all such events.
This statement is immediately curious for a number of reasons. For one, publicly available recordings of air traffic controllers on the ground talking with pilots at the time show that this pause was not limited to the West Coast of the continental United States. For instance, pilots in Honolulu, Hawaii were given similar instructions.
HONOLULU TOWER advising HAL278 that the ground stop orders came from the FAA Command Center. They never gave a reason for the ground stop. pic.twitter.com/XasWmFwGap
One source, a pilot flying into Yuma, Arizona, which lies around 150 miles inland from the West Coast, told The War Zone that the alert had been described to them as “national ground stop.” This also highlights that we know that the stop order did not only impact departures. Other air traffic control recordings make clear that even some aircraft were ordered to land as soon as possible, as well.
Re: the west coast ground stop of air traffic today, here’s Burbank ATC telling a pilot due to a national security issue he can’t just fly around to avoid the stop, and needs to land. “I need you to go ahead and land at Van Nuys at this time.” pic.twitter.com/hQPnvTxnf7
The FAA statement makes no mention of what prompted it to take this “precaution,” either. Air traffic controllers at Burbank in California can be heard in one recording referencing an unspecified “national security threat.”
Just a few minutes before they told that aircraft they weren’t allowing aircraft to maneuver in the area due to a “national security threat” and it had to land, another plane that had just taken off was told it had to turn around and land. “Something’s going on.” pic.twitter.com/KAWGM3ZWuf
There had been reports, as well as general speculation, that the ground stop may have been related to a North Korean missile launch that occurred right at almost the same time that FAA issued its order. This was not entirely out of the realm of reason.
White House National Security Advisor Jake Sullivan has invited major tech firms to discuss ways that the cybersecurity of open-source software can be improved, Bloomberg reported on Thursday.
According to Bloomberg, the tech firms include “major software companies and developers.” Cloud providers are also reportedly among the invited companies.
Anne Neuberger, deputy national security advisor for cyber and emerging technology, will reportedly host a one-day discussion in January with representatives of the invited tech companies. The discussion will involve “company officials responsible for open-source projects and security,” according to Reuters.
The White House’s invitation to tech companies comes a few weeks after the discovery of a critical vulnerability in Log4j, a widely used open-source tool. In a letter to the invited tech firms, Sullivan reportedly stated that the popularity of open-source software projects and the fact that they’re maintained by volunteers is a “combination that is a key national security concern, as we are experiencing with the Log4j vulnerability.”
A real problem is that due to rabid insistence by hard core FOSS advocates who are usually tenured at a university and thus have a good salary, Open source maintainers are not really allowed to make any money, whilst uptake and complexity of their software has grown massively, making it an uphill slog maintaining the software for no renumeration whatsoever.
A Russian court fined Alphabet Inc.’s Google 7.2 billion rubles ($98 million) and Meta Platforms Inc. 2 billion rubles Friday for failing to remove banned content, the largest such penalties yet, as the authorities escalate a crackdown on foreign technology companies.
The fines were due to the companies’ repeated failure to comply with orders to take down content and based on a percentage of their annual earnings in Russia, the federal communications watchdog said in a statement. Google and Meta could face more fines if they don’t remove the material, it said.
[…]
The government is also pushing tech companies to comply with its increasingly strict laws on localizing data storage. This year, Google and Apple Inc. removed a protest-voting app from their Russian stores during parliamentary elections after the authorities threatened to imprison their local staff.
Until the latest rulings, however, fines for failure to remove content were generally insignificant. In September, Russia’s federal communications watchdog said companies that did not delete content could face fines of 5% to 20% of their annual local revenue.
Google earned revenues in Russia of about 85 billion rubles in 2020, according to the Spark-Interfax database.
“For some reason, the company fulfills decisions of American and European courts unquestioningly,” Anton Gorelkin, a ruling party deputy in the lower house of parliament who sits on the Information Policy committee, wrote on Telegram after the Google ruling was announced Friday. “If the turnover fine doesn’t bring Google to its senses, I’m afraid that some very unpleasant measures will be taken.”
The Dutch antitrust authority has found that Apple’s rules requiring software developers to use its in-app payment system are anti-competitive and ordered it to make changes, four people familiar with the matter said, in the latest regulatory setback for the iPhone maker.
Apple’s app-store payment policies, in particular its requirement that app developers exclusively use its payment system where commissions range between 15% and 30%, have long drawn complaints from developers.
[…]
The Netherlands’ Authority for Consumers and Markets (ACM) last month informed the U.S. technology giant of its decision, making it the first antitrust regulator to make a finding the company has abused market power in the app store, though Apple is facing challenges in multiple countries.
ACM has not levied a fine against Apple, but demanded changes to the in-app payment system, the people said. The decision has not been seen by Reuters.
An ACM spokesperson declined to comment, saying that the matter is currently under legal review. The regulator has previously said it expects to publish its decision this year.
OLED EX (the EX stands for Evolution and eXperience, unfortunately) promises to boost maximum brightness, enhance picture quality, and allow for smaller display bezels. The underlying technology—millions of individual self-lit pixels—hasn’t changed, but the use of an isotope called deuterium combined with algorithmic image processing can increase brightness by up to 30% over conventional OLED displays, LG claims.
As boring as that may sound, the science behind it is actually pretty fascinating. LG found a way to extract deuterium, a rather scarce isotope (there is one deuterium atom in 6,000 hydrogen atoms) that’s twice as heavy as hydrogen from water, then applied it to its TV’s OLED elements. LG says stabilized deuterium compounds let the display emit brighter light while improving efficiency over time.
Moving to the second change, LG is using a “personalized” machine learning algorithm that predicts the usage of each light-emitting diode (on up to 8K TVs) based on your viewing habits, then “precisely controls the display’s energy input to more accurately express the details and colors of the video content being played.”
The news comes via internal documents shared with The T-Mo Report, embedded below. They state that there was “unauthorized activity” on some customer accounts. That activity was either the viewing of customer proprietary network information (CPNI), an active SIM swap by a malicious actor, or both.
This comes just on the heels of a previous breach back in August. This time around, though, the damage appears to be much less severe. It seems only a small subset of customers are affected. There is no further detail about what exactly happened, with the documents simply saying that some info was leaked.
Affected customers fall into one of three categories. First, a customer may have only been affected by a leak of their CPNI. This information may include the billing account name, phone numbers, number of lines on the account, account numbers, and rate plan info. That’s not great, but it’s much less of an impact than the breach back in August had, which leaked customer social security numbers.
The second category an affected customer might fall into is having their SIM swapped. This is where a malicious actor will change the physical SIM card associated with a phone number in order to obtain control of said number. This can, and often does, lead to the victim’s other online accounts being accessed via two-factor authentication codes sent to their phone number. The document says that customers affected by a SIM swap have now had that action reversed.
The final category is simply both of the other two. Affected customers could have had both their private CPNI viewed as well as their SIM card swapped.
[…] Beginning on Jan. 31, hosts will only see the initials of guests’ first names until they confirm a booking request, Airbnb announced in a December news announcement spotted by the Verge. After a host confirms the booking, the guest’s full name will appear. The change to how names are displaced will be in place for at least two years.
“While we have made progress, we have much more to do and continue working with our Hosts and guests, and with civil rights leaders to make our community more inclusive,” Airbnb said.
In its announcement, the company said the update is consistent with the voluntary settlement agreement it reached with individuals in Oregon in 2019 “who raised concerns regarding the way guests’ names are displayed when they seek to book a listing.”
According to the Oregonian, in 2017 Portland resident Patricia Harrington filed a lawsuit against Airbnb. She claimed that because Airbnb requires guests to disclose their full name and include a photo, which hosts’ review before they accept a booking, the company was allowing hosts to discriminate against Black guests. This constituted a violation of Oregon’s public accommodation laws, she alleged.
Airbnb settled the lawsuit, which included two more Black women in Oregon, in 2019. By that time, Harrington had died.
The lawsuit’s claims weren’t wrong. Black guests have been sounding the alarm about discrimination on the platform for years and even created a hashtag: #AirbnbWhileBlack. In 2016, a Harvard Business School study even found that requests from guests with African American names were roughly 16% less likely to be accepted by hosts than identical guests with distinctively white names.
[…]
“Given that the impact of this change is unknown, the implementation will be limited,” Airbnb spokesperson Liz DeBold Fusco said in an email. “We will evaluate the impact of this change to understand if there are learnings from this work that can inform future efforts to fight bias.”
Game-making platform and fledgling metaverse Roblox made the news yesterday as the focus of a New York Times report about a ‘90s era tax cut that’s spun out of control. Originally created to foster investment in small businesses, the Qualified Small Business Stock, or Q.S.B.S., exemption has transformed into a way for ultra-wealthy businesses to avoid paying taxes on huge amounts of profits.
I’d say it seemed like a good idea at the time, but it really wasn’t. Launched in 1993, the Qualified Small Business Stock exemption was presented as a means to get more people investing in start-ups by shielding some of a company’s profits from taxation. Originally the exemption meant an investor would be shielded from paying taxes on half of profits up to 10 million dollars, but that was eventually changed to exempt the entire 10 million
[…]
the U.S. tax system for voting into being a loophole-laden exemption that would eventually be so abused that participating in it would be considered a right-of-passage for Silicon Valley’s ultra-wealthy. The problem with the Q.S.B.S. exemption is that it can be cloned. All it takes is gifting stock to friends and family. Though they haven’t invested in the company, they nevertheless still qualify for the exemption, so you can ensure that large chunks of money stay within close orbit of your control without needing to pay taxes on said cash.
According to financial reports and the New York Times’ sources, Roblox founder David Baszucki has been able to multiply the exemption 12 times over, gifting stock to his wife, his four children, and various other relatives. In the fall of 2020, months before Roblox went public, Baszucki’s mother-in-law started giving away shares to relatives. Since they were gifted, those shares also qualified for the exemption. In March of 2021, Robloxwent public, valued at 45 billion.
While this all sounds horrible and super-cheaty, there’s nothing at all illegal about this practice. It has a name, stacking, but is also known as peanut-buttering
The United Kingdom’s National Crime Agency and National Cyber Crime Unit have uncovered a colossal trove of stolen passwords.
We know this because Troy Hunt, of Have I Been Pwned (HIBP) fame, yesterday announced the agency has handed them over to his service, which lets anyone conduct a secure search of stolen passwords to check if their credentials have been exposed.
The NCA shared 585,570,857 with HIBP, and Hunt said 225,665,425 were passwords that he hasn’t seen before in the 613 million credentials HIBP already stored before the NCA handed over this new batch.
The NCA sent Hunt a statement explaining how it found the passwords:
During recent NCA operational activity, the NCCU’s Mitigation@Scale team were able to identify a huge amount of potentially compromised credentials (emails and associated passwords) in a compromised cloud storage facility. Through analysis, it became clear that these credentials were an accumulation of breached datasets known and unknown.
The fact that they had been placed on a UK business’s cloud storage facility by unknown criminal actors meant the credentials now existed in the public domain and could be accessed by other 3rd parties to commit further fraud or cyber offences.
The NCA’s statement to Hunt did not reveal the source of the password trove, or how it was discovered. Hunt did reveal the following were found among the newly compromised passwords.
flamingo228
Alexei2005
91177700
123Tests
aganesq
Today’s release brings the total Pwned Passwords count to 847,223,402, a 38 percent increase over the last release. 5,579,399,834 occurrences of a compromised password are represented across HIBP.
Norton antivirus’s inbuilt cryptominer has re-entered the public consciousness after a random Twitter bod expressed annoyance at how difficult it is to uninstall.
The addition of Ncrypt.exe, Norton 360’s signed cryptocurrency-mining binary, to installations of Norton antivirus isn’t new – but it seems to have taken the non-techie world a few months to realise what’s going on.
Back in June, NortonLifeLock, owner of the unloved PC antivirus product, declared it was offering Ethereum mining as part of its antivirus suite. NortonLifeLock’s pitch, as we reported, was that people dabbling in cryptocurrency mining probably weren’t paying attention to security – so what better way than to take up a cryptocurrency miner than installing one from a trusted consumer security brand?
In return for you installing their cryptominer on your home PC, NortonLifeLock skims off a mere 15 per cent of whatever digital currency you generate. While this compares well to the 100 per cent takings that criminals covertly deploying cryptominers help themselves to, some might say it’s a bit excessive for minimal effort on Norton’s part.
[…]
“If you have turned on Norton Crypto, but you no longer want to use the feature, you can disable it through your Norton Crypto dashboard,” says the FAQ on Norton’s website.
Uninstalling it altogether takes a bit more persistence, it appears, with users needing to disable Norton Product Tamper Protection (intended to protect the antivirus product from being disabled or deleted by malware) before going through the usual Windows uninstallation steps.
Norton isn’t alone: last year a maker of Wi-Fi routers offered to mine cryptocurrency on users’ devices if they supplied connectivity to the general public.
Kinetic Architecture is a concept on which buildings are designed to allow parts of the structure to move. CyberPowerPC took this idea and created a KINETIC chassis with 18 individually controlled articulating vents that open and close automatically, all based on the computer’s current internal ambient temperatures.
“We are entering 2022 with some of our most sophisticated and elegant designs ever. For discriminating gamers our PC Master Builders are ready to hand-build and test new gaming PCs that are ultra-clean, streamlined, and deliver maximum performance for those who want something truly unique.”
Eric Cheung, CyberPowerPC CEO
The vents aren’t a simple case of opening and closing either and adjust based on every degree of internal temperature by opening to varying degrees. Users can customize and adjust the temperature ranges as well, and a quick button will allow you to fully open or close the vents instantly. The KINETIC chassis supports full ATX size motherboards, up to seven 120mm or five 140mm fans, and most extended length graphics cards.
Key features of the CyberPowerPC KINETIC chassis include:
18 Individually actuating vents that adjust in real time to ambient case temperatures.
Maximizes airflow and cooling case temps are high.
Reduces noise and dust when case temps are low.
Temperature sensor ranges can be adjusted to fit your needs.
Available in both black and white mid-tower options.
The CyberPowerPC KINETIC Series PC case will ship in Q3 2022 from CyberPowerPC.com and CyberPowerPC’s network of authorized retailers and distributors. The chassis is backed by a one-year warranty and lifetime technical support. The suggested MSRP is US$249.
Google and Facebook have come a little unstuck in the cookie department as French watchdog Commission Nationale de l’Informatique et des Libertés (CNIL) slapped the pair with a €150m and €60m fine respectively.
The CNIL kicked off its investigations after receiving complaints regarding the way cookies can be refused on facebook.com, youtube.com and google.fr. The crux of the matter is that while there is a button to permit immediate acceptance of cookies, there is not the equivalent to refuse them as easily. “Several clicks are required to refuse all cookies, against a single one to accept them,” explained the CNIL.
“The restricted committee,” it went on, “considered that this process affects the freedom of consent: since, on the internet, the user expects to be able to quickly consult a website, the fact that they cannot refuse the cookies as easily as they can accept them influences their choice in favor of consent. This constitutes an infringement of Article 82 of the French Data Protection Act.”
Researchers were able to identify 74 species of animals by looking for DNA in air samples collected at two zoos. The experiment shows that free-floating DNA could be used to track wild animals, including endangered or invasive species, without needing to observe them directly.
Environmental DNA (eDNA) has shaken up how animal populations can be monitored, managed, and conserved. Instead of having to find physical evidence of animals—scales, fur, feces, or sightings—researchers can rely on the microscopic bits of genetic material that fall off creatures as they move around their environment. Merely taking a soil or water sample can give researchers a sense of an entire ecosystem.
But researchers have wondered whether air could provide the same level of information as soil and water. Last year, a UK-based team detected naked mole rat DNA by sampling air from the rodents’ burrows in a lab setting. (They also detected human DNA, presumably from the researchers who worked in the lab.) But proving the method’s success in open air was a different beast. To test the technique further, two research teams used a setting that included unmistakeable subjects: zoos in England and Denmark. Their twopapers are published today in Current Biology.
[…]
To run their experiment, the scientists used a fan with a filter, drawing in air from within and around the zoo. The team then used polymerase chain reaction (PCR)—the same tech used in many covid-19 tests—to amplify the genetic information on the filter, essentially creating many copies of the genetic material they found. They were able to identify 25 species in the UK and 49 species in Denmark. In the UK study, eight of the identified species were animals native to the area rather than zoo inhabitants, while six non-zoo animals were detected in the Denmark study.
Elizabeth Clare, author of one of the studies, samples air for environmental DNA.Photo: Elizabeth Clare
[…]
The closer to extinction a species creeps, the harder it is for it to be monitored. eDNA methods make that conservation work easier. It means keeping track of the last vaquitas and perhaps settling the debate over the fate of the ivory-billed woodpecker.
Airborne DNA still requires more research, but Clare noted how quickly waterborne DNA became a widely used method in conservation. Perhaps the latest innovation in DNA surveys will happen sooner than we think.
Snap is suing the US Patent and Trademark Office (USPTO) for rejecting its application to trademark the word “spectacles” for its digital eyewear camera device. But the USPTO has maintained that “spectacles” is a generic term for smart glasses and that Snap’s version “has not acquired distinctiveness,” as required for a trademark.
In its complaint filed Wednesday in US District Court in California, Snap claims that the Spectacles name “evokes an incongruity between an 18th century term for corrective eyewear and Snap’s high-tech 21st century smart glasses. SPECTACLES also is suggestive of the camera’s purpose, to capture and share unusual, notable, or entertaining scenes (i.e., “spectacles”) and while also encouraging users to make ‘spectacles’ of themselves.”
Snap first introduced its camera-equipped Spectacles in 2016 (“a wearable digital video camera housed in a pair of fashionable sunglasses,” according to its complaint), which can take photos and videos while the user wears them and connects with the Snap smartphone app. Despite selling them both online and in pop-up vending machines around the world, the first iteration of Spectacles mostly flopped with consumers. In its 2017 third-quarter earnings report, Snap said it had lost nearly $40 million on some 300,000 unsold Spectacles.
Snap’s new complaint posits that there’s been enough media coverage of Spectacles, bolstered by some industry awards and its own marketing including social media, to support its claim that consumers associate the word “spectacles” with the Snap brand. Snap first filed a trademark application for Spectacles in September 2016, “for use in connection with wearable computer hardware” and other related uses “among consumer electronics devices and displays.”
During several rounds of back-and-forth with the company since then, the USPTO has maintained that the word “spectacles” appeared to be “generic in connection with the identified goods,” i.e. the camera glasses. Snap continued to appeal the agency’s decision.
In a November 2021 opinion, the USPTO’s Trademark Trial and Appeal Board (pdf) upheld the decision, reiterating that the word “spectacles” was a generic term that applied to all smart glasses, not just Snap’s version. Despite the publicity Snap claimed its Spectacles had received from its marketing and social media, the board noted in its opinion that Spectacles’ “social media accounts have an underwhelming number of followers, and the number of followers is surprisingly small,” which didn’t support the company’s argument that there had been a high enough level of consumer exposure to Snap’s Spectacles to claim that consumers associated the word with Snap’s brand.
Electric- and hydrogen-powered truck startup Nikola has agreed to a $125 million settlement over charges that it defrauded investors after misleading them about its products, technical advances and financial prospects.
Nikola violated the antifraud and disclosure control provisions of the federal securities laws, the Securities and Exchange Commission said Tuesday.
In July the founder and one-time chair of Nikola, Trevor Milton, was freed on $100 million bail after pleading not guilty to charges alleging he lied about the company.
The U.S. Attorney’s Office in Manhattan, New York, charged Milton, 39, with two counts of securities fraud and wire fraud. He resigned as chairman in September.
The SEC said in its order that Milton embarked on a public-relations campaign aimed at inflating and maintaining Nikola’s stock price before the company had produced a vehicle.
The SEC also found that Milton misled investors about Nikola’s technological advancements, in-house production capabilities, hydrogen production, truck reservations and orders, and financial outlook. In addition, it found that Nikola misled investors by misrepresenting or omitting information about the refueling time of its prototype vehicles, as well as the economic risks and benefits associated with a potential partnership with General Motors.
Amazon’s crucial web services business AWS has experienced problems today due to a power outage, affecting services like Slack, Imgur, and the Epic Games store for some users. It’s not looking good if you’re working from home, with some Slack users unable to view or upload images and work management tool Asana also hit by the outages.
The official AWS service health dashboard blamed the issues on power outages in a single data center, affecting one Availability Zone (USE1-AZ4) within the US-EAST-1 Region. At 9:13AM ET, Amazon said it had restored power to the affected servers, and by 12:28PM ET, it had “restored underlying connectivity to the majority of the remaining” systems. However, users may still be experiencing issues as services and servers are relaunched.
According to court documents, Ishii switched the transfer address for a Sony Life transaction to use a Silvergate Bank account under his control..
Ishii later converted the stolen funds into more than 3879 bitcoins via A Coinbase set up to automatically transfer all added funds to an offline cryptocurrency cold wallet with a Bitcoin address of bc1q7rhc02dvhmlfu8smywr9mayhdph85jlpf6paqu.
After converting the money to cryptocurrency, Ishii also tried persuading his supervisor and several Sony Life executives not to help investigators by emailing them a ransom note typed in English and Japanese.
“If you accept the settlement, we will return the funds back. If you are going to file criminal charges, it will be impossible to recover the funds,” the note read.
“We might go down behind all of this, but one thing is for sure, you are going to be right there next to us. We strongly recommend to stop communicate (sic) with any third parties including law enforcement.”
Cryptocurrency seized following FBI investigation
However, on December 1, following an investigation in collaboration with Japanese law enforcement authorities, the FBI seized the 3879.16242937 BTC in Ishii’s wallet after obtaining the private key, which made it possible to transfer all the bitcoins to the FBI’s bitcoin wallet.
“Sony and Citibank immediately contacted and cooperated with law enforcement as soon as the theft was detected, and the FBI worked in partnership with both to locate the funds,” explained FBI Special Agent in Charge Suzanne Turner.
“Second, the FBI’s footprint internationally through our Legal Attaché offices and the pre-existing relationships we have established in foreign countries – in this instance with Japan – enabled law enforcement to coordinate and identify the subject.”
Tokyo’s Metropolitan Police Department arrested the 32-year-old Ishii the same day and criminally charged him on suspicion of obtaining $154 million dollars following fraudulent money transfers from mid-May.
[…] researchers managed to technically deconstruct just how one of the company’s notorious “zero-click” attacks work. Indeed, researchers with Google’s Project Zero published a detailed break-down that shows how an NSO exploit, dubbed “FORCEDENTRY,” can swiftly and silently take over a phone.
[…]
Initial details about it were captured by Citizen Lab, a research unit at the University of Toronto that has frequently published research related to NSO’s activities. Citizen Lab researchers managed to get ahold of phones that had been subjected to the company’s “zero-click” attacks and, in September, published initial research about how they worked. Around the same time, Apple announced it was suing NSO and also published security updates to patch the problems associated with the exploit.
Citizen Lab ultimately shared its findings with Google’s researchers who, as of last week, finally published their analysis of the attacks. As you might expect, it’s pretty incredible—and frightening—stuff.
[…]
Probably the most terrifying thing about FORCEDENTRY is that, according to Google’s researchers, the only thing necessary to hack a person was their phone number or their AppleID username.
Using one of those identifiers, the wielder of NSO’s exploit could quite easily compromise any device they wished. The attack process was simple: What appeared to be a GIF was texted to the victim’s phone via iMessage. However, the image in question was not actually a GIF; instead, it was a malicious PDF that had been dressed up with a .gif extension. Within the file was a highly sophisticated malicious payload that could hijack a vulnerability in Apple’s image processing software and use it to quickly take over valuable resources within the targeted device.
[…]
what FORCEDENTRY did was exploit a zero-day vulnerability within Apple’s image rendering library, CoreGraphics—the software that iOS uses to process on-device imagery and media. That vulnerability, officially tracked as CVE-2021-30860, is associated with an old piece of free, open-source code that iOS was apparently leveraging to encode and decode PDF files—the Xpdf implementation of JBIG2.
Here’s where the attack gets really wild, though. By exploiting the image processing vulnerability, FORCEDENTRY was able to get inside the targeted device and use the phone’s own memory to build a rudimentary virtual machine, basically a “computer within a computer.” From there, the machine could “bootstrap” NSO’s Pegasus malware from within, ultimately relaying data back to whoever had deployed the exploit.
[…]
The vulnerability related to this exploit was fixed in Apple’s iOS 14.8 update (issued in September), though some computer researchers have warned that if a person’s phone was compromised by Pegasus prior to the update, a patch may not do all that much to keep intruders out.
When someone buys a new car, they generally expect to be getting a vehicle that’s fully up-to-date, not one built with leftover parts. Tesla customers who don’t read the fine print, though, could accidentally end up paying the price for a “new” Model 3 with a years-old battery, one which Tesla acknowledges may have already lost almost an eighth of its total capacity.
Use of older batteries in new Model 3s was first observed on Twitter, where user William Hummel shared images of a disclaimer on Tesla’s website that notes up to 12 percent reduced range stemming from the cars’ use of batteries built as far back as 2017. These screen captures were not of Tesla’s online configurator as Hummel’s use of “new car” might lead one to believe, but from Tesla’s inventory page, where “new” Model 3s are indeed listed for sale with the range disclaimer shown, along with a partial explanation accessed via the “Learn More” button.
[…]DARPA’s Guaranteeing AI Robustness against Deception (GARD) program […] focuses on a few core objectives. One of which is the development of a testbed for characterizing ML defenses and assessing the scope of their applicability […]
Ensuring that emerging defenses are keeping pace with – or surpassing – the capabilities of known attacks is critical to establishing trust in the technology and ensuring its eventual use. To support this objective, GARD researchers developed a number of resources and virtual tools to help bolster the community’s efforts to evaluate and verify the effectiveness of existing and emerging ML models and defenses against adversarial attacks.
“Other technical communities – like cryptography – have embraced transparency and found that if you are open to letting people take a run at things, the technology will improve,” said Bruce Draper, the program manager leading GARD.
[…]
GARD researchers from Two Six Technologies, IBM, MITRE, University of Chicago, and Google Research have collaboratively generated a virtual testbed, toolbox, benchmarking dataset, and training materials to enable this effort. Further, they have made these assets available to the broader research community via a public repository
[…]
Central to the asset list is a virtual platform called Armory that enables repeatable, scalable, and robust evaluations of adversarial defenses. The Armory “testbed” provides researchers with a way to pit their defenses against known attacks and relevant scenarios. It also provides the ability to alter the scenarios and make changes, ensuring that the defenses are capable of delivering repeatable results across a range of attacks.
Armory utilizes a Python library for ML security called Adversarial Robustness Toolbox, or ART. ART provides tools that enable developers and researchers to defend and evaluate their ML models and applications against a number of adversarial threats, such as evasion, poisoning, extraction, and inference. The toolbox was originally developed outside of the GARD program as an academic-to-academic sharing platform.
[…]
The Adversarial Patches Rearranged In COnText, or APRICOT, benchmark dataset is also available via the repository. APRICOT was created to enable reproducible research on the real-world effectiveness of physical adversarial patch attacks on object detection systems. The dataset lets users project things in 3D so they can more easily replicate and defeat physical attacks, which is a unique function of this resource. “Essentially, we’re making it easier for researchers to test their defenses and ensure they are actually solving the problems they are designed to address,” said Draper.
[…]
Often, researchers and developers believe something will work across a spectrum of attacks, only to realize it lacks robustness against even minor deviations. To help address this challenge, Google Research has made the Google Research Self-Study repository that is available via the GARD evaluation toolkit. The repository contains “test dummies” – or defenses that aren’t designed to be the state-of-the-art but represent a common idea or approach that’s used to build defenses. The “dummies” are known to be broken, but offer a way for researchers to dive into the defenses and go through the process of properly evaluating their faults.
[…]
The GARD program’s Holistic Evaluation of Adversarial Defenses repository is available at https://www.gardproject.org/. Interested researchers are encouraged to take advantage of these resources and check back often for updates.
minDALL-E, named after minGPT, is a 1.3B text-to-image generation model trained on 14 million image-text pairs for non-commercial purposes.
Environment Setup
Basic setup
PyTorch == 1.8.0
CUDA >= 10.1
Other packages
pip install -r requirements.txt
Model Checkpoint
Model structure (two-stage autoregressive model)
Stage1: Unlike the original DALL-E [1], we replace Discrete VAE with VQGAN [2] to generate high-quality samples effectively. We slightly fine-tune vqgan_imagenet_f16_16384, provided by the official VQGAN repository, on FFHQ [3] as well as ImageNet.
Stage2: We train our 1.3B transformer from scratch on 14 million image-text pairs from CC3M [4] and CC12M [5]. For the more detailed model spec, please see configs/dalle-1.3B.yaml.
You can download the pretrained models including the tokenizer from this link. This will require about 5GB space.
Sampling
Given a text prompt, the code snippet below generates candidate images and re-ranks them using OpenAI’s CLIP [6].
This has been tested under a single V100 of 32GB memory. In the case of using GPUs with limited memory, please lower down num_candidates to avoid OOM.
[…]
Samples (Top-K=256, Temperature=1.0)
“a painting of a {cat, dog} with sunglasses in the frame”
“a large {pink, black} elephant walking on the beach”
Apple’s AirTags and Find My service can be helpful for finding things you lose—but they also introduce a big privacy problem. While those of us on iOS have had some tools for fighting those issues, Apple left those of us on Android without much to work with. A new Android AirTag finder app finally addresses some of those concerns.
How AirTags work
[…]
The Find My network employs the passive use of hundreds of millions of Apple devices to help expand your search. That way, you can locate your lost items even if they’re too far away for traditional wireless tracking. Your lost AirTag may be out of your own phone’s Bluetooth range, but it may not be far from another Apple device.
[…]
The Tracker Detect app comes out of a need for better security in the Find My network. Having such a wide network to track a tiny, easy-to-miss device could make it easy for someone to use AirTags to track someone.
People pointed out this vulnerability pretty soon after Apple announced the AirTags. With more than 113 million iPhones in the U.S., not to mention other Apple devices, the Find My network could be one of the widest tracking systems available. A device as small and easy-to-use as an AirTag on that network could make stalking easier than ever.
That said, Apple has a built-in feature designed to prevent tracking. If your iPhone senses that a strange AirTag, separated from its owner, is following you, it will send you an alert. If that AirTag is not found, it will start to make a sound anywhere from 8 to 24 hours after being separated from its owner.
However, Android users haven’t had these protections. That’s where Tracker Detect comes in; with this new Android AirTag app, you can scan the area to see if anyone may be tracking your location with an AirTag or other Find My-enabled accessory.
The app won’t scan automatically, so you’ll have to look for devices manually. To do that, open the app and tap Scan. Apple says it may take up to 15 minutes to find an AirTag that’s separated from its owner. You can tap Stop Scanning to end the search if you feel safe, and if the app detects something, it will mark it as Unknown AirTag.
Once the app has detected an AirTag, you can have it play a sound through the tag for up to ten minutes to help you find it. When you find the AirTag, you can scan it with an NFC reader to learn more about it.
[…] Researchers at the biotechnology startup Cortical Labs have created “mini-brains“ consisting of 800,000 to one million living human brain cells in a petri dish, New Scientist reports. The cells are placed on top of a microelectrode array that analyzes the neural activity.
[…]
To teach the mini-brains the game, the team created a simplified version of “Pong” with no opponent. A signal is sent to either the right or left of the array to indicate where the ball is, and the neurons from the brain cells send signals back to move the paddle.
“We often refer to them as living in the Matrix,” Kagan told the magazine, in a horrifyingly reference to the 1999 movie in which humans are enslaved by AI overlords in an all-encompassing simulation. “When they are in the game, they believe they are the paddle.”
Well, that’s a scary enough concept to cause some existential panic for anyone.
Faster Than AI
Kagan said that while the mini-brains can’t play the game as well as a human, they do learn faster than some AIs.
“The amazon aspect is how quickly it learns, in five minutes, in real time,” he told New Scientist. “That’s really an amazing thing that biology can do.”
While this is certainly some amazing Twitch fodder, the team at Cortical Labs hope to use their findings to develop sophisticated technology using “live biological neurons integrated with traditional silicon computing,” according to the outfit’s website.
First, come up with a catchy name for a cryptocurrency project. Next, convince the credulous to buy associated digital tokens. Finally, abandon the project and keep investors’ funds.
This “rug pulling” scam lacks sophistication but evidently it works. According to Chainalysis, a blockchain data biz, separating cryptocoin buyers from their money in this manner has become particularly popular in the DeFi (decentralized finance) ecosystem and has contributed to a scam surge.
In a post previewing the company’s 2022 Crypto Crime Report, Chainalysis said scams constituted the largest form of cryptocurrency-based crime, as measured by transaction volume. Cryptocurrency investors – if that’s the right term – lost over $7.7bn worth of digital whatever in 2021.
That’s up 81 per cent from 2020, but 2020, amid the COVID-19 pandemic, was an unusual year. This year was not quite as bad as 2019, which was close to $10bn worth of scams. But there were more scams overall (3,300 in 2021, up from 2,052 in 2020), albeit with shorter lifespans (~70 days in 2021, compared to ~192 in 2020 and to around ~2,369 in 2013).
Take-the-money-and-run gambits should not to be confused with losses attributable to security shortcomings at DeFi services that let hackers steal funds, like the recent theft of some $120m in tokens from BadgerDAO or the $31m taken from MonoX. That’s a separate dumpster fire.
Bjoertvedt/Wikimedia Commons
