Everyone is mad about Apple’s App Store guidelines right now, especially when it comes to cloud gaming services. Microsoft isn’t bringing Project xCloud to iOS. Google’s Stadia app can’t let iPhone users actually play games. Facebook also had to axe the ability to play games for its Facebook Gaming iOS app to be allowed in the App Store. And that doesn’t even take into account the number of smaller, non-gaming app developers who have had their apps kicked out of the App Store after seemingly arbitrary enforcement of Apple’s guidelines. But Fortnite developer Epic Games took a bold step toward telling Apple what it thinks of the company’s App Store policies, possibly attempting a loophole to get around things. Fortnite has now been kicked out of both Apple and Google’s stores, and Epic is now suing Apple.
Yesterday, Epic Games introduced the ability to pay the company directly for V-Bucks in the Fortnite app on the App Store and in the Google Play store for Android, bypassing the in-app payment methods in both apps. On top of that, Epic Games is giving users a 20% discount for using the direct payment method. According to Apple, in a statement to the Verge, this violates App Store guidelines, which state that apps offering in-game currency for real money cannot use a direct payment method.
[…]
Before removal, a screenshot of the Fortnite app on iOS clearly showed that users have the option to either purchase V-bucks through the App Store or send a direct payment to Epic Games.
“Today, we’re also introducing a new way to pay on iOS and Android: Epic direct payment. When you choose to use Epic direct payments, you save up to 20% as Epic passes along payment processing savings to you,” Epic Games announced in a press release this morning.
Google’s policies also seem to prevent developers from using anything but an in-app payment system.
[…]
Epic Games pointed out that both Apple and Google collect a 30% fee, and that if users choose to pay through either store’s app they will not benefit from the 20% discount—hence the lower price on the direct payment option.
“If Apple or Google lower their fees on payments in the future, Epic will pass along the savings to you.”
Damn, Epic. Shots fired.
[…]
The problem for Apple is that both it and Google have policies related to purchases that are consumed outside of their respective app stores. Both allow users to make payments outside of the app.
[…]
Fortnite is available on multiple platforms: PC, Mac, Xbox, PlayStation, Nintendo Switch, Android, and iOS, and users can link their profiles together so they can play with the same account across all platforms. This means that someone could purchase V-Bucks through the Android and iOS apps and spend them at a later date from their console or PC. So technically those users appear to be purchasing “goods or services” that can be consumed outside of the app.
[…]
Epic has taken legal action to end Apple’s anti-competitive restrictions on mobile device marketplaces. The papers are available to read here.
From the legal filing: “Rather than tolerate this healthy competition and compete on the merits of its offering, Apple responded by removing Fortnite from sale on the App Store, which means that new users cannot download the app, and users who have already downloaded prior versions of the app from the App Store cannot update it to the latest version. This also means that Fortnite players who downloaded their app from the App Store will not receive updates to Fortnite through the App Store, either automatically or by searching the App Store for the update. Apple’s removal of Fortnite is yet another example of Apple flexing its enormous power in order to impose unreasonable restraints and unlawfully maintain its 100% monopoly over the iOS In-App Payment Processing Market.”
And the fallout has been some compelling entertainment in these quarantine times: Apple swiftly kicked Fortnite from its store, then Epic struck back with a lawsuit and arranged an in-game event to screen a video satirizing Apple’s iconic 1984 commercial to mobilize its fanbase against the company, throwing in a #FreeFortnite hashtag to boot.
[…]
Just as it did with Apple, Epic Games has now filed a lawsuit against Google over alleged antitrust violations just hours after Fortnite was dropped from the Play Store. The suit alleges that Google’s stipulations about in-app purchases constitute a monopoly in clear violation of both the Sherman Act and California’s Cartwright Act.
Epic’s complaint is nearly identical to the lawsuit against Apple that it filed earlier today following Fortnite’s removal from the company’s app store. Only the lawsuit’s introductions differ significantly, with the one against Apple referencing its aforementioned 1984 ad and the one against Google recalling the infamous “Don’t Be Evil” mantra the company was founded upon.
“Twenty-two years later, Google has relegated its motto to nearly an afterthought, and is using its size to do evil upon competitors, innovators, customers, and users in a slew of markets it has grown to monopolize,” the suit argues.
Following a year-long investigation into the company, Reuters reports Russia’s Federal Antimonopoly Service (FAS) has found the iPhone-maker abused its dominant position in the mobile app marketplace and will order Apple to resolve multiple regulatory breaches.
The agency started investigating the tech giant after developer Kaspersky Lab filed a complaint over the rejection of its Safe Kids app from the App Store. At the time, Apple said the software put “user’s safety and privacy at risk.” The agency ruled that Apple forces developers to distribute their apps through the App Store and then unlawfully blocks them. A spokesperson for Apple told Reuters the company plans to appeal the ruling.
The decision comes as Apple faces increasing scrutiny over its gatekeeping of the App Store in both the US and EU. When Tim Cook testified before the House Judiciary Antitrust Subcommittee at the end of July, lawmakers asked the executive about the company’s decisions to block some competitors from its digital marketplace. Cook was also asked about the ongoing 30 percent cut the company takes from third-party app sales, a rate many developers argue is too high. Apple was again in the spotlight earlier this month after it said it would not allow Microsoft’s Project xCloud on iOS since its App Store guidelines require developers to submit games individually for review.
In December 2019 I wrote about The Growing Problem of Malicious Relays on the Tor Network with the aim of raising awareness and improving the situation over time. Unfortunately, instead of improving, things have become even worse, specifically when it comes to malicious Tor exit relay activity.
Tor exit relays are the last hop in the chain of three relays and the only type of relay that gets to see the connection to the actual destination chosen by the Tor Browser user. Whether the user’s connection uses HTTP or HTTPS decides whether a malicious exit relay can actually see and manipulate the transferred content.
[…]
One key question in malicious relay analysis is always: which hosting companies did they use? So here is a breakdown by internet service provider. It is mostly OVH (generally speaking, one of the largest ISPs used for Tor relays). Frantech, ServerAstra and Trabia Network are also known providers for relays. “Nice IT Services Group” looks interesting, since I had never seen relays on this obscure network before the attacker added some of his relays there on 2020-04-16.
[…]
The full extent of their operations is unknown, but one motivation appears plain and simple: profit.
They perform person-in-the-middle attacks on Tor users by manipulating traffic as it flows through their exit relays. They (selectively) remove HTTP-to-HTTPS redirects to gain full access to plain unencrypted HTTP traffic without triggering TLS certificate warnings. This is hard for Tor Browser users to detect unless they specifically look for “https://” in the URL bar.
[…]
There are established countermeasures, namely HSTS Preloading and HTTPS Everywhere, but in practice many website operators do not implement them and leave their users vulnerable to this kind of attack. This kind of attack is not specific to Tor Browser. Malicious relays are just used to gain access to user traffic. To make detection harder, the malicious entity did not attack all websites equally. It appears that they are primarily after cryptocurrency related websites — namely multiple bitcoin mixer services. They replaced bitcoin addresses in HTTP traffic to redirect transactions to their wallets instead of the user provided bitcoin address. Bitcoin address rewriting attacks are not new, but the scale of their operations is. It is not possible to determine if they engage in other types of attacks.
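The two attack steps above (redirect removal, address rewriting) and the HSTS countermeasure can each be checked from the defender's side. This is an added example, not code from the post: HTTP responses are passed in as plain dicts, the preload-list requirements (one-year max-age, includeSubDomains, preload) are taken from hstspreload.org, and every sample response and bitcoin-looking address below is constructed.

```python
import re

# Regex for the two common bitcoin address forms (base58 P2PKH/P2SH, bech32).
BTC_ADDR_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})\b"
)

# hstspreload.org submission requirements (assumed stable): one-year
# max-age, includeSubDomains and preload must all be present.
PRELOAD_MIN_MAX_AGE = 31536000


def redirects_to_https(response: dict) -> bool:
    """True when the response is a redirect whose Location is an https URL."""
    location = response.get("headers", {}).get("Location", "")
    return response.get("status") in (301, 302, 307, 308) and \
        location.lower().startswith("https://")


def redirect_stripped(trusted: dict, observed: dict) -> bool:
    """Compare the origin's real answer to a plain-HTTP request (fetched over
    a path you control) with the answer seen through the exit under test.
    A trusted redirect to https that arrives as a 200 page through the exit
    is the signature of the redirect-removal step described in the post."""
    return redirects_to_https(trusted) and not redirects_to_https(observed)


def hsts_preload_ready(headers: dict) -> tuple:
    """Check a Strict-Transport-Security header against the preload-list
    requirements. Returns (ok, list_of_problems)."""
    value = ""
    for name, val in headers.items():
        if name.lower() == "strict-transport-security":
            value = val
    if not value:
        return False, ["no Strict-Transport-Security header"]
    directives = {}
    for part in value.split(";"):
        key, _, arg = part.strip().partition("=")
        directives[key.strip().lower()] = arg.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        max_age = -1
    problems = []
    if max_age < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below one year")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing")
    if "preload" not in directives:
        problems.append("preload missing")
    return not problems, problems


def injected_addresses(trusted_body: str, observed_body: str) -> set:
    """Addresses present in the exit's copy of a page but absent from the
    copy fetched over a trusted path: the address-rewriting signature."""
    return set(BTC_ADDR_RE.findall(observed_body)) - \
        set(BTC_ADDR_RE.findall(trusted_body))


# Constructed samples: the origin really redirects plain HTTP to https...
TRUSTED_HTTP = {"status": 301,
                "headers": {"Location": "https://mixer.example/"},
                "body": ""}
# ...but the same request seen through the exit returns a plain-HTTP page
# carrying a different payout address (both addresses are made up).
OBSERVED_HTTP = {
    "status": 200,
    "headers": {"Content-Type": "text/html"},
    "body": "<p>Send coins to 1AttackerSwappedAddrAAAAAAAAA</p>",
}
TRUSTED_PAGE = "<p>Send coins to 1LegitMerchantAddressAAAAAAA</p>"


def audit(trusted_resp=TRUSTED_HTTP, observed_resp=OBSERVED_HTTP,
          trusted_page=TRUSTED_PAGE) -> dict:
    """Run all three checks over one exit's view of a site."""
    return {
        "redirect_stripped": redirect_stripped(trusted_resp, observed_resp),
        "injected_addresses": injected_addresses(trusted_page,
                                                 observed_resp["body"]),
        "hsts": hsts_preload_ready(observed_resp["headers"]),
    }


if __name__ == "__main__":
    print(audit())
```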
The malicious Tor relay operator discussed in this blog post controlled over 23% of the entire Tor network exit capacity (as of 2020-05-22).
The malicious operator demonstrated the ability to recover their capacity after initial removal attempts by Tor directory authorities.
Multiple indicators suggest that the attacker still runs >10% of the Tor network exit capacity (as of 2020-08-08).
The recurring large-scale malicious Tor relay operations make it clear that current checks and approaches for bad-relay detection are insufficient to prevent such events from recurring, and that the threat landscape for Tor users has changed.
Multiple specific countermeasures have been proposed to tackle the ongoing issue of malicious relay capacity.
It is up to the Tor Project and the Tor directory authorities to act to prevent further harm to Tor users.
The U.S. Department of Commerce and the European Commission have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the July 16 judgment of the Court of Justice of the European Union in the Schrems II case. This judgment declared that this framework is no longer a valid mechanism to transfer personal data from the European Union to the United States.
The European Union and the United States recognize the vital importance of data protection and the significance of cross-border data transfers to our citizens and economies. We share a commitment to privacy and the rule of law, and to further deepening our economic relationship, and have collaborated on these matters for several decades.
More than 3.7 million. That’s the latest number of surveillance cameras, baby monitors, doorbells with webcams, and other internet-connected devices found left open to hijackers via two insecure communications protocols globally, we’re told.
This is up from estimates of a couple of million last year. The protocols are CS2 Network P2P, used by more than 50 million devices worldwide, and Shenzhen Yunni iLnkP2P, used by more than 3.6 million. The P2P stands for peer-to-peer. The devices’ use of the protocols cannot be switched off.
The upshot is Internet-of-Things gadgets using vulnerable iLnkP2P implementations can be discovered and accessed by strangers, particularly if the default password has not been changed or is easily guessed. Thus miscreants can abuse the protocol to spy on poorly secured cameras and other equipment dotted all over the world (CVE-2019-11219). iLnkP2P connections can also be intercepted by eavesdroppers to snoop on live video streams, login details, and other data (CVE-2019-11220).
Meanwhile, CS2 Network P2P can fall to the same sort of snooping as iLnkP2P (CVE-2020-9525, CVE-2020-9526). iLnkP2P is, we’re told, functionally identical to CS2 Network P2P though there are some differences.
The bugs were found by Paul Marrapese, who has a whole site, hacked.camera, dedicated to the vulnerabilities. “As of August 2020, over 3.7 million vulnerable devices have been found on the internet,” reads the site, which lists affected devices and advice on what to do if you have any at-risk gear. (Summary: throw it away, or try firewalling it off.)
He went public with the CS2 Network P2P flaws this month after being told in February by the protocol’s developers the weaknesses will be addressed in version 4.0. In 2019, he tried to report the iLnkP2P flaws to developers Shenzhen Yunni, received no response, and went public with those bugs in April that year.
At this year’s DEF CON hacking conference, held online last week, Marrapese gave an in-depth dive into the insecure protocols, which you can watch below.
“When hordes of insecure things get put on the internet, you can bet the end result is not going to be pretty,” Marrapese, a red-team member at an enterprise cloud biz, told his web audience. “A $40 purchase from Amazon is all you need to start hacking into devices.”
The protocols use UDP port 32100, and are outlined here by Fabrizio Bertone, who reverse engineered them in 2017. Essentially, they’re designed to let non-tech-savvy owners access their devices, wherever they are. The equipment contacts central servers to announce they’re powered up, and they stay connected by sending heartbeat messages to the servers. These cloud-hosted servers thus know which IP addresses the gadgets are using, and stay in constant touch with the devices.
When a user wants to connect to their device, and starts an app to log into their gadget, the servers will tell the app how to connect to the camera, or whatever it may be, either via the local network or over the internet. If need be, the device and app will be instructed to use something called UDP hole punching to talk to each other through whatever NATs may be in their way, or via a relay if that doesn’t work. This allows the device to be used remotely by the app without having to, say, change any firewall or NAT settings on their home router. The app and device find a way to talk to each other.
“In the context of IoT, P2P is a feature that lets people connect to their device anywhere in the world without any special setup,” Marrapese said. “You have to remember, some folks don’t even know how to log into their routers, never mind forward a port.”
In the case of iLnkP2P, it turned out it was easy to calculate the unique IDs of strangers’ devices, and thus use the protocol to find and connect to them. The IDs are set at the factory and can’t be changed. Marrapese was able to enumerate millions of gadgets, and use their IP addresses to approximate their physical location, showing equipment scattered primarily across Asia, the UK and Europe, and North America. Many accept the default password, and thus can be accessed by miscreants scanning the internet for vulnerable P2P-connected cameras and the like. According to Marrapese, thousands of new iLnkP2P-connected devices appear online every month.
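The registration and heartbeat behaviour described above gives defenders a way to find such devices on their own network, which is a precondition for the article's advice to firewall them off. The following is an added example, not code from the article or from hacked.camera: it assumes an egress flow log in a simple key=value line format (an assumption) and flags internal hosts that send UDP to port 32100 at a fixed interval; all log lines are constructed and use RFC 5737 test addresses.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

P2P_PORT = 32100  # UDP port the article says both protocols use

# Constructed egress flow log (line format is an assumption).
SAMPLE_LOG = """\
2020-08-10T12:00:00Z proto=udp src=192.168.1.50:40001 dst=203.0.113.10:32100 bytes=60
2020-08-10T12:00:05Z proto=tcp src=192.168.1.77:51234 dst=198.51.100.5:443 bytes=1200
2020-08-10T12:00:20Z proto=udp src=192.168.1.50:40001 dst=203.0.113.10:32100 bytes=60
2020-08-10T12:00:21Z proto=udp src=192.168.1.77:51235 dst=198.51.100.53:53 bytes=75
2020-08-10T12:00:40Z proto=udp src=192.168.1.50:40001 dst=203.0.113.11:32100 bytes=60
2020-08-10T12:00:45Z proto=udp src=192.168.1.88:30000 dst=203.0.113.12:32100 bytes=60
2020-08-10T12:01:00Z proto=udp src=192.168.1.50:40001 dst=203.0.113.10:32100 bytes=60
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text: str):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            rec["dport"] = int(rec["dport"])
            yield rec


def find_p2p_devices(text: str, tolerance: float = 0.25) -> dict:
    """Group outbound UDP/32100 traffic by internal source host.

    For each host return the rendezvous servers it talks to, the packet
    count, and whether the send times look like a fixed-interval
    heartbeat (spread of the gaps within `tolerance` of the median gap)."""
    per_host = defaultdict(lambda: {"servers": set(), "times": []})
    for rec in parse_log(text):
        if rec["proto"] == "udp" and rec["dport"] == P2P_PORT:
            per_host[rec["src"]]["servers"].add(rec["dst"])
            per_host[rec["src"]]["times"].append(rec["ts"])

    report = {}
    for host, info in per_host.items():
        times = sorted(info["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = False
        if len(gaps) >= 2:
            median = statistics.median(gaps)
            periodic = median > 0 and (max(gaps) - min(gaps)) <= tolerance * median
        report[host] = {
            "servers": sorted(info["servers"]),
            "packets": len(times),
            "heartbeat_like": periodic,
            "median_interval_s": statistics.median(gaps) if gaps else None,
        }
    return report


if __name__ == "__main__":
    for host, info in find_p2p_devices(SAMPLE_LOG).items():
        print(host, info)
```

A host that is reported as heartbeat-like and reaches several rendezvous servers is a candidate for an egress block on UDP/32100; a single stray packet is listed but not treated as a device.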
President Trump said Monday that TikTok will be shut down in the U.S. if it hasn’t been bought by Microsoft or another company by Sept. 15, and argued — without elaborating — that the U.S. Treasury should get “a very substantial portion” of the sale fee.
Why it matters: Trump appears to have backed off his threat to immediately ban TikTok after speaking with Microsoft CEO Satya Nadella, who said Sunday that the company will pursue discussions with TikTok’s Chinese parent company ByteDance to purchase the app in the U.S.
The big picture: TikTok has come under intense scrutiny in the U.S. due to concerns that the vast amounts of data it collects could be accessed by the Chinese government, potentially posing a national security threat.
Negotiations between TikTok and Microsoft will be overseen by a special government panel called the Committee on Foreign Investment in the United States (CFIUS), Reuters reports.
What he’s saying: Trump appeared to suggest on Monday that Microsoft would have to pay the U.S. government in order to complete the deal, but did not explain the precedent for such an action. He also argued that Microsoft should buy all of TikTok, not just 30% of the company.
“I don’t mind if, whether it’s Microsoft or somebody else, a big company, a secure company, a very American company, buy it. It’s probably easier to buy the whole thing than to buy 30% of it. How do you do 30%? Who’s going to get the name? The name is hot, the brand is hot,” Trump said.
“A very substantial portion of that price is going to have to come into the Treasury of the United States. Because we’re making it possible for this deal to happen. Right now they don’t have any rights, unless we give it to them. So if we’re going to give them the rights, it has to come into this country. It’s a little bit like the landlord/tenant,” he added.
Our thought bubble, via Axios’ Dan Primack: Trump’s inexplicable claim that part of Microsoft’s purchase price would have to go to the Treasury is skating very close to announcing extortion.
Misconfigured AWS S3 storage buckets exposing massive amounts of data to the internet are like an unexploded bomb just waiting to go off, say experts.
The team at Truffle Security said its automated search tools were able to stumble across some 4,000 open Amazon-hosted S3 buckets that included data companies would not want public – things like login credentials, security keys, and API keys.
In fact, the leak hunters say that exposed data was so common, they were able to count an average of around 2.5 passwords and access tokens per file analyzed per repository. In some cases, more than 10 secrets were found in a single file; some files had none at all.
These credentials included SQL Server passwords, Coinbase API keys, MongoDB credentials, and logins for other AWS buckets that actually were configured to ask for a password.
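The per-file figures quoted above come from running pattern matching over bucket contents. The following is an added example, not Truffle Security's tool: a minimal secret scanner of that kind for auditing your own bucket contents before they are exposed. The AWS access-key-ID prefix format is real; the other patterns are heuristics for labelled credentials in configuration text; the sample files are constructed and contain no real secrets.

```python
import re

# Heuristic detectors for the credential types named in the article.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "mongodb_uri_with_password": re.compile(
        r"mongodb(?:\+srv)?://[^\s:/@]+:[^\s@]+@"),
    "connection_string_password": re.compile(
        r"(?i)\bpassword\s*=\s*[^;\s'\"]+"),
    "labelled_api_key": re.compile(
        r"(?i)\b[a-z_]*api[_-]?key\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
}

# Constructed sample of what a scan of one bucket might return:
# four files, ten hits in total, one file with none.
SAMPLE_FILES = {
    "config/db.ini": (
        "[sqlserver]\n"
        "Server=db.internal;User Id=app;Password=Constructed-Pw-1\n"
        "[mongo]\n"
        "uri=mongodb://app:ConstructedPw2@mongo.internal:27017/app\n"
    ),
    "README.md": "Deploy with `make deploy`. Ask ops for credentials.\n",
    ".env": "AWS_ACCESS_KEY_ID=AKIACONSTRUCTED00001\nAWS_REGION=us-east-1\n",
    "scripts/sync.js": (
        'const COINBASE_API_KEY = "ConstructedCoinbaseKey001";\n'
        'const primary = { accessKeyId: "AKIACONSTRUCTED00002" };\n'
        'const secondary = { accessKeyId: "AKIACONSTRUCTED00003" };\n'
        'const mongo = "mongodb+srv://svc:ConstructedPw3@cluster0.example/app";\n'
        'const mssql = "Server=sql.internal;Database=x;User Id=svc;Password=ConstructedPw4";\n'
        'const reporting = "Server=rep.internal;User Id=svc;Password=ConstructedPw5";\n'
        'const exchange_api_key = "ConstructedExchangeKey002";\n'
    ),
}


def redact(value: str, keep: int = 6) -> str:
    """Keep only a short prefix so reports can be shared without the secret."""
    return value[:keep] + "..." + f"({len(value)} chars)"


def scan_text(text: str) -> list:
    """Return (kind, redacted_match) for every hit in one file's content."""
    hits = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((kind, redact(m.group(0))))
    return hits


def scan_files(files: dict) -> dict:
    """Map each file name to its list of hits."""
    return {name: scan_text(text) for name, text in files.items()}


def summarize(results: dict) -> dict:
    """Per-bucket statistics of the kind quoted in the article."""
    counts = {name: len(hits) for name, hits in results.items()}
    total = sum(counts.values())
    return {
        "files": len(counts),
        "secrets": total,
        "secrets_per_file": total / len(counts) if counts else 0.0,
        "max_in_one_file": max(counts.values()) if counts else 0,
        "files_with_none": sum(1 for c in counts.values() if c == 0),
        "per_file": counts,
    }


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for name, hits in results.items():
        for kind, shown in hits:
            print(f"{name}: {kind}: {shown}")
    print(summarize(results))
```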
That the Truffle Security team was able to turn up roughly 4,000 insecure buckets with private information shows just how common it is for companies to leave their cloud storage instances unguarded.
Though AWS has done what it can to get customers to lock down their cloud instances, finding exposed storage buckets and databases is pretty trivial for trained security professionals to pull off.
In some cases, the leak-hunters have even partnered up with law firms, collecting referral fees when they send aggrieved customers to take part in class-action lawsuits against companies that exposed their data.
Since the end of July, Microsoft has been detecting HOSTS files that block Windows 10 telemetry servers as a ‘Severe’ security risk.
The HOSTS file is a text file located at C:\Windows\system32\drivers\etc\HOSTS and can only be edited by a program with Administrator privileges.
[…]
Microsoft now detects HOSTS files that block Windows telemetry
Since the end of July, Windows 10 users began reporting that Windows Defender had started detecting modified HOSTS files as a ‘SettingsModifier:Win32/HostsFileHijack’ threat.
When detected, if a user clicks on the ‘See details’ option, they will simply be shown that they are affected by a ‘Settings Modifier’ threat that has ‘potentially unwanted behavior,’ as shown below.
SettingsModifier:Win32/HostsFileHijack detection
BleepingComputer first learned about this issue from BornCity, and while Microsoft Defender detecting HOSTS hijacks is not new, it was strange to see so many people suddenly reporting the detection [1, 2, 3, 4, 5].
While a widespread infection hitting many consumers simultaneously in the past is not unheard of, it is quite unusual with the security built into Windows 10 today.
[…]
Microsoft had recently updated its Microsoft Defender definitions to detect when its servers are added to the HOSTS file.
This caused users who rely on the HOSTS file to block Windows 10 telemetry to suddenly see the HOSTS file hijack detection.
In our tests, some of the Microsoft hosts detected in the Windows 10 HOSTS file include the following:
If you decide to clean this threat, Microsoft will restore the HOSTS file back to its default contents.
Default Windows 10 HOSTS file
Users who intentionally modify their HOSTS file can allow this ‘threat,’ but it may enable all HOSTS modifications, even malicious ones, going forward.
So only allow the threat if you 100% understand the risks involved in doing so.
BleepingComputer has reached out to Microsoft with questions regarding this new detection.
A hacker today published a list of plaintext usernames and passwords, along with IP addresses, for more than 900 Pulse Secure VPN enterprise servers.
ZDNet, which obtained a copy of this list with the help of threat intelligence firm KELA, verified its authenticity with multiple sources in the cyber-security community.
According to a review, the list includes:
IP addresses of Pulse Secure VPN servers
Pulse Secure VPN server firmware version
SSH keys for each server
A list of all local users and their password hashes
Admin account details
Last VPN logins (including usernames and cleartext passwords)
VPN session cookies
Bank Security, a threat intelligence analyst specialized in financial crime and the one who spotted the list earlier today and shared it with ZDNet, made an interesting observation about the list and its content.
The security researcher noted that all the Pulse Secure VPN servers included in the list were running a firmware version vulnerable to the CVE-2019-11510 vulnerability.
Bank Security believes that the hacker who compiled this list scanned the entire internet IPv4 address space for Pulse Secure VPN servers, used an exploit for the CVE-2019-11510 vulnerability to gain access to systems, dump server details (including usernames and passwords), and then collected all the information in one central repository.
Based on timestamps in the list (a collection of folders), the dates of the scans, or the date the list was compiled, appear to be between June 24 and July 8, 2020.
With over 3 billion users globally, smartphones are an integral, almost inseparable part of our day-to-day lives.
As the mobile market continues to grow, vendors race to provide new features, new capabilities and better technological innovations in their latest devices. To support this relentless drive for innovation, vendors often rely on third parties to provide the required hardware and software for phones. One of the most common third-party solutions is the Digital Signal Processor unit, commonly known as a DSP chip.
In this research dubbed “Achilles” we performed an extensive security review of a DSP chip from one of the leading manufacturers: Qualcomm Technologies. Qualcomm provides a wide variety of chips that are embedded into devices that make up over 40% of the mobile phone market, including high-end phones from Google, Samsung, LG, Xiaomi, OnePlus and more.
More than 400 vulnerable pieces of code were found within the DSP chip we tested, and these vulnerabilities could have the following impact on users of phones with the affected chip:
Attackers can turn the phone into a perfect spying tool, without any user interaction required – the information that can be exfiltrated from the phone includes photos, videos, call recordings, real-time microphone data, GPS and location data, etc.
Attackers may be able to render the mobile phone constantly unresponsive – making all the information stored on the phone permanently unavailable, including photos, videos, contact details, etc. – in other words, a targeted denial-of-service attack.
Malware and other malicious code can completely hide their activities and become un-removable.
We disclosed these findings to Qualcomm, which acknowledged them, notified the relevant device vendors, and assigned them the following CVEs: CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209.
New York state is introducing a bill that would make it easier to sue big tech companies for alleged abuses of their monopoly powers.
New York is America’s financial center and one of its most important tech hubs. If successfully passed, the law could serve as a model for future legislation across the country. It also comes as a federal committee is conducting an antitrust investigation into tech giants amid concerns that their unmatched market power is suppressing competition.
Bill S8700A, now being discussed by New York’s senate consumer protection committee, would update New York’s antiquated antitrust laws for the 21st century, said the bill’s sponsor, Senator Mike Gianaris.
“Their power has grown to dangerous levels and we need to start reining them in,” he said.
New York’s antitrust laws currently require two players to collaborate in a conspiracy to conduct anticompetitive behavior such as price setting. In other cases companies may underprice products to the point where they are even incurring a loss just to drive others out of the market – anticompetitive behavior that New York’s laws would currently struggle to prosecute.
“Our laws on antitrust in New York are a century old and they were built for a completely different economy,” said Gianaris. “Much of the problem today in the 21st century is unilateral action by some of these behemoth tech companies and this bill would allow, for the first time, New York to engage in antitrust enforcement for unilateral action.”
The bill will probably be discussed when New York’s senate returns to work in August but is unlikely to pass before next year. It has the support of New York’s attorney general, Letitia James.
All the planets of our solar system are encased in a magnetic bubble, carved out in space by the Sun’s constantly outflowing material, the solar wind. Outside this bubble is the interstellar medium — the ionized gas and magnetic field that fills the space between stellar systems in our galaxy. One question scientists have tried to answer for years is on the shape of this bubble, which travels through space as our Sun orbits the center of our galaxy. Traditionally, scientists have thought of the heliosphere as a comet shape, with a rounded leading edge, called the nose, and a long tail trailing behind.
Research published in Nature Astronomy in March and featured on the journal’s cover for July provides an alternative shape that lacks this long tail: the deflated croissant.
An updated model suggests the shape of the Sun’s bubble of influence, the heliosphere (seen in yellow), may be a deflated croissant shape, rather than the long-tailed comet shape suggested by other research.
Credits: Opher, et al
The shape of the heliosphere is difficult to measure from within. The closest edge of the heliosphere is more than ten billion miles from Earth. Only the two Voyager spacecraft have directly measured this region, leaving us with just two points of ground-truth data on the shape of the heliosphere.
[…]
“There are two fluids mixed together. You have one component that is very cold and one component that is much hotter, the pick-up ions,” said Opher, a professor of astronomy at Boston University. “If you have some cold fluid and hot fluid, and you put them in space, they won’t mix — they will evolve mostly separately. What we did was separate these two components of the solar wind and model the resulting 3D shape of the heliosphere.”
Considering the solar wind’s components separately, combined with Opher’s earlier work using the solar magnetic field as a dominant force in shaping the heliosphere, created a deflated croissant shape, with two jets curling away from the central bulbous part of the heliosphere, and notably lacking the long tail predicted by many scientists.
“Because the pick-up ions dominate the thermodynamics, everything is very spherical. But because they leave the system very quickly beyond the termination shock, the whole heliosphere deflates,” said Opher.
The shape of our shield
The shape of the heliosphere is more than a question of academic curiosity: The heliosphere acts as our solar system’s shield against the rest of the galaxy.
Our heliosphere blocks many cosmic rays, shown as bright streaks in this animated image, from reaching the planets of our solar system.
Credits: NASA’s Goddard Space Flight Center/Conceptual Image Lab
Energetic events in other star systems, like supernovae, can accelerate particles to nearly the speed of light. These particles rocket out in all directions, including into our solar system. But the heliosphere acts as a shield: It absorbs about three-quarters of these tremendously energetic particles, called galactic cosmic rays, that would otherwise make their way into our solar system.
Those that do make it through can wreak havoc. We’re protected on Earth by our planet’s magnetic field and atmosphere, but technology and astronauts in space or on other worlds are exposed. Both electronics and human cells can be damaged by the effects of galactic cosmic rays — and because galactic cosmic rays carry so much energy, they’re difficult to block in a way that’s practical for space travel. The heliosphere is spacefarers’ main defense against galactic cosmic rays, so understanding its shape and how that influences the rate of galactic cosmic rays pelting our solar system is a key consideration for planning robotic and human space exploration.
The heliosphere’s shape is also part of the puzzle for seeking out life on other worlds. The damaging radiation from galactic cosmic rays can render a world uninhabitable, a fate avoided in our solar system because of our strong celestial shield. As we learn more about how our heliosphere protects our solar system — and how that protection may have changed throughout the solar system’s history — we can look for other star systems that might have similar protection. And part of that is the shape: Are our heliospheric lookalikes long-tailed comet shapes, deflated croissants, or something else entirely?
A group of nearly a dozen lawmakers led by member of Congress Anna Eshoo wrote to the California Department of Motor Vehicles (DMV) on Wednesday looking for answers on how and why the organization sells the personal data of residents. The letter comes after Motherboard revealed last year that the DMV was making $50 million annually from selling drivers’ information.
The news highlights how selling personal data is not limited to private companies, but some government entities follow similar practices too.
“What information is being sold, to whom it is sold, and what guardrails are associated with the sale remain unclear,” the letter, signed by congress members including Ted Lieu, Barbara Lee, and Mike Thompson, as well as California Assembly members Kevin Mullin and Mark Stone, reads.
Specifically, the letter asks what types of organizations the DMV has disclosed drivers’ data to in the past three years. Motherboard has previously reported on how other DMVs around the country sold such information to private investigators, including those hired to spy on suspected cheating spouses. In an earlier email to Motherboard, the California DMV said data requesters may include insurance companies, vehicle manufacturers, and prospective employers.
The information sold in general by DMVs includes names, physical addresses, and car registration information. Multiple other DMVs previously confirmed they have cut off access to some clients after those clients abused the data.
On Wednesday, the California DMV said in an emailed statement, “The DMV does not sell driver information for marketing purposes or to generate revenue outside of the cost of administering its requester program—which only provides certain driver and vehicle related information as statutorily required.”
“The DMV takes its obligation to protect personal information very seriously. Information is only released according to California law, and the DMV continues to review its release practices to ensure information is only released to authorized persons/entities and only for authorized purposes. For example, if a car manufacturer is required to send a recall notice to thousands of owners of a particular model of car, the DMV may provide the car manufacturer with information on California owners of this particular model through this program,” the statement added.
“In today’s ever-increasing digital world, our private information is too often stolen, abused, used for profit or grossly mishandled,” the new letter from lawmakers reads. “It’s critical that the custodians of the personal information of Americans—from corporations to government agencies—be held to high standards of data protection in order to restore the right of privacy in our country.”
In a draft law seen by AFP, the country’s environment ministry has drawn up a number of new measures to protect insects, ranging from partially outlawing spotlights to increased protection of natural habitats.
“Insects play an important role in the ecosystem…but in Germany, their numbers and their diversity has severely declined in recent years,” reads the draft law, for which the ministry hopes to get cabinet approval by October.
The changes put forward in the law include stricter controls on both lighting and the use of insecticides.
Light traps for insects are to be banned outdoors, while searchlights and sky spotlights would be outlawed from dusk to dawn for ten months of the year.
The draft also demands that any new streetlights and other outdoor lights be installed in such a way as to minimise the effect on plants, insects and other animals.
The use of weed-killers and insecticides would also be banned in national parks and within five to ten metres of major bodies of water, while orchards and dry-stone walls are to be protected as natural habitats for insects.
The proposed reforms are part of the German government’s more general “insect protection action plan”, which was announced last September under growing pressure from environmental and conservation activists.
A massive hack has hit Reddit today after tens of Reddit channels have been hacked and defaced to show messages in support of Donald Trump’s reelection campaign.
The hacks are still ongoing at the time of writing, but we were told Reddit’s security team is aware of the issue and has already begun restoring defaced channels.
A partial list of impacted channels (subreddits) is available below. This includes Reddit channels for the NFL, many TV shows, The Pirate Bay, Disneyland, Disney’s Avengers, several city channels, and more. Combined, the channels have tens of millions of subscribers.
The Reddit security team said the hack took place after the intruder(s) took over subreddit moderator accounts. Several moderators have also come forward to admit that their accounts have been hacked and that they did not use two-factor authentication. Channel owners who are having problems have been asked to report problems in this Reddit ModSupport thread.
An account on Twitter took credit for the hack. However, the account’s owners did not respond to a request for comment so ZDNet can verify its claims. The account is now suspended.
The Reddit hack also comes after Reddit banned r/The_Donald, a channel for Donald Trump supporters, in late June. Reddit said it took the decision to ban the channel for breaking its community rules after reports of harassment, bullying, and threats of violence.
Today’s stunt is reminiscent of a similar one that took place at the end of June and the start of July, when more than 1,800 Roblox accounts were hacked and defaced with a similar pro-Trump reelection message.
The nation’s largest private equity firm is interested in buying your DNA data. The going rate: $261 per person. That appears to be what Blackstone, the $63 billion private equity giant, is willing to pay for genetic data controlled by one of the major companies gathering it from millions of customers.
Earlier this week, Blackstone announced it was paying $4.7 billion to acquire Ancestry.com, a pioneer in pop genetics that was launched in the 1990s to help people find out more about their family heritage.
Ancestry’s customers get an at-home DNA kit that they send back to the company. Ancestry then adds that DNA information to its database and sends its users a report about their likely family history. The company will also match you to other family members in its system, including distant cousins you may or may not want to hear from. And for up to $400 a year, you can continue to search Ancestry’s database to add to your knowledge of your family tree.
Ancestry has some information, mostly collected from public databases, on hundreds of millions of individuals. But its most valuable information is that of the people who have taken its DNA tests, which totals 18 million. And at Blackstone’s $4.7 billion purchase price that translates to just over $250 each.
In an attempt to correct the perception of a small but very vocal minority that claims Facebook’s silencing conservative voices on its platforms, the company’s reportedly swung too far in the opposite direction and essentially gave a free pass to conservative pages to spew their bullshit online.
According to leaked documents reviewed by NBC, Facebook relaxed its fact-checking rules for conservative news outlets and personalities, including Breitbart and former Fox News stooges Diamond and Silk, so that they wouldn’t be penalized for spreading misinformation. This report comes just a day after a Buzzfeed exposé detailing how a Facebook employee was allegedly fired after collecting evidence of this preferential treatment of right-wing pages.
Per its standards, Facebook issues strikes to pages that have repeatedly spread inaccurate or misleading information as determined by the company’s millions of fact-checking partners (news outlets, politicians, influencers, etc.). If an account receives two strikes in a 90-day period, it receives a “repeat offender” status and can be shadowbanned or even temporarily lose advertising privileges. Facebook employees work with fact-checking partners to triage these misinformation flags, with high-priority issues receiving an “escalation” tag that then pushes them on to company higher-ups for review.
According to an archive of these escalations from the last six months that was leaked to NBC, Facebook employees in the misinformation escalations team waived strikes issued to some conservative pages under direct oversight from senior leadership. Roughly two-thirds of the cases listed concerned conservative pages, including those of Donald Trump Jr., Eric Trump, and Gateway Pundit.
An odd piece of news if not propaganda considering the big tech companies were slammed during their hearings by the conspiracy-seeing anti-vaxxer senators in the room
Your Google Home speaker may have been quietly recording sounds around your house without your permission or authorization, it was revealed this week.
The Chocolate Factory admitted it had accidentally turned on a feature that allowed its voice-controlled AI-based assistant to activate and snoop on its surroundings. Normally, the device only starts actively listening in and making a note of what it hears after it has heard wake words, such as “Ok, Google” or “Hey, Google,” for privacy reasons. Prior to waking, it’s constantly listening out for those words, but is not supposed to keep a record of what it hears.
Yet punters noticed their Google Homes had been recording random sounds, without any wake word uttered, when they started receiving notifications on their phone that showed the device had heard things like a smoke alarm beeping, or glass breaking in their homes – all without giving their approval.
Google said the feature had been accidentally turned on during a recent software update, and it has now been switched off, Protocol reported. It may be that this feature is or was intended to be used for home security at some point: imagine the assistant waking up whenever it hears a break in, for instance. Google just bought a $450m, or 6.6 per cent, stake in anti-burglary giant ADT.
The attorney general of New York took action Thursday to dissolve the National Rifle Association following an 18-month investigation that found evidence the powerful gun rights group is “fraught with fraud and abuse.”
Attorney General Letitia James claims in a lawsuit filed Thursday that she found financial misconduct in the millions of dollars and that it contributed to a loss of more than $64 million over a three-year period.
The suit alleges that top NRA executives misused charitable funds for personal gain, awarded contracts to friends and family members, and provided contracts to former employees to ensure loyalty.
Seeking to dissolve the NRA is the most aggressive sanction James could have sought against the not-for-profit organization, which James has jurisdiction over because it is registered in New York. James has a wide range of authorities relating to nonprofits in the state, including the authority to force organizations to cease operations or dissolve. The NRA is all but certain to contest it.
The NRA said in a statement that the legal action was political, calling it a “baseless premeditated attack on our organization and the Second Amendment freedoms it fights to defend… we not only will not shrink from this fight – we will confront it and prevail.”
“The NRA’s influence has been so powerful that the organization went unchecked for decades while top executives funneled millions into their own pockets,” James said in a statement. “The NRA is fraught with fraud and abuse, which is why, today, we seek to dissolve the NRA, because no organization is above the law.”
James’ complaint names the National Rifle Association as a whole but also names four current and former NRA executives: Executive Vice President Wayne LaPierre, general counsel John Frazer, former Chief Financial Officer Woody Phillips and former chief of staff Joshua Powell.
Spotify CEO Daniel Ek discussed streaming and sustainability in a recent interview with Music Ally published on Thursday. Ek denied criticisms that Spotify pays insufficient royalties to artists, and insisted that the role of the musician had changed in today’s “future landscape.”
Ek claimed that a “narrative fallacy” had been created and caused music fans to believe that Spotify doesn’t pay musicians enough for streams of their music. “Some artists that used to do well in the past may not do well in this future landscape,” Ek said, “where you can’t record music once every three to four years and think that’s going to be enough.”
What is required from successful musicians, Ek insisted, is a deeper, more consistent, and prolonged commitment than in the past. “The artists today that are making it realize that it’s about creating a continuous engagement with their fans. It is about putting the work in, about the storytelling around the album, and about keeping a continuous dialogue with your fans.”
A German court has sided with Google and rejected requests to wipe entries from search results. The cases hinged on whether the right to be forgotten outweighed the public’s right to know.
Germany’s highest court agreed on Monday with lower courts and rejected the two plaintiffs’ appeals over privacy concerns.
In the first case, a former managing director of a charity had demanded Google remove links to certain news articles that appeared in searches of his name. The articles from 2011 reported that the charity was in financial trouble and that the manager had called in sick. He later argued in court that information on his personal health issues should not be divulged to the public years later.
The court ruled that whether links to critical articles have to be removed from the search list always depends on a comprehensive consideration of fundamental rights in the individual case.
A second case was referred to the European Court of Justice. It concerned two leaders of a financial services company that sought to have links to negative reports about their investment model removed. The couple had argued that the US-based websites, which came up in the searches for their names, were full of fake news and sought to market other financial services providers.
[…]
Links are only deleted from searches in Europe but would appear as normal in other regions. Any data “forgotten” by Google, which mostly provides links to material published by others, is only removed from its search results, not from the internet.
The cases stem from a 2014 ruling in the European Court of Justice (ECJ), which found that EU citizens had the right to request search engines, such as Alphabet’s Google and Microsoft’s Bing, remove “inaccurate, inadequate, irrelevant or excessive” search results linked to their name. The case centered on a Spaniard who found that when his name was Googled, it returned links to an advertisement for a property auction related to an unpaid social welfare debt. He argued the debt had long since been settled.
YouTube is embroiled in a very public spat with songwriters and music publishers in Denmark, via local collection society Koda.
According to Koda – Denmark’s equivalent of ASCAP/BMI (US) or PRS For Music (UK) – YouTube has threatened to remove “Danish music content” (ie. music written by Danish songwriters) from its service.
The cause of this threat is a disagreement between the two parties over the remuneration of songwriters and publishers in the market.
YouTube and Koda’s last multi-year licensing deal expired in April. Since then, the two parties have been operating under a temporary license agreement.
At the same time, Polaris, the umbrella body for collection societies in the Nordics, has been negotiating with YouTube over a new Scandinavia-wide licensing agreement.
But in a statement to media today (July 31), Koda claims YouTube is insisting that – in order to extend its temporary deal in Denmark – Koda must now agree to a near-70% reduction in payments to composers and songwriters.
YouTube has fired back at this claim, suggesting that under its existing temporary deal with Koda (which expires today), the body “earned back less than half of the guarantee payments” handed over by the service.
[…] wait – how on earth does a guarantee payment relate to the amount you remunerate people?
In response to Koda’s refusal to agree to YouTube’s proposed deal, Koda claims that “on the evening of Thursday 30 July, Google announced that they will soon remove all Danish music content on YouTube”.
Reports out of Denmark suggest YouTube may pull the plug on this content as soon as this Saturday.
[…]
“While we’ve had productive conversations we have been unable to secure a fair and equitable agreement before our existing one expired. They are asking for substantially more than what we pay our other partners. This is not only unfair to our other YouTube partners and creators, it is unhealthy for the wider economics of our industry.
“Without a new license, we’re unable to make their content available in Denmark. Our doors remain open to Koda to bring their content back to YouTube.”
YouTube added in a statement to MBW: “We take copyright law very seriously. As our license expires today and since we have been unable to secure an agreement we will remove identified Koda content from the platform.”
Koda says it “cannot accept” YouTube’s terms, and that as a result “Google have now unilaterally decided that Koda’s members cannot have their content shown on YouTube”.
[…]
Koda’s media director, Kaare Struve, said: “Google have always taken an ‘our way or the highway’ approach, but even for Google, this is a low point.
“Of course, Google know that they can create enormous frustration among our members by denying them access to YouTube – and among the many Danes who use YouTube every day.
“We can only suppose that by doing so, YouTube hope to be able to push through an agreement, one where they alone dictate all terms.”
Koda says that ever since its first agreement with YouTube was signed in 2013, “the level of payments received from YouTube has been significantly lower than the level of payment [distributed] by subscription-based services”.
Koda’s CEO, Gorm Arildsen, said: “It is no secret that our members have been very dissatisfied with the level of payment received for the use of their music on YouTube for many years now. And it’s no secret that we at Koda have actively advocated putting an end to the tech giants’ free-ride approach and underpayment for artistic content in connection with the EU’s new Copyright Directive.
“The fact that Google now demands that the payments due from them should be reduced by almost 70% in connection with a temporary contract extension seems quite bizarre.”
Well guys, I recommend you move over to Vimeo. At least that way you’re helping to break the monopoly. Not that I believe in the slightest that Koda is working in the best interests of artists as much as it’s filling its own pockets, but there you go.
The minute details of a rogue drone’s movements in the air may unwittingly reveal the drone pilot’s location—possibly enabling authorities to bring the drone down before, say, it has the opportunity to disrupt air traffic or cause an accident. And it’s possible without requiring expensive arrays of radio triangulation and signal-location antennas.
So says a team of Israeli researchers who have trained an AI drone-tracking algorithm to reveal the drone operator’s whereabouts, with a better than 80 per cent accuracy level. They are now investigating whether the algorithm can also uncover the pilot’s level of expertise and even possibly their identity.
[…]
Depending on the specific terrain at any given airport, a pilot operating a drone near a camouflaging patch of forest, for instance, might have an unobstructed view of the runway. But that location might also be a long distance away, possibly making the operator more prone to errors in precise tracking of the drone. Whereas a pilot operating nearer to the runway may not make those same tracking errors but may also have to contend with big blind spots because of their proximity to, say, a parking garage or control tower.
And in every case, he said, simple geometry could begin to reveal important clues about a pilot’s location, too. When a drone is far enough away, motion along a pilot’s line of sight can be harder for the pilot to detect than motion perpendicular to their line of sight. This also could become a significant factor in an AI algorithm working to discover pilot location from a particular drone flight pattern.
The sum total of these various terrain-specific and terrain-agnostic effects, then, could be a giant finger pointing to the operator. This AI application would also be unaffected by any relay towers or other signal spoofing mechanisms the pilot may have put in place.
Weiss said his group tested their drone tracking algorithm using Microsoft Research’s open source drone and autonomous vehicle simulator AirSim. The group presented their work-in-progress at the Fourth International Symposium on Cyber Security, Cryptology and Machine Learning at Ben-Gurion University earlier this month.
Their paper boasts a 73 per cent accuracy rate in discovering drone pilots’ locations. Weiss said that in the few weeks since publishing that result, they’ve now improved the accuracy rate to 83 per cent.
Now that the researchers have proved the algorithm’s concept, Weiss said, they’re hoping next to test it in real-world airport settings. “I’ve already been approached by people who have the flight permissions,” he said. “I am a university professor. I’m not a trained pilot. Now people that do have the facility to fly drones [can] run this physical experiment.”
Yesterday, the Internet Archive filed our response to the lawsuit brought by four commercial publishers to end the practice of Controlled Digital Lending (CDL), the digital equivalent of traditional library lending. CDL is a respectful and secure way to bring the breadth of our library collections to digital learners. Commercial ebooks, while useful, only cover a small fraction of the books in our libraries. As we launch into a fall semester that is largely remote, we must offer our students the best information to learn from—collections that were purchased over centuries and are now being digitized. What is at stake with this lawsuit? Every digital learner’s access to library books. That is why the Internet Archive is standing up to defend the rights of hundreds of libraries that are using Controlled Digital Lending.
The publishers’ lawsuit aims to stop the longstanding and widespread library practice of Controlled Digital Lending, and stop the hundreds of libraries using this system from providing their patrons with digital books. Through CDL, libraries lend a digitized version of the physical books they have acquired as long as the physical copy doesn’t circulate and the digital files are protected from redistribution. This is how Internet Archive’s lending library works, and has for more than nine years. Publishers are seeking to shut this library down, claiming copyright law does not allow it. Our response is simple: Copyright law does not stand in the way of libraries’ rights to own books, to digitize their books, and to lend those books to patrons in a controlled way.
“The Authors Alliance has several thousand members around the world and we have endorsed the Controlled Digital Lending as a fair use,” stated Pamela Samuelson, Authors Alliance founder and Richard M. Sherman Distinguished Professor of Law at Berkeley Law. “It’s really tragic that at this time of pandemic that the publishers would try to basically cut off even access to a digital public library like the Internet Archive…I think that the idea that lending a book is illegal is just wrong.”
These publishers clearly intend this lawsuit to have a chilling effect on Controlled Digital Lending at a moment in time when it can benefit digital learners the most. For students and educators, the 2020 fall semester will be unlike any other in recent history. From K-12 schools to universities, many institutions have already announced they will keep campuses closed or severely limit access to communal spaces and materials such as books because of public health concerns. The conversation we must be having is: how will those students, instructors and researchers access information — from textbooks to primary sources? Unfortunately, four of the world’s largest book publishers seem intent on undermining both libraries’ missions and our attempts to keep educational systems operational during a global health crisis.
The publishers’ lawsuit does not stop at seeking to end the practice of Controlled Digital Lending. These publishers call for the destruction of the 1.5 million digital books that Internet Archive makes available to our patrons. This form of digital book burning is unprecedented and unfairly disadvantages people with print disabilities. For the blind, ebooks are a lifeline, yet less than one in ten exists in accessible formats. Since 2010, Internet Archive has made our lending library available to the blind and print disabled community, in addition to sighted users. If the publishers are successful with their lawsuit, more than a million of those books would be deleted from the Internet’s digital shelves forever.
I call on the executives at Hachette, HarperCollins, Wiley, and Penguin Random House to come together with us to help solve the pressing challenges to access to knowledge during this pandemic. Please drop this needless lawsuit.
Apple has another antitrust charge on its plate. Messaging app Telegram has joined Spotify in filing a formal complaint against the iOS App Store in Europe — adding its voice to a growing number of developers willing to publicly rail against what they decry as Apple’s app “tax”.
A spokesperson for Telegram confirmed the complaint to TechCrunch, pointing us to this public Telegram post where founder, Pavel Durov, sets out seven reasons why he thinks iPhone users should be concerned about the company’s behavior.
These range from the contention that Apple’s 30% fee on app developers leads to higher prices for iPhone users; to censorship concerns, given Apple controls what’s allowed (and not allowed) on its store; to criticism of delays to app updates that flow from Apple’s app review process; to the claim that the app store structure is inherently hostile to user privacy, given that Apple gets full visibility of which apps users are downloading and engaging with.
This week Durov also published a blog post in which he takes aim at a number of “myths” he says Apple uses to try to justify the 30% app fee — such as a claim that iOS faces plenty of competition for developers; or that developers can choose not to develop for iOS and instead only publish apps for Android.
“Try to imagine Telegram or TikTok as Android-only apps and you will quickly understand why avoiding Apple is impossible,” he writes. “You can’t just exclude iPhone users. As for the iPhone users, the costs for consumers to switch from an iPhone to an Android is so high that it qualifies as a monopolistic lock-in” — citing a study done by Yale University to bolster that claim.
“Now that anti-monopoly investigations against Apple have started in the EU and the US, I expect Apple to double down on spreading such myths,” Durov adds. “We shouldn’t sit idly and let Apple’s lobbyists and PR agents do their thing. At the end of the day, it is up to us – consumers and creators – to defend our rights and to stop monopolists from stealing our money. They may think they have tricked us into a deadlock, because we’ve already bought a critical mass of their devices and created a critical mass of apps for them. But we shouldn’t be giving them a free ride any longer.”