Senate Votes to Allow FBI to Look at US citizen Web Browsing History Without a Warrant

The US Senate has voted to give law enforcement agencies access to web browsing data without a warrant, dramatically expanding the government’s surveillance powers in the midst of the COVID-19 pandemic.

The power grab was led by Senate majority leader Mitch McConnell as part of a reauthorization of the Patriot Act, which gives federal agencies broad domestic surveillance powers. Sens. Ron Wyden (D-OR) and Steve Daines (R-MT) attempted to remove the expanded powers from the bill with a bipartisan amendment.

But in a shock upset, the privacy-preserving amendment fell short by a single vote after several senators who would have voted “Yes” failed to show up to the session, including Bernie Sanders. 9 Democratic senators also voted “No,” causing the amendment to fall short of the 60-vote threshold it needed to pass.

“The Patriot Act should be repealed in its entirety, set on fire and buried in the ground,” Evan Greer, the deputy director of Fight For The Future, told Motherboard. “It’s one of the worst laws passed in the last century, and there is zero evidence that the mass surveillance programs it enables have ever saved a single human life.”

Source: Senate Votes to Allow FBI to Look at Your Web Browsing History Without a Warrant – VICE

Saturn has a hexagon vortex larger than the Earth over its pole, packed with hydrocarbon ice crystals in layers up to 18 km thick.

The giant hexagon-shaped storm raging atop Saturn’s North Pole is made out of frozen hydrocarbon ice suspended in seven hazy layers stacked on top of one another, according to a study published in Nature Communications on Friday.

The swirling six-sided wonder, which El Reg once dubbed the hexacane, has perplexed scientists since its discovery in the 1980s by NASA’s Voyager 1 and 2 spacecraft. The strange vortex has sides measuring about 14,500 kilometres long – more than the diameter of Earth – and remains intact despite winds that reach 400 kilometres per hour rippling through the ringed giant.

Now, a group of astronomers have analysed images taken from NASA’s Cassini probe to reveal the hexacane’s tower-like structure in more detail.

“The Cassini images have enabled us to discover that, just as if a sandwich had been formed, the hexagon has a multi-layered system of at least seven mists that extend from the summit of its clouds to an altitude of more than 300 km above them,” said Agustín Sánchez-Lavega, a physics professor at the University of Basque Country, Spain, who led the study. “Other cold worlds, such as Saturn’s satellite Titan or the dwarf planet Pluto, also have layers of hazes, but not in such numbers nor as regularly spaced out”.

[Image: the different layers in Saturn’s hexagonal storm. Image credit: GCP/UPV/EHU/NASA/ESA]

Each layer is estimated to be seven to 18 kilometres thick, and is made up of tiny micrometre-sized frozen hydrocarbon crystals, including propyne, propane, and diacetylene, and possibly acetylene and benzene at the top. Each particle is estimated to have a diameter of 0.07 to 1.4 micrometres. The layers appear hazy as the concentration of particles suspended in each one varies.

Source: There’s a world out there with a hexagon vortex over its pole packed with hydrocarbon ice crystals. That planet is Saturn • The Register

5 minutes with a Thunderbolt machine leaves it completely open using Thunderspy – evil maids don’t need much knowledge

Thunderspy targets devices with a Thunderbolt port. If your computer has such a port, an attacker who gets brief physical access to it can read and copy all your data, even if your drive is encrypted and your computer is locked or set to sleep.

Thunderspy is stealthy, meaning that you cannot find any traces of the attack. It does not require your involvement, i.e., there is no phishing link or malicious piece of hardware that the attacker tricks you into using. Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly, and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption. All the attacker needs is 5 minutes alone with the computer, a screwdriver, and some easily portable hardware.

We have found 7 vulnerabilities in Intel’s design and developed 9 realistic scenarios for how these could be exploited by a malicious entity to get access to your system, past the defenses that Intel had set up for your protection.

We have developed a free and open-source tool, Spycheck, to determine if your system is vulnerable. If it is found to be vulnerable, Spycheck will guide you to recommendations on how to help protect your system.

[…]

These vulnerabilities lead to nine practical exploitation scenarios. In an evil maid threat model and varying Security Levels, we demonstrate the ability to create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and finally obtain PCIe connectivity to perform DMA attacks. In addition, we show unauthenticated overriding of Security Level configurations, including the ability to disable Thunderbolt security entirely, and restoring Thunderbolt connectivity if the system is restricted to exclusively passing through USB and/or DisplayPort. We conclude with demonstrating the ability to permanently disable Thunderbolt security and block all future firmware updates.

All Thunderbolt-equipped systems shipped between 2011-2020 are vulnerable. Some systems providing Kernel DMA Protection, shipping since 2019, are partially vulnerable. The Thunderspy vulnerabilities cannot be fixed in software, impact future standards such as USB 4 and Thunderbolt 4, and will require a silicon redesign. Users are therefore strongly encouraged to determine whether they are affected using Spycheck, a free and open-source tool we have developed that verifies whether their systems are vulnerable to Thunderspy. If it is found to be vulnerable, Spycheck will guide users to recommendations on how to help protect their system.

[…]

The Thunderspy vulnerabilities have been discovered and reported by Björn Ruytenberg. Please cite this work as:

Björn Ruytenberg. Breaking Thunderbolt Protocol Security: Vulnerability Report. 2020. https://thunderspy.io/assets/reports/breaking-thunderbolt-security-bjorn-ruytenberg-20200417.pdf

Source: Thunderspy – When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security
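On Linux the kernel exposes the Thunderbolt Security Level and whether IOMMU-backed DMA protection (the "Kernel DMA Protection" mentioned above) is active under sysfs. The following is an added example, not Spycheck and not code from the Thunderspy authors; it assumes a single controller at `/sys/bus/thunderbolt/devices/domain0` and reads the `security` and `iommu_dma_protection` attributes there.

```python
import os
from dataclasses import dataclass

# sysfs directory of the first Thunderbolt domain on Linux (assumption: the
# host has one controller; hosts with several also have domain1, domain2, ...).
SYSFS_DOMAIN = "/sys/bus/thunderbolt/devices/domain0"


@dataclass(frozen=True)
class TbStatus:
    present: bool                # a Thunderbolt domain is exposed by the kernel
    security_level: str          # none | user | secure | dponly | usbonly | unknown
    iommu_dma_protection: bool   # kernel reports IOMMU-based DMA protection


def _read_attr(base: str, name: str):
    """Return the stripped content of a sysfs attribute, or None if unreadable."""
    try:
        with open(os.path.join(base, name), encoding="ascii") as f:
            return f.read().strip()
    except OSError:
        return None


def read_status(base: str = SYSFS_DOMAIN) -> TbStatus:
    """Collect the Security Level and the DMA-protection flag from sysfs."""
    level = _read_attr(base, "security")
    if level is None:
        return TbStatus(present=False, security_level="unknown", iommu_dma_protection=False)
    dma = _read_attr(base, "iommu_dma_protection")  # "1" when protection is active
    return TbStatus(present=True, security_level=level, iommu_dma_protection=(dma == "1"))


def assess(status: TbStatus):
    """Map the raw status to a risk label plus human-readable reasons.

    The rationale follows the Thunderspy summary quoted above: Security Levels
    alone do not stop the reported attacks, and Kernel DMA Protection (an
    IOMMU-backed mitigation) only partially helps.
    """
    if not status.present:
        return "no-thunderbolt-domain", ["kernel exposes no Thunderbolt controller"]

    reasons = []
    if status.iommu_dma_protection:
        risk = "partially-mitigated"
        reasons.append("IOMMU DMA protection is reported for Thunderbolt")
    else:
        risk = "exposed"
        reasons.append("no IOMMU DMA protection reported; tunnelled PCIe devices get unrestricted DMA")

    level = status.security_level
    if level == "none":
        reasons.append("Security Level 'none': devices are connected without any authorization")
    elif level in ("dponly", "usbonly"):
        reasons.append(f"Security Level '{level}' disables PCIe tunnelling, a restriction "
                       "Thunderspy reports can be undone with physical access")
    else:
        reasons.append(f"Security Level '{level}' relies on device identities and user "
                       "authorization, which Thunderspy reports can be forged or cloned")
    return risk, reasons


if __name__ == "__main__":
    risk, reasons = assess(read_status())
    print(risk)
    for reason in reasons:
        print(" -", reason)
```

Run it as root or as a user with read access to sysfs; on a machine without Thunderbolt it reports `no-thunderbolt-domain`.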

Gigantic new 3D map traces every neuron in a tiny mouse brain | Live Science

Researchers at the Allen Institute for Brain Science, a Seattle nonprofit dedicated to neuroscience, have been painstakingly recording every brain cell and every connection between those neurons in mice for the past several years. The result represents major progress since an earlier, simpler map they released in 2016. The now-complete map encompasses about 100 million cells, the institute reported in a paper published today (May 7) in the journal Cell.

[…]

Typically, researchers trace connections between brain cells using thin slices of tissue that can be imaged and explored layer by layer. To build a comprehensive, three-dimensional map, the Allen Institute team instead broke the mouse brain into “voxels” — 3D pixels — and then mapped the cells and connections within each voxel.

The result comprises an “average” of the brains of 1,675 laboratory mice, to make sure the map was as standard as possible.

Mice are common “model organisms” in neuroscience. Their brains have fairly similar structures to humans’, they can be trained, they breed easily, and researchers have already developed robust understandings of how their brains work.

The hope is that the map will bring that understanding to a new level, the Allen Institute said. In doing so, neuroscientists will have a tool with which to develop new research programs and accelerate research already underway. The institute compared its achievement to 1990s-era efforts to sequence different organisms’ DNA for the first time, projects that transformed the way biologists work.

Source: Gigantic new 3D map traces every neuron in a tiny mouse brain | Live Science

Oil Crash Busted Broker’s Computers and Inflicted Big Losses

Syed Shah usually buys and sells stocks and currencies through his Interactive Brokers account, but he couldn’t resist trying his hand at some oil trading on April 20, the day prices plunged below zero for the first time ever. The day trader, working from his house in a Toronto suburb, figured he couldn’t lose as he spent $2,400 snapping up crude at $3.30 a barrel, and then 50 cents. Then came what looked like the deal of a lifetime: buying 212 futures contracts on West Texas Intermediate for an astonishing penny each.

What he didn’t know was oil’s first trip into negative pricing had broken Interactive Brokers Group Inc. Its software couldn’t cope with that pesky minus sign, even though it was always technically possible — though this was an outlandish idea before the pandemic — for the crude market to go upside down. Crude was actually around negative $3.70 a barrel when Shah’s screen had it at 1 cent. Interactive Brokers never displayed a subzero price to him as oil kept diving to end the day at minus $37.63 a barrel.

At midnight, Shah got the devastating news: he owed Interactive Brokers $9 million. He’d started the day with $77,000 in his account.

“I was in shock,” the 30-year-old said in a phone interview. “I felt like everything was going to be taken from me, all my assets.”

Breach of zero burned some Interactive Brokers customers

To be clear, investors who were long those oil contracts had a brutal day, regardless of what brokerage they had their account in. What set Interactive Brokers apart, though, is that its customers were flying blind, unable to see that prices had turned negative, or in other cases locked into their investments and blocked from trading. Compounding the problem, and a big reason why Shah lost an unbelievable amount in a few hours, is that the negative numbers also blew up the model Interactive Brokers used to calculate the amount of margin — aka collateral — that customers needed to secure their accounts.

Thomas Peterffy, the chairman and founder of Interactive Brokers, says the journey into negative territory exposed bugs in the company’s software. “It’s a $113 million mistake on our part,” the 75-year-old billionaire said in an interview Wednesday. Since then, his firm revised its maximum loss estimate to $109.3 million. It’s been a moving target from the start; on April 21, Interactive Brokers figured it was down $88 million from the incident.

Customers will be made whole, Peterffy said. “We will rebate from our own funds to our customers who were locked in with a long position during the time the price was negative any losses they suffered below zero.”

[…]

Besides locking up because of negative prices, a second issue concerned the amount of money Interactive Brokers required its customers to have on hand in order to trade. Known as margin, it’s a vital risk measure to ensure traders don’t lose more than they can afford. For the 212 oil contracts Shah bought for 1 cent each, the broker only required his account to have $30 of margin per contract. It was as if Interactive Brokers thought the potential loss of buying at one cent was one cent, rather than the almost unlimited downside that negative prices imply, he said.

“It seems like they didn’t know it could happen,” Shah said.

But it was known industrywide that CME Group Inc.’s benchmark oil contracts could go negative. Five days before the mayhem, the owner of the New York Mercantile Exchange, where the trading took place, sent a notice to all its clearing-member firms advising them that they could test their systems using negative prices. “Effective immediately, firms wishing to test such negative futures and/or strike prices in their systems may utilize CME’s ‘New Release’ testing environments” for crude oil, the exchange said.

Interactive Brokers got that notice, Peterffy said. But he says the firm needed more time to upgrade its trading platform.

Source: How to Trade Oil With Negative Prices: Interactive Brokers – Bloomberg
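The failure described above is an input-domain assumption (prices never go below zero) baked into pricing and margin code. The following is an added illustration, not Interactive Brokers' code: it keeps that assumption explicit as a `price_floor` parameter and runs a position through negative marks the way the CME notice invited firms to test. It assumes 1,000 barrels per contract, a figure not given in the article.

```python
from dataclasses import dataclass

# Assumption (not from the article): one WTI futures contract covers 1,000 barrels.
BARRELS_PER_CONTRACT = 1000


@dataclass(frozen=True)
class LongFutures:
    contracts: int
    entry_price: float   # USD per barrel; may legitimately be negative


def pnl(pos: LongFutures, mark: float) -> float:
    """Mark-to-market P&L of a long position. No clamping: a negative mark is
    an ordinary number here, which is the property the article says was missing."""
    return (mark - pos.entry_price) * pos.contracts * BARRELS_PER_CONTRACT


def worst_case_loss(pos: LongFutures, price_floor) -> float:
    """Largest loss the model believes is possible.

    price_floor=0.0 encodes the implicit 'prices stop at zero' assumption the
    article describes; price_floor=None admits that a long has no floor once
    prices can go negative, so the worst case is unbounded.
    """
    if price_floor is None:
        return float("inf")
    return max(0.0, -pnl(pos, price_floor))


def stress_test(pos: LongFutures, marks):
    """Run a position through a list of marks that includes negative prices,
    which is what the CME notice invited clearing firms to do in its test
    environment before 20 April."""
    results = {m: pnl(pos, m) for m in marks}
    worst_mark = min(results, key=results.get)
    return {
        "worst_mark": worst_mark,
        "worst_pnl": results[worst_mark],
        "negative_marks_covered": any(m < 0 for m in marks),
    }


if __name__ == "__main__":
    shah = LongFutures(contracts=212, entry_price=0.01)   # figures from the article
    print("floor-at-zero worst case:", worst_case_loss(shah, 0.0))   # a few thousand dollars
    print("no-floor worst case:", worst_case_loss(shah, None))       # inf
    print(stress_test(shah, [3.30, 0.50, 0.01, 0.0, -3.70, -37.63]))
```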

Cognizant expects to lose between $50m and $70m following ransomware attack

IT services provider Cognizant said in an earnings call this week that a ransomware incident that took place last month in April 2020 will negatively impact its Q2 revenue.

“While we anticipate that the revenue impact related to this issue will be largely resolved by the middle of the quarter, we do anticipate the revenue and corresponding margin impact to be in the range of $50 million to $70 million for the quarter,” said Karen McLoughlin, Cognizant Chief Financial Officer in an earnings call yesterday.

McLoughlin also expects the incident to incur additional and unforeseen legal, consulting, and other costs associated with the investigation, service restoration, and remediation of the breach.

The Cognizant CFO says the company has now fully recovered from the ransomware infection and restored the majority of its services.

Incident only impacted internal network

Speaking on the ransomware attack, Cognizant CEO Brian Humphries said the incident only impacted its internal network, but not customer systems.

More precisely, Humphries said the ransomware incident impacted (1) Cognizant’s select system supporting employees’ work from home setups and (2) the provisioning of laptops that Cognizant was using to support its work from home capabilities during the COVID-19 pandemic.

[…]

Cognizant held meetings with customers, however, the meetings did not go smoothly as Cognizant avoided sharing any actual details of what had happened.

ZDNet learned of the incident as it was going on, at the time, on April 17, when several disgruntled customers had reached out to this reporter about the company attempting to hide a major security breach under the guise of “technical issues” and cutting off access to a series of services.

Initially, customers feared that a hacker had either stolen user data from servers, or that a ransomware incident had taken place and spread to customer servers, encrypting their data and making the servers inaccessible.

Customers were thrown in full paranoia mode after Cognizant sent an internal alert to all customers, urging clients to block traffic for a list of IP addresses.

[…]

Cognizant losses from the incident are in the same range reported last year by aluminum producer Norsk Hydro, which reported that a March 2019 ransomware incident would cause total revenue losses of more than $40 million, a number it later adjusted to nearly $70 million during the year.

Humphries said that Cognizant is now working to address the concerns of customers who opted to suspend Cognizant services in the wake of the ransomware attack, which also impacted Cognizant’s current bottom line.

Cognizant reported a Q1 2020 revenue of $4.2 billion, up 2.8% over Q1 2019.

The number of SEC filings listing ransomware as a major forward-looking risk factor to companies’ profits has skyrocketed in recent years from 3 filings in 2014 to 1,139 in 2019, and already 743 in 2020. Companies today see ransomware attacks as a real risk for their bottom lines, as ransomware incidents tend to cause reputational damage to stock prices and financial losses due to lost revenue, since most victims take weeks or months to fully recover.

Source: Cognizant expects to lose between $50m and $70m following ransomware attack | ZDNet

One malicious MMS is all it takes to pwn a Samsung smartphone: Bug squashed amid Android patch batch

Samsung has patched a serious security hole in its smartphones that can be exploited by maliciously crafted text messages to hijack devices.

It appears no user interaction is required: if Samsung’s messaging app bundled with phones since 2015 receives a booby-trapped MMS, it will parse it automatically before the user even opens it. This will trigger a vulnerability in the Skia graphics library, used by the app to decode the message’s embedded Qmage image. The end result is code execution on the device, allowing the miscreant who sent it to potentially snoop on their victim and come up with other mischief.

The remote-code execution flaw, labeled SVE-2020-16747, was discovered and reported by Google Project Zero’s Mateusz Jurczyk. You can find an in-depth explanation of the bug here.

Samsung has pushed out updates to supported phones to squash the bug, which should be installed ASAP before someone weaponizes an exploit for this programming blunder. If you are still waiting for a patch, switching your default message app to another messaging application, and not Samsung’s, and disabling automatic MMS parsing, may help.

The patch coincides with Android’s monthly release of security fixes: all owners of devices running supported versions of Android will want to check for and install relevant updates in May’s patch batch.

This latest wedge includes fixes for a remote code execution flaw in the Android AAC decoder (CVE-2020-0103) and a critical Android framework elevation-of-privilege bug (CVE-2020-0096) that together can be exploited to gain total control of the device.

The other vulnerabilities at the 01 patch level are as follows. For the Android framework, two additional elevation-of-privilege bugs (CVE-2020-0097, CVE-2020-0098) that grant malware already on the device not-quite-total control over a device, and for the media framework, one EoP flaw (CVE-2020-0094) and three information disclosure bugs (CVE-2020-0093, CVE-2020-0100, CVE-2020-0101).

The Android system patches cover the aforementioned AAC remote code bug as well as four EoP (CVE-2020-0102, CVE-2020-0109, CVE-2020-0105, CVE-2020-0024) and three information disclosure bugs (CVE-2020-0092, CVE-2020-0106, CVE-2020-0104) holes.

At the 05 level, patches for components outside of the core Android package, fixes were posted for two kernel flaws allowing EoP (CVE-2020-0110) and information disclosure (CVE-2019-19536). Four fixes were posted for information disclosure bugs in MediaTek components (CVE-2020-0064, CVE-2020-0065, CVE-2020-0090, CVE-2020-0091).

A total of 18 patches were posted for flaws in Qualcomm components, though the details on those bugs were not given.

Those with supported Google-branded devices should get the May fixes directly from the Chocolate Factory, while other Android devices should see the fixes come from their respective vendors and carriers. This can happen anywhere from immediately to several weeks from now, to never, depending on the supplier.

Source: One malicious MMS is all it takes to pwn a Samsung smartphone: Bug squashed amid Android patch batch • The Register

Privacy Enhancements for Android

Privacy Enhancements for Android (PE for Android) is a platform for exploring concepts in regulating access to private information on mobile devices. The goal is to create an extensible privacy system that abstracts away the details of various privacy-preserving technologies. PE for Android allows app developers to safely leverage state-of-the-art privacy techniques without knowledge of esoteric underlying technologies. Further, PE for Android helps users to take ownership of their private information by presenting them with more intuitive controls and permission enforcement. The platform was developed as a fork of the Android Open Source Project (AOSP) release for Android 9 “Pie” and can be installed as a Generic System Image (GSI) on a Project Treble-compliant device.

Source: Privacy Enhancements for Android

Under DARPA’s Brandeis program, a team of researchers led by Two Six Labs and Raytheon BBN Technologies have developed a platform called Privacy Enhancements for Android (PE for Android) to explore more expressive concepts in regulating access to private information on mobile devices. PE for Android seeks to create an extensible privacy system that abstracts away the details of various privacy-preserving technologies, allowing application developers to utilize state-of-the-art privacy techniques, such as secure multi-party computation and differential privacy, without knowledge of their underlying esoteric technologies. Importantly, PE for Android allows mobile device users to take ownership of their private information by presenting them with more intuitive controls and permission enforcement options.

Source: Researchers on DARPA’s Brandeis Program Enhance Privacy Protections for Android Applications

GitHub blasts code-scanning tool into all open-source projects

GitHub has made its automated code-scanning tools available to all open-source projects free of charge.

The aim, said the code repo house, is to help developers suss out potential security vulnerabilities ahead of time, and to do so at a scale that will work for both small and large projects.

The feature, based on the code-checking tools GitHub bought last year when it gobbled up UK-based Semmle, automatically graphs and scans code when a new push request is made and checks it for a number of common errors that can cause security vulnerabilities.

GitHub senior product manager Justin Hutchings told The Register that a key component of the Semmle (and now GitHub) scanning was CodeQL, the query language that graphs and then checks code for mistakes.

“It turns out that capability is extremely useful in security,” said Hutchings. “Most security problems are bad data flow or bad data usage in one way or another.”

While the feature itself will be new to GitHub, the underlying Semmle tools have been in use for years, which is why GitHub believes they’ll hit the ground running when they launch for free with open-source projects and as an add-on for the paid (enterprise), closed-source part of GitHub.

Although the code-scanning feature could be seen as most beneficial to smaller projects without enough work hours needed to thoroughly check for bugs, Hutchings noted that by making the feature cloud-based, bigger developers are also getting something on their wishlist.

“A lot of our commercial customers are excited about being able to run this at scale on our cloud,” he told us.

“Security analysis is compute intensive, you are dealing with millions of lines of code. You want to do this rapidly and we are finally bringing this capability into a hosted cloud environment, so they can scale up more quickly than they could previously.”

In addition to scanning for security bugs, GitHub is also adding the option for commercial developers to scan offline repositories and for exposed secrets (keys, credentials, etc) that could lead to network breaches and data leaks if let out onto the public internet. Previously limited to public repositories (such as AWS or Google Cloud), the secret-scanning feature will now be able to run on private GitHub repositories.

This addition, Hutchings said, is not just a security feature but also a stability feature, as it helps developers keep up with security policies that require changing keys at regular intervals by tracking and logging the changes. In this way, developers can avert outages and downtime that might otherwise occur when keys changes don’t get properly reported and handled.

Source: GitHub blasts code-scanning tool into all open-source projects • The Register

Very cloudy indeed!

Nervous, Adobe? It took 16 years, but open-source vector graphics editor Inkscape v1.0 now works properly on macOS

Open-source, cross-platform vector drawing package Inkscape has reached its version 1.0 milestone after many years of development.

Inkscape can be seen as an alternative to commercial products such as Adobe Illustrator or Serif Affinity Designer – though unlike Inkscape, neither of those run on Linux. The native format of Inkscape is SVG (Scalable Vector Graphics), the web standard.

[…]

Inkscape 1.0 is most significant for Mac users. Previous releases for macOS required a compatibility component called XQuartz, which enables applications designed for the X windowing system to run on macOS Quartz, part of Apple’s Core Graphics framework. This is no longer required and Inkscape 1.0 is now a native macOS application – though it is not all good news. The announcement noted: “This latest version is labelled as ‘preview’, which means that additional improvements are scheduled for the next versions.”

[…]

Inkscape 1.0 seems polished and professional. Adobe, which sells Illustrator on a subscription basis starting at £19 (if you inhale the rest of the Creative Cloud), will likely not be worried, but apart from the cost saving there are advantages in simpler applications that are relatively lightweight and easy to learn, as well as running well on Linux.

Source: Nervous, Adobe? It took 16 years, but open-source vector graphics editor Inkscape now works properly on macOS • The Register

Hackers hide web skimmer behind a website’s favicon

A hacker group created a fake icons hosting website in order to disguise malicious code meant to steal payment card data from hacked websites.

The operation is what security researchers refer to these days as web skimming, e-skimming, or a Magecart attack.

Hackers breach websites and then hide malicious code on their pages, code that records and steals payment card details as they’re entered in checkout forms.

[…]

Hackers created a fake icons hosting portal

In a report published today, US-based cybersecurity firm Malwarebytes said it detected one such group taking its operations to a whole new level of sophistication with a new trick.

The security firm says it discovered this group while investigating a series of strange hacks, where the only thing modified on the hacked sites was the favicon — the logo image shown in browser tabs.

The new favicon was a legitimate image file hosted on MyIcons.net, with no malicious code hidden inside it. However, while the change looked innocent, Malwarebytes said that web skimming code was still loaded on hacked sites, and there was clearly something strange with the new favicon.

[…]

The trick, according to Malwarebytes, was that the MyIcons.net website served a legitimate favicon file for all a website’s pages, except on pages that contained checkout forms.

On these pages, the MyIcons.net website would secretly switch the favicon with a malicious JavaScript file that created a fake checkout form and stole user card details.

Malwarebytes said that site owners investigating the incident and accessing the MyIcons.net website would find a fully-working icon hosting portal, and would be misled to believe it’s a legitimate site.

However, the security firm says MyIcons.net was actually a clone of the legitimate IconArchive.com portal, and that its primary role was to be a decoy.

Furthermore, the site was also hosted on servers used previously in other web skimming operations, as reported by fellow cybersecurity firm Sucuri a few weeks before.

Source: Hackers hide web skimmer behind a website’s favicon | ZDNet
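A site owner auditing for the trick described above has to fetch the favicon in the context of each page, not just the homepage, and verify that what comes back is an image. The following is an added example, not Malwarebytes' tooling: it extracts `<link rel=icon>` targets, checks the response bytes against image magic numbers, and uses a constructed fake fetcher that mimics the decoy by answering with script only when the referring page is a checkout page (the real decoy's exact decision logic is not stated in the article).

```python
import re

# Magic bytes of the image formats a favicon is normally served in.
IMAGE_MAGIC = {
    b"\x00\x00\x01\x00": "ico",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}
LINK_TAG = re.compile(r"<link\b[^>]*>", re.I)
ATTR = re.compile(r'([\w-]+)\s*=\s*["\']([^"\']*)["\']')
SCRIPT_HINT = re.compile(r"\b(function|document|window|eval|fetch|XMLHttpRequest)\b")


def sniff_image(body: bytes):
    """Return the image format implied by the leading bytes, or None."""
    for magic, fmt in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return fmt
    if b"<svg" in body[:512].lower():
        return "svg"
    return None


def looks_like_script(body: bytes) -> bool:
    """Cheap heuristic: JavaScript keywords near the start of the body."""
    return bool(SCRIPT_HINT.search(body[:4096].decode("latin-1")))


def favicon_urls(html: str):
    """Collect href values of <link> tags whose rel contains 'icon'."""
    urls = []
    for tag in LINK_TAG.findall(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
        if "icon" in attrs.get("rel", "").lower().split() and "href" in attrs:
            urls.append(attrs["href"])
    return urls


def audit_page(path: str, html: str, fetch):
    """Fetch every favicon of one page in that page's context and flag responses
    that are not images. fetch(url, referer) -> (content_type, body)."""
    findings = []
    for url in favicon_urls(html):
        ctype, body = fetch(url, referer=path)
        if sniff_image(body) is None:
            why = "body looks like JavaScript" if looks_like_script(body) else "no image magic"
            findings.append((url, ctype, why))
        elif not ctype.lower().startswith("image/"):
            findings.append((url, ctype, "image bytes served with non-image content-type"))
    return findings


def audit_site(pages: dict, fetch) -> dict:
    """Audit each page separately: the reported decoy only swapped the favicon
    for script on checkout pages, so a homepage-only check sees nothing."""
    return {path: audit_page(path, html, fetch) for path, html in pages.items()}


# --- constructed sample data (not real MyIcons.net content) -----------------
SAMPLE_ICO = b"\x00\x00\x01\x00\x01\x00\x10\x10\x00\x00\x01\x00\x20\x00" + b"\x00" * 32
SAMPLE_JS = b"(function(){ /* constructed stand-in, does nothing */ window.setTimeout(function(){}, 0); })();"
SAMPLE_PAGES = {
    "/": '<html><head><link rel="icon" href="https://icons.example/fav.ico"></head></html>',
    "/checkout": '<html><head><link rel="shortcut icon" href="https://icons.example/fav.ico"></head></html>',
}


def fake_fetch(url, referer=""):
    """Stand-in for HTTP that behaves like the described decoy: an image
    everywhere except when the referring page is a checkout page."""
    if "checkout" in referer:
        return "application/javascript", SAMPLE_JS
    return "image/x-icon", SAMPLE_ICO


if __name__ == "__main__":
    for path, findings in audit_site(SAMPLE_PAGES, fake_fetch).items():
        print(path, findings or "ok")
```

Against a live site, replace `fake_fetch` with an HTTP client that sends the page URL as `Referer`, since a response that differs by referring page is itself the signal to investigate.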

Details of 44m Pakistani mobile users leaked online, part of bigger 115m cache

The details of 44 million Pakistani mobile subscribers have leaked online this week, ZDNet has learned.

The leak comes after a hacker tried to sell a package containing 115 million Pakistani mobile user records last month for a price of $2.1 million in bitcoin.

ZDNet has obtained copies of both data sets. We received the entire 44 million records released online today, but we also received a sample of 55 million user records that were part of the 115 million data dump. Based on the data sets, we can conclude that the two are the same.

According to our analysis of the leaked files, the data contained both personally-identifiable and telephony-related information. This includes the likes of:

  • Customer full names
  • Home addresses (city, region, street name)
  • National identification (CNIC) numbers
  • Mobile phone numbers
  • Landline numbers
  • Dates of subscription

The data included details for both Pakistani home users and local companies alike.

Details for companies matched public records and public phone numbers listed on companies’ websites. In addition, ZDNet also verified the validity of the leaked data with multiple Pakistani users.

Source: Details of 44m Pakistani mobile users leaked online, part of bigger 115m cache | ZDNet

Jet propulsion by microwave air plasma in the atmosphere: AIP Advances: Vol 10, No 5

We propose a prototype design of a propulsion thruster that utilizes air plasma induced by microwave ionization. Such a jet engine simply uses only air and electricity to produce high temperature and pressurized plasma for jet propulsion. We used a home-made device to measure the lifting force and jet pressure at various settings of microwave power and the air flow rate. We demonstrated that, given the same power consumption, its propulsion pressure is comparable to that of conventional airplane jet engines using fossil fuels. Therefore, such a carbon-emission free thruster could potentially be used as a jet thruster in the atmosphere.

[…]

In this report, we consider a microwave air plasma jet thruster using high-temperature and high-pressure plasma generated by a 2.45 GHz microwave ionization chamber for injected pressurized air. We propose a simple prototype plasma jet thruster that can generate approximately 10 N of thrust at 400 W using 0.5 l/s for the airflow, corresponding to a lifting force of 28 N/kW and a jet pressure of 2.4 × 10⁴ N/m². At a higher microwave power or greater airflow, propulsion forces and jet pressures comparable to those of commercial airplane jet engines can be achieved.

[…]

When high-power microwave is generated using microwave sources arranged in parallel, higher heat is also generated. At this point, the method of measuring the propulsive force with a steel ball is no longer applicable. How to deal with the impact of high temperature on equipment and how to evaluate the driving force are challenges that require further research.

Source: Jet propulsion by microwave air plasma in the atmosphere: AIP Advances: Vol 10, No 5

No cookie consent walls — and no, scrolling isn’t consent, says EU data protection body

You can’t make access to your website’s content dependent on a visitor agreeing that you can process their data — aka a ‘consent cookie wall’. Not if you need to be compliant with European data protection law.

That’s the unambiguous message from the European Data Protection Board (EDPB), which has published updated guidelines on the rules around online consent to process people’s data.

Under pan-EU law, consent is one of six lawful bases that data controllers can use when processing people’s personal data.

But in order for consent to be legally valid under Europe’s General Data Protection Regulation (GDPR) there are specific standards to meet: It must be clear and informed, specific and freely given.

Hence cookie walls that demand ‘consent’ as the price for getting inside the club are not only an oxymoron but run into a legal brick wall.

No consent behind a cookie wall

The regional cookie wall has been crumbling for some time, as we reported last year — when the Dutch DPA clarified its guidance to ban cookie walls.

The updated guidelines from the EDPB look intended to hammer the point home. The steering body’s role is to provide guidance to national data protection agencies to encourage a more consistent application of data protection rules.

The EDPB’s intervention should — should! — remove any inconsistencies of interpretation on the updated points by national agencies of the bloc’s 27 Member States. (Though compliance with EU data protection law tends to be a process; aka it’s a marathon not a sprint, though on the cookie wall issues the ‘runners’ have been going around the tracks for a considerable time now.)

As we noted in our report on the Dutch clarification last year, the Internet Advertising Bureau Europe was operating a full cookie wall — instructing visitors to ‘agree’ to its data processing terms if they wished to view the content.

The problem we pointed out is that this wasn’t a free choice. Yet EU law requires a free choice for consent to be legally valid. So it’s interesting to note that IAB Europe has, at some point since, updated its cookie consent implementation — removing the cookie wall and offering a fairly clear (if nudged) choice to visitors to either accept or deny cookies for “aggregated statistics”…

As we said at the time the writing was on the wall for consent cookie walls.

The EDPB document includes the below example to illustrate the salient point that consent cookie walls do not “constitute valid consent, as the provision of the service relies on the data subject clicking the ‘Accept cookies’ button. It is not presented with a genuine choice.”

It’s hard to get clearer than that, really.

Scrolling never means ‘take my data’

A second area to get attention in the updated guidance, as a result of the EDPB deciding there was a need for additional clarification, is the issue of scrolling and consent.

Simply put: Scrolling on a website or digital service can not — in any way — be interpreted as consent.

Or, as the EDPB puts it, “actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action” [emphasis ours].

Source: No cookie consent walls — and no, scrolling isn’t consent, says EU data protection body | TechCrunch

Google Lens can now copy and paste handwritten notes to your computer

Google has added a very useful feature to Google Lens, its multipurpose object recognition tool. You can now copy and paste handwritten notes from your phone to your computer with Lens, though it only works if your handwriting is neat enough.

In order to use the new feature, you need to have the latest version of Google Chrome as well as the standalone Google Lens app on Android or the Google app on iOS (where Lens can be accessed through a button next to the search bar). You’ll also need to be logged in to the same Google account on both devices.

That done, simply point your camera at any handwritten text, highlight it on-screen, and select copy. You can then go to any document in Google Docs, hit Edit, and then Paste to paste the text. And voila — or, viola, depending on your handwriting.

Copy and pasting with Google Lens.
Gif: Google

In our tests, the feature was pretty hit or miss. If you don’t write neatly, you’ll definitely get some typos. But it’s still a cool feature that’s especially useful at a time when a lot of people are now working from home and relying on endless to-do lists to bring some sense of order to their day.

Source: Google Lens can now copy and paste handwritten notes to your computer – The Verge

Researcher Discovers That Old Tesla Media Control Units Are Full Of Owner’s Private Data Even After A Factory Reset

There’s a hacker/security researcher with the Twitter handle GreenTheOnly who has been doing some interesting work with used Tesla parts. This time specifically, he acquired three Tesla Model 3 integrated media control unit (MCU) and Autopilot hardware units (known as the ICE computer, used only in the Model 3 and Model Y), and a Model X MCU. These were purchased off eBay, and despite having been reset, Green found that plenty of private owner information and passwords were still easily recoverable from the units.

[…]

There are a number of reasons why Tesla owners may need to replace these units: adding Autopilot to an existing car, for example; the data-logging issues in some early models that caused failures after a few years; and various other wear-and-tear and failure problems.

Once he had the units, Green found that there was a surprising amount of data still on them, ranging from what appear to be debugging screenshots taken every time a Model 3 starts up, to far more compromising data, which he described to InsideEVs:

“…owner’s home and work location, all saved wi-fi passwords, calendar entries from the phone, call lists and address books from paired phones, Netflix and other stored session cookies.”

That’s a security hole big enough to drive a Model X through, even with the Falcon Doors stuck open. And, speaking of the Model X, the unit he got from that model was physically crushed, but data was still recoverable.

Green gave more details on his Twitter feed, clarifying that the Spotify password is stored in plain text, and that the Netflix and Gmail credentials are stored as session cookies.

The ability to get calendar events and the owner’s phone book and call history is also a serious security breach.

When owners decide to upgrade their car’s computer, Tesla will only let them keep the original hardware for a fee, reportedly $1,000 according to a Tesla owners’ forum. Yes, it’s strange to have to pay the company to keep hardware that you should have owned when you bought your car, but Tesla has a history of non-traditional ideas about what exactly you’ve bought along with your car.
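How the data described above survives a “reset”, and what would actually have protected it, as an added example that is not Green’s tooling, Tesla’s firmware or the MCU’s real storage layout. It models a toy flash image with an assumed layout (a volume-key slot, a fixed directory table, a data region), constructed sample files including a wpa_supplicant-style `psk=` line and a Netscape-format cookie line, a reset that only unlinks the files, a carve that ignores the filesystem altogether, and a crypto-erase reset for comparison. The SHA-256 counter-mode keystream is a toy stand-in for the AES-XTS a real unit would use.

```python
"""Data remanence after a 'factory reset': added example, not Green's tooling or Tesla's
firmware. Assumed layout: 32-byte volume-key slot, fixed directory table, data region.
Sample files, the wpa_supplicant-style psk= line and the carve patterns are constructed."""
import hashlib
import os
import re
import struct

IMAGE_SIZE = 4096
KEY_SLOT = 32                        # assumed: the at-rest volume key lives here
DIR_ENTRIES = 8
ENTRY_FMT = "<16sII"                 # name, data offset, data length
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)
DIR_START = KEY_SLOT
DATA_START = DIR_START + DIR_ENTRIES * ENTRY_SIZE

# Constructed stand-ins for the kinds of files the article says were recovered.
SAMPLE_FILES = {
    "wifi.conf": b'network={\n  ssid="HomeNet"\n  psk="correct horse battery"\n}\n',
    "cookies.txt": b"netflix.com\tNetflixId\tv%3D2%26ct%3DEXAMPLETOKEN\n",
    "contacts.csv": b"Alice Example,+15555550100\n",
}
# What a raw chip dump is scanned for; the filesystem is never consulted.
SECRET_PATTERNS = {
    "wifi_psk": re.compile(rb'psk="([^"]+)"'),
    "session_cookie": re.compile(rb"(?:netflix|google)\.com\t\S+\t(\S+)"),
    "phone": re.compile(rb"\+1\d{10}"),
}

def _xor(data: bytes, key: bytes) -> bytes:
    # SHA-256 in counter mode as a toy stand-in for the AES-XTS a real unit would use.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def make_image(files: dict, encrypt: bool) -> bytearray:
    """Build the flash image; with encrypt=True the data region is ciphertext at rest."""
    img = bytearray(IMAGE_SIZE)
    key = os.urandom(KEY_SLOT) if encrypt else b""
    img[:KEY_SLOT] = key.ljust(KEY_SLOT, b"\0")
    offset = DATA_START
    for i, (name, data) in enumerate(files.items()):
        blob = _xor(data, key) if encrypt else data
        struct.pack_into(ENTRY_FMT, img, DIR_START + i * ENTRY_SIZE,
                         name.encode(), offset, len(blob))
        img[offset:offset + len(blob)] = blob
        offset += len(blob)
    return img

def live_files(img: bytearray) -> list:
    """What the unit's own software sees: only entries still in the directory."""
    names = []
    for i in range(DIR_ENTRIES):
        name, _, length = struct.unpack_from(ENTRY_FMT, img, DIR_START + i * ENTRY_SIZE)
        if length:
            names.append(name.rstrip(b"\0").decode())
    return names

def reset_unlink_only(img: bytearray) -> None:
    """Clears the directory and nothing else: the files are 'gone', the bytes are not."""
    img[DIR_START:DATA_START] = bytes(DATA_START - DIR_START)

def reset_crypto_erase(img: bytearray) -> None:
    """Unlink and destroy the volume key; ciphertext left on the flash is useless."""
    reset_unlink_only(img)
    img[:KEY_SLOT] = bytes(KEY_SLOT)

def carve(img: bytearray) -> dict:
    """Scan the raw image for secrets, the way a chip dump is scanned."""
    raw, found = bytes(img), {}
    for label, pattern in SECRET_PATTERNS.items():
        hits = [m.group(m.lastindex or 0) for m in pattern.finditer(raw)]
        if hits:
            found[label] = hits
    return found

def demo() -> dict:
    """Run both reset strategies; returns {mode: (files still listed, secrets carved)}."""
    results = {}
    for mode, reset in (("unlink_only", reset_unlink_only),
                        ("crypto_erase", reset_crypto_erase)):
        img = make_image(SAMPLE_FILES, encrypt=(mode == "crypto_erase"))
        assert live_files(img) == list(SAMPLE_FILES)   # the unit works normally before reset
        reset(img)
        results[mode] = (live_files(img), carve(img))
    return results

if __name__ == "__main__":
    for mode, (files, secrets) in demo().items():
        print(f"{mode}: filesystem lists {files}; raw carve recovers {secrets}")
```

After the unlink-only reset the filesystem lists nothing while the raw carve still returns the Wi-Fi passphrase, the session cookie and the phone number; after the crypto-erase reset the carve returns nothing. The distinction matters on flash in particular: wear levelling means an overwrite issued by the host is not guaranteed to land on the physical pages that hold the old copy, so encryption at rest with key destruction is the approach that holds up when a unit is resold, or, as with the Model X unit here, pulled from crushed hardware.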

Source: Researcher Discovers That Old Tesla Media Control Units Are Full Of Owner’s Private Data Even After A Factory Reset

Amazon Sued for Acting Like Users Own “Purchased” Movies (Spoiler Alert: You Don’t)

The question of whether you own your digital purchases, or whether you’re simply licensing that content from whatever tech giant du jour hosts it, has always been a bit of a black box for consumers. Recently, this lack of transparency has prompted one California user to file a lawsuit against Amazon for saying customers can “purchase” movies on Prime Video when, in actuality, the company can cut off access to that content at its discretion.

Yeah, in case you didn’t know, you don’t really own what you buy on Prime Video. Even though the service bills this content as “Your Video Purchases”, Prime Video’s terms of service outline how all purchases are really just long-term rentals that can disappear from your library at any time:

“Purchased Digital Content will generally continue to be available to you for download or streaming from the Service, as applicable, but may become unavailable due to potential content provider licensing restrictions or for other reasons, and Amazon will not be liable to you if Purchased Digital Content becomes unavailable for further download or streaming.”

None of this is made apparent unless you go digging into Prime Video’s ToS pages, though, which lawyers for the suit’s plaintiff, Amanda Caudel, argue is Amazon’s attempt to “deceive, mislead and defraud consumers.” Per the class action complaint, as first spotted by TechDirt:

“Reasonable consumers will expect that the use of a “Buy” button and the representation that their Video Content is a “Purchase” means that the consumer has paid for full access to the Video Content and, like any bought product, that access cannot be revoked.

Unfortunately for consumers who chose the “Buy” option, this is deceptive and untrue. Rather, the ugly truth is that Defendant secretly reserves the right to terminate the consumers’ access and use of the Video Content at any time, and has done so on numerous occasions, leaving the consumer without the ability to enjoy their already-bought Video Content.”

Defendant’s representations are misleading because they give the impression that the Video Content is purchased – i.e. the person owns it – when in fact that is not true because Defendant or others may revoke access to the Video Content at any time and for any reason.

And since renting a movie for 30 days costs significantly less than purchasing it on Prime Video, usually around $5 compared to $14.99-19.99, the lawsuit argues that Amazon uses this deceptive distinction to earn profit at the expense of consumers, particularly since no user agreement pops up at purchase to explain to customers that they won’t actually own the video content after hitting “Buy”. There’s no such disclaimer on the movie’s purchase page either.

Source: Amazon Sued for Acting Like Users Own “Purchased” Movies (Spoiler Alert: You Don’t)

IAB Europe Guide to the Post Third-Party Cookie Era

This Guide has been developed by experts from IAB Europe’s Programmatic Trading Committee (PTC) to prepare brands, agencies, publishers and tech intermediaries for the much-anticipated post third-party cookie advertising ecosystem.

It provides background to the current use of cookies in digital advertising today and an overview of the alternative solutions being developed. As solutions evolve, the PTC will be updating this Guide on a regular basis to provide the latest information and guidance on market alternatives to third-party cookies.

The Guide, available below as an e-book or PDF, helps answer the following questions:

  • What factors have contributed to the depletion of the third-party cookie?
  • How will the depletion of third-party cookies impact stakeholders and the wider industry including proprietary platforms?
  • How will the absence of third-party cookies affect the execution of digital advertising campaigns?
  • What solutions currently exist to replace the usage of third-party cookies?
  • What industry solutions are currently being developed and by whom?
  • How can I get involved in contributing to the different solutions?

Source: IAB Europe Guide to the Post Third-Party Cookie Era – IAB Europe

Yup, soon advertisers won’t be able to track you across the internet using third-party cookies anymore.

Air Force Announces it Can Save $7 Million by Adjusting One Plane’s Windshield Wipers

The Air Force recently proved through a series of tests that its KC-135 Stratotanker aircraft can fly more efficiently just by mounting the cockpit window’s wiper blades vertically instead of horizontally. The potential fuel cost savings: about $7 million per year.

Researchers with the Advanced Power and Technology Office, part of the Air Force Research Laboratory, and the Southwest Research Institute, assessed the KC-135 after similar tests were conducted on a commercial McDonnell Douglas MD-11 cargo airliner. The commercial tests showed the new blade direction reduced its flight drag by 1.2%.

“Across the KC-135 fleet, blades are positioned horizontally on the windshield as part of the aircraft’s original 1950s design,” officials said in a news release. “However, as the understanding of aviation aerodynamics advanced, research indicated placing the wipers vertically when not in use could improve aerodynamic efficiency and optimize fuel use.”

[…]

The data collected revealed drag was reduced 0.8% just by moving the blade vertically, and 0.2% for a slimmer wiper design on the cockpit’s window.

Computational fluid dynamics analysis, conducted by Air Force Research Laboratory and Southwest Research Institute, shows the nose of a KC-135 Stratotanker with the wiper blades positioned horizontally, left, and vertically, right. The red indicates an area of high aerodynamic drag. (U.S. Air Force courtesy photo)

“While 1% efficiency may not seem like a lot, it equates to millions of dollars in fuel savings each year, which can then be re-invested into other programs,” Daniel Pike, acquisition manager and chief of future operations for Air Force Operational Energy, said in a statement.

For example, the KC-135 fleet used more than 260 million gallons in fiscal 2019, the service said, citing the Air Force Total Ownership Cost database. That accounts for roughly 14% of the Air Force’s total fuel use across its aircraft fleets.

Source: Air Force Announces it Can Save $7 Million by Adjusting One Plane’s Windshield Wipers | Military.com

Apple sues Corellium for copyright infringement – and subpoenas everybody who talks about Corellium or is / was their customer. Strong arm much?

Last year, Apple accused a cybersecurity startup based in Florida of infringing its copyright by developing and selling software that allows customers to create virtual iPhone replicas. Critics have called Apple’s lawsuit against the company, called Corellium, “dangerous” as it may shape how security researchers and software makers can tinker with Apple’s products and code.

The lawsuit, however, has already produced a tangible outcome: very few people, especially current and former customers and users, want to talk about Corellium, which sells the eponymous software that virtualizes iPhones and Android devices. During the lawsuit’s proceedings, Apple has sought information from companies that have used the tool, which emulates iOS on a computer, allowing researchers to probe potential iPhone vulnerabilities in a forgiving and easy-to-use environment.

[…]

“I don’t know if they intended it but when they name individuals at companies that have spoken in favor [of Corellium], I definitely believe retribution is possible,” the researcher added, referring to Apple’s subpoena to the Spanish finance giant Santander Bank, which named an employee who had tweeted about Corellium.

[…]

A security researcher, who specializes in offensive security and asked to remain anonymous, said that he would definitely “have legal look into it beforehand if I needed [Corellium’s] stuff,” arguing that he’d be wary of Apple getting involved.

Three other researchers who specialize in hacking Apple software declined to comment citing the risk of some sort of retaliation from Apple.

[…]

In January, Apple subpoenaed the defense contractor L3Harris and Santander Bank, requesting information on how they use Corellium, all communications they’ve had with the startup, internal communications about their products, and any contracts they’ve signed with the company, among other information.

Mark Dowd, the founder of Azimuth Security, a cybersecurity startup that specializes in developing hacking tools for governments that’s now part of L3Harris, said last year that he couldn’t comment about Corellium “because [Apple] mention[ed] us in the original filing.” (Dowd did not respond to a request for comment this week.)

[…]

Some researchers, however, are not afraid of Apple. Elias Naur uses Corellium to test code written in the Go language for mobile operating systems. Before Corellium, Naur said he had to test code on two busted old phones plugged in under his couch. Naur said he’s “not worried Apple will come after Corellium’s customers” and is still using the software.

[…]

In this David v. Goliath battle, as Forbes called it, many people are choosing to stay away from David even before seeing who wins.

Source: Apple’s Copyright Lawsuit Has Created a ‘Chilling Effect’ on Security Research – VICE

‘Artificial leaf’ concept inspires research into solar-powered fuel production

Rice University researchers have created an efficient, low-cost device that splits water to produce hydrogen fuel.

The platform developed by the Brown School of Engineering lab of Rice materials scientist Jun Lou integrates catalytic electrodes and perovskite solar cells that, when triggered by sunlight, produce electricity. The current flows to the catalysts that turn water into hydrogen and oxygen, with a sunlight-to-hydrogen efficiency as high as 6.7%.

This sort of catalysis isn’t new, but the lab packaged a perovskite layer and the electrodes into a single module that, when dropped into water and placed in sunlight, produces hydrogen with no further input.

The platform introduced by Lou, lead author and Rice postdoctoral fellow Jia Liang and their colleagues in the American Chemical Society journal ACS Nano is a self-sustaining producer of fuel that, they say, should be simple to produce in bulk.

“The concept is broadly similar to an artificial leaf,” Lou said. “What we have is an integrated module that turns sunlight into electricity that drives an electrochemical reaction. It utilizes water and sunlight to get chemical fuels.”

Perovskites are crystals with cubelike lattices that are known to harvest light. The most efficient perovskite solar cells produced so far achieve an efficiency above 25%, but the materials are expensive and tend to be stressed by light, humidity and heat.

“Jia has replaced the more expensive components, like platinum, in perovskite solar cells with alternatives like carbon,” Lou said. “That lowers the entry barrier for commercial adoption. Integrated devices like this are promising because they create a system that is sustainable. This does not require any external power to keep the module running.”

Liang said the key component may not be the perovskite but the polymer that encapsulates it, protecting the module and allowing it to be immersed for long periods. “Others have developed catalytic systems that connect the solar cell outside the water to immersed electrodes with a wire,” he said. “We simplify the system by encapsulating the perovskite layer with a Surlyn (polymer) film.”

The patterned film allows sunlight to reach the solar cell while protecting it and serves as an insulator between the cells and the electrodes, Liang said.

Source: ‘Artificial leaf’ concept inspires research into solar-powered fuel production

New study spotlights the dark side of venture capitalist funding – shows it’s also bad for the bottom line

A new study from The School of Business at Portland State University suggests that the aggressive cultures of private equity firms, venture capital firms among them, might spill over into the companies that they fund. Venture capitalists are often the hidden players in decision making, and they are funding startups like Uber, SpaceX and AirBnB.

With money, comes expectations

As a company grows through early developmental milestones, it becomes accountable to key stakeholders.

According to the study, companies often face challenges when balancing the tension between long-term socially responsible strategies and the short-term demands associated with venture capital funding.

PSU Associate Professor of Management Theodore Khoury and colleagues published their study, “Is venture capital socially responsible? Exploring the imprinting effect of VC funding on CSR practices,” in the Journal of Business Venturing.

The study found that venture capitalists often push a business they are financing to prioritize long-term financially-based goals instead of socially responsible ones, like fair wages, reducing carbon footprints or improving labor policies.

Venture capitalists often hold a large portion of the equity in the companies in which they invest, which gives them voting power to challenge or advocate for specific strategic directions and influence decisions that might jeopardize company returns.

The prioritization of financial success opens a floodgate, allowing behaviors such as sexual harassment at new companies like Uber to go unchecked.

“We find that venture capitalist-backed companies have poorer socially responsible practice records, which do improve over time, but at a comparatively slower rate than non-venture capitalist-backed companies,” Khoury said.

Unexpected consequence of greed

The PSU study also highlights how venture capitalists’ desires for financial surplus might end up causing more harm than good.

Uber agreed to pay $4.4 million to settle federal charges of fostering a work culture fraught with sexual harassment. It’s just one of the dozens of Silicon Valley companies facing huge fines related to sexual harassment charges.

The researchers assert that socially responsible practices positively impact, rather than reduce, a company’s financial performance.

“Compared to non-venture capitalist-backed companies, venture capitalist-backed companies presented significantly lower assets, sales, tangible assets, inventories, returns on assets, profit margins and debt levels, as well as higher intangibles and current ratios,” the study said.

In addition to financial success, socially responsible practices help satisfy multiple stakeholders (like employees), enhance a company’s market value, preempt government regulations, reduce risk, develop business resources and lower capital costs.

However, the researchers add that when venture capitalist-backed companies receive funding from firms with a responsible investment orientation and a broader stakeholder view, their socially responsible practice records are significantly better.

“Early-stage imprinting can happen from many sources, but when businesses take funding from certain investors, certain cultures, operating modes and ways of conducting business may start to take shape for the long term to affect a broader group of stakeholders,” Khoury said. “The effects of early-stage imprinting from venture capital funding can be hard to ‘undo,’ and there are social consequences.”

Source: New study spotlights the dark side of venture capitalist funding

Tesla stock rise appears to qualify CEO Musk for $700 million payday – and the chance to buy loads of Tesla stock at low prices

Shares of Tesla Inc (TSLA.O) jumped more than 8% on Monday, putting Tesla’s market capitalization at $141.1 billion at the close. More importantly for Musk, Tesla’s stock market value reached a six-month average of $100.2 billion, according to an analysis of Refinitiv data.

Hitting a six-month average of $100 billion triggers the vesting of the first of 12 tranches of options granted to the billionaire to buy Tesla stock as part of a pay package agreed in 2018. Musk has already met two other requirements by hitting a growth target and far exceeding a one-month average $100 billion market cap.

Each tranche gives Musk the option to buy 1.69 million Tesla shares at $350.02 each. At Tesla’s closing stock price of $761.19, Musk would theoretically be able to sell the shares for a profit of $694 million.

Musk on Friday said on Twitter, “Tesla stock price is too high imo,” using an abbreviation for “in my opinion”.

That tweet sent Tesla’s stock tumbling 10%, shocking shareholders. Tesla, whose California factory is closed as part of the state’s coronavirus-related lockdowns, posted its third quarterly profit in a row last week.

Musk, who is also the majority owner and CEO of the SpaceX rocket maker, receives no salary or cash bonus, only options that vest based on Tesla’s market cap and milestones for revenue and profit growth.

A full payoff of all tranches would surpass anything previously granted to U.S. executives.

When Tesla unveiled Musk’s package in 2018, it said he could theoretically reap as much as $55.8 billion if no new shares were issued. However, Tesla has since issued shares to compensate employees, and last year it sold $2.7 billion in shares and convertible bonds.

Musk’s subsequent options tranches would vest at $50 billion increments of Tesla market capitalization over the agreement’s 10-year period, with the billionaire earning the full package if Tesla’s market capitalization reaches $650 billion and the high tech vehicle maker achieves several revenue and profit targets.

Source: Tesla stock rise appears to qualify CEO Musk for $700 million payday – Reuters

Study reveals single-step strategy for recycling used nuclear fuel

A typical nuclear reactor uses only a small fraction of its fuel rod to produce power before the energy-generating reaction naturally terminates. What is left behind is an assortment of radioactive elements, including unused fuel, that are disposed of as nuclear waste in the United States. Although certain elements recycled from waste can be used for powering newer generations of nuclear reactors, extracting leftover fuel in a way that prevents possible misuse is an ongoing challenge.

Now, Texas A&M University engineering researchers have devised a simple, proliferation-resistant approach for separating out different components of used nuclear fuel. The one-step chemical reaction, described in the February issue of the journal Industrial & Engineering Chemistry Research, results in the formation of crystals containing all of the leftover nuclear elements distributed uniformly.

The researchers also noted that the simplicity of their recycling approach makes the translation from lab bench to industry feasible.

“Our recycling strategy can be easily integrated into a chemical flow sheet for industrial-scale implementation,” said Johnathan Burns, research scientist in the Texas A&M Engineering Experiment Station’s Nuclear Engineering and Science Center. “In other words, the reaction can be repeated multiple times to maximize fuel recovery yield and further reduce radioactive nuclear waste.”

[…]

For their experiments, they prepared a surrogate solution of uranium, plutonium, neptunium and americium in highly concentrated nitric acid at 60-90 degrees Celsius to mimic dissolving of a real fuel rod in the strong acid. They found when the solution reached , as predicted, that uranium, neptunium, plutonium and americium separated from the solution together, uniformly distributing themselves within the crystals.

Burns noted that this simplified, single-step process is also proliferation-resistant since plutonium is not isolated but incorporated within the uranium crystals.

“The idea is that the reprocessed fuel generated from our prescribed chemical reaction can be used in future generations of reactors, which would not only burn uranium like most present-day reactors but also other heavy elements such as neptunium, plutonium and americium,” Burns said. “In addition to addressing the fuel recycling problem and reducing proliferation risk, our strategy will drastically reduce nuclear waste to just the fission products, whose radioactivity lasts hundreds rather than hundreds of thousands of years.”

Source: Study reveals single-step strategy for recycling used nuclear fuel

Sweet TCAS! We can make airliners go up-diddly-up whenever we want, say infosec researchers

Not only can malicious people make airliners climb and dive without pilot input – they can also control where and when they do so, research from Pen Test Partners (PTP) has found.

TCAS spoofing, the practice of feeding fake traffic to the Traffic Collision Avoidance System aboard airliners, can be controlled precisely enough to determine whether a TCAS-equipped airliner climbs or descends – and even to produce climb rates of up to 3,000ft/min.

Building on earlier research into the bare-bones concept [PDF], PTP said it had figured out how to shape and control airliners’ automatic TCAS responses so they moved up or down at precisely known points.

In a blog post the firm said: “We rationalised this to the point where we only needed three fake aircraft to provide [a Resolution Advisory] that caused a climb of over 3,000 ft/min.”

[…]

The prospect of a rollercoaster ride is less scary (or realistic) than it might seem; a recent Oxford University study showed that when airliner pilots are presented with too many spoof warnings, they simply disable the system responsible – and look out of the window so they keep flying safely.

Source: Sweet TCAS! We can make airliners go up-diddly-up whenever we want, say infosec researchers • The Register