The Linkielist

Linking ideas with the world


Linksys forces password reset for Smart Wi-Fi accounts after router DNS hack pointed users at COVID-19 malware

Router biz Linksys has reset all its customers’ Smart Wi-Fi account passwords after cybercrims accessed a bunch and redirected hapless users to COVID-19 themed malware.

The mass reset took place after all user accounts were locked on 2 April, following infosec firm Bitdefender revealing that malicious persons were pwning Linksys devices through cred-stuffing attacks.

Hackers with access to Linksys Smart Wi-Fi accounts were changing home routers’ DNS server settings. Compromised users’ attempts to reach domains ranging from Disney to pornography and Amazon AWS were redirected to a webpage peddling a coronavirus-themed app “that displays a message purportedly from the World Health Organization, telling users to download and install an application that offers instructions and information about COVID-19.”

The app was hosted on Bitbucket, a Git-style collaboration tool. Instead of health advice it dispensed the Oski info-stealing malware, which helps itself to one’s login credentials for various services, including cryptocurrency wallets.

Linksys customers were told of the password reset by the firm earlier this week, along with cryptic and confusing references to “the COVID-19 malware”. Affected users must now change their passwords the next time they log into the Linksys Smart Wi-Fi app.
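The redirect pattern described above, as an added example that is not part of The Register piece or of Bitdefender’s research: a small Python check that flags the two things a hijacked router produces, resolvers handed out by the router that are not the ones you configured, and many unrelated domains all resolving to one address. Resolver addresses, domain names and answers below are constructed sample input; the “registrable root” heuristic (last two labels) is a deliberate simplification of the Public Suffix List and will misjudge co.uk-style names.

```python
"""Heuristic DNS-hijack check for a home network (added example)."""
from collections import defaultdict

# Constructed sample input. In practice you would fill these from the
# router's admin page (resolvers) and from `dig @<router> <name>` (answers).
ROUTER_ADVERTISED_RESOLVERS = {"203.0.113.53", "1.1.1.1"}
CONFIGURED_RESOLVERS = {"1.1.1.1", "9.9.9.9"}
OBSERVED_ANSWERS = {
    "disney.com": "203.0.113.77",
    "aws.amazon.com": "203.0.113.77",
    "cdn.example-video.test": "203.0.113.77",
    "www.example.org": "93.184.216.34",
    "example.org": "93.184.216.34",
}


def resolver_mismatch(advertised, configured):
    """Resolvers the router hands out that are not on the configured allowlist."""
    return set(advertised) - set(configured)


def registrable_root(name):
    """Crude eTLD+1 (last two labels). Assumption: good enough for a home
    network; use a Public Suffix List library for anything with multi-label
    public suffixes such as co.uk."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shared_answer_groups(answers, min_roots=3):
    """Map answer IP -> sorted domain names, keeping only IPs that serve at
    least `min_roots` distinct registrable roots. Legitimate CDNs can trigger
    this too, so treat hits as leads to verify, not as proof."""
    by_ip = defaultdict(list)
    for name, ip in answers.items():
        by_ip[ip].append(name)
    suspicious = {}
    for ip, names in by_ip.items():
        roots = {registrable_root(n) for n in names}
        if len(roots) >= min_roots:
            suspicious[ip] = sorted(names)
    return suspicious


def report(advertised, configured, answers):
    """Combine both signals into a list of human-readable findings."""
    findings = []
    for ip in sorted(resolver_mismatch(advertised, configured)):
        findings.append(f"router advertises unexpected resolver {ip}")
    for ip, names in sorted(shared_answer_groups(answers).items()):
        findings.append(
            f"{len(names)} unrelated names resolve to {ip}: {', '.join(names)}"
        )
    return findings


if __name__ == "__main__":
    for line in report(ROUTER_ADVERTISED_RESOLVERS, CONFIGURED_RESOLVERS, OBSERVED_ANSWERS):
        print("SUSPICIOUS:", line)
```

The second signal is the one that catches this campaign even when you cannot see the router’s configuration: a porn site, Disney and AWS have no business sharing an A record. The threshold of three roots is a starting point; tune it against what your own network normally resolves.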

Source: Linksys forces password reset for Smart Wi-Fi accounts after router DNS hack pointed users at COVID-19 malware • The Register

60,000 Eastern Europeans to be flown in to pick fruit and veg – turns out they weren’t stealing jobs then, brexit!

Air Charter Service has told the BBC that the first flight will land on Thursday in Stansted carrying 150 Romanian farm workers.

The firm told the BBC that the plane is the first of up to six set to operate between mid-April and the end of June.

Government department Defra said it was encouraging people across the UK “to help bring the harvest in”.

British farmers recently warned that crops could be left to rot in the field because of a shortage of seasonal workers from Eastern Europe. Travel restrictions due to the coronavirus lockdown have meant most workers have stayed at home.

Several UK growers have launched a recruitment drive, calling for local workers to join the harvest to prevent millions of tonnes of fruit and vegetables going to waste. However concerns remain that they won’t be able to fulfil the demand on farms.

Source: Eastern Europeans to be flown in to pick fruit and veg – BBC News

Over 500,000 Zoom accounts sold on hacker forums, some being given away for free

Over 500,000 Zoom accounts are being sold on the dark web and hacker forums for less than a penny each, and in some cases, given away for free.

These credentials are gathered through credential stuffing attacks where threat actors attempt to login to Zoom using accounts leaked in older data breaches. The successful logins are then compiled into lists that are sold to other hackers.

Some of these Zoom accounts are offered for free on hacker forums so that hackers can use them in zoom-bombing pranks and malicious activities. Others are sold for less than a penny each.

Cybersecurity intelligence firm Cyble told BleepingComputer that around April 1st, 2020, they began to see free Zoom accounts being posted on hacker forums to gain an increased reputation in the hacker community.

Zoom accounts offered to gain reputation

These accounts are shared via text sharing sites where the threat actors are posting lists of email addresses and password combinations.

In the below example, 290 accounts related to colleges such as the University of Vermont, University of Colorado, Dartmouth, Lafayette, University of Florida, and many more were released for free.

Zoom accounts offered for free

BleepingComputer has contacted random email addresses exposed in these lists and has confirmed that some of the credentials were correct.

One exposed user told BleepingComputer that the listed password was an old one, which indicates that some of these credentials are likely from older credential stuffing attacks.

Accounts sold in bulk

After seeing a seller posting accounts on a hacker forum, Cyble reached out to purchase a large number of accounts in bulk so that they could be used to warn their customers of the potential breach.

Cyble was able to purchase approximately 530,000 Zoom credentials for less than a penny each at $0.0020 per account.

The purchased accounts include a victim’s email address, password, personal meeting URL, and their HostKey.
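Both credential-stuffing stories on this page (the Linksys Smart Wi-Fi account takeovers above and the Zoom lists here) come down to reused passwords that already sit in older breach dumps. The k-anonymity range lookup offered by Have I Been Pwned’s Pwned Passwords API lets you check a password against that corpus without sending the password or even its full hash: only the first five hex characters of the SHA-1 leave the client, and the match is done locally against the returned suffixes. The Python below is an added example, not code from BleepingComputer, Cyble or HIBP. The range response is constructed inline (the counts are invented) so the demo runs offline; `fetch_range` is the only function that touches the network and is not called by the demo.

```python
"""Check a password against a breach corpus with a k-anonymity range query."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Padded responses
    contain filler suffixes with count 0; they are kept and never match."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_lookup):
    """How many times the password appears in the corpus (0 = not found).
    `range_lookup(prefix)` returns the response body for that prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def fetch_range(prefix):
    """Live lookup against the API. Add-Padding asks the server to pad the
    response so its size does not reveal the prefix to an on-path observer."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the body of GET /range/5BAA6 (the prefix of
# SHA-1("password")). Counts are invented; the last line mimics padding.
SAMPLE_RANGE_5BAA6 = """
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
003D68EB55068C33ACE09247EE4C639306B:3
0123456789ABCDEF0123456789ABCDEF012:0
"""
OFFLINE_RANGES = {"5BAA6": SAMPLE_RANGE_5BAA6}


def offline_lookup(prefix):
    """Offline substitute for fetch_range using the constructed sample."""
    return OFFLINE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw, offline_lookup)} times")
```

To check against the real corpus, pass `fetch_range` instead of `offline_lookup`. A non-zero count is exactly the condition that makes an account stuffable; the same check belongs in a service’s password-change flow so that a password found in a dump is rejected before it can be reused.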

Source: Over 500,000 Zoom accounts sold on hacker forums, the dark web

Medical Device ‘Jailbreak’ Could Help Solve the Dangerous Shortage of Ventilators

Security researcher Trammell Hudson analyzed the AirSense 10 — the world’s most widely used CPAP — and made a startling discovery. Although its manufacturer says the AirSense 10 would require “significant rework to function as a ventilator,” many ventilator functions were already built into the device firmware. Its manufacturer, ResMed, says the $700 device solely functions as a continuous positive airway pressure machine used to treat sleep apnea. It does this by funneling air into a mask. ResMed says the device can’t work as a bilevel positive airway pressure device, which is a more advanced machine that pushes air into a mask and then pulls it back out. With no ability to work in both directions or increase the output when needed, the AirSense 10 can’t be used as the type of ventilator that could help patients who are struggling to breathe. After reverse-engineering the firmware, Hudson says the ResMed claim is simply untrue.

To demonstrate his findings, Hudson on Tuesday is releasing a patch that he says unlocks the hidden capabilities buried deep inside the AirSense 10. The patch is dubbed Airbreak in a nod to jailbreaks that hobbyists use to remove technical barriers Apple developers erect inside iPhones and iPads. Whereas jailbreaks unlock functions that allow the installation of unauthorized apps and the accessing of log files and forensic data, Airbreak allows the AirSense 10 to work as a bilevel positive airway pressure machine, a device that many people refer to as a BiPAP. “Our changes bring the AirSense S10 to near feature parity with BiPAP machines from the same manufacturer, boost the maximum pressure output available, and provide a starting point to add more advanced emergency ventilator functionality,” Hudson and other researchers wrote on their website disclosing the findings. The researchers say Airbreak isn’t ready to be used on any device to treat a patient suffering from COVID-19 — it’s simply to prove that the AirSense 10 does have the ability to provide emergency ventilator functions, and to push ResMed to release its own firmware update that unlocks the ventilator functions.

Source: Medical Device ‘Jailbreak’ Could Help Solve the Dangerous Shortage of Ventilators – Slashdot

It’s nice to say this, but the respiration functions on the Airsense are probably not medically validated and thus not necessarily safe to use. When does fairly safe become acceptable in an emergency?

Apple: We respect your privacy so much we’ve revealed a little about what we can track when you use Maps

Apple has released a set of “Mobility Trends Reports” – a trove of anonymised and aggregated data that describes how people have moved around the world in the three months from 13 January to 13 April.

The data measures walking, driving and public transport use. And as you’d expect and as depicted in the image atop this story, human movement dropped off markedly as national coronavirus lockdowns came into effect.

Apple has explained the source of the data as follows:

This data is generated by counting the number of requests made to Apple Maps for directions in select countries/regions and cities. Data that is sent from users’ devices to the Maps service is associated with random, rotating identifiers so Apple doesn’t have a profile of your movements and searches. Data availability in a particular country/region or city is subject to a number of factors, including minimum thresholds for direction requests made per day.

Apple justified the release by saying it thinks it’ll help governments understand what its citizens are up to in these viral times. The company has also said this is a limited offer – it won’t be sharing this kind of analysis once the crisis passes.

But the data is also a peek at what Apple is capable of. And presumably also what Google, Microsoft, Waze, Mapquest and other spatial services providers can do too. Let’s not even imagine what Facebook could produce.

Source: Apple: We respect your privacy so much we’ve revealed a little about what we can track when you use Maps • The Register

‘Crime against humanity’: Trump (the man who mismanaged Corona most in!) condemned for WHO funding freeze

Leading health experts have labelled Donald Trump’s decision to cut funding to the World Health Organization (WHO) as a “crime against humanity” and a “damnable” act that will cost lives.

The move also drew a rebuke from the head of the United Nations, who said the WHO was “absolutely critical to the world’s efforts to win the war against Covid-19”.

Late on Tuesday Trump declared US funding would be put on hold for 60-90 days pending a review “to assess the World Health Organization’s role in severely mismanaging and covering up the spread of the coronavirus”. The US is the single largest contributor to the WHO.

Richard Horton, the editor-in-chief of the Lancet medical journal, wrote that Trump’s decision was “a crime against humanity … Every scientist, every health worker, every citizen must resist and rebel against this appalling betrayal of global solidarity.”

Antonio Guterres, the UN secretary general, said it was “not the time” to cut funding or to question errors. “Once we have finally turned the page on this epidemic, there must be a time to look back fully to understand how such a disease emerged and spread its devastation so quickly across the globe, and how all those involved reacted to the crisis,” said Guterres.

“The lessons learned will be essential to effectively address similar challenges, as they may arise in the future. But now is not that time … It is also not the time to reduce the resources for the operations of the World Health Organization or any other humanitarian organization in the fight against the virus.”

Echoing Guterres’s plea, Dr Amesh Adalja, a senior scholar at the Johns Hopkins University Center for Health Security, said the WHO did make mistakes and may need reform but that work needed to take place after the crisis had passed. “It’s not the middle of a pandemic that you do this type of thing,” he said.

Dr Nahid Bhadelia, an infectious disease doctor and associate professor at Boston University’s school of medicine, said the cut was “an absolute disaster. WHO is a global technical partner, the platform through which sovereign countries share data/technology, our eyes on the global scope of this pandemic.”

Laurie Garrett, a former senior fellow of the Council on Foreign Relations, said the decision was a “damnable” act by a “spiteful” Trump and would cost lives. “Meanwhile, WHO is the only lifeline most African, Latin American and Asia Pacific nations have.”

Lawrence Gostin, the director of the WHO centre on public health and human rights, predicted the US would ultimately lose out because other countries would step into the vacuum with increased funding. “In global health and amidst a pandemic, America will lose its voice,” said Gostin.

The WHO has come under fire over some aspects of its handling of the pandemic, and has been accused of being too deferential to China, considering the Communist party’s early suppression of information and punishment of whistleblowers. Much of the focus of the criticism has been on a 14 January tweet from the WHO that said “preliminary investigations conducted by the Chinese authorities have found no clear evidence of human-to-human transmission”. But WHO officials also told their counterparts in technical briefings on 10 and 11 January, and briefed the press on 14 January, that human-to-human transmission was a strong possibility given the experience of past coronavirus epidemics and urged suitable precautions.

The WHO has also been attacked over its continuing exclusion of Taiwan from membership because Beijing considers it to be Chinese territory. Trump’s decision to cut funding was welcomed in some quarters, including by the Hong Kong democracy activist Joshua Wong, who called the WHO an “arm of Chinese diplomacy”.

Trump’s pronouncement came amid sustained criticism of his failure to prepare for the epidemic, which has infected more than 600,000 people and killed more than 24,000 inside his country. The US is the worst affected country in the world in terms of infection numbers. On Wednesday it was reported that $1,200 relief cheques for as many as 70 million people could be delayed for several days because Trump wanted his name printed on them.

Source: ‘Crime against humanity’: Trump condemned for WHO funding freeze | World news | The Guardian

Foreign Spies Target Zoom, U.S. Intel Officials Say

As much of the world works from home, an explosion of video conference calls has provided a playground not just for Zoombombers, phishermen and cybercriminals, but also for spies. Everyone from top business executives to government officials and scientists are using conferencing apps to stay in touch during the new coronavirus lockdowns and U.S. counterintelligence agencies have observed the espionage services of Russia, Iran, and North Korea attempting to spy on Americans’ video chats, three U.S. intelligence officials tell TIME.

But the cyberspies that have moved fastest and most aggressively during the pandemic, the intelligence officials say, have been China’s. “More than anyone else, the Chinese are interested in what American companies are doing,” said one of the three. And that, in turn, has some U.S. counterintelligence officials worrying about one video conference platform in particular: Zoom. While the Chinese, Russians, and others are targeting virtually every tool Americans and others are using now that they’re forced to work from home, Zoom is an attractive target, especially for China, the intelligence officials and internet security researchers say.

Source: Foreign Spies Target Zoom, U.S. Intel Officials Say | Time

Redox-Flow Cell Stores Renewable Energy as Hydrogen

The solution, some propose, is to store energy chemically—in the form of hydrogen fuel—rather than electrically. This involves using devices called electrolyzers that make use of renewable energy to split water into hydrogen and oxygen gas.

“Hydrogen is a very good carrier for this type of work,” says Wei Wang, who is the chief scientist for stationary energy storage research at the Pacific Northwest National Laboratory in Washington. It’s an efficient energy carrier, and can be easily stored in pressurized tanks. When needed, the gas can then be converted back into electrical energy via a fuel cell and fed into the grid.

But water electrolyzers are expensive. They work under acidic conditions which require corrosion-resistant metal plates and catalysts made from precious metals such as titanium, platinum, and iridium. “Also, the oxygen electrode isn’t very efficient,” says Kathy Ayers, vice-president of R&D at Nel Hydrogen, an Oslo-based company that specializes in hydrogen production and storage. “You lose about 0.3 volts just from the fact that you’re trying to convert water to oxygen or vice versa,” she says. Splitting a water molecule requires 1.23 V of energy.

In a bid to overcome this problem, Nel Hydrogen and Wang’s team at Pacific Northwest joined forces in 2016, after receiving funding from the U.S. Department of Energy’s Advanced Research Projects Agency-Energy. The solution they’ve come up with is a fuel cell that acts as both a battery and hydrogen generator.

“We call it a redox-flow cell because it’s a hybrid between a redox-flow battery and a water electrolyzer,” explains Wang.

A redox-flow battery, in essence a reversible fuel cell, is typically made up of a positive and negative electrolyte stored in two separate tanks. When the liquids are pumped into the battery cell stack situated between the tanks, a redox reaction occurs, and generates electricity at the battery’s electrodes.

By comparison, the new invention has only one electrolyte, comprised of an iron salt (rather than the more commonly used vanadium) dissolved in acid. When hydrogen ions react with the iron salt (Fe2+), hydrogen gas is produced at the platinum-coated carbon cathode in the battery stack.

“We introduce iron as a middleman, so we can separate electrolysis into two reactions,” says Wang. Doing so allows one to control where and when to reverse the reaction to produce electrical energy to supply to the grid. “The system gives you flexibility… you could do the regeneration during evening time when electricity prices are at a peak,” he says.

Regenerating Fe2+ in the reverse reaction also allows for the continuous production of hydrogen gas, he says. “And because the hydrogen-iron cell uses about half the voltage of a traditional electrolyzer, you can generate hydrogen at a much cheaper cost if you do everything right.”

It also helps that iron is much cheaper and more abundant compared with vanadium.

Qing Wang, a materials scientist at the National University of Singapore, sees another benefit. “If you care more about purity and want to have ultra-pure hydrogen, then maybe it’s a good solution,” he says. Cross-contamination can sometimes occur during electrolysis because the hydrogen and oxygen gases produced are so small that they are able to traverse the membrane separator.

The new redox-flow cell performed well in lab tests, exhibiting a charge capacity of up to one ampere per square centimeter, a ten-fold increase over normal flow batteries. It was also able to withstand “several hundred cycles” of charging, which has never been demonstrated before in hydrogen ion flow batteries, says Wang, who has a number of patents for the invention, with a few more pending.

While the PNNL team experimented on a single cell measuring 10 square centimeters, Ayers and her colleagues at Nel Hydrogen proved that the technology could work even when scaled up to a five-cell stack measuring 100 square centimeters. They plan to spend the next few months fine-tuning the system and eliminating kinks, such as how to minimize damage to the pumps caused by the acidic electrolyte, before commercializing it.

Source: Redox-Flow Cell Stores Renewable Energy as Hydrogen – IEEE Spectrum

ICANN suffers split-personality disorder as deadline for .org sale decision draws close

With just seven days left until it has to make a decision on the $1.13bn sale of the .org registry to a private equity firm, DNS overseer ICANN appears in chaos.

In a series of communications from senior executives, ICANN has embarked on a public negotiation with potential buyer Ethos Capital over the sale of the domain, while at the same time aggressively questioning its corporate structure.

A blog post from ICANN’s CEO Goran Marby late last week highlighted revised “public interest commitments” (PICs) that Ethos Capital had published as a way to resolve ongoing concerns over the sale, and gave the clear signal that ICANN is intending to approve the deal on April 20.

There has been a clear negotiation between the two sides: Marby’s post came one day after an email from Ethos’ lawyer (since published [PDF]) noted that the new changes were in direct response to a letter from ICANN sent just a few days earlier. “In making these changes, they specifically focused on changes that go to the clarity and enforceability of the PICs as you mentioned,” Ethos noted.

At the same time as it is moving forward on a deal, however, ICANN continues to dig [PDF] into Ethos Capital’s unusual corporate structure: something that critics say is no more than a corporate shell game designed to hide the true owners of the company.

ICANN is also looking at its financing of the deal, which financial experts have warned is typical of a debt-leveraged buyout where a founding firm is saddled with debt after the financiers walk away with a healthy profit.

Debt pile

“Can you please provide more detail on PIR’s current plans with respect to the repayment of the $360m term loan at the maturity date in light of Ethos Capital’s ten plus investment horizon for PIR?,” reads just one of dozens of pointed questions in a letter from ICANN to the company nominally in charge of .org, Public Interest Registry (PIR).

Another makes it plain that ICANN believes information is being hidden: “ICANN has specifically requested that PIR provide the entities and individuals that will ‘control’ PIR post-transaction as that is defined in PIR’s registry agreements. PIR has provided some information regarding share ownership but has not provided the specific information regarding ‘control’.”

There are no fewer than six different companies involved on the Ethos side of the transaction, all of them based in Delaware, a common base for shell companies, and all but one were incorporated on the same day, October 24, 2019.

In addition to Ethos Capital LLC, which was incorporated in May – the day after ICANN made it clear it was planning to remove price caps on .org domains in a decision worth tens of millions of dollars – there is also Ethos Purpose GP, LLC, and then four “Purpose Domains” companies: Purpose Domains Direct, Feeder, Holdings and Investments.

ICANN has asked for the directors of each of these companies and the structural connections between them, but from the published letters from Ethos and ICANN it is clear that Ethos has been withholding specific pieces of information.

Public interest

In addition to this mixed message, ICANN has still not outlined its decision-making process despite repeat calls from the internet community, including the world’s governments, to do so.

There is an obvious public interest in the sale of millions of .org domains but ICANN has repeatedly failed to say how or whether it will factor that in its decision. At a recent public meeting its general counsel failed to use the term “public interest” when discussing how a decision would be made; an omission that prompted the Governmental Advisory Committee (GAC) to pointedly note [PDF] that the ICANN Board had told it that “all options remain open and that the Board will consider the public interest in its decision-making.”

However, when PIR argued that ICANN only had grounds to reject the sale on issues of “security, reliability, or stability of services,” ICANN pushed back saying that it would not accept “any artificial restriction,” and noted “the obvious importance to the public interest of its operation.”

ICANN changes its tune, however, when other groups point to “public interest” as a key reason for denying the sale. In his most recent letter to the GAC [PDF], ICANN’s chair Maarten Botterman said that the organization “will apply a standard of reasonableness in making its determination on whether to provide or withhold its consent to the request.”

In a second sentence, he then notes that “the ICANN Board will continue to consider the public interest in all its decision-making using the totality of the information received.”

The difference between “apply” and “consider” is not lost on those watching the process; nor is the fact that ICANN has failed to define the term “reasonableness,” despite it now being the main factor of consideration.

[…]

Source: ICANN suffers split-personality disorder as deadline for .org sale decision draws close • The Register

Amazon hiring 75,000 more workers as demand rises due to coronavirus, after hiring 100k more last month

Amazon is hiring an additional 75,000 workers at its facilities, on top of the 100,000 new positions it created last month, the company said Monday.

In March, the company said it would hire additional warehouse and delivery workers across the country amid a surge in online shopping during the coronavirus outbreak. Since then, Amazon said it has hired more than 100,000 new employees and, as a result, is staffing up even more to help fulfill orders.

“We continue to see increased demand as our teams support their communities, and are going to continue to hire, creating an additional 75,000 jobs to help serve customers during this unprecedented time,” the company said.

As it continues to hire more workers, Amazon has also raised employees’ hourly pay and doubled overtime pay for warehouse workers. Through the end of April, warehouse and delivery workers can earn an additional $2 per hour in the U.S., 2 pounds per hour in the U.K., and approximately 2 euros per hour in many EU countries. Amazon currently pays $15 per hour or more in some areas of the U.S. for warehouse and delivery jobs.

Amazon has announced several benefits changes on top of the pay increases. The company has allowed workers to take unlimited unpaid time off and provides two weeks of paid leave for workers who tested positive for the virus or are in quarantine.

Amazon said it expects to continue investing in pay increases, benefits and safety improvements for warehouse and delivery workers. The company previously expected to spend $350 million on pay increases, but now estimates it will spend more than $500 million on those efforts.

Despite the pay increases and benefits changes, Amazon workers from at least three facilities have staged protests to call for the company to better protect workers amid the coronavirus outbreak. A dozen workers told CNBC they felt Amazon needed to provide employees with paid time off, among other concerns.

Source: Amazon hiring 75,000 more workers as demand rises due to coronavirus

Suspicious senate stock sale spurt spurs scrutiny scheme: This website tracks which shares US senators are unloading mid-pandemic

In the wake of reports last month that four US senators sold stocks shortly after a classified briefing on January 24 about the risk posed by the novel coronavirus, Timothy Carambat, a mechanical and software engineer, created a website to make stock sales by every senator more visible.

In an email to The Register, Carambat, who runs a design firm based in Covington, Louisiana, called Industrial Object, explained he was motivated to create Senate Stock Watcher after news broke that Senators Richard Burr (R-NC), Dianne Feinstein (D-CA), James Inhofe (R-OK), and Kelly Loeffler (R-GA) had dumped stocks before most people in America understood the implications of the outbreak. It is illegal for senators to buy and sell shares using non-public information.

Burr, chairman of the Senate Intelligence Committee, has been sued for alleged securities fraud, a charge he has denied. It is said he unloaded up to $1.7m in stocks in mid-February, particularly in hotel groups that would be later hit hard by the virus pandemic, all while receiving daily confidential briefings about the impact of the bio-nasty – and reassuring the public everything would be fine.

“As public servants, there are some senators making alarmingly large money movements at what would seem to be very fortunate timing in the market,” Carambat said.

“I understand some senators were previously very accomplished businesspeople, but in my opinion, the level of access they have to information currently is highly privileged and it would only make sense to keep their own financial best interests at heart.”

Details about the stock sales in news reports prompted Carambat to look into the source of the data, which turned out to be the US Senate Financial Disclosures website.

Source: Suspicious senate stock sale spurt spurs scrutiny scheme: This website tracks which shares US senators are unloading mid-pandemic • The Register

Twitter Obliterates Its Users’ Privacy Choices

The EFF’s staff technologist, also an engineer on Privacy Badger and HTTPS Everywhere, writes: Twitter greeted its users with a confusing notification this week. “The control you have over what information Twitter shares with its business partners has changed,” it said. The changes will “help Twitter continue operating as a free service,” it assured. But at what cost?

Twitter has changed what happens when users opt out of the “Allow additional information sharing with business partners” setting in the “Personalization and Data” part of its site. The changes affect two types of data sharing that Twitter does… Previously, anyone in the world could opt out of Twitter’s conversion tracking (type 1), and people in GDPR-compliant regions had to opt in. Now, people outside of Europe have lost that option. Instead, users in the U.S. and most of the rest of the world can only opt out of Twitter sharing data with Google and Facebook (type 2).
The article explains how last August Twitter discovered that its option for opting out of device-level targeting and conversion tracking “did not actually opt users out.” But after fixing that bug, “advertisers were unhappy. And Twitter announced a substantial hit to its revenue… Now, Twitter has removed the ability to opt out of conversion tracking altogether.”

While users in Europe are protected by GDPR, “users in the United States and everywhere else, who don’t have the protection of a comprehensive privacy law, are only protected by companies’ self-interest…” BoingBoing argues that Twitter “has just unilaterally obliterated all its users’ privacy choices, announcing the change with a dialog box whose only button is ‘OK.’”

Source: Twitter Accused of Obliterating Its Users’ Privacy Choices – Slashdot

Mozilla installs Scheduled Telemetry Task on Windows with Firefox 75 – if you had put telemetry on

Observant Firefox users on Windows who have updated the web browser to Firefox 75 may have noticed that the upgrade brought along with it a new scheduled task. The scheduled task is also added if Firefox 75 is installed on a Windows device.

The task’s name is Firefox Default Browser Agent and it is set to run once per day. Mozilla published a blog post on the official blog of the organization that provides information on the task and why it has been created.


According to Mozilla, the task has been created to help the organization “understand changes in default browser settings”. At its core, it is a Telemetry task that collects information and sends the data to Mozilla.

Here are the details:

  • The Task is only created if Telemetry is enabled. If Telemetry is set to off (in the most recently used Firefox profile), it is not created and thus no data is sent. The same is true for Enterprise telemetry policies if they are configured. Update: Some users report that the task is created while Telemetry was set to off on their machine.
  • Mozilla collects information “related to the system’s current and previous default browser setting, as well as the operating system locale and version”.
  • Mozilla notes that the data cannot be “associated with regular profile based telemetry data”.
  • The data is sent to Mozilla every 24 hours using the scheduled task.

Mozilla added the file default-browser-agent.exe to the Firefox installation folder on Windows which defaults to C:\Program Files\Mozilla Firefox\.

Firefox users have the following options if they don’t want the data sent to Mozilla:

  • Firefox users who opted out of Telemetry are fine; they don’t need to make any change, as the new Telemetry data is not sent to Mozilla. This applies to users who opted out of Telemetry in Firefox or used Enterprise policies to do so.
  • Firefox users who have Telemetry enabled can either opt-out of Telemetry or deal with the task/executable that is responsible.

Disable the Firefox Default Browser Agent task


Here is how you disable the task:

  1. Open Start on the Windows machine and type Task Scheduler.
  2. Open the Task Scheduler and go to Task Scheduler Library > Mozilla.
  3. There you should find listed the Firefox Default Browser Agent task.
  4. Right-click on the task and select Disable.
  5. Note: Nightly users may see the Firefox Nightly Default Browser Agent task there as well and may disable it.

The task won’t be executed anymore once it is disabled.
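The same audit and disable step from an elevated PowerShell prompt, as an added example that is not from the gHacks article. It assumes the task lives in the Task Scheduler’s Mozilla folder as described above and that the task name may carry an installation-specific suffix, which is why it matches on a wildcard; the Nightly task is caught by the same pattern.

```powershell
# Added example (not from the article): list and disable the
# "Firefox Default Browser Agent" scheduled task(s) described above.
# Assumptions: the tasks sit under '\Mozilla\' in the Task Scheduler
# library and the name may have a per-installation suffix, so match loosely.
$taskPath = '\Mozilla\'
$tasks = Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like '*Default Browser Agent*' }

if (-not $tasks) {
    Write-Host "No Default Browser Agent task found under $taskPath"
} else {
    foreach ($t in $tasks) {
        # Report what the task runs and when it last ran before touching it,
        # so the audit trail shows the state prior to the change.
        $info = Get-ScheduledTaskInfo -TaskName $t.TaskName -TaskPath $t.TaskPath
        $exe  = $t.Actions[0].Execute
        Write-Host ("{0}: state={1} lastRun={2} action={3}" -f `
            $t.TaskName, $t.State, $info.LastRunTime, $exe)

        if ($t.State -ne 'Disabled') {
            $t | Disable-ScheduledTask | Out-Null
            Write-Host "  -> disabled (matches steps 1-5 above)"
        }
    }
}

# The article names default-browser-agent.exe in the install folder;
# confirm the file is there and that its signature is intact, so a
# tampered or look-alike binary would stand out during the audit.
$agent = Join-Path $env:ProgramFiles 'Mozilla Firefox\default-browser-agent.exe'
if (Test-Path $agent) {
    Get-AuthenticodeSignature $agent |
        Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
}
```

Re-running the script after a Firefox update is worthwhile, since an installer can recreate or re-enable the task.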

Closing Words

The new Telemetry task is only introduced on Windows and runs only if Telemetry is enabled (which it is by default [NOTE: Is it? I don’t think so! It asks at install!]). Mozilla is transparent about the introduction, and while that is good, I’d have preferred it if the company had informed users about it in the browser after the upgrade to Firefox 75 or installation of the browser, and before the task is executed the first time.

Source: Mozilla installs Scheduled Telemetry Task on Windows with Firefox 75 – gHacks Tech News

Go to about:telemetry in Firefox to see what it’s collecting. In my case this was none, because when FF was installed it asked me whether I wanted it on or off and I said off.

Cannonball Record Broken During Coronavirus – 26 Hours 38 Minutes

Only a few months have passed since we reported that the New York-to-Los Angeles Cannonball record was broken. It’s allegedly been broken again. The 26 hour, 38 minute time—which beats the record set in November by more than 45 minutes—appears to be legitimate, according to Ed Bolian, a Cannonball insider and driver who set his own 28 hour, 50 minute record in 2013. Alex Roy, who set the first modern NYC-to-LA record in 2006, also said the new claim is credible based on his analysis of multiple sources.

“It was not me,” Bolian was quick to point out to Road & Track, eager to quell an Internet-generated rumor that perhaps he had been the one to pull it off.

All we know about this new set of scofflaws is that there were three, maybe four of them, and that they were driving a white 2019 Audi A8 sedan with a pair of red plastic marine fuel tanks ratchet-strapped into its trunk. They started at the Red Ball Garage in New York City at 11:15 pm on April 4, and ended less than 27 hours later at the Portofino Hotel & Marina in Redondo Beach, California, the traditional start and end points of a Cannonball attempt.

We also know that their timing was awful. It doesn’t seem likely that the new record-holders were keen to have news reach the public so soon, especially at a time when so many people are understandably on edge. But an exuberant friend posted a picture of the Audi on Facebook this week—situated among a number of other high-dollar cars, with its trunk open to show the auxiliary fuel tanks—along with the team’s alleged time. Within a day, hundreds of people had shared the post, and social media chat groups were abuzz with Cannonball aficionados offering up opinions on the matter.

Source: Cannonball Record Broken During Coronavirus – 26 Hours 38 Minutes

There’s some whining about it being in poor taste or something. Whatever.

The US Senate reportedly advised members to stop using Zoom

US senators have been advised not to use videoconferencing platform Zoom over security concerns, the Financial Times reports.

According to three people briefed on the matter, the Senate sergeant-at-arms – whose job it is to run law enforcement and security on the Capitol – told senators to find alternative methods for remote working, although he did not implement an outright ban.

With the coronavirus outbreak forcing millions to work from home, Zoom has seen a 1,900% increase in use between December and March to 200 million daily users. This has been accompanied by a string of bad press about its security and privacy practices, to the point where CEO Eric Yuan was forced to publicly apologize last week.

This week the company admitted to “mistakenly” routing data through China in a bid to secure more server space to deal with skyrocketing demand. “We failed to fully implement our usual geo-fencing best practices. As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect,” Yuan said.

The news sparked outrage among some senators, and Senate Democrat Richard Blumenthal called for the FTC to launch an investigation into the company.

“As Zoom becomes embedded in Americans’ daily lives, we urgently need a full & transparent investigation of its privacy and security,” the senator tweeted.

The slew of privacy issues has also prompted the Taiwanese government to ban its officials from using Zoom, and Google banned use of the app on work computers due to its “security vulnerabilities.”

While the Senate has told its members to stay away from Zoom, the Pentagon told the FT that it would continue to allow its staff to use the platform. A memo sent to top cybersecurity officials from the Department of Homeland Security said that the company was being responsive when questioned about concerns over the security of its software, Reuters reported.

Source: The US Senate reportedly advised members to stop using Zoom

Singapore stops teachers using Zoom app after ‘very serious incidents’ (Zoom bombing)

Singapore has suspended the use of video-conferencing tool Zoom by teachers after “very serious incidents” in the first week of a coronavirus lockdown that has seen schools move to home-based learning.

FILE PHOTO: Zoom logo is seen in front of displayed coronavirus disease (COVID-19) in this illustration taken March 19, 2020. REUTERS/Dado Ruvic/Illustration

One incident involved obscene images appearing on screens and strange men making lewd comments during the streaming of a geography lesson with teenage girls, media said.

Zoom Video Communications Inc (ZM.O) has faced safety and privacy concerns over its conferencing app, use of which has surged in offices and schools worldwide after they shut to try and curb virus infections.

“These are very serious incidents,” Aaron Loh of the education ministry’s technology division said on Friday, without giving details.

“The Ministry of Education (MOE) is currently investigating both breaches and will lodge a police report if warranted.

“As a precautionary measure, our teachers will suspend their use of Zoom until these security issues are ironed out.”

Loh said the ministry would further advise teachers on security protocols, such as requiring secure log-ins and not sharing the meeting link beyond the students in the class.

Source: Singapore stops teachers using Zoom app after ‘very serious incidents’ – Reuters

After 50 Years of Effort, Researchers Made Silicon Emit Light, could improve computer speeds vastly

Modern transistors, which function as a computer’s brain cells, are only a few atoms long. If they are packed too tightly, that can cause all sorts of problems: electron traffic jams, overheating, and strange quantum effects. One solution is to replace some electronic circuits with optical connections that use photons instead of electrons to carry data around a chip. There’s just one problem: Silicon, the main material in computer chips, is terrible at emitting light.

Now, a team of European researchers says they have finally overcome this hurdle. On Wednesday, a research team led by Erik Bakkers, a physicist at Eindhoven University of Technology in the Netherlands, published a paper in Nature that details how they grew silicon alloy nanowires that can emit light. It’s a problem that physicists have grappled with for decades, but Bakkers says his lab is already using the technique to develop a tiny silicon laser that can be built into computer chips. Integrating photonic circuits on conventional electronic chips would enable faster data transfer and lower energy consumption without raising the chip’s temperature, which could make it particularly useful for data-intensive applications like machine learning.

“It’s a big breakthrough that they were able to demonstrate light emission from nanowires made of a silicon mixture, because these materials are compatible with the fabrication processes used in the computer chip industry,” says Pascal Del’Haye, who leads the microphotonics group at the Max Planck Institute for the Science of Light and was not involved in the research. “In the future, this might enable the production of microchips that combine both optical and electronic circuits.”

Source: After 50 Years of Effort, Researchers Made Silicon Emit Light | WIRED

Stanislascollege Pijnacker also stops using Zoom because of ‘images that are unacceptable’: porn and a Hitler moustache during German class

PIJNACKER – The Stanislascollege in Pijnacker is stopping the use of the video app Zoom for giving online lessons with immediate effect. The school has received multiple reports from pupils, parents and teachers that images or texts that are unacceptable were shown during lessons.

On Wednesday the Erasmus College in Zoetermeer also decided to stop using Zoom immediately, after pupils were shown pornographic images during an online lesson. The Stanislascollege has six schools, spread across Delft, Pijnacker and Rijswijk.

‘In most cases the images or texts appear to have been shown by persons who are not connected to the school and who gained unlawful access to the lesson’, the school writes in a letter to parents.

Hitler moustache during German class

According to regional director Fons Loogman of Stichting Lucas Onderwijs, which the Stanislascollege falls under, there have been minor incidents. ‘Pupils forward an invitation link to third parties, who can then also watch the lesson; you have no control over that. For example, during a German lesson a Hitler salute or a Hitler moustache was shown at some point.’

The incident with pornographic images in Zoetermeer, however, was what decided the school in Pijnacker to stop using Zoom. ‘In addition, over the past week we had already been alerted to reports from the IT world that Zoom is not secure. For instance, they collect information, there are insecure security structures and it is easy to hack’, says Loogman.

Source: Stanislascollege Pijnacker also stops using Zoom because of ‘images that are unacceptable’ – Omroep West

Porn during an online lesson at a Zoetermeer school, so they are stopping with Zoom

ZOETERMEER – Pupils in a class at the Erasmus College in Zoetermeer were shown pornographic images on Wednesday morning during a lesson via the video app Zoom. The school has immediately stopped using Zoom.

‘We understand that you are terribly shocked’, the school writes in an email to the pupils concerned. ‘We have of course immediately stopped all Zoom lessons and are going to look at another method for teaching at home.’

Director Roderik Rot confirms that pornographic images were shown and that all lessons have been stopped for that reason. ‘Yes, there was one class where that briefly happened.’ Rot cannot say how many pupils were involved: ‘A class never consists of more than thirty pupils, and usually not all pupils are present at these online lessons.’ When asked which lesson it was, he declined to answer for privacy reasons. The school offered pupils the option of contacting a support team if they wished, but as far as is known nobody has made use of it.

Online lessons stopped

The Erasmus College has therefore now stopped using Zoom immediately. According to Rot, the school had already set this in motion. An external privacy adviser had already said that Zoom could be used under strict conditions, but that he nevertheless recommended other programs. ‘So yesterday we informed all the parents that we are going to switch to something else. And that we are busy working on that.’

[…]

IDs shared insecurely

According to the Delft cybersecurity company Fox-IT, it is unlikely that Zoom itself has been hacked. Security expert Sanne Maasakkers: ‘Zoom is a very large software company where many people work on security every day.’ According to Maasakkers, it is more plausible that invitation codes ended up in the hands of people who were not invited to the meeting.

Every participant receives such an ID. If it is not protected with a password, outsiders can break into a Zoom meeting, which is much harder with a password, unless a participant has been hacked themselves.

Source: Porn during an online lesson at a Zoetermeer school: ‘Unlikely that Zoom has been hacked’ – Omroep West

No, it hasn’t really been ‘hacked’ in the sense that its security is so bad that you can simply enter an ID and randomly send porn to it.

Trump signs executive order to support moon mining, tap asteroid resources

The water ice and other lunar resources that will help the United States establish a long-term human presence on the moon are there for the taking, the White House believes.

President Donald Trump signed an executive order today (April 6) establishing U.S. policy on the exploitation of off-Earth resources. That policy stresses that the current regulatory regime — notably, the 1967 Outer Space Treaty — allows the use of such resources.

This view has long held sway in U.S. government circles. For example, the United States, like the other major spacefaring nations, has not signed the 1979 Moon Treaty, which stipulates that non-scientific use of space resources be governed by an international regulatory framework. And in 2015, Congress passed a law explicitly allowing American companies and citizens to use moon and asteroid resources.

The new executive order makes things even more official, stressing that the United States does not view space as a “global commons” and sees a clear path to off-Earth mining, without the need for further international treaty-level agreements.

The executive order, called “Encouraging International Support for the Recovery and Use of Space Resources,” has been in the works for about a year, a senior administration official said during a teleconference with reporters today. The order was prompted, at least in part, by a desire to clarify the United States’ position as it negotiates with international partners to help advance NASA’s Artemis program for crewed lunar exploration, the official added. (Engagement with international partners remains important, the official said.)

Artemis aims to land two astronauts on the moon in 2024 and to establish a sustainable human presence on and around Earth’s nearest neighbor by 2028. Lunar resources, especially the water ice thought to be plentiful on the permanently shadowed floors of polar craters, are key to Artemis’ grand ambitions, NASA officials have said.

The moon is not the final destination for these ambitions, by the way. Artemis is designed to help NASA and its partners learn how to support astronauts in deep space for long stretches, lessons that will be key to putting boots on Mars, which NASA wants to do in the 2030s.

“As America prepares to return humans to the moon and journey on to Mars, this executive order establishes U.S. policy toward the recovery and use of space resources, such as water and certain minerals, in order to encourage the commercial development of space,” Scott Pace, deputy assistant to the president and executive secretary of the U.S. National Space Council, said in a statement today.

President Trump has shown considerable interest in shaping U.S. space policy. In December 2017, for example, he signed Space Policy Directive-1, which laid the groundwork for the Artemis campaign. Two other directives have aimed to streamline commercial space regulation and the protocols for space traffic control. And Space Policy Directive-4, which the president signed in February 2019, called for the creation of the Space Force, the first new U.S. military branch since the Air Force was stood up in 1947.

Source: Trump signs executive order to support moon mining, tap asteroid resources | Space

Attackers can bypass fingerprint authentication with an ~80% success rate

For decades, the use of fingerprints to authenticate users to computers, networks, and restricted areas was (with a few notable exceptions) mostly limited to large and well-resourced organizations that used specialized and expensive equipment. That all changed in 2013 when Apple introduced TouchID. Within a few years, fingerprint-based validation became available to the masses as computer, phone, and lock manufacturers added sensors that gave users an alternative to passwords when unlocking the devices.

Although hackers managed to defeat TouchID with a fake fingerprint less than 48 hours after the technology was rolled out in the iPhone 5S, fingerprint-based authentication over the past few years has become much harder to defeat. Today, fingerprints are widely accepted as a safe alternative over passwords when unlocking devices in many, but not all, contexts.

A very high probability

A study published on Wednesday by Cisco’s Talos security group makes clear that the alternative isn’t suitable for everyone—namely those who may be targeted by nation-sponsored hackers or other skilled, well-financed, and determined attack groups. The researchers spent about $2,000 over several months testing fingerprint authentication offered by Apple, Microsoft, Samsung, Huawei, and three lock makers. The result: on average, fake fingerprints were able to bypass sensors at least once roughly 80 percent of the time.

The percentages are based on 20 attempts for each device with the best fake fingerprint the researchers were able to create. While Apple products limit users to five attempts before asking for the PIN or password, the researchers subjected the devices to 20 attempts (that is, multiple groups of one or more attempts). Of the 20 attempts, 17 were successful. Other products tested permitted significantly more or even an unlimited number of unsuccessful tries.

Tuesday’s report was quick to point out that the results required several months of painstaking work, with more than 50 fingerprint molds created before getting one to work. The study also noted that the demands of the attack—which involved obtaining a clean image of a target’s fingerprint and then getting physical access to the target’s device—meant that only the most determined and capable adversaries would succeed.

“Even so, this level of success rate means that we have a very high probability of unlocking any of the tested devices before it falls back into the PIN unlocking,” Talos researchers Paul Rascagneres and Vitor Ventura wrote. “The results show fingerprints are good enough to protect the average person’s privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication.”

Source: Attackers can bypass fingerprint authentication with an ~80% success rate | Ars Technica

Google Bans Zoom Videoconferencing Software From Employees’ Computers

Google has banned the popular videoconferencing software Zoom from its employees’ devices, BuzzFeed News has learned. Zoom, a competitor to Google’s own Meet app, has seen an explosion of people using it to work and socialize from home and has become a cultural touchstone during the coronavirus pandemic.

Last week, Google sent an email to employees whose work laptops had the Zoom app installed that cited its “security vulnerabilities” and warned that the videoconferencing software on employee laptops would stop working starting this week.

“We have long had a policy of not allowing employees to use unapproved apps for work that are outside of our corporate network,” Jose Castaneda, a Google spokesperson, told BuzzFeed News. “Recently, our security team informed employees using Zoom Desktop Client that it will no longer run on corporate computers as it does not meet our security standards for apps used by our employees. Employees who have been using Zoom to stay in touch with family and friends can continue to do so through a web browser or via mobile.”

Source: Google Bans Zoom Videoconferencing Software From Employees’ Computers

Germany Flies in Seasonal Farm Workers Amid COVID-19 Efforts – yeah I thought they wanted to keep out the immigrants or something?

Two planeloads of Eastern European farmhands arrived Thursday in Berlin and Duesseldorf amid strict precautions to protect the country from the new coronavirus, as an ambitious German program to import thousands of seasonal agricultural workers got underway.

Seasonal workers had been caught up in the country’s ban on travel after the outbreak of the coronavirus. That left a massive deficit in personnel available to pick asparagus, which has already sprouted, and plant other crops in German fields, where some 300,000 such workers were employed last year.

Most came from Eastern European countries such as Romania, Bulgaria, Ukraine, and Hungary, where wages are much lower than in Germany, which is Europe’s largest economy.

Under the new program, workers need to fly to the country in controlled groups — to prevent the possible infection of others en route — and are subject to medical checks upon arrival. They then must live and work separately from other farmhands for two weeks, and wear protective gear.

Announcing the program, Agriculture Minister Julia Kloecker said it was a “pragmatic and goal-oriented solution” that would allow up to 40,000 seasonal workers into the country in April, and another 40,000 in May. She said the hope was to find an additional 20,000 over the two months among Germany’s own unemployed, students or resident asylum seekers.

“This is important and good news for our farmers,” she said. “Because the harvest doesn’t wait and you can’t delay sowing the fields.”

Ahead of time, interested workers have to register online and have their information checked by federal police. Farmers needing help register online with Eurowings, the airline contracted to bring the workers in, saying when they’re needed and where.

So far, 9,900 people had registered for April and another 4,300 for May.

Flights are then organized to bring in groups, and the first group of workers, 530 people from Romania, arrived on Thursday in Duesseldorf and Berlin, Eurowings said. Further flights were already planned to Duesseldorf, Karlsruhe, Leipzig, Nuremberg and Frankfurt.

Source: Germany Flies in Seasonal Farm Workers Amid COVID-19 Efforts | Time

Rocket Lab proves it can recover a rocket in mid-air by catching it with a helicopter

Last year, Rocket Lab announced that it would attempt to reuse the first stage of its Electron rocket. The company’s goal is to catch the stage as it falls back towards the ocean by plucking it out of mid-air with a helicopter. While that’s ambitious, a video released today shows that Rocket Lab may not be too far off. The clip shows one helicopter dropping an Electron test stage and another hooking the stage’s parachute with a grappling hook and towing it back to land.

Rocket Lab pulled off this stunt in early March. One helicopter dropped the Electron test stage over open ocean in New Zealand. A second helicopter caught it, on the first attempt, at around 5,000 feet.

Next, Rocket Lab will attempt to recover a full Electron first stage following a launch. It won’t pull that from the air but will retrieve the rocket stage after it lands in the ocean. A parachute will help slow its descent, and like previous versions, it will include instrumentation to “inform future recovery efforts.” That mission is planned for late 2020.

Of course, catching a rocket stage after an actual launch is a lot different than catching one that’s dropped neatly by a helicopter. But the feat is a key milestone, as Rocket Lab’s plans to reuse the rockets depend on this recovery method. If it’s successful, Rocket Lab will be able to lower costs, and in theory, that may lead to more launches.

Source: Rocket Lab proves it can recover a rocket in mid-air | Engadget

Easy-to-pick “smart” locks gush personal data, FTC finds

A padlock—whether it uses a combination, a key, or “smart” tech—has exactly one job: to keep your stuff safe so other people can’t get it. Tapplock, Inc., based in Canada, produces such a product. The company’s locks unlock with a fingerprint or an app connected by Bluetooth to your phone. Unfortunately, the Federal Trade Commission said, the locks are full of both digital and physical vulnerabilities that leave users’ stuff, and data, at risk.

The FTC’s complaint (PDF) against Tapplock, released Monday, basically alleges that the company misrepresented itself, because it marketed its products as secure and tested when they were neither. A product—any product—simply being kind of crappy doesn’t necessarily fall under the FTC’s purview. Saying untrue things about your product in your advertisement or privacy policy, however, will make the commission very unhappy with you indeed.

“We allege that Tapplock promised that its Internet-connected locks were secure, but in fact the company failed to even test if that claim was true,” Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said in a written statement. “Tech companies should remember the basics—when you promise security, you need to deliver security.”

Tapplock’s advertisements say its flagship product, the Tapplock One, can store up to 500 user fingerprints and can be connected to an “unlimited” number of devices through the app—a design optimized for something many people need to be able to access and for which handing off a physical key is impractical. To make the $99 lock work, Tapplock collects a great deal of personal information on its users, including usernames, email addresses, profile photos, location history, and the precise location of a user’s lock.

[…]

The lock may be built with “7mm reinforced stainless steel shackles, strengthened by double-layered lock design with anti-shim and anti-pry technologies,” as Tapplock’s website promises, but according to the FTC, perhaps it should have considered anti-screwdriver technologies. As it turns out, a researcher was able to unlock the lock “within a matter of seconds” by unscrewing the back panel. Oops.

The complaint also pointed to several “reasonably foreseeable” software vulnerabilities that the FTC alleges Tapplock could have avoided if the company “had implemented simple, low-cost steps.”

One vulnerability security researchers identified allowed a user to bypass the account authentication process entirely in order to gain full access to the account of literally any Tapplock user, including their personal information. And how could this happen? “A researcher who logged in with a valid user credential could then access another user’s account without being re-directed back to the login page, thereby allowing the researcher to circumvent Respondent’s authentication procedures altogether,” the complaint explains.

A second vulnerability allowed researchers the ability to access and unlock any lock they could get close enough to with a working Bluetooth connection. That’s because Tapplock “failed to encrypt the Bluetooth communication between the lock and the app,” leaving the data wide open for the researchers to discover and replicate.

The third vulnerability outlined in the complaint also has to do with a failure to secure communication data. That app that allows “unlimited” connections? The primary owner can of course add and revoke authorized users from the lock. But someone whose access was revoked could still access the lock because the vulnerability allowed for sniffing out the relevant data packets.

How’d this happen?

And how did Tapplock fail to discover any of these weaknesses? Because the company did not have a security program prior to the third-party researchers’ discoveries, the FTC alleges.

Source: Easy-to-pick “smart” locks gush personal data, FTC finds | Ars Technica