The Linkielist

Linking ideas with the world

Details of 44m Pakistani mobile users leaked online, part of bigger 115m cache

The details of 44 million Pakistani mobile subscribers have leaked online this week, ZDNet has learned.

The leak comes after a hacker tried to sell a package containing 115 million Pakistani mobile user records last month for a price of $2.1 million in bitcoin.

ZDNet has obtained copies of both data sets. We received the entire 44 million records released online today, but we also received a sample of 55 million user records that were part of the 115 million data dump. Based on the data sets, we can conclude that the two are the same.

According to our analysis of the leaked files, the data contained both personally-identifiable and telephony-related information. This includes the likes of:

  • Customer full names
  • Home addresses (city, region, street name)
  • National identification (CNIC) numbers
  • Mobile phone numbers
  • Landline numbers
  • Dates of subscription

The data included details for both Pakistani home users and local companies alike.

Details for companies matched public records and public phone numbers listed on companies’ websites. In addition, ZDNet also verified the validity of the leaked data with multiple Pakistani users.
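How an analyst can conclude that two leaked data sets are the same, without keeping a pile of raw identifiers around to do it, is worth showing. The block below is an added example and not ZDNet's method or code: it normalises the CNIC and mobile fields of two constructed sample files (made-up names, addresses and numbers; the differing delimiters, header names and number formats are assumptions about how two such dumps might differ), replaces each record with an HMAC-SHA256 of the normalised identifiers under a per-analysis secret, and reports how much of one set is contained in the other.

```python
import csv
import hashlib
import hmac
import io
import re

# Constructed sample rows (fake names, addresses and numbers; nothing from the real leak).
# The two files use different delimiters, headers and number formats on purpose.
DUMP_44M = """\
Name,Address,CNIC,Mobile,Landline,Subscribed
Test Person A,House 1 Street 1 Lahore,00000-0000000-1,03000000001,0420000001,2015-01-01
Test Person B,House 2 Street 2 Karachi,00000-0000000-2,0300 0000002,0210000002,2016-02-02
Test Person C,House 3 Street 3 Quetta,00000-0000000-3,+92 300 0000003,0810000003,2017-03-03
"""

SAMPLE_115M = """\
name;address;cnic;mobile;landline;date
TEST PERSON A;House 1 Street 1 Lahore;0000000000001;+923000000001;0420000001;2015-01-01
Test Person C;House 3 Street 3 Quetta;00000-0000000-3;03000000003;0810000003;2017-03-03
Test Person D;House 4 Street 4 Peshawar;00000-0000000-4;03000000004;0910000004;2018-04-04
"""

NON_DIGITS = re.compile(r"\D+")


def normalize_cnic(raw: str) -> str:
    """CNIC as 13 bare digits, ignoring the dashes of the printed 5-7-1 layout."""
    digits = NON_DIGITS.sub("", raw)
    if len(digits) != 13:
        raise ValueError(f"unexpected CNIC format: {raw!r}")
    return digits


def normalize_msisdn(raw: str) -> str:
    """Mobile number as 11 national digits (0XXXXXXXXXX), folding a +92/92 prefix."""
    digits = NON_DIGITS.sub("", raw)
    if len(digits) == 12 and digits.startswith("92"):
        digits = "0" + digits[2:]
    if len(digits) != 11 or not digits.startswith("0"):
        raise ValueError(f"unexpected mobile format: {raw!r}")
    return digits


def record_key(secret: bytes, cnic: str, mobile: str) -> str:
    """Keyed hash of the identifying fields: the comparison artefact holds no raw PII
    and cannot be enumerated by anyone who does not hold the per-analysis secret."""
    msg = (normalize_cnic(cnic) + "|" + normalize_msisdn(mobile)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def load_keys(text: str, delimiter: str, secret: bytes) -> set:
    """Parse one dump and return the set of keyed record hashes."""
    keys = set()
    for row in csv.DictReader(io.StringIO(text), delimiter=delimiter):
        # Header names differ between the files; match them case-insensitively.
        fields = {k.strip().lower(): v for k, v in row.items()}
        keys.add(record_key(secret, fields["cnic"], fields["mobile"]))
    return keys


def overlap(a: set, b: set) -> dict:
    """Overlap statistics: how much of b is already in a, plus the Jaccard index."""
    inter = len(a & b)
    union = len(a | b)
    return {
        "a": len(a),
        "b": len(b),
        "intersection": inter,
        "containment_of_b_in_a": inter / len(b) if b else 0.0,
        "jaccard": inter / union if union else 0.0,
    }


def compare_dumps(secret: bytes = b"per-analysis-secret-generate-fresh") -> dict:
    """Compare the constructed 44M-style dump with the constructed 115M-style sample."""
    a = load_keys(DUMP_44M, ",", secret)
    b = load_keys(SAMPLE_115M, ";", secret)
    return overlap(a, b)


if __name__ == "__main__":
    print(compare_dumps())
```

An unkeyed hash would not be enough here: a 13-digit CNIC or an 11-digit mobile number has so few possible values that a plain SHA-256 of either can be reversed by enumeration, so the hashes are keyed and the key is destroyed when the comparison is finished.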

Source: Details of 44m Pakistani mobile users leaked online, part of bigger 115m cache | ZDNet

Jet propulsion by microwave air plasma in the atmosphere: AIP Advances: Vol 10, No 5

We propose a prototype design of a propulsion thruster that utilizes air plasma induced by microwave ionization. Such a jet engine simply uses only air and electricity to produce high temperature and pressurized plasma for jet propulsion. We used a home-made device to measure the lifting force and jet pressure at various settings of microwave power and the air flow rate. We demonstrated that, given the same power consumption, its propulsion pressure is comparable to that of conventional airplane jet engines using fossil fuels. Therefore, such a carbon-emission free thruster could potentially be used as a jet thruster in the atmosphere.

[…]

In this report, we consider a microwave air plasma jet thruster using high-temperature and high-pressure plasma generated by a 2.45 GHz microwave ionization chamber for injected pressurized air. We propose a simple prototype plasma jet thruster that can generate approximately 10 N of thrust at 400 W using 0.5 l/s for the airflow, corresponding to the lifting force of 28 N/kW and a jet pressure of 2.4 × 10⁴ N/m². At a higher microwave power or greater airflow, propulsion forces and jet pressures comparable to those of commercial airplane jet engines can be achieved.

[…]

When high-power microwaves are generated using microwave sources arranged in parallel, more heat is also generated. At that point, the method of measuring the propulsive force with a steel ball is no longer applicable. How to deal with the impact of high temperature on the equipment and how to evaluate the driving force are challenges that require further research.

Source: Jet propulsion by microwave air plasma in the atmosphere: AIP Advances: Vol 10, No 5

No cookie consent walls — and no, scrolling isn’t consent, says EU data protection body

You can’t make access to your website’s content dependent on a visitor agreeing that you can process their data — aka a ‘consent cookie wall’. Not if you need to be compliant with European data protection law.

That’s the unambiguous message from the European Data Protection Board (EDPB), which has published updated guidelines on the rules around online consent to process people’s data.

Under pan-EU law, consent is one of six lawful bases that data controllers can use when processing people’s personal data.

But in order for consent to be legally valid under Europe’s General Data Protection Regulation (GDPR) there are specific standards to meet: It must be clear and informed, specific and freely given.

Hence cookie walls that demand ‘consent’ as the price for getting inside the club are not only an oxymoron but run into a legal brick wall.

No consent behind a cookie wall

The regional cookie wall has been crumbling for some time, as we reported last year — when the Dutch DPA clarified its guidance to ban cookie walls.

The updated guidelines from the EDPB look intended to hammer the point home. The steering body’s role is to provide guidance to national data protection agencies to encourage a more consistent application of data protection rules.

The EDPB’s intervention should — should! — remove any inconsistencies of interpretation on the updated points by national agencies of the bloc’s 27 Member States. (Though compliance with EU data protection law tends to be a process; aka it’s a marathon not a sprint, though on the cookie wall issues the ‘runners’ have been going around the tracks for a considerable time now.)

As we noted in our report on the Dutch clarification last year, the Interactive Advertising Bureau Europe (IAB Europe) was operating a full cookie wall, instructing visitors to ‘agree’ to its data processing terms if they wished to view the content.

The problem that we pointed out is that that wasn’t a free choice. Yet EU law requires a free choice for consent to be legally valid. So it’s interesting to note the IAB Europe has, at some point since, updated its cookie consent implementation — removing the cookie wall and offering a fairly clear (if nudged) choice to visitors to either accept or deny cookies for “aggregated statistics”…

As we said at the time the writing was on the wall for consent cookie walls.

The EDPB document includes a worked example to illustrate the salient point that consent cookie walls do not “constitute valid consent, as the provision of the service relies on the data subject clicking the ‘Accept cookies’ button. It is not presented with a genuine choice.”

It’s hard to get clearer than that, really.

Scrolling never means ‘take my data’

A second area to get attention in the updated guidance, as a result of the EDPB deciding there was a need for additional clarification, is the issue of scrolling and consent.

Simply put: Scrolling on a website or digital service can not — in any way — be interpreted as consent.

Or, as the EDPB puts it, “actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action” [emphasis ours].

Source: No cookie consent walls — and no, scrolling isn’t consent, says EU data protection body | TechCrunch

Google Lens can now copy and paste handwritten notes to your computer

Google has added a very useful feature to Google Lens, its multipurpose object recognition tool. You can now copy and paste handwritten notes from your phone to your computer with Lens, though it only works if your handwriting is neat enough.

In order to use the new feature, you need to have the latest version of Google Chrome as well as the standalone Google Lens app on Android or the Google app on iOS (where Lens can be accessed through a button next to the search bar). You’ll also need to be logged in to the same Google account on both devices.

That done, simply point your camera at any handwritten text, highlight it on-screen, and select copy. You can then go to any document in Google Docs, hit Edit, and then Paste to paste the text. And voila — or, viola, depending on your handwriting.

Copy and pasting with Google Lens.
Gif: Google

In our tests, the feature was pretty hit or miss. If you don’t write neatly, you’ll definitely get some typos. But it’s still a cool feature that’s especially useful at a time when a lot of people are now working from home and relying on endless to-do lists to bring some sense of order to their day.

Source: Google Lens can now copy and paste handwritten notes to your computer – The Verge

Researcher Discovers That Old Tesla Media Control Units Are Full Of Owner’s Private Data Even After A Factory Reset

There’s a hacker/security researcher with the Twitter handle GreenTheOnly who has been doing some interesting work with used Tesla parts. This time specifically, he acquired three Tesla Model 3 integrated media control units (MCU) and Autopilot (HW) units (known as the ICE computer, just for Models 3 and Y), and a Model X MCU unit. These were purchased off eBay and, despite having been reset, still held plenty of private owner information and passwords that Green found easily recoverable.

[…]

There are a number of reasons why Tesla owners may need to replace these units: adding Autopilot to an existing car, for example, or the data-logging issue that caused some early units to fail after a few years, as well as various other wear-and-tear and failure issues.

Once he had the units, Green found that there was a surprising amount of data still on them, from what appear to be debugging screenshots taken every time a Model 3 starts up:

…to far more compromising data, which he described to InsideEVs:

“…owner’s home and work location, all saved wi-fi passwords, calendar entries from the phone, call lists and address books from paired phones, Netflix and other stored session cookies.”

That’s a security hole big enough to drive a Model X through, even with the Falcon Doors stuck open. And, speaking of the Model X, the unit he got from that model was physically crushed, but data was still recoverable.

Green gave more details on his Twitter feed, clarifying that the Spotify passwords are stored as plain text, and that the Netflix and Gmail logins survive as stored session cookies.

The ability to recover calendar events and the owner’s phone book and call history is also a serious privacy breach.
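Why a “factory reset” leaves this material behind is easy to demonstrate with a toy flash image. The block below is an added example and is neither Green’s tooling nor anything Tesla ships: it builds a constructed image with a hypothetical 512-byte directory in front of three made-up files (a wpa_supplicant-style network block, a Netscape-format cookie line and a JSON credential), “resets” it two ways, and then carves both results with the kind of string patterns an examiner looks for. Every SSID, passphrase, cookie value, account name and the layout itself are invented.

```python
import re

DIR_SIZE = 512  # hypothetical fixed-size directory at the front of the image

# Constructed stand-ins for files an infotainment unit might keep. Every SSID,
# passphrase, cookie value and account below is made up.
FILES = {
    "wpa_supplicant.conf": (
        b'network={\n\tssid="Home-WiFi"\n\tpsk="correct horse battery staple"\n}\n'
    ),
    "cookies.txt": (
        b"# Netscape HTTP Cookie File\n"
        b".video.example\tTRUE\t/\tTRUE\t2000000000\tSessionId\tv%3D2%26ct%3DEXAMPLE\n"
    ),
    "music.json": b'{"username":"owner@example.com","password":"hunter2"}\n',
}


def build_image(files: dict) -> bytearray:
    """Directory (name,offset,length per line, NUL-padded) followed by the file payloads."""
    payload = bytearray()
    entries = []
    for name, body in files.items():
        entries.append(f"{name},{DIR_SIZE + len(payload)},{len(body)}")
        payload += body
    directory = "\n".join(entries).encode().ljust(DIR_SIZE, b"\0")
    return bytearray(directory) + payload


def list_directory(img: bytes) -> list:
    """What the device itself would report as present."""
    text = bytes(img[:DIR_SIZE]).rstrip(b"\0").decode("utf-8", "replace")
    return [line.split(",")[0] for line in text.splitlines() if line]


def factory_reset_unlink(img: bytearray) -> bytearray:
    """Reset that only clears metadata: the directory is zeroed, payload bytes stay put."""
    out = bytearray(img)
    out[:DIR_SIZE] = b"\0" * DIR_SIZE
    return out


def factory_reset_overwrite(img: bytearray) -> bytearray:
    """Reset that overwrites every byte of the image, metadata and payload alike."""
    return bytearray(len(img))


# Patterns a recovery pass would run over raw bytes, ignoring the directory entirely.
PATTERNS = {
    "wifi_psk": re.compile(rb'psk="([^"\n]{8,63})"'),
    "netscape_cookie": re.compile(
        rb"^\.?[\w.-]+\t(?:TRUE|FALSE)\t\S+\t(?:TRUE|FALSE)\t\d+\t\w+\t\S+", re.M
    ),
    "json_password": re.compile(rb'"password"\s*:\s*"[^"]+"'),
}


def carve(img: bytes) -> dict:
    """Pattern-match the raw bytes the way a file-carving tool does; returns label -> hits."""
    found = {}
    for label, pattern in PATTERNS.items():
        hits = [m.group(0).decode("utf-8", "replace") for m in pattern.finditer(img)]
        if hits:
            found[label] = hits
    return found


if __name__ == "__main__":
    image = build_image(FILES)
    print("before reset:", list_directory(image))
    unlinked = factory_reset_unlink(image)
    print("after unlink-style reset:", list_directory(unlinked), carve(unlinked))
    print("after overwrite reset:", carve(factory_reset_overwrite(image)))
```

The unlink-style reset empties the directory, so the unit reports no files, yet every secret still carves out of the payload region; only the overwrite variant defeats carving. A physically crushed board changes nothing here as long as the flash chips themselves survive, which is consistent with the Model X unit in the story.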

When owners decide to upgrade their cars’ computer, Tesla will only let them keep their original hardware for, according to a Tesla owners’ forum, a $1,000 fee. Yes, it’s strange to have to pay the company to take hardware that you should have owned when you bought your car, but Tesla has a history with non-traditional ideas of just what you think you’ve bought with your car.

Source: Researcher Discovers That Old Tesla Media Control Units Are Full Of Owner’s Private Data Even After A Factory Reset

Amazon Sued for Acting Like Users Own “Purchased” Movies (Spoiler Alert: You Don’t)

The question of whether you own your digital purchases, or whether you’re simply licensing that content from whatever tech giant du jour hosts it, has always been a bit of a black box for consumers. Recently, this lack of transparency has prompted one California user to file a lawsuit against Amazon for saying customers can “purchase” movies on Prime Video when, in actuality, the company can cut off access to that content at its discretion.

Yeah, in case you didn’t know, you don’t really own what you buy on Prime Video. Even though the service bills this content as “Your Video Purchases”, Prime Video’s terms of service outline how all purchases are really just long-term rentals that can disappear from your library at any time:

“Purchased Digital Content will generally continue to be available to you for download or streaming from the Service, as applicable, but may become unavailable due to potential content provider licensing restrictions or for other reasons, and Amazon will not be liable to you if Purchased Digital Content becomes unavailable for further download or streaming.”

None of this is made apparent unless you go digging into Prime Video’s ToS pages, though, which lawyers for the suit’s plaintiff, Amanda Caudel, argue is Amazon’s attempt to “deceive, mislead and defraud consumers.” Per the class action complaint, as first spotted by TechDirt:

“Reasonable consumers will expect that the use of a “Buy” button and the representation that their Video Content is a “Purchase” means that the consumer has paid for full access to the Video Content and, like any bought product, that access cannot be revoked.

Unfortunately for consumers who chose the “Buy” option, this is deceptive and untrue. Rather, the ugly truth is that Defendant secretly reserves the right to terminate the consumers’ access and use of the Video Content at any time, and has done so on numerous occasions, leaving the consumer without the ability to enjoy their already-bought Video Content.”

Defendant’s representations are misleading because they give the impression that the Video Content is purchased – i.e. the person owns it – when in fact that is not true because Defendant or others may revoke access to the Video Content at any time and for any reason.

And since renting a movie for 30 days costs significantly less than purchasing it on Prime Video, usually around $5 compared to $14.99-19.99, the lawsuit argues that Amazon uses this deceptive distinction to earn profit at the expense of consumers, particularly since no user agreement pops up upon purchase to explain to customers that they won’t actually own the video content after hitting “Buy”, and there’s no such disclaimer on the movie’s purchase page either.

Source: Amazon Sued for Acting Like Users Own “Purchased” Movies (Spoiler Alert: You Don’t)

IAB Europe Guide to the Post Third-Party Cookie Era

This Guide has been developed by experts from IAB Europe’s Programmatic Trading Committee (PTC) to prepare brands, agencies, publishers and tech intermediaries for the much-anticipated post third-party cookie advertising ecosystem.

It provides background to the current use of cookies in digital advertising today and an overview of the alternative solutions being developed. As solutions evolve, the PTC will be updating this Guide on a regular basis to provide the latest information and guidance on market alternatives to third-party cookies.

The Guide, available below as an e-book or PDF, helps to answer the following questions:

  • What factors have contributed to the depletion of the third-party cookie?
  • How will the depletion of third-party cookies impact stakeholders and the wider industry including proprietary platforms?
  • How will the absence of third-party cookies affect the execution of digital advertising campaigns?
  • What solutions currently exist to replace the usage of third-party cookies?
  • What industry solutions are currently being developed and by whom?
  • How can I get involved in contributing to the different solutions?

Source: IAB Europe Guide to the Post Third-Party Cookie Era – IAB Europe

Yup, advertisers soon won’t be able to track you across the internet using third-party cookies anymore.

Air Force Announces it Can Save $7 Million by Adjusting One Plane’s Windshield Wipers

The Air Force recently proved through a series of tests that its KC-135 Stratotanker aircraft can fly more efficiently just by mounting the cockpit window’s wiper blades vertically instead of horizontally. The potential fuel cost savings: about $7 million per year.

Researchers with the Advanced Power and Technology Office, part of the Air Force Research Laboratory, and the Southwest Research Institute, assessed the KC-135 after similar tests were conducted on a commercial McDonnell Douglas MD-11 cargo airliner. The commercial tests showed the new blade direction reduced its flight drag by 1.2%.

“Across the KC-135 fleet, blades are positioned horizontally on the windshield as part of the aircraft’s original 1950s design,” officials said in a news release. “However, as the understanding of aviation aerodynamics advanced, research indicated placing the wipers vertically when not in use could improve aerodynamic efficiency and optimize fuel use.”

[…]

The data collected revealed drag was reduced 0.8% just by moving the blade vertically, and 0.2% for a slimmer wiper design on the cockpit’s window.

Computational fluid dynamics analysis, conducted by Air Force Research Laboratory and Southwest Research Institute, shows the nose of a KC-135 Stratotanker with the wiper blades positioned horizontally, left, and vertically, right. The red indicates an area of high aerodynamic drag. (U.S. Air Force courtesy photo)

“While 1% efficiency may not seem like a lot, it equates to millions of dollars in fuel savings each year, which can then be re-invested into other programs,” Daniel Pike, acquisition manager and chief of future operations for Air Force Operational Energy, said in a statement.

For example, the KC-135 fleet used more than 260 million gallons in fiscal 2019, the service said, citing the Air Force Total Ownership Cost database. That accounts for roughly 14% of the Air Force’s total fuel use across its aircraft fleets.

Source: Air Force Announces it Can Save $7 Million by Adjusting One Plane’s Windshield Wipers | Military.com

Apple sues Corellium for copyright – and subpoenas everybody who talks about Corellium or is / was their customer. Strong arm much?

Last year, Apple accused a cybersecurity startup based in Florida of infringing its copyright by developing and selling software that allows customers to create virtual iPhone replicas. Critics have called Apple’s lawsuit against the company, called Corellium, “dangerous” as it may shape how security researchers and software makers can tinker with Apple’s products and code.

The lawsuit, however, has already produced a tangible outcome: very few people, especially current and former customers and users, want to talk about Corellium, which sells the eponymous software that virtualizes iPhones and Android devices. During the lawsuit’s proceedings, Apple has sought information from companies that have used the tool, which emulates iOS on a computer, allowing researchers to probe potential iPhone vulnerabilities in a forgiving and easy-to-use environment.

[…]

“I don’t know if they intended it but when they name individuals at companies that have spoken in favor [of Corellium], I definitely believe retribution is possible,” the researcher added, referring to Apple’s subpoena to the Spanish finance giant Santander Bank, which named an employee who had tweeted about Corellium.

[…]

A security researcher, who specializes in offensive security and asked to remain anonymous, said that he would definitely “have legal look into it beforehand if I needed [Corellium’s] stuff,” arguing that he’d be wary of Apple getting involved.

Three other researchers who specialize in hacking Apple software declined to comment citing the risk of some sort of retaliation from Apple.

[…]

In January, Apple subpoenaed the defense contractor L3Harris and Santander Bank, requesting information on how they use Corellium, all communications they’ve had with the startup, internal communications about their products, and any contracts they’ve signed with the company, among other information.

Mark Dowd, the founder of Azimuth Security, a cybersecurity startup that specializes in developing hacking tools for governments that’s now part of L3Harris, said last year that he couldn’t comment about Corellium “because [Apple] mention[ed] us in the original filing.” (Dowd did not respond to a request for comment this week.)

[…]

Some researchers, however, are not afraid of Apple. Elias Naur uses Corellium to test code written in the Go language for mobile operating systems. Before Corellium, Naur said he had to test code on two busted old phones plugged in under his couch. Naur said he’s “not worried Apple will come after Corellium’s customers” and is still using the software.

[…]

In this David v. Goliath battle, as Forbes called it, many people are choosing to stay away from David even before seeing who wins.

Source: Apple’s Copyright Lawsuit Has Created a ‘Chilling Effect’ on Security Research – VICE

‘Artificial leaf’ concept inspires research into solar-powered fuel production

Rice University researchers have created an efficient, low-cost device that splits water to produce hydrogen fuel.

The platform developed by the Brown School of Engineering lab of Rice materials scientist Jun Lou integrates catalytic electrodes and perovskite solar cells that, when triggered by sunlight, produce electricity. The current flows to the catalysts that turn water into hydrogen and oxygen, with a sunlight-to-hydrogen efficiency as high as 6.7%.

This sort of catalysis isn’t new, but the lab packaged a perovskite layer and the electrodes into a single module that, when dropped into water and placed in sunlight, produces hydrogen with no further input.

The platform introduced by Lou, lead author and Rice postdoctoral fellow Jia Liang and their colleagues in the American Chemical Society journal ACS Nano is a self-sustaining producer of hydrogen that, they say, should be simple to produce in bulk.

“The concept is broadly similar to an artificial leaf,” Lou said. “What we have is an integrated module that turns sunlight into electricity that drives an electrochemical reaction. It utilizes water and sunlight to get chemical fuels.”

Perovskites are crystals with cubelike lattices that are known to harvest light. The most efficient perovskite solar cells produced so far achieve an efficiency above 25%, but the materials are expensive and tend to be stressed by light, humidity and heat.

“Jia has replaced the more expensive components, like platinum, in perovskite solar cells with alternatives like carbon,” Lou said. “That lowers the entry barrier for commercial adoption. Integrated devices like this are promising because they create a system that is sustainable. This does not require any external power to keep the module running.”

Liang said the key component may not be the perovskite but the polymer that encapsulates it, protecting the module and allowing it to be immersed for long periods. “Others have developed catalytic systems that connect the solar cell outside the water to immersed electrodes with a wire,” he said. “We simplify the system by encapsulating the perovskite layer with a Surlyn (polymer) film.”

The patterned film allows sunlight to reach the solar cell while protecting it and serves as an insulator between the cells and the electrodes, Liang said.

Source: ‘Artificial leaf’ concept inspires research into solar-powered fuel production

New study spotlights the dark side of venture capitalist funding – shows it’s also bad for the bottom line

A new study from The School of Business at Portland State University suggests that the aggressive cultures of private equity firms, like venture capitalists, might spill over into the companies that they fund. Venture capitalists are often the hidden players in decision making, and they are funding startups like Uber, SpaceX and AirBnB.

With money, comes expectations

As a company grows through early developmental milestones, it becomes accountable to key stakeholders.

According to the study, companies often face challenges when balancing the tension between long-term socially responsible strategies and the short-term demands associated with venture capital funding.

PSU Associate Professor of Management Theodore Khoury and colleagues published their study, “Is venture capital socially responsible? Exploring the imprinting effect of VC funding on CSR practices,” in the Journal of Business Venturing.

The study found that venture capitalist investors often push a business they are financing to prioritize long-term financially-based goals instead of socially responsible business ones, like fair wages, reducing carbon footprints or improving labor policies.

Venture capitalists often hold a large portion of the equity in the companies in which they invest, which gives them voting power to challenge or advocate for specific strategic directions and influence decisions that might jeopardize company returns.

The prioritization of financial success opens a floodgate, allowing behaviors such as sexual harassment at new companies like Uber to go unchecked.

“We find that venture capitalist-backed companies have poorer socially responsible practice records, which do improve over time, but at a comparatively slower rate than non-venture capitalist-backed companies,” Khoury said.

Unexpected consequence of greed

The PSU study also highlights how venture capitalists’ desires for financial surplus might end up causing more harm than good.

Uber agreed to pay $4.4 million to settle federal charges of fostering a work culture rife with sexual harassment. It’s just one of the dozens of Silicon Valley companies facing huge fines related to sexual harassment charges.

The researchers assert that socially responsible practices positively impact, rather than reduce, a company’s financial performance.

“Compared to non-venture capitalist-backed companies, venture capitalist-backed companies presented significantly lower assets, sales, tangible assets, inventories, returns on assets, profit margins and debt levels, as well as higher intangibles and current ratios,” the study said.

In addition to financial success, socially responsible practices help satisfy multiple stakeholders (like employees), enhance a company’s market value, preempt government regulations, reduce risk, develop business resources and lower capital costs.

However, the researchers add that when venture capitalist-backed companies receive funding from firms with a responsible investment orientation and a broader stakeholder view, their socially responsible practice records are significantly better.

“Early-stage imprinting can happen from many sources, but when businesses take funding from certain investors, certain cultures, operating modes and ways of conducting business may start to take shape for the long term to affect a broader group of stakeholders,” Khoury said. “The effects of early-stage imprinting from venture capital funding can be hard to ‘undo,’ and there are social consequences.”

Source: New study spotlights the dark side of venture capitalist funding

Tesla stock rise appears to qualify CEO Musk for $700 million payday – and the chance to buy loads of Tesla stock at low prices

Shares of Tesla Inc (TSLA.O) jumped more than 8% on Monday, putting Tesla’s market capitalization at $141.1 billion at the close. More importantly for Musk, Tesla’s stock market value reached a six-month average of $100.2 billion, according to an analysis of Refinitiv data.

Hitting a six-month average of $100 billion triggers the vesting of the first of 12 tranches of options granted to the billionaire to buy Tesla stock as part of a pay package agreed in 2018. Musk has already met two other requirements by hitting a growth target and far exceeding a one-month average $100 billion market cap.

Each tranche gives Musk the option to buy 1.69 million Tesla shares at $350.02 each. At Tesla’s closing stock price of $761.19, Musk would theoretically be able to sell the shares for a profit of $694 million.

Musk on Friday said on Twitter, “Tesla stock price is too high imo,” using an abbreviation for “in my opinion”.

That tweet sent Tesla’s stock tumbling 10%, shocking shareholders. Tesla, whose California factory is closed as part of the state’s coronavirus-related lockdowns, posted its third quarterly profit in a row last week.

Musk, who is also the majority owner and CEO of the SpaceX rocket maker, receives no salary or cash bonus, only options that vest based on Tesla’s market cap and milestones for revenue and profit growth.

A full payoff of all tranches would surpass anything previously granted to U.S. executives.

When Tesla unveiled Musk’s package in 2018, it said he could theoretically reap as much as $55.8 billion if no new shares were issued. However, Tesla has since issued shares to compensate employees, and last year it sold $2.7 billion in shares and convertible bonds.

Musk’s subsequent options tranches would vest at $50 billion increments of Tesla market capitalization over the agreement’s 10-year period, with the billionaire earning the full package if Tesla’s market capitalization reaches $650 billion and the high tech vehicle maker achieves several revenue and profit targets.

Source: Tesla stock rise appears to qualify CEO Musk for $700 million payday – Reuters

Study reveals single-step strategy for recycling used nuclear fuel

A typical nuclear reactor uses only a small fraction of its fuel rod to produce power before the energy-generating reaction naturally terminates. What is left behind is an assortment of radioactive elements, including unused fuel, that are disposed of as nuclear waste in the United States. Although certain elements recycled from waste can be used for powering newer generations of nuclear reactors, extracting leftover fuel in a way that prevents possible misuse is an ongoing challenge.

Now, Texas A&M University engineering researchers have devised a simple, proliferation-resistant approach for separating out different components of used nuclear fuel. The one-step chemical reaction, described in the February issue of the journal Industrial & Engineering Chemistry Research, results in the formation of crystals containing all of the leftover nuclear elements distributed uniformly.

The researchers also noted that the simplicity of their recycling approach makes the translation from lab bench to industry feasible.

“Our recycling strategy can be easily integrated into a chemical flow sheet for industrial-scale implementation,” said Johnathan Burns, research scientist in the Texas A&M Engineering Experiment Station’s Nuclear Engineering and Science Center. “In other words, the reaction can be repeated multiple times to maximize fuel recovery yield and further reduce radioactive nuclear waste.”

[…]

For their experiments, they prepared a surrogate solution of uranium, plutonium, neptunium and americium in highly concentrated nitric acid at 60-90 degrees Celsius to mimic dissolving of a real fuel rod in the strong acid. They found when the solution reached , as predicted, that uranium, neptunium, plutonium and americium separated from the solution together, uniformly distributing themselves within the crystals.

Burns noted that this simplified, single-step process is also proliferation-resistant since plutonium is not isolated but incorporated within the uranium crystals.

“The idea is that the reprocessed fuel generated from our prescribed chemical reaction can be used in future generations of reactors, which would not only burn uranium like most present-day reactors but also other heavy elements such as neptunium, plutonium and americium,” Burns said. “In addition to addressing the fuel recycling problem and reducing proliferation risk, our strategy will drastically reduce nuclear waste to just the fission products whose radioactivity is hundreds rather than hundreds of thousands of years.”

Source: Study reveals single-step strategy for recycling used nuclear fuel

Sweet TCAS! We can make airliners go up-diddly-up whenever we want, say infosec researchers

Not only can malicious people make airliners climb and dive without pilot input – they can also control where and when they do so, research from Pen Test Partners (PTP) has found.

TCAS spoofing, the practice of fooling the traffic collision avoidance systems aboard airliners, can be controlled to precisely determine whether an airliner fitted with TCAS climbs or descends – and even to produce climb rates of up to 3,000 ft/min.

Building on earlier research into the bare-bones concept [PDF], PTP said it had figured out how to shape and control airliners’ automatic TCAS responses so they moved up or down at precisely known points.

In a blog post the firm said: “We rationalised this to the point where we only needed three fake aircraft to provide [a Resolution Advisory] that caused a climb of over 3,000 ft/min.”

[…]

The prospect of a rollercoaster ride is less scary (or realistic) than it might seem; a recent Oxford University study showed that when airliner pilots are presented with too many spoof warnings, they simply disable the system responsible – and look out of the window so they keep flying safely.

Source: Sweet TCAS! We can make airliners go up-diddly-up whenever we want, say infosec researchers • The Register

OK, so you’ve air-gapped that PC. Cut the speakers. Covered the LEDs. Disconnected the monitor. Now, about the data-leaking power supply unit…

Israeli cyber-security side-channel expert Mordechai Guri has devised a way to pilfer data from devices that have been air-gapped and silenced.

Organizations with extreme security needs may keep certain computer hardware disconnected from any network, a practice known as air-gapping, to preclude the possibility of miscreants hacking in from compromised systems on the network, or from across the internet. Attacks on such systems generally require some manner of physical access to introduce malware: an unauthorized person has to get their hands on the machine, typically briefly and unnoticed, to install malicious software, thus getting around the air-gap.

Perhaps the most widely reported air gap attack of this sort is said to have involved the covert introduction of the Stuxnet centrifuge-knackering malware around 2007, after three years of planning, to the nuclear fuel enrichment lab in Natanz, Iran, apparently from a USB stick.

Guri, head of research and development at Ben-Gurion University of the Negev, Israel’s Cyber-Security Research Center, told The Register in an email that air-gapped networks are not just for sensitive military facilities. They are used, he said, by many regulated industries to protect sensitive private data, intellectual property, and critical infrastructure.

In previous work, Guri and colleagues have explored various ways to attack air-gapped systems. Two years ago, for example, he and several other researchers developed a technique dubbed MOSQUITO to exfiltrate data from air-gapped systems using ultrasonic transmissions between speakers.

An obvious defense against acoustic data transmission is to disable any speakers on the protected device, a practice known as audio-gapping.

But Guri’s latest research shows that’s not enough. He and his team have found a way to turn the power supply in an isolated, muted machine into a speaker of sorts, one capable of transmitting data at a rate of 50 bits/sec.

He calls the attack POWER-SUPPLaY. The technique has the potential to be used against PC workstations and servers, as well as embedded systems and IoT devices that have no addressable audio hardware.

“We show that malware running on a PC can exploit its power supply unit (PSU) and use it as an out-of-band speaker with limited capabilities,” a paper [PDF] detailing the technique explained. “The malicious code intentionally manipulates the internal switching frequency of the power supply and hence controls the waveform generated from its capacitors and transformers.”

Source: OK, so you’ve air-gapped that PC. Cut the speakers. Covered the LEDs. Disconnected the monitor. Now, about the data-leaking power supply unit… • The Register

Apple’s T2 Security Chip ensures used laptops become unrecyclable junk, a Nightmare for MacBook Refurbishers

As predicted, the proprietary locking system Apple rolled out with its 2018 MacBook Pros is hurting independent repair stores, refurbishers, and electronics recyclers. A combination of secure software locks, diagnostic requirements, and Apple’s new T2 security chip are making it hard to breathe new life into old MacBook Pros that have been recycled but could be easily repaired and used for years were it not for these locks.

It’s a problem that highlights Apple’s combative attitude towards the secondhand market and the need for national right to repair legislation.

“The irony is that I’d like to do the responsible thing and wipe user data from these machines, but Apple won’t let me,” John Bumstead, a MacBook refurbisher and owner of the RDKL INC repair store, said in a tweet with an attached picture of two “bricked” MacBook Pros. “Literally the only option is to destroy these beautiful $3,000 MacBooks and recover the $12/ea they are worth as scrap.”

Source: Apple’s T2 Security Chip Has Created a Nightmare for MacBook Refurbishers – VICE

Way to highlight capitalist consumer planet unfriendly culture, Apple

Iceland Has Tested 13% of Its Population for Coronavirus. They have days with 0 deaths. Here’s What It Found

Iceland’s testing yielded new leads for scientists about how the virus behaves. Early results suggested 0.6 percent of the population were “silent carriers” of the disease with no symptoms or only a mild cough and runny nose.

Preliminary research suggests one-third of those who tested positive at deCODE infected someone around them, providing evidence that silent carriers do transmit the disease but much less than symptomatic patients.

In a random sample of 848 children under the age of 10 none of them tested positive, which guided Icelandic authorities’ decision to keep schools open for children under 16.

Alongside the testing, civil defense authorities set up a Contact Tracing Team, including police officers and university students, which used legwork and phone calls to identify people who had come into contact with infected individuals. A mobile phone tracing app was up and running a few weeks later.

Gudnason said the approach’s success is shown by the fact that about 60% of people who tested positive were already in quarantine after being contacted by the tracing team.

Altogether, 19,000 people were ordered into two-week quarantine. Everyone else carried on with a semblance of normality. Primary schools remained open, and some cafes and restaurants kept operating, following social distancing rules: no more than 20 people gathered at once and everyone 2 meters (6.5 feet) apart.

Starting Monday, gatherings of up to 50 will be permitted, high schools and colleges can resume classes and all businesses except bars, gyms and swimming pools can reopen.

The entire country, however, must self-isolate from the rest of the world for the time being. Everyone arriving from abroad faces a 14-day quarantine.

Source: Iceland Has Tested 13% of Its Population for Coronavirus. Here’s What It Found | Time

Researchers create a new system to protect users’ online data by checking if data entered is consistent with the privacy policy

Researchers have created a new system that helps Internet users ensure their online data is secure.

The software-based system, called Mitigator, includes a plugin users can install in their browser that will give them a secure signal when they visit a website verified to process its data in compliance with the site’s privacy policy.

“Privacy policies are really hard to read and understand,” said Miti Mazmudar, a PhD candidate in Waterloo’s David R. Cheriton School of Computer Science. “What we try to do is have a compliance system that takes a simplified model of the privacy policy and checks the code on the website’s end to see if it does what the privacy policy claims to do.

“If a website requires you to enter your email address, Mitigator will notify you if the privacy policy stated that this wouldn’t be needed or if the privacy policy did not mention the requirement at all.”

Mitigator can work on any computer, but the companies that own the website servers must have machines with a trusted execution environment (TEE). A TEE, a secure area of modern server-class processors, guarantees the confidentiality and integrity of the code and data loaded into it.
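The check described above, a simplified policy model compared against what a web form actually asks for, as an added illustration written for this page: it is not Mitigator's code, it runs no TEE and carries no attestation, and the policy model, field names and sample form are all constructed for the example. It flags a field when the policy says that data item is not needed, and separately when the policy does not mention it at all, which is the distinction the quote draws.

```python
"""Simplified privacy-policy-versus-form consistency check.

Added example, not Mitigator's code: no TEE, no attestation, just the
comparison step. The policy model, field-to-item mapping and the sample
form are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class Disclosure(Enum):
    """What the (simplified) policy says about one personal data item."""
    COLLECTED = "collected"          # policy declares the item is collected
    NOT_COLLECTED = "not_collected"  # policy states the item is not needed
    UNMENTIONED = "unmentioned"      # policy is silent about the item


@dataclass
class PolicyModel:
    """Simplified model of a privacy policy: which data items it declares."""
    collected: Set[str] = field(default_factory=set)
    not_collected: Set[str] = field(default_factory=set)

    def status(self, item: str) -> Disclosure:
        if item in self.collected:
            return Disclosure.COLLECTED
        if item in self.not_collected:
            return Disclosure.NOT_COLLECTED
        return Disclosure.UNMENTIONED


@dataclass
class Finding:
    """One form field that the policy does not cover."""
    field_name: str
    data_item: str
    status: Disclosure

    def message(self) -> str:
        if self.status is Disclosure.NOT_COLLECTED:
            return (f"form field '{self.field_name}' requests {self.data_item}, "
                    f"which the policy says is not needed")
        return (f"form field '{self.field_name}' requests {self.data_item}, "
                f"which the policy does not mention")


# Constructed mapping from form field name prefixes to the data item they
# collect. A real plugin would need a far richer classifier (hypothetical).
FIELD_TO_ITEM = {
    "email": "email address",
    "phone": "phone number",
    "dob": "date of birth",
    "postcode": "postal address",
    "name": "full name",
}


def classify_field(field_name: str) -> Optional[str]:
    """Map a form field name to a personal data item, or None if unrecognised."""
    key = field_name.lower()
    for prefix, item in FIELD_TO_ITEM.items():
        if key.startswith(prefix):
            return item
    return None


def check_form(form_fields: List[str], policy: PolicyModel) -> List[Finding]:
    """Return one Finding per form field the policy fails to cover, in form order."""
    findings: List[Finding] = []
    for name in form_fields:
        item = classify_field(name)
        if item is None:
            continue  # e.g. a CSRF token: not a personal data item
        status = policy.status(item)
        if status is not Disclosure.COLLECTED:
            findings.append(Finding(name, item, status))
    return findings


def form_is_consistent(form_fields: List[str], policy: PolicyModel) -> bool:
    """True when every recognised field is declared as collected by the policy."""
    return not check_form(form_fields, policy)


if __name__ == "__main__":
    # Constructed sample: the policy declares email and name, rules out phone,
    # and says nothing about date of birth.
    sample_policy = PolicyModel(collected={"email address", "full name"},
                                not_collected={"phone number"})
    sample_form = ["email", "phone_mobile", "dob", "csrf_token"]
    for f in check_form(sample_form, sample_policy):
        print(f.message())
```

The useful part for a practitioner is the three-way outcome: a form that asks for an undeclared item is a policy gap, not necessarily a violation, so the two cases deserve different signals to the user. The sample policy and form are constructed; they are not taken from the paper.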

“The big difference between Mitigator and prior systems that had similar goals is that Mitigator’s primary focus is on the signal it gives to the user,” said Ian Goldberg, a professor in Waterloo’s Faculty of Mathematics. “The important thing is not just that the company knows their software is running correctly; we want the user to get this assurance that the company’s software is running correctly and is processing their data properly and not just leaving it lying around on disk to be stolen.

“Users of Mitigator will know whether their data is being properly protected, managed, and processed while the companies will benefit in that their customers are happier and more confident that nothing untoward is being done with their data.”

The study, Mitigator: Privacy policy compliance using trusted hardware, authored by Mazmudar and Goldberg, has been accepted for publication in the Proceedings of Privacy Enhancing Technologies.

Source: Researchers create a new system to protect users’ online data | Waterloo Stories | University of Waterloo

Antwerpen Uni bans video app Zoom – city of Antwerp is stupid enough to keep using it

The University of Antwerp is banning the use of the video-calling app Zoom. The application is said not to be secure enough, and the university does not want to take any risks after it fell victim to a cyberattack last year.

Google and the American space agency NASA also recently decided to stop using Zoom.

The city of Antwerp still uses Zoom extensively. ‘By taking appropriate security measures and making use of Zoom’s own security options, unnecessary risks have been avoided,’ says spokesperson Dirk Delechambre.

Source: Universiteit Antwerpen verbiedt videobelapp Zoom – Emerce

Sorry Dirk, you’re wrong. There is no “safe” way to use the app.

UK COVID-19 contact tracing app data may be kept for ‘research’ after crisis ends, MPs told

Britons will not be able to ask NHS admins to delete their COVID-19 tracking data from government servers, digital arm NHSX’s chief exec Matthew Gould admitted to MPs this afternoon.

Gould also told Parliament’s Human Rights Committee that data harvested from Britons through NHSX’s COVID-19 contact tracing app would be “pseudonymised” – and appeared to leave the door open for that data to be sold on for “research”.

The government’s contact-tracing app will be rolled out in Britain this week. A demo seen by The Register showed its basic consumer-facing functions. Key to those is a big green button that the user presses to send 28 days’ worth of contact data to the NHS.

Screenshot of the NHSX covid-19 contact tracing app

Written by tech arm NHSX, Britain’s contact-tracing app breaks with international convention by opting for a centralised model of data collection, rather than keeping data on users’ phones and only storing it locally.

In response to questions from Scottish Nationalist MP Joanna Cherry this afternoon, Gould told MPs: “The data can be deleted for as long as it’s on your own device. Once uploaded all the data will be deleted or fully anonymised with the law, so it can be used for research purposes.”

Source: UK COVID-19 contact tracing app data may be kept for ‘research’ after crisis ends, MPs told • The Register

Why smartphones are digital truth serum

Do smartphones alter what people are willing to disclose about themselves to others? A new study in the Journal of Marketing suggests that they might. The research indicates that people are more willing to reveal about themselves online using their smartphones compared to desktop computers. For example, Tweets and reviews composed on smartphones are more likely to be written from the perspective of the first person, to disclose negative emotions, and to discuss the writer’s private family and personal friends. Likewise, when consumers receive an online ad that requests personal information (such as and income), they are more likely to provide it when the request is received on their smartphone compared to their desktop or laptop computer.

Why do smartphones have this effect on behavior? Melumad explains that “Writing on one’s smartphone often lowers the barriers to revealing certain types of sensitive information for two reasons; one stemming from the unique form characteristics of phones and the second from the emotional associations that consumers tend to hold with their device.” First, one of the most distinguishing features of phones is the small size; something that makes viewing and creating content generally more difficult compared with desktop computers. Because of this difficulty, when writing or responding on a smartphone, a person tends to narrowly focus on completing the task and become less cognizant of external factors that would normally inhibit self-disclosure, such as concerns about what others would do with the information. Smartphone users know this effect well—when using their phones in public places, they often fixate so intently on its content that they become oblivious to what is going on around them.

The second reason people tend to be more self-disclosing on their phones lies in the feelings of comfort and familiarity people associate with their phones. Melumad adds, “Because our smartphones are with us all of the time and perform so many vital functions in our lives, they often serve as ‘adult pacifiers’ that bring feelings of comfort to their owners.” The downstream effect of those feelings shows itself when people are more willing to disclose feelings to a close friend compared to a stranger or open up to a therapist in a comfortable rather than uncomfortable setting. As Meyer says, “Similarly, when writing on our phones, we tend to feel that we are in a comfortable ‘safe zone.’ As a consequence, we are more willing to open up about ourselves.”

The data to support these ideas is far-ranging and includes analyses of thousands of social media posts and online reviews, responses to web ads, and controlled laboratory studies. For example, initial evidence comes from analyses of the depth of self-disclosure revealed in 369,161 Tweets and 10,185 restaurant reviews posted on TripAdvisor.com, with some posted on PCs and some on smartphones. Using both automated natural-language processing tools and human judgements of self-disclosure, the researchers find robust evidence that -generated content is indeed more self-disclosing. Perhaps even more compelling is evidence from an analysis of 19,962 “call to action” web ads, where consumers are asked to provide private information.

Consistent with the tendency for smartphones to facilitate greater self-disclosure, compliance was systematically higher for ads targeted at smartphones versus PCs.

The findings have clear and significant implications for firms and consumers. One is that if a firm wishes to gain a deeper understanding of the real preferences and needs of consumers, it may obtain better insights by tracking what they say and do on their smartphones than on their desktops. Likewise, because more self-disclosing content is often perceived to be more honest, firms might encourage consumers to post reviews from their personal devices. But therein lies a potential caution for —these findings suggest that the device people use to communicate can affect what they communicate. This should be kept in mind when thinking about the device one is using when interacting with firms and others.

Source: Why smartphones are digital truth serum

OK, Landlord: If Copyright Supporters Are Going To Insist Copyright Is Property, Why Are They So Mad About Being Called Landlords?

Law professor Brian Frye has spent the last month or so making a really important point regarding the never-ending “is copyright property” debate — saying that if copyright is property, then copyright holders should be seen and treated as landlords. This whole approach can be summed up in the slightly snarky and trollish phrase: “OK, Landlord” used to respond to all sorts of nonsensical takes in support of more egregious copyright policies:

Like everyone, the copyright cops want to have their cake and eat it too. They claim that copyright is a kind of property, so the law should protect it just like any other kind of property. But they also claim that authors are morally entitled to copyright ownership because of their special contribution to society. I find both claims uncompelling, but in any case, they can’t have it both ways. If copyright is a property right, they have to own it and can’t claim the moral high ground.

What’s been most telling about this useful analogy is just how angry it seems to make copyright holders and copyright-system supporters. They react very negatively to the suggestion that they are “landlords” and any money they make from copyright licensing is a form of “rent.” But if you’re going to claim that your copyright is profit, then, well, the landlord moniker fits.

But the copyright cops persist, insisting that copyright is property, so copyright owners are entitled to the entire value of the works they create because that’s what property means. Accordingly, copying a work of authorship without permission is theft, even though it only increases the number of copies, because the copyright owner didn’t profit. And even consuming a work of authorship without permission is wrong because copyright owners are entitled to profit from every use of the work they own.

The circularity of these claims should be obvious: copyright is property because copyright owners receive exclusive rights, and copyright owners receive exclusive rights because copyright is property. But let’s run with it. Okay, copyright is property and copyright owners are property owners. Why are copyright owners entitled to profit from the use of their property?

Because they’re landlords. Copyright owners want to own the property metaphor? Then, let ‘em own it. If copyright is property, then they are landlords and copyright profits are rent. Just like landlords, copyright owners simply make a capital investment in creating or acquiring a property, then sit back and wait for the profits to roll in.

As Frye notes, the whole idea that copyright holders are landlords (even as they claim that they are holding property that you need to pay them to use) shows the sort of emotional trickery that copyright holders use in also claiming some sort of moral right to their works as “creators.” They’re picking and choosing which arguments to use when — and have long tried to imbue holding the copyright to creativity (which is often quite different from creating itself) with some sort of magical, mystical status.

Of course, the real issue at play is that many of the most vocal copyright system supporters want to believe that they’re “artists” who are fighting the system and speaking for the oppressed… and being a “landlord” who is renting out their property goes against that self-image. But as Frye notes, they can’t really have it both ways. If they want to declare that they have property rights, they should be perfectly fine with recognizing that they are the current landlords for that “property.”

Source: OK, Landlord: If Copyright Supporters Are Going To Insist Copyright Is Property, Why Are They So Mad About Being Called Landlords? | Techdirt

Scientists can 3D print insect-like robots in minutes

It might soon be relatively trivial to make soft robots — at least, if you have a 3D printer handy. UC San Diego researchers have devised a way to 3D-print insect-like flexible robots cheaply, quickly and without using exotic equipment. The trick was to print “flexoskeletons,” or rigid materials 3D-printed on to flexible and thin polycarbonate sheets. Much like insects, there are features that increase rigidity only in specific areas — a contrast with conventional soft robots that often have soft features tacked on to solid bodies.

Each flexoskeleton component takes about 10 minutes to print, and a completely assembled bot should be ready in less than two hours. An individual part costs less than $1 — the processing power, sensors and battery are likely to be the most expensive parts.

This will initially help researchers build robots quickly and easily, but the final aim is to mass-produce robots without human involvement. That could lead to robot swarms that can accomplish tasks at least as well as large, monolithic machines, but with lower costs and less risk.

Source: Scientists can 3D print insect-like robots in minutes | Engadget

The Dot Org Sale Has Been Rejected – now what?

When I began writing about the dot-org sale, it was out of concern for the loss of what I felt strongly was long understood to be a unique place in the Internet’s landscape. Like a national park, dot-org deserved special protection. It turns out lots of people and organizations agreed.

On April 30th, 2020, The ICANN Board upheld these values. They unanimously withheld consent for a change of control of the Public Interest Registry to a private equity firm. There were real questions about public support, financial stability and ultimately about whether the proposal was in the best interest of those most affected, dot-org domain owners.

Ethos, PIR and ISOC failed to respond to any of these questions in a convincing manner. They failed to gather any material support for their approach. As of today, the #savedotorg campaign has nearly 27,000 supporters and 2,000 nonprofits behind it. It dwarfs any campaign Internet governance has ever seen. There’s no way to de-legitimize such an outpouring of concern.

[…]

ISOC and PIR’s announcements seem to imply that things will simply go back to the way they were. PIR will continue to run dot-org and ISOC will continue to do what it does. This is the same kind of magical thinking that led to the idea that dot-org could be sold to a private equity firm. It is not grounded in the reality of how decisions that impact massive global communities are made.

Here’s what needs to be done:

First, ISOC and PIR leadership must recognize and apologize for the harm and uncertainty that they have caused both nonprofits and Internet governance. There never should have needed to be a #savedotorg campaign, because dot-org should never have been put at risk.

Second, the ISOC board should invite the leadership of the organizations that led the #SaveDotOrg campaign to an open dialogue to understand their concerns and priorities for the future of dot-org. This dialogue should recognize that it may be agreed that ISOC and PIR may no longer be the appropriate stewards for dot-org.

Third, the leadership of the #SaveDotOrg campaign needs to recognize that this was a closeted decision by a few actors, taken in secret. There are many skilled professionals that work at both PIR and ISOC. While ISOC and PIR may have to change dramatically, solutions must be sought that consider the value and future of these organizations, their staff, and their members.

Fourth, all parties should agree to work together with ICANN to chart a course of action that builds confidence and faith in the multi-stakeholder model of Internet governance. While there are many challenges with this model, one being how messy it seems, in the end the right decisions were taken. We must all come together to defend the model that has built and will continue to sustain a single global Internet.

Source: The Dot Org Sale Has Been Rejected – savedotorg – Medium

Facebook releases Blender AI Chatbot sources

  • Facebook AI has built and open-sourced Blender, the largest-ever open-domain chatbot. It outperforms others in terms of engagement and also feels more human, according to human evaluators.

  • The culmination of years of research in conversational AI, this is the first chatbot to blend a diverse set of conversational skills — including empathy, knowledge, and personality — together in one system.

  • We achieved this milestone through a new chatbot recipe that includes improved decoding techniques, novel blending of skills, and a model with 9.4 billion parameters, which is 3.6x more than the largest existing system.

  • Today we’re releasing the complete model, code, and evaluation set-up, so that other AI researchers will be able to reproduce this work and continue to advance conversational AI research.

[…]

As the culmination of years of our research, we’re announcing that we’ve built and open-sourced Blender, the largest-ever open-domain chatbot. It outperforms others in terms of engagement and also feels more human, according to human evaluators. This is the first time a chatbot has learned to blend several conversational skills — including the ability to assume a persona, discuss nearly any topic, and show empathy — in natural, 14-turn conversation flows. Today we’re sharing new details of the key ingredients that we used to create our new chatbot.

Some of the best current systems have made progress by training high-capacity neural models with millions or billions of parameters using huge text corpora sourced from the web. Our new recipe incorporates not just large-scale neural models, with up to 9.4 billion parameters — or 3.6x more than the largest existing system — but also equally important techniques for blending skills and detailed generation.

[…]

We’re currently exploring ways to further improve the conversational quality of our models in longer conversations with new architectures and different loss functions. We’re also focused on building stronger classifiers to filter out harmful language in dialogues. And we’ve seen preliminary success in studies to help mitigate gender bias in chatbots.

True progress in the field depends on reproducibility — the opportunity to build upon the best technology possible. We believe that releasing models is essential to enable full, reliable insights into their capabilities. That’s why we’ve made our state of the art open-domain chatbot publicly available through our dialogue research platform ParlAI. By open-sourcing code for fine-tuning and conducting automatic and human evaluations, we hope that the AI research community can build on this work and collectively push conversational AI forward.
Read the paper here.
Get the code here.

Source: A state-of-the-art open source chatbot