GE Fridges Won’t Dispense Ice Or Water Unless Your Water Filter ‘Authenticates’ Via RFID Chip on their rip-off, expensive water filter

Count GE in on the “screw your customers” bandwagon. Twitter user @ShaneMorris tweeted: “My fridge has an RFID chip in the water filter, which means the generic water filter I ordered for $19 doesn’t work. My fridge will literally not dispense ice, or water. I have to pay General Electric $55 for a water filter from them.” Fortunately, there appears to be a way to hack them to work: How to Hack RWPFE Water Filters for Your GE Fridge. Hacks aside, count me out from ever buying another GE product if it includes anti-customer “features” like these. “The difference between RWPF and RPWFE is that the RPWFE has a freaking RFID chip on it,” writes Jack Busch from groovyPost. “The fridge reads the RFID chip off your filter, and if your filter is either older than 6 months or not a genuine GE RPWFE filter, it’s all ‘I’m sorry, Dave, I’m afraid I can’t dispense any water for you right now.’ Now, to be fair, GE does give you a bypass cartridge that lets you get unfiltered water for free (you didn’t throw that thing away, did you?). But come on…”

Jack proceeds to explain how you can pop off the filter bypass and “try taping the thing directly into your fridge where it would normally meet up when the filter is installed.” If you’re able to get it in just the right spot, “you’re set for life,” says Jack. Alternatively, “you can tape it onto the front of an expired RPWFE GE water filter, install it backward, and then keep using it (again, not recommended for too much longer than six months). Or, you can tape it to the corresponding spot on a generic filter and reinstall it.”

Source: GE Fridges Won’t Dispense Ice Or Water Unless Your Water Filter ‘Authenticates’ Via RFID Chip – Slashdot

Sonos CEO apologizes for confusion, says legacy products will work ‘as long as possible’ – however long that is

Sonos CEO Patrick Spence just published a statement on the company’s website to try to clear up an announcement made earlier this week: on Tuesday, Sonos announced that it will cease delivering software updates and new features to its oldest products in May. The company said those devices should continue functioning properly in the near term, but it wasn’t enough to prevent an uproar from longtime customers, with many blasting Sonos for what they perceive as planned obsolescence. That frustration is what Spence is responding to today. “We heard you,” is how Spence begins the letter to customers. “We did not get this right from the start.”

Spence apologizes for any confusion and reiterates that the so-called legacy products will “continue to work as they do today.” Legacy products include the original Sonos Play:5, Zone Players, and Connect / Connect:Amp devices manufactured between 2011 and 2015.

“Many of you have invested heavily in your Sonos systems, and we intend to honor that investment for as long as possible.” Similarly, Spence pledges that Sonos will deliver bug fixes and security patches to legacy products “for as long as possible” — without any hard timeline. Most interesting, he says “if we run into something core to the experience that can’t be addressed, we’ll work to offer an alternative solution and let you know about any changes you’ll see in your experience.”

The letter from Sonos’ CEO doesn’t retract anything that the company announced earlier this week; Spence is just trying to be as clear as possible about what’s happening come May. Sonos has insisted that these products, some of which are a decade old, have been taken to their technological limits.

Spence again confirms that Sonos is planning a way for customers to fork any legacy devices they might own off of their main Sonos system with more modern speakers. (Sonos architected its system so that all devices share the same software. Once one product is no longer eligible for updates, the whole setup stops receiving them. This workaround is designed to avoid that problem.)

Source: Sonos CEO apologizes for confusion, says legacy products will work ‘as long as possible’ – The Verge

An Open Source eReader That’s Free of Corporate Restrictions Is Exactly What I Want Right Now

The Open Book Project was born from a contest held by Hackaday and that encouraged hardware hackers to find innovative and practical uses for the Arduino-based Adafruit Feather development board ecosystem. The winner of that contest was the Open Book Project which has been designed and engineered from the ground up to be everything devices like the Amazon Kindle or Rakuten Kobo are not. There are no secrets inside the Open Book, no hidden chips designed to track and share your reading habits and preferences with a faceless corporation. With enough know-how, you could theoretically build and program your own Open Book from scratch, but as a result of winning the Take Flight With Feather contest, Digi-Key will be producing a small manufacturing run of the ereader, with pricing and availability still to be revealed.

The raw hardware isn’t as sleek or pretty as devices like the Kindle, but at the same time there’s a certain appeal to the exposed circuit board which features brief descriptions of various components, ports, and connections etched right onto the board itself for those looking to tinker or upgrade the hardware. Users are encouraged to design their own enclosures for the Open Book if they prefer, either through 3D-printed cases made of plastic, or rustic wooden enclosures created using laser cutting machines.

Text will look a little aliased on the Open Book’s E Ink display.
Photo: Hackaday.io

With a resolution of just 400×300 pixels on its monochromatic E Ink display, text on the Open Book won’t look as pretty as it does on the Amazon Kindle Oasis which boasts a resolution of 1,680×1,264 pixels, but it should barely sip power from its built-in lithium-polymer rechargeable battery—a key benefit of using electronic paper.

The open source ereader—powered by an ARM Cortex M4 processor—will also include a headphone jack for listening to audio books, a dedicated flash chip for storing language files with specific character sets, and even a microphone that leverages a TensorFlow-trained AI model to intelligently process voice commands so you can quietly mutter “next!” to turn the page instead of reaching for one of the ereader’s physical buttons like a neanderthal. It can also be upgraded with additional functionality such as Bluetooth or wifi using Adafruit Feather expansion boards, but the most important feature is simply a microSD card slot allowing users to load whatever electronic text and ebook files they want. They won’t have to be limited by what a giant corporation approves for its online book store, or be subject to price-fixing schemes which, for some reason, have still resulted in electronic files costing more than printed books.

What remains to be seen is whether or not the Open Book Project can deliver an ereader that’s significantly cheaper than what Amazon or Rakuten has delivered to consumers. Both of those companies benefit from the economy of scale having sold millions of devices to date, and are able to throw their weight around when it comes to manufacturing costs and sourcing hardware. If the Open Book can be churned out for less than $50, it could potentially provide some solid competition to the limited ereader options currently out there.

Source: An Open Source eReader That’s Free of Corporate Restrictions Is Exactly What I Want Right Now

Body movement is achieved by molecular motors. A new ‘molecular nano-patterning’ technique allows us to study these motors, reveals that some motors coordinate differently

Body movement, from the muscles in your arms to the neurons transporting those signals to your brain, relies on a massive collection of proteins called molecular motors.

Fundamentally, molecular motors are proteins that convert chemical energy into mechanical movement, and have different functions depending on their task. However, because they are so small, the exact mechanisms by which these molecules coordinate with each other is poorly understood.

Publishing in Science Advances, Kyoto University’s School of Engineering has found that two types of kinesin molecular motors have different properties of coordination. Collaborating with the National Institute of Information and Communications Technology, or NICT, the findings were made possible thanks to a new tool the team developed that parks individual motors on platforms thousands of times smaller than a .

“Kinesin is a protein that is involved in actions such as cell division, muscle contractions, and flagella movement. They move along these long protein filaments called microtubules,” explains first author Taikopaul Kaneko. “In the body, kinesins work as a team to inside a cell, or allow the cell itself to move.”

To observe the coordination closely, the team constructed a device consisting of an array of gold nano-pillars 50 nanometers in diameter and spaced 200 to 1000 nanometers apart. For reference, a skin cell is about 30 micrometers, or 30,000 nanometers, in diameter.

“We then combined this array with self-assembled monolayers, or SAM, that immobilized a single kinesin molecule on each nano-pillar,” continues Kaneko. “This ‘nano-patterning’ method of motor proteins gives us control of the number and spacing of kinesins, allowing us to accurately calculate how they transport microtubules.”

The team evaluated two kinesins: kinesin-1 and kinesin-14, which are involved in intercellular transport and cell division, respectively. Their results showed that in the case of kinesin-1, neither the number nor spacing of the molecules change the transport velocity of microtubules.

In contrast, kinesin-14 decreased transport velocity as the number of motors on a filament increased, but increased it as the spacing of the motors increased. The results indicate that while kinesin-1 molecules work independently, kinesin-14 molecules interact with each other to tune the speed of transport.

Ryuji Yokokawa who led the team was surprised by the results, “Before we started this study, we thought that more motors led to faster transport and more force. But like most things in biology, it’s rarely that simple.”

The team will be using their new nano-patterning method to study the mechanics of other kinesins and different molecular motors.

“Humans have over 40 kinesins along with two other types of molecular motors called myosin and dynein. We can even modify our array to study how these motors act in a density gradient. Our results and this new tool are sure to expand our understanding of the various basic cellular processes fundamental to all life,” concludes Yokokawa.

Source: A new ‘molecular nano-patterning’ technique reveals that some molecular motors coordinate differently

Turns out that RNA affects DNA in multiple ways. Genes don’t just send messages to RNA which then direct proteins to do stuff.

Rather than directions going one-way from DNA to RNA to proteins, the latest study shows that RNA itself modulates how DNA is transcribed—using a chemical process that is increasingly apparent to be vital to biology. The discovery has significant implications for our understanding of human disease and drug design.

[…]

The picture many of us remember learning in school is an orderly progression: DNA is transcribed into RNA, which then makes proteins that carry out the actual work of living cells. But it turns out there are a lot of wrinkles.

He’s team found that the molecules called messenger RNA, previously known as simple couriers that carry instructions from DNA to proteins, were actually making their own impacts on protein production. This is done by a reversible chemical reaction called methylation; He’s key breakthrough was showing that this methylation was reversible. It wasn’t a one-time, one-way transaction; it could be erased and reversed.

“That discovery launched us into a modern era of RNA modification research, which has really exploded in the last few years,” said He. “This is how so much of gene expression is critically affected. It impacts a wide range of biological processes—learning and memory, circadian rhythms, even something so fundamental as how a cell differentiates itself into, say, a blood cell versus a neuron.”

[…]

they began to see that messenger RNA methylation could not fully explain everything they observed.

This was mirrored in other experiments. “The data coming out of the community was saying there’s something else out there, something extremely important that we’re missing—that critically impacts many early development events, as well as human diseases such as cancer,” he said.

He’s team discovered that a group of RNAs called chromosome-associated regulatory RNAs, or carRNAs, was using the same methylation process, but these RNAs do not code proteins and are not directly involved in translation. Instead, they controlled how DNA itself was stored and transcribed.

“This has major implications in basic biology,” He said. “It directly affects gene transcriptions, and not just a few of them. It could induce global chromatin change and affects transcription of 6,000 genes in the cell line we studied.”

He sees major implications in biology, especially in human health—everything from identifying the genetic basis of disease to better treating patients.

“There are several biotech companies actively developing small molecule inhibitors of RNA methylation, but right now, even if we successfully develop therapies, we don’t have a full mechanical picture for what’s going on,” he said. “This provides an enormous opportunity to help guide disease indication for testing inhibitors and suggest new opportunities for pharmaceuticals.”

Source: Surprise discovery shakes up our understanding of gene expression

Sorry to be blunt about this… Open AWS S3 storage bucket just made 30,000 potheads’ privacy go up in smoke

Personal records, including scans of ID cards and purchase details, for more than 30,000 people were exposed to the public internet from this unsecured cloud silo, we’re told. In addition to full names and pictures of customer ID cards, the 85,000-file collection is said to include email and mailing addresses, phone numbers, dates of birth, and the maximum amount of cannabis an individual is allowed to purchase. All available to download, unencrypted, if you knew where to look.

Because many US states have strict record-keeping requirements written into their marijuana legalization laws, dispensaries have to manage a certain amount of customer and inventory information. In the case of THSuite, those records were put into an S3 bucket that was left accessible to the open internet – including the Shodan.io search engine.

The bucket was taken offline last week after it was discovered on December 24, and its insecure configuration was reported to THSuite on December 26 and Amazon on January 7, according to vpnMentor. The S3 bucket’s data belonged to dispensaries in Maryland, Ohio, and Colorado, we’re told.

Source: Sorry to be blunt about this… Open AWS S3 storage bucket just made 30,000 potheads’ privacy go up in smoke • The Register

These VIPs May Want to Make Sure Mohammed bin Salman Didn’t Hack Them

In early 2018, Saudi Crown Prince Mohammed bin Salman took a sweeping tour of the U.S. as part of a strategy to rebrand Saudi Arabia’s ruling monarchy as a modernizing force and pull off his “Vision 2030” plan—hobnobbing with a list of corporate execs and politicians that reads like a who’s who list of the U.S. elite.

[…]

Bezos was one of the individuals that bin Salman met with during his trip to the U.S., and at the time, Amazon was considering investments in Saudi Arabia. Those plans went south after the Khashoggi murder, but a quick scan of the crown prince’s 2018 itinerary reveals other corporate leaders and politicians eager to get into his good graces.

These people may want to have their phones examined.

According to the New York Times, the crown prince started off with a meeting in D.C. with Donald Trump and his son-in-law Jared Kushner (the latter of whom may have real reason to worry due to his WhatsApp conversations with bin Salman). Politicians who met with him include Vice President Mike Pence, then-International Monetary Fund chief Christine Lagarde, and United Nations Secretary-General António Guterres, the Guardian reported. He also met with former Senator John Kerry and former President Bill Clinton, as well as the two former President Bushes.

While touting the importance of investment in Saudi Arabian projects including Neom, bin Salman’s plans for some kind of wonder city, the crown prince met with 40 U.S. business leaders. He also met with Goldman Sachs CEO Lloyd Blankfein and former New York mayor Michael Bloomberg, a 2020 presidential candidate, in New York.

One-on-one meetings included hanging out with Microsoft CEO Satya Nadella during the Seattle wing of the crown prince’s trip, as well as Microsoft co-founder Bill Gates.

[…]

Rupert Murdoch, as well as a bevy of prominent Hollywood personalities including Disney CEO Bob Iger, Universal film chairman Jeff Shell, Fox executive Peter Rice and film studio chief Stacey Snider, according to the Hollywood Reporter. Also present were Warner Bros. CEO Kevin Tsujihara, Nat Geo CEO Courtney Monroe, filmmakers James Cameron and Ridley Scott, and actors Morgan Freeman, Michael Douglas, and Dwayne “The Rock” Johnson.

During another leg of his trip in San Francisco, bin Salman met with Apple CEO Tim Cook as well as chief operating officer Jeff Williams, head of environment, policy, and social initiatives Lisa Jackson, and former retail chief Angela Ahrendts.

But to be fair, he also met Google co-founders Larry Page and Sergey Brin as well as current CEO Sundar Pichai.

[…]

ominous data analytics firm Palantir and met with its founder, venture capitalist Peter Thiel.

[…]

venture capitalists, including Andreessen Horowitz co-founder Marc Andreessen, Y Combinator chairman Sam Altman, and Sun Microsystems co-founder Vinod Khosla, according to Business Insider. Photos and the New York Times show that LinkedIn co-founder Reid Hoffman was also present.

Finally, bin Salman also met with Virgin Group founder Richard Branson and Magic Leap CEO Rony Abovitz.

During an earlier visit to the states in June 2016, bin Salman met with President Barack Obama before he traveled to San Francisco. At that time the crown prince visited Facebook and met CEO Mark Zuckerberg

[…]

At that time, the crown prince also met with Khan Academy CEO Salman Khan and then-Uber CEO Travis Kalanick,

[…]

then-SeaWorld CEO Joel Manby

Source: These VIPs May Want to Make Sure Mohammed bin Salman Didn’t Hack Them

Clearview has scraped all social media sites illegally and against their TOS, has all your pictures in a massive database (who knows how secure this is?) and a face recognition AI, and is selling access to it to cops, and who knows who else.

What if a stranger could snap your picture on the sidewalk then use an app to quickly discover your name, address and other details? A startup called Clearview AI has made that possible, and its app is currently being used by hundreds of law enforcement agencies in the US, including the FBI, says a Saturday report in The New York Times.

The app, says the Times, works by comparing a photo to a database of more than 3 billion pictures that Clearview says it’s scraped off Facebook, Venmo, YouTube and other sites. It then serves up matches, along with links to the sites where those database photos originally appeared. A name might easily be unearthed, and from there other info could be dug up online.

The size of the Clearview database dwarfs others in use by law enforcement. The FBI’s own database, which taps passport and driver’s license photos, is one of the largest, with over 641 million images of US citizens.

The Clearview app isn’t currently available to the public, but the Times says police officers and Clearview investors think it will be in the future.

The startup said in a statement Tuesday that its “technology is intended only for use by law enforcement and security personnel. It is not intended for use by the general public.”

Source: Clearview app lets strangers find your name, info with snap of a photo, report says – CNET

Using the system involves uploading photos to Clearview AI’s servers, and it’s unclear how secure these are. Although Clearview AI says its customer-support employees will not look at the photos that are uploaded, it appeared to be aware that Kashmir Hill (the Times journalist investigating the piece) was having police search for her face as part of her reporting:

While the company was dodging me, it was also monitoring me. At my request, a number of police officers had run my photo through the Clearview app. They soon received phone calls from company representatives asking if they were talking to the media — a sign that Clearview has the ability and, in this case, the appetite to monitor whom law enforcement is searching for.

The Times reports that the system appears to have gone viral with police departments, with over 600 already signed up. Although there’s been no independent verification of its accuracy, Hill says the system was able to identify photos of her even when she covered the lower half of her face, and that it managed to find photographs of her that she’d never seen before.

One expert quoted by The Times said that the amount of money involved with these systems means that they need to be banned before the abuse of them becomes more widespread. “We’ve relied on industry efforts to self-police and not embrace such a risky technology, but now those dams are breaking because there is so much money on the table,” said a professor of law and computer science at Northeastern University, Woodrow Hartzog, “I don’t see a future where we harness the benefits of face recognition technology without the crippling abuse of the surveillance that comes with it. The only way to stop it is to ban it.”

Source: The Verge

So Clearview has you, even if it violates TOS. How to stop the next guy from getting you in FB – maybe.

It should come as little surprise that any content you offer to the web for public consumption has the potential to be scraped and misused by anyone clever enough to do it. And while that doesn’t make this weekend’s report from The New York Times any less damning, it’s a great reminder about how important it is to really go through the settings for your various social networks and limit how your content is, or can be, accessed by anyone.

I won’t get too deep into the Times’ report; it’s worth reading on its own, since it involves a company (Clearview AI) scraping more than three billion images from millions of websites, including Facebook, and creating a facial-recognition app that does a pretty solid job of identifying people using images from this massive database.

Even though Clearview’s scraping techniques technically violate the terms of service on a number of websites, that hasn’t stopped the company from acquiring images en masse. And it keeps whatever it finds, which means that turning all your online data private isn’t going to help if Clearview has already scanned and grabbed your photos.

Still, something is better than nothing. On Facebook, likely the largest stash of your images, you’re going to want to visit Settings > Privacy and look for the option described: “Do you want search engines outside of Facebook to link to your profile?”

Turn that off, and Clearview won’t be able to grab your images. That’s not the setting I would have expected to use, I confess, which makes me want to go through all of my social networks and rethink how the information I share with them flows out to the greater web.

Lock down your Facebook even more with these settings

Since we’re already here, it’s worth spending a few minutes wading through Facebook’s settings and making sure as much of your content is set to friends-only as possible. That includes changing “Who can see your future posts” to “friends,” using the “Limit Past Posts” option to change everything you’ve previously posted to friends-only, and making sure that only you can see your friends list—to prevent any potential scraping and linking that some third-party might attempt. Similarly, make sure only your friends (or friends of friends) can look you up via your email address or phone number. (You never know!)

You should then visit the Timeline and Tagging settings page and make a few more changes. That includes only allowing friends to see what other people post on your timeline, as well as posts you’re tagged in. And because I’m a bit sensitive about all the crap people tag me in on Facebook, I’d turn on the “Review” options, too. That won’t help your account from being scraped, but it’s a great way to exert more control over your timeline.

Screenshot: David Murphy

Finally, even though it also doesn’t prevent companies from scraping your account, pull up the Public posts section of Facebook’s settings page and limit who is allowed to follow you (if you desire). You should also restrict who can comment on or like your public information, like posts or other details about your life you share openly on the service.

Screenshot: David Murphy

Once I fix Facebook, then what?

Here’s the annoying part. Were I you, I’d take an afternoon or evening and write out all the different places I typically share snippets of my life online. For most, maybe that’s probably a handful of social services: Facebook, Instagram, Twitter, YouTube, Flickr, et cetera.

Once you’ve created your list, I’d dig deep into the settings of each service and see what options you have, if any, for limiting the availability of your content. This might run contrary to how you use the service—if you’re trying to gain lots of Instagram followers, for example, locking your profile to “private” and requiring potential followers to request access might slow your attempts to become the next big Insta-star. However, it should also prevent anyone with a crafty scraping utility from mass-downloading your photos (and associating them with you, either through some fancy facial-recognition tech, or by linking them to your account).

Source: Change These Facebook Settings to Protect Your Photos From Facial Recognition Software

‘I am done with open source’: Developer of Rust Actix web framework quits, appoints new maintainer

The maintainer of the Actix web framework, written in Rust, has quit the project after complaining of a toxic web community – although over 100 Actix users have since signed a letter of support for him.

Actix Web was developed by Nikolay Kim, who is also a senior software engineer at Microsoft, though the Actix project is not an official Microsoft project. Actix Web is based on Actix, a framework for Rust based on the Actor model, also developed by Kim.

The web framework is important to the Rust community partly because it addresses a common use case (developing web applications) and partly because of its outstanding performance. For some tests, Actix tops the Techempower benchmarks.

The project is open source and while it is popular, there has been some unhappiness among users about its use of “unsafe” code. In Rust, there is the concept of safe and unsafe. Safe code is protected from common bugs (and more importantly, security vulnerabilities) arising from issues like variables which point to uninitialized memory, or variables which are used after the memory allocated to them has been freed, or attempting to write data to a variable which exceeds the memory allocated. Code in Rust is safe by default, but the language also supports unsafe code, which can be useful for interoperability or to improve performance.

Actix is top of the Techempower benchmarks on some tests

There is extensive use of unsafe code in Actix, leading to debate about what should be fixed. Kim was not always receptive to proposed changes. Most recently, developer Sergey Davidoff posted about code which “violates memory safety by handing out multiple mutable references to the same data, which can lead to, eg, a use-after-free vulnerability.”

Davidoff also stated that: “I have reported the issue to the maintainers, but they have refused to investigate it,” referring to a bug report which Kim deleted.

Debate on this matter on the Reddit Rust forum became heated and personal, the key issue being not so much the existence of real or potential vulnerabilities, but Kim’s habit of ignoring or deleting some reports. Kim decided to quit. On January 17th, he posted an “Actix project postmortem”, defending his position and complaining about the community response.

“Be[ing] a maintainer of large open source project is not a fun task. You[‘re] alway[s] face[d] with rude[ness] and hate, everyone knows better how to build software, nobody wants to do homework and read docs and think a bit and very few provide any help. … You could notice after each unsafe shitstorm, i started to spend less and less time with the community. … Nowadays supporting actix project is not fun, and be[ing] part of rust community is not fun as well. I am done with open source.”

Kim said that he did not ignore or delete issues arbitrarily, but only because he felt he had a better or more creative solution than the one proposed – while also acknowledging that the “removing issue was a stupid idea.” He also threatened to “make [Actix] repos private and then delete them.”

Over on the official Actix forum, he said he was “highly sceptical about fork viability” perhaps because, at least according to him, “no one showed any sign of project architecture understanding.”

So long, and good luck

Since then, matters have improved. The Github repository was restored and Kim said:

I realized, a lot of people depend on actix. And it would be unfair to just delete repos. I promote @JohnTitor to project leader. He did very good job helping me for the last year. I hope new community of developers emerge. And good luck!

In addition, Kim has started winning support from many community members, as evidenced by a letter with over 100 signatories thanking him and stating: “We are extremely disappointed at the level of abuse directed towards you.”

The episode demonstrates that expert developers are often not expert in managing the human relations aspect of projects that can become significant. It also shows how some contributors and users do not practice best behaviour in online interactions, forgetting the extent of the work done by volunteers and for which, it’s worth noting, they have paid nothing.

Positive recent developments may mean that Actix development continues, that bugs and security vulnerabilities are fixed, and that its community gets a better handle on how to proceed constructively. ®

Source: ‘I am done with open source’: Developer of Rust Actix web framework quits, appoints new maintainer • The Register

Netgear leaves admin interface’s TLS cert and private key in router firmware

Netgear left in its router firmware key ingredients needed to intercept and tamper with secure connections to its equipment’s web-based admin interfaces.

Specifically, valid, signed TLS certificates with private keys were embedded in the software, which was available to download for free by anyone, and also shipped with Netgear devices. This data can be used to create HTTPS certs that browsers trust, and can be used in miscreant-in-the-middle attacks to eavesdrop on and alter encrypted connections to the routers’ built-in web-based control panel.

In other words, the data can be used to potentially hijack people’s routers. It’s partly an embarrassing leak, and partly indicative of manufacturers trading off security, user friendliness, cost, and effort.

Security mavens Nick Starke and Tom Pohl found the materials on January 14, and publicly disclosed their findings five days later, over the weekend.

The blunder is a result of Netgear’s approach to balancing security against user convenience. When configuring their kit, owners of Netgear equipment are expected to visit https://routerlogin.net or https://routerlogin.com. The router ensures those domain names resolve to its own IP address on the local network, so rather than have people enter 192.168.1.1 or similar, they can just use a memorable domain name.

To establish an HTTPS connection without browser complaints about insecure HTTP or untrusted certs, the router has to present a certificate for routerlogin.net or routerlogin.com that browsers trust, which means one issued by a public CA. To prove during the TLS handshake that it legitimately holds that certificate, the router needs the certificate’s private key. That key is stored unprotected in the firmware image, so anyone can extract and abuse it; and because it ships in the image rather than being generated on each device, every router running that firmware presents the same key.

Netgear doesn’t want to provide an HTTP-only admin interface, presumably to avoid browser warnings about insecure connections and to thwart eavesdroppers on the local network. But if it uses HTTPS, the built-in web server has to prove ownership of its cert, and therefore needs the private key. So either Netgear switches to per-device key pairs, stores the private key in a secure element or HSM inside the router, falls back to plain HTTP, or comes up with some other solution. A further consequence of the disclosure is that the issuing CA is obliged to revoke a certificate whose key is known to be compromised, so the shipped certificate cannot simply be left in place. You can follow that debate here.
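The practitioner’s first question on reading this is whether their own firmware images carry the same kind of material. The following is an added example, not code from Netgear or from the researchers who found the leak: it scans unpacked firmware blobs for PEM-encoded certificates and private keys, fingerprints each key, and reports any key that recurs across images, which is the tell-tale of a shared rather than per-device secret. It assumes the images have already been unpacked (real firmware is usually compressed or in a squashfs and needs binwalk or unsquashfs first), and the sample images below are constructed in the script with filler bytes in place of real DER key material, since embedding real keys would defeat the point.

```python
import base64
import hashlib
import re
from typing import Dict, List, Tuple

# PEM labels that matter here: X.509 certificates and private keys in PKCS#1
# ("RSA PRIVATE KEY"), PKCS#8 ("PRIVATE KEY") or SEC1 ("EC PRIVATE KEY") form.
PEM_RE = re.compile(
    rb"-----BEGIN ((?:RSA |EC )?PRIVATE KEY|CERTIFICATE)-----\s*"
    rb"([A-Za-z0-9+/=\s]+?)\s*"
    rb"-----END \1-----"
)


def find_pem_blocks(blob: bytes) -> List[Tuple[str, bytes]]:
    """Return (label, DER bytes) for every well-formed PEM block in a binary blob.

    Unpacked firmware is mostly binary, so a PEM block is a rare printable island
    and a regex over the raw bytes is sufficient to locate candidates.
    """
    found = []
    for m in PEM_RE.finditer(blob):
        label = m.group(1).decode("ascii")
        body = re.sub(rb"\s+", b"", m.group(2))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            continue  # looks like PEM but is not base64: e.g. a UI template string
        # X.509 certificates and PKCS#1/PKCS#8/SEC1 keys all start with a DER SEQUENCE (0x30).
        if der[:1] != b"\x30":
            continue
        found.append((label, der))
    return found


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER bytes, a stable identity for a key across images."""
    return hashlib.sha256(der).hexdigest()


def shared_private_keys(images: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map fingerprint -> image names, for every private key found in more than one image."""
    seen: Dict[str, List[str]] = {}
    for name, blob in images.items():
        for label, der in find_pem_blocks(blob):
            if "PRIVATE KEY" in label:
                seen.setdefault(fingerprint(der), []).append(name)
    return {fp: names for fp, names in seen.items() if len(names) > 1}


# ---- constructed sample data (not real keys or certificates) ----------------

def _fake_der(seed: bytes) -> bytes:
    """Stand-in for DER material: a SEQUENCE tag followed by filler bytes."""
    return b"\x30\x82" + seed * 20


def _pem(label: str, der: bytes) -> bytes:
    """Wrap DER bytes as a PEM block with 64-character base64 lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    head = b"-----BEGIN " + label.encode() + b"-----\n"
    tail = b"\n-----END " + label.encode() + b"-----\n"
    return head + b"\n".join(lines) + tail


SHARED_KEY = _fake_der(b"\x01\x02\x03")   # "the" key baked into every build
CERT = _fake_der(b"\x0a\x0b\x0c")
DEVICE_KEY = _fake_der(b"\x07\x07\x07")   # a key that appears in one image only

# Hypothetical image names; contents are ELF-ish padding around the PEM blocks.
SAMPLE_IMAGES = {
    "router-v1.0.bin": b"\x7fELF" + b"\x00" * 64 + _pem("CERTIFICATE", CERT)
                       + b"\xff" * 32 + _pem("RSA PRIVATE KEY", SHARED_KEY),
    "router-v1.1.bin": b"\x7fELF" + b"\x00" * 80 + _pem("RSA PRIVATE KEY", SHARED_KEY)
                       + b"-----BEGIN PRIVATE KEY-----\nAAAAA\n-----END PRIVATE KEY-----\n",
    "other-device.bin": _pem("EC PRIVATE KEY", DEVICE_KEY),
}


if __name__ == "__main__":
    for name, blob in SAMPLE_IMAGES.items():
        for label, der in find_pem_blocks(blob):
            print(f"{name}: {label} {fingerprint(der)[:16]}")
    for fp, names in shared_private_keys(SAMPLE_IMAGES).items():
        print(f"SHARED private key {fp[:16]} in: {', '.join(names)}")
```

Once a key and a certificate have been pulled out of a real image, confirm they belong together with `openssl x509 -noout -modulus -in cert.pem` and `openssl rsa -noout -modulus -in key.pem`; identical moduli mean the key signs for that certificate. The regex only recognises PEM; keys stored as raw DER or in a vendor-specific container need a different search (binwalk’s signature scan is a reasonable next step).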

Source: Leave your admin interface’s TLS cert and private key in your router firmware in 2020? Just Netgear things • The Register

Immune cell which kills most cancers discovered by accident by Welsh scientists in major breakthrough 

A new type of immune cell which kills most cancers has been discovered by accident by British scientists, in a finding which could herald a major breakthrough in treatment.

Researchers at Cardiff University were analysing blood from a bank in Wales, looking for immune cells that could fight bacteria, when they found an entirely new type of T-cell.

That new immune cell carries a never-before-seen receptor which acts like a grappling hook, latching on to most human cancers, while ignoring healthy cells.

In laboratory studies, immune cells equipped with the new receptor were shown to kill lung, skin, blood, colon, breast, bone, prostate, ovarian, kidney and cervical cancer.

Professor Andrew Sewell, lead author on the study and an expert in T-cells from Cardiff University’s School of Medicine, said it was “highly unusual” to find a cell with such broad cancer-fighting capabilities, and that it raised the prospect of a universal therapy.

“This was a serendipitous finding, nobody knew this cell existed,” Prof Sewell told The Telegraph.

“Our finding raises the prospect of a ‘one-size-fits-all’ cancer treatment, a single type of T-cell that could be capable of destroying many different types of cancers across the population. Previously nobody believed this could be possible.”

[…]

the new cell attaches to a molecule on cancer cells called MR1, which does not vary in humans.

It means that not only would the treatment work for most cancers, but it could be shared between people, raising the possibility that banks of the special immune cells could be created for instant ‘off-the-shelf’ treatment in future.

When researchers injected the new immune cells into mice bearing human cancer and with a human immune system, they found ‘encouraging’ cancer-clearing results.

And they showed that T-cells of skin cancer patients, which were modified to express the new receptor, could destroy not only the patient’s own cancer cells, but also other patients’ cancer cells in the laboratory.

[…]

Professor Awen Gallimore, of the University’s division of infection and immunity and cancer immunology lead for the Wales Cancer Research Centre, added: “If this transformative new finding holds up, it will lay the foundation for a ‘universal’ T-cell medicine, mitigating against the tremendous costs associated with the identification, generation and manufacture of personalised T-cells.

“This is truly exciting and potentially a great step forward for the accessibility of cancer immunotherapy.”

Commenting on the study, Daniel Davis, Professor of Immunology at the University of Manchester, said it was an exciting discovery which opened the door to cellular therapies being used for more people.

“We are in the midst of a medical revolution harnessing the power of the immune system to tackle cancer.  But not everyone responds to the current therapies and there can be harmful side-effects.

“The team have convincingly shown that, in a lab dish, this type of immune cell reacts against a range of different cancer cells.

“We still need to understand exactly how it recognises and kills cancer cells, while not responding to normal healthy cells.”

The research was published in the journal Nature Immunology.

Source: Immune cell which kills most cancers discovered by accident by British scientists in major breakthrough 

Local water availability is permanently reduced after planting forests

River flow is reduced in areas where forests have been planted and does not recover over time, a new study has shown. Rivers in some regions can completely disappear within a decade. This highlights the need to consider the impact on regional water availability, as well as the wider climate benefit, of tree-planting plans.

“Reforestation is an important part of tackling climate change, but we need to carefully consider the best places for it. In some places, changes to water availability will completely change the local cost-benefits of tree-planting programmes,” said Laura Bentley, a plant scientist in the University of Cambridge Conservation Research Institute, and first author of the report.

Planting large areas of forest has been suggested as one of the best ways of reducing atmospheric carbon dioxide levels, since trees absorb and store this greenhouse gas as they grow. While it has long been known that planting trees reduces the amount of water flowing into nearby rivers, there has previously been no understanding of how this effect changes as forests age.

The study looked at 43 sites across the world where forests have been established, and used river flow as a measure of water availability in the region. It found that within five years of planting trees, river flow had reduced by an average of 25%. By 25 years, rivers had gone down by an average of 40% and in a few cases had dried up entirely. The biggest percentage reductions in water availability were in regions in Australia and South Africa.

“River flow does not recover after planting trees, even after many years, once disturbances in the catchment and the effects of climate are accounted for,” said Professor David Coomes, Director of the University of Cambridge Conservation Research Institute, who led the study.

Published in the journal Global Change Biology, the research showed that the type of land where trees are planted determines the degree of impact they have on local water availability. Trees planted on natural grassland where the soil is healthy decrease river flow significantly. On land previously degraded by agriculture, establishing forest helps to repair the soil so it can hold more water and decreases nearby river flow by a lesser amount.

Counterintuitively, the effect of trees on river flow is smaller in drier years than wetter ones. When trees are drought-stressed they close the pores on their leaves to conserve water, and as a result draw up less water from the soil. In wetter years the trees use more water from the soil, and also catch the rainwater in their leaves.

“Climate change will affect water availability around the world,” said Bentley. “By studying how forestation affects water availability, we can work to minimise any local consequences for people and the environment.”

Source: Local water availability is permanently reduced after planting forests

Ultrafast camera takes 1 trillion frames per second of transparent objects and phenomena, can photograph light pulses

A little over a year ago, Caltech’s Lihong Wang developed the world’s fastest camera, a device capable of taking 10 trillion pictures per second. It is so fast that it can even capture light traveling in slow motion.

But sometimes just being quick is not enough. Indeed, not even the fastest camera can take pictures of things it cannot see. To that end, Wang, Bren Professor of Medical Engineering and Electrical Engineering, has developed a camera that can take up to 1 trillion pictures per second of transparent objects. A paper about the camera appears in the January 17 issue of the journal Science Advances.

The technology, which Wang calls phase-sensitive compressed ultrafast photography (pCUP), can take video not just of transparent objects but also of more ephemeral things like shockwaves and possibly even of the signals that travel through neurons.

Wang explains that his new imaging system combines the high-speed photography system he previously developed with an old technology, phase-contrast microscopy, that was designed to allow better imaging of objects that are mostly transparent such as cells, which are mostly water.

[…]

Wang says the technology, though still early in its development, may ultimately have uses in many fields, including physics, biology, or chemistry.

“As signals travel through neurons, there is a minute dilation of nerve fibers that we hope to see. If we have a network of neurons, maybe we can see their communication in real time,” Wang says. In addition, he says, because temperature is known to change phase contrast, the system “may be able to image how a flame front spreads in a combustion chamber.”

The paper describing pCUP is titled “Picosecond-resolution phase-sensitive imaging of transparent objects in a single shot.”

Source: Ultrafast camera takes 1 trillion frames per second of transparent objects and phenomena

HP Remotely Disables a Customer’s Printer Until He Joins Company’s Monthly Subscription Service

A Twitter user’s complaint last week in which he produces photo evidence of HP warning him that his ink cartridges would be disabled until he starts paying for HP Instant Ink monthly subscription service has gone viral on the social media.

Ryan Sullivan, the user who made the complaint, said he only discovered the warning after cancelling a random HP subscription — which charged him $4.99 a month — after “over a year” of the billing cycle. “Cartridge cannot be used until printer is enrolled in HP Instant Ink,” Sullivan was informed by an error message.

Source: HP Remotely Disables a Customer’s Printer Until He Joins Company’s Monthly Subscription Service – Slashdot

Opera reportedly has multiple predatory loan apps in the Play Store with interest rates of up to 876%

It’s no secret that Opera isn’t doing so well in the era of Chrome dominance. According to a report published by Hindenburg Research, the company’s losses in browser revenue have apparently led it to create multiple loan apps with short payment windows and interest rates of ~365-876%, which are in violation of new Play Store rules Google enacted last year.

You may recall that Opera became a public company in mid-2017, shortly after it was purchased by a China-based investor group. Since then, Opera’s market share has continued to fall, due to the increasing dominance of Chrome. As a result, Opera decided to pivot to predatory short-term lending in Africa and Asia across four apps: OKash and OPesa in Kenya, CashBean in India, and OPay in Nigeria.

The apps have apparently remained available in the Play Store (except OPesa, which seems to be gone) by advertising different loan rates in the app description than users actually receive. For example, the listing for OKash stated its loans range from 91-365 days (the page now says 61-365 days), but an email response from the company stated it only offered loans from 15-29 days — significantly lower than the 60-day minimum enforced by Google. All of Opera’s other apps were also found to be in violation to varying extents.

If you think that’s bad, then buckle in! According to Play Store reviews, the OKash and OPesa apps sent text messages or calls to people in the user’s contacts when payments were late, threatening to take legal action or place the borrower on a credit blacklist. A former employee told Hindenburg Research that this practice ended last year “because it was said it was illegal.” That’s probably a good reason to stop doing something, right?

Play Store reviews on OKash

Unfortunately for Opera, scamming low-income people isn’t helping the company’s financial situation. With all apps in violation of Play Store policies (and one already removed from the store), Opera’s primary means of income could very well disappear, and Hindenburg Research found evidence of investor money possibly being redirected to other companies and people:

1. $9.5 million of cash went toward an entity that appears to have been owned 100% by Opera’s Chairman/CEO, despite company disclosures suggesting otherwise. Ostensibly, the reason for the payment was to ‘purchase’ a business that was already funded and operated by Opera. To us, this transaction simply looks like a cash withdrawal.

2. $30 million of cash went into a karaoke app business owned by Opera’s Chairman/CEO, days before the arrest of a key business partner.

3. $31+ million of cash was doled out for “marketing expenses and prepayments” to an antivirus software company controlled by an Opera director and influenced by Opera’s Chairman/CEO. The antivirus company has no other known marketing clients, but is paid to help Opera with Google and Facebook ads and other marketing services. (Note: Most firms use a marketing agency for help with marketing needs.)

Since the report was released on January 16th, Opera’s stock price has dropped from ~$9 to $7.15 after hours (as of the time of writing).

You can read the full report at the link below. In the meantime, it might be a good idea to uninstall any Opera-owned apps — they might start sending texts to your friends about your browsing habits.

Source: Opera reportedly has multiple predatory loan apps in the Play Store with interest rates of up to 876%

BlackVue dashcam shows anyone everywhere you are in real time and where you have been in the past

An app that is supposed to be a fun activity for dashcam users to broadcast their camera feeds and drives is actually allowing people to scrape and store the real-time location of drivers across the world.

BlackVue is a dashcam company with its own social network. With a small, internet-connected dashcam installed inside their vehicle, BlackVue users can receive alerts when their camera detects an unusual event such as someone colliding with their parked car. Customers can also allow others to tune into their camera’s feed, letting others “vicariously experience the excitement and pleasure of driving all over the world,” a message displayed inside the app reads.

Users are invited to upload footage of their BlackVue camera spotting people crashing into their cars or other mishaps with the #CaughtOnBlackVue hashtag. It’s kind of like Amazon’s Ring cameras, but for cars. BlackVue exhibited at CES earlier this month, and was previously featured on Innovations with Ed Begley Jr. on the History Channel.

But what BlackVue’s app doesn’t make clear is that it is possible to pull and store users’ GPS locations in real-time over days or even weeks. Motherboard was able to track the movements of some of BlackVue’s customers in the United States.

The news highlights privacy issues that some BlackVue customers or other dashcam users may not be aware of, and more generally the potential dangers of adding an internet and GPS enabled device into your vehicle. It also shows how developers may have one use case for an app, while people can discover others: although BlackVue wanted to create an entertaining app where users could tap into each others’ feeds, they may not have realized that it would be trivially easy to track its customers’ movements in granular detail, at scale, and over time.

BlackVue acts as another example of how surveillance products that are nominally intended to protect a user have been designed in such a way that can end up in a user being spied on, too.

“I don’t think people understand the risk,” Lee Heath, an information security professional and BlackVue user told Motherboard. “I knew about some of the cloud features which I wanted. You can have it automatically connect and upload when events happen. But I had no idea about the sharing” before receiving the device as a gift, he added.

Ordinarily, BlackVue lets anyone create an account and then view a map of cameras that are broadcasting their location and live feed. This broadcasting is not enabled by default, and users have to select the option to do so when setting up or configuring their own camera. Motherboard tuned into live feeds from users in Hong Kong, China, Russia, the U.K., Germany, and elsewhere. BlackVue spokesperson Jeremie Sinic told Motherboard in an email that the users on the map only represent a tiny fraction of BlackVue’s overall customers.

But the actual GPS data that drives the map is available and publicly accessible.

A screenshot of the location data of one BlackVue user that Motherboard tracked throughout New York. Motherboard has heavily obfuscated the data to protect the individual’s privacy. Image: Motherboard

By reverse engineering the iOS version of the BlackVue app, Motherboard was able to write scripts that pull the GPS location of BlackVue users over a week-long period and store the coordinates and other information, such as the user’s unique identifier. One script could collect the location data of every BlackVue user who had mapping enabled on the eastern half of the United States every two minutes. Motherboard collected data on dozens of customers.

With that data, we were able to build a picture of several BlackVue users’ daily routines: one drove around Manhattan during the day, perhaps as a rideshare driver, before then leaving for Queens in the evening. Another BlackVue user regularly drove around Brooklyn, before parking on a specific block in Queens overnight. The user did this for several different nights, suggesting this may be where the owner lives or stores their vehicle. A third showed someone driving a truck all over South Carolina.

Some customers may use BlackVue as part of a fleet of vehicles; an employer wanting to keep tabs on their delivery trucks as they drive around, for instance. But BlackVue also markets its products to ordinary consumers who want to protect their cars.

A screenshot of Motherboard accessing someone’s public live feed as the user is driving in public away from their apparent home. Motherboard has redacted the user information to protect individual privacy. Image: Motherboard

BlackVue’s Sinic said that collecting GPS coordinates of multiple users over an extended period of time is not supposed to be possible.

“Our developers have updated the security measures following your report from yesterday that I forwarded,” Sinic said. After this, several of Motherboard’s web requests that previously provided user data stopped working.

In 2018 the company did make some privacy-related changes to its app, meaning users were not broadcasting their camera feeds by default.

“I think BlackVue has decent ideas as far as leaving off by default but allows people to put themselves at risk without understanding,” Heath, the BlackVue user, said.

Motherboard has deleted all of the data collected to preserve individuals’ privacy.

Source: This App Lets Us See Everywhere People Drive – VICE

PopSockets CEO calls out Amazon’s ‘bullying with a smile’ tactics, shows how monopolies are bad for competition

Amazon has a “bullying” problem.

So insisted PopSockets CEO and inventor David Barnett today while describing his company’s relationship with the e-commerce and logistics giant. Barnett was addressing members of the House Subcommittee on Antitrust, Commercial, and Administrative Law and, over the course of the hearing, laid out how the Jeff Bezos-helmed corporate behemoth had pressured his smartphone accessory company in a manner best described as incredibly shady.

Barnett was joined by executives from Sonos, Basecamp, and Tile, who all took turns airing a list of grievances against major tech players such as Amazon, Apple, Facebook and Google. They all recounted, in manners specific to their respective companies, how the major tech players have used their market dominance to squeeze smaller competitors in allegedly anticompetitive ways.

The CEO of PopSockets, however, appeared to have a personal beef with Jeff Bezos (which he pronounced “Bey-zoo”).

“Multiple times we discovered that Amazon itself had sourced counterfeit product and was selling it alongside our own product,” he noted.

Barnett, under oath, told the gathered members of the House that Amazon initially played nice only to drop the hammer when it believed no one was watching. After agreeing to a written contract stipulating a price at which PopSockets would be sold on Amazon, the e-commerce giant would then allegedly unilaterally lower the price and demand that PopSockets make up the difference.

Colorado Congressman Ed Perlmutter asked Barnett how Amazon could “ignore the contract that [PopSockets] entered into and just say, ‘Sorry, that was our contract, but you got to lower your price.'”

Barnett didn’t mince words.

“With coercive tactics, basically,” he replied. “And these are tactics that are mainly executed by phone. It’s one of the strangest relationships I’ve ever had with a retailer.”

Barnett emphasized that, on paper, the contract “appears to be negotiated in good faith.”

However, he claimed, this is followed by “… frequent phone calls. And on the phone calls we get what I might call bullying with a smile. Very friendly people that we deal with who say, ‘By the way, we dropped the price of X product last week. We need you to pay for it.'”

Barnett said he would push back and that’s when “the threats come.”

He asserted that Amazon representatives would tell him over the phone: “If we don’t get it, then we’re going to source product from the gray market.”

In other words, as with so many things Amazon, it’s either play ball or get bent according to Barnett.

An Amazon spokesperson reached for comment, unsurprisingly, framed the issue differently.

“We sought to continue working with PopSockets as a vendor to ensure that we could provide competitive prices, availability, broad selection and fast delivery for those products to our customers,” read the statement in part. “Like any brand, however, PopSockets is free to choose which retailers it supplies and chose to stop selling directly through Amazon.”

Essentially, in Amazon’s view, PopSockets chose to get bent. We should all be so lucky to be offered such a choice.

Source: PopSockets CEO calls out Amazon’s ‘bullying with a smile’ tactics

PGP keys, software security, and much more threatened by new SHA1 exploit

Three years ago, Ars declared the SHA1 cryptographic hash algorithm officially dead after researchers performed the world’s first known instance of a fatal exploit known as a “collision” on it. On Tuesday, the dead SHA1 horse got clobbered again as a different team of researchers unveiled a new attack that’s significantly more powerful.

The new collision gives attackers more options and flexibility than were available with the previous technique. It makes it practical to create PGP encryption keys that, when digitally signed using the SHA1 algorithm, impersonate a chosen target. More generally, it is a chosen-prefix collision: starting from two arbitrary attacker-chosen inputs, it computes data to append to each so that both end up with the same hash. The attack unveiled on Tuesday also costs as little as $45,000 to carry out. The attack disclosed in 2017, by contrast, didn’t allow forgeries on specific predetermined document prefixes and was evaluated to cost from $110,000 to $560,000 on Amazon’s Web Services platform, depending on how quickly adversaries wanted to carry it out.

The new attack is significant. While SHA1 has been slowly phased out over the past five years, it remains far from being fully deprecated. It’s still the default hash function for certifying PGP keys in the legacy 1.4 version branch of GnuPG, the open-source successor to the PGP application for encrypting email and files. Those SHA1-generated signatures were accepted by the modern GnuPG branch until recently, and were only rejected after the researchers behind the new collision privately reported their results.

Git, the world’s most widely used system for managing software development among multiple people, still relies on SHA1 to ensure data integrity. And many non-Web applications that rely on HTTPS encryption still accept SHA1 certificates. SHA1 is also still allowed for in-protocol signatures in the Transport Layer Security and Secure Shell protocols.

In a paper presented at this week’s Real World Crypto Symposium in New York City, the researchers warned that even if SHA1 usage is low or used only for backward compatibility, it will leave users open to the threat of attacks that downgrade encrypted connections to the broken hash function. The researchers said their results underscore the importance of fully phasing out SHA1 across the board as soon as possible.

“This work shows once and for all that SHA1 should not be used in any security protocol where some kind of collision resistance is to be expected from the hash function,” the researchers wrote. “Continued usage of SHA1 for certificates or for authentication of handshake messages in TLS or SSH is dangerous, and there is a concrete risk of abuse by a well-motivated adversary. SHA1 has been broken since 2004, but it is still used in many security systems; we strongly advise users to remove SHA1 support to avoid downgrade attacks.”
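The researchers’ advice is to remove SHA1 support, and the first step is finding where it is still in use. For X.509 this means reading the signature-algorithm identifier out of each certificate rather than trusting a tool’s summary. The following is an added example, not code from the researchers or from Ars: a minimal DER walker, using only the standard library, that extracts the outer signatureAlgorithm OID from a certificate and flags the SHA1-based ones. The certificates it runs on are constructed skeletons built in the script (a placeholder tbsCertificate and filler signature bytes), not real certificates; the OID values themselves are the standard registered ones.

```python
from typing import List, Optional, Tuple

# Signature-algorithm OIDs that bind a SHA-1 digest to the signature.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.3.14.3.2.29": "sha1WithRSAEncryption (OIW arc)",
}


def der_read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode one DER element at pos -> (tag, contents, position after it).

    Handles single-byte tags and definite lengths, which is all X.509 uses.
    """
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:end], end


def der_children(contents: bytes) -> List[Tuple[int, bytes]]:
    """Split a constructed element's contents into (tag, contents) children."""
    out, pos = [], 0
    while pos < len(contents):
        tag, body, pos = der_read_tlv(contents, pos)
        out.append((tag, body))
    return out


def decode_oid(body: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) to dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der: bytes) -> str:
    """OID of the outer signatureAlgorithm of an X.509 Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY OPTIONAL }
    """
    tag, contents, _ = der_read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = der_children(contents)
    if len(fields) != 3 or fields[1][0] != 0x30:
        raise ValueError("not an X.509 Certificate structure")
    alg = der_children(fields[1][1])
    if not alg or alg[0][0] != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(alg[0][1])


def sha1_signature_name(cert_der: bytes) -> Optional[str]:
    """Name of the SHA-1 signature scheme if the certificate uses one, else None."""
    return SHA1_SIGNATURE_OIDS.get(signature_algorithm_oid(cert_der))


# ---- constructed sample certificates (skeletons, not valid certificates) ----

def _der(tag: int, contents: bytes) -> bytes:
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents


def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return _der(0x06, body)


def sample_cert(sig_oid: str) -> bytes:
    """tbsCertificate holds only a placeholder serial; signatureValue is filler.
    The 200-byte filler forces a long-form length, exercising that decoder path."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _oid(sig_oid) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\xaa" * 200)
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11", "1.2.840.10045.4.1"):
        cert = sample_cert(oid)
        print(oid, "->", sha1_signature_name(cert) or "not SHA-1")
```

To run it over a real certificate, convert PEM to DER with `ssl.PEM_cert_to_DER_cert()` from the standard library and pass the bytes to `sha1_signature_name`. Two caveats when reading the results: a self-signed root that is SHA1-signed is not itself a problem, because a root’s own signature is never verified (trust rests on its key), so what matters is every intermediate and leaf; and this check says nothing about SSH, where the page’s concern is the `ssh-rsa` signature scheme (RSA over SHA1) rather than a certificate field.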

Source: PGP keys, software security, and much more threatened by new SHA1 exploit | Ars Technica

More than 600 million users installed Android ‘fleeceware’ apps from the Play Store – where they don’t cancel your trial after uninstalling

Security researchers from Sophos say they’ve discovered a new set of “fleeceware” apps that appear to have been downloaded and installed by more than 600 million Android users.

The term fleeceware is a recent addition to the cyber-security jargon. It was coined by UK cyber-security firm Sophos last September following an investigation that discovered a new type of financial fraud on the official Google Play Store.

It refers to apps that abuse the ability of Android apps to offer trial periods before a payment is charged to the user’s account.

By default, all users who sign up for an Android app trial period have to cancel the trial manually to avoid being charged. However, most users just uninstall an app when they don’t like it.

The vast majority of app developers interpret this action — a user uninstalling their app — as a trial period cancelation and don’t follow through with a charge.

But last year, Sophos discovered that some Android app developers do not cancel an app’s trial period once the app is uninstalled unless they receive a specific cancellation request from the user.

Sophos said it initially discovered 24 Android apps that were charging obscene fees (between $100 and $240 per year) for the most basic and simplistic apps, such as QR/barcode readers and calculators.

Sophos researchers called these apps “fleeceware.”

In a new report published yesterday, Sophos said it discovered another set of Android “fleeceware” apps that have continued to abuse the app trial mechanism to impose charges to users after they uninstalled an app.

Source: More than 600 million users installed Android ‘fleeceware’ apps from the Play Store | ZDNet

Mozilla (Firefox) lays off 70 as it waits for new products to generate revenue

In an internal memo, Mozilla chairwoman and interim CEO Mitchell Baker specifically mentions the slow rollout of the organization’s new revenue-generating products as the reason for why it needed to take this action. The overall number may still be higher, though, as Mozilla is still looking into how this decision will affect workers in the U.K. and France. In 2018, Mozilla Corporation (as opposed to the much smaller Mozilla Foundation) said it had about 1,000 employees worldwide.

“You may recall that we expected to be earning revenue in 2019 and 2020 from new subscription products as well as higher revenue from sources outside of search. This did not happen,” Baker writes in her memo. “Our 2019 plan underestimated how long it would take to build and ship new, revenue-generating products. Given that, and all we learned in 2019 about the pace of innovation, we decided to take a more conservative approach to projecting our revenue for 2020. We also agreed to a principle of living within our means, of not spending more than we earn for the foreseeable future.”

Source: Mozilla lays off 70 as it waits for new products to generate revenue | TechCrunch

Time to donate!

Apple’s latest AI acquisition leaves some Wyze cameras without people detection

Earlier today, Apple confirmed it purchased Seattle-based AI company Xnor.ai (via MacRumors). Acquisitions at Apple’s scale happen frequently, though rarely do they impact everyday people on the day of their announcement. This one is different.

Cameras from fellow Seattle-based company Wyze, including the Wyze Cam V2 and Wyze Cam Pan, have utilized Xnor.ai’s on-device people detection since last summer. But now that Apple owns the company, it’s no longer available. Some people on Wyze’s forum are noting that the beta firmware removing the people detection has already started to roll out.

Oddly enough, word of this lapse in service isn’t anything new. Wyze issued a statement in November 2019 saying that Xnor.ai had terminated their contract (though its reason for doing so wasn’t as clear then as it is today), and that a firmware update slated for mid-January 2020 would remove the feature from those cameras.

There’s a bright side to this loss, though, even if Apple snapping up Xnor.ai makes Wyze’s affordable cameras less appealing in the interim. Wyze says that it’s working on its own in-house version of people detection for launch at some point this year. And whether it operates on-device via “edge AI” computing like Xnor.ai’s does, or by authenticating through the cloud, it will be free for users when it launches.

That’s good and all, but the year just started, and it’s a little worrying Wyze hasn’t followed up with a specific time frame for its replacement of the feature. Two days ago, Wyze’s social media community manager stated that the company was “making great progress” on its forums, but they didn’t offer up when it would be available.

As for what Apple plans to do with Xnor.ai is anyone’s guess. Ahead of its partnership with Wyze, the AI startup had developed a small, wireless AI camera that ran exclusively on solar power. Regardless of whether Apple is more interested in its edge computing algorithm, as was seen working on Wyze cameras for a short time, or its clever hardware ideas around AI-powered cameras, it’s getting all of it with the purchase.

Source: Apple’s latest AI acquisition leaves some Wyze cameras without people detection – The Verge

A floating device created to clean up plastic from the ocean is finally doing its job, organizers say

A huge trash-collecting system designed to clean up plastic floating in the Pacific Ocean is finally picking up plastic, its inventor announced Wednesday.

The Netherlands-based nonprofit the Ocean Cleanup says its latest prototype was able to capture and hold debris ranging in size from huge, abandoned fishing gear, known as “ghost nets,” to tiny microplastics as small as 1 millimeter.

“Today, I am very proud to share with you that we are now catching plastics,” Ocean Cleanup founder and CEO Boyan Slat said at a news conference in Rotterdam.

The Ocean Cleanup system is a U-shaped barrier with a net-like skirt that hangs below the surface of the water. It moves with the current and collects faster-moving plastics as they float by. Fish and other animals will be able to swim beneath it.

The new prototype added a parachute anchor to slow the system and increased the size of a cork line on top of the skirt to keep the plastic from washing over it.

Image caption: The Ocean Cleanup's System 001/B collects and holds plastic until a ship can collect it.

It’s been deployed in “The Great Pacific Garbage Patch” — a concentration of trash located between Hawaii and California that’s about double the size of Texas, or three times the size of France.

Ocean Cleanup plans to build a fleet of these devices, and predicts it will be able to reduce the size of the patch by half every five years.

Source: A floating device created to clean up plastic from the ocean is finally doing its job, organizers say – CNN

Skype and Cortana audio listened in on by workers in China with ‘no security measures’

A Microsoft programme to transcribe and vet audio from Skype and Cortana, its voice assistant, ran for years with “no security measures”, according to a former contractor who says he reviewed thousands of potentially sensitive recordings on his personal laptop from his home in Beijing over the two years he worked for the company.

The recordings, both deliberate and accidentally invoked activations of the voice assistant, as well as some Skype phone calls, were simply accessed by Microsoft workers through a web app running in Google’s Chrome browser, on their personal laptops, over the Chinese internet, according to the contractor.

Workers had no cybersecurity help to protect the data from criminal or state interference, and were even instructed to do the work using new Microsoft accounts all with the same password, for ease of management, the former contractor said. Employee vetting was practically nonexistent, he added.

“There were no security measures, I don’t even remember them doing proper KYC [know your customer] on me. I think they just took my Chinese bank account details,” he told the Guardian.

While the grader began by working in an office, he said the contractor that employed him “after a while allowed me to do it from home in Beijing. I judged British English (because I’m British), so I listened to people who had their Microsoft device set to British English, and I had access to all of this from my home laptop with a simple username and password login.” Both username and password were emailed to new contractors in plaintext, he said, with the former following a simple schema and the latter being the same for every employee who joined in any given year.

“They just give me a login over email and I will then have access to Cortana recordings. I could then hypothetically share this login with anyone,” the contractor said. “I heard all kinds of unusual conversations, including what could have been domestic violence. It sounds a bit crazy now, after educating myself on computer security, that they gave me the URL, a username and password sent over email.”

As well as the risks of a rogue employee saving user data themselves or accessing voice recordings on a compromised laptop, Microsoft’s decision to outsource some of the work vetting English recordings to companies based in Beijing raises the additional prospect of the Chinese state gaining access to recordings. “Living in China, working in China, you’re already compromised with nearly everything,” the contractor said. “I never really thought about it.”

Source: Skype audio graded by workers in China with ‘no security measures’ | Technology | The Guardian