DoNotPay app waits on hold for you, cancels subscriptions, helps you out of parking tickets

DoNotPay helps you get out of parking tickets and cancel forgotten subscriptions, and now it can call you when it’s your turn in a customer service phone queue. The app today is launching “Skip Waiting On Hold.” Just type in the company you need to talk to, and DoNotPay calls for you using tricks to get a human on the line quickly. Then it calls you back and connects you to the agent so you never have to listen to that annoying hold music.

And in case the company tries to jerk you around or screw you over, the DoNotPay app lets you instantly share to social media a legal recording of the call to shame them.

How To Get Off Hold

Skip Waiting On Hold comes as part of the $3 per month DoNotPay suite of services designed to save people time and money by battling bureaucracy on their behalf. It can handle DMV paperwork for you, write legal letters to scare businesses out of overcharging you and it provides a credit card that automatically cancels subscriptions when your free trial ends.

“I think the world would be a lot fairer place if people had someone fighting for them,” says DoNotPay’s 22-year-old founder Joshua Browder. Indeed: $3 per month gets the iOS app’s 10,000 customers unlimited access to all the features with no extra fees or commissions on money saved. “If DoNotPay takes a commission then we have an incentive to perpetuate the problems we are fighting against.”

[…]

The full list of DoNotPay services includes:

  1. Customer service disputes where it contacts companies about refunds for Comcast bills, delayed flights, etc.
  2. The free trial credit card that auto-cancels subscriptions before you’re actually charged
  3. Traffic and parking appeals where it generates a letter for you based on answers to questions, like if signs were too hard to read or there was a mistake on the ticket
  4. Hidden money discovery that finds refunds in your bank fees, identifies forgotten subscriptions, gets you free stuff on your birthday and more
  5. Government paperwork assistance that can help you get DMV appointments and fill out forms
  6. Skip Waiting On Hold

Source: This brilliant app waits on hold for you – TechCrunch

The Creators Of Pokémon Go Mapped The World. Now They’re Mapping You – how companies are monetising your location data

Today, when you use Wizards Unite or Pokémon Go or any of Niantic’s other apps, your every move is getting documented and stored—up to 13 times a minute, according to the results of a Kotaku investigation. Even players who know that the apps record their location data are usually astonished once they look at just how much they’ve told Niantic about their lives through their footsteps.

For years, users of these technologists’ products—from Google Street View to Pokémon Go—have been questioning how far they’re going with users’ information and whether those users are adequately educated on what they’re giving up and with whom it’s shared. In the process, those technologists have made mistakes, both major and minor, with regards to user privacy. As Niantic summits the world of augmented reality, it’s engineering the future of that big-money field, too. Should what Niantic does with its treasure trove of valuable data remain shrouded in the darkness particular to up-and-coming Silicon Valley darlings, that opacity might become so normalized that users lose any expectation of knowing how they’re being profited from.

Niantic publicly describes itself as a gaming company with an outsized passion for getting gamers outside. Its games, from Ingress to Pokémon Go to Wizards Unite, encourage players to navigate and interact with the real world around them, whether it be tree-lined suburbs, big cities, local landmarks, the Eiffel Tower, strip malls, or statues in the town square. Niantic’s ever-evolving gaming platform closely resembles Google Maps, in part because Niantic spawned from just that.

[…]

At 2019’s GDC, Hanke showed a video titled “Hyper-Reality,” by the media artist Keiichi Matsuda. It’s a dystopian look at a future in which the entire world is slathered with virtual overlays, an assault on the senses that everyone must view through an AR headset if they want to participate in modern society. In the video, the protagonist’s entire field of vision is a spread of neon notifications, apps, and advertisements, all viewed from a seat at the back of a city bus. Their hands swipe across a game they’re playing in augmented reality, while in the background an ad for Starbucks Coffee indicates they won a coupon for a free cup. Push notifications in their periphery indicate three new messages and directions for where to exit the bus. Walking through the aisle, where digital “get off now!” signs indicate it’s their stop, and onto the street, the physical world is annotated with virtual information. The more tasks they accomplish, the more points they receive. The whole world is now one big game. It showed a definitively dystopian vision of a world in which the barriers between IRL and URL have been fully collapsed.

Hanke said that the video made him feel “stressed and nervous.” Calling it a work of “critical design,” he noted that it was meant to question this dystopian future for AR, “a world where you’re tracked everywhere you go, where giant companies know everything about you, your identity is constantly at stake, and the world itself is noisy, and busy and plastered with distractions.”

But when a path appeared in front of the video’s protagonist showing them where to walk, Hanke’s response was: “That looks helpful.”

“Some people would say AR is a bad thing because we’ve seen this vision of how bad it can be,” Hanke said. “The point I want to make to you all is, it doesn’t have to be that way.” He showed an image of the Ferry Building, the 120-year-old piece of classical revival architecture in San Francisco where the company is currently headquartered. Just like in the video, it was overlaid with augmented reality windows showing the building’s history, a public transit schedule, and tabs for nearby restaurants. Hanke described a world where people can better navigate public transit and understand their surroundings because of digital mapping initiatives like Niantic. He talked about the possibility of hologram tour guides in San Francisco, and how they’d rely on a digital map to navigate their surroundings, and about designing shared experiences of Pokémon games in a Pokémon-augmented world.

[…]

Since its 2016 release, Pokémon Go has netted over $2.3 billion. In it, players collect items from PokeStops—also real-life locations and landmarks—so they can catch and collect Pokémon, which spawn around them. Almost immediately, Pokémon Go sparked its own privacy controversy, also blamed on a bug, which involved users giving Niantic a huge number of permissions: contacts, location, storage, camera and, for iPhone users, full Google account access, which was not integral to gameplay. Minnesota senator Al Franken penned a strongly-worded letter to Niantic about it, expressing concern “about the extent to which Niantic may be unnecessarily collecting, using, and sharing a wide range of users’ personal information without their appropriate consent.” Niantic said that the “account creation process on iOS erroneously requests full access permission,” adding that Pokémon Go only got user ID and email address info.

[…]

Players give Wizards Unite permission to track their movement using a combination of GPS, Wi-Fi, and mobile cell tower triangulation. To understand the extent of this location data, Kotaku asked for data from European players who had all filed personal information requests to Niantic under the GDPR, the European digital privacy legislation designed to give EU citizens more control over their personal data. Niantic sent these players all the data it had on them, which the players then shared with Kotaku.

The files we received contained detailed information about the lives of these players: the number of calories they likely burned during a given session, the distance they traveled, the promotions they engaged with. Crucially, each request also contained a large file of timestamped location data, as latitudes and longitudes.

In total, Kotaku analyzed more than 25,000 location records voluntarily shared with us by 10 players of Niantic games. On average, we found that Niantic kept about three location records per minute of gameplay of Wizards Unite, nearly twice as many as it did with Pokémon Go. For one player, Niantic had at least one location record taken during nearly every hour of the day, suggesting that the game was collecting data and sharing it with Niantic even when the player was not playing.

When Kotaku first asked Niantic why Wizards Unite was collecting location data even while the game was not actively being played, its first response was that we must be mistaken, since the game, it said, did not collect data while backgrounded. After we provided Niantic with more information about that player, it got back to us a few days later to let us know that its engineering team “did identify a bug in the Android version of the client code that led it to continue to ping our servers intermittently when the app was still open but had been backgrounded.” The bug, Niantic said, has now been fixed.

Because the location data collected by Wizards Unite and sent to Niantic is so granular, sometimes up to 13 location records a minute, it is possible to discern individual patterns of user behavior as well as intimate details about a player’s life.

[…]

Niantic is far from the only company collecting this sort of data. Last year, the New York Times published an expose on how over 75 companies receive pinpoint-accurate, anonymous location data from phone apps on over 200 million devices. Sometimes, these companies tracked users’ locations over 14,000 times a day. The result was always the same: Even though users had signed away their location data to these companies by agreeing to their user agreements, a lot of the time, they generally had no idea that companies were taking such exhaustive notes on what kind of person they are, where they’d been, where they were likely to go next, and whether they’d buy something there.

That Niantic is yet another company that can infer this type of mundane personal information may not be, in itself, surprising. Credit card companies, email providers, cellular services, and a variety of data brokers all have access to your personal information in increasingly opaque ways. Remember when Target figured out that a high school girl was pregnant before her family did?

It’s important to note that the personal data that players requested from Niantic and voluntarily shared with Kotaku is, according to Niantic, not something that a third party could buy from them, or otherwise be allowed to see. “Niantic does not share individual player data with third party sponsored location partners,” a representative said, adding that it uses “additional mechanisms to process the data so that it cannot be connected to an individual.”

Niantic’s Kawai told Kotaku that the anonymized data that Niantic shares with third parties is only in the form of “aggregated stats,” such as “how many people have had access or went to those in-game locations and how many actions people take in those in-game locations, how many PokeStop spins to get items happened on that day and… what unique number of people went to that location.”

“We don’t go any further than that,” he said.

The idea that data can successfully be anonymized has long been a contentious one. In July, researchers at Imperial College London were able to accurately reidentify 99.98 percent of Americans in an “anonymized” dataset. And in 2018, a New York Times investigation found that, when provided raw anonymized location data, companies could identify individuals with or without their consent. In fact, according to experts, it can take just four timestamped location records to specifically identify an individual from a collection of latitudes and longitudes that they have visited.
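As an added example (not Kotaku’s analysis and not Niantic’s code), the three measurements the article describes, run over a constructed location export: records per minute of play, the hours of the day that contain records (the symptom that exposed the background-collection bug), and how many coarsened points it takes to single a player out. The sample rows and the 100 m / 1 h coarsening grid are assumptions made for the example.

```python
"""Privacy checks on a timestamped location export, shaped like the GDPR dumps above.

Constructed sample data only; nothing here is data from the article."""
from collections import defaultdict
from datetime import datetime, timedelta
import math


def _trace(pid, start, minutes, per_min, lat, lon, step):
    """Build one play session: evenly spaced records that drift `step` degrees per record."""
    return [
        (pid, start + timedelta(seconds=i * 60 / per_min), lat + i * step, lon + i * step)
        for i in range(minutes * per_min)
    ]


T0 = datetime(2019, 8, 1, 9, 0)
# Constructed export rows: (player_id, timestamp, lat, lon). Coordinates are made up.
SAMPLE = (
    _trace("A", T0, 30, 3, 51.5074, -0.1278, 0.0002)   # walks 30 min, ~3 records/min
    + _trace("B", T0, 30, 3, 51.5074, -0.1278, 0.0)    # same start and time, stands still
    + _trace("C", T0 + timedelta(hours=2), 10, 13, 48.8566, 2.3522, 0.0002)  # 13/min burst
    + [("D", datetime(2019, 8, 2, h, 15), 40.7128, -74.0060) for h in range(24)]  # hourly ping
)


def by_player(records):
    """Group export rows into per-player traces of (timestamp, lat, lon)."""
    groups = defaultdict(list)
    for pid, t, lat, lon in records:
        groups[pid].append((t, lat, lon))
    return groups


def records_per_minute(trace):
    """Sampling rate during play: records divided by distinct minutes that contain a record."""
    minutes = {t.replace(second=0, microsecond=0) for t, _, _ in trace}
    return len(trace) / len(minutes)


def hours_active(trace):
    """Hours of the day with at least one record; all 24 on a day you did not play is a red flag."""
    return {t.hour for t, _, _ in trace}


def looks_like_background_collection(trace, min_hours=20):
    """Heuristic from the article: records across nearly every hour suggest pings while backgrounded."""
    return len(hours_active(trace)) >= min_hours


def generalize(trace, cell_deg, hours):
    """Coarsen records to (grid cell, time bucket), the kind of step a data holder calls anonymizing."""
    coarse = set()
    for t, lat, lon in trace:
        bucket = t.replace(hour=(t.hour // hours) * hours, minute=0, second=0, microsecond=0)
        coarse.add((math.floor(lat / cell_deg), math.floor(lon / cell_deg), bucket))
    return coarse


def unicity(records, k=4, cell_deg=0.001, hours=1):
    """Fraction of players whose k evenly spaced coarse points occur in no other player's trace.

    This is the 'how many points pin down one person' measurement: the higher the result,
    the less the coarsening protects anyone. Assumed defaults: ~100 m cells, 1 h buckets."""
    traces = by_player(records)
    coarse = {pid: generalize(tr, cell_deg, hours) for pid, tr in traces.items()}
    unique = 0
    for pid, tr in traces.items():
        n = min(k, len(tr))
        idx = [round(i * (len(tr) - 1) / (n - 1)) for i in range(n)] if n > 1 else [0]
        anchors = generalize([tr[i] for i in idx], cell_deg, hours)
        matches = [other for other, pts in coarse.items() if anchors <= pts]
        unique += matches == [pid]  # only the player's own trace contains all k anchors
    return unique / len(traces)


if __name__ == "__main__":
    for pid, tr in by_player(SAMPLE).items():
        print(pid, f"{records_per_minute(tr):.1f} rec/min", sorted(hours_active(tr)),
              "background?" if looks_like_background_collection(tr) else "")
    print("unicity at 100 m cells / 1 h:", unicity(SAMPLE))
    print("unicity at 10 km cells / 1 day:", unicity(SAMPLE, cell_deg=0.1, hours=24))
```

Player B, who never moves, is the only one not singled out at the fine grid, because the stationary player's four points are also contained in A's walk; at city-scale cells and daily buckets A and B collapse together and unicity drops.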

[…]

Niantic makes a staggering amount of money off in-game microtransactions, a reported $1.8 billion in Pokémon Go’s first two years. It also makes money from sponsorships. By late 2017, there were over 35,000 sponsored PokeStops, which players visited over 500 million times. Hanke described foot traffic as the “holy grail of retail businesses” in a 2017 talk to the Mobile World Congress. 13,000 of the sponsored stops were Starbucks locations.

[…]

“We have always been transparent about this product and feel it is a much better experience for our players than the kind of video and text ads frequently deployed in other mobile games,” Hanke told Kotaku. He then shared a link to an Ad Age article announcing Pokémon Go’s sponsored locations and detailing its “cost per visit” business model.

Big-money tech companies rarely make money in just one or two ways, and often inconspicuously employ money-making strategies that may be less palatable to privacy-minded consumers. Mobile app companies are notorious for this. One 2017 Oxford study, for example, analyzed 1 million smartphone apps and determined that the median Google Play Store app can share users’ behavioral data with 10 third parties, while one in five can share it with over 20. “Freemium” mobile apps can earn big revenue from sharing data with advertisers—and it’s all completely opaque to users, as a Buzzfeed News report explained in 2018.

A graph illustrating the number of location records captured for one Harry Potter: Wizards Unite user per minute, over the span of a few hours.
Image: Kotaku

Advertising market research company Emarketer projected that advertisers will spend $29 billion on location-targeted advertising, also referred to as “geoconquesting,” this year. Marketers target and tailor ads for app users in a specific location in real-time, segment a potential audience for an ad by location, learn about consumers based on where they were before they bought something, and connect online ads to offline purchases using location data—another manifestation of “ubiquitous computing.” One of the biggest location-targeted ad companies, GroundTruth, taps data from 120 million unique monthly users to drive people to businesses like Taco Bell, where it recently took credit for 170,000 visits after a location-targeted ad campaign.

[…]

Niantic said it is not in the business of selling user location data. But it will send its users to you. Wizards Unite recently partnered with Simon Malls, which owns over 200 shopping centers, to add “multiple sponsored Inns and Fortresses” at each location, “giving players more XP and more spell energy than at any other non-sponsored location in the U.S.”

[…]

If the goal is to unite the physical with the digital, insights gleaned from how long users loiter outside a Coach store and how long they might look at a Coach Instagram ad could be massively useful to these waning mall brands. Uniting these worlds for a field trip around Tokyo is one thing; uniting them to consolidate digital and physical ad profiles is another.

“This is a hot topic in mall operation—tracking the motion of people within a mall, what stores they’re going to, how long they’re going,” said Ron Merriman, a theme park business strategist based in Shanghai (who, he noted after we contacted him for this story, happened to go to business school with Hanke). Merriman says that tracking users in malls, aquariums, and theme parks to optimize merchandising, user experiences, and ad targeting is becoming the norm where he lives in Asia. Retailers polled by Emarketer in late 2018 planned on investing more in proximity and location-based marketing than other emerging, hot-topic technologies like AI.

Source: The Creators Of Pokémon Go Mapped The World. Now They’re Mapping You

“BriansClub” Hack finds 26M Stolen Cards

“BriansClub,” one of the largest underground stores for buying stolen credit card data, has itself been hacked. The data stolen from BriansClub encompasses more than 26 million credit and debit card records taken from hacked online and brick-and-mortar retailers over the past four years, including almost eight million records uploaded to the shop in 2019 alone.

[…]

The leaked data shows that in 2015, BriansClub added just 1.7 million card records for sale. But business would pick up in each of the years that followed: In 2016, BriansClub uploaded 2.89 million stolen cards; 2017 saw some 4.9 million cards added; 2018 brought in 9.2 million more.

Between January and August 2019 (when this database snapshot was apparently taken), BriansClub added roughly 7.6 million cards.

Most of what’s on offer at BriansClub are “dumps,” strings of ones and zeros that — when encoded onto anything with a magnetic stripe the size of a credit card — can be used by thieves to purchase electronics, gift cards and other high-priced items at big box stores.

Source: “BriansClub” Hack Rescues 26M Stolen Cards — Krebs on Security

International Space Station Crew 3D-Prints Meat In Space For The First Time!

For the first time ever, meat was created in space — but no animals were harmed in the making of this 3D bioprinted “space beef.”

Aleph Farms, an Israeli food company, announced today (Oct. 7) that its experiment aboard the International Space Station resulted in the first-ever lab-grown meat in space. The company focuses on growing cultivated beef steaks, or growing an entire piece of real, edible meat out of just a couple of cells, in this case, bovine cell spheroids, in a lab.

On the space station, the experiment involved growing a piece of meat by mimicking a cow’s natural muscle-tissue regeneration process. Aleph Farms collaborated with the Russian company 3D Bioprinting Solutions and two U.S.-based food companies to test this method in space.

Cosmonaut Oleg Skripochka conducting the “cultivated beef steak” experiment aboard the International Space Station on Sept. 26, 2019.

(Image credit: Roscosmos)

On Sept. 26, the team established a proof of concept when the astronauts performing the test were able to produce a small piece of cow muscle tissue on the space station. The experiment took place inside of a 3D bioprinter developed by 3D Bioprinting Solutions. Bioprinting is a process in which biomaterials, like animal cells, are mixed with growth factors and the material “bioink,” and “printed” into a layered structure. In this case, the resulting structure is a piece of muscle tissue.

The “3D bioprinter is equipped with a magnetic force which aggregated the cells into one small-scaled tissue, which is what meat is constructed by,” Yoav Reisler, an external relations manager at Aleph Farms, told Space.com in an email.

But, while 3D bioprinting has been used and tested on Earth for things like producing cartilage tissue, it works a little differently in space. “Maturing of bioprinted organs and tissues in zero gravity proceeds much faster than in Earth gravity conditions. The tissue is being printed from all sides simultaneously, like making a snowball, while most other bioprinters create it layer by layer. On Earth, the cells always fall downward. In zero gravity, they hang in space and interfere only with each other. Layer by layer printing in gravity requires a support structure. Printing in zero gravity allows tissue to be created only with cell material, without any intermediate support,” Reisler added.


An image of small-scale muscle tissue made using bovine cell spheroids.

(Image credit: 3D Printing Solutions)

The reasoning behind Aleph Farms’ efforts to produce “slaughter-free meat in space,” as the company describes it, is climate change, according to a press release sent by the company to Space.com. Animal farming, as noted in the 2019 Intergovernmental Panel on Climate Change special report, with its requirement for huge amounts of water and energy, contributes in a significant way to climate change.

“Our planet is on fire and we have no other one today. Our primary goal is to make sure it remains the same blue planet we know also with our next generations,” Reisler said.

“In space, we don’t have 10,000 or 15,000 Liter (3962.58 Gallon) of water available to produce one Kg (2.205 Pound) of beef,” Didier Toubia, Co-Founder and CEO of Aleph Farms, said in the release. “This joint experiment marks a significant first step toward achieving our vision to ensure food security for generations to come, while preserving our natural resources.”

The company aims to build upon the success of this proof of concept experiment and, within a few years or so, make cultivated beef steaks available on Earth through “bio-farms” where they will grow this meat, Reisler added.

Source: International Space Station Crew 3D-Prints Meat In Space For The First Time! – Science

Warren runs a false Facebook ad to protest false Facebook ads – Politicians can lie on social media ads

Elizabeth Warren has taken an attention-getting approach to attacking Facebook’s recent announcement that it won’t fact-check politicians’ posts. She’s running an ad on the social network that deliberately contains a falsehood.

“Breaking news: Mark Zuckerberg and Facebook just endorsed Donald Trump for re-election,” reads the ad, which Warren also tweeted out Saturday. The ad immediately corrects itself but says it’s making a point. “What Zuckerberg *has* done is given Trump free rein to lie on his platform,” it says, “and then pay Facebook gobs of money to push out their lies to American voters.”

Neither Facebook nor the White House immediately responded to a request for comment.

Late last month, Facebook said it exempts politicians from its third-party fact-checking process and that that’s been the policy for more than a year. The company treats speech from politicians “as newsworthy content that should, as a general rule, be seen and heard,” Facebook’s vice president of global affairs and communications, Nick Clegg, said at the time.

“We don’t believe … that it’s an appropriate role for us to referee political debates and prevent a politician’s speech from reaching its audience and being subject to public debate and scrutiny,” Clegg added.

Earlier this week, Facebook told Joe Biden’s presidential campaign that it wouldn’t remove an ad by Trump’s reelection campaign despite assertions that the ad contains misinformation about Biden. The 30-second video said Biden had threatened to withhold $1 billion from Ukraine unless officials there fired the prosecutor investigating a company that employed Biden’s son.

At the time, Tim Murtaugh, a spokesman for Trump’s campaign, said the ads were accurate. But Factcheck.org noted that while Biden did threaten to withhold US money from Ukraine, there’s no evidence he did this to help his son, which is what the Facebook ad implied. Factcheck.org also said there’s no evidence Biden’s son was ever under investigation and that Biden and the US weren’t alone in pressuring Ukraine to fire the prosecutor, who was widely seen as corrupt.

Responding to Facebook’s refusal to pull the ad, Biden spokesman T.J. Ducklo said at the time that “the spread of objectively false information to influence public opinion poisons the public discourse and chips away at our democracy. It is unacceptable for any social media company to knowingly allow deliberately misleading material to corrupt its platform.”

And Warren tweeted then that Facebook was “deliberately allowing a candidate to intentionally lie to the American people.”

Warren has called for the breakup of Facebook and other big tech companies, saying in part that they wield too much influence. Other lawmakers have called for Facebook and rival platforms to be regulated as a way of addressing concerns about the spread of fake news, among other things.

Source: Warren runs a false Facebook ad to protest false Facebook ads – CNET

And who decides what the definition of a politician is?

White-hat hacks Muhstik ransomware gang and releases decryption keys

A user got his revenge on the ransomware gang who encrypted his files by hacking their server and releasing the decryption keys for all other victims.

This happened earlier today and involved the Muhstik gang. Muhstik is a recent strain of ransomware that has been active since late September, according to reports [1, 2, 3].

This ransomware targets network-attached storage (NAS) devices made by Taiwanese hardware vendor QNAP. The gang behind the Muhstik ransomware is brute-forcing QNAP NAS devices that use weak passwords for the built-in phpMyAdmin service, according to a security advisory published by the company last week.

After gaining access to the phpMyAdmin installation, Muhstik operators encrypt users’ files and save a copy of the decryption keys on their command and control (C&C) server. QNAP files encrypted by Muhstik can be recognized by each file’s new “.muhstik” file extension.

Annoyed software dev hacks back

One of the gang’s victims was Tobias Frömel, a German software developer. Frömel was one of the victims who paid the ransom demand so he could regain access to his files.

However, after paying the ransom, Frömel also analyzed the ransomware, gained insight into how Muhstik operated, and then retrieved the crooks’ database from their server.

“I know it was not legal from me,” the researcher wrote in a text file he published online on Pastebin earlier today, containing 2,858 decryption keys.

“I’m not the bad guy here,” Frömel added.

Free decryption method now available

Besides releasing the decryption keys, the German developer also published a decrypter that all Muhstik victims can use to unlock their files. The decrypter is available on MEGA [VirusTotal scan], and usage instructions are available on the Bleeping Computer forum.

In the meantime, Frömel has been busy notifying Muhstik victims on Twitter about the decrypter’s availability, advising users against paying the ransom.

Source: White-hat hacks Muhstik ransomware gang and releases decryption keys | ZDNet

Apple Safari browser sends some user IP addresses to Chinese conglomerate Tencent by default

Apple admits that it sends some user IP addresses to Tencent in the “About Safari & Privacy” section of its Safari settings which can be accessed on an iOS device by opening the Settings app and then selecting “Safari > About Privacy & Security.” Under the title “Fraudulent Website Warning,” Apple says:

“Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address.”

The “Fraudulent Website Warning” setting is toggled on by default which means that unless iPhone or iPad users dive two levels deep into their settings and toggle it off, their IP addresses may be logged by Tencent or Google when they use the Safari browser. However, doing this makes browsing sessions less secure and leaves users vulnerable to accessing fraudulent websites.

[…]

Even if people install a third-party browser on their iOS device, viewing web pages inside apps still opens them in an integrated form of Safari called Safari View Controller instead of the third-party browser. Tapping links inside apps also opens them in Safari rather than a third-party browser. These behaviors that force people back into Safari make it difficult for people to avoid the Safari browser completely when using an iPhone or iPad.

Source: Apple Safari browser sends some user IP addresses to Chinese conglomerate Tencent by default

An AI Pioneer Wants His Algorithms to Understand the ‘Why’

In March, Yoshua Bengio received a share of the Turing Award, the highest accolade in computer science, for contributions to the development of deep learning—the technique that triggered a renaissance in artificial intelligence, leading to advances in self-driving cars, real-time speech translation, and facial recognition.

Now, Bengio says deep learning needs to be fixed. He believes it won’t realize its full potential, and won’t deliver a true AI revolution, until it can go beyond pattern recognition and learn more about cause and effect. In other words, he says, deep learning needs to start asking why things happen.

[…]

Machine learning systems including deep learning are highly specific, trained for a particular task, like recognizing cats in images, or spoken commands in audio. Since bursting onto the scene around 2012, deep learning has demonstrated a particularly impressive ability to recognize patterns in data; it’s been put to many practical uses, from spotting signs of cancer in medical scans to uncovering fraud in financial data.

But deep learning is fundamentally blind to cause and effect. Unlike a real doctor, a deep learning algorithm cannot explain why a particular image may suggest disease. This means deep learning must be used cautiously in critical situations.

[…]

At his research lab, Bengio is working on a version of deep learning capable of recognizing simple cause-and-effect relationships. He and colleagues recently posted a research paper outlining the approach. They used a dataset that maps causal relationships between real-world phenomena, such as smoking and lung cancer, in terms of probabilities. They also generated synthetic datasets of causal relationships.

[…]

Others believe the focus on deep learning may be part of the problem. Gary Marcus, a professor emeritus at NYU and the author of a recent book that highlights the limits of deep learning, Rebooting AI: Building Artificial Intelligence We Can Trust, says Bengio’s interest in causal reasoning signals a welcome shift in thinking.

“Too much of deep learning has focused on correlation without causation, and that often leaves deep learning systems at a loss when they are tested on conditions that aren’t quite the same as the ones they were trained on,” he says.

Marcus adds that the lesson from human experience is obvious. “When children ask ‘why?’ they are asking about causality,” he says. “When machines start asking why, they will be a lot smarter.”

Source: An AI Pioneer Wants His Algorithms to Understand the ‘Why’ | WIRED

This is a hugely important – and old – question in this field. Without the ‘why’, humans must ‘just trust’ answers given by AI that seem intuitively strange. When you’re talking about health care or human-related activities such as liability, ‘just accept what I’m telling you’ isn’t good enough.

Human Employees Are Viewing Clips from Amazon’s Home Surveillance Service

Citing sources familiar with the program, Bloomberg reported Thursday that “dozens” of workers for the e-commerce giant who are based in Romania and India are tasked with reviewing footage collected by Cloud Cams—Amazon’s app-controlled, Alexa-compatible indoor security devices—to help improve AI functionality and better determine potential threats. Bloomberg reported that at one point, these human workers were responsible for reviewing and annotating roughly 150 security snippets of up to 30 seconds in length each day that they worked.

Two sources who spoke with Bloomberg told the outlet that some clips depicted private imagery, such as what Bloomberg described as “rare instances of people having sex.” An Amazon spokesperson told Gizmodo that reviewed clips are submitted either through employee trials or customer feedback submissions for improving the service.

[…]

So to be clear, customers are sharing clips for troubleshooting purposes, but they aren’t necessarily aware of what happens with that clip after doing so.

More troubling, however, is an accusation from one source who spoke with Bloomberg that some of these human workers tasked with annotating the clips may be sharing them with members outside of their restricted teams, despite the fact that reviews happen in a restricted area that prohibits phones. When asked about this, a spokesperson told Gizmodo by email that Amazon’s rules “strictly prohibit employee access to or use of video clips submitted for troubleshooting, and have a zero tolerance policy for abuse of our systems.”

[…]

To be clear, it’s not just Amazon who’s been accused of allowing human workers to listen in on whatever is going on in your home. Motherboard has reported that both Xbox recordings and Skype calls are reviewed by human contractors. Apple, too, was accused of capturing sensitive recordings that contractors had access to. The fact is these systems just aren’t ready for primetime and need human intervention to function and improve—a fact that tech companies have successfully downplayed in favor of appearing to be magical wizards of innovation.

Source: Human Employees Are Viewing Clips from Amazon’s Home Surveillance Service

System76 Will Begin Shipping 2 Linux Laptops With Coreboot-Based Open Source Firmware

System76, the Denver-based Linux PC manufacturer and developer of Pop OS, has some stellar news for those of us who prefer our laptops a little more open. Later this month the company will begin shipping two of their laptop models with its Coreboot-powered open source firmware.

Beginning today, System76 will start taking pre-orders for both the Galago Pro and Darter Pro laptops. The systems will ship out later in October, and include the company’s Coreboot-based open source firmware which was previously teased at the 2019 Open Source Firmware Conference.

(Coreboot, formerly known as LinuxBIOS, is a software project aimed at replacing proprietary firmware found in most computers with a lightweight firmware designed to perform only the minimum number of tasks necessary to load and run a modern 32-bit or 64-bit operating system.)

What’s so great about ripping out the proprietary firmware included in machines like this and replacing it with an open alternative? To begin with, it’s leaner. System76 claims that users can boot from power off to the desktop 29% faster with its Coreboot-based firmware.

Source: System76 Will Begin Shipping 2 Linux Laptops With Coreboot-Based Open Source Firmware

Managed Retreat Buyout Efforts Have Relocated 40,000 Households to avoid rising seawater: Study

The U.S. is slowly being gripped by a flooding crisis as seas rise and waterways overflow with ever more alarming frequency. An idea at the forefront for how to help Americans cope is so-called managed retreat, a process of moving away from affected areas and letting former neighborhoods return to nature. It’s an idea increasingly en vogue as it becomes clearer that barriers won’t be enough to keep floodwaters at bay.

But new research shows a startling finding: Americans are already retreating. More than 40,000 households have been bought out by the federal government over the past three decades. The research published in Science Advances on Wednesday also reveals that there are disparities between which communities opt-in for buyout programs and, even more granularly, which households take the offers and relocate away. The cutting-edge research answers questions that have been out there for a while and raises a whole host of new ones that will only become more pressing in the coming decades as Earth continues to warm.

“People are using buyouts and doing managed retreat,” AR Siders, a climate governance researcher at Harvard and study author, said during a press call. “No matter how difficult managed retreat sounds, we know that there are a thousand communities in the United States, all over the country, who have made it work. I want to hear their stories, I want to know how they did it.”

Source: Managed Retreat Buyout Efforts Have Relocated 40,000 Households: Study

Meet the Money Behind The Climate Denial Movement

Nearly a billion dollars a year is flowing into the organized climate change counter-movement

The overwhelming majority of climate scientists, international governmental bodies, relevant research institutes and scientific societies are in unison in saying that climate change is real, that it’s a problem, and that we should probably do something about it now, not later. And yet, for some reason, the idea persists in some people’s minds that climate change is up for debate, or that climate change is no big deal.

Actually, it’s not “for some reason” that people are confused. There’s a very obvious reason. There is a very well-funded, well-orchestrated climate change-denial movement, one funded by powerful people with very deep pockets. In a new and incredibly thorough study, Drexel University sociologist Robert Brulle took a deep dive into the financial structure of the climate deniers, to see who is holding the purse strings.

According to Brulle’s research, the 91 think tanks and advocacy organizations and trade associations that make up the American climate denial industry pull down just shy of a billion dollars each year, money used to lobby or sway public opinion on climate change and other issues.

“The anti-climate effort has been largely underwritten by conservative billionaires,” says the Guardian, “often working through secretive funding networks. They have displaced corporations as the prime supporters of 91 think tanks, advocacy groups and industry associations which have worked to block action on climate change.”

Source: Meet the Money Behind The Climate Denial Movement | Smart News | Smithsonian

Twitter: No, really, we’re very sorry we sold your security info for a boatload of cash

Twitter says it was just an accident that caused the microblogging giant to let advertisers use private information to better target their marketing materials at users.

The social networking giant on Tuesday admitted to an “error” that let advertisers have access to the private information customers had given Twitter in order to place additional security protections on their accounts.

“We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system,” Twitter said.

“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize.”

Twitter assures users that no “personal” information was shared, though we’re not sure what Twitter would consider “personal information” if your phone number and email address do not meet the bar.

Source: Twitter: No, really, we’re very sorry we sold your security info for a boatload of cash • The Register

Remember the FBI’s promise it wasn’t abusing the NSA’s data on US citizens? Well, guess what… It was worse than the privacy advocates dreamt

The FBI routinely misused a database, gathered by the NSA with the specific purpose of searching for foreign intelligence threats, by searching it for everything from vetting to spying on relatives.

In doing so, it not only violated the law and the US constitution but knowingly lied to the faces of congressmen who were asking the intelligence services about this exact issue at government hearings, hearings that were intended to find if there needed to be additional safeguards added to the program.

That is the upshot of newly declassified rulings of the secret FISC court that decides issues of spying and surveillance within the United States.

On Tuesday, in a year-old ruling [PDF] that remains heavily redacted, everything that both privacy advocates and a number of congressmen – particularly Senator Ron Wyden (D-OR) – feared was true of the program turned out to be so, but worse.

Even though the program in question – Section 702 – is specifically designed only to be used for US government agencies to be allowed to search for evidence of foreign intelligence threats, the FBI gave itself carte blanche to search the same database for US citizens by stringing together a series of ridiculous legal justifications about data being captured “incidentally” and subsequent queries of that data not requiring a warrant because it had already been gathered.

Despite that situation, the FBI repeatedly assured lawmakers and the courts that it was using its powers in a very limited way. Senator Wyden was not convinced and used his position to ask questions about the program, the answers to which raised ever greater concerns.

For example, while the NSA was able to outline the process by which its staff was allowed to make searches on the database, including who was authorized to dig further, and it was able to give a precise figure for how many searches there had been, the FBI claimed it was literally not able to do so.

Free for all

Any FBI agent was allowed to search the database, it revealed under questioning; any FBI agent was allowed to de-anonymize the data; and the FBI claimed it did not have a system to measure the number of search requests its agents carried out.

In a year-long standoff between Senator Wyden and the Director of National Intelligence, the government told Congress it was not able to get a number for the number of US citizens whose details had been brought up in searches – something that likely broke the Fourth Amendment.

Today’s release of the FISC secret opinion reveals that giving the FBI virtually unrestricted access to the database led to exactly the sort of behavior that people were concerned about: a vast number of searches, including many that were not remotely justified.

For example, the DNI told Congress that in 2016, the NSA had carried out 30,355 searches on US persons within the database’s metadata and 2,280 searches on the database’s content. The CIA had carried out 2,352 searches on content for US persons in the same 12-month period. The FBI said it had no way to measure the number of searches it ran.

But that, it turns out, was a bold-faced lie. Because we now know that the FBI carried out 6,800 queries of the database in a single day in December 2017 using social security numbers. In other words, the FBI was using the NSA’s database at least 80 times more frequently than the NSA itself.

The FBI’s use of the database – which, again, is specifically defined in law as only being allowed to be used for foreign intelligence matters – was completely routine. As a result, agents started using it all the time for anything connected to their work, and sometimes their personal lives.

In the secret court opinion, now made public (but, again, still heavily redacted), the government was forced to concede that there were “fundamental misunderstandings” within the FBI staff over what criteria they needed to meet before carrying out a search.

Source: Remember the FBI’s promise it wasn’t abusing the NSA’s data on US citizens? Well, guess what… • The Register

Article continues on the site

FBI warns about attacks that bypass multi-factor authentication (MFA)

Basically sim swapping, man in the middle attacks and poor URL protections

FBI warns about SIM swapping and tools like Muraena and NecroBrowser.

“The FBI has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks,” the FBI wrote in a Private Industry Notification (PIN) sent out on September 17.

Past incidents of MFA bypasses

While nowadays there are multiple ways of bypassing MFA protections, the FBI alert specifically warned about SIM swapping, vulnerabilities in online pages handling MFA operations, and the use of transparent proxies like Muraena and NecroBrowser.

To get the point across, the FBI listed recent incidents where hackers had used these techniques to bypass MFA and steal money from companies and regular users alike. We cite from the report:

  • In 2016 customers of a US banking institution were targeted by a cyber attacker who ported their phone numbers to a phone he owned, an attack called SIM swapping. The attacker called the phone companies’ customer service representatives, finding some who were more willing to provide him information to complete the SIM swap. Once the attacker had control over the customers’ phone numbers, he called the bank to request a wire transfer from the victims’ accounts to another account he owned. The bank, recognizing the phone number as belonging to the customer, did not ask for full security questions but requested a one-time code sent to the phone number from which he was calling. He also requested to change PINs and passwords and was able to attach victims’ credit card numbers to a mobile payment application.
  • Over the course of 2018 and 2019, the FBI’s Internet Crime Complaint Center and FBI victim complaints observed the above attack, SIM swapping, as a common tactic from cyber criminals seeking to circumvent two-factor authentication. Victims of these attacks have had their phone numbers stolen, their bank accounts drained, and their passwords and PINs changed. Many of these attacks rely on socially engineering customer service representatives for major phone companies, who give information to the attackers.
  • In 2019 a US banking institution was targeted by a cyber attacker who was able to take advantage of a flaw in the bank’s website to circumvent the two-factor authentication implemented to protect accounts. The cyber attacker logged in with stolen victim credentials and, when reaching the secondary page where the customer would normally need to enter a PIN and answer a security question, the attacker entered a manipulated string into the Web URL setting the computer as one recognized on the account. This allowed him to bypass the PIN and security question pages and initiate wire transfers from the victims’ accounts.
  • In February 2019 a cyber security expert at the RSA Conference in San Francisco, demonstrated a large variety of schemes and attacks cyber actors could use to circumvent multi-factor authentication. The security expert presented real-time examples of how cyber actors could use man-in-the-middle attacks and session hijacking to intercept the traffic between a user and a website to conduct these attacks and maintain access for as long as possible. He also demonstrated social engineering attacks, including phishing schemes or fraudulent text messages purporting to be a bank or other service to cause a user to log into a fake website and give up their private information.
  • At the June 2019 Hack-in-the-Box conference in Amsterdam, cyber security experts demonstrated a pair of tools – Muraena and NecroBrowser – which worked in tandem to automate a phishing scheme against users of multi-factor authentication. The Muraena tool intercepts traffic between a user and a target website where they are requested to enter login credentials and a token code as usual. Once authenticated, NecroBrowser stores the data for the victims of this attack and hijacks the session cookie, allowing cyber actors to log into these private accounts, take them over, and change user passwords and recovery e-mail addresses while maintaining access as long as possible.
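The third incident in the list above, where a value typed into the URL marked the attacker’s computer as a recognized device, comes down to where the “trusted device” decision lives. The Python below is an added illustration, not code from the FBI notification or from ZDNet: it models a step-up check in the flawed form (the decision is read from a client-controlled query parameter) beside a hardened form, where the server records a device only after a completed second-factor challenge and later accepts it only on presentation of an expiring, account-bound HMAC token that it issued itself. The `Account` record, `issue_device_token`, and the 30-day `TRUST_TTL_SECONDS` lifetime are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed server-side secret; a real deployment would load it from a KMS or HSM.
SERVER_KEY = secrets.token_bytes(32)
# Hypothetical "remember this device" lifetime used by this example.
TRUST_TTL_SECONDS = 30 * 24 * 3600


@dataclass
class Account:
    username: str
    # Device ids the server itself recorded after a completed MFA challenge.
    trusted_devices: set = field(default_factory=set)


def step_up_required_vulnerable(account: Account, query_params: dict) -> bool:
    """Flawed pattern: the 'recognized device' decision comes from a URL
    parameter the client controls, so editing the URL skips the PIN and
    security-question page. Returns True when the second factor must be asked."""
    return query_params.get("deviceRecognized") != "1"


def _device_mac(username: str, device_id: str, expires: int) -> str:
    """Bind the device id, the account and the expiry together under the server key."""
    msg = f"{username}:{device_id}:{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_device_token(account: Account, device_id: str, now: Optional[int] = None) -> str:
    """Called only after the user completed the full second factor. Records the
    device server-side and returns a token to be set as an HttpOnly cookie
    (never carried in the URL). Format: device_id.expires.mac"""
    now = int(time.time()) if now is None else now
    expires = now + TRUST_TTL_SECONDS
    account.trusted_devices.add(device_id)
    return f"{device_id}.{expires}.{_device_mac(account.username, device_id, expires)}"


def step_up_required_hardened(account: Account, device_token: Optional[str],
                              now: Optional[int] = None) -> bool:
    """Hardened pattern: trust is a server-side fact for this account, proven by
    a token whose MAC is checked in constant time and whose expiry is enforced.
    Any malformed, forged, expired or foreign token falls back to full MFA."""
    now = int(time.time()) if now is None else now
    if not device_token:
        return True
    parts = device_token.split(".")
    if len(parts) != 3 or not parts[1].isdigit():
        return True
    device_id, expires_str, mac = parts
    expires = int(expires_str)
    if expires <= now:
        return True
    expected = _device_mac(account.username, device_id, expires)
    if not hmac.compare_digest(mac, expected):
        return True
    # The server's own record is the final word, so revocation works immediately.
    return device_id not in account.trusted_devices


if __name__ == "__main__":
    alice = Account("alice")
    print("vulnerable, URL says deviceRecognized=1:",
          step_up_required_vulnerable(alice, {"deviceRecognized": "1"}))
    token = issue_device_token(alice, "laptop-1", now=1_000_000)
    print("hardened, issued token:", step_up_required_hardened(alice, token, now=1_000_001))
    print("hardened, same token on another account:",
          step_up_required_hardened(Account("bob"), token, now=1_000_001))
```

The design point is that the client never carries the decision, only a credential the server can verify: the token proves nothing unless the device id is also in the account’s server-side set, which is what allows an operator to revoke a remembered device by deleting one row.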

MFA is still effective

The FBI made it very clear that its alert should be taken only as a precaution, not as an attack on the effectiveness of MFA, which the agency still recommends that companies use.

Source: FBI warns about attacks that bypass multi-factor authentication (MFA) | ZDNet

Saturn surpasses Jupiter after the discovery of 20 new moons and you can help name them!

A team led by Carnegie’s Scott S. Sheppard has found 20 new moons orbiting Saturn. This brings the ringed planet’s total number of moons to 82, surpassing Jupiter, which has 79. The discovery was announced Monday by the International Astronomical Union’s Minor Planet Center.

Each of the newly discovered moons is about five kilometers, or three miles, in diameter. Seventeen of them orbit the planet backwards, or in a retrograde direction, meaning their movement is opposite of the planet’s rotation around its axis. The other three moons orbit in the prograde—the same direction as Saturn rotates.

Two of the prograde moons are closer to the planet and take about two years to travel once around Saturn. The more-distant retrograde moons and one of the prograde moons each take more than three years to complete an orbit.

Source: Saturn surpasses Jupiter after the discovery of 20 new moons and you can help name them! | Carnegie Institution for Science

Rodents With Part-Human Brains Pose a New Challenge for Bioethics

Rapid progress in research involving miniature human brains grown in a dish has led to a host of ethical concerns, particularly when these human brain cells are transplanted into nonhuman animals. A new paper evaluates the potential risks of creating “humanized” animals, while providing a pathway for scientists to move forward in this important area.

Neuroscientist Isaac Chen from the Perelman School of Medicine at the University of Pennsylvania, along with his colleagues, has written a timely Perspective paper published today in the science journal Cell Stem Cell. The paper was prompted by recent breakthroughs involving the transplantation of human brain organoids into rodents—a practice that’s led to concerns about the “humanization” of lab animals.

In their paper, the authors evaluate the current limits of this biotechnology and the potential risks involved, while also looking ahead to the future. Chen and his colleagues don’t believe anything needs to be done right now to limit these sorts of experiments, but that could change once scientists start to enhance certain types of brain functions in chimeric animals, that is, animals endowed with human attributes, in this case human brain cells.

In the future, the authors said, scientists will need to be wary of inducing robust levels of consciousness in chimeric animals and even stand-alone brain organoids, similar to the sci-fi image of a conscious brain in a vat.

Cross-section of a brain organoid.
Image: Trujillo et al., 2019, Cell Stem Cell

Human brain organoids are proving to be remarkably useful. Made from human stem cells, brain organoids are tiny clumps of neural cells which scientists can use in their research.

To be clear, pea-sized organoids are far too basic to induce traits like consciousness, feelings, or any semblance of awareness, but because they consist of living human brain cells, scientists can use them to study brain development, cognitive disorders, and the way certain diseases affect the brain, among other things. And in fact, during the opening stages of the Zika outbreak, brain organoids were used to study how the virus infiltrates brain cells.

The use of brain organoids in this way is largely uncontroversial, but recent research involving the transplantation of human brain cells into rodent brains is leading to some serious ethical concerns, specifically the claim that scientists are creating part-human animals.

Anders Sandberg, a researcher at the University of Oxford’s Future of Humanity Institute, said scientists are not yet able to generate full-sized brains due to the lack of blood vessels, supporting structure, and other elements required to build a fully functioning brain. But that’s where lab animals can come in handy.

“Making organoids of human brain cells is obviously interesting both for regenerating brain damage and for research,” explained Sandberg, who’s not affiliated with the new paper. “They do gain some structure, even though it is not like a full brain or even part of a brain. One way of getting around the problem of the lack of blood vessels in a petri dish is to implant them in an animal,” he said. “But it’s at this point when people start to get a bit nervous.”

The concern, of course, is that the human neural cells, when transplanted into a nonhuman animal, say a mouse or rat, will somehow endow the creature with human-like traits, such as greater intelligence, more complex emotions, and so on.

Source: Rodents With Part-Human Brains Pose a New Challenge for Bioethics

This is a very well considered article, very much worth reading further above.

To find the best parking spot, do the math

The next time you’re hunting for a parking spot, mathematics could help you identify the most efficient strategy, according to a recent paper in the Journal of Statistical Mechanics. It’s basically an optimization problem: weighing different variables and crunching the numbers to find the optimal combination of those factors. In the case of where to put your car, the goal is to strike the optimal balance of parking close to the target—a building entrance, for example—without having to waste too much time circling the lot hunting for the closest space.

Paul Krapivsky of Boston University and Sidney Redner of the Santa Fe Institute decided to build their analysis around an idealized parking lot with a single row (a semi-infinite line), and they focused on three basic parking strategies. A driver who employs a “meek” strategy will take the first available spot, preferring to park as quickly as possible even if there might be open spots closer to the entrance. A driver employing an “optimistic” strategy will go right to the entrance and then backtrack to find the closest possible spot.

Finally, drivers implementing a “prudent” strategy will split the difference. They might not grab the first available spot, figuring there will be at least one more open spot a bit closer to the entrance. If there isn’t, they will backtrack to the space a meek driver would have claimed immediately.

[…]

Based on their model, the scientists concluded that the meek strategy is the least effective of the three, calling it “risibly inefficient” because “many good parking spots are unfilled and most cars are parked far from the target.”

Determining whether the optimistic or prudent strategy was preferable proved trickier, so they introduced a cost variable. They defined it as “the distance from the parking spot to the target plus time wasted looking for a parking spot.” Their model also assumes the speed of the car in the lot is the same as average walking speed.

“On average, the prudent strategy is less costly,” the authors concluded. “Thus, even though the prudent strategy does not allow the driver to take advantage of the presence of many prime parking spots close to the target, the backtracking that must always occur in the optimistic strategy outweighs the benefit.” Plenty of people might indeed decide that walking a bit farther is an acceptable tradeoff to avoid endlessly circling a crowded lot hunting for an elusive closer space. Or maybe they just want to rack up a few extra steps on their FitBit.

The authors acknowledge some caveats to their findings. This is a “minimalist physics-based” model, unlike more complicated models used in transportation studies that incorporate factors like parking costs, time limits, and so forth. And most parking lots are not one-dimensional (a single row). The model used by the authors also assumes that cars enter the lot from the right at a fixed rate, and every car will have time to find a spot before the next car enters—a highly unrealistic scenario where there is no competition between cars for a given space. (Oh, if only…)

Source: To find the best parking spot, do the math | Ars Technica

US, UK and Australia want Zuckerberg To Halt Plans For End-To-End Encryption Across Facebook’s Apps – because they want to be able to spy on you. As will other criminals. What happened to the “Free world”?

Attorney General Bill Barr, along with officials from the United Kingdom and Australia, is set to publish an open letter to Facebook CEO Mark Zuckerberg asking the company to delay plans for end-to-end encryption across its messaging services until it can guarantee the added privacy does not reduce public safety.

A draft of the letter, dated Oct. 4, is set to be released alongside the announcement of a new data-sharing agreement between law enforcement in the US and the UK; it was obtained by BuzzFeed News ahead of its publication.

Signed by Barr, UK Home Secretary Priti Patel, acting US Homeland Security Secretary Kevin McAleenan, and Australian Minister for Home Affairs Peter Dutton, the letter raises concerns that Facebook’s plan to build end-to-end encryption into its messaging apps will prevent law enforcement agencies from finding illegal activity conducted through Facebook, including child sexual exploitation, terrorism, and election meddling.

Source: Attorney General Bill Barr Will Ask Zuckerberg To Halt Plans For End-To-End Encryption Across Facebook’s Apps

Bitcoin Isn’t the World’s Most-Used Cryptocurrency – it’s a centralised one run by some private company in Hong Kong

With Tether’s monthly trading volume about 18% higher than that of Bitcoin, it’s arguably the most important coin in the crypto ecosystem. Tether’s also one of the main reasons why regulators regard cryptocurrencies with a wary eye, and have put the brakes on crypto exchange-traded funds amid concern of market manipulation.

“If there is no Tether, we lose a massive amount of daily volume — around $1 billion or more depending on the data source,” said Lex Sokolin, global financial technology co-head at ConsenSys, which offers blockchain technology. “Some of the concerning potential patterns of trading in the market may start to fall away.”

Chart: Coins With Biggest Daily Trading Volumes (in billions of U.S. dollars; source: CoinMarketCap.com, values as of Sept. 27, 2019)

Tether is the world’s most used stablecoin, a category of tokens that seek to avoid price fluctuations, often through pegs or reserves. It’s also a pathway for most of the world’s active traders into the crypto market. In countries like China, where crypto exchanges are banned, people can pay cash over the counter to get Tethers with few questions asked, according to Sokolin. From there, they can trade Tethers for Bitcoin and other cryptocurrencies, he said.

“For many people in Asia, they like the idea that it’s this offshore, opaque thing out of reach of the U.S. government,” said Jeremy Allaire, chief executive officer of Circle, which supports a rival stablecoin called USD Coin. “It’s a feature, not a problem.”


Tether, which is being sued by New York for allegedly commingling funds including reserves, says using a know-your-customer form and approval process is required to issue and redeem the coin.

Asian traders account for about 70% of all crypto trading volume, according to Allaire, and Tether was used in 40% and 80% of all transactions on two of the world’s top exchanges, Binance and Huobi, respectively, Coin Metrics said earlier this year.

Many people don’t even know they use Tether, said Thaddeus Dryja, a research scientist at the Massachusetts Institute of Technology. Because traditional financial institutions worry that they don’t sniff out criminals and money launderers well enough, most crypto exchanges still don’t have bank accounts and can’t hold dollars on behalf of customers. So they use Tether as a substitute, Dryja said.

“I don’t think people actually trust Tether — I think people use Tether without realizing that they are using it, and instead think they have actual dollars in a bank account somewhere,” Dryja said. Some exchanges mislabel their pages, to convey the impression that customers are holding dollars instead of Tethers, he said.

Chart: Tether’s Market Cap Balloons (in U.S. dollars; source: CoinMarketCap.com)

The way Tether is managed and governed makes it a black box. While Bitcoin belongs to no one, Tether is issued by a Hong Kong-based private company whose proprietors also own the Bitfinex crypto exchange. The exact mechanism by which Tether’s supply is increased and decreased is unclear. Exactly how much of the supply is covered by fiat reserves is in question, too, as Tether is not independently audited. In April, Tether disclosed that 74% of the Tethers are covered by cash and short-term securities, while it previously said it had a 100% reserve.

The disclosure was a part of an ongoing investigation into Tether by the New York Attorney General, which accused the companies behind the coin of a coverup to hide the loss of $850 million of commingled client and corporate funds.

John Griffin, a finance professor at the University of Texas at Austin, said that half of Bitcoin’s runup in 2017 was the result of market manipulation using Tether. Last year Bloomberg reported that the U.S. Justice Department is investigating Tether’s role in this market manipulation.

Convenience Versus Risk

“Being controlled by centralized parties defeats the entire original purpose of blockchain and decentralized cryptocurrencies,” Griffin said. “By avoiding government powers, stablecoins place trust instead in the hands of big tech companies, who have mixed accountability. So while the idea is great in theory, in practice it is risky, open to abuse, and plagued by similar problems to traditional fiat currencies.”

Source: Bitcoin Isn’t the World’s Most-Used Cryptocurrency – Bloomberg

Egypt caught spying on journalists and human rights activists through malware and phishing

Back in March 2019, Amnesty International published a report that uncovered a targeted attack against journalists and human rights activists in Egypt. The victims even received an e-mail from Google warning them that government-backed attackers attempted to steal their passwords.

According to the report, the attackers did not rely on traditional phishing methods or credential-stealing payloads, but rather utilized a stealthier and more efficient way of accessing the victims’ inboxes: a technique known as “OAuth Phishing”. By abusing third-party applications for popular mailing services such as Gmail or Outlook, the attackers manipulated victims into granting them full access to their e-mails.
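OAuth phishing leaves no stolen password behind; what it leaves is a grant, so the defender-side check is a review of which third-party apps hold mailbox-wide scopes. The Python below is an added example, not code from Check Point or Amnesty International: it takes an export of OAuth grants and ranks them by mailbox reach, persistence and publisher trust. The scope identifiers are the real ones used by the Gmail API and Microsoft Graph; the `Grant` record layout, the risk weights, the level thresholds and the sample grants are this example’s own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Real scope identifiers from the Gmail API and Microsoft Graph. The risk
# weights assigned below are this example's own, not a vendor rating.
FULL_MAILBOX_SCOPES = {
    "https://mail.google.com/",                      # Gmail: full mailbox access
    "https://www.googleapis.com/auth/gmail.modify",  # Gmail: read, send, label
    "Mail.ReadWrite",                                # Graph: read and write mail
}
READ_MAILBOX_SCOPES = {
    "https://www.googleapis.com/auth/gmail.readonly",  # Gmail: read-only
    "Mail.Read",                                       # Graph: read-only
}
# Microsoft exposes refresh-token issuance as the offline_access scope. Google
# grants it via access_type=offline at authorization time, so for Google grants
# persistence is not a scope and must come from the export's token-type field.
PERSISTENT_SCOPES = {"offline_access"}


@dataclass
class Grant:
    """One row of a constructed admin-side OAuth grant export (assumed layout)."""
    user: str
    app_name: str
    client_id: str
    scopes: List[str]
    publisher_verified: bool
    has_refresh_token: bool = False


def assess(grant: Grant) -> Dict[str, object]:
    """Score one grant: mailbox reach first, then persistence and publisher trust.
    Persistence and an unverified publisher only matter once mail is reachable."""
    scopes = set(grant.scopes)
    score, reasons = 0, []
    if scopes & FULL_MAILBOX_SCOPES:
        score += 3
        reasons.append("full mailbox access")
    elif scopes & READ_MAILBOX_SCOPES:
        score += 2
        reasons.append("mailbox read access")
    if score and (scopes & PERSISTENT_SCOPES or grant.has_refresh_token):
        score += 1
        reasons.append("persistent access (refresh token)")
    if score and not grant.publisher_verified:
        score += 1
        reasons.append("unverified publisher")
    level = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {"user": grant.user, "app": grant.app_name, "client_id": grant.client_id,
            "score": score, "level": level, "reasons": reasons}


def review(grants: List[Grant]) -> List[Dict[str, object]]:
    """Findings with the riskiest grants first; ties broken by user name."""
    return sorted((assess(g) for g in grants), key=lambda f: (-f["score"], f["user"]))


# Constructed sample export; app names and client ids are made up for this example.
SAMPLE_GRANTS = [
    Grant("alice", "Secure Mail Verify", "cid-0001", ["https://mail.google.com/"], False, True),
    Grant("bob", "Calendar Helper", "cid-0002",
          ["https://www.googleapis.com/auth/calendar.readonly"], True),
    Grant("carol", "Mail Digest", "cid-0003", ["Mail.Read", "offline_access"], True),
    Grant("dave", "Mail Digest", "cid-0004", ["Mail.ReadWrite", "offline_access"], False),
]

if __name__ == "__main__":
    for f in review(SAMPLE_GRANTS):
        print(f"{f['level']:6} {f['user']:6} {f['app']:20} "
              f"{', '.join(f['reasons']) or 'no mailbox scopes'}")
```

Because the review keys on scopes rather than on app names, a lookalike app called something reassuring like “Secure Mail Verify” ranks the same as any other app holding full mailbox access; the name is what the phishing page relies on, the scope is what the attacker actually gets.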

Fig 1: Previous OAuth phishing campaign

Recently, we were able to find previously unknown or undisclosed malicious artifacts belonging to this operation. A new website we attributed to this malicious activity revealed that the attackers are going after their prey in more than one way, and might even be hiding in plain sight: developing mobile applications to monitor their targets, and hosting them on Google’s official Play Store.

After we notified Google about the involved applications, they quickly took them off of the Play Store and banned the associated developer.

Infrastructure: The Early Days

The full list of indicators belonging to this campaign and shared by Amnesty on GitHub showed multiple websites that used keywords such as “mail”, “secure”, or “verify”, possibly to avoid arousing suspicion and to masquerade as legitimate mailing services.

By visualizing the information available about each of these websites, we saw clear connections between them: they were registered using NameCheap, had HTTPS certificates, and many of them resolved to the same IP addresses.

The addresses shared the same IPv4 range or netblock (185.125.228[.]0/22), which belongs to a Russian telecommunications company called MAROSNET.

Fig 2: Maltego visualization of campaign infrastructure

Naturally, the websites cannot be accessed nowadays, but by looking over public scans available for some of them we could see that in addition to being related to OAuth phishing, they hosted phishing pages that impersonated Outlook or Facebook and tried to steal log-in credentials for those services.
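Indicators like the netblock above are shared defanged (`185.125.228[.]0/22`), so the first step in using them is to refang, parse and match them against what one’s own resolvers or proxy logs saw. The Python below is an added example and not Check Point’s or Amnesty’s tooling: it refangs indicators, turns IPs and CIDR blocks into network objects, checks resolved addresses against them, and defangs the match again for reporting. The netblock is the one the report names; the hostnames and resolved addresses in the sample are constructed for this example.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def refang(indicator: str) -> str:
    """Undo the usual defanging conventions so an indicator can be parsed."""
    return (indicator.strip()
            .replace("[.]", ".").replace("[:]", ":")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def defang(indicator: str) -> str:
    """Defang for safe sharing: dots become [.] so the value is not clickable."""
    return indicator.replace(".", "[.]")


def parse_networks(indicators: Iterable[str]) -> List[Network]:
    """Parse defanged IPs or CIDR blocks; a bare IP becomes a single-host network.
    strict=False tolerates host bits set in a block, e.g. 185.125.228.1/22."""
    return [ipaddress.ip_network(refang(i), strict=False) for i in indicators]


def find_in_blocks(ip: str, networks: List[Network]) -> Optional[Network]:
    """Return the first listed network containing ip (defanged or not), else None."""
    addr = ipaddress.ip_address(refang(ip))
    for net in networks:
        if addr.version == net.version and addr in net:
            return net
    return None


def hits(resolutions: Dict[str, str], networks: List[Network]) -> Dict[str, str]:
    """Map each hostname whose resolved address falls inside a listed block to
    that block, defanged again so the result can be pasted into a report."""
    found: Dict[str, str] = {}
    for host, ip in resolutions.items():
        net = find_in_blocks(ip, networks)
        if net is not None:
            found[host] = defang(str(net))
    return found


# The netblock is the one named in the report; hosts and addresses are constructed.
CAMPAIGN_BLOCKS = parse_networks(["185.125.228[.]0/22"])
SAMPLE_RESOLUTIONS = {
    "mail-verify.example": "185.125.229.10",
    "secure-login.example": "185[.]125[.]231[.]254",
    "cdn.example": "93.184.216.34",
}

if __name__ == "__main__":
    for host, block in hits(SAMPLE_RESOLUTIONS, CAMPAIGN_BLOCKS).items():
        print(f"{host} resolves into campaign netblock {block}")
```

Matching on the whole /22 rather than on the individual IPs is deliberate: the report notes that many of the campaign hosts resolved to the same addresses in one range, so a new host landing elsewhere in that block is worth a look even if its exact address was never listed.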

[…]

Following up on the investigation first conducted by Amnesty International, we revealed new aspects of the attack that has targeted Egypt’s civil society since at least 2018.

Whether it is phishing pages, legitimate-looking applications for Outlook and Gmail, or mobile applications that track a device’s communications or location, it is clear that the attackers are constantly coming up with creative and versatile methods to reach victims, spy on their accounts, and monitor their activity.

We discovered a list of victims that included handpicked political and social activists, high-profile journalists and members of non-profit organizations in Egypt.

The information we gathered from our investigation suggested that the perpetrators are Arabic speakers who are well acquainted with the Egyptian ecosystem. If the attack is government-backed, we may be looking at a surveillance operation by a country against its own citizens, or by another government that uses this noisy campaign to cover some other attack.

Source: The Eye on the Nile – Check Point Research

Paralysed man moves in mind-reading exoskeleton

A man has been able to move all four of his paralysed limbs with a mind-controlled exoskeleton suit, French researchers report.

Thibault, 30, said taking his first steps in the suit felt like being the “first man on the Moon”.

His movements, particularly walking, are far from perfect and the robo-suit is being used only in the lab.

But researchers say the approach could one day improve patients’ quality of life.

Thibault had surgery to place two implants on the surface of the brain, covering the parts of the brain that control movement.

Sixty-four electrodes on each implant read the brain activity and beam the instructions to a nearby computer.

Sophisticated computer software reads the brainwaves and turns them into instructions for controlling the exoskeleton

[…]

In 2017, he took part in the exoskeleton trial with Clinatec and the University of Grenoble.

Initially he practised using the brain implants to control a virtual character, or avatar, in a computer game, then he moved on to walking in the suit.

Media caption: Mind-controlled exoskeleton allows paralysed 30-year-old man to walk in French lab

“It was like [being the] first man on the Moon. I didn’t walk for two years. I forgot what it is to stand, I forgot I was taller than a lot of people in the room,” he said.

It took a lot longer to learn how to control the arms.

“It was very difficult because it is a combination of multiple muscles and movements. This is the most impressive thing I do with the exoskeleton.”

[…]

“This is far from autonomous walking,” Prof Alim-Louis Benabid, the president of the Clinatec executive board, told BBC News.

[…]

In tasks where Thibault had to touch specific targets by using the exoskeleton to move his upper and lower arms and rotate his wrists, he was successful 71% of the time.

Prof Benabid, who developed deep brain stimulation for Parkinson’s disease, told the BBC: “We have solved the problem and shown the principle is correct. This is proof we can extend the mobility of patients in an exoskeleton.

[…]

At the moment they are limited by the amount of data they can read from the brain, send to a computer, interpret and send to the exoskeleton in real-time.

They have 350 milliseconds to go from thought to movement otherwise the system becomes difficult to control.

It means out of the 64 electrodes on each implant, the researchers are using only 32.

So there is still the potential to read the brain in more detail using more powerful computers and AI to interpret the information from the brain.

Source: Paralysed man moves in mind-reading exoskeleton – BBC News

Iran tried to hack hundreds of politicians, journalists email accounts last month, warns Microsoft

The Iranian government has attempted to hack into hundreds of Office 365 email accounts belonging to politicians, government officials and journalists last month, Microsoft has warned.

“We’ve recently seen significant cyber activity by a threat group we call Phosphorous, which we believe originates from Iran and is linked to the Iranian government,” Microsoft’s vice president of customer security and trust Tom Burt said in a blog post on Friday.

Redmond’s bit wranglers observed more than 2,700 attempts to hack into 241 different accounts, according to the software giant. It noted that those accounts “are associated with a US presidential campaign, current and former US government officials, journalists covering global politics and prominent Iranians living outside Iran.”

Microsoft says that only four of the 241 accounts were compromised and none of them were connected to government officials or presidential campaigns. It says the accounts are now secure and the owners are aware of the activity.

Notably, Microsoft says the hacking efforts were “not technically sophisticated” but used personal information gathered elsewhere to try to prompt password reset or account recovery in an effort to get into the accounts.

“For example, they would seek access to a secondary email account linked to a user’s Microsoft account, then attempt to gain access to a user’s Microsoft account through verification sent to the secondary account,” Microsoft explained.

It also appears that the hackers attempted to bypass two-factor authentication. “In some instances, they gathered phone numbers belonging to their targets and used them to assist in authenticating password resets,” the company said. It described the attackers as “highly motivated and willing to invest significant time and resources.”
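The pattern Microsoft describes, resets driven through a secondary e-mail address or a phone number rather than through the account's own password, leaves a recognisable trace in an identity provider's audit log. The following is an added example, not code from Microsoft or The Register: a detector over constructed audit events (the record layout and field names are hypothetical) that flags accounts seeing a burst of recovery-channel reset requests, especially from more than one source address, and then checks which of those accounts actually had a reset completed that way.

```python
"""Flag account-recovery abuse in identity-provider audit events.

Added example, not from Microsoft's or The Register's material. The event
records are constructed and the field layout is hypothetical. It looks for
the pattern the text describes: password resets pushed through a secondary
e-mail address or a phone number, clustered in time and coming from more
than one source.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
RECOVERY_CHANNELS = {"secondary_email", "sms"}

# Constructed audit events: (timestamp, account, event, channel, source ip).
EVENTS = [
    ("2019-09-02T08:00:00", "alice@example.org", "reset_requested", "secondary_email", "198.51.100.7"),
    ("2019-09-02T08:05:00", "alice@example.org", "reset_requested", "secondary_email", "198.51.100.9"),
    ("2019-09-02T09:30:00", "alice@example.org", "reset_requested", "sms", "198.51.100.9"),
    ("2019-09-02T09:31:00", "alice@example.org", "reset_completed", "sms", "198.51.100.9"),
    ("2019-09-03T11:00:00", "bob@example.org", "reset_requested", "secondary_email", "203.0.113.4"),
    ("2019-09-03T11:02:00", "bob@example.org", "reset_completed", "secondary_email", "203.0.113.4"),
    ("2019-09-20T11:00:00", "bob@example.org", "reset_requested", "sms", "203.0.113.4"),
]


def recovery_abuse(events, min_attempts=3, min_sources=2, window=WINDOW):
    """Return {account: reason} for accounts whose recovery-channel resets look attacker-driven.

    An account is flagged when, inside `window`, it sees at least
    `min_attempts` recovery-channel reset requests, or requests from at
    least `min_sources` distinct source addresses.
    """
    by_account = defaultdict(list)
    for ts, account, event, channel, ip in events:
        if event == "reset_requested" and channel in RECOVERY_CHANNELS:
            by_account[account].append((datetime.fromisoformat(ts), channel, ip))

    flagged = {}
    hours = int(window.total_seconds() // 3600)
    for account, requests in by_account.items():
        requests.sort()
        # Slide the window forward from each request and look at what follows it.
        for i, (t0, _, _) in enumerate(requests):
            in_window = [r for r in requests[i:] if r[0] - t0 <= window]
            sources = {ip for _, _, ip in in_window}
            if len(in_window) >= min_attempts or len(sources) >= min_sources:
                flagged[account] = (f"{len(in_window)} recovery resets from "
                                    f"{len(sources)} sources within {hours}h")
                break
    return flagged


def completed_via_recovery(events, flagged):
    """Of the flagged accounts, those where a reset actually went through a recovery channel."""
    return {account for _, account, event, channel, _ in events
            if account in flagged and event == "reset_completed" and channel in RECOVERY_CHANNELS}


if __name__ == "__main__":
    hits = recovery_abuse(EVENTS)
    for account, reason in hits.items():
        print(f"{account}: {reason}")
    print("reset completed through a recovery channel:", completed_via_recovery(EVENTS, hits))
```

Bob's two requests are eighteen days apart and come from one address, so the window never fills and he is not flagged; Alice's three requests within ninety minutes from two addresses are, and the completed SMS reset is the event that turns the alert into an incident. The thresholds are this example's own defaults and belong in a tuning knob, not in the code.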

Instead, Microsoft proposes that people use its Authenticator app, which provides a login code that changes every 30 seconds, in order to access their accounts.
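The 30-second code that authenticator apps produce is a time-based one-time password (RFC 6238, built on the HOTP construction of RFC 4226). The following is an added example, not Microsoft Authenticator's code: it implements the generator, checks it against the published RFC test vectors, and shows the server-side verifier with the detail that makes such a code harder to abuse than an SMS verification: each time step is accepted at most once, so a code that has already been used, however it was obtained, is refused. The shared secret is the RFC's test-vector secret, not a real one, and the replay rule is this example's own design choice.

```python
"""Time-based one-time passwords (RFC 6238), the scheme behind
authenticator-app codes that rotate every 30 seconds.

Added example, not Microsoft Authenticator's code. The shared secret below
is the RFC 6238 test-vector secret, not a real one; the verifier's
replay-protection rule is this example's own choice.
"""
import hashlib
import hmac
import time

RFC_SECRET = b"12345678901234567890"   # RFC 6238 Appendix B test secret


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(time / step)."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server side: accept a code for the current step or its neighbours,
    and never accept the same step twice, so a code that was already used
    (or phished and replayed) is refused."""

    def __init__(self, secret, step=30, digits=6, skew=1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_counter = -1   # highest step already consumed

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        counter = int(now) // self.step
        for c in range(max(0, counter - self.skew), counter + self.skew + 1):
            if c <= self.last_counter:
                continue   # step already used: replay, or older than one we accepted
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    print("current code for the test secret:", totp(RFC_SECRET, time.time()))
    v = TotpVerifier(RFC_SECRET, digits=8)
    code = totp(RFC_SECRET, 1234567890, digits=8)
    print("first use:", v.verify(code, now=1234567890))   # accepted
    print("replay:", v.verify(code, now=1234567890))      # refused
```

The skew of one step on either side absorbs clock drift between phone and server; widening it buys tolerance at the cost of a longer window in which an intercepted code remains valid, and the last-counter rule is what keeps even that window single-use.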

How come Iran?

The company did not go into any detail over why it believes the Iranian government is behind the hacks beyond noting that those targeted included “prominent Iranians living outside Iran.” Presumably, it was able to identify the same pattern of hacking efforts with other accounts not directly connected with Iran and extrapolated from that.

Source: Iran tried to hack hundreds of politicians, journalists email accounts last month, warns Microsoft • The Register