The cards that are used to connect families in provinces in the Benelux as well as the family trees are published online are hugely anonymous, which means it’s nearly impossible to connect the dots as you don’t know when someone was born. Pictures and documents are being removed willy nilly from archives, in contravention of the archive laws (or openness laws, as they garauntee publication of data after a certain amount of time). Uncertainty about how far the AVG goes are leading people to take a very heavy handed view of it.
After two weeks of no uploads, a notable Borderlands personality on YouTube returned to the platform yesterday with a video explaining his absence. He said that the game’s publisher Take-Two Interactive hit his channel with several copyright strikes and sent investigators to his home in response to months of Borderlands coverage on his channel, which included leaks about upcoming games in the series.
[…]
Take-Two subsidiary 2K Games, however, said the YouTuber’s actions were sometimes illegal and harmful to the Borderlands community. “The action we’ve taken is the result of a 10-month investigation and a history of this creator profiting from breaking our policies, leaking confidential information about our product, and infringing our copyrights,” a 2K Games rep said in a statement. “Not only were many of his actions illegal, but they were negatively impacting the experiences of other content creators and our fans in anticipation for the game.”
The company did not specify what it was that Somers did that they think broke the law.
Somers’ videos include playthroughs of the Borderlands series as well as tips, tricks, and an in-depth history series that explores the lore of the Borderlands universe. For the last year, Somers’ channel has also been home to Borderlands 3 leaks and speculation, which he always attributed to either unnamed sources or the work of a community of fans digging through SteamDB, a third-party data repository that shows the work being done behind-the-scenes to get games ready for the PC platform.
Wherever he was getting his information from, Somers got a lot of things right
[…]
In his return video, Somers goes into great detail about what happened to him, his YouTube channel, and his Discord server. Somers claims that on July 25, investigators showed up at his home in New Jersey and questioned him on behalf of the New York-based Take-Two Interactive, the parent company of Borderlands publisher 2K Games. He describes being tense due to strangers trespassing on his private property and regrets having spoken with them. Somers allegedly answered questions about his channel and various information he had previously reported on
[…]
his YouTube channel, which was later hit by seven copyright strikes he says Take-Two handed down following his visit from the private investigators. Since then, all but one of these copyright strikes have been removed from his channel, allowing it to remain live, although he’s unsure if this means they were rescinded by Take-Two or removed by YouTube.
In addition to the strikes against his YouTube channel, Somers says that his Discord server and his Discord account were terminated 20 minutes after the private investigators left. The explanation he got from an automated Discord email was that his account was “involved in selling, promoting, or distributing cheats, hacks, or cracked accounts.” He says that no information was provided as to who was behind this shutdown and denies that anything of the sort took place in his Discord server.
[…]
A rep for 2K Games, however, called the video “incomplete and in some cases untrue.” They noted that “Take-Two and 2K take the security and confidentiality of trade secrets very seriously,” adding that the company “will take the necessary actions to defend against leaks and infringement of our intellectual property that not only potentially impact our business and partners, but more importantly may negatively impact the experiences of our fans and customers.”
The rep declined to provide further information on Take-Two and 2K’s investigation.
What really gets me here is the callous way in which he was booted from several services (YouTube and Discord) with no idea why or how to fix his problem or how they were fixed in the end. It’s the same black hole Amazon sellers live of in terror. These services are now too big to allow them to get away with “it’s a free service and you can choose not to use them” – there are no viable alternatives. The creation of the rules and enforcement of these rules cannot be left in the hands of entities that are solely interested in profit.
The Cloud Native Computing Foundation (CNCF) today released a security audit of Kubernetes, the widely used container orchestration software, and the findings are about what you’d expect for a project with about two million lines of code: there are plenty of flaws that need to be addressed.
The CNCF engaged two security firms, Trail of Bits and Atredis Partners, to poke around Kubernetes code over the course of four months. The companies looked at Kubernetes components involved in networking, cryptography, authentication, authorization, secrets management, and multi-tenancy.
Having identified 34 vulnerabilities – 4 high severity, 15 medium severity, 8 low severity and 7 informational severity – the Trail of Bits report advises project developers to rely more on standard libraries, to avoid custom parsers and specialized configuration systems, to choose “sane defaults,” and to ensure correct filesystem and kernel interactions prior to performing operations.
“The assessment team found configuration and deployment of Kubernetes to be non-trivial, with certain components having confusing default settings, missing operational controls, and implicitly designed security controls,” the Trail of Bits report revealed. “Also, the state of the Kubernetes codebase has significant room for improvement.”
Underscoring these findings, Kubernetes 1.13.9, 1.14.5, and 1.15.2 were released on Monday to fix two security issues in the software, CVE-2019-11247 and CVE-2019-11249. The former could allow a user in one namespace to access a resource scoped to a cluster. The latter could allow a malicious container to create or replace a file on the client computer when the client employs the kubectl cp command.
As noted by the CNCF, the security auditors found: policy application inconsistencies, which prompt a false sense of security; insecure TLS used by default; environmental variables and command-line arguments that reveal credentials; secrets leaked in logs; no support for certificate revocation, and seccomp (a system-call filtering mechanism in the Linux kernel) not activated by default.
The findings include advice to cluster admins, such as not using both Role-Based Access Controls and Attribute-Based Access Controls because of the potential for inadvertent permission grants if one of these fails.
They also include various recommendations and best practices for developers to follow as they continue making contributions to Kubernetes.
For example, one recommendation is to avoid hardcoding file paths to dependencies. The report points to Kubernetes’ kublet process, “where a dependency on hardcoded paths for PID files led to a race condition which could allow an attacker to escalate privileges.”
The report also advises enforcing minimum files permissions, monitoring processes on Linux, and various other steps to make Kubernetes more secure.
In an email to The Register, Chris Aniszczyk, CTO and COO of CNCF, expressed satisfaction with the audit process. “We view it positively that the whole process of doing a security audit was handled transparently by the members of the Kubernetes Security Audit WG, from selecting a vendor to working with the upstream project,” he said. “I don’t know of any other open source organization that has shared and open sourced the whole process around a security audit and the results. Transparency builds trust in open source communities, especially around security.”
Asked how he’d characterize the risks present in Kubernetes at the moment, Aniszczyk said, “The Kubernetes developers responded quickly and created appropriate CVEs for critical issues. In the end, we would rather have the report speak for itself in terms of the findings and recommendations.”
according to a new report, Ring is also instructing cops on how to persuade customers to hang over surveillance footage even when they aren’t responsive to police requests.
According to a police memo obtained by Gizmodo and reported last week, Ring has partnerships with “over 225 law enforcement agencies,” Ring is actively involved in scripting and approving how police communicate those partnerships. As part of these relationships, Ring helps police obtain surveillance footage both by alerting customers in a given area that footage is needed and by asking to “share videos” with police. In a disclaimer included with the alerts, Ring claims that sharing the footage “is absolutely your choice.”
But according to documents and emails obtained by Motherboard, Ring also instructed police from two departments in New Jersey on how best to coax the footage out of Ring customers through its “neighborhood watch” app Neighbors in situations where police requests for video were not being met, including by providing police with templates for requests and by encouraging them to post often on the Neighbors app as well as on social media.
In one such email obtained by Motherboard, a Bloomfield Police Department detective requested advice from a Ring associate on how best to obtain videos after his requests were not being answered and further asked whether there was “anything that we can blast out to encourage Ring owners to share the videos when requested.”
In this email correspondence, the Ring associate informed the detective that a significant part of customer “opt in for video requests is based on the interaction law enforcement has with the community,” adding that the detective had done a “great job interacting with [community members] and this will be critical in regard to increased opt in rate.”
“The more users you have the more useful information you can collect,” the associate wrote.
Ring did not immediately return our request for comment about the practice of instructing police how to better obtain surveillance footage from its own customers. However, a spokesperson told Motherboard in a statement that the company “offers Neighbors app trainings and best practices for posting and engaging with app users for all law enforcement agencies utilizing the portal tool,” including by providing “templates and educational materials for police departments to utilize at their discretion.”
In addition to Gizmodo’s recent report that Ring is carefully controlling the messaging and implementation of its products with its police departments, a report from GovTech on Friday claimed that Amazon is also helping police work around denied requests by customers to supply their Ring footage. In such instances, according to the report, police can approach Ring’s parent company Amazon, which can provide the footage that police deem vital to an investigation.
“If we ask within 60 days of the recording and as long as it’s been uploaded to the cloud, then Ring can take it out of the cloud and send it to us legally so that we can use it as part of our investigation,” Tony Botti, public information officer for the Fresno County Sheriff’s Office, told GovTech. When contacted by Gizmodo, however, a Ring spokesperson denied this.
Data breach researchers at security firm UpGuard found the data in late July, and traced the storage bucket back to a former staffer at the Democratic Senatorial Campaign Committee, an organization that seeks grassroots donations and contributions to help elect Democratic candidates to the U.S. Senate.
Following the discovery, UpGuard researchers reached out to the DSCC and the storage bucket was secured within a few hours. The researchers shared their findings exclusively with TechCrunch and published their findings.
The spreadsheet was titled “EmailExcludeClinton.csv” and was found in a similarly named unprotected Amazon S3 bucket without a password. The file was uploaded in 2010 — a year after former Democratic senator and presidential candidate Hillary Clinton, whom the data is believed to be named after, became secretary of state.
UpGuard said the data may be people “who had opted out or should otherwise be excluded” from the committee’s marketing.
A redacted portion of the email spreadsheet (Image: UpGuard/supplied)
Stewart Boss, a spokesperson for the DSCC, denied the data came from Sen. Hillary Clinton’s campaign and claimed the data had been created using the committee’s own information.
“A spreadsheet from nearly a decade ago that was created for fundraising purposes was removed in compliance with the stringent protocols we now have in place,” he told TechCrunch in an email.
Despite several follow-ups, the spokesperson declined to say how the email addresses were collected, where the information came from, what the email addresses were used for, how long the bucket was exposed, or if the committee knew if anyone else accessed or obtained the data.
We also contacted the former DSCC staffer who owned the storage bucket and allegedly created the database, but did not hear back.
Most of the email addresses were from consumer providers, like AOL, Yahoo, Hotmail and Gmail, but the researchers found more than 7,700 U.S. government email addresses and 3,400 U.S. military email addresses, said the UpGuard researchers.
The DSCC security lapse is the latest in a string of data exposures in recent years — some of which were also discovered by UpGuard. Two incidents in 2015 and 2017 exposed 191 million and 198 million Americans’ voter data, respectively, including voter profiles and political persuasions. Last year, 14 million voter records on Texas residents were also found on an exposed server.
The developers of cutesy Animal Crossing–Pokemon mashup Ooblets just had a weekend from hell. After trying to preempt a tidal wave of rage over their newly announced Epic Games Store exclusivity, they got hit with a swirling tsunami of foaming-at-the-mouth anger, up to and including death threats and anti-Semitic hoaxes. This is the worst overreaction to an Epic deal that’s yet been publicized. It’s also part of a larger trend that the video game industry has let run rampant for far too long.
Today, Ooblets designer Ben Wasser published a lengthy Medium post about the harassment that he and his sole teammate at development studio Glumberland, programmer/artist Rebecca Cordingley, have been subjected to. In it, he discussed in detail what he’s only alluded to before, showing numerous screenshots of threatening, often racist and sexist abuse and pointing to coordinated efforts to storm the Ooblets Discord and propagate fabricated messages that made it look like Wasser said anti-Semitic things about gamers. In part, he blamed the tone of his tongue-in-cheek announcement post for this, saying that while it’s the tone the Ooblets team has been using to communicate with fans since day one, it was a “stupid miscalculation on my part.”
It is, on no uncertain terms, insane to expect that anyone might have to deal with a reaction like this because of some slight snark in a post about what is to them very good news. Actually, let’s just sit with that last point for a second: If you’re a fan of Ooblets, the Epic Store announcement is fantastic news; no, you don’t get to play it on Steam, and yes, the Epic Store is a weird, janky ghost town of a thing that’s improving at an alarmingly slow rate, but thanks to Epic’s funding, Ooblets and the studio making it are now guaranteed to survive. Thrive, even, thanks to additional staff and resources. You’ve got to download another (free) client to play it, but you get the best possible version of the game you were looking forward to, and its creators get to keep eating, which is something that I’ve heard keeps people alive.
And yet, in reaction to this, people went ballistic, just like they have so many times before. This is our default now. Every tiny pinprick slight is a powder keg. Developers may as well have lit matches taped to their fingers, because any perceived “wrong” move is enough to set off an explosive consumer revolt. And make no mistake, the people going after Ooblets were not fans, as evidenced by the fact that, according to Wasser, they didn’t even know how the game’s Patreon worked. Instead, they were self-described “consumers” and “potential customers” who felt like the game’s mere existence granted them some impossibly huge stake in its future. Wasser talked about this in his post:
“We’ve been told nonstop throughout this about how we must treat ‘consumers’ or ‘potential customers’ a certain way,” he said. “I understand the relationship people think they might be owed when they exchange money for goods or services, but the people using the terms consumers and potential customers here are doing so specifically because we’ve never actually sold them anything and don’t owe them anything at all… Whenever I’ve mentioned that we, as random people happening to be making a game, don’t owe these other random people anything, they become absolutely enraged. Some of the most apparently incendiary screenshots of things I’ve said are all along these lines.”
We need to face facts: This kind of mentality is a major force in video game culture. This is what a large number of people believe, and they use it as a justification to carry out sustained abuse and harassment. “When presented with the reality of the damage inflicted, we’ve seen countless people effectively say ‘you were asking for it,’” said Wasser. “According to that logic, anything anyone says that could rub someone the wrong way is cause for the internet to try to ruin their life. Either that, or our role as two people who had the nerve to make a video game made us valid targets in their minds.”
Things reached this deranged fever pitch, in part, because companies kowtowed to an increasingly caustic and abusive consumer culture, frequently chalking explosive overreactions up to “passion” and other ostensibly virtuous qualities. This culture, to be fair, is not always out of line (see: loot boxes, exploitative pricing from big publishers, and big companies generally behaving in questionable ways), but it frequently takes aim at individuals who have no actual power and contains people who are not opposed to using reprehensible mob tactics to achieve their goals—or just straight up deploying consumer-related concerns as an excuse to heap abuse on people and groups they hate. While the concerns, targets, and participants are not always the same, it’s hard to ignore that many of these mob tactics were pioneered and refined on places like 4chan and 8chan, and by movements like Gamergate—other pernicious elements that the gaming industry has widely failed to condemn (and has even engaged with, in some cases).
In the world of PC gaming, Valve is the biggest example of a company that utterly failed to keep its audience in check. Valve spent years lingering in the shadows, resolutely remaining hands-off until everything caught on fire and even the metaphorical “This is fine” dog could no longer ignore the writing on the wall. Or the company got sued. In this environment, PC gamers developed an oppositional relationship with game makers. Groups sprung up to police what they perceived as sketchy games—but, inevitably, they ended up going after perfectly legitimate developers, too. Users flooded forums when they were upset about changes to games or political stances or whatever else, with Valve leaving moderation to often-understaffed development teams instead of putting its foot down against abuse. Review bombs became a viable tactic to tank games’ sales, and for a time, any game that ran afoul of the larger PC gaming consumer culture saw its score reduced to oblivion, with users dropping bombs over everything from pricing decisions to women and trans people in games.
Smaller developers, utterly lacking in systemic or institutional support, were forced to respond to these attacks, granting them credibility. The tactics worked, so people kept using them, their cause justified by the overarching idea that many developers are “lazy” and disingenuous—when, in reality, game development is mind-bogglingly difficult and takes time. Recently, Valve has begun totake aim at some of these issues, but the damage is already done.
Whether unknowingly or out of malice, Valve went on to fire the starting gun for this same audience to start giving Epic Store developers trouble. When publisher Deep Silver announced that Metro Exodus would be an Epic Store exclusive, Valve published a note on the game’s Steam store page calling the move “unfair.” Inevitably, Steam review bombs of previous games in the series followed, as did harassment of individual developers and even the author of the books on which the Metro video game series is based. Soon, this became a pattern when any relatively high-profile game headed toward Epic’s (at least temporarily) greener pastures.
That brings us to Ooblets. The game’s developers are facing astounding abuse over what is—in the grand scheme of life, or even just media platforms—a minor change of scenery. But they’re not backing down.
“I recognize that none of this post equates to an apology in any way that a lot of the mob is trying to obtain, and that’s by design,” Wasser wrote in his Medium post. “While some of what I’ve said was definitely bad for PR, I stand behind it. A portion of the gaming community is indeed horrendously toxic, entitled, immature, irrationally-angry, and prone to joining hate mobs over any inconsequential issue they can cook up. That was proven again through this entire experience. It was never my intention to alienate or antagonize anyone in our community who does not fit that description, and I hope that you can see my tone and pointed comments were not directed at you.”
And while Epic is, at the end of the day, an industry titan deserving of some of the scrutiny that gets hurled its way, it’s at least taking a stand instead of washing its hands of the situation like Valve and other big companies have for so long.
“The announcement of Ooblets highlighted a disturbing trend which is growing and undermining healthy public discourse, and that’s the coordinated and deliberate creation and promotion of false information, including fake screenshots, videos, and technical analysis, accompanied by harassment of partners, promotion of hateful themes, and intimidation of those with opposing views,” Epic said in a statement yesterday, concluding that it plans to “steadfastly support our partners throughout these challenges.”
So far, it seems like the company has been true to its word. “A lot of companies would’ve left us to deal with all of this on our own, but Epic has been by our side as our world has gone sideways,” said Wasser. “The fact that they care so much about a team and game as small as us proves to us that we made the right call in working with them, and we couldn’t be more thankful.”
That’s a step in the right direction, and hopefully one that other companies will follow. But the gaming industry has allowed this problem to grow and grow and grow over the course of many years, and it’s hard to see a future in which blowups like this don’t remain a regular occurrence. In his post, Wasser faced this sad reality.
“I hope that laying all this out helps in some way to lessen what pain is brought against whoever the next targets are, because we sadly know there will be many,” he said. “You should have opinions, disagree with things, make arguments, but don’t try to ruin people’s lives or jump on the bandwagon when it’s happening. What happened to us is the result of people forgetting their humanity for the sake of participating in video game drama. Please have a little perspective before letting your mild annoyance lead to deeply hurting a fellow human being.”
Twee T-shirts ‘n’ merch purveyor CafePress had 23 million user records swiped – reportedly back in February – and this morning triggered a mass password reset, calling it a change in internal policy.
Details of the security breach emerged when infosec researcher Troy Hunt’s Have I Been Pwned service – which lists websites known to have been hacked, allowing people to check if their information has been stolen – began firing out emails to affected people in the small hours of this morning.
According to HIBP, a grand total of 23,205,290 CafePress customers’ data was swiped by miscreants, including email addresses, names, phone numbers, and physical addresses.
We have asked CafePress to explain itself and will update this article if the company responds. There was no indication on its UK or US websites at the time of writing to indicate that the firm had acknowledged any breach.
[…]
Musing on the 77 per cent of email addresses from the breach having been seen in previous HIBP reports, Woodward said that factoid “brings me to a problem that isn’t being discussed that much, and which this kind of breach does highlight: the use of email as the user name. It’s clearly meant to make life easier for users, but the trouble is once hackers know an email has been used as a username in one place it is instantly useful for mounting credential-stuffing attacks elsewhere.”
“I wonder,” he told The Register, “if we shouldn’t be using unique usernames and passwords for each site. However, it would mean that it becomes doubly difficult to keep track of your credentials, especially if you’re using different strong passwords for each site, which I hope they are. But all users need do is start using a password manager, which I really wish they would.”
Last week, online sneaker-trading platform StockX asked its users to reset their passwords due to “recently completed system updates on the StockX platform.” In actuality, the company suffered a large data breach back in May, and only finally came clean about it when pressed by reporters who had access to some of the leaked data.
In other words, StockX lied. And while it disclosed details on the breach in the end, there’s still no explanation for why it took StockX so long to figure out what happened, nor why the company felt the need to muddy the situation with its suspicious password-reset email last week.
While most companies are fairly responsible about security disclosures, there’s no question that plenty would prefer if information about massive security breaches affecting them never hit the public eye. And even when companies have to disclose the details of a breach, they can get cagey—as we saw with Capital One’s recent problems.
Sadly it’s partially understandable, considering the lawsuit shotguns brought to bear on companies following disclosure.
Having said that, many of the disclosures are the results of really really stupid mistakes, such as storing credentials in plain text and not securing AWS buckets.
Amazon constantly scans rivals’ prices to see if they’re lower. When it discovers a product is cheaper on, say, Walmart.com, Amazon alerts the company selling the item and then makes the product harder to find and buy on its own marketplace — effectively penalizing the merchant. In many cases, the merchant opts to raise the price on the rival site rather than risk losing sales on Amazon.
Pricing alerts reviewed by Bloomberg show Amazon doesn’t explicitly tell sellers to raise prices on other sites, and the goal may be to push them to lower their prices on Amazon. But in interviews, merchants say they’re so hemmed in by rising costs levied by Amazon and reliant on sales on its marketplace, that they’re more likely to raise their prices elsewhere.
Antitrust experts say the Amazon policy is likely to attract scrutiny from Congress and the Federal Trade Commission, which recently took over jurisdiction of the Seattle-based company. So far, criticism of Amazon’s market power has centered on whether it mines merchants’ sales data to launch competing products and then uses its dominance to make the original product harder to find on its marketplace. Harming consumers by prompting merchants to raise prices on other sites more neatly fits the traditional definition of antitrust behavior in the U.S.
“Monopolization charges are always about business conduct that causes harm in a market,” said Jennifer Rie, an analyst at Bloomberg Intelligence who specializes in antitrust litigation. “It could end up being considered illegal conduct because people who prefer to shop on Walmart end up having to pay a higher price.”
[…]
Online merchants typically sell their products on multiple websites, including Amazon, EBay Inc. and Walmart Inc., which also removes products with “highly uncompetitive” prices compared with those on other sites. But merchants often generate most of their revenue on Amazon, which now accounts for almost 40% of online sales in the U.S., according to EMarketer.
Merchants have long complained that Amazon wields outsize influence over their businesses. Besides paying higher fees, many now have to buy advertising to stand out on the increasingly cluttered site. Some report giving Amazon 40% or more of each transaction, up from 20% a few years ago.
[…]
Amazon began sending the price alerts in 2017, and merchants say they have increased in frequency amid an intensifying price war between Amazon and Walmart. Merchants receive the alerts via a web platform they use to manage their Amazon businesses. The alerts show the product, the price on Amazon and the price found elsewhere on the web. They don’t name the competing site with a lower price; the merchants must find that themselves.
A typical pricing alert reads: “One or more of your offers is currently ineligible for being a featured offer on the product detail page because those items are priced higher on Amazon than at other retailers.”
In plain English, that means merchants lose the prominent “buy now” button that simplifies shopping on Amazon. With that icon missing, shoppers can still buy the products, but it’s a more tedious and unfamiliar process, which can hurt sales
[…]
“Amazon is in control of the price, not the merchant,” said Boyce, who runs Avenue 7 Media.
Molson Hart, who sells toys online through his company Viahart, typifies the challenge. Hart says more than 98% of his $4 million in 2018 sales came from Amazon even though he also sells his products on EBay, Walmart and his own website. He was trying to sell a toy stuffed tiger for $150 on Amazon. Hart designs, manufactures, imports, stores and ships the item to customers; Amazon would get $40 for listing some photographs on its website, handling the payment and charging Hart to advertise the product on the site.
Hart said he could sell the product for about $40 less on his own website, but won’t since that would jeopardize his sales on Amazon due to its pricing enforcement, he said. “If we sell our products for less on channels outside Amazon and Amazon detects this, our products will not appear as prominently in search,” he wrote in a recent article on Medium. Hart has since lowered the price of the tigers on Amazon and is now selling them at a loss.
Amazon used to require that merchants offer their best prices on Amazon as terms for selling on the site, but the agreement attracted the attention of regulators bent on ensuring competition. Amazon removed the requirement for sellers in Europe in 2013 following investigations and quietly removed the requirement without explanation for U.S. sellers in March shortly after Democratic presidential hopeful Senator Elizabeth Warren announced a goal of breaking up Amazon and other big tech companies.
[…]
Michael Kades, a former FTC attorney who now researches antitrust issues at the Washington Center for Equitable Growth, says the price alerts will almost certainly draw the government’s attention. “If regulators can prove that this conduct is causing merchants to raise prices on other platforms,” he said, “Amazon loses the argument that their policies are all about giving everyone lower prices.”
As I say in my talk, Break it Up! monopolistic behaviour is a lot more than just pricing – just this sort of anti-competitive pressure on third parties is one of the more maffia style sort
Trendy online-only Brit bank Monzo is telling hundreds of thousands of its customers to pick a new PIN – after it discovered it was storing their codes as plain-text in log files.
As a result, 480,000 folks, a fifth of the bank’s customers, now have to go to a cash machine, and reset their PINs.
The bank said the numbers, normally tightly secured with extremely limited access, had accidentally been kept in an encrypted-at-rest log file. The content of those logs were, however, accessible to roughly 100 Monzo engineers who normally would not have the clearance nor any need to see customer PINs.
The PINs were logged for punters who had used the “card number reminder” and “cancel a standing order” features.
To hear Monzo tell it, the misconfigured logs, along with the PINs, were discovered on Friday evening. By Saturday morning, the UK bank updated its mobile app so that no new PINs were sent to the log collector. On Monday, the last of the logged data had been deleted.
It is possible to thoroughly hijack a nearby vulnerable Qualcomm-based Android phone, tablet, or similar gadget, via Wi-Fi, we learned on Monday. This likely affects millions of Android devices.
Specifically, the following two security holes, dubbed Qualpwn and found by Tencent’s Blade Team, can be leveraged one after the other to potentially take over a handheld:
CVE-2019-10540 […] could be exploited by nearby miscreants over the air to silently squirt spyware into your phone to snoop on its wireless communications.
CVE-2019-10538: This vulnerability can be exploited by malicious code running within the Wi-Fi controller to overwrite parts of the Linux kernel running the device’s main Android operating system, paving the way for a full device compromise.
A spreadsheet containing the contact information and personal addresses of over 2,000 games journalists, editors, and other content creators was recently found to have been published and publicly accessible on the website of the E3 Expo.
The Entertainment Software Association, the organization that runs E3, has since removed the link to the file, as well as the file itself, but the information has continued to be disseminated online in various gaming forums. While many of the individuals listed in the documents provided their work addresses and phone numbers when they registered for E3, many others, especially freelance content creators, seem to have used their home addresses and personal cell phones, which have now been publicized. This leak makes it possible for bad actors to misuse this information to harass journalists. Two people who say their private information appeared in the leak have informed Kotaku that they have already received crank phone calls since the list was publicized.
In July, members of the federal Senate Judiciary Committee chose to move forward with a bill targeting copyright abuse with a more streamlined way to collect damages, but critics say that it could still allow big online players to push smaller ones around—and even into bankruptcy.
Known as the Copyright Alternative in Small-Claims Enforcement (or CASE) Act, the bill was reintroduced in the House and Senate this spring by a roster of bipartisan lawmakers, with endorsements from such groups as the Copyright Alliance and the Graphic Artists’ Guild.
Under the bill, the U.S. Copyright Office would establish a new ‘small claims-style’ system for seeking damages, overseen by a three-person Copyright Claims Board. Owners of digital content who see that content used without permission would be able to file a claim for damages up to $15,000 for each work infringed, and $30,000 in total, if they registered their content with the Copyright Office, or half those amounts if they did not.
Groups such as the Electronic Frontier Foundation (EFF), Public Knowledge, and the Authors Alliance have opposed the bill, which such critics argue could also end up burdening individuals and small outfits, while potentially giving big companies and patent trolls a leg up.
[…]
In fact, in its present form, the bill establishes that content which is used without thinking does fall under the purview of the Copyright Claims Board—though reports of potential $15,000 fines for sharingmemes are an obvious exaggeration.
According to the bill, “The Copyright Claims Board may not make any finding that, or consider whether, the infringement was committed willfully in making an award of statutory damages.” The Board would, however, be allowed to consider “whether the infringer has agreed to cease or mitigate the infringing activity” when it comes to awarding statutory damages.
Ernesto Falcon argued in another EFF post last month that the bill would also present censorship risks, given that the current legal system for content “takedown” notices, as defined by the Digital Millennium Copyright Act (DMCA), is already abused.
Under the new, additional framework, Falcon wrote, “[An] Internet platform doesn’t have to honor the counter-notice by putting the posted material back online within 14 days. Already, some of the worst abuses of the DMCA occur with time-sensitive material, as even a false infringement notice can effectively censor that material for up to two weeks during a newsworthy event, for example.”
He continued, “The CASE Act would allow unscrupulous filers to extend that period by months, for a small filing fee.”
A team of Polish astronomers has created the most accurate three-dimensional map of the Milky Way to date, revealing surprising distortions and irregularities along the galactic disk.
Building an accurate map of the Milky Way is not easy.
Our location deep inside the gigantic structure means we can’t observe our galaxy externally, forcing us to envision its form from within. Dense expanses of stars, gas, and dust complicate our view even further. Despite these limitations, we know that the Milky Way is a spiral galaxy measuring around 120,000 light-years across, and that we’re located around 27,000 light-years from the galactic core.
[…]
team of scientists from the Astronomical Observatory at the University of Warsaw has compiled the most accurate 3D map of the Milky Way to date. Astronomer Dorota Skowron led the study, which was published today in Science.
Animation showing the twisted shape of our galaxy.
GIF: J. Skowron/OGLE/Astronomical Observatory, University of Warsaw/Gizmodo
Among several other new findings, the updated 3D map shows the S-shaped structure of our galaxy’s distorted stellar disk. The Milky Way is not flat like a pancake, and is instead “warped and twisted,” in the words of co-author Przemek Mroz, who described his team’s work in a related video. That our galaxy is warped was already known, but the new research further characterizes the surprising extent of these distortions. As the new research shows, this warp starts at ranges greater than 25,000 light-years from the galactic core, and it gets more severe with distance.
[…]
The new research also showed that the thickness of the Milky Way is variable throughout. Our galaxy gets thicker with distance from the core. At our location, for example, the galactic disk is about 500 light-years thick, but at the outer edges it’s as much as 3,000 light-years thick.
Milky Way Cepheids on the Milky Way map.
Image: J. Skowron/Serge Brunier
To create the 3D map, Skowron and her colleagues charted the location of Cepheid variable stars. These young, pulsating supergiants are ideal for this research because their brightness changes in a very regular pattern. Ultimately, the location of Cepheid stars within the Milky Way can be more accurately pinned down than other kinds of stars, which is precisely what was needed for this mapping project.
A sample of over 2,400 Cepheids was used to create the new map, the majority of which were identified with the Optical Gravitational Lensing Experiment (OGLE) survey, which monitors the brightness of nearly 2 billion stars. In total, the researchers observed the galactic disk for six years, taking 206,726 images of the sky.
[…]
If this work sounds familiar, it’s because research published earlier this year in Nature Astronomy employed a similar technique, in which scientists from the Chinese Academy of Sciences reached similar conclusions, using a different group of Cepheids for their map. One of the scientists behind the previous research, Xiaodian Chen from the National Astronomical Observatories at the Chinese Academy of Sciences, took issue with the fact that the authors of the new paper did not cite his team’s work. Nonetheless, he still liked the new science.
Amazon-owned home security company Ring is pursuing contracts with police departments that would grant it direct access to real-time emergency dispatch data, Gizmodo has learned.
The California-based company is seeking police departments’ permission to tap into the computer-aided dispatch (CAD) feeds used to automate and improve decisions made by emergency dispatch personnel and cut down on police response times. Ring has requested access to the data streams so it can curate “crime news” posts for its “neighborhood watch” app, Neighbors.
[…]
An internal police email dated April 2019, obtained by Gizmodo last week via a records request, stated that more than 225 police departments have entered into partnerships with Ring. (The company has declined to confirm that, or provide the actual number.) Doing so grants the departments access to a Neighbors “law enforcement portal” through which police can request access to videos captured by Ring doorbell cameras.
Ring says it does not provide the personal information of its customers to the authorities without consent. To wit, the company has positioned itself as an intermediary through which police request access to citizen-captured surveillance footage. When police make a request, they don’t know who receives it, Ring says, until a user chooses to share their video. Users are also prompted with the option to review their footage before turning it over.
[…]
Through its police partnerships, Ring has requested access to CAD, which includes information provided voluntarily by 911 callers, among other types of data automatically collected. CAD data is typically compromised of details such as names, phone numbers, addresses, medical conditions and potentially other types of personally identifiable information, including, in some instances, GPS coordinates.
In an email Thursday, Ring confirmed it does receive location information, including precise addresses from CAD data, which it does not publish to its app. It denied receiving other forms of personal information.
Ring CAD materials provided to police.
According to some internal documents, police CAD data is received by Ring’s “Neighbors News team” and is then reformatted before being posted on Neighbors in the form of an “alert” to users in the vicinity of the alleged incident.
[…]
Earlier this year, when the Seattle Police Department sought access to CAD software, it triggered a requirement for a privacy impact report under a city ordinance concerning the acquisition of any “surveillance technologies.”
According to the definition adopted by the city, a technology has surveillance capability if it can be used “to collect, capture, transmit, or record data that could be used to surveil, regardless of whether the data is obscured, de-identified, or anonymized before or after collection and regardless of whether technology might be used to obscure or prevent the capturing of certain views or types of information.”
Some CAD systems, such as those marketed by Central Square Technologies (formerly known as TriTech), are used to locate cellular callers by sending text messages that force the return of a phone-location service tracking report. CAD systems also pull in data automatically from phone companies, including ALI information—Automatic Location Identification—which is displayed to dispatch personnel whenever a 911 call is placed. CAD uses these details, along with manually entered information provided by callers, to make fast, initial decisions about which police units and first responders should respond to which calls.
According to Ring’s materials, the direct address, or latitude and longitude, of 911 callers is among the information the Neighbors app requires police to provide, along with the time of the incident, and the category and description of the alleged crime.
Ring said that while it uses CAD data to generate its “News Alerts,” sensitive details, such as the direct address of an incident or the number of police units responding, are never included.
Oddly enough no mention is made of voice recordings. Considering Amazon is building a huge database of voices and people through Alexa, cross referencing the two should be trivial and allow Amazon to surveil the population more closely
An artificial intelligence system should be recognised as the inventor of two ideas in patents filed on its behalf, a team of academics says.
The AI has designed interlocking food containers that are easy for robots to grasp and a warning light that flashes in a rhythm that is hard to ignore.
Patents offices insist innovations are attributed to humans – to avoid legal complications that would arise if corporate inventorship were recognised.
And it could see patent offices refusing to assign any intellectual property rights for AI-generated creations.
As a result, two professors from the University of Surrey have teamed up with the Missouri-based inventor of Dabus AI to file patents in the system’s name with the relevant authorities in the UK, Europe and US.
Unlike some machine-learning systems, Dabus has not been trained to solve particular problems.
Instead, it seeks to devise and develop new ideas – “what is traditionally considered the mental part of the inventive act”, according to creator Stephen Thaler
The first patent describes a food container that uses fractal designs to create pits and bulges in its sides. One benefit is that several containers can be fitted together more tightly to help them be transported safely. Another is that it should be easier for robotic arms to pick them up and grip them.
Image copyrightRyan AbbottImage caption This diagram shows how a container’s shape could be based on fractals
Law professor Ryan Abbott told BBC News: “These days, you commonly have AIs writing books and taking pictures – but if you don’t have a traditional author, you cannot get copyright protection in the US.
“So with patents, a patent office might say, ‘If you don’t have someone who traditionally meets human-inventorship criteria, there is nothing you can get a patent on.’
“In which case, if AI is going to be how we’re inventing things in the future, the whole intellectual property system will fail to work.”
Instead, he suggested, an AI should be recognised as being the inventor and whoever the AI belonged to should be the patent’s owner, unless they sold it on.
However, Prof Abbott acknowledged lawmakers might need to get involved to settle the matter and that it could take until the mid-2020s to resolve the issue.
A spokeswoman for the European Patent Office indicated that it would be a complex matter.
“It is a global consensus that an inventor can only be a person who makes a contribution to the invention’s conception in the form of devising an idea or a plan in the mind,” she explained.
“The current state of technological development suggests that, for the foreseeable future, AI is… a tool used by a human inventor.
“Any change… [would] have implications reaching far beyond patent law, ie to authors’ rights under copyright laws, civil liability and data protection.
“The EPO is, of course, aware of discussions in interested circles and the wider public about whether AI could qualify as inventor.”
The UK’s Patents Act 1977 currently requires an inventor to be a person, but the Intellectual Property Office is aware of the issue.
“The government believes that AI technology could increase the UK’s GDP by 10% in the next decade, and the IPO is focused on responding to the challenges that come with this growth,” said a spokeswoman.
America’s trade watchdog has officially told millions in the US not to apply for the $125 it promised each of them as part of the deal it struck with Equifax – and instead take up an offer of free credit monitoring.
In a memo on Wednesday, FTC assistant director Robert Schoshinski said the regulator has been overwhelmed by people filing claims against Equifax after the biz was cyber-looted by hackers in 2017.
He then warned that, because the settlement with the mega-hacked outfit had been capped, it is very unlikely people will end up receiving that promised $125 each. In fact, the deal may be worth no more than 21 cents. We note that the FTC website folks can file claims through, ftc.gov/equifax, no longer mentions a $125 option, whereas the settlement website it redirects to still offers the cash lump sum.
“There is a downside to this unexpected number of claims,” noted Schoshinski.
“The pot of money that pays for that part of the settlement is $31 million. A large number of claims for cash instead of credit monitoring means only one thing: each person who takes the money option will wind up only getting a small amount of money. Nowhere near the $125 they could have gotten if there hadn’t been such an enormous number of claims filed.”
Since unfurling the spacecraft’s silver solar sail last week, mission managers have been optimizing the way the spacecraft orients itself during solar sailing. After a few tweaks, LightSail 2 began raising its orbit around the Earth. In the past 4 days, the spacecraft has raised its orbital high point, or apogee, by about 2 kilometers. The mission team has confirmed the apogee increase can only be attributed to solar sailing, meaning LightSail 2 has successfully completed its primary goal of demonstrating flight by light for CubeSats.
“We’re thrilled to announce mission success for LightSail 2,” said LightSail program manager and Planetary Society chief scientist Bruce Betts. “Our criteria was to demonstrate controlled solar sailing in a CubeSat by changing the spacecraft’s orbit using only the light pressure of the Sun, something that’s never been done before. I’m enormously proud of this team. It’s been a long road and we did it.”
LightSail is a citizen-funded project from The Planetary Society to send a small spacecraft, propelled solely by sunlight, to Earth orbit.
The milestone makes LightSail 2 the first spacecraft to use solar sailing for propulsion in Earth orbit, the first small spacecraft to demonstrate solar sailing, and just the second-ever solar sail spacecraft to successfully fly, following Japan’s IKAROS, which launched in 2010. LightSail 2 is also the first crowdfunded spacecraft to successfully demonstrate a new form of propulsion.
The Humanitarian Data Exchange (HDX) is an open platform for sharing data across crises and organisations. Launched in July 2014, the goal of HDX is to make humanitarian data easy to find and use for analysis. Our growing collection of datasets has been accessed by users in over 200 countries and territories. Watch this video to learn more.
HDX is managed by OCHA’s Centre for Humanitarian Data, which is located in The Hague. OCHA is part of the United Nations Secretariat and is responsible for bringing together humanitarian actors to ensure a coherent response to emergencies. The HDX team includes OCHA staff and a number of consultants who are based in North America, Europe and Africa.
[…]
We define humanitarian data as:
data about the context in which a humanitarian crisis is occurring (e.g., baseline/development data, damage assessments, geospatial data)
data about the people affected by the crisis and their needs
data about the response by organisations and people seeking to help those who need assistance.
HDX uses an open-source software called CKAN for our technical back-end. You can find all of our code on GitHub.
When it comes to knowing where humans around the world actually live, resources come in varying degrees of accuracy and sophistication.
Heavily urbanized and mature economies generally produce a wealth of up-to-date information on population density and granular demographic data. In rural Africa or fast-growing regions in the developing world, tracking methods cannot always keep up, or in some cases may be non-existent.
This is where new maps, produced by researchers at Facebook, come in. Building upon CIESIN’s Gridded Population of the World project, Facebook is using machine learning models on high-resolution satellite imagery to paint a definitive picture of human settlement around the world. Let’s zoom in.
Connecting the Dots
Will all other details stripped away, human settlement can form some interesting patterns. One of the most compelling examples is Egypt, where 95% of the population lives along the Nile River. Below, we can clearly see where people live, and where they don’t.
While it is possible to use a tool like Google Earth to view nearly any location on the globe, the problem is analyzing the imagery at scale. This is where machine learning comes into play.
Finding the People in the Petabytes
High-resolution imagery of the entire globe takes up about 1.5 petabytes of storage, making the task of classifying the data extremely daunting. It’s only very recently that technology was up to the task of correctly identifying buildings within all those images.
To get the results we see today, researchers used process of elimination to discard locations that couldn’t contain a building, then ranked them based on the likelihood they could contain a building.
Facebook identified structures at scale using a process called weakly supervised learning. After training the model using large batches of photos, then checking over the results, Facebook was able to reach a 99.6% labeling accuracy for positive examples.
Why it Matters
An accurate picture of where people live can be a matter of life and death.
For humanitarian agencies working in Africa, effectively distributing aid or vaccinating populations is still a challenge due to the lack of reliable maps and population density information. Researchers hope that these detailed maps will be used to save lives and improve living conditions in developing regions.
For example, Malawi is one of the world’s least urbanized countries, so finding its 19 million citizens is no easy task for people doing humanitarian work there. These maps clearly show where people live and allow organizations to create accurate population density estimates for specific areas.
Visit the project page for a full explanation and to access the full database of country maps.
Authorities in the United Kingdom have made unauthorized copies of data stored inside a EU database for tracking undocumented migrants, missing people, stolen cars, or suspected criminals.
Named the Schengen Information System (SIS), this is a EU-run database that stores information such as names, personal details, photographs, fingerprints, and arrest warrants for 500,000 non-EU citizens denied entry into Europe, over 100,000 missing people, and over 36,000 criminal suspects.
The database was created for the sole purpose of helping EU countries manage access to the passport-free Schengen travel zone.
The UK was granted access to this database in 2015, even if it’s not an official member of the Schengen zone.
According to the report, UK officials made copies of this database and stored it at airports and ports in unsafe conditions. Furthermore, by making copies, the UK was always working with outdated versions of the database.
This meant UK officials wouldn’t know in time if a person was removed from SIS, resulting in unnecessary detainments, or if a person was added to the database, allowing criminals to move through the UK and into the Schengen travel zone.
Furthermore, they also mismanaged and misused this data by providing unsanctioned access to this highly-sensitive and secret information to third-party contractors, including US companies (IBM, ATOS, CGI, and others).
The report expressed concerns that by doing so, the UK indirecly allowed contractors to copy this data as well, or allow US officials to request the database from a contractor under the US Patriot Act.
Organisations that deploy Facebook’s ubiquitous “Like” button on their websites risk falling foul of the General Data Protection Regulation following a landmark ruling by the European Court of Justice.
The EU’s highest court has decided that website owners can be held liable for data collection when using the so-called “social sharing” widgets.
The ruling (PDF) states that employing such widgets would make the organisation a joint data controller, along with Facebook – and judging by its recent record, you don’t want to be anywhere near Zuckerberg’s antisocial network when privacy regulators come a-calling.
‘Purposes of data processing’
According to the court, website owners “must provide, at the time of their collection, certain information to those visitors such as, for example, its identity and the purposes of the [data] processing”.
By extension, the ECJ’s decision also applies to services like Twitter and LinkedIn.
Facebook’s “Like” is far from an innocent expression of affection for a brand or a message: its primary purpose is to track individuals across websites, and permit data collection even when they are not explicitly using any of Facebook’s products.
[…]
On Monday, the ECJ ruled that Fashion ID could be considered a joint data controller “in respect of the collection and transmission to Facebook of the personal data of visitors to its website”.
The court added that it was not, in principle, “a controller in respect of the subsequent processing of those data carried out by Facebook alone”.
‘Consent’
“Thus, with regard to the case in which the data subject has given his or her consent, the Court holds that the operator of a website such as Fashion ID must obtain that prior consent (solely) in respect of operations for which it is the (joint) controller, namely the collection and transmission of the data,” the ECJ said.
The concept of “data controller” – the organisation responsible for deciding how the information collected online will be used – is a central tenet of both DPR and GDPR. The controller has more responsibilities than the data processor, who cannot change the purpose or use of the particular dataset. It is the controller, not the processor, who would be held accountable for any GDPR sins.
How is this possible? In the simplest of terms, the scientists measured the electrooculographic signals generated when eyes make specific movements (up, down, left, right, blink, double blink) and created a soft biomimetic lens that responds directly to those electric impulses. The lens created was able to change its focal length depending on the signals generated.
Therefore the lens could literally zoom in the blink of an eye.
Incredibly, the lens works regardless of whether the user can see or not. It’s not about the sight, it’s about the electricity produced by specific movements.
Modern aircraft systems are becoming increasingly reliant on networked communications systems to display information to the pilot as well as control various systems aboard aircraft. Small aircraft typically maintain the direct mechanical linkage between the flight controls and the flight surface. However, electronic controls for flaps, trim, engine controls, and autopilot systems are becoming more common. This is similar to how most modern automobiles no longer have a physical connection between the throttle and the actuator that causes the engine to accelerate.
Before digital systems became common within aircraft instrumentation, the gauges and flight instruments would rely on mechanical and simple electrical controls that were directly connected to the source of the data they were displaying to the pilot. For example, the altitude and airspeed indicators would be connected to devices that measure the speed of airflow through a tube as well as the pressure outside the aircraft. In addition, the attitude and directional indicators would be powered by a vacuum source that drove a mechanical gyroscope. The flight surfaces would be directly connected to the pilot’s control stick or yoke—on larger aircraft, this connection would be via a hydraulic interface. Some flight surfaces, such as flaps and trim tabs, would have simple electrical connections that would directly turn motors on and off.
Modern aircraft use a network of electronics to translate signals from the various sensors and place this data onto a network to be interpreted by the appropriate instruments and displayed to the pilot. Together, the physical network, called a “vehicle bus,” and a common communications method called Controller Area Network (CAN) create the “CAN bus,” which serves as the central nervous system of a vehicle using this method. In avionics, these systems provide the foundation of control systems and sensor systems and collect data such as altitude, airspeed, and engine parameters such as fuel level and oil pressure, then display them to the pilot.
After performing a thorough investigation on two commercially available avionics systems, Rapid7 demonstrated that it was possible for a malicious individual to send false data to these systems, given some level of physical access to a small aircraft’s wiring. Such an attacker could attach a device—or co-opt an existing attached device—to an avionics CAN bus in order to inject false measurements and communicate them to the pilot. These false measurements may include the following:
Incorrect engine telemetry readings
Incorrect compass and attitude data
Incorrect altitude, airspeed, and angle of attack (AoA) data
In some cases, unauthenticated commands could also be injected into the CAN bus to enable or disable autopilot or inject false measurements to manipulate the autopilot’s responses. A pilot relying on these instrument readings would not be able to tell the difference between false data and legitimate readings, so this could result in an emergency landing or a catastrophic loss of control of an affected aircraft.
While the impact of such an attack could be dire, we want to emphasize that this attack requires physical access, something that is highly regulated and controlled in the aviation sector. While we believe that relying wholly on physical access controls is unwise, such controls do make it much more difficult for an attacker to access the CAN bus and take control of the avionics systems.
A hacker raided Capital One’s cloud storage buckets and stole personal information on 106 million credit card applicants in America and Canada.
The swiped data includes 140,000 US social security numbers and 80,000 bank account numbers, we’re told, as well as one million Canadian social insurance numbers, plus names, addresses, phone numbers, dates of birth, and reported incomes.
The pilfered data was submitted to Capital One by credit card hopefuls between 2005 and early 2019. The info was siphoned between March this year and July 17, and Capital One learned of the intrusion on July 19.
Seattle software engineer Paige A. Thompson, aka “erratic,” aka 0xA3A97B6C on Twitter, was suspected of nicking the data, and was collared by the FBI at her home on Monday this week. The 33-year-old has already appeared in court, charged with violating the US Computer Fraud and Abuse Act. She will remain in custody until her next hearing on August 1.
According to the Feds in their court paperwork [PDF], Thompson broke into Capital One’s cloud-hosted storage, believed to be Amazon Web Services’ S3 buckets, and downloaded their contents.
The financial giant said the intruder exploited a “configuration vulnerability,” while the Feds said a “firewall misconfiguration permitted commands to reach and be executed” by Capital One’s cloud-based storage servers. US prosecutors said the thief slipped past a “misconfigured web application firewall.”
