Scientists 3D-print human skin and bone for Mars astronauts

Scientists from the University Hospital of Dresden Technical University in Germany bio-printed skin and bone samples upside down to help determine if the method could be used in a low-gravity environment. It worked. ESA released videos of the printing in action.

The skin sample was printed using human blood plasma as a “bio ink.” The researchers added plant and algae-based materials to increase the viscosity so it wouldn’t just fly everywhere in low gravity.

“Producing the bone sample involved printing human stem cells with a similar bio-ink composition, with the addition of a calcium phosphate bone cement as a structure-supporting material, which is subsequently absorbed during the growth phase,” said Nieves Cubo, a bioprinting specialist at the university.

These samples are just the first steps for the ESA’s ambitious 3D bio-printing project, which is investigating what it would take to equip astronauts with medical and surgical facilities to help them survive and treat injuries on long spaceflights and on Mars.

“Carrying enough medical supplies for all possible eventualities would be impossible in the limited space and mass of a spacecraft,” said Tommaso Ghidini, head of ESA’s Structures, Mechanisms and Materials Division. “Instead, a 3D bioprinting capability will let them respond to medical emergencies as they arise.”

Source: Scientists 3D-print human skin and bone for Mars astronauts – CNET

Study finds that parental ‘memory’ is inherited across generations

“While neuronally encoded behavior isn’t thought to be inherited across generations, we wanted to test the possibility that environmentally triggered modifications could allow ‘memory’ of parental experiences to be inherited,” explains Julianna “Lita” Bozler, a Ph.D. candidate in the Bosco Lab at the Geisel School of Medicine, who served as lead author on the study.

When exposed to wasps—which deposit their eggs into and kill the larvae of fruit flies—Drosophila melanogaster females are known to shift their preference to food containing ethanol as an egg-laying substrate, which protects their larvae from wasp infection.

For the study, the fruit flies were cohabitated with female wasps for four days before their eggs were collected. The embryos were separated into two cohorts—a wasp-exposed and unexposed (control) group—and developed to maturity without any contact with adult flies or wasps. One group was used to propagate the next generation and the other was analyzed for ethanol preference.

“We found that the original wasp-exposed flies laid about 94 percent of their eggs on ethanol food, and that this behavior persisted in their offspring, even though they’d never had direct interaction with wasps,” says Bozler.

The ethanol preference was less potent in the first-generation offspring, with 73 percent of their eggs laid on ethanol food. “But remarkably, this inherited ethanol preference persisted for five generations, gradually reverting back to a pre-wasp exposed level,” she says. “This tells us that inheritance of ethanol preference is not a permanent germline change, but rather a reversible trait.”

Importantly, the research team determined that one of the critical factors driving ethanol preference behavior is the depression of Neuropeptide-F (NPF) that is imprinted in a specific region of the female fly’s brain. While this change, based in part on visual signals, was required to initiate transgenerational inheritance, both male and female progeny were able to pass on preference to their offspring.

Source: Study finds that parental ‘memory’ is inherited across generations

Microsoft Action Pack software no longer for all sellers of MS products, reseller rebellion

More than 2,500 resellers and integrators have signed a petition opposing Microsoft’s intention to remove free software licences granted to members of the channel to run their business. The changes are described here:

“Effective July 1, 2020, we will retire the internal use rights (IUR) association with the product licenses partners receive in the Microsoft Action Pack and included with a competency. Product license use rights will be updated to be used for business development scenarios such as demonstration purposes, solution/services development purposes, and internal training. Beginning October 1, 2019, the product licenses included with competencies will be specific to the competency you attain. Please review the benefits you will receive with your competency in Partner Center at time of purchase. Additional licenses can be purchased through commercial licensing to run your business.”

There are a huge number of partner resellers, most of them small businesses, who recommend, resell and support customers running Microsoft wares or services. In 2017, Microsoft said that “our partners employ more than 17 million people around the world”.

The barriers to entry are low and companies who sign up can qualify for a range of competencies, starting with an “Action Pack” subscription that comes with a wide range of benefits, such as five Office 365 seats, five Dynamics 365 licences, 2-core SQL Server, ten Windows 10 Enterprise packages, $100 per month Azure credit and so on. The Action Pack costs around £350 per year but represents excellent value if you would otherwise have to purchase the licences. The same is true of the higher levels, Silver and Gold competencies, which command a higher fee but provide a wider range of benefits.

Resellers are not allowed to resell these specific licences, but critically, they do allow use for “internal business purposes”. Smaller Microsoft channel firms have been able to operate their businesses, in large part, using these subsidised licences.

That offer is now ending. “We will retire product licenses for internal use purposes on July 1 2020,” stated the Microsoft Partner Network (MPN) guide.

There are more changes too, and none of them good for partners. Free support incidents are being withdrawn. “Starting August 2019, on-premise Product Support incidents will no longer be available for Action Pack and competencies,” warned Microsoft.

In addition, the matching of cloud benefits to specific competencies means reduced benefits. Dynamics 365 seats, for example, will now only be available to partners with the Cloud Business Applications Competency, instead of being doled out to all.

Source: Microsoft middlemen rebel against removal of free software licences • The Register

Over 90 Million Records Leaked by Chinese Public Security Department

A publicly accessible and unsecured ElasticSearch server owned by the Jiangsu Provincial Public Security Department of the Chinese province Jiangsu leaked two databases containing over 90 million records on people and businesses.

Jiangsu (江苏省) is an eastern-central coastal Chinese province with a population of over 80 million and an urban population of more than 55 million accounting for 68.76% of its total population according to a 2018 population census from the National Bureau of Statistics, which makes it the fifth most populous province in China.

Provincial public security departments are “functional organization under the dual leadership of Provincial Government and the Ministry of Public Security in charge of the whole province’s public security work.”

The two now-secured databases contained more than 26 GB of data in the form of personally identifiable information (PII): names, birth dates, genders, identity card numbers and location coordinates, as well as city_relations, city_open_id and province_open_id fields for individuals.

In the case of businesses, the records included business IDs, business types, location coordinates, city_open_id, and memos designed to track if the owner of the business is known.

Besides the two exposed ElasticSearch databases, the Jiangsu Provincial Public Security Department also had a Public Security Network admin console that required a valid user/password combo for access, as well as a publicly-accessible Kibana installation running on the server which would help browse and analyze the stored data using a GUI-based interface.

However, unlike other cases of exposed Kibana installations, this one was not fully configured seeing that, once loaded in a web browser, it would go straight to the “Create index pattern page.”

Source: Over 90 Million Records Leaked by Chinese Public Security Department

Magento webshop Automated Magecart Campaign Hits Over 960 Breached Stores

A large-scale payment card skimming campaign that successfully breached 962 e-commerce stores was discovered today by Magento security research company Sanguine Security.

The campaign seems to be automated according to Sanguine Security researcher Willem de Groot who told BleepingComputer that the card skimming script was added within a 24-hour timeframe. “It would be nearly impossible to breach 960+ stores manually in such a short time,” he added.

Even though no information on how such automated Magecart attacks against e-commerce websites would work was shared by Sanguine Security, the procedure would most likely entail scanning for and exploiting security flaws in the stores’ software platform.

“Have not gotten confirmation yet, but it seems that several victims were missing patches against PHP object injection exploits,” also said de Groot.

While details on how the online stores were breached are still scarce given that the logs are still being analyzed, the JavaScript-based payment data skimmer script was decoded and uploaded by the security company to GitHub Gist.

As shown from its source code, the skimmer was used by the attackers to collect e-commerce customers’ payment info on breached stores, including full credit card data, names, phones, and addresses.

Source: Automated Magecart Campaign Hits Over 960 Breached Stores

Canon Stabs Tradition in the Back With Camera That Supports Vertical Video

Canon’s G7 X line has long been a favorite of photographers who wanted a travel-friendly camera that could still capture high-quality images. But with the rise of smartphones and the decline of point-and-shoots, Canon began pushing its compact cameras towards vloggers, who I’ve seen use cameras like the G7 X and Sony’s RX100 line as a backup or more portable alternative to a big mirrorless or DSLR cam. After all, when you’re attaching a camera to a gimbal or the end of a GorillaPod, every extra bit of lightness makes a camera easier to handle.

So for the new G7 X III, it seems the influencers have influenced Canon, because one of the camera’s new standout features is the ability to record vertical videos natively, without rotating the footage in post. Using a new built-in gyro, the G7 X III can determine the camera’s orientation and then embed that info into a clip’s metadata, which means filming vertical videos for your Instagram stories on the G7 X III is as simple as turning the camera sideways.

And if that’s not enough to excite attendees of VidCon 2019—the vlogger convention where the $750 G7 X is making its official debut—Canon also gave the camera the ability to livestream video directly to YouTube over wifi via the company’s Image Gateway software. The G7 X III also comes with a built-in microphone jack for vloggers who aren’t satisfied with the camera’s on-board audio, and a 3-inch touchscreen that can flip up 180 degrees so that vloggers can check their composition while they’re filming themselves.

Source: Canon Stabs Tradition in the Back With Camera That Supports Vertical Video

Indoor carbon dioxide levels could be a health hazard, scientists warn

Indoor levels of carbon dioxide could be clouding our thinking and may even pose a wider danger to human health, researchers say.

While air pollutants such as tiny particles and nitrogen oxides have been the subject of much research, there have been far fewer studies looking into the health impact of CO2.

However, the authors of the latest study – which reviews current evidence on the issue – say there is a growing body of research suggesting levels of CO2 that can be found in bedrooms, classrooms and offices might have harmful effects on the body, including affecting cognitive performance.

“There is enough evidence to be concerned, not enough to be alarmed. But there is no time to waste,” said Dr Michael Hernke, a co-author of the study from the University of Wisconsin-Madison, stressing further research was needed.

Writing in the journal Nature Sustainability, Hernke and colleagues report that they considered 18 studies of the levels of CO2 humans are exposed to, as well as its health impacts on both humans and animals.

Traditionally, the team say, it had been thought that CO2 levels would need to reach a very high concentration of at least 5,000 parts per million (ppm) before they would affect human health. But a growing body of research suggests CO2 levels as low as 1,000ppm could cause health problems, even if exposure only lasts for a few hours.

The team say crowded or poorly ventilated classrooms, office environments and bedrooms have all been found to have levels of CO2 that exceed 1,000ppm, and are spaces that people often remain in for many hours at a time. Air-conditioned trains and planes have also been found to exceed 1,000ppm.

[…]

The team found a number of studies have looked at the impact of such levels on human cognitive performance and productivity. In one study of 24 employees, cognitive scores were 50% lower when the participants were exposed to 1,400ppm of CO2 compared with 550ppm during a working day.

The team additionally looked at the impact of CO2 levels on animals, finding that a few hours’ exposure to 2,000 ppm was linked to inflammatory responses that could lead to damage to blood vessels. There is also tentative evidence suggesting that prolonged exposure to levels between 2,000 and 3,000ppm is linked to effects including stress, kidney calcification and bone demineralisation.

Source: Indoor carbon dioxide levels could be a health hazard, scientists warn | Environment | The Guardian

Another reason to limit creation of it

Serious Security Flaw With Teleconferencing App Zoom Allows Websites to Hijack Mac Webcams – and you can’t fix it by uninstalling

On Monday, security researcher Jonathan Leitschuh publicly disclosed a serious zero-day vulnerability in conferencing software Zoom—which apparently achieves its click-to-join feature, which allows users to go directly to a video meeting from a browser link, on Mac computers by installing a local web server running as a background process that “accepts requests regular browsers wouldn’t,” per the Verge. As a result, Zoom could be hijacked by any website to force a Mac user to join a call without their permission, and with webcams activated unless a specific setting was enabled.

Worse, Leitschuh wrote that the local web server persists even if Zoom is uninstalled and is capable of reinstalling the app on its own, and that when he contacted the company they did little to resolve the issues.

In a Medium post on Monday, Leitschuh provided a demo in the form of a link that, when clicked, took Mac users who have ever installed the app to a conference room with their video cameras activated (it’s here, if you must try yourself). Leitschuh noted that the code to do this can be embedded in any website as well as “in malicious ads, or it could be used as a part of a phishing campaign.” Additionally, Leitschuh wrote that even if users uninstall Zoom, the insecure local web server persists and “will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage.”

This implementation leaves open other nefarious ways to abuse the local web server, per the Verge:

Turning on your camera is bad enough, but the existence of the web server on their computers could open up more significant problems for Mac users. For example, in an older version of Zoom (since patched), it was possible to enact a denial of service attack on Macs by constantly pinging the web server: “By simply sending repeated GET requests for a bad number, Zoom app would constantly request ‘focus’ from the OS,” Leitschuh writes.

According to Leitschuh, he contacted Zoom on March 26, saying he would disclose the exploit in 90 days. Zoom did issue a “quick fix” patch that only disabled “a meeting creator’s ability to automatically enable a participants video by default,” he added, though this was far from a complete solution (and did nothing to negate the “ability for an attacker to forcibly join to a call anyone visiting a malicious site”) and only came in mid-June.

On July 7, he wrote, a “regression in the fix” caused it to no longer work, and though Zoom issued another patch on Sunday, he was able to create a workaround.

Source: Serious Security Flaw With Teleconferencing App Could Allow Websites to Hijack Mac Webcams

More than 1,000 Android apps harvest data even after you deny permissions

Permissions on Android apps are intended to be gatekeepers for how much data your device gives up. If you don’t want a flashlight app to be able to read through your call logs, you should be able to deny that access. But even when you say no, many apps find a way around: Researchers discovered more than 1,000 apps that skirted restrictions, allowing them to gather precise geolocation data and phone identifiers behind your back.

[…]

Researchers from the International Computer Science Institute found up to 1,325 Android apps that were gathering data from devices even after people explicitly denied them permission. Serge Egelman, director of usable security and privacy research at the ICSI, presented the study in late June at the Federal Trade Commission’s PrivacyCon.

“Fundamentally, consumers have very few tools and cues that they can use to reasonably control their privacy and make decisions about it,” Egelman said at the conference. “If app developers can just circumvent the system, then asking consumers for permission is relatively meaningless.”

[…]

Egelman said the researchers notified Google about these issues last September, as well as the FTC. Google said it would be addressing the issues in Android Q, which is expected to release this year.

The update will address the issue by hiding location information in photos from apps and requiring any apps that access Wi-Fi to also have permission for location data, according to Google.

[…]

Researchers found that Shutterfly, a photo-editing app, had been gathering GPS coordinates from photos and sending that data to its own servers, even when users declined to give the app permission to access location data.

[…]

Some apps were relying on other apps that were granted permission to look at personal data, piggybacking off their access to gather phone identifiers like your IMEI number. These apps would read through unprotected files on a device’s SD card and harvest data they didn’t have permission to access. So if you let other apps access personal data, and they stored it in a folder on the SD card, these spying apps would be able to take that information.

While there were only about 13 apps doing this, they were installed more than 17 million times, according to the researchers. This includes apps like Baidu’s Hong Kong Disneyland park app, researchers said.

Source: More than 1,000 Android apps harvest data even after you deny permissions – CNET

UK data regulator threatens British Airways with 747-sized fine for massive personal data blurt

The UK Information Commissioner’s Office has warned BA it faces a whopping £183.39m following the theft of million customer records from its website and mobile app servers.

The record-breaking fine – more or less the lower end of the price of one of the 747-400s in BA’s fleet – under European General Data Protection Regulation (GDPR), represents 1.5 per cent of BA’s world-wide revenue in 2017.

Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The breach hit almost 500,000 people. The ICO statement reveals the breach is believed to have started in June 2018; previous statements from BA said it began in late August. The data watchdog described the attack as diverting user traffic from BA’s site to a fraudulent site.

ICO investigators found a variety of information was compromised including log-in details, card numbers, names, addresses and travel information.

Sophisticated card skimming group Magecart, which also hit Ticketmaster, was blamed for the data slurp. The group is believed to have exploited third party scripts, possibly modified JavaScript, running on BA’s site to gain access to the airline’s payment system.

Such scripts are often used to support marketing and data tracking functions or running external ads.

The Reg revealed that BA parent company IAG was in talks with staff to outsource cyber security to IBM just before the hack was carried out.

Source: UK data regulator threatens British Airways with 747-sized fine for massive personal data blurt • The Register

AMD Ryzen 7 3700X + Ryzen 9 3900X Offer Incredible Linux Performance – if you can get it to boot. Which newer distros seemingly can’t

On newer Linux distributions, there’s a hard regression, either within the kernel or, more likely, in some cross-kernel/user-space interaction, that leaves newer Linux distributions unbootable.

While Ubuntu 18.04 LTS and older Linux distributions boot Zen 2, to date I have not been able to successfully boot the likes of Ubuntu 19.04, Manjaro Linux, and Fedora Workstation 31. On all newer Linux distributions I’ve tried, on two different systems built around the Ryzen 7 3700X and Ryzen 9 3900X, the boot fails early on each time: as soon as systemd begins starting services, all systemd services fail to start.

I’ve confirmed with AMD they do have an open issue surrounding “5.0.9” (the stock kernel of Ubuntu 19.04) but as of writing hadn’t shed any light on the issue. AMD has said their testing has been mostly focused on Ubuntu 18.04 given its LTS status. I’ve also confirmed the same behavior with some other Windows reviewers who occasionally dabble with Linux.

So unfortunately not being able to boot newer Linux distributions is a huge pain. I’ve spent days trying different BIOS versions/options, different kernel command line parameters, and other options to no avail. On some Linux distributions, after roughly 20~30 minutes of waiting once all systemd services have failed to start, there will sometimes be a kernel panic, but that hadn’t occurred on all systems, at least not within that time-frame.

Source: AMD Ryzen 7 3700X + Ryzen 9 3900X Offer Incredible Linux Performance But With A Big Caveat Review – Phoronix

Dynamic Wood Sculptures Carved to Look Like Pixelated Glitches

Taiwanese artist Hsu Tung Han uses pixelated digital glitches as inspiration for his latest series of stunning wooden sculptures.

By carving delicate block-shaped details that separate from various parts of the sculpture, Han successfully creates the bizarre yet magnificently original illusion of pixelation in 3D form.

He applies this technique masterfully on his most recent finished product, which depicts a snorkeler underwater.

Here, the wooden ‘pixels’ seem to represent the water that surrounds and submerges the snorkeling man.

Han has been posting photos of his carved sculptures on Flickr since 2006, and has developed a unique niche for blending traditional styles of woodwork with modern artistic elements.

Source: Dynamic Wood Sculptures Carved to Look Like Pixelated Glitches – Stay Wild Moon Child


Ancient life awakens amid thawing ice caps and permafrost

Researchers in a warming Arctic are discovering organisms, frozen and presumed dead for millennia, that can bear life anew. These ice age zombies range from simple bacteria to multicellular animals, and their endurance is prompting scientists to revise their understanding of what it means to survive.

“You wouldn’t assume that anything buried for hundreds of years would be viable,” said La Farge, who researches mosses at the University of Alberta. In 2009, her team was scouring Teardrop’s margin to collect blackened plant matter spit out by the shrinking glacier. Their goal was to document the vegetation that long ago formed the base of the island’s ecosystem.

The material had always been considered dead. But by seeing green tissue, “I thought, ‘Well, that’s pretty unusual,’” La Farge said about the centuries-old moss tufts she found.

She brought dozens of these curious samples back to Edmonton, lavishing them with nutrient-rich soils in a bright, warm laboratory. Almost a third of the samples burst forth with new shoots and leaves. “We were pretty blown away,” La Farge said. The moss showed few ill effects of its multi-centennial deep-freeze.

[…]

Tatiana Vishnivetskaya has studied ancient microbes long enough to make the extreme feel routine. A microbiologist at the University of Tennessee, Vishnivetskaya drills deep into the Siberian permafrost to map the web of single-celled organisms that flourished ice ages ago. She has coaxed million-year-old bacteria back to life on a petri dish. They look “very similar to bacteria you can find in cold environments (today),” she said.

But last year, Vishnivetskaya’s team announced an “accidental finding” – one with a brain and nervous system – that shattered scientists’ understanding of extreme endurance.

As usual, the researchers were seeking single-celled organisms, the only life-forms thought to be viable after millennia locked in the permafrost. They placed the frozen material on petri dishes in their room-temperature lab and noticed something strange. Hulking among the puny bacteria and amoebae were long, segmented worms complete with a head at one end and anus at the other – nematodes.

“Of course we were surprised and very excited,” Vishnivetskaya said. Clocking in at a half-millimeter long, the nematodes that wriggled back to life were the most complex creatures Vishnivetskaya – or anyone else – had ever revived after a lengthy deep freeze.

She estimated one nematode to be 41,000 years old – by far the oldest living animal ever discovered.

Source: Ancient life awakens amid thawing ice caps and permafrost – SFGate

The next generation of GaN wall chargers is getting smaller and better

The tech world is probably sitting on the edge of a charger revolution, and most of us just haven’t realized it yet. No, I’m not talking about USB-C (sadly); I’m talking about GaN (gallium nitride), a material that’s started to replace silicon in chargers. I’ve had the chance to try out two of the first GaN chargers — RavPower’s 45W slimline design model and Anker’s PowerPort Atom PD 1 — and it’s not just marketing hype: the new chargers really do make a huge leap forward for shrinking down power bricks in a way that’s really exciting to see.

In both cases, simply holding the charger in your hand is enough to make you skeptical. The 30W Anker just flat out seems too small to drive anything bigger than a phone, and the 45W RavPower option, while a bit larger, also pales in comparison to a similarly specced silicon-based charger.

From left to right: Apple’s 5W iPhone charger (for scale), Anker’s 30W PowerPort Atom PD 1, and RavPower’s 45W GaN charger

But both work as promised, outputting the charge they say on their respective labels without getting unnecessarily hot or exploding, which is basically all you can really ask of a charger. It’s not magic: as my colleague Angela Chen explains, GaN is much more efficient, meaning that chargers that use it can be much smaller and waste less energy than ones based on silicon. The biggest obstacle is simply that companies are used to working with silicon, whereas GaN is relatively new; in an ideal world, we’ll probably start to see more products taking advantage of the tech in the near future.

It’s not perfect yet: Anker’s 30W Atom PD 1 struggles to power something as large as a 13-inch MacBook Pro — you can charge it while the computer is sleeping, but while actively running, it’ll still struggle to really keep pace with the power drain (although it’ll work in a pinch). And for anything smaller, like a phone, iPad, Nintendo Switch, headphones, or anything else with USB-C, it’s practically a no-brainer for the $29.99 price.

RavPower’s 45W plug is even more impressive — it can actually drive basically any USB-C device, barring the most power-hungry laptops (like Apple’s 15-inch MacBook Pro). And while I’d wish for that kind of wattage in something a little smaller, we’re still in the extremely early days for GaN chargers, and odds are that we’ll start to see more varied designs soon.

Source: The next generation of wall chargers is getting smaller and better – The Verge

King’s College London breached GDPR by sharing list of activist students with cops – wait, it has a list of activist students?!

King’s College London breached the General Data Protection Regulations when it shared a list of student activists with the police and barred the activists from campus during a visit by the Queen, an independent report (PDF) has found.

Some 13 students and one member of staff were unable to access any of the campus sites as their cards had been deactivated to prevent access to the Bush House site, which was opened by the Queen on March 19.

In a foreword to the report, Professor Evelyn Welch, acting principal at KCL, said the university accepts the findings and recommendations in full and is putting in place a plan to address all the issues raised.

One of the findings of the report is that we have breached our own policies regarding protection of personal information and the GDPR regulations. Following the event, we informed the Information Commissioner’s Office that we were undertaking this review. We have now shared the report with them and await their response.

The report also contains recommendations about our security arrangements which we will follow as we bring our operations in house and a new Head of Security joins us.

Welch said that while some have interpreted the actions taken on the day as racial profiling, “this was not the case and I want to reiterate that discrimination on any grounds is unacceptable and is damaging to our community.”

The report’s author, Laura Gibbs, concluded that the security team had “overstepped the boundaries” when it compiled the list of activists and shared it with the Met Police.

She said “the barring of individuals against whom there was neither evidence of criminal activity nor any internal disciplinary findings, from ‘their campus’ was disproportionate” and “against King’s stated values.”

One student was blocked from entering a KCL building for an exam in south London, and was only able to enter when the on-site security staff reinstated the card.

Source: King’s College London breached GDPR by sharing list of activist students with cops • The Register

Internet group brands Mozilla ‘internet villain’ for supporting DNS privacy feature which may also allow users access to porn in the UK, make it hard for the great filter there to see where everyone is surfing

An industry group of internet service providers has branded Firefox browser maker Mozilla an “internet villain” for supporting a DNS security standard.

The U.K.’s Internet Services Providers’ Association (ISPA), the trade group for U.K. internet service providers, nominated the browser maker for its proposed effort to roll out the security feature, which they say will allow users to “bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK.”

Mozilla said late last year it was planning to test DNS-over-HTTPS with a small number of users.

Whenever you visit a website, even one served over HTTPS, the DNS query that converts the hostname into an IP address is usually sent in the clear, so the network operator and anyone else on the path can read it. DNS-over-HTTPS (RFC 8484) carries that query inside an HTTPS connection to a resolver the application chooses; because it is implemented at the application level rather than in the operating system, Firefox was the first major browser to ship it. Encrypting and authenticating the connection to the resolver also protects the query against on-path (man-in-the-middle) tampering, in which an attacker injects a forged answer to send the victim to a malicious page. The resolver itself still sees every query, so the privacy gain depends on trusting the resolver operator.

DNS-over-HTTPS also improves performance, making DNS queries — and the overall browsing experience — faster.

But the ISPA doesn’t think DNS-over-HTTPS is compatible with the U.K.’s current website blocking regime.

Under U.K. law, websites can be blocked for facilitating the infringement of copyrighted or trademarked material, or if they are deemed to contain terrorist material or child abuse imagery. Where such blocking is implemented at the ISP’s own DNS resolver, a browser that sends its queries, encrypted, to a different resolver never asks the ISP at all; that is the basis of the claim that encrypting DNS queries will make it more difficult for internet providers to filter their subscribers’ internet access.
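What actually travels in a DoH request is an ordinary DNS message in wire format, wrapped in HTTPS. The following is an added example, not code from the article or from Mozilla: it builds the query for a name, shows the RFC 8484 GET and POST forms, and parses a constructed response. The resolver host name is an assumption and nothing is sent on the network; the GET path for `www.example.com` is the worked example given in RFC 8484 itself.

```python
import base64
import struct
import urllib.request

# Added example (not from the article or Mozilla): the DNS wire format that
# DoH (RFC 8484) carries inside HTTPS, built and parsed by hand so it runs offline.


def build_query(name, qtype=1, txid=0):
    """Build a DNS query: header, QNAME labels, QTYPE, QCLASS=IN.
    RFC 8484 recommends transaction ID 0 so HTTP caches can reuse responses."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_path(msg):
    """GET form: message base64url-encoded without padding in the dns= parameter."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def doh_post_request(resolver_host, msg):
    """POST form: raw message in the body, typed application/dns-message.
    resolver_host is an assumption; the request is built but not sent."""
    return urllib.request.Request(
        "https://%s/dns-query" % resolver_host, data=msg, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                     # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (end if end is not None else off)


def parse_a_answers(msg):
    """Return [(name, ttl, ipv4)] for the A records in a response message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                            # RCODE other than NOERROR
        raise ValueError("resolver returned rcode %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    out = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            out.append((name, ttl, ".".join(str(b) for b in rdata)))
    return out


def constructed_response(query, ipv4, ttl=300):
    """Constructed sample response for testing (192.0.2.0/24 is documentation
    space): the answer refers back to the question name with a compression
    pointer (0xC00C), as real resolvers do."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
              + bytes(int(octet) for octet in ipv4.split(".")))
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_path(q))
    print(parse_a_answers(constructed_response(q, "192.0.2.1")))
```

The point for the filtering debate is visible in the bytes: on the wire, an observer between the browser and the resolver sees a TLS session to the resolver host, not the `dns=` parameter or the POST body, so a filter that inspects or answers plaintext port 53 queries never sees the name being looked up.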

The ISPA isn’t alone. U.K. spy agency GCHQ and the Internet Watch Foundation, which maintains the U.K.’s internet blocklist, have criticized the move to roll out encrypted DNS features to the browser.

The ISPA’s nomination quickly drew ire from the security community. Amid a backlash on social media, the ISPA doubled down on its position, saying that “bringing in DNS-over-HTTPS by default would be harmful for online safety, cybersecurity and consumer choice,” while adding that it encourages “further debate.”

One internet provider, Andrews & Arnold, donated £2,940 — around $3,670 — to Mozilla in support of the nonprofit. “The amount was chosen because that is what our fee for ISPA membership would have been, were we a member,” said a tweet from the company.

Mozilla spokesperson Justin O’Kelly told TechCrunch: “We’re surprised and disappointed that an industry association for ISPs decided to misrepresent an improvement to decades old internet infrastructure.”

“Despite claims to the contrary, a more private DNS would not prevent the use of content filtering or parental controls in the UK. DNS-over-HTTPS (DoH) would offer real security benefits to UK citizens. Our goal is to build a more secure internet, and we continue to have a serious, constructive conversation with credible stakeholders in the UK about how to do that,” he said.

“We have no current plans to enable DNS-over-HTTPS by default in the U.K. However, we are currently exploring potential DNS-over-HTTPS partners in Europe to bring this important security feature to other Europeans more broadly,” he added.

Mozilla isn’t the first to roll out DNS-over-HTTPS. Last year Cloudflare released a mobile version of its 1.1.1.1 privacy-focused DNS service that includes DNS-over-HTTPS. Months earlier, Google-owned Jigsaw released its censorship-busting app Intra, which uses DNS-over-HTTPS to prevent DNS manipulation.

Mozilla has yet to set a date for the full release of DNS-over-HTTPS in Firefox.

Source: Internet group brands Mozilla ‘internet villain’ for supporting DNS privacy feature | TechCrunch

Privacy-first browsers look to take the shine off Google’s Chrome

Before Google, Facebook and Amazon, tech dominance was known by a single name: Microsoft.

And no product was more dominant than Microsoft’s web browser, Internet Explorer. The company’s browser was the gateway to the internet for about 95 percent of users in the early 2000s, which helped land Microsoft at the center of a major government effort to break up the company.

Almost two decades later, Google’s Chrome now reigns as the biggest browser on the block, and the company is facing challenges similar to Microsoft’s from competitors, as well as government scrutiny.

But Google faces a new wrinkle — a growing realization among consumers that their every digital move is tracked.

“I think Cambridge Analytica acted as a catalyst to get people aware that their data could be used in ways they didn’t expect,” said Peter Dolanjski, the product lead for Mozilla’s Firefox web browser, referring to the scandal in which a political consulting firm obtained data on millions of Facebook users and their friends.

[…]

Web browsers, being the primary way the vast majority of people experience the internet, are a crucial choke point in the digital ecosystem. While the browsers are free to users, the companies that operate them can have an outsized impact on how the internet works — especially if they gain a dominant market position. For a company like Google, which makes most of its money from online advertising, that has meant being able to liberally collect user data. For a nonprofit like Mozilla, more users means the chance to convince developers and other tech companies to adopt their privacy-focused standards.

[…]

Chrome, with more than 60 percent market share worldwide, is yet another source of complaints about Google’s power, after its search engine and advertisement businesses. Last year, Chrome changed the system for logging in to the browser, a move that one researcher said could allow Google to collect data much more easily.

Mozilla is far smaller and less influential as an organization, but it is pressing other browsers on privacy and playing up its status as a nonprofit. Last month, Firefox changed the initial settings for new users so that third-party tracking “cookies,” such as those used for ad purposes, are blocked by default. That stops cookie-based cross-site tracking out of the box, though it does not by itself stop every tracking technique, such as browser fingerprinting.

[…]

A technology columnist at the Post wrote in a scathing review last month that he was switching from Chrome to Firefox, calling Google’s product “a lot like surveillance software.” In a week of desktop websurfing, the columnist, Geoffrey Fowler, wrote that he discovered 11,189 requests for tracker cookies that were blocked by Firefox but would have been allowed by Chrome.

[…]

The browser fight has become heated enough to worry the advertising and media industries. Advertisers have become used to filling up websites with sometimes dozens of “cookies” and other forms of online tracking, and they fear a wider backlash against personalized, data-driven ads.

[…]

For now, there are few signs that Google’s browser dominance will end anytime soon, but the tech industry is riddled with examples of companies that appeared to be invincible just before their fall, including with web browsers.

Source: Privacy-first browsers look to take the shine off Google’s Chrome

Google Gmail purchase history can’t be deleted

Google and other tech companies have been under fire recently for a variety of issues, including failing to protect user data, failing to disclose how data is collected and used and failing to police the content posted to their services.

[…]

In May, I wrote up something weird I spotted on Google’s account management page. I noticed that Google uses Gmail to store a list of everything you’ve purchased, if you used Gmail or your Gmail address in any part of the transaction.

If you have a confirmation for a prescription you picked up at a pharmacy that went into your Gmail account, Google logs it. If you have a receipt from Macy’s, Google keeps it. If you bought food for delivery and the receipt went to your Gmail, Google stores that, too.

You get the idea, and you can see your own purchase history by going to Google’s Purchases page.

Google says it does this so you can use Google Assistant to track packages or reorder things, even though that’s not an option for some purchases that aren’t mailed or wouldn’t be reordered, like something you bought in a store.

At the time of my original story, Google said users can delete everything by tapping into a purchase and removing the Gmail. It seemed to work if you did this for each purchase, one by one. This isn’t easy — for years worth of purchases, this would take hours or even days of time.

So, since Google doesn’t let you bulk-delete this purchases list, I decided to delete everything in my Gmail inbox. That meant removing every last message I’ve sent or received since I opened my Gmail account more than a decade ago.

Despite Google’s assurances, it didn’t work.

Like a horror movie villain that just won’t die

On Friday, three weeks after I deleted every Gmail, I checked my purchases list.

I still see receipts for things I bought years ago. Prescriptions, food deliveries, books I bought on Amazon, music I purchased from iTunes, a subscription to Xbox Live I bought from Microsoft — it’s all there.

[Image: A list of my purchases Google pulled in from Gmail. Todd Haselton | CNBC]

Google continues to show me purchases I’ve made recently, too.

I can’t delete anything and I can’t turn it off.

Source: Google Gmail purchase history can’t be deleted

Fake Samsung firmware update app tricks more than 10 million Android users

Over ten million users have been duped into installing a fake Samsung app named “Updates for Samsung” that promises firmware updates but, in reality, redirects users to an ad-filled website and charges for firmware downloads.

“I have contacted the Google Play Store and asked them to consider removing this app,” Aleksejs Kuprins, malware analyst at the CSIS Security Group, told ZDNet today in an interview, after publishing a report on the app’s shady behavior earlier today.

The app takes advantage of the difficulty in getting firmware and operating system updates for Samsung phones, hence the high number of users who have installed it.

“It would be wrong to judge people for mistakenly going to the official application store for the firmware updates after buying a new Android device,” the security researcher said. “Vendors frequently bundle their Android OS builds with an intimidating number of software, and it can easily get confusing.”

“A user can feel a bit lost about the [system] update procedure. Hence can make a mistake of going to the official application store to look for system update.”

The “Updates for Samsung” app promises to solve this problem for non-technical users by providing a centralized location where Samsung phone owners can get their firmware and OS updates.

But according to Kuprins, this is a ruse. The app, which has no affiliation to Samsung, only loads the updato[.]com domain in a WebView (Android browser) component.

Rummaging through the app’s reviews, one can see hundreds of users complaining that the site is an ad-infested hellhole where most of them can’t find what they’re looking for, and that’s only when the app works and doesn’t crash.

The site does offer both free and paid (legitimate) Samsung firmware updates, but after digging through the app’s source code, Kuprins said the website limits the speed of free downloads to 56 KBps, and some free firmware downloads eventually end up timing out.

“During our tests, we too have observed that the downloads don’t finish, even when using a reliable network,” Kuprins said.

By letting free downloads fail, the app pushes users to purchase a $34.99 premium package to be able to download any files.

Source: Fake Samsung firmware update app tricks more than 10 million Android users | ZDNet

Top VPNs secretly owned by Chinese firms

Almost a third (30%) of the world’s top virtual private network (VPN) providers are secretly owned by six Chinese companies, according to a study by privacy and security research firm VPNpro.

The study shows that the top 97 VPNs are run by just 23 parent companies, many of which are based in countries with lax privacy laws.

Six of these companies are based in China and collectively offer 29 VPN services, but in many cases, information on the parent company is hidden to consumers.

Researchers at VPNpro have pieced together ownership information through company listings, geolocation data, the CVs of employees and other documentation.

In some instances, ownership of different VPNs is split amongst a number of subsidiaries. For example, Chinese company Innovative Connecting owns three separate businesses that produce VPN apps: Autumn Breeze 2018, Lemon Cove and All Connected. In total, Innovative Connecting produces 10 seemingly unconnected VPN products, the study shows.

Although the ownership of a number of VPN services by one company is not unusual, VPNpro is concerned that so many are based in countries with lax or non-existent privacy laws.

For example, seven of the top VPN services are owned by Gaditek, based in Pakistan. This means the Pakistani government can legally access any data without a warrant and data can also be freely handed over to foreign institutions, according to VPNpro.

The ability to access the data held by VPN providers, the researchers said, could enable governments or other organisations to identify users and their activity online. This potentially puts human rights activists, privacy advocates, investigative journalists and whistleblowers in jeopardy.

This lack of privacy, the study notes, extends to ordinary consumers, who are also coming under greater government surveillance.

“We’re not accusing any of these companies of doing anything underhand. However, we are concerned that so many VPN providers are not fully transparent about who owns them and where they are based,” said Laura Kornelija Inamedinova, research analyst at VPNpro.

Source: Top VPNs secretly owned by Chinese firms

Amazon Seeks Permission to Launch 3,236 Internet Satellites – awesome! more trash metal in low earth orbit!

Amazon wants the U.S. Federal Communications Commission (FCC) to give it the go-ahead to launch 3,236 satellites that would be used to establish a globe-spanning internet network. Seeking Alpha reported that Amazon expects “to offer service to tens of millions of underserved customers around the world” via the network, which the company is developing under the code-name Project Kuiper.

News of Project Kuiper broke in April, when Amazon uncharacteristically confirmed its work on the project to GeekWire. The company often declines to comment on reports concerning its plans; it seems the development of thousands of internet-providing satellites is the exception. The company had yet to seek FCC approval for the project, though, which is what Seeking Alpha reported today.

So what does this plan to offer space internet with a weird name actually involve? Amazon explained in April:

“Project Kuiper is a new initiative to launch a constellation of low Earth orbit satellites that will provide low-latency, high-speed broadband connectivity to unserved and underserved communities around the world. This is a long-term project that envisions serving tens of millions of people who lack basic access to broadband internet. We look forward to partnering on this initiative with companies that share this common vision.”

Expanding Internet access has become something of an obsession among tech companies. Google offers fiber Internet services as well as its own cellular network, Facebook scrapped plans to offer internet access via drones in June 2018, and Amazon isn’t the only company hoping to use low Earth orbit satellites to allow previously unconnected people to finally join the rest of the world online. It’s a bit of a trend.

Source: Amazon Seeks Permission to Launch 3,236 Internet Satellites

What if All Your Slack Chats Were Leaked?

Slack is one of many Silicon Valley unicorns going public this year, but it’s the only one that has admitted it is at risk for nation-state attacks. In the S-1 forms filed with the Securities and Exchange Commission, Uber, Lyft, Pinterest and Snapchat addressed threats that could lower the price of their stock — including malware, phishing, disgruntled employees and denial-of-service attacks — but only Slack explicitly highlighted “nation-states” as a potential threat.

According to Slack’s S-1 form, the company faces threats from “sophisticated organized crime, nation-state, and nation-state supported actors.” The company acknowledges that its security measures “may not be sufficient to protect Slack and our internal systems and networks against certain attacks,” and correctly assesses that it is “virtually impossible” for the company to completely eliminate the risk of a nation-state attack.

But it is possible for Slack to minimize that risk. Or it would be, if Slack gave all its users the ability to decide which information Slack should keep and which information it should delete.

Right now, Slack stores everything you do on its platform by default — your username and password, every message you’ve sent, every lunch you’ve planned and every confidential decision you’ve made. That data is not end-to-end encrypted, which means Slack can read it, law enforcement can request it, and hackers — including the nation-state actors highlighted in Slack’s S-1 — can break in and steal it.

Slack is widely marketed for and used in business settings, so the company’s servers hold a treasure trove of valuable, proprietary information. Slack’s paying enterprise customers do have a way to mitigate their security risk — they can change their settings to set shorter retention periods and automatically delete old messages — but it’s not just big companies that are at risk.

Slack’s users include community organizers, political organizations, journalists and unions. At the Electronic Frontier Foundation, where I work, we collaborate with activists, reporters and others on their digital privacy and security, and we’ve noticed these users increasingly gravitating toward Slack’s free product.

And that’s what makes the company’s warning to investors particularly alarming: Free customer accounts don’t allow for any changes to data retention. Instead, Slack retains all of your messages but makes only the most recent 10,000 visible to you. Everything beyond that 10,000-message limit remains on Slack’s servers. So while those messages might seem out of sight and out of mind, they are all still indefinitely available to Slack, law enforcement and third-party hackers.

Source: Opinion | What if All Your Slack Chats Were Leaked? – The New York Times

OpenPGP Certificate Attack Worries Experts, due to same symptoms bothering other Open Source projects – not enough contributors

There’s an interesting and troubling attack happening to some people involved in the OpenPGP community that makes their certificates unusable and can essentially break the OpenPGP implementation of anyone who tries to import one of the certificates.

The attack is quite simple and doesn’t exploit any technical vulnerabilities in the OpenPGP software, but instead takes advantage of one of the inherent properties of the keyserver network that’s used to distribute certificates. Keyservers are designed to allow people to discover the public certificates of others with whom they want to communicate over a secure channel. One of the properties of the network is that anyone who has looked at a certificate and verified that it belongs to a specific person can add a signature, or attestation, to the certificate. That signature basically serves as a public stamp of approval from one user to another.

In general, people add signatures to someone’s certificate in order to give other users more confidence that the certificate is actually owned and controlled by the person who claims to own it. However, the OpenPGP specification doesn’t have any upper limit on the number of signatures that a certificate can have, and the SKS keyservers accept and merge anything submitted without checking it, so any user or group of users can add signatures to a given certificate ad infinitum. That wouldn’t necessarily be a problem, except that GnuPG, one of the more popular packages that implements the OpenPGP specification, doesn’t handle certificates with extremely large numbers of signatures well. GnuPG becomes effectively unusable when it tries to import or operate on such a certificate, because it processes the entire signature list on each use.

Last week, two people involved in the OpenPGP community discovered that their public certificates had been spammed with tens of thousands of signatures–one has nearly 150,000–in an apparent effort to render them useless. The attack targeted Robert J. Hansen and Daniel Kahn Gillmor, but the root problem may end up affecting many other people, too.

“This attack exploited a defect in the OpenPGP protocol itself in order to ‘poison’ rjh and dkg’s OpenPGP certificates. Anyone who attempts to import a poisoned certificate into a vulnerable OpenPGP installation will very likely break their installation in hard-to-debug ways. Poisoned certificates are already on the SKS keyserver network. There is no reason to believe the attacker will stop at just poisoning two certificates. Further, given the ease of the attack and the highly publicized success of the attack, it is prudent to believe other certificates will soon be poisoned,” Hansen wrote in a post explaining the incident.
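Because the problem is simply the number of signature packets attached to a user ID, a certificate can be screened before it ever reaches `gpg --import`. The following is an added example, not code from the article, from GnuPG or from the keyserver project: a minimal RFC 4880 packet walker that counts signature packets per user ID and flags a certificate above a threshold. The threshold value and the placeholder packet bodies used to build the test certificate are assumptions; the bodies are not real keys or signatures.

```python
import struct
from collections import Counter

# Added example, not from the article, GnuPG or the SKS project: walk the
# RFC 4880 packet sequence of a certificate and count signatures per user ID.

TAG_SIG, TAG_PUBKEY, TAG_UID, TAG_SUBKEY, TAG_UATTR = 2, 6, 13, 14, 17


def _new_format_length(data, off):
    """Decode a new-format body length; return (length, next_off, is_partial)."""
    first = data[off]
    if first < 192:
        return first, off + 1, False
    if first < 224:
        return ((first - 192) << 8) + data[off + 1] + 192, off + 2, False
    if first == 255:
        return struct.unpack("!I", data[off + 1:off + 5])[0], off + 5, False
    return 1 << (first & 0x1F), off + 1, True           # partial body length


def iter_packets(data):
    """Yield (tag, body) for each packet, handling old and new header formats."""
    off, n = 0, len(data)
    while off < n:
        ctb = data[off]
        if not ctb & 0x80:
            raise ValueError("invalid packet tag byte at offset %d" % off)
        off += 1
        if ctb & 0x40:                                    # new format
            tag, chunks = ctb & 0x3F, []
            while True:
                length, off, partial = _new_format_length(data, off)
                chunks.append(data[off:off + length])
                off += length
                if not partial:
                    break
            body = b"".join(chunks)
        else:                                             # old format
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate-length packet not supported")
            width = (1, 2, 4)[ltype]
            length = int.from_bytes(data[off:off + width], "big")
            off += width
            body = data[off:off + length]
            off += length
        if off > n:
            raise ValueError("truncated packet")
        yield tag, body


def signatures_per_user_id(cert):
    """Map each user ID (or 'key', 'subkey', 'attr') to the number of signature
    packets that follow it; flooding signatures are bound to a user ID."""
    counts, current = Counter(), "key"
    for tag, body in iter_packets(cert):
        if tag == TAG_UID:
            current = body.decode("utf-8", "replace")
        elif tag == TAG_UATTR:
            current = "attr"
        elif tag == TAG_SUBKEY:
            current = "subkey"
        elif tag == TAG_SIG:
            counts[current] += 1
    return counts


def is_poisoned(cert, max_sigs_per_uid=1000):
    """Threshold is an assumption: a legitimate UID rarely carries more than a
    few hundred certifications; the poisoned certificates carried tens of thousands."""
    return any(n > max_sigs_per_uid for n in signatures_per_user_id(cert).values())


def encode_packet(tag, body):
    """New-format packet header with a one-, two- or five-octet length."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack("!I", n)
    return bytes([0xC0 | tag]) + length + body


def constructed_certificate(n_third_party_sigs):
    """Constructed test certificate: one key, one UID, one self-signature-sized
    packet, then n flooding signatures. Bodies are placeholders, not real keys."""
    sig_body = b"\x04\x13\x01\x08" + b"\x00" * 300        # roughly RSA-2048 size
    return (encode_packet(TAG_PUBKEY, b"\x04" + b"\x00" * 269)
            + encode_packet(TAG_UID, b"Example User <user@example.org>")
            + encode_packet(TAG_SIG, sig_body) * (1 + n_third_party_sigs))


if __name__ == "__main__":
    for n in (5, 20000):
        cert = constructed_certificate(n)
        print(len(cert), dict(signatures_per_user_id(cert)), is_poisoned(cert))
```

Run against a binary (not ASCII-armored) export, this reports the per-UID counts in seconds without loading the certificate into a keyring. Note that a keyserver fetch is the risky path: GnuPG later changed its keyserver import defaults (2.2.17 added `self-sigs-only` and made `import-clean` the default for keyserver retrievals) to drop third-party certifications at import, but a certificate received any other way still deserves a count like this before it is imported.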

Source: OpenPGP Certificate Attack Worries Experts | Decipher

UChicago and Google Sued in Federal Class Action Suit for Patient Data Sharing between 2009 – 2016

A former patient at the University of Chicago Medical Center is suing UChicago, the medical center, and Google, accusing them of violating the privacy rights of patients at UChicago Medicine through the sharing of patient records containing identifiable information.

The class action lawsuit, filed by Matt Dinerstein in the Northern District of Illinois on Wednesday, claims that UChicago violated federal law protecting patient privacy in its partnership with Google to share records of patients from 2009 to 2016. It also claims that Google will be able to use the patient data to develop highly lucrative health-care technologies.

The suit charges that the University breached its contracts with patients by allegedly falsely claiming that it would protect their medical records. It also charges UChicago with violating an Illinois law that prohibits companies from engaging in deceptive practices with clients.

UChicago spokesperson Jeremy Manier said in a statement e-mailed to The Maroon, “The claims in this lawsuit are without merit. The University of Chicago Medical Center has complied with the laws and regulations applicable to patient privacy.”

“The Medical Center entered into a research partnership with Google as part of the Medical Center’s continuing efforts to improve the lives of its patients,” the statement continues. “That research partnership was appropriate and legal and the claims asserted in this case are baseless and a disservice to the Medical Center’s fundamental mission of improving the lives of its patients. The University and the Medical Center will vigorously defend this action in court.”

A Google spokesperson said in a statement e-mailed to The Maroon, “We believe our healthcare research could help save lives in the future, which is why we take privacy seriously and follow all relevant rules and regulations in our handling of health data.”

UChicago announced in 2017 that it would begin sharing electronic medical records with Google in a partnership to develop machine-learning techniques that could improve the quality of health services. At the time, UChicago said that Google would ensure that “patient data is kept private and secure,” and would be “strictly following HIPAA privacy rule.”

HIPAA, the Health Insurance Portability and Accountability Act, is a federal law under which patient information that is shared for such purposes must be “de-identified” to protect patients’ privacy. Under the rule’s “safe harbor” method, that means stripping a defined list of identifiers, which includes not only names, addresses and photos but also all elements of dates other than the year that relate to an individual, such as admission and discharge dates.

The complaint accuses UChicago of making insufficient efforts to scrub patient-identifying data before handing over documents.

Though UChicago and Google claim to have de-identified patients, UChicago’s inclusion of timestamps indicating when patients checked in and out of the medical center makes the records identifiable and thereby violates HIPAA, the suit alleges. It cites an article published last year by Google and researchers from collaborating universities that says, “All EHRs [medical records] were de-identified, except that dates of service were maintained in the UCM [UChicago Medicine] dataset.”

Google’s potential capability to “re-identify” patients with its advanced data mining technologies indicates that “these records were not sufficiently anonymized and put the patients’ privacy at grave risk,” the complaint claims. It notes Google’s possession of geolocation information that can “pinpoint and match exactly when certain people entered and exited the University’s hospital.”
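The re-identification risk the complaint describes comes down to what survives de-identification. The following is an added example, not code from the complaint, UChicago or Google: a safe-harbor scrubber for a record beside the “dates of service retained” variant the suit describes, and a linkage test that joins the records to a second source of (person, timestamp) observations. All records, names and sightings are constructed for the example; the pepper for the keyed pseudonym is an assumption.

```python
import hashlib
import hmac
from datetime import date

# Added example (not from the complaint, UChicago or Google): Safe Harbor
# de-identification beside the "dates retained" variant, plus a linkage test.

PEPPER = b"per-dataset secret kept by the covered entity"   # assumption

# Constructed records; no real patients.
RAW = [
    {"mrn": "A1001", "name": "Pat Example", "zip": "60637", "dob": "1924-01-15",
     "admit": "2015-03-11T08:42", "discharge": "2015-03-13T14:05", "dx": "I10"},
    {"mrn": "A1002", "name": "Sam Sample", "zip": "60615", "dob": "1980-07-30",
     "admit": "2015-03-11T09:10", "discharge": "2015-03-11T17:30", "dx": "J45"},
    {"mrn": "A1003", "name": "Lee Test", "zip": "60637", "dob": "1962-11-02",
     "admit": "2015-06-02T22:15", "discharge": "2015-06-05T10:00", "dx": "E11"},
]


def pseudonym(mrn):
    """Keyed hash of the record number: re-linking needs the pepper, which
    stays with the data holder rather than travelling with the export."""
    return hmac.new(PEPPER, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def age_on(dob, ref):
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))


def safe_harbor(rec):
    """45 CFR 164.514(b)(2): drop names and record numbers, keep only the first
    three ZIP digits (still subject to the 20,000-population rule), reduce every
    date to its year, and collapse ages over 89 to '90+'."""
    admit = date.fromisoformat(rec["admit"][:10])
    age = age_on(date.fromisoformat(rec["dob"]), admit)
    return {"id": pseudonym(rec["mrn"]), "zip3": rec["zip"][:3],
            "age": "90+" if age >= 90 else str(age),
            "year": str(admit.year), "dx": rec["dx"]}


def dates_retained(rec):
    """What the complaint alleges for the UCM dataset: safe-harbor fields plus
    the exact admission and discharge timestamps."""
    out = safe_harbor(rec)
    out["admit"], out["discharge"] = rec["admit"], rec["discharge"]
    return out


def link(records, sightings):
    """Join (person, ISO timestamp) observations from some other source, such as
    a location history, to the records; return person -> dx for unique matches.
    Timestamps share one format, so string comparison orders them correctly."""
    hits = {}
    have_dates = all("admit" in r for r in records)
    for person, ts in sightings:
        if have_dates:
            cands = [r for r in records if r["admit"] <= ts <= r["discharge"]]
        else:                                  # only the year survived
            cands = [r for r in records if r["year"] == ts[:4]]
        if len(cands) == 1:
            hits[person] = cands[0]["dx"]
    return hits


# Constructed observations of two people inside the hospital.
SIGHTINGS = [("Pat Example", "2015-03-12T12:00"), ("Lee Test", "2015-06-03T08:00")]

if __name__ == "__main__":
    print(link([dates_retained(r) for r in RAW], SIGHTINGS))   # unique matches
    print(link([safe_harbor(r) for r in RAW], SIGHTINGS))      # nothing unique
```

With exact admission and discharge times retained, each observation matches exactly one record and the diagnosis code is recovered; with dates reduced to the year, every observation matches all three records and nothing unique comes out. That is the whole of the complaint’s technical argument: the timestamps, not the absence of names, are the linking key.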

UChicago is not the only university to share health records with Google; other universities with similar partnerships include Stanford University and the University of California, San Francisco, according to the article published by Google and collaborating researchers. Wednesday’s lawsuit rests on the fact that UChicago’s records, as obtained by Google, include timestamps of patient records.

The suit also argues that Google’s acquisition of a British startup called DeepMind in 2014 has allowed Google to possess robust machine-learning technologies that would allow Google to connect medical records to Google users’ data.

DeepMind and Google obtained health records from the British Royal Free Hospital in 2015. A British data protection watchdog later found that the project had not complied with data protection law, the suit claims.

Source: UChicago and Google Sued in Federal Class Action Suit for Data Sharing