US immigration uses Google Translate to scan people’s social media for bad posts – Er, don’t do that, says everyone else, including Google

Google recommends that anyone using its translation technology add a disclaimer that translated text may not be accurate.

The US government’s Citizenship and Immigration Services (USCIS) nonetheless has been relying on online translation services offered by Google, Microsoft, and Yahoo to read refugees’ non-English social media posts and judge whether or not they should be allowed into the Land of the Free™.

According to a report from ProPublica, USCIS uses these tools to help evaluate whether refugees should be allowed into the US. In so doing, agency personnel are putting their trust in an untrustworthy algorithm to make entry decisions that may have profound consequences for the health and welfare of those seeking admission to the country.

“The translation of these social media posts can mean life or death for refugees seeking to reunite with their family members,” said Betsy Fisher, director of strategy for the International Refugee Assistance Project (IRAP), in an email to The Register. “It is dangerous to rely on inadequate technology to inform these unreasonable procedures ostensibly used to vet refugees.”

IRAP obtained a USCIS manual through a public records request and shared it with ProPublica. The manual advises USCIS personnel to use free online translation tools and provides a walkthrough for using Google Translate.

Scanning social media posts for content that would disqualify entry into the US follows from a 2017 executive order and memorandum. The impact of social media scrutiny was made clear recently when Ismail Ajjawi, a resident of Lebanon admitted to Harvard’s class of 2023, was denied entry into America by US Customs and Border Protection because of anti-US posts apparently made by friends.

After ten days of pressure from student petitioners and advocacy groups, CBP determined Ajjawi met its requirements for US entry after all.

To demonstrate the inaccuracy of Google Translate, ProPublica asked Mustafa Menai, who teaches Urdu at the University of Pennsylvania, to translate a Twitter post written in Urdu. By Menai’s estimation, an accurate English translation would be, “I have been spanked a lot and have also gathered a lot of love (from my parents).”

Google Translate’s rendering of the post is, “The beating is too big and the love is too windy.”

Source: US immigration uses Google Translate to scan people’s social media for bad posts – Er, don’t do that, says everyone else • The Register

Card-stealing MageCart infection swipes customers’ details and payment cards from fragrancedirect.co.uk

Online merchant fragrancedirect.co.uk has confirmed a miscreant broke into its systems and made off with a raft of customers’ personal data, including payment card details.

The e-retailer, based in Macclesfield, England, wrote to punters this week to inform them of the digital burglary and the subsequent data leakage.

“We recently discovered that some of our user data may have been compromised as a result of unauthorised access to our website by a malicious third party,” the email states.

The online store then launched an investigation and “quickly identified the root cause and have taken the necessary steps to address the issue”, the note continues.

It added that “Fragrance Direct Username and Password”, along with “Name, Address and Phone Number”, and “Credit and Debit Card Details” spilled into the wrong hands.

Source: What’s that smell? Perfume merchant senses the scent of a digital burglary • The Register

Doordash food delivery service’s latest data breach – 4.9m people have their physical addresses floating around the internet now

Doordash is the latest of the “services you probably use, or at least have an account with” companies to suffer a large data breach. And while your passwords likely haven’t been compromised, it’s possible that your physical address is floating around in the Internet somewhere, among other identifying information.

As Doordash wrote yesterday, an unknown individual accessed data they shouldn’t have on May 4. Among the information that was compromised included:

“Profile information including names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords — a form of rendering the actual password indecipherable to third parties.”

Approximately 4.9 million Doordash customers were affected by the breach, but only those who joined the site prior to April 5, 2018. If you signed up for Doordash after that, you’re in the clear.

However, the leaked information doesn’t stop with emails, phone numbers, and names—to name a few. For a subset of those affected, the attacker was able to access the last four digits of their stored credit card, their bank account number, or their drivers’ license numbers.

Doordash is currently reaching out to those whose data might have been compromised; if you haven’t received an email yet, you might be in the clear, but it’s also taking the company a bit of time to send these, so it’s OK to be slightly anxious.

Source: Doordash’s Latest Data Breach: How to Protect Yourself

AI equal with human experts in medical diagnosis with images, study finds

Artificial intelligence is on a par with human experts when it comes to making medical diagnoses based on images, a review has found.

The potential for artificial intelligence in healthcare has caused excitement, with advocates saying it will ease the strain on resources, free up time for doctor-patient interactions and even aid the development of tailored treatment. Last month the government announced £250m of funding for a new NHS artificial intelligence laboratory.

However, experts have warned the latest findings are based on a small number of studies, since the field is littered with poor-quality research.

One burgeoning application is the use of AI in interpreting medical images – a field that relies on deep learning, a sophisticated form of machine learning in which a series of labelled images are fed into algorithms that pick out features within them and learn how to classify similar images. This approach has shown promise in diagnosis of diseases from cancers to eye conditions.

However, questions remain about how such deep learning systems measure up to human skills. Now researchers say they have conducted the first comprehensive review of published studies on the issue, and found humans and machines are on a par.

Prof Alastair Denniston, at the University Hospitals Birmingham NHS foundation trust and a co-author of the study, said the results were encouraging but the study was a reality check for some of the hype about AI.

Dr Xiaoxuan Liu, the lead author of the study and from the same NHS trust, agreed. “There are a lot of headlines about AI outperforming humans, but our message is that it can at best be equivalent,” she said.

Writing in the Lancet Digital Health, Denniston, Liu and colleagues reported how they focused on research papers published since 2012 – a pivotal year for deep learning.

An initial search turned up more than 20,000 relevant studies. However, only 14 studies – all based on human disease – reported good quality data, tested the deep learning system with images from a separate dataset to the one used to train it, and showed the same images to human experts.

The team pooled the most promising results from within each of the 14 studies to reveal that deep learning systems correctly detected a disease state 87% of the time – compared with 86% for healthcare professionals – and correctly gave the all-clear 93% of the time, compared with 91% for human experts.

However, the healthcare professionals in these scenarios were not given additional patient information they would have in the real world which could steer their diagnosis.

Prof David Spiegelhalter, the chair of the Winton centre for risk and evidence communication at the University of Cambridge, said the field was awash with poor research.

“This excellent review demonstrates that the massive hype over AI in medicine obscures the lamentable quality of almost all evaluation studies,” he said. “Deep learning can be a powerful and impressive technique, but clinicians and commissioners should be asking the crucial question: what does it actually add to clinical practice?”

Source: AI equal with human experts in medical diagnosis, study finds | Technology | The Guardian

Darknet cybercrime servers hosted in former NATO bunker in Germany busted in 600 policemen operation

A cybercrime data center that was shut down by German authorities was housed inside a former NATO bunker in a sleepy riverside town, police revealed on Friday.

More than 600 law enforcement personnel including Germany’s elite federal police unit, the GSG 9, were involved in an anti-cybercrime operation that took place in the town of Traben-Trarbach on the banks of the Mosel river.

Police officers succeeded in penetrating the building, a 5,000 square meter former NATO bunker with iron doors that goes five floors deep underground. The building was located on a 1.3-hectare (3.2 acre) property secured with a fence and surveillance cameras.

“We had to overcome not only real, or analog, protections; we also cracked the digital protections of the data center,” said regional police chief Johannes Kunz.


The target of the operation was a so-called “bulletproof hosting” service provider. Bulletproof hosters provide IT infrastructure that protects online criminal activity from government intervention.

In the raid, police seized 200 servers along with documents, cell phones, and large quantities of cash. Thursday’s operation was the first time German investigators were able to apprehend a bulletproof hoster, according to German media outlets.


Cracking the security codes to access the contents of the servers was another difficult task for the police. On the servers, they found countless websites facilitating the illegal sale of drugs, weapons, counterfeit documents, and stolen data as well as sites distributing child pornography. The servers hosted Wall Street Market, formerly the second largest darknet marketplace for drugs in the world before law enforcement shut the platform down earlier this year.

The police arrested 13 people between the ages of 20 and 59 allegedly tied to the operation. Seven are held in custody. The ringleader is a 59-year-old Dutch man with ties to organized crime in the Netherlands. He established the server in Traben-Trarbach in 2013. While his official residency is listed in Singapore, he had been living in the bunker.

Source: Darknet cybercrime servers hosted in former NATO bunker in Germany | News | DW | 28.09.2019

GNOME is Being Sued Because Shotwell Photo Manager can wirelessly transfer images. The US Patent Office really gave a patent to transfer images and label them to a patent troll.

The GNOME Foundation is facing a lawsuit from Rothschild Patent Imaging, LLC. Rothschild alleges that Shotwell, a free and open source personal photo manager, infringes its patent.

Neil McGovern, Executive Director for the GNOME Foundation says “We have retained legal counsel and intend to vigorously defend against this baseless suit. Due to the ongoing litigation, we unfortunately cannot make any further comments at this time.”

While Neil cannot make any further comments on this issue, let me throw some light on this matter.

The patent in question deals with wireless image distribution. The patent is ridiculous because it could mean that any software that transfers images from one device to another is violating it.

And that’s what this lawsuit is about. If you read the lawsuit, you’ll see why Neil called it baseless:

GNOME Shotwell Lawsuit

Shotwell is not the only one being sued

I did a quick web search for “Rothschild Patent Imaging” and I couldn’t find their website. I am guessing that it doesn’t exist. However, I came across a number of “Rothschild Patent Imaging vs XYZ” lawsuits.

I dug a little deeper. As per the patent litigation website RPX Insight, there are six active cases and forty-two inactive cases involving Rothschild Patent Imaging.

Rothschild Patent Imaging Lawsuits

There are a number of companies being sued if their product mentions grouping photos based on date, location, etc., facial recognition, or transferring images from one device to another. Sounds crazy, right?

But it won’t be crazy if it’s someone’s full time job.

Patent Litigation Abuse aka Patent Trolling


Rothschild Patent Imaging is owned by Leigh M Rothschild.

The modus operandi of ‘inventor’ Leigh M Rothschild is to get patents on obvious ideas. And that obvious idea would be so broad that they could sue a huge number of organizations. Defendants have two choices, either pay Rothschild to settle the lawsuit or pay even more to lawyers and fight the court battle.

Rothschild Patent Imaging LLC might have been formed to sue companies dealing with grouping and transferring images. In 2017, Rothschild Connected Devices Innovations LLC also filed a number of patent infringement lawsuits against companies that hinted at mixing drinks and connected devices.

Ars Technica called Rothschild a patent troll because he was demanding $75,000 from each defendant for settling the lawsuits.

Smaller companies might have been intimidated but when Rothschild targeted a giant like Garmin, they hit back. Rothschild backed out of the lawsuit but Garmin filed a counter and Rothschild was asked to pay the legal expenses to Garmin.

Unfortunately, patent trolling is a big business, especially in the United States of America. There are companies with the sole business model of suing other companies. They are almost exclusively based in East Texas, where the laws favor such patent trolls. EFF has a dedicated page that lists the victims of patent trolls.

I am so glad that GNOME Foundation has decided to fight this lawsuit vigorously.

Source: GNOME is Being Sued Because of Shotwell Photo Manager

The US Air Force Is Deploying PHASER Microwave Weapon to kill drones

Yesterday afternoon, the Pentagon notified Congress of its purchase of a microwave weapon system designed to knock down swarms of enemy drones with pulses of energy. The purchase comes with an intent to deploy the PHASER system overseas for a year-long assessment, making it the first directed energy defense weapon to ever be fielded.

[…]

The U.S. Air Force spent $16.28 million for one prototype PHASER high power microwave system for a “field assessment for purposes of experimentation” in an unspecified location outside the U.S. The test is “expected to be completed by Dec. 20, 2020,” making the overseas deployment “against real-world or simulated hostile vignettes” imminent.

A Growing Threat

There are several directed energy weapons that the Air Force is buying to test their effectiveness in the field, and officials say some will be on the frontlines in tense areas of the globe where enemy drones are becoming a threat, including North Korea, Africa, the Ukraine and—most recently—the Middle East.

“At the moment we have awarded multiple DE systems for use in our field assessment overseas and are working to support multiple bases and areas of responsibility,” Michael Jirjis, who is lead on the PHASER experiment, told Popular Mechanics. “We can’t say which specific locations at this time.”

[…]

The recent swarm attack on Saudi Arabian oil facilities has highlighted the risk and drawn a stern response from the Pentagon.

“This is not the reaction of just a few events but the realization of a growing need over the past few years,” says Jirjis.

Gen. Joseph Dunford, the chairman of the Joint Chiefs of Staff, said on Friday that the U.S. would be moving enhanced air defenses into the region. He didn’t offer any specifics, saying the Pentagon is working with the Saudis to come up with a support plan. The PHASER system, by virtue of timing, could now land at the forefront of an international crisis.

“It is a remarkable coincidence because this has been in the works between the Air Force and Raytheon essentially since an experiment at White Sands [Missile Range] late last year,” says Don Sullivan, Raytheon missile systems’ chief technologist for directed energy.

Those who sell drone-killing weapons keep a sharp eye on the warning signs, and there were many that preceded the attack in Saudi Arabia.

“There are fairly recent incidents, for example in Yemen where a very large drone with a high explosive payload killed about 40 people, at a prayer ground of all places. And that was on YouTube,” Sullivan says. “It was a real eye-opener. What happened in Saudi over the weekend was kind of that raised to the nth degree.”

[…]

The system uses microwaves to disable Class One and Class Two drones, ones that are less than 55 pounds and fly at altitudes of 1,200 to 3,500 feet at speeds between 100 and 200 knots. Think RQ-11 Raven at the low end and a ScanEagle as the maximum-sized target.

There were an estimated 20 drones and cruise missiles used to attack Saudi Arabia, and some of the drones may have been small enough for PHASER to have disabled them. The HPM system is not known to work against cruise missiles, according to the Air Force and Raytheon.

[…]

PHASER is a high-powered microwave cannon that emits radio frequencies in a conical beam. It doesn’t cook a drone with heat. Instead, the weapon disrupts or destroys its circuits with a burst of overwhelming energy.

“It’s not a thermal effect, it’s an electric field effect that is basically imposed on the electronics to either upset or permanently damage them,” says Sullivan. “And the effect is essentially instantaneous.”

[…]

PHASER frying a rotary drone mid-flight.

Microwave weapons have traditionally been hampered by the fact that they don’t discriminate targets—bathing an area with them could damage friendly hardware along with a foe’s. But with attacks involving swarms of small UAVs becoming popular, that vice has become a virtue since PHASER can attack multiple targets simultaneously and doesn’t run out of ammunition.

Source: PHASER Microwave Weapon – The Air Force Is Deploying PHASER

This Guy Made an Ad Blocker That Works on Podcasts and Radio

Meet AdBlock Radio, an adblocker for live radio streams and podcasts. Its creator, Alexandre Storelli, told Motherboard he hopes to help companies “develop alternative business models for radio and podcast lovers that do not want ads.”

“Ads exploit the weaknesses of many defenseless souls,” Storelli told Motherboard. “Ads dishonestly tempt people, steal their time and promise them a higher social status. Blocking them will be a relieving experience for many.”

Most audio ads exploit “auditory artifacts” to produce an ad that can’t be ignored or tuned out because it feels louder than it actually is—this has gotten so bad that there has actually been a “sonic arms race” where ads have been made increasingly louder over the years.

[…]

He said he’s been working on it for more than three years and that it uses techniques such as speech recognition, acoustic fingerprinting, and machine learning to detect known ad formats. It uses a crowdsourced database of ads and “acoustic fingerprinting,” which converts audio features into a series of numbers that can be combed by an algorithm. Storelli says this is the same technology used by Shazam to identify songs. He notes that the algorithm isn’t perfect, and that hip-hop music, for example, is often misidentified as an advertisement. It also has trouble with “native” advertisements, in which a podcast host reads an ad (this type of advertisement has become increasingly popular).

[…]

Storelli has made AdBlock Radio open-source and given detailed instructions on how to build on it, integrate it into user devices, and deploy it in a way that pressures radio stations (and podcasts) to self-regulate the quality of their ads.

James Williams, co-founder of the Time Well Spent movement, once made the case that “[the ultimate benefit of adblockers is] better informational environments that are fundamentally designed to be on our side, to respect our increasingly scarce attention, and to help us navigate under the stars of our own goals and values.” Storelli goes a little further, quoting Jean-Marc Jancovici, a French energy expert, to argue “Climate change being one of the consequences of the modern mass consumption lifestyle, wishing a firm action against this process implies, for a part, to question the perpetual increase of the material consumption otherwise encouraged by ads.”

It’s not likely that ad blocking will avert a climate apocalypse. Ad blocking, however, may serve as a good salvo in the war against consumerism.

Source: This Guy Made an Ad Blocker That Works on Podcasts and Radio

Xiaomi’s Mi Mix Alpha is almost entirely made of screen

As for the phone’s more traditional specs, there’s a Qualcomm Snapdragon 855+ processor, 5G connectivity, 12GB of RAM, 512GB of storage, 40W wired fast-charging, and a 4,050mAh battery. That last spec would perhaps suggest that Xiaomi doesn’t imagine you having the whole screen turned on all the time.

Xiaomi describes the Mix Alpha as a “concept smartphone” and isn’t going to be mass-producing it any time soon. The phone will go into small-scale production this year and go on sale in December for 19,999 yuan, or about $2,800. The original Mi Mix was also given the “concept” label and released in small quantities, with the Mi Mix 2 following a year later as a more mainstream device.

On one hand, this design poses obvious issues with cost, durability, battery life, accidental touch recognition, privacy, and so on. On the other, well, just look at it:

Source: Xiaomi’s Mi Mix Alpha is almost entirely made of screen – The Verge

DNA is held together by hydrophobic forces

Researchers at Chalmers University of Technology, Sweden, have disproved the prevailing theory of how DNA binds itself. It is not, as is generally believed, hydrogen bonds which bind together the two sides of the DNA structure. Instead, water is the key. The discovery opens doors for new understanding in research in medicine and life sciences. The findings are published in PNAS.

DNA is constructed of two strands consisting of sugar molecules and phosphate groups. Between these two strands are nitrogen bases, the compounds that make up genes, with hydrogen bonds between them. Until now, it was commonly thought that those hydrogen bonds held the two strands together.

But now, researchers from Chalmers University of Technology show that the secret to DNA’s helical structure may be that the molecules have a hydrophobic interior, in an environment consisting mainly of water. The environment is therefore hydrophilic, while the DNA molecules’ nitrogen bases are hydrophobic, pushing away the surrounding water. When hydrophobic units are in a hydrophilic environment, they group together to minimize their exposure to the water.

[…]

“We have also shown that DNA behaves totally differently in a hydrophobic environment. This could help us to understand DNA, and how it repairs. Nobody has previously placed DNA in a hydrophobic environment like this and studied how it behaves, so it’s not surprising that nobody has discovered this until now.”

The researchers also studied how DNA behaves in an environment that is more hydrophobic than normal, a method they were the first to experiment with. They used the hydrophobic solution polyethylene glycol, and changed the DNA’s surroundings step-by-step from the naturally hydrophilic environment to a hydrophobic one. They aimed to discover if there is a limit where DNA starts to lose its structure, when the DNA does not have a reason to bind, because the environment is no longer hydrophilic. The researchers observed that when the solution reached the borderline between hydrophilic and hydrophobic, the DNA molecules’ characteristic spiral form started to unravel.

Upon closer inspection, they observed that when the base pairs split from one another (due to external influence, or simply from random movements), holes are formed in the structure, allowing water to leak in. Because DNA wants to keep its interior dry, it presses together, with the base pairs coming together again to squeeze out the water. In a hydrophobic environment, this is missing, so the holes stay in place.

“Hydrophobic catalysis and a potential biological role of DNA unstacking induced by effects” is published in Proceedings of the National Academy of Sciences (PNAS).

Source: DNA is held together by hydrophobic forces

Several months after the fact, and after public reporting, CafePress finally acknowledges huge data theft to its customers

T-shirt flogger CafePress has finally informed its customers about a serious data loss dating back to February and first reported last month.

Several CafePress punters told us they had received an email this morning warning them the company had lost customer names, emails, physical addresses, phone numbers and unencrypted passwords. Some customers have also had the last four numbers of payment cards and expiry dates nabbed by hackers.

The email, addressed to “Dear Valued Customer”, says that the incident happened “on or about February 19”. But fear not: “We have been diligently investigating this incident with the assistance of outside experts.”

The email claims that CafePress “recently discovered” the security hole. But in early August, the company ran a mass-password reset following reports that some 23 million user details were floating around on hacker forums.

Security researcher Jim Scott told The Register at the time: “Out of the 23 million compromised users, roughly half of them had their passwords exposed encoded in base64 SHA-1.” The hack was originally spotted by Troy Hunt, operator of the Have I Been Pwned website.

Today’s email says that an unidentified third party accessed a CafePress database and customer data. They may also have had access to CafePress accounts for a limited time and the information “could have been used for fraudulent activity”.

[…]

The company has not responded to our questions, which include why passwords were not properly encrypted and why it has taken so long to warn customers.
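To make the two password-storage schemes in this digest concrete (the “hashed, salted passwords” in the Doordash notice above and the “base64 SHA-1” that Jim Scott describes here), the following is an added Python example; it is not code from either company or from The Register, and the storage record format and the sample user table are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Optional

# Constructed sample data: two customers who happen to reuse the same password.
SAMPLE_USERS = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}


def legacy_store(password: str) -> str:
    """The weak scheme named in the CafePress quote: unsalted SHA-1, base64 encoded.

    No salt and a fast hash, so equal passwords give equal stored values and a
    precomputed table of common passwords matches every account at once.
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def looks_like_base64_sha1(value: str) -> bool:
    """Recognise a base64(SHA-1) value in a dump: 20 raw bytes -> 28 chars ending in '='."""
    if len(value) != 28:
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 20


def salted_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 200_000) -> str:
    """Salted, deliberately slow hashing (PBKDF2-HMAC-SHA256).

    Assumed record format (not any vendor's): pbkdf2_sha256$<iter>$<salt_b64>$<dk_b64>.
    A fresh random salt per user means equal passwords no longer share a stored value.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_salted(password: str, stored: str) -> bool:
    """Check a password against a salted record using a constant-time comparison."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def shared_hash_groups(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Group users whose stored values are identical.

    With unsalted hashes this exposes password reuse across accounts; with
    per-user salts the result is empty even when users share a password.
    """
    by_value: Dict[str, List[str]] = {}
    for user, stored in records.items():
        by_value.setdefault(stored, []).append(user)
    return {v: users for v, users in by_value.items() if len(users) > 1}


def build_records(users: Dict[str, str], scheme: Callable[[str], str]) -> Dict[str, str]:
    """Apply one storage scheme to every user in a constructed user table."""
    return {user: scheme(pw) for user, pw in users.items()}


if __name__ == "__main__":
    legacy = build_records(SAMPLE_USERS, legacy_store)
    salted = build_records(SAMPLE_USERS, salted_store)
    print("legacy values recognisable:", all(looks_like_base64_sha1(v) for v in legacy.values()))
    print("legacy reuse groups:", shared_hash_groups(legacy))   # alice and bob collide
    print("salted reuse groups:", shared_hash_groups(salted))   # empty
    print("verify carol:", verify_salted("Tr0ub4dor&3", salted["carol"]))
```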

Source: Several months after the fact, CafePress finally acknowledges huge data theft to its customers • The Register

Football Leaks: Possible Interest Conflict Dogs Probe

Eurojust, the European Union agency that facilitates cooperation between EU prosecutors, had extended the invitation for a working meeting, the focus of which was on the probes into findings from Football Leaks, the largest data leak in history. But the meeting produced more controversy than expected.

Ten countries have expressed interest in the gigantic trove of data. Under the leadership of French authorities, the working meeting in The Hague had been set up to determine who and under what circumstances authorities would be permitted to work with the millions of files of data from the heart of the football industry. Investigators are hoping the information will provide evidence of serious tax evasion, collective fraud, embezzlement, corruption and money laundering.

[…]

Cluny was present as Portugal’s Eurojust representative at the press conference. And the fact that he didn’t disclose a personal conflict of interest in the course of these proceedings has been the source of significant irritation among his colleagues. Furthermore, it confirms the fears of the whistleblower who gathered the Football Leaks data. Because there are now suspicions Cluny may not be impartial.

But first things first.

Football Leaks is a raft of data that sheds light on the dirty side of the professional football business. The documents offer insights into the inner workings of numerous companies whose revenues end up taking circuitous routes through offshore countries. Financial authorities in Europe have often been kept in the dark about the nested corporate structures, but the documents reveal everything: articles of incorporation, ownership structures, payment flows, wire transfers and bank account numbers.

A source named “John” has been providing DER SPIEGEL with the data since the beginning of 2016. The newsmagazine shared more than 70 million documents with the journalist network European Investigative Collaborations (EIC) and those documents have provided the basis for more than 800 investigative articles over the past three years. The publication of the articles has led to numerous investigations and trials. Among others, Cristiano Ronaldo and José Mourinho were slapped with suspended sentences and fines for tax fraud.

But the whistleblower behind Football Leaks is facing his own trouble with the law following his arrest in mid-January. He has since discarded his pseudonym John and revealed his real name to the public: Rui Pinto. The 30-year-old Portuguese national is now under house arrest in Budapest after Portuguese investigators issued an arrest warrant against him on suspicion of attempted extortion and cybercrime. They are demanding Pinto’s extradition to Portugal. Pinto denies the accusations and is waging a legal fight to prevent his deportation.

Antonio Cluny, the inconspicuous man at the press conference in The Hague, used to be the deputy prosecutor general of Portugal and has been representing his country’s interests at Eurojust since 2014. He said at the press conference that Portugal is also interested in analyzing the data gathered by Pinto, but he also stressed that his country would continue to insist on Pinto’s extradition.

[…]

As it turns out, Cluny did not, in fact, share critical information that has now cast doubt on his independence.

What Cluny shared neither publicly nor with his colleagues at Eurojust is that he’s the father of João Lima Cluny, a top lawyer at the Portuguese law firm Morais Leitão. The firm represents Cristiano Ronaldo, José Mourinho and many other big names in the football world who ran into trouble with the judiciary following the publication of Football Leaks documents. In his private messages, Ronaldo affectionately calls one of the firm’s partners, Carlos Osório de Castro, “father.” Osório de Castro has served as Ronaldo’s legal adviser since the beginning of the football player’s career and the Porto-based lawyer has also coordinated Ronaldo’s defense strategy for the rape allegations that have been leveled against him.

Source: Football Leaks: Possible Interest Conflict Dogs Probe – SPIEGEL ONLINE

I didn’t know about the whole football leaks thing!

Der Spiegel’s site and reporting on the leaks content

The Football leaks data site. You can download player contracts, see how much agents make, what kind of sponsorships there are and much much much more!

Facebook suspends apps belonging to 400 developers for slurping user data

We initially identified apps for investigation based on how many users they had and how much data they could access. Now, we also identify apps based on signals associated with an app’s potential to abuse our policies. Where we have concerns, we conduct a more intensive examination. This includes a background investigation of the developer and a technical analysis of the app’s activity on the platform. Depending on the results, a range of actions could be taken from requiring developers to submit to in-depth questioning, to conducting inspections or banning an app from the platform.

Our App Developer Investigation is by no means finished. But there is meaningful progress to report so far. To date, this investigation has addressed millions of apps. Of those, tens of thousands have been suspended for a variety of reasons while we continue to investigate.

It is important to understand that the apps that have been suspended are associated with about 400 developers. This is not necessarily an indication that these apps were posing a threat to people. Many were not live but were still in their testing phase when we suspended them. It is not unusual for developers to have multiple test apps that never get rolled out. And in many cases, the developers did not respond to our request for information so we suspended them, honoring our commitment to take action.

In a few cases, we have banned apps completely. That can happen for any number of reasons including inappropriately sharing data obtained from us, making data publicly available without protecting people’s identity or something else that was in clear violation of our policies. We have not confirmed other instances of misuse to date other than those we have already notified the public about, but our investigation is not yet complete. We have been in touch with regulators and policymakers on these issues. We’ll continue working with them as our investigation continues.

Source: An Update on Our App Developer Investigation | Facebook Newsroom

Which basically means there were loads and loads more apps harvesting data they shouldn’t have had access to.

This Site Uses AI to Find Issues in Privacy Policies

Whenever you sign up for a new app or service you probably are also agreeing to a new privacy policy. You know, that incredibly long block of text you scroll quickly by without reading?

Guard is a site that uses AI to read epically long privacy policies and then highlight any aspects of them that might be problematic.

Once it reads through a site or app’s privacy policy it gives the service a grade based on that policy as well as makes a recommendation on whether or not you should use it. It also brings in news stories about any scandals associated with a company and information about any security threats.

Twitter, for instance, has a D rating on the service. Guard recommends you avoid that app. The biggest threat? The company’s privacy policy says that it can sell or transfer your information.

For now, you’re limited to seeing ratings for only services Guard has decided to analyze, which includes most of the major apps out there like YouTube, Reddit, Spotify, and Instagram. However, if you’re interested in a rating for a particular app you can submit it to the service and ask it to be done.

As the list of supported services grows, this could be even more of a solid resource in looking into what you’re using on your phone or computer and understanding how your data is being used.

Source: This Site Uses AI to Find Issues in Privacy Policies

Critical Vulnerability in Harbor (container security!) Enables Privilege Escalation from Zero to Admin (CVE-2019-16097)

Aviv Sasson, a security researcher from the cloud division of Unit 42, has identified a critical vulnerability in a widespread cloud native registry called Harbor. The vulnerability allows attackers to take over Harbor registries by sending them a malicious request.

The maintainers of Harbor released a patch that closes this critical security hole. Versions 1.7.6 and 1.8.3 include this fix.

Unit 42 has found 1,300 Harbor registries open to the internet with vulnerable default settings, which are currently at risk until they’re updated.

[…]

Harbor is an open source cloud native registry that stores, signs and scans images for vulnerabilities. Harbor integrates with Docker Hub, Docker Registry, Google Container Registry and other registries. It provides a simple GUI that allows users to download, upload and scan images according to their permissions.

[…]

The vulnerability is in user.go:317.

if err := ua.DecodeJSONReq(&user); err != nil

In this line of code, we take the data from the post request and decode it into a user object.

A normal request payload will look like this:

{"username":"test","email":"test123@gmai.com","realname":"no name","password":"Password1\u0021","comment":null}

The problem is that we can send a request and add the parameter “has_admin_role”.

If we send the same request with “has_admin_role” = True, then the user that will be created will be an admin. It’s as simple as that.

Exploitation

I wrote a simple Python script that sends a post request to /api/users in order to create a new user with admin privileges, by setting the “has_admin_role” parameter in the request body to True. After running this script, all we need to do is to open Harbor in the browser and just sign in to the user we created.

Source: Critical Vulnerability in Harbor Enables Privilege Escalation from Zero to Admin (CVE-2019-16097)
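As an added example (not Unit 42’s script and not Harbor’s own code), here is the mass-assignment pattern the excerpt describes next to its hardened counterpart in Go. The `User` struct, its field names and the `createUserRequest` type are assumptions for illustration; the payload is the page’s normal request with the extra field the excerpt names added.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// User stands in for a persisted registry user model: the profile fields sit
// beside an admin flag in the same struct. (Assumed shape for illustration,
// not Harbor's own definition.)
type User struct {
	Username     string `json:"username"`
	Email        string `json:"email"`
	Realname     string `json:"realname"`
	Password     string `json:"password"`
	Comment      string `json:"comment"`
	HasAdminRole bool   `json:"has_admin_role"`
}

// decodeUserUnsafe mirrors the pattern the page describes: the request body is
// decoded straight into the persisted model, so every field on the struct,
// including the privilege flag, is controlled by whoever sends the request.
func decodeUserUnsafe(body io.Reader) (User, error) {
	var u User
	if err := json.NewDecoder(body).Decode(&u); err != nil {
		return User{}, err
	}
	return u, nil
}

// createUserRequest is an allow-list of the fields a self-registration request
// may set. Privilege fields are deliberately absent from it.
type createUserRequest struct {
	Username string  `json:"username"`
	Email    string  `json:"email"`
	Realname string  `json:"realname"`
	Password string  `json:"password"`
	Comment  *string `json:"comment"` // pointer so a JSON null is accepted
}

// decodeUserSafe is the hardened form: decode into the narrow request type,
// refuse any field outside the allow-list, then build the model explicitly so
// privilege fields always start from a server-chosen default.
func decodeUserSafe(body io.Reader) (User, error) {
	dec := json.NewDecoder(body)
	dec.DisallowUnknownFields() // an unexpected "has_admin_role" becomes an error
	var req createUserRequest
	if err := dec.Decode(&req); err != nil {
		return User{}, err
	}
	comment := ""
	if req.Comment != nil {
		comment = *req.Comment
	}
	return User{
		Username:     req.Username,
		Email:        req.Email,
		Realname:     req.Realname,
		Password:     req.Password,
		Comment:      comment,
		HasAdminRole: false, // never taken from the client
	}, nil
}

// Constructed payload: the page's normal request plus the extra field.
const escalatingPayload = `{"username":"test","email":"test123@gmai.com","realname":"no name","password":"Password1\u0021","comment":null,"has_admin_role":true}`

func main() {
	u, err := decodeUserUnsafe(strings.NewReader(escalatingPayload))
	fmt.Printf("unsafe decode: admin=%v err=%v\n", u.HasAdminRole, err)

	u, err = decodeUserSafe(strings.NewReader(escalatingPayload))
	fmt.Printf("safe decode:   admin=%v err=%v\n", u.HasAdminRole, err)
}
```

Rejecting unknown fields also gives the request log a clear signal: a registration that trips the unknown-field error on a privilege name is worth alerting on.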

When were you at Tesco? Let’s have a look. Parking app hauled offline after exposing 10s of millions of Automatic Number Plate Recognition images by Ranger Services and NCP

Tesco has shuttered its parking validation web app after The Register uncovered tens of millions of unsecured ANPR images sitting in a Microsoft Azure blob.

The images consisted of photos of cars taken as they entered and left 19 Tesco car parks spread across Britain. Visible and highlighted were the cars’ numberplates, though drivers were not visible in the low-res images seen by The Register.

Used to power the supermarket’s outsourced parkshopreg.co.uk website, the Azure blob had no login or authentication controls. Tesco admitted to The Register that “tens of millions” of timestamped images were stored on it, adding that the images had been left exposed after a data migration exercise.

Ranger Services, which operated the Azure blob and the parkshopreg.co.uk web app, said it had nothing to add and did not answer any questions put to it by The Register. We understand that they are still investigating the extent of the breach. The firm recently merged with rival parking operator CP Plus and renamed itself GroupNexus.

[…]

The Tesco car parks affected by the breach include Braintree, Chelmsford, Chester, Epping, Fareham, Faversham, Gateshead, Hailsham, Hereford, Hove, Hull, Kidderminster, Woolwich, Rotherham, Sale (Cheshire), Slough, Stevenage, Truro, Walsall and Weston-super-Mare.

The web app compared the store-generated code with the ANPR images to decide whom to issue with parking charges. Ranger Services has pulled parkshopreg.co.uk offline, with its homepage now defaulting to a 403 error page.

[…]

A malicious person could use the data in the images to create graphs showing the most likely times for a vehicle of interest to be parked at one of the affected Tesco shops.

This was what Reg reader Ross was able to do after he realised just how insecure the database behind the parking validation app was.

Frequency of parking for three vehicles at Tesco in Faversham. Each colour represents one vehicle; the size of the circle shows how frequently they parked at the given time.

A Tesco spokesman told The Register: “A technical issue with a parking app meant that for a short period historic images and times of cars entering and exiting our car parks were accessible. Whilst no images of people, nor any sensitive data were available, any security breach is unacceptable and we have now disabled the app as we work with our service provider to ensure it doesn’t happen again.”

We are told that during a planned data migration exercise to an AWS data lake, access to the Azure blob was opened to aid with the process. While it has been shut off, Tesco hasn’t told us how long it was left open for.

Tesco said that because it bought the car park monitoring services in from a third party, the third party was responsible for protecting the data in law. Ranger Services had not responded to The Register’s questions about whether it had informed the Information Commissioner’s Office by the time of writing.

[…]

As part of our investigation into the Tesco breach we also found exposed data in an unsecured AWS bucket belonging to car park operator NCP. The data was powering an online dashboard that could also be accessed without any login creds at all. A few tens of thousands of images were exposed in that bucket.

[…]

The unsecured NCP Vizuul dashboard

The dashboard, hosted at Vizuul.com, allowed the casual browser to pore through aggregated information drawn from ANPR cameras at an unidentified location. The information on display allowed one to view how many times a particular numberplate had infringed the car park rules, how many times it has been flagged in particular car parks, and how many penalty charge notices had been issued to it in the past.

The dashboard has since been pulled from public view.

Source: Tesco parking app hauled offline after exposing 10s of millions of Automatic Number Plate Recognition images • The Register

FBI Served Valve, Symantec, 120 companies with secret surveillance National Security Letters

The names of more than 120 companies secretly served FBI subpoenas for their customers’ personal data were revealed on Friday, including a slew of U.S. banks, cellphone providers, and a leading antivirus software maker.

Known as national security letters (NSL), the subpoenas are a tool commonly used by FBI counterterrorism agents when seeking individuals’ communication and financial histories. No judge oversees their use. Senior-most agents at any of the FBI’s 56 nationwide field offices can issue the letters, which are typically accompanied by a gag order.

The letters allow the FBI to demand access to limited types of information, most of which may be described as “metadata”—the names of email senders and recipients and the dates and times that messages were sent, for example. The actual content of messages is legally out of bounds. Financial information such as credit card transactions and travelers check purchases can also be obtained, in addition to the billing records and history of any given phone number.

Because NSL recipients are often forced to keep the fact secret for many years, there’s been little transparency around who’s getting served.

But on Friday, the New York Times published four documents with details on 750 NSLs issued as far back as 2016. The paper described the documents—obtained by digital-rights group the Electronic Frontier Foundation (EFF) in a Freedom of Information Act lawsuit—as a “small but telling fraction” of the more than 500,000 letters issued since 2001, when passage of the Patriot Act greatly expanded the number of FBI officials who could sign them. Between 2000 and 2006, use of NSLs increased nearly six-fold, according to the Justice Department inspector general.

[…]

After passage of the USA Freedom Act in 2015, the FBI adopted guidelines that require gag orders to be reviewed for necessity three years after issuance or after an investigation is closed. Yet, privacy advocates accuse the FBI of failing to follow its own rules.

“The documents released by the FBI show that a wide range of services and providers receive NSLs and that the majority of them never tell their customers or the broader public, even after the government releases them from NSL gag orders,” said Aaron Mackey, a staff attorney at the EFF. “The records also show that the FBI is falling short of its obligations to release NSL recipients from gag orders that are no longer necessary.”

The FBI declined to comment.

The secrecy—not to mention the weak evidentiary standards—has kept NSLs squarely in the cross hairs of civil liberties groups for years. But the FBI also carries a history of abuse, having in the past issued numerous letters “without proper authorization,” to quote the bureau’s own inspector general in 2009.

The same official would also describe to Congress a bevy of violations including “improper requests” and “unauthorized collections” of data that can’t be legally obtained with an NSL. In some cases, the justifications used by agents to obtain letters were found to be “perfunctory and conclusory,” or convenient and inherently flawed.

“It’s unconstitutional for the FBI to impose indefinite gags on the companies that receive NSLs,” said Neema Singh Guliani, senior legislative counsel with the American Civil Liberties Union. “This is one of the reasons that Congress previously sought to put an end to this practice, but it is now clear that the FBI is not following the law as intended.”

“As part of its surveillance reform efforts this year, Congress must strengthen existing laws designed to bar these types of gag orders,” she added.

The NSL records obtained by the EFF can be viewed here.

Source: FBI Served Valve, Symantec, More National Security Letters

The world’s most-surveilled cities – China, US, UK, UAE, Australia and India: you are being spied on!

Cities in China are under the heaviest CCTV surveillance in the world, according to a new analysis by Comparitech. However, some residents living in cities across the US, UK, UAE, Australia, and India will also find themselves surrounded by a large number of watchful eyes, as our look at the number of public CCTV cameras in 120 cities worldwide found.

[…]

Depending on whom you ask, the increased prevalence and capabilities of CCTV surveillance could make society safer and more efficient, could trample on our rights to privacy and freedom of movement, or both. No matter which side you argue, the fact is that live video surveillance is ramping up worldwide.

Comparitech researchers collated a number of data resources and reports, including government reports, police websites, and news articles, to get some idea of the number of CCTV cameras in use in 120 major cities across the globe. We focused primarily on public CCTV—cameras used by government entities such as law enforcement.

Here are our key findings:

  • Eight out of the top 10 most-surveilled cities are in China
  • London and Atlanta were the only cities outside of China to make the top 10
  • By 2022, China is projected to have one public CCTV camera for every two people
  • We found little correlation between the number of public CCTV cameras and crime or safety

The 20 most-surveilled cities in the world

Based on the number of cameras per 1,000 people, these cities are the top 20 most surveilled in the world:

  1. Chongqing, China – 2,579,890 cameras for 15,354,067 people = 168.03 cameras per 1,000 people
  2. Shenzhen, China – 1,929,600 cameras for 12,128,721 people = 159.09 cameras per 1,000 people
  3. Shanghai, China – 2,985,984 cameras for 26,317,104 people = 113.46 cameras per 1,000 people
  4. Tianjin, China – 1,244,160 cameras for 13,396,402 people = 92.87 cameras per 1,000 people
  5. Ji’nan, China – 540,463 cameras for 7,321,200 people = 73.82 cameras per 1,000 people
  6. London, England (UK) – 627,707 cameras for 9,176,530 people = 68.40 cameras per 1,000 people
  7. Wuhan, China – 500,000 cameras for 8,266,273 people = 60.49 cameras per 1,000 people
  8. Guangzhou, China – 684,000 cameras for 12,967,862 people = 52.75 cameras per 1,000 people
  9. Beijing, China – 800,000 cameras for 20,035,455 people = 39.93 cameras per 1,000 people
  10. Atlanta, Georgia (US) – 7,800 cameras for 501,178 people = 15.56 cameras per 1,000 people
  11. Singapore – 86,000 cameras for 5,638,676 people = 15.25 cameras per 1,000 people
  12. Abu Dhabi, UAE – 20,000 cameras for 1,452,057 people = 13.77 cameras per 1,000 people
  13. Chicago, Illinois (US) – 35,000 cameras for 2,679,044 people = 13.06 cameras per 1,000 people
  14. Urumqi, China – 43,394 cameras for 3,500,000 people = 12.40 cameras per 1,000 people
  15. Sydney, Australia – 60,000 cameras for 4,859,432 people = 12.35 cameras per 1,000 people
  16. Baghdad, Iraq – 120,000 cameras for 9,760,000 people = 12.30 cameras per 1,000 people
  17. Dubai, UAE – 35,000 cameras for 2,883,079 people = 12.14 cameras per 1,000 people
  18. Moscow, Russia – 146,000 cameras for 12,476,171 people = 11.70 cameras per 1,000 people
  19. Berlin, Germany – 39,765 cameras for 3,556,792 people = 11.18 cameras per 1,000 people
  20. New Delhi, India – 179,000 cameras for 18,600,000 people = 9.62 cameras per 1,000 people

Source: The world’s most-surveilled cities – Comparitech

Smart TVs, smart-home devices found to be leaking sensitive user data to all kinds of companies

Smart-home devices, such as televisions and streaming boxes, are collecting reams of data — including sensitive information such as device locations — that is then being sent to third parties like advertisers and major tech companies, researchers said Tuesday.

As the findings show, even as privacy concerns have become a part of the discussion around consumer technology, new devices are adding to the hidden and often convoluted industry around data collection and monetization.

A team of researchers from Northeastern University and the Imperial College of London found that a variety of internet-connected devices collected and distributed data to outside companies, including smart TV and TV streaming devices from Roku and Amazon — even if a consumer did not interact with those companies.

“Nearly all TV devices in our testbeds contacts Netflix even though we never configured any TV with a Netflix account,” the Northeastern and Imperial College researchers wrote.

The researchers tested a total of 81 devices in the U.S. and U.K. in an effort to gain a broad idea of how much data is collected by smart-home devices, and where that data goes.

The research was first reported by The Financial Times.

The researchers found data sent to a variety of companies, some known to consumers including Google, Facebook and Amazon, as well as companies that operate out of the public eye such as Mixpanel.com, a company that tracks users to help companies improve their products.

Source: Smart TVs, smart-home devices found to be leaking sensitive user data, researchers find

A Moon Space Elevator Is Actually Feasible and Inexpensive: Study

In a paper published on the online research archive arXiv in August, Columbia astronomy students Zephyr Penoyre and Emily Sandford proposed the idea of a “lunar space elevator,” which is exactly what it sounds like—a very long elevator connecting the moon and our planet.

The concept of a moon elevator isn’t new. In the 1970s, similar ideas were floated in science fiction (Arthur C. Clarke’s The Fountains of Paradise, for example) and by academics like Jerome Pearson and Yuri Artsutanov.

But the Columbia study differs from previous proposals in an important way: instead of building the elevator from the Earth’s surface (which is impossible with today’s technology), it would be anchored on the moon and stretch some 200,000 miles toward Earth until hitting the geostationary orbit height (about 22,236 miles above sea level), at which objects move around Earth in lockstep with the planet’s own rotation.

Dangling the space elevator at this height would eliminate the need to place a large counterweight near Earth’s orbit to balance out the planet’s massive gravitational pull if the elevator were to be built from ground up. This method would also prevent any relative motion between Earth’s surface and space below the geostationary orbit area from bending or twisting the elevator.

These won’t be problems for the moon because the lunar gravitational pull is significantly smaller and the moon’s orbit is tidally locked, meaning that the moon keeps the same face turned toward Earth during its orbit, so there is no relative motion of the anchor point.

After doing the math, the researchers estimated that the simplest version of the lunar elevator would be a cable thinner than a pencil and weigh about 88,000 pounds, which is within the payload capacity of the next-generation NASA or SpaceX rocket.

The whole project may cost a few billion dollars, which is “within the whim of one particularly motivated billionaire,” said Penoyre.

Future moon travelers will still have to ride a rocket, though, to fly up to the elevator’s dangling point, and then transfer to a robotic vehicle, which would climb up the cable all the way up to the moon.

Source: A Moon Space Elevator Is Actually Feasible and Inexpensive: Study | Observer

Scotiabank slammed for ‘muppet-grade security’ after internal source code and credentials spill onto open internet

Scotiabank leaked online a trove of its internal source code, as well as some of its private login keys to backend systems, The Register can reveal.

Over the past 24 hours, the Canadian financial giant has torn down GitHub repositories, inadvertently left open to the public, that contained this sensitive information, after The Register raised the alarm. These repositories featured, among other things, software blueprints and access keys for a foreign exchange rate system, mobile application code, and login credentials for services and database instances: a potential gold mine of vulnerabilities for criminals and hackers to exploit.

We were tipped off to the security blunder by Jason Coulls, an IT pro based in the Great White North, who discovered the data sitting out in the open, some of which was exposed for months, we’re told. As well as Scotiabank, GitHub and the payment and card processors integrated with the bank were also alerted prior to publication.

[…]

According to Coulls, this latest gaffe isn’t the first time Scotiabank has spilled its internal secrets online.

“In my experience, this muppet-grade security is perfectly normal for Scotiabank, as they usually leak information once every three weeks on average,” Coulls mused.

“Scotiabank had [IBM] AS/400 and DB2 instances where the credentials and connection information is public. They regularly leak source code for everything, from customer-facing mobile apps to server-side REST APIs. They also leak customer data. If they ever claimed that security is a top priority, I would dread to see how they handle low priority things.”

Source: Scotiabank slammed for ‘muppet-grade security’ after internal source code and credentials spill onto open internet • The Register

Spotify wants to know where you are and will be checking in

Spotify knows a lot about its users — their musical tastes, their most listened-to artists and their summer anthems. Spotify will also want to know where you live or to obtain your location data. It’s part of an effort to detect fraud and abuse of its Premium Family program.

Premium Family is a $15-a-month plan for up to six people. The only condition is that they all live at the same address. But the streaming music giant is concerned about people abusing that plan to pay as little as $2.50 for its services. So in August, the company updated its terms and conditions for Premium Family subscribers, requiring that they provide location data “from time to time” to ensure that customers are actually all in the same family.

You have 30 days to cancel after the new terms went into effect, which depends on where you are. The family plan terms rolled out first on Aug. 19 in Ireland and on Sept. 5 in the US.

The company tested this last year and asked for exact GPS coordinates but ended the pilot program after customers balked, according to TechCrunch. Now it intends to roll the location data requests out fully, reigniting privacy concerns and raising the question of how much is too much when it comes to your personal information.

“The changes to the policy allow Spotify to arbitrarily use the location of an individual to ascertain if they continue to reside at the same address when using a family account, and it’s unclear how often Spotify will query users’ devices for this information,” said Christopher Weatherhead, technology lead for UK watchdog group Privacy International, adding that there are “worrying privacy implications.”

Source: Spotify wants to know where you live and will be checking in – CNET

Windows 7’s July 2019 Security Patch Includes Telemetry – but you can disable it in task scheduler

To the surprise of Windows watchers, the latest Windows 7 “security-only” update includes telemetry. The telemetry in question is Microsoft’s “Compatibility Appraiser,” which checks PCs for problems that could prevent upgrading to Windows 10.

As Woody Leonhard points out on Computerworld, this is pretty odd on Microsoft’s part—the telemetry code was previously available and is probably installed on your system already if you use Windows 7. But, it was restricted to the normal “cumulative” update rollups. As Ed Bott explains on ZDNet:

What was surprising about this month’s Security-only update, formally titled the “July 9, 2019—KB4507456 (Security-only update),” is that it bundled the Compatibility Appraiser, KB2952664, which is designed to identify issues that could prevent a Windows 7 PC from updating to Windows 10.

It’s hard to say exactly why Microsoft is trying to install the telemetry on all Windows 7 PCs now, but extended support for Windows 7 expires on January 14, 2020. Windows 7 users don’t have much time left before they should upgrade—just six months. Windows 7 is already nagging users about updates. Microsoft may want to understand how many Windows 7 machines are left in the wild and whether they have compatibility problems with new software.

When Ed Bott asked Microsoft why it added the telemetry code to this update, he received a “no comment.” As usual, Microsoft is making itself look bad by refusing to be transparent and explain what it’s doing. The security update doesn’t seem to bundle any code for upgrading to Windows 10.

We still always recommend installing security patches for your PC. After installation, you can stop the telemetry from running, if you like. As abbodi86 advises on the Ask Woody forums:

Disabling (or deleting) these scheduled tasks after installation (before reboot) should be enough to turn off the appraiser

\Microsoft\Windows\Application Experience\ProgramDataUpdater
\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser
\Microsoft\Windows\Application Experience\AitAgent

If you don’t want this code running, head to the Task Scheduler and disable these scheduled tasks. If you disable them before a reboot after running the update, they won’t even run once.

Source: Windows 7’s July 2019 Security Patch Includes Telemetry