The Linkielist

Linking ideas with the world


You won’t guess where European mobile data was rerouted for two hours. Oh. You can. Yes, it was China Telecom

On June 6, more than 70,000 BGP routes were leaked from Swiss colocation company Safe Host to China Telecom in Frankfurt, Germany, which then announced them on the global internet. This resulted in a massive rerouting of internet traffic via China Telecom systems in Europe, disrupting connectivity for netizens: a lot of data that should have gone to European cellular networks was instead piped to China Telecom-controlled boxes.

BGP leaks are common – they happen every hour of every day – though the size of this one and particularly the fact it lasted for two hours, rather than seconds or minutes, has prompted more calls for ISPs to join an industry program that adds security checks to the routing system.

The fact that China Telecom, which peers with Safe Host, was again at the center of the problem – with traffic destined for European netizens routed through its network – has also made internet engineers suspicious, although they have been careful not to make any accusations without evidence.

“China Telecom, a major international carrier, has still implemented neither the basic routing safeguards necessary both to prevent propagation of routing leaks nor the processes and procedures necessary to detect and remediate them in a timely manner when they inevitably occur,” noted Oracle Internet Intelligence’s (OII) director of internet analysis Doug Madory in a report. “Two hours is a long time for a routing leak of this magnitude to stay in circulation, degrading global communications.”
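The safeguards Madory refers to are checks a transit network runs on routes it receives before re-announcing them. The Python example below is added here and is not part of The Register's article or Oracle's report; it implements two such checks over constructed announcements: RPKI route origin validation as specified in RFC 6811, and a customer-cone AS-path filter of the kind MANRS asks participants to deploy. Every prefix, ASN, ROA and cone in it is made up (documentation prefixes and private ASNs), and the neighbor and cone layout is an assumption for illustration.

```python
"""Route origin validation plus leak filtering over constructed BGP announcements."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: `asn` may originate `prefix` and any
    sub-prefix no longer than `max_len`."""
    prefix: str
    max_len: int
    asn: int


@dataclass(frozen=True)
class Announcement:
    """A BGP UPDATE as our router sees it: as_path runs from the neighbor that
    sent it (leftmost) to the origin AS (rightmost)."""
    prefix: str
    as_path: tuple


def rov_state(ann, roas):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(ann.prefix)
    origin = ann.as_path[-1]
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.asn == origin and net.prefixlen <= roa.max_len:
            return "valid"
    return "invalid"


def is_leak(ann, neighbor_cone):
    """A route from a peer is a leak when its AS path contains an AS outside the
    cone that peer is expected to announce (itself and its customers)."""
    return any(asn not in neighbor_cone for asn in ann.as_path)


def evaluate(announcements, cones, roas):
    """Decide accept/drop for each announcement and record why."""
    results = []
    for ann in announcements:
        neighbor = ann.as_path[0]
        rov = rov_state(ann, roas)
        leak = is_leak(ann, cones.get(neighbor, frozenset()))
        if rov == "invalid":
            action, reason = "drop", "ROV invalid"
        elif leak:
            action, reason = "drop", "AS path outside neighbor's customer cone"
        else:
            action, reason = "accept", rov
        results.append({"prefix": ann.prefix, "rov": rov, "leak": leak,
                        "action": action, "reason": reason})
    return results


# Constructed sample data: documentation prefixes and private ASNs, not real routes.
ROAS = [
    ROA("198.51.100.0/24", 24, 64510),
    ROA("203.0.113.0/24", 24, 64530),
    ROA("192.0.2.0/24", 24, 64510),
]
# Our peer AS 64501 (a colocation provider) is expected to announce only itself
# and its customer AS 64510.
CUSTOMER_CONES = {64501: frozenset({64501, 64510})}
ANNOUNCEMENTS = [
    Announcement("198.51.100.0/24", (64501, 64510)),        # legitimate customer route
    Announcement("203.0.113.0/24", (64501, 64520, 64530)),  # leak: origin intact, path crosses non-customers
    Announcement("192.0.2.0/24", (64501, 64510, 64599)),    # wrong origin: ROV invalid
    Announcement("192.0.2.128/25", (64501, 64510)),         # more specific than max_len: ROV invalid
    Announcement("2001:db8::/32", (64501, 64510)),          # no covering ROA: not-found, cone ok
]

if __name__ == "__main__":
    for r in evaluate(ANNOUNCEMENTS, CUSTOMER_CONES, ROAS):
        print(f"{r['prefix']:18} rov={r['rov']:9} leak={r['leak']!s:5} -> {r['action']} ({r['reason']})")
```

The second announcement is the instructive one: a leak does not change the origin AS, so it passes origin validation and only the cone filter catches it. That is why the advisory calls for both kinds of safeguard rather than RPKI alone.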

Source: You won’t guess where European mobile data was rerouted for two hours. Oh. You can. Yes, it was China Telecom • The Register

Who left a database of emails, credit cards, plain-text passwords, and more open to the web this week? Tech Data, come on down!

A team at network security outfit vpnMentor was scanning cyber-space as part of a web-mapping project when they happened upon a Graylog management server belonging to Tech Data that had been left freely accessible to the public. Within that database, we’re told, was a 264GB cache of information including emails, payment and credit card details, and unencrypted usernames and passwords. Pretty much everything you need to ruin someone’s day (or year).

The exposure, vpnMentor told The Register today, is particularly bad due to the nature of Tech Data’s customers. The Fortune 500 distie provides everything from financing and marketing services to IT management and user training courses. Among the clients listed on its site are Apple, Symantec, and Cisco.

“This is a serious leak as far as we can see, so much so that all of the credentials needed to log in to customer accounts are available,” a spokesperson for vpnMentor told El Reg. “Because of the size of the database, we could not go through all of it and there may be more sensitive information available to the public than what we have disclosed here.”

In addition to the login credentials and card information, the researchers said they were able to find private API keys and logs in the database, as well as customer profiles that included full names, job titles, phone numbers, and email and postal addresses. All available to anyone who could find it.

vpnMentor says it discovered and reported the open database on June 2 to Tech Data, and by June 4 the distie had told the team it had secured the database and hidden it from public view. Tech Data did not respond to a request for comment from The Register. The US-based company did not mention the incident in its most recent SEC filings.

Source: Who left a database of emails, credit cards, plain-text passwords, and more open to the web this week? Tech Data, come on down! • The Register

Infographic: How Different Generations Approach Work

How Different Generations Approach Work


The first representatives of Generation Z have started to trickle into the workplace – and like generations before them, they are bringing a different perspective to things.

Did you know that there are now up to five generations working under any given roof, ranging all the way from the Silent Generation (born pre-WWII) to the aforementioned Gen Z?

Let’s see how these generational groups differ in their approaches to communication, career priorities, and company loyalty.

Generational Differences at Work

Today’s infographic comes to us from Raconteur, and it breaks down some key differences in how generational groups are thinking about the workplace.

Let’s dive deeper into the data for each category.

Communication

How people prefer to communicate is one major and obvious difference that manifests itself between generations.

While many in older generations have dabbled in new technologies and trends around communications, it’s less likely that they will internalize those methods as habits. Meanwhile, for younger folks, these newer methods (chat, texting, etc.) are what they grew up with.

Top three communication methods by generation:

  • Baby Boomers:
    40% of communication is in person, 35% by email, and 13% by phone
  • Gen X:
    34% of communication is in person, 34% by email, and 13% by phone
  • Millennials:
    33% of communication is by email, 31% is in person, and 12% by chat
  • Gen Z:
    31% of communication is by chat, 26% is in person, and 16% by email

Motivators

Meanwhile, the generations are divided on what motivates them in the workplace. Boomers place health insurance as an important decision factor, while younger groups view salary and pursuing a passion as being key elements to a successful career.

Three most important work motivators by generation (in order):

  • Baby Boomers:
    Health insurance, a boss worthy of respect, and salary
  • Gen X:
    Salary, job security, and job challenges/excitement
  • Millennials:
    Salary, job challenges/excitement, and ability to pursue passion
  • Gen Z:
    Salary, ability to pursue passion, and job security

Loyalty

Finally, generational groups have varying perspectives on how long they would be willing to stay in any one role.

  • Baby Boomers: 8 years
  • Gen X: 7 years
  • Millennials: 5 years
  • Gen Z: 3 years

Given the above differences, employers will have to think clearly about how to attract and retain talent across a wide scope of generations. Further, employers will have to learn what motivates each group, as well as what makes them each feel the most comfortable in the workplace.

Source: Infographic: How Different Generations Approach Work

House Judiciary Committee aims guns at Big Tech and antitrust laws

The investigation will include a series of hearings held by the Subcommittee on Antitrust, Commercial and Administrative Law on the rise of market power online, as well as requests for information that are relevant to the investigation.

A small number of dominant, unregulated platforms have extraordinary power over commerce, communication and information online. Based on investigative reporting and oversight by international policymakers and enforcers, there are concerns that these platforms have the incentive and ability to harm the competitive process. The Antitrust Subcommittee will conduct a top-to-bottom review of the potential of giant tech platforms to hold monopoly power.

The committee’s investigation will focus on three main areas:

  • Documenting competition problems in digital markets;
  • Examining whether dominant firms are engaging in anti-competitive conduct; and
  • Assessing whether existing antitrust laws, competition policies and current enforcement levels are adequate to address these issues.

“Big Tech plays a huge role in our economy and our world,” said Collins. “As tech has expanded its market share, more and more questions have arisen about whether the market remains competitive. Our bipartisan look at competition in the digital markets gives us the chance to answer these questions and, if necessary, to take action. I appreciate the partnership of Chairman Nadler, Subcommittee Chairman Cicilline and Subcommittee Ranking Member Sensenbrenner on these important issues.”

“The open internet has delivered enormous benefits to Americans, including a surge of economic opportunity, massive investment, and new pathways for education online,” said Nadler. “But there is growing evidence that a handful of gatekeepers have come to capture control over key arteries of online commerce, content, and communications. The Committee has a rich tradition of conducting studies and investigations to assess the threat of monopoly power in the U.S. economy. Given the growing tide of concentration and consolidation across our economy, it is vital that we investigate the current state of competition in digital markets and the health of the antitrust laws.”

“Technology has become a crucial part of Americans’ everyday lives,” said Sensenbrenner. “As the world becomes more dependent on a digital marketplace, we must discuss how the regulatory framework is built to ensure fairness and competition. I believe these hearings can be informative, but it is important for us to avoid any predetermined conclusions. I thank Chairman Nadler, Ranking Member Collins, and Chairman Cicilline as we begin these bipartisan discussions.”

“The growth of monopoly power across our economy is one of the most pressing economic and political challenges we face today. Market power in digital markets presents a whole new set of dangers,” said Cicilline. “After four decades of weak antitrust enforcement and judicial hostility to antitrust cases, it is vital for Congress to step in to determine whether existing laws are adequate to tackle abusive conduct by platform gatekeepers or if we need new legislation.”

Source: House Judiciary Committee

Basically they are looking at how antitrust works, which is a great thing, because recently antitrust in the US has focused on consumer prices and ignored everything else. With the price gouging of Amazon, this is not the way to look at things. Have a look at my talk on this if you’re interested.

Physicists can predict the jumps of Schrodinger’s cat (and finally save it)

Yale researchers have figured out how to catch and save Schrödinger’s famous cat, the symbol of quantum superposition and unpredictability, by anticipating its jumps and acting in real time to save it from proverbial doom. In the process, they overturn years of cornerstone dogma in quantum physics.

The discovery enables researchers to set up an early warning system for imminent jumps of artificial atoms containing quantum information. A study announcing the discovery appears in the June 3 online edition of the journal Nature.

[…]

The quantum jump is the discrete (non-continuous) and random change in the state when it is observed.

The experiment, performed in the lab of Yale professor Michel Devoret and proposed by lead author Zlatko Minev, peers into the actual workings of a quantum jump for the first time. The results reveal a surprising finding that contradicts Danish physicist Niels Bohr’s established view—the jumps are neither abrupt nor as random as previously thought.

For a tiny object such as an electron, molecule, or an artificial atom containing quantum information (known as a qubit), a quantum jump is the sudden transition from one of its discrete energy states to another. In developing quantum computers, researchers crucially must deal with the jumps of the qubits, which are the manifestations of errors in calculations.

The enigmatic quantum jumps were theorized by Bohr a century ago, but not observed until the 1980s, in .

“These jumps occur every time we measure a qubit,” said Devoret, the F.W. Beinecke Professor of Applied Physics and Physics at Yale and member of the Yale Quantum Institute. “Quantum jumps are known to be unpredictable in the long run.”

“Despite that,” added Minev, “We wanted to know if it would be possible to get an advance warning signal that a jump is about to occur imminently.”

Minev noted that the experiment was inspired by a theoretical prediction by professor Howard Carmichael of the University of Auckland, a pioneer of quantum trajectory theory and a co-author of the study.

In addition to its fundamental impact, the discovery is a potential major advance in understanding and controlling . Researchers say reliably managing quantum data and correcting errors as they occur is a key challenge in the development of fully useful quantum computers.

The Yale team used a special approach to indirectly monitor a superconducting artificial atom, with three microwave generators irradiating the atom enclosed in a 3-D cavity made of aluminum. The doubly indirect monitoring method, developed by Minev for superconducting circuits, allows the researchers to observe the atom with unprecedented efficiency.

Microwave radiation stirs the artificial atom as it is simultaneously being observed, resulting in quantum jumps. The tiny quantum signal of these jumps can be amplified without loss to room temperature. Here, their signal can be monitored in real time. This enabled the researchers to see a sudden absence of detection photons (photons emitted by an ancillary state of the atom excited by the microwaves); this tiny absence is the advance warning of a quantum jump.

“The beautiful effect displayed by this experiment is the increase of coherence during the jump, despite its observation,” said Devoret. Added Minev, “You can leverage this to not only catch the jump, but also reverse it.”

This is a crucial point, the researchers said. While quantum jumps appear discrete and random in the long run, reversing a quantum jump means the evolution of the state possesses, in part, a deterministic and not random character; the jump always occurs in the same, predictable manner from its random starting point.

“Quantum jumps of an atom are somewhat analogous to the eruption of a volcano,” Minev said. “They are completely unpredictable in the long term. Nonetheless, with the correct monitoring we can with certainty detect an advance warning of an imminent disaster and act on it before it has occurred.”

Source: Physicists can predict the jumps of Schrodinger’s cat (and finally save it)

To catch and reverse a quantum jump mid-flight

The Russian Government Now Requires Tinder to Hand Over People’s Sexts

Tinder users in Russia may now have to decide whether the perks of dating apps outweigh a disconcerting invasion of privacy. Russian authorities are now requiring that the dating app hand over a wealth of intimate user data, including private messages, if and when it asks for them.

Tinder is the fourth dating app in the nation to be forced to comply with the Russian government’s request for user data, Moscow Times reports, and it’s among 175 services that have already consented to share information with the nation’s Federal Security Service, according to a registry online.

Tinder was added to the list of services that have to comply with the Russian data requests last Friday, May 31. The data Tinder must collect and provide to Russia upon request includes user data and all communications including audio and video. According to Tinder’s privacy policy, it does collect all your basic profile details, such as your date of birth and gender as well as the content you publish and your chats with other users, among other information. Which means the Russian government could get its hands on your sexts, your selfies, and even details on where you’ve been or where you might be going if it wants to.

It’s unclear if the possible data requests will apply to just Tinder users within Russia or any users of the dating app, regardless of where they are. If it’s the latter, it points to an unsettling reality in which one nation is able to extend its reach into the intimate data of people all over the world by simply making the request to any complying service that happens to also operate in Russia.

We have reached out to Tinder about which users this applies to, whether it will comply with this request, and what type of data it will share with the Russian authorities. We will update when we hear back. According to the Associated Press, Russia’s communications regulator confirmed on Monday that the company had shared information with it.

The Russian government is not only targeting Tinder. As the lengthy registry online indicates, a large and diverse range of services are already on the list and have been for years. This includes Snap, Wechat, Vimeo, and Badoo, another popular dating app in Russia.

Telegram famously objected to the Russian authorities’ request for its encryption keys last year, which resulted in the government banning the encrypted messaging app. It was an embarrassing mess for Russian internet service providers, which in their attempt to block workarounds for the messaging app, disrupted a litany of services online.

Source: The Russian Government Now Requires Tinder to Hand Over People’s Sexts

Lab Testing Giant Quest Diagnostics Says Data Breach May Have Hit Nearly 12 Million Patients

Clinical lab testing titan Quest Diagnostics acknowledged in a press release on Monday that an “unauthorized user” had gained access to personal information on around 11.9 million customers, including some financial and medical data.

Per NBC News, news of the breach comes by way of a Securities and Exchange Commission filing in which Quest wrote that American Medical Collection Agency (AMCA), which provides billing collection services to Quest contractor Optum 360, had notified it of the breach in mid-May. NBC wrote that Quest said AMCA’s web payments page had possibly been compromised from Aug. 1, 2018 to March 30, 2019.

In its statement, Quest wrote that compromised information could include “certain financial data,” Social Security numbers, and some medical material—but not the results of laboratory tests on patients. It also wrote the extent of the breach remained unclear:

AMCA believes this information includes personal information, including certain financial data, Social Security numbers, and medical information, but not laboratory test results.

AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected. And Quest has not been able to verify the accuracy of the information received from AMCA.

Quest added that it had “suspended” sending collections requests to AMCA. According to the Wall Street Journal, a spokesperson for Optum360 parent company UnitedHealth said their Optum360 systems were unaffected by the breach.

Source: Lab Testing Giant Quest Diagnostics Says Data Breach May Have Hit Nearly 12 Million Patients

Supra smart TVs allow anyone on wifi network to switch video to whatever they want

Owners of Supra Smart Cloud TVs are in danger of getting some unwanted programming: it’s possible for miscreants or malware on your Wi-Fi network to switch whatever you’re watching for video of their or its choosing.

Bug-hunter Dhiraj Mishra laid claim to CVE-2019-12477, a remote file inclusion zero-day vulnerability that allows anyone with local network access to specify their own video to display on the TV, overriding whatever is being shown, with no password necessary. As such it’s more likely to be used by mischievous family members than hackers.

Mishra told The Register the issue is due to a complete lack of any authentication or session management in the software controlling the Wi-Fi-connected telly. By crafting a malicious HTTP GET request, and sending it to the set over the network, an attacker would be able to provide whatever video URL they desired to the target, and have the stream played on the TV without any sort of security check.
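What “no authentication or session management” looks like in code, with a hardened version beside it, as an added Python sketch: this is not the TV’s firmware and not Mishra’s proof of concept. The /play endpoint, the url parameter, the X-Session-Token header and the on-screen PIN pairing step are assumptions made for illustration; the hardened controller shows the two checks the article says are missing, a session bound to something only a person in front of the set can see, and an allow-list on where video may be loaded from.

```python
"""Unauthenticated media-switch handler versus a session- and origin-checked one."""
import hmac
import secrets
from urllib.parse import parse_qs, urlparse


class VulnerableController:
    """The pattern described in the article: any GET carrying a url parameter
    is played, with no check on who sent it."""

    def handle(self, path, query, headers):
        params = parse_qs(query)
        if path == "/play" and "url" in params:
            return ("play", params["url"][0])
        return ("ignore", None)


class HardenedController:
    """Requires a session token obtained through on-screen PIN pairing and only
    plays from an allow-list of HTTPS origins."""

    def __init__(self, allowed_hosts):
        self.allowed_hosts = frozenset(allowed_hosts)
        self.sessions = set()

    def pair(self, pin_entered, pin_shown_on_screen):
        """Out-of-band pairing: the PIN is displayed on the TV, so only someone who
        can see the screen can obtain a session token (assumed design)."""
        if not hmac.compare_digest(pin_entered, pin_shown_on_screen):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions.add(token)
        return token

    def _has_session(self, headers):
        token = headers.get("X-Session-Token", "")
        return any(hmac.compare_digest(token, t) for t in self.sessions)

    def handle(self, path, query, headers):
        if not self._has_session(headers):
            return ("reject", "401 no valid session")
        params = parse_qs(query)
        if path != "/play" or "url" not in params:
            return ("ignore", None)
        url = params["url"][0]
        parsed = urlparse(url)
        if parsed.scheme != "https" or parsed.hostname not in self.allowed_hosts:
            return ("reject", "403 url origin not allowed")
        return ("play", url)


def demo():
    """Run the same constructed LAN request against both controllers."""
    request = ("/play", "url=http://192.0.2.10/video.mp4", {})  # constructed request
    vulnerable = VulnerableController().handle(*request)

    tv = HardenedController(allowed_hosts={"media.example"})
    unauthenticated = tv.handle(*request)
    token = tv.pair("4817", "4817")  # constructed PIN, entered correctly
    hdrs = {"X-Session-Token": token}
    wrong_origin = tv.handle("/play", "url=http://192.0.2.10/video.mp4", hdrs)
    allowed = tv.handle("/play", "url=https://media.example/show.m3u8", hdrs)
    return {"vulnerable": vulnerable, "unauthenticated": unauthenticated,
            "wrong_origin": wrong_origin, "allowed": allowed}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} -> {outcome}")
```

The session check is what stops an arbitrary device on the Wi-Fi from driving the set; the origin allow-list is defence in depth for the case where a token does leak. Constant-time comparison of the PIN and token is a habit worth keeping even on a TV.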

Source: Supra smart TVs aren’t so super smart: Hole lets hackers go all Max Headroom on e-tellies • The Register

Strewth: Hackers slurp 19 years of Oz student data in uni’s second breach within a year

The Australian National University (ANU) today copped to a fresh breach in which intruders gained access to “significant amounts” of data stretching back 19 years.

The top-ranked Oz uni said it noticed about a fortnight ago that hackers had got their claws on staff, visitor and student data, including names, addresses, dates of birth, phone numbers, personal email addresses, emergency contact details, tax file numbers, payroll information, bank account details and passport details. It said the breach took place in “late 2018” – the same year it ‘fessed up to another lengthy attack.

Students will be miffed to find out that someone knows they had to retake second-year Statistics since academic records were also accessed.

The uni insisted: “The systems that store credit card details, travel information, medical records, police checks, workers’ compensation, vehicle registration numbers, and some performance records have not been affected.”

Source: Strewth: Hackers slurp 19 years of Oz student data in uni’s second breach within a year • The Register

Why was this data not encrypted?

EU countries and car manufacturers, navigation systems will share information between everyone

Advanced Driver Assistance Systems (ADAS) in cars, such as automatic braking systems, systems that detect the state of the road or anything in your blind spot, and navigation systems, will be sharing their data with European countries, car manufacturers and presumably insurers under the cloak of making driving safer. I’m sure it will, but I still don’t feel comfortable having the government know where I am at all times and what my driving style is like.

The link below is in Dutch.

Source: EU-landen en autofabrikanten delen informatie voor meer verkeersveiligheid – Emerce

‘Wow, What Is That?’ Navy Pilots Report Unexplained Flying Objects – probably not little green men though

WASHINGTON — The strange objects, one of them like a spinning top moving against the wind, appeared almost daily from the summer of 2014 to March 2015, high in the skies over the East Coast. Navy pilots reported to their superiors that the objects had no visible engine or infrared exhaust plumes, but that they could reach 30,000 feet and hypersonic speeds.

“These things would be out there all day,” said Lt. Ryan Graves, an F/A-18 Super Hornet pilot who has been with the Navy for 10 years, and who reported his sightings to the Pentagon and Congress. “Keeping an aircraft in the air requires a significant amount of energy. With the speeds we observed, 12 hours in the air is 11 hours longer than we’d expect.”

In late 2014, a Super Hornet pilot had a near collision with one of the objects, and an official mishap report was filed. Some of the incidents were videotaped, including one taken by a plane’s camera in early 2015 that shows an object zooming over the ocean waves as pilots question what they are watching.

“Wow, what is that, man?” one exclaims. “Look at it fly!”

No one in the Defense Department is saying that the objects were extraterrestrial, and experts emphasize that earthly explanations can generally be found for such incidents. Lieutenant Graves and four other Navy pilots, who said in interviews with The New York Times that they saw the objects in 2014 and 2015 in training maneuvers from Virginia to Florida off the aircraft carrier Theodore Roosevelt, make no assertions of their provenance.

But the objects have gotten the attention of the Navy, which earlier this year sent out new classified guidance for how to report what the military calls unexplained aerial phenomena, or unidentified flying objects.


Videos filmed by Navy pilots show two encounters with flying objects. One was captured by a plane’s camera off the coast of Jacksonville, Fla., on Jan. 20, 2015. That footage, published previously but with little context, shows an object tilting like a spinning top moving against the wind. A pilot refers to a fleet of objects, but no imagery of a fleet was released. The second video was taken a few weeks later. Credit: U.S. Department of Defense

Joseph Gradisher, a Navy spokesman, said the new guidance was an update of instructions that went out to the fleet in 2015, after the Roosevelt incidents.


“There were a number of different reports,” he said. Some cases could have been commercial drones, he said, but in other cases “we don’t know who’s doing this, we don’t have enough data to track this. So the intent of the message to the fleet is to provide updated guidance on reporting procedures for suspected intrusions into our airspace.”

The sightings were reported to the Pentagon’s shadowy, little-known Advanced Aerospace Threat Identification Program, which analyzed the radar data, video footage and accounts provided by senior officers from the Roosevelt. Luis Elizondo, a military intelligence official who ran the program until he resigned in 2017, called the sightings “a striking series of incidents.”

Navy pilots from the VFA-11 “Red Rippers” squadron aboard the aircraft carrier Theodore Roosevelt in 2015. The squadron began noticing strange objects just after the Navy upgraded the radar systems on its F/A-18 fighter planes. Credit: Adam Ferguson for The New York Times

The program, which began in 2007 and was largely funded at the request of Harry Reid, the Nevada Democrat who was the Senate majority leader at the time, was officially shut down in 2012 when the money dried up, according to the Pentagon. But the Navy recently said it currently investigates military reports of U.F.O.s, and Mr. Elizondo and other participants say the program — parts of it remain classified — has continued in other forms. The program has also studied video that shows a whitish oval object described as a giant Tic Tac, about the size of a commercial plane, encountered by two Navy fighter jets off the coast of San Diego in 2004.

Leon Golub, a senior astrophysicist at the Harvard-Smithsonian Center for Astrophysics, said the possibility of an extraterrestrial cause “is so unlikely that it competes with many other low-probability but more mundane explanations.” He added that “there are so many other possibilities — bugs in the code for the imaging and display systems, atmospheric effects and reflections, neurological overload from multiple inputs during high-speed flight.”

Source: ‘Wow, What Is That?’ Navy Pilots Report Unexplained Flying Objects – The New York Times

Major Google Outage Hits YouTube, G Suite, and Third Party Apps Including Discord and Snapchat

Google suffered major outages with its Cloud Platform on Sunday, causing widespread access issues with both its own services and third party apps ranging from Snapchat to Discord.

As of early Sunday evening, issues had persisted for hours; according to the Google Cloud Status Dashboard, the outages began at roughly 3:25 p.m. ET and were related to “high levels of network congestion in the eastern USA.” Outage-tracking service Down Detector indicated that access to YouTube was severely disrupted across the country, with the northeastern U.S. particularly having a rough go of it. Finally, the G Suite Status Dashboard listed virtually every one of its cloud-based productivity and collaboration tools—including Gmail, Drive, Docs, Hangouts, and Voice—as experiencing service outages. Amazingly enough, largely defunct social network Google+ was listed as experiencing no issues.

As the Verge noted, third-party services Discord, Snapchat, and Vimeo all use Google Cloud in their backends, with the outages preventing users from logging in. (However, issues were far from universal, with some users reporting no impact at all.)

Source: Major Google Outage Hits YouTube, G Suite, and Third Party Apps Including Discord and Snapchat [Updated]

US now requires social media info for visa applications

If you want to stay in the US, you’ll likely have to share your internet presence. As proposed in March 2018 (and to some extent in 2015), the country now requires virtually all visa applicants to provide their social media account names for the past five years. The mandate only covers a list of selected services, although potential visitors and residents can volunteer info if they belong to social sites that aren’t mentioned in the form.

Applicants also have to provide previous email addresses and phone numbers on top of non-communications info like their travel statuses and any family involvement in terrorism. Some diplomats and officials are exempt from the requirements.

The US had previously only required these details for people who visited terrorist-controlled areas. The goal is the same, however. The US is hoping to both verify identities and spot extremists who’ve discussed their ideologies online, potentially preventing incidents like the San Bernardino mass shooting.

The measure will affect millions of visa seekers each year, although whether or not it will be effective isn’t clear. A State Department official told The Hill that applicants could face “serious immigration consequences” if they’re caught lying, but it’s not certain that they’ll be found out in a timely fashion — the policy is counting on applicants both telling the truth and having relatively easy-to-find accounts if they’re dishonest. And like it or not, this affects the privacy of social media users who might not want to divulge their online identities (particularly private accounts) to government staff.

Source: US now requires social media info for visa applications

In case you’re wondering, this is not a Good Thing

Leap Motion sold to UltraHaptics

The company sought to completely change how we interact with computers, but now Leap Motion is selling itself off.

Apple reportedly tried to get their hands on the hand-tracking tech, which Leap Motion rebuffed, but now the hyped nine-year-old consumer startup is being absorbed into the younger, enterprise-focused UltraHaptics. The Wall Street Journal first reported the deal this morning; we’ve heard the same from a source familiar with the deal.

The report further detailed that the purchase price was a paltry $30 million, nearly one-tenth the company’s most recent valuation. CEO Michael Buckwald will also not be staying on with the company post-acquisition, we’ve learned.

Leap Motion raised nearly $94 million off of their mind-bending demos of their hand-tracking technology, but they were ultimately unable to ever zero in on a customer base that could sustain them. Even as the company pivoted into the niche VR industry, the startup remained a solution in search of a problem.

In 2011, when we first covered the startup, then called OcuSpec, it had raised $1.3 million in seed funding from Andreessen Horowitz and Founders Fund. At the time, Buckwald told us that he was building motion-sensing tech that was “radically more powerful and affordable than anything currently available,” though he kept many details under wraps.

Source: Once poised to kill the mouse and keyboard, Leap Motion plays its final hand – TechCrunch

Docker Bug Allows Root Access to Host File System

All of the current versions of Docker have a vulnerability that can allow an attacker to get read-write access to any path on the host server. The weakness is the result of a race condition in the Docker software and while there’s a fix in the works, it has not yet been integrated.

The bug is the result of the way that the Docker software handles some symbolic links, which are files that have paths to other directories or files. Researcher Aleksa Sarai discovered that in some situations, an attacker can insert his own symlink into a path during a short time window between the time that the path has been resolved and the time it is operated on. This is a variant of the time of check to time of use (TOCTOU) problem, specifically with the “docker cp” command, which copies files to and from containers.

“The basic premise of this attack is that FollowSymlinkInScope suffers from a fairly fundamental TOCTOU attack. The purpose of FollowSymlinkInScope is to take a given path and safely resolve it as though the process was inside the container. After the full path has been resolved, the resolved path is passed around a bit and then operated on a bit later (in the case of ‘docker cp’ it is opened when creating the archive that is streamed to the client),” Sarai said in his advisory on the problem.

“If an attacker can add a symlink component to the path after the resolution but before it is operated on, then you could end up resolving the symlink path component on the host as root. In the case of ‘docker cp’ this gives you read and write access to any path on the host.”

Sarai notified the Docker security team about the vulnerability and, after talks with them, the two parties agreed that public disclosure of the issue was legitimate, even without a fix available, in order to make customers aware of the problem. Sarai said researchers were aware that this kind of attack might be possible against Docker for a couple of years. He developed exploit code for the vulnerability and said that a potential attack scenario could come through a cloud platform.

“The most likely case for this particular vector would be a managed cloud which let you (for instance) copy configuration files into a running container or read files from within the container (through “docker cp”),” Sarai said via email.

“However it should be noted that while this vulnerability only has exploit code for “docker cp”, that’s because it’s the most obvious endpoint for me to exploit. There is a more fundamental issue here — it’s simply not safe to take a path, expand all the symlinks within it, and assume that path is safe to use.”

Source: Docker Bug Allows Root Access to Host File System | Decipher
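The defence Sarai's advisory points to is to stop resolving a path to a string and opening that string later. Below is an added example, written for this post and not Docker's own code, of the scope-safe alternative: walk the path one component at a time with openat(2) and O_NOFOLLOW, so the kernel never follows a symlink on the host, and resolve any symlink found inside the root in user space, the way a process in the container would see it. The resolve-then-use pattern the advisory describes is shown beside it for contrast. Assumptions: Linux (Python's dir_fd support for openat/readlinkat), and a constructed temporary directory standing in for a container root.

```python
"""Scope-safe path opening: added example, not Docker's own code (Linux)."""
import errno
import os
import tempfile

MAX_SYMLINKS = 40  # assumed limit, in the spirit of the kernel's loop guard


class ScopeError(Exception):
    """Raised when a path would leave the root or loops through symlinks."""


def open_resolve_then_use(root, rel, flags=os.O_RDONLY):
    """The pattern the advisory warns about: resolve the whole path to a
    string, check the string, then open it later. Nothing ties the open to
    the components that were checked, so a symlink swapped into the path in
    between is followed by the kernel on the host."""
    root = os.path.realpath(root)
    resolved = os.path.realpath(os.path.join(root, rel.lstrip("/")))
    if resolved != root and not resolved.startswith(root + os.sep):
        raise ScopeError("path escapes root: %s" % resolved)
    # ... window: any component of `resolved` may be replaced here ...
    return os.open(resolved, flags)


def _split(path):
    return [p for p in path.split("/") if p not in ("", ".")]


def open_in_root(root, rel, flags=os.O_RDONLY):
    """Open `rel` with `root` treated as '/', never letting the kernel follow
    a symlink. Each component is opened via openat(2) relative to the
    previous directory fd with O_NOFOLLOW; a symlink component is read with
    readlinkat(2) and its target re-walked from the same fds, so an absolute
    link target means "absolute inside root" and '..' never climbs above it."""
    root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    stack = [root_fd]                      # directory fds, root at the bottom
    parts = _split(rel)
    links_left = MAX_SYMLINKS
    try:
        while parts:
            name = parts.pop(0)
            if name == "..":
                if len(stack) > 1:         # at root, '..' stays at root
                    os.close(stack.pop())
                continue
            parent = stack[-1]
            want = flags if not parts else os.O_RDONLY | os.O_DIRECTORY
            try:
                fd = os.open(name, want | os.O_NOFOLLOW, dir_fd=parent)
            except OSError as exc:
                if exc.errno != errno.ELOOP:
                    raise                  # missing, not a directory, EACCES...
                if links_left == 0:        # `name` is a symlink: resolve in scope
                    raise ScopeError("too many symlinks")
                links_left -= 1
                target = os.readlink(name, dir_fd=parent)
                if target.startswith("/"):
                    while len(stack) > 1:  # restart from root, not host '/'
                        os.close(stack.pop())
                parts = _split(target) + parts
                continue
            stack.append(fd)
        return stack.pop()                 # caller owns the final fd
    finally:
        for fd in stack:
            os.close(fd)


def read_in_root(root, rel):
    fd = open_in_root(root, rel)
    try:
        return os.read(fd, 4096)
    finally:
        os.close(fd)


def demo():
    """Constructed fixture: a fake container root beside a 'host' file."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "rootfs")
    host_secret = os.path.join(base, "host_secret.txt")
    os.makedirs(os.path.join(root, "data"))
    with open(os.path.join(root, "data", "file.txt"), "wb") as f:
        f.write(b"container data")
    with open(host_secret, "wb") as f:
        f.write(b"host secret")
    os.symlink("/data/file.txt", os.path.join(root, "abs_link"))    # in scope
    os.symlink(host_secret, os.path.join(root, "escape"))            # host path
    os.symlink("../../../data/file.txt", os.path.join(root, "up_link"))
    out = {"plain": read_in_root(root, "data/file.txt"),
           "abs_link": read_in_root(root, "abs_link"),
           "up_link": read_in_root(root, "up_link")}
    try:
        read_in_root(root, "escape")
        out["escape"] = "followed to host"
    except FileNotFoundError:
        out["escape"] = "refused: target re-walked inside root"
    try:
        os.close(open_resolve_then_use(root, "abs_link"))
        out["legacy_abs_link"] = "opened"
    except ScopeError:
        out["legacy_abs_link"] = "rejected: realpath followed it on the host"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two things the walk buys that a string check cannot: the open is bound to the directory fds that were actually inspected, so a later swap of a component only makes the open fail with ELOOP instead of redirecting it, and link targets are interpreted inside the root (the `abs_link` case), whereas `realpath` interprets them on the host and has to reject them.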

Flipboard hacked and open for 9 months – fortunately passwords properly salted and encrypted so not much damage

In a series of emails seen by ZDNet that the company sent out to impacted users, Flipboard said hackers gained access to databases the company was using to store customer information.

Most passwords are secure

Flipboard said these databases stored information such as Flipboard usernames, hashed and uniquely salted passwords, and in some cases, emails or digital tokens that linked Flipboard profiles to accounts on third-party services.

The good news appears to be that the vast majority of passwords were hashed with a strong password-hashing algorithm named bcrypt, currently considered very hard to crack.

The company said that some passwords were hashed with the weaker SHA-1 algorithm, but they were not many.

“If users created or changed their password after March 14, 2012, it is hashed with a function called bcrypt. If users have not changed their password since then, it is uniquely salted and hashed with SHA-1,” Flipboard said.

[…]

In its email, Flipboard said it is now resetting all customer passwords, regardless if users were impacted or not, out of an abundance of caution.

Furthermore, the company has already replaced all digital tokens that customers used to connect Flipboard with third-party services like Facebook, Twitter, Google, and Samsung.

“We have not found any evidence the unauthorized person accessed third-party account(s) connected to your Flipboard accounts,” the company said.

Extensive breach

But despite some good news for users, the breach appears to be quite extensive, at least for the company’s IT staff.

According to Flipboard, hackers had access to its internal systems for almost nine months, first between June 2, 2018, and March 23, 2019, and then for a second time between April 21 and April 22, 2019.

The company said it detected the breach the day after this second intrusion, on April 23, while investigating suspicious activity on its database network.

Source: Flipboard says hackers stole user details | ZDNet
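What a store like the one described above looks like in code, and how the SHA-1 records get moved off the weak hash, as an added example that is not Flipboard's own code: two record formats live side by side, verification picks the scheme from the record's prefix, and a successful login against a legacy record returns a fresh strong record for the caller to write back (the plaintext is only available at login, which is why that is the upgrade point). bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it here; the record layouts and the salted-SHA-1 legacy scheme are assumptions modelled on the notice, not Flipboard's actual formats.

```python
"""Mixed-format password store with verify-and-upgrade (added example)."""
import hashlib
import hmac
import secrets

LEGACY = "sha1"            # assumed layout: sha1$<hex salt>$<hex digest>
STRONG = "pbkdf2-sha256"   # assumed layout: pbkdf2-sha256$<iters>$<hex salt>$<hex digest>
ITERATIONS = 600_000       # OWASP's current figure for PBKDF2-HMAC-SHA256


def hash_legacy(password, salt=None):
    """Uniquely salted SHA-1: a unique salt defeats rainbow tables, but SHA-1
    is fast, so each record is still cheap to brute-force offline."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return "%s$%s$%s" % (LEGACY, salt.hex(), digest)


def hash_strong(password, salt=None, iterations=ITERATIONS):
    """Slow, salted hash; stand-in for bcrypt in this example."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 iterations).hex()
    return "%s$%d$%s$%s" % (STRONG, iterations, salt.hex(), digest)


def verify(stored, password):
    """Constant-time check of `password` against a record of either format."""
    try:
        scheme, rest = stored.split("$", 1)
        if scheme == LEGACY:
            salt_hex, _ = rest.split("$")
            candidate = hash_legacy(password, bytes.fromhex(salt_hex))
        elif scheme == STRONG:
            iters, salt_hex, _ = rest.split("$")
            candidate = hash_strong(password, bytes.fromhex(salt_hex),
                                    int(iters))
        else:
            return False
    except ValueError:          # malformed record
        return False
    return hmac.compare_digest(candidate, stored)


def verify_and_upgrade(stored, password):
    """Returns (ok, replacement). `replacement` is a new strong record when
    the login succeeded against a legacy one, else None."""
    if not verify(stored, password):
        return False, None
    if stored.split("$", 1)[0] != STRONG:
        return True, hash_strong(password)
    return True, None


def audit(records):
    """Count records per scheme: the breach-response question of how much of
    the store is still on the weak hash."""
    counts = {}
    for rec in records:
        scheme = rec.split("$", 1)[0]
        counts[scheme] = counts.get(scheme, 0) + 1
    return counts


if __name__ == "__main__":
    old = hash_legacy("correct horse")          # constructed sample record
    ok, new = verify_and_upgrade(old, "correct horse")
    print(ok, new is not None, audit([old, new]))
```

Records that never see a successful login keep the weak hash indefinitely, which is exactly the population Flipboard describes (passwords unchanged since March 2012); forcing a reset for those accounts is the only way to clear them without the plaintext.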

Laboratory Black Hole Shows Stephen Hawking Was Right – wait, they make black holes in labs now?!

Physicists have confirmed predictions of Stephen Hawking’s namesake theory of black holes using a black hole they constructed in their lab, according to a new paper.

This black hole isn’t like the black holes out in space, where gravity creates a region of spacetime so warped that light can’t escape. Instead, the researchers built a black hole analog using a strange quantum material called a Bose-Einstein condensate, in which the point of no return is for sound rather than light. Still, it’s an important verification of Hawking’s work.

“I’m interested in learning whatever we can about real black holes and real gravity,” study author Jeff Steinhauer, physicist at the Technion-Israel Institute of Technology, told Gizmodo.

Stephen Hawking’s landmark theory is called Hawking radiation. When trying to apply the physical laws governing heat to black holes, he realized that black holes must emit radiation from their surfaces. The mechanism marks a combination of quantum mechanics (the science of the smallest things) with gravity (the science of interactions between the most massive things). But astronomers haven’t been able to peer close enough to a black hole to prove or disprove the theory. Some scientists have instead turned to analogues in the lab.

The scientists created an elongated Bose-Einstein condensate by trapping 8,000 rubidium atoms in a focused laser beam. Bose-Einstein condensates are systems of ultra-cold atoms where strange quantum physical phenomena become more visible on larger scales. They are often used for analog-type experiments like these.

A second laser increases the potential energy on one side of the Bose-Einstein condensate, making it denser on that side. A sharp transition separates the denser area (considered to be outside the black hole) and the less dense area (inside the black hole). This transition moves at a constant speed through the condensate, but from the point of view of the experimenters, it appears to be stationary; instead, it looks as if all of the rubidium atoms are moving. Outside the black hole in the denser region, the speed of sound is faster than the speed of this flow, so sound waves can move in either direction. But in the less dense region—inside the black hole—the speed of sound is slower, so sound waves only travel away from the sharp transition and further into the black hole, as described in the paper published in Nature.

This experiment mimics one of the most important features of the black hole—outside the black hole, light can either move away from or into the black hole. But once inside the black hole, it cannot escape. The laboratory analogue replaces light with sound, and the researchers can measure sound waves both outside and inside their black hole’s “event horizon.” The signal of the Hawking radiation is a correlation between these two kinds of waves.

Steinhauer’s team previously observed Hawking radiation in this system back in 2016. But this time around, they made at least 21 improvements to the system in order to get a better signal. This was enough to pull out important information about the system’s radiation, namely that it has a thermal spectrum with a temperature determined only by the system’s analogous equivalent to gravity, a relationship between the speed of sound and its flow. This means that it emitted a continuous spectrum of wavelengths, rather than preferred wavelengths. These observations, and the temperatures, were exactly as predicted in Hawking’s theories.

“The way I see it, what we saw was that Hawking’s calculations were correct,” Steinhauer said. By correct, he means that they’re a real effect that happens in these kinds of systems. Whether they happen in real black holes in space, well, we don’t quite know yet. But they do show that if Hawking was correct, then any information that falls into a black hole is lost, the subject of an important black hole paradox.

Mathematician Silke Weinfurtner at the University of Nottingham in the United Kingdom wrote in a Nature commentary that the research was “promising” and that the scheme the researchers used to extract the temperature of the radiation was “clever.” Perhaps, she wrote, the setup will be useful in measuring other interesting quantum phenomena expected to occur near the black hole’s event horizon.

This research is yet another example of scientists using analogues to access physical phenomena that might otherwise be impossible to observe. It can serve as an important verification of the theories that drive our understanding of inaccessible things.

Next up, the researchers hope to repeatedly redo the experiment in order to determine how this Hawking radiation changes over time. And who knows, maybe one day we really will be able to measure these properties in actual black holes.

Source: Laboratory Black Hole Shows Stephen Hawking Was Right, Obviously

Apple’s privacy schtick is just an act, say folks suing the iGiant: iTunes ‘purchase histories sold’ to highest bidders

Apple has been hit with a class-action complaint in the US accusing the iGiant of playing fast and loose with the privacy of its customers.

The lawsuit [PDF], filed this month in a northern California federal district court, claims the Cupertino music giant gathers data from iTunes – including people’s music purchase history and personal information – then hands that info over to marketers in order to turn a quick buck.

“To supplement its revenues and enhance the formidability of its brand in the eyes of mobile application developers, Apple sells, rents, transmits, and/or otherwise discloses, to various third parties, information reflecting the music that its customers purchase from the iTunes Store application that comes pre-installed on their iPhones,” the filing alleged.

“The data Apple discloses includes the full names and home addresses of its customers, together with the genres and, in some cases, the specific titles of the digitally-recorded music that its customers have purchased via the iTunes Store and then stored in their devices’ Apple Music libraries.”

What’s more, the lawsuit goes on to claim that the data Apple sells is then combined by the marketers with information purchased from other sources to create detailed profiles on individuals that allow for even more targeted advertising.

Additionally, the lawsuit alleges the Music APIs Apple includes in its developer kit can allow third-party devs to harvest similarly detailed logs of user activity for their own use, further violating the privacy of iTunes customers.

The end result, the complaint states, is that Cook and Co are complacent in the illegal harvesting and reselling of personal data, all while pitching iOS and iTunes as bastions of personal privacy and data security.

“Apple’s disclosures of the personal listening information of plaintiffs and the other unnamed Class members were not only unlawful, they were also dangerous because such disclosures allow for the targeting of particularly vulnerable members of society,” the complaint reads.

“For example, any person or entity could rent a list with the names and addresses of all unmarried, college-educated women over the age of 70 with a household income of over $80,000 who purchased country music from Apple via its iTunes Store mobile application. Such a list is available for sale for approximately $136 per thousand customers listed.”

Source: Apple’s privacy schtick is just an act, say folks suing the iGiant: iTunes ‘purchase histories sold’ to highest bidders • The Register

Mysterious Chinese Dating Apps Targeting US Customers Expose 42.5 Million Records Online

On May 25th I discovered a non password protected Elastic database that was clearly associated with dating apps based on the names of the folders. The IP address is located on a US server and a majority of the users appear to be Americans based on their user IP and geolocations. I also noticed Chinese text inside the database with commands such as:

• 模型更新完成事件已触发,同步用户到
• according to Google Translate: The model update completion event has been triggered, syncing to the user.

The strange thing about this discovery was that there were multiple dating applications all storing data inside this database. Upon further investigation I was able to identify dating apps available online with the same names as those in the database. What really struck me as odd was that despite all of them using the same database, they claim to be developed by separate companies or individuals that do not seem to match up with each other. The Whois registration for one of the sites uses what appears to be a fake address and phone number. Several of the other sites are registered private and the only way to contact them is through the app (once it is installed on your device).

Finding several of the users’ real identity was easy and only took a few seconds to validate them. The dating applications logged and stored the user’s IP address, age, location, and user names. Like most people your online persona or user name is usually well crafted over time and serves as a unique cyber fingerprint. Just like a good password many people use it again and again across multiple platforms and services. This makes it extremely easy for someone to find and identify you with very little information. Nearly each unique username I checked appeared on multiple dating sites, forums, and other public places. The IP and geolocation stored in the database confirmed the location the user put in their other profiles using the same username or login ID.

Source: Mysterious Chinese Dating Apps Targeting US Customers Expose 42.5 Million Records Online – Security Discovery

Newly Released Amazon Patent Shows Just How Much Creepier Alexa Can Get

A newly revealed patent application filed by Amazon is raising privacy concerns over an envisaged upgrade to the company’s smart speaker systems. This change would mean that, by default, the devices end up listening to and recording everything you say in their presence.

Alexa, Amazon’s virtual assistant system that runs on the company’s Echo series of smart speakers, works by listening out for a ‘wakeword’ that tells the device to turn on its extended speech recognition systems in order to respond to spoken commands.

[…]

In theory, Alexa-enabled devices will only record what you say directly after the wakeword, which is then uploaded to Amazon, where remote servers use speech recognition to deduce your meaning, then relay commands back to your local speaker.

But one issue in this flow of events, as Amazon’s recently revealed patent application argues, is it means that anything you say before the wakeword isn’t actually heard.

“A user may not always structure a spoken command in the form of a wakeword followed by a command (eg. ‘Alexa, play some music’),” the Amazon authors explain in their patent application, which was filed back in January, but only became public last week.

“Instead, a user may include the command before the wakeword (eg. ‘Play some music, Alexa’) or even insert the wakeword in the middle of a command (eg. ‘Play some music, Alexa, the Beatles please’). While such phrasings may be natural for a user, current speech processing systems are not configured to handle commands that are not preceded by a wakeword.”

To overcome this barrier, Amazon is proposing an effective workaround: simply record everything the user says all the time, and figure it out later.

Rather than only record what is said after the wakeword is spoken, the system described in the patent application would effectively continuously record all speech, then look for instances of commands issued by a person.

Source: Newly Released Amazon Patent Shows Just How Much Creepier Alexa Can Get

wow – a continuous spy in your home

Germany thinks about resurrecting the Stasi, getting rid of end-to-end chat app encryption and requiring decrypted plain-text.

Government officials in Germany are reportedly mulling a law to force chat app providers to hand over end-to-end encrypted conversations in plain text on demand.

According to Der Spiegel this month, the Euro nation’s Ministry of the Interior wants a new set of rules that would require operators of services like WhatsApp, Signal, Apple iMessage, and Telegram to cough up plain-text records of people’s private enciphered chats to authorities that obtain a court order.

This would expand German law, which right now only allows communications to be gathered from a suspect’s device itself, to also include the companies providing encrypted chat services and software. True and strong end-to-end encrypted conversations can only be decrypted by those participating in the discussion, so the proposed rules would require app makers to deliberately knacker or backdoor their code in order to comply. Those changes would be needed to allow them to collect messages passing through their systems and decrypt them on demand.

Up until now, German police have opted not to bother with trying to decrypt the contents of messages in transit, opting instead to simply seize and break into the device itself, where the messages are typically stored in plain text.

The new rules are set to be discussed by the members of the interior ministry in an upcoming June conference, and are likely to face stiff opposition not only on privacy grounds, but also in regards to the technical feasibility of the requirements.

Spokespeople for Facebook-owned WhatsApp, and Threema, makers of encrypted messaging software, were not available to comment.

The rules are the latest in an ongoing global feud between the developers of secure messaging apps and governments. The apps are designed in part to let citizens, journalists, and activists communicate shielded from the prying eyes of oppressive government regimes.

The governments, meanwhile, say that the apps also provide a safe haven for criminals and terror groups that want to plan attacks and illegal activities, making it harder for intelligence and police agencies to perform vital monitoring tasks.

The app developers note that even if governments do try to implement mandatory decryption (aka backdoor) capabilities, actually getting those tools to work properly, without opening up a massive new security hole in the platforms that miscreants and criminals could exploit, would be next to impossible.

Source: Germany mulls giving end-to-end chat app encryption das boot: Law requiring decrypted plain-text is in the works • The Register

Whatever happened to mail confidentiality then?

Google Now Forces Microsoft Edge Preview Users to Use Chrome for the Modern YouTube Experience – a bit like they fuck around with Firefox

Microsoft started testing a new Microsoft Edge browser based on Chromium a little while ago. The company has been releasing new canary and dev builds for the browser over the last few weeks, and the preview is actually really great. In fact, I have been using the new Microsoft Edge Canary on my main Windows machine and my MacBook Pro for more than a month, and it’s really good.

But if you watch YouTube quite a lot, you will face a new problem on the new Edge. It turns out, Google has randomly disabled the modern YouTube experience for users of the new Microsoft Edge. Users are now redirected to the old YouTube experience, which lacks the modern design as well as the dark theme for YouTube, as first spotted by Gustave Monce. And when you try to manually access the new YouTube from youtube.com/new, YouTube simply asks users to download Google Chrome, stating that the Edge browser isn’t supported. Ironically, the same page states “We support the latest versions of Chrome, Firefox, Opera, Safari, and Edge.”

The change affects the latest versions of Microsoft Edge Canary and Dev channels. It is worth noting that the classic Microsoft Edge based on EdgeHTML continues to work fine with the modern YouTube experience.

The weird thing here is that Microsoft has been working closely with Google engineers on the new Edge and Chromium. Both companies’ engineers are working closely to improve Chromium and introduce new features like ARM64 support to Chromium. So it’s very odd that Google would prevent users of the new Microsoft Edge browser from using the modern YouTube experience. This is most likely an error on Google’s part, but it could be intentional, too — we really don’t know for now.

Source: Google Now Forces Microsoft Edge Preview Users to Use Chrome for the Modern YouTube Experience – Thurrott.com

See also:
Google isn’t the company that we should have handed the Web over to: why MS switching to Chromium is a bad idea

SpaceX Starlink satellites dazzle but pose big questions for astronomers – Musk thought things out well again, not.

The first batch of satellites were launched from Cape Canaveral, Florida, and deployed to orbit by a Falcon 9 rocket on May 23. Each contains a single solar array, which both captures and bounces sunlight off the satellites and, as a result, can sometimes be seen from Earth. On May 25, as the drifting luminescent army of satellites zoomed overhead, Dutch satellite tracker Marco Langbroek captured their marching, posting a stunning video to Vimeo.

In time, the satellites will drift apart and head to specific orbits so that satellite internet coverage can be beamed to every corner of the globe.

However, as the unusual display in the night sky quickly gathered steam across social media, some astronomers began to point out the potential problems the satellite system may pose for astronomy. At present, only 60 satellites are moving into their orbit, but eventually that number will reach 12,000, and a megaconstellation will encircle the Earth. Practically overnight, our view of the sky has changed.

“We’ve become used to change in space activities as slow and incremental, and suddenly, it’s fast and speeding up,” said Alice Gorman, space archeologist at Flinders University, Australia. “By its very visibility, Starlink has opened up some big questions: who gets to use Earth orbit and what for?”

Indeed, Starlink would triple the number of satellites orbiting the Earth. If thousands of satellites are sent into orbit, our view of space changes. Will we find ourselves in a position where it’s impossible to investigate the cosmos from the ground?

The quick answer: not forever, no. SpaceX designed the Starlink satellites to fall back to the Earth after about five years of service.

“The satellites are meant to put themselves in a re-entry orbit at the end of their mission life, and remove themselves from the debris population by burning up,” says Gorman.

But the long answer is: potentially. Astronomers already wrangle with the problems posed by space robots and satellites circling the Earth whenever they turn their ground-based telescopes toward the stars. Bright, reflective surfaces pose a problem because they obstruct our view of the universe.

More satellites equals cloudier vision, and Starlink plans to launch more satellites than ever.

When the sun is reflecting off the satellites’ solar panels, astronomers will have to account for the appearance of the satellites in their images. SpaceX was relatively mum about the design of the satellites leading up to launch, so it’s come as a bit of a surprise to some astronomers just how bright they are. However, the satellites will position their solar panels as they establish themselves in orbit, which should reduce their brightness.

Jonathan McDowell, an astronomer with the Harvard-Smithsonian Center for Astrophysics, perhaps summed it up best in a tweet, saying the satellites are “brighter than we had expected and still a problem, but somewhat less of a sky-is-on-fire problem.”

“Somewhat less of a sky-is-on-fire problem” sounds slightly reassuring, at least. But there do seem to be clear issues for the astronomy community.

Elon Musk, SpaceX CEO, jumped to the defense of his satellite system and noted on Twitter how “potentially helping billions of economically disadvantaged people is the greater good,” while making it clear that SpaceX plans to limit Starlink’s effects on astronomy. “We care a great deal about science,” Musk tweeted. He said he’s sent a note to the Starlink team to reduce albedo — that is, the amount of light the satellites reflect.

In addition, after a user suggested placing space telescopes using Starlink chassis into orbit to appease the astronomers, Musk said he “would love to do exactly that.” That might ease concerns, but will it slow our quickening colonization of Earth’s orbit? Unlikely.

“Space agencies and organizations have been cluttering the sky for decades and taking a very lax attitude to the long-term consequences,” said Gorman.

With a number of satellite constellations on the way, it will be critical for regulatory bodies and satellite providers to adequately manage the space debris and satellite problem, lest all of our space robots collide and lock us on Earth forever (yes, that’s a faint but possible catastrophic scenario).

Source: SpaceX Starlink satellites dazzle but pose big questions for astronomers – CNET

The Asus ZenBook Pro Duo laptop with two 4K screens – for some reason people are comparing it to Apple’s Touch Bar, but it has nothing to do with that.

The ZenBook Pro Duo has not one, but two 4K screens. (At least if you’re counting horizontal pixels.) There’s a 15-inch 16:9 OLED panel where you’d normally find the display on a laptop, then a 32:9 IPS “ScreenPad Plus” screen directly above the keyboard that’s the same width and half the height. It’s as if Asus looked at the MacBook Pro Touch Bar and thought “what if that, but with 32 times as many pixels?”

Unlike the Touch Bar, though, the ScreenPad Plus doesn’t take anything away from the ZenBook Pro Duo, except presumably battery life. Asus still included a full-sized keyboard with a function row, including an escape key, and the trackpad is located directly to the right. The design is very reminiscent of Asus’ Zephyrus slimline gaming laptops — you even still get the light-up etching that lets you use the trackpad as a numpad. HP tried something similar recently, too, though its second screen was far smaller.

Asus has built some software for the ScreenPad Plus that makes it more of a secondary control panel, but you can also use it as a full-on monitor, or even two if you want to split it into two smaller 16:9 1080p windows. You can also set it to work as an extension of the main screen, so websites rise up from above your keyboard as you scroll down, which is pretty unnerving. Or you could use it to watch Lawrence of Arabia while you jam on Excel spreadsheets.

The ZenBook Pro Duo has up to an eight-core Intel Core i9 processor with an Nvidia RTX 2060 GPU. There are four far-field microphones designed for use with Alexa and Cortana, and there’s an Echo-style blue light at the bottom edge that activates with voice commands. It has a Thunderbolt 3 port, two USB-A ports, a headphone jack, and a full-sized HDMI port.

Performance seemed fine in my brief time using the ZenBook Pro Duo, without any hiccups or hitches even when running an intensive video editing software demo. It’s a fairly hefty laptop at 2.5kg (about 5.5lbs), but that’s to be expected given the gaming laptop-class internals. I would also expect its battery life to fall somewhere close to that particular category of products, though we’ll have to wait and see about that.

While both of the screens looked good, I will say they looked different. Part of that is because of the searing intensity of the primary OLED panel, but the ScreenPad Plus is also coated with a matte finish, and usually looks less bright because of how you naturally view it at an off angle.

Asus is also making a cheaper and smaller 14-inch model called the ZenBook Duo. The design and concept is basically the same, but both screens are full HD rather than 4K, there’s no Core i9 option, and the discrete GPU has been heavily downgraded to an MX250.

Asus hasn’t announced pricing or availability for the ZenBook Pro Duo or the ZenBook Duo, but they’re expected to land in the third quarter of this year.

Source: The Asus ZenBook Pro Duo is an extravagant laptop with two 4K screens – The Verge

Why they see any similarity to the Apple Touch Bar is beyond me – this is sprung from a totally different well. The dual screen laptop concept has been around for a lot longer than Apple putting a tiny strip somewhere. This is something that’s actually useful.