Hack of 100 Million Quora Users Could Be Worse Than it Sounds

On Monday, the question and answer site Quora announced that a third party was able to gain access to virtually every data point the company keeps on 100 million users. Even if you don’t recall having a Quora account, you might want to make sure.

In a blog post, Quora CEO Adam D’Angelo explained that the company first noticed the data breach on Friday and has since enlisted independent security researchers to help investigate what happened and mitigate the damage. D’Angelo said that affected users should be receiving an email that explains the situation, but if you have a Quora account, it’s probably a good idea to go ahead and change your password—especially if you reuse passwords. In all, the attackers were able to compromise a lot of data. Quora says that information includes:

  • Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users
  • Public content and actions, e.g. questions, answers, comments, upvotes
  • Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)

Fortunately, Quora says it has not stored any identifying information associated with anonymous inquiries and replies.

For users, the biggest immediate concern should be that part about hackers accessing “data imported from linked networks.” Quora allows users to sign in with Facebook or Google and it’s possible that personal information from one of those networks also made it into the wrong hands. We’ve asked all three companies for more details on exactly what was compromised but we did not receive an immediate reply.

We also asked Quora what type of cryptographic hashing method it uses. The attackers should only be able to recover a password by brute-force guessing, and how long that takes depends on how computationally expensive the hash is.

The good news is that there’s no financial information associated with Quora users; the bad news is that the website is more like a social network than it might seem. People ask personal questions that could help draw a personality profile and others give answers that could do the same. Earlier this year, when Facebook admitted that it had lost control of 87 million users’ data, the general public was reminded that data breaches aren’t just about identity theft. In that case, a firm working for the 2016 Trump presidential campaign obtained access to the data, raising concerns that it was used for targeted political messaging. The firm has disputed the number of users whose data it obtained and maintains that none of the data was directly employed during the 2016 election.

For now, check your inbox for any notifications and you can read an FAQ here.

[Quora]

Source: Hack of 100 Million Quora Users Could Be Worse Than it Sounds

China Set to Launch First-Ever Spacecraft to the Far Side of the Moon, try to grow plants there and listen to radio waves blocked off by the moon

Early in the New Year, if all goes well, the Chinese spacecraft Chang’e-4 will arrive where no craft has been before: the far side of the Moon. The mission is scheduled to launch from Xichang Satellite Launch Centre in Sichuan province on December 8. The craft, comprising a lander and a rover, will then enter the Moon’s orbit, before touching down on the surface.

If the landing is successful, the mission’s main job will be to investigate this side of the lunar surface, which is peppered with many small craters. The lander will also conduct the first radio astronomy experiments from the far side of the Moon—and the first investigations to see whether plants will grow in the low-gravity lunar environment.

Source: China Set to Launch First-Ever Spacecraft to the Far Side of the Moon – Scientific American

Researchers discover SplitSpectre, a new Spectre-like CPU attack via Javascript

Three academics from Northeastern University and three researchers from IBM Research have discovered a new variation of the Spectre CPU vulnerability that can be exploited via browser-based code.

The research team says this new CPU vulnerability is, too, a design flaw in the microarchitecture of modern processors that can be exploited by attacking the process of “speculative execution,” an optimization technique used to improve CPU performance.

The vulnerability, which researchers codenamed SplitSpectre, is a variation of the original Spectre v1 vulnerability discovered last year and which became public in January 2018.

The difference in SplitSpectre is not in what parts of a CPU’s microarchitecture the flaw targets, but how the attack is carried out.

According to the research team, a SplitSpectre attack is far easier to execute than an original Spectre attack.

[…]

For their academic paper, the research team says it successfully carried out a SplitSpectre attack against Intel Haswell and Skylake CPUs, and AMD Ryzen processors, via SpiderMonkey 52.7.4, Firefox’s JavaScript engine.

Source: Researchers discover SplitSpectre, a new Spectre-like CPU attack | ZDNet

Twitter user hacks 50,000 printers to tell people to subscribe to PewDiePie

A Twitter user using the pseudonym of @TheHackerGiraffe has hacked over 50,000 printers to print out flyers telling people to subscribe to PewDiePie’s YouTube channel.

The messages were sent out yesterday, November 29, and caused quite a stir among the users who received them, as they ended up in a wide range of places, from high-end multi-function printers at large companies to small handheld receipt printers at gas stations and restaurants.

The only condition was that the printer was connected to the Internet, used old firmware, and had “printing” ports left exposed online.

The message the printers received was a simple one. It urged people to subscribe to PewDiePie’s YouTube channel in order for PewDiePie – a famous YouTuber from Sweden, real name Felix Kjellberg – to keep the crown of most-subscribed YouTube channel.

If this sounds …odd… it’s because over the past month, an Indian record label called T-Series has caught up and surpassed PewDiePie, once considered untouchable in terms of YouTube followers.

The Swedish YouTube star made a comeback after his fans banded together in various social media campaigns, but T-Series is catching up with PewDiePie again.

Source: Twitter user hacks 50,000 printers to tell people to subscribe to PewDiePie | ZDNet

EU anti Geo-blocking comes into force: unlocking e-commerce in the EU

Under the new rules, traders will not be able to discriminate between customers with regard to the general terms and conditions – including prices – in three cases:

  • for goods that are either delivered in a member state to which the trader offers delivery or are collected at a location agreed with the customer
  • for electronically supplied services such as cloud, data warehousing and website hosting
  • for services such as hotel accommodation and car rental which are received by the customer in the country where the trader operates

Source: Geo-blocking: unlocking e-commerce in the EU – Consilium

Geo-blocking refers to practices used by online sellers that result in the denial of access to websites from other Member States. It also includes situations where access to a website is granted, but the customer from abroad is prevented from finalising the purchase or is asked to pay with a debit or credit card from a certain country. “Geo-discrimination” also takes place when buying goods and services off-line, e.g. when a consumer is physically present at the trader’s location but is either prevented from accessing a product or service or is offered different conditions.

The Geo-blocking Regulation aims to provide more opportunities to consumers and businesses within the EU’s internal market. In particular, it addresses the problem of (potential) customers not being able to buy goods and services from traders located in a different Member State for reasons related to their nationality, place of residence or place of establishment, which discriminates against them when they try to access the best offers, prices or sales conditions compared to nationals or residents of the trader’s Member State.

https://ec.europa.eu/digital-single-market/en/faq/geo-blocking

The FAQ linked above has more answers to common questions.


Reports of First Genetically Enhanced Babies Spark Outrage

Twin girls born earlier this month had their DNA altered to prevent them from contracting HIV, according to an Associated Press report. If confirmed, the births would signify the first gene-edited babies in human history—a stunning development that’s sparking an outcry from scientists and ethicists.

Professor He Jiankui of Shenzhen, China, made the announcement earlier today in Hong Kong, informing the Associated Press of his apparent achievement and releasing an accompanying video. He claims the twin girls were born earlier this month and that he altered their DNA with the CRISPR-Cas9 gene-editing tool, which he did to confer a built-in immunity to the AIDS virus. The claim has yet to be independently confirmed, and the findings haven’t been published in a peer-reviewed journal; outside experts haven’t had an opportunity to corroborate the claims, or assess the efficacy or safety of the procedure.

A BBC article describes this news as “dubious,” but there’s reason to believe the claims could be true. Back in 2016, scientists in China used CRISPR to introduce a beneficial mutation that disables an immune-cell gene called CCR5, conferring immunity by knocking out a critical receptor, or mode of entry, for the HIV virus to infect a cell. The experiment showed that someday it might be possible to deliberately endow human DNA with this desirable mutation—the key word being “someday.” Immediately after the 2016 experiment, the scientists destroyed the embryos, saying more research will be required before modified embryos can be implanted in a mother’s womb.

Alarmingly, professor He has decided, quite unilaterally, to move ahead with this research, reportedly implanting the modified embryos into the mother’s womb—a step considered by most experts to be highly premature and reckless at this stage. Gene-editing of human embryos is sanctioned in the United States, but all embryos must be destroyed within a few days. A huge issue with this form of gene-editing is that it’s done on germline cells, which means introduced traits are heritable. Such is the case with these twins in China, who—if they are indeed genetically modified—will pass modified DNA down to any children they have. Scientists are still a long way off from knowing if this procedure is effective and safe.

In this case, there’s good reason for doubt. The CCR5 mutation is known to trigger offsetting conditions, such as a higher risk of contracting West Nile virus. Research suggests it also increases a person’s chance of dying from influenza. Also, CRISPR is a notoriously blunt instrument, and there’s no way of knowing if He’s procedure introduced knock-on effects, some of which wouldn’t be known until the girls reach maturity.

Details of the procedure are still scarce, such as the identity of the parents or where the research was conducted, but preliminary information acquired by AP is cause for concern.

The AP reports that CRISPR-Cas9 gene editing was done during the in vitro fertilization, or IVF, stage. Several days later, the cells of the modified embryos were checked for signs of DNA editing. Of the 22 embryos edited, 11 were used in six implant attempts. Only one worked, resulting in the twin births. In all, some seven couples participated in the procedure.

Follow-up tests suggest one of the twins had just one copy of the intended gene alteration, while the other had both. Individuals with one copy of the mutated gene can still contract HIV, but they may have an increased ability to ward off the effects of the disease. Many experts say the procedure should not have been allowed to happen at all, and that the decision to implant the “partially” modified embryo was an even worse indiscretion, calling it a form of human experimentation.

Speaking to the AP, Dr. Kiran Musunuru, a University of Pennsylvania gene editing expert, said in this particular child, “there really was almost nothing to be gained in terms of protection against HIV and yet you’re exposing that child to all the unknown safety risks,” adding that the entire enterprise is “unconscionable” and “an experiment on human beings that is not morally or ethically defensible.”

Bioethicist Julian Savulescu from the University of Oxford described the experiment as “monstrous” in an interview with the BBC.

“Gene editing itself is experimental and is still associated with off-target mutations, capable of causing genetic problems early and later in life, including the development of cancer,” Savulescu told the BBC. “This experiment exposes healthy normal children to risks of gene editing for no real necessary benefit.”

If that’s not enough, this story gets even murkier.

He, who works at the Southern University of Science and Technology of China in Shenzhen, gave the university official notice of his experiment “long after he said he started it,” AP reports. It’s not clear if the participants understood the true nature of the experiment, which was described as an “AIDS vaccine development” program. The Shenzhen university said He’s work “seriously violated academic and ethics standards,” and an investigation is in the works. He, who owns two genetics companies in China, was reportedly assisted by U.S. scientist Michael Deem, who was an advisor to He when they worked together at Rice University in Houston. Deem also has stakes in both of He’s companies.

Condemnation of the procedure, however, is not universal among experts. Harvard geneticist George Church defended the alleged human gene-editing, telling AP that HIV is a “major and growing public health threat” and that the work done by He was “justifiable.”

A fascinating aspect of this alarming story is that He was not trying to cure a genetic disease. Rather, it was a deliberate attempt to endow humans with the capacity to ward off a future infection, namely one caused by the AIDS virus. In this sense, the procedure (if it happened in the way He is claiming), might be considered an enhancement rather than a therapy. As such, these girls may go down in history as the first enhanced humans produced by gene-editing.

Unfortunately, the brazen recklessness exhibited by He will now place a dark taint on that futuristic prospect. Yes, we may eventually use gene-editing to cure diseases and endow our species with new capacities—but such research cannot happen at the whim of rogue scientists.

[Associated Press and BBC]

Source: Reports of First Genetically Enhanced Babies Spark Outrage

Your phone indeed has ears that you may not know about – the companies that listen to noise in the background while apps that contain their software are open

No, your phone is not “listening” to you in the strictest sense of the word. But, yes, all your likes, dislikes and preferences are clearly being heard by apps on your phone whose terms you oh-so-easily clicked “agree” to while installing.

How so?

If you are in India, the answer to the question will lead you to Zapr, a service backed by heavyweights such as the Rupert Murdoch-led media group Star, Indian e-commerce leader Flipkart, Indian music streaming service Saavn, and mobile phone maker Micromax, among more than a dozen others. The company owning Zapr is named Red Brick Lane Marketing Solutions Pvt Ltd. (Paytm founder Vijay Shekhar Sharma and Sanjay Nath, co-founder and managing partner, Blume Ventures, were early investors in Zapr but are no longer so, according to filings with the ministry of corporate affairs. Sharma and Blume are among the investors in Sourcecode Media Pvt Ltd, which owns FactorDaily.)

Zapr, in fact, is one of the few companies in the world that has developed a solution that uses your mobile device’s microphone to recognise the media content you are watching or listening to in order to help brands and channels understand consumer media consumption. In short, it monitors sounds around you to contextualise you better for advertising and marketing targeting.

[…]

Advertisers globally spend some $650 billion annually and this cohort believes better profiling consumers by analysing their ambient sounds helps target advertising better. This group includes Chinese company ACRCloud, Audible Magic from the US, and the Netherlands’s Betagrid Media — and, Zapr from India.

Cut back to the Zapr headquarters on Old Madras Road in Bengaluru. One of the apps that inspired Zapr’s founding team was the popular music detection and identification app Shazam. But, its three co-founders saw opportunity in going further. “Instead of detecting music, can we detect all kinds of medium? Can we detect television? Can we detect movies in a theatre? Can we detect video on demand? Can we really build a profile for a user about their media consumption habits… and that really became the idea, the vision we wanted to solve for,” Sandipan Mondal, CEO of Zapr Media Labs, said in an interview last week on Thursday.

[…]

But, Zapr’s tech comes with privacy and data concerns – lots of them. The way its tech gets into your phone is dodgy: its code rides on third-party apps ranging from news apps to gaming apps to video streaming apps. You might be downloading Hotstar or a Dainik Jagran app or a Chotta Beem app on your phone, little knowing that Zapr’s or an equivalent audio monitoring code sits inside those apps to listen to sounds around you in an attempt to see what media content you are consuming.

In most cases reviewed by FactorDaily in a two-week exercise, it was not obvious that the app would monitor audio via the smartphone or mobile device’s microphone for use by another party (Zapr) for ad targeting purposes. Some apps hinted at Zapr’s tech at the bottom of the app description and some in the form of a pop-up – an app from Nazara games, for instance, mentioned that it required mic access to ‘Record Audio for better presentation’. Sometimes, the pop-up would show up a few days after the download. And, often, the disclosure was buried somewhere in the app’s privacy policy.

None of these apps made it clear explicitly what the audio access via the microphone was for. “The problem with apps which embed this technology is that their presence is not outright disclosed and is difficult to find. Also, there is not an easy way to find out the apps in the PlayStore that have this tech embedded in them,” said Thejesh G N, an info-activist and the founder of DataMeet, a community of data scientists and open data enthusiasts.

Source: Your phone indeed has ears that you may not know about | FactorDaily

A Chinese startup may have cracked solid-state batteries

According to Chinese media, Qing Tao Energy Development Co, a startup out of the technical Tsinghua University, has deployed a solid-state battery production line in Kunshan, East China. Reports claim the line has a capacity of 100MWh per year — which is planned to increase to 700MWh by 2020 — and that the company has achieved an energy density of more than 400Wh/kg, compared to new generation lithium-ion batteries that boast a capacity of around 250-300Wh/kg.

Source: A Chinese startup may have cracked solid-state batteries

Creepy Chinese AI shames CEO for jaywalking on public displays throughout city – but detected the CEO on an ad on a bus

Dong Mingzhu, chairwoman of China’s biggest maker of air conditioners, Gree Electric Appliances, found her face splashed on a huge screen erected along a street in the port city of Ningbo that displays images of people caught jaywalking by surveillance cameras.

That artificial intelligence-backed surveillance system, however, erred in capturing Dong’s image on Wednesday from an advertisement on the side of a moving bus.

The traffic police in Ningbo, a city in the eastern coastal province of Zhejiang, were quick to recognise the mistake, writing in a post on the microblog Sina Weibo on Wednesday that they had deleted the snapshot. They also said the surveillance system would be completely upgraded to cut incidents of false recognition in future.

[…]

Since last year, many cities across China have cracked down on jaywalking by investing in facial recognition systems and advanced AI-powered surveillance cameras. Jaywalkers are identified and shamed by displaying their photographs on large public screens.

First-tier cities like Beijing and Shanghai were among the first to employ those systems to help regulate traffic and identify drivers who violate road rules, while Shenzhen traffic police began displaying photos of jaywalkers on large screens at major intersections from April last year.

Source: Facial recognition snares China’s air con queen Dong Mingzhu for jaywalking, but it’s not what it seems | South China Morning Post

Be Warned: Customer Service Agents Can See What You’re Typing in Real Time on their website forms

Next time you’re chatting with a customer service agent online, be warned that the person on the other side of your conversation might see what you’re typing in real time. A reader sent us the following transcript from a conversation he had with a mattress company after the agent responded to a message he hadn’t sent yet.

Something similar recently happened to HmmDaily’s Tom Scocca. He got a detailed answer from an agent one second after he hit send.

Googling led Scocca to a live chat service that offers a feature it calls “real-time typing view” to allow agents to have their “answers prepared before the customer submits his questions.” Another live chat service, which lists McDonalds, Ikea, and Paypal as its customers, calls the same feature “message sneak peek,” saying it will allow you to “see what the visitor is typing in before they send it over.” Salesforce Live Agent also offers “sneak peek.”

On the upside, you get fast answers. On the downside, your thought process is being unknowingly observed. For the creators, this is technological magic, a deception that will result, they hope, in amazement and satisfaction. But once revealed by an agent who responds too quickly or one who responds before the question is asked, the trick falls apart, and what is left behind feels distinctly creepy, like a rabbit pulled from a hat with a broken neck. “Why give [customers] a fake ‘Send message’ button while secretly transmitting their messages all along?” asks Scocca.

This particular magic trick happens thanks to JavaScript running in your browser that watches the chat box and reports what you type to the site in real time, before you press send. It’s also how companies capture information you’ve entered into web forms before you’ve hit submit. Companies could lessen the creepiness by telling people their typing is seen in real time, or could eliminate the send button altogether (but that would undoubtedly confuse people, as if the useless “close door” buttons in elevators or the placebo buttons at crosswalks disappeared overnight).

Lest you think unexpected monitoring is limited to your digital interactions, know that you should be paranoid during telephone chats too. As the New York Times reported over a decade ago, during those calls where you are reassured of “being recorded for quality assurance purposes,” your conversation while on hold is recorded. So even if there is music playing, monitors may later listen to you fight with your spouse, sing a song, or swear about the agent you’re talking to.

Source: Be Warned: Customer Service Agents Can See What You’re Typing in Real Time

US told to quit sharing data with human rights-violating surveillance regime. Which one, you ask? That’d be the UK

UK authorities should not be granted access to data held by American companies because British laws don’t meet human rights obligations, nine nonprofits have said.

In a letter to the US Department of Justice, organisations including Human Rights Watch and the Electronic Frontier Foundation set out their concerns about the UK’s surveillance and data retention regimes.

They argue that the nation doesn’t adhere to human rights obligations and commitments, and therefore it should not be allowed to request data from US companies under the CLOUD Act, which Congress slipped into the Omnibus Spending Bill earlier this year.

The law allows the US government to sign formal, bilateral agreements with other countries setting standards for cross-border investigative requests for digital evidence related to serious crime and terrorism.

It requires that these countries “adhere to applicable international human rights obligations and commitments or demonstrate respect for international universal human rights”. The civil rights groups say the UK fails to make the grade.

As such, the groups urged the US administration not to sign an executive order allowing the UK to request access to data, communications content and associated metadata, noting that the CLOUD Act “implicitly acknowledges” some of the info gathered might relate to US folk.

Critics are concerned this could then be shared with US law enforcement, thus breaking the Fourth Amendment, which requires a warrant to be served for the collection of such data.

Setting out the areas in which the UK falls short, the letter pointed to pending laws on counter-terrorism, saying that, as drafted, they would “excessively restrict freedom of expression by criminalizing clicking on certain types of online content”.

Source: US told to quit sharing data with human rights-violating surveillance regime. Which one, you ask? That’d be the UK • The Register

mobile providers in NL urged to stop killing unused data and phone minutes, as technically the user has paid for it and if they exceed the maximum they are fined

Telecom providers must stop letting unused data and call minutes expire. That is what the Consumentenbond (the Dutch consumers’ association) writes in a letter to the ten largest providers.

Consumers with a mobile subscription currently lose the unused call minutes and data in their bundle at the end of every month. At the same time, they pay extra for every minute or MB they use outside their bundle, sometimes as much as 0.31 euro per minute or 0.15 euro per MB.

Source: ‘Providers pak ongebruikte data en belminuten niet af’ – Emerce

OneDrive is broken: Microsoft’s cloudy storage drops from the sky for EU users

Oh, you tease

It is OneDrive’s turn to get a beating with the stick of fail as the service took a tumble this morning.

Issues first began appearing at around 08:00 GMT as users around Europe logged in, expecting to find their files, and found instead a picture of a bicycle with a flat tyre or a dropped ice cream cone. Oh, you guys!

The fact that Microsoft has a wide variety of images to illustrate failure will be of little comfort to users that depend on the cloud storage system.

OneDrive is Microsoft’s answer to the likes of Dropbox and its ilk, allowing users to stash files (up to 1TB for an individual Office 365 subscriber) on Redmond’s servers and synchronise them to their devices or access them through a web client.

Except now it doesn’t. We checked it out at Vulture Central and found that, yes, synchronisation had stopped, and while it was possible to log into the web portal for a teasing look at one’s files, actually trying to open them resulted in an error.

Even local Office 365 apps, such as Word, are jolly unhappy, reporting errors on saving documents due to the inaccessibility of the cloudy storage. The experience is a lesson on the consequences of too much dependence on the cloud.

Source: OneDrive is broken: Microsoft’s cloudy storage drops from the sky for EU users • The Register

the cloud strikes again

GCHQ vulnerability disclosure process and cops hacking you now need a judge to decide if it’s legal in the UK

On the same day that certain types of British state-backed hacking now need a judge-issued warrant to carry out, GCHQ has lifted the veil and given the infosec world a glimpse inside its vuln-hoarding policies.

The spying agency’s internal Equities Process is the way by which it decides whether or not to tell tech vendors that its snoopers have discovered a hardware or software vulnerability.

A hot topic for many years, vuln disclosure (and patching) is a double-edged sword for spy agencies. If they keep discovered vulns to themselves, they can exploit them for their own ends, for which the public reason is given as disrupting “the activities of those who seek to do the UK harm” – including Belgian phone operators.

If GCHQ discloses vulns it has found to the affected vendor, that can “benefit global users of the technology”, in the agency’s words, as well as tending to build trust – something the Peeping Tom agency is dead keen on following the international damage done to its reputation after the Snowden disclosures.

However, in a briefing note today the agency revealed it may keep vulns in unsupported software to itself. “Where the software in question is no longer supported by the vendor,” it said, “were a vulnerability to be discovered in such software, there would be no route by which it could be patched.”

Only last year Microsoft prez Brad Smith was raging against GCHQ’s American cousins, the NSA, for the “stockpiling of vulnerabilities by governments” – though, as we revealed, Microsoft had been sitting on a pile of patches that were only provided to corporate customers and not the public, so not everyone in this debate is squeaky clean.

Lovely bureaucracy

When it decides whether or not to give up a vuln, GCHQ said three internal bodies are involved: the Equities Technical Panel, made up of “subject matter expert” spies; the GCHQ Equity Board, which is chaired by a civil servant from GCHQ’s public-facing arm, the National Cyber Security Centre (NCSC), and staffed by people from other government departments; and the Equities Oversight Committee, chaired by the chief exec of the NCSC, Ciaran Martin.

Broadly speaking, Martin gets the final word on whether or not a vuln is “released” to be patched. Those decisions are “regularly reviewed at a period appropriate to the security risk” and, regardless of the risk, “at least every 12 months”.

What do they review? Operational necessity (“How reliant are we on this vulnerability to realise intelligence?”) is one criterion, as well as the impact on other British government departments’ activities. Questions about whether the vuln could be spotted independently by others and used to harm business and private citizens are considered under the general category of “defensive risk”, but appear to be less of a priority than looking at whether the state will find its wings clipped as a result of disclosure.

Even then, the agency would rather nudge industry into applying “configuration changes” to mitigate against vulns rather than seeing a proper patch deployed after disclosure. The reason is obvious: not everyone implements config changes, meaning some GCHQ targets may continue to be vulnerable to “network exploitation”.

“Assessment in relation to a number of these factors is based on standardised criteria and past experience, including applying the use of the Common Vulnerability Scoring System where appropriate,” said GCHQ.

Good stuff, now go and get a proper warrant

Today a post-Snowden legal tweak comes into force: state employees wanting to hack targets’ networks and devices must now get a judge-issued warrant, under section 106 of the Investigatory Powers Act.

“Such warrants can then be issued from 5th December. However unless urgent, the warrant will need to be reviewed and approved by a Judicial Commissioner,” noted the Society for Computers and Law in an update about the new law. It added that from January, law enforcement agencies will have to use this process to insert probes into suspected hackers’ gear.

Using hacking tools to investigate alleged crimes that fall under sections 1 to 3 of the Computer Misuse Act 1990 is now subject to the “equipment interference warrant” procedure, rather than the bog-standard Police Act 1997 “property interference authorisation”.

The difference is that state-backed hackers set out to find “communications, private information or equipment data”, which therefore need a different set of legal protections from those of the Police Act process, written around slightly different scenarios such as planting tracker bugs on cars. ®

Bootnote

“In exceptional cases, the CEO of the NCSC may decide that further escalation via submissions to Director GCHQ and, if required, the Foreign Secretary should be invoked,” said the GCHQ press briefing note, giving rise to images of spy agency suits pacing in circles around a smoking server and chanting Jeremy Hunt’s name, falling to their knees in gratitude when the mystical foreign secretary himself appears in a flash of lightning, ready to dispense vuln-disclosing justice.

We encourage GCHQ-based readers to send us videos of this process if this is actually what goes on.

Source: GCHQ opens kimono for infosec world to ogle its vuln disclosure process • The Register

Mass router hack exposes millions of devices to potent NSA exploit through UPNP

More than 45,000 Internet routers have been compromised by a newly discovered campaign that’s designed to open networks to attacks by EternalBlue, the potent exploit that was developed by, and then stolen from, the National Security Agency and leaked to the Internet at large, researchers said Wednesday.

The new attack exploits routers with vulnerable implementations of Universal Plug and Play to force connected devices to open ports 139 and 445, content delivery network Akamai said in a blog post. As a result, almost 2 million computers, phones, and other network devices connected to the routers are reachable from the Internet on those ports. While Internet scans don’t reveal precisely what happens to the connected devices once they’re exposed, Akamai said the ports—which are instrumental for the spread of EternalBlue and its Linux cousin EternalRed—provide a strong hint of the attackers’ intentions.

The attacks are a new instance of a mass exploit the same researchers documented in April. They called it UPnProxy because it exploits Universal Plug and Play—often abbreviated as UPnP—to turn vulnerable routers into proxies that disguise the origins of spam, DDoSes, and botnets. In Wednesday’s blog post, the researchers wrote:

Source: Mass router hack exposes millions of devices to potent NSA exploit | Ars Technica
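One way to check a router for the mapping-table abuse described in the item above, as an added example in Go that is not part of the Ars Technica or Akamai write-up: it walks the WANIPConnection NAT table one GetGenericPortMappingEntry reply at a time and flags rows that expose port 139 or 445, or whose internal client is not a private address (a router forwarding Internet traffic to a public IP is the proxy hop that gives UPnProxy its name). The SOAP action, the envelope shape and UPnPError 713 come from the UPnP IGD specification; the control URL is device-specific and not fixed here, and the sample replies, addresses and ports are constructed. The request body is built but never sent, so the block runs offline against the constructed table.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"net"
)

// PortMapping is one NAT table row from the UPnP IGD action GetGenericPortMappingEntry.
type PortMapping struct {
	ExternalPort   int    `xml:"NewExternalPort"`
	Protocol       string `xml:"NewProtocol"`
	InternalPort   int    `xml:"NewInternalPort"`
	InternalClient string `xml:"NewInternalClient"`
}

// envelope mirrors just enough of the SOAP reply to get the entry or the fault code.
type envelope struct {
	Body struct {
		Entry *PortMapping `xml:"GetGenericPortMappingEntryResponse"`
		Fault *struct {
			Code int `xml:"detail>UPnPError>errorCode"`
		} `xml:"Fault"`
	} `xml:"Body"`
}

// GetEntryRequest is the SOAP body for table row index; a live scan POSTs it to the
// device-specific WANIPConnection control URL (taken from the device description XML) with
// SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#GetGenericPortMappingEntry"
func GetEntryRequest(index int) string {
	return fmt.Sprintf(`<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" `+
		`s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>`+
		`<u:GetGenericPortMappingEntry xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">`+
		`<NewPortMappingIndex>%d</NewPortMappingIndex></u:GetGenericPortMappingEntry></s:Body></s:Envelope>`, index)
}

// WalkTable decodes the router's replies to GetEntryRequest(0), (1), ... and returns every
// mapping seen; UPnPError 713 (SpecifiedArrayIndexInvalid) marks the end of the table.
func WalkTable(replies []string) ([]PortMapping, error) {
	var table []PortMapping
	for i, r := range replies {
		var env envelope
		if err := xml.Unmarshal([]byte(r), &env); err != nil {
			return table, fmt.Errorf("index %d: %w", i, err)
		}
		if f := env.Body.Fault; f != nil {
			if f.Code == 713 {
				return table, nil
			}
			return table, fmt.Errorf("index %d: UPnPError %d", i, f.Code)
		}
		if env.Body.Entry == nil {
			return table, fmt.Errorf("index %d: neither entry nor fault", i)
		}
		table = append(table, *env.Body.Entry)
	}
	return table, nil
}

// Audit returns one line per suspicious mapping: rows exposing SMB/NetBIOS (the EternalBlue and
// EternalRed ports) or whose internal client is not a private address (the UPnProxy relay pattern).
func Audit(table []PortMapping) []string {
	smb := map[int]bool{139: true, 445: true}
	var findings []string
	for _, m := range table {
		where := fmt.Sprintf("%s %d -> %s:%d", m.Protocol, m.ExternalPort, m.InternalClient, m.InternalPort)
		if ip := net.ParseIP(m.InternalClient); ip == nil || !ip.IsPrivate() {
			findings = append(findings, where+": internal client is not a LAN address (UPnProxy hop)")
		}
		if smb[m.InternalPort] || smb[m.ExternalPort] {
			findings = append(findings, where+": exposes SMB/NetBIOS to the Internet")
		}
	}
	return findings
}

// entryReply fabricates one router reply for the constructed sample table below.
func entryReply(ext int, proto string, internal int, client string) string {
	return fmt.Sprintf(`<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>`+
		`<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">`+
		`<NewRemoteHost></NewRemoteHost><NewExternalPort>%d</NewExternalPort><NewProtocol>%s</NewProtocol>`+
		`<NewInternalPort>%d</NewInternalPort><NewInternalClient>%s</NewInternalClient><NewEnabled>1</NewEnabled>`+
		`<NewPortMappingDescription>upnp</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>`+
		`</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>`, ext, proto, internal, client)
}

// SampleReplies is a constructed NAT table: one legitimate console mapping, two UPnProxy-style
// injections (203.0.113.7 is a documentation address), then the 713 fault that ends the walk.
var SampleReplies = []string{
	entryReply(3074, "UDP", 3074, "192.168.1.10"),
	entryReply(47450, "TCP", 445, "192.168.1.23"),
	entryReply(8080, "TCP", 80, "203.0.113.7"),
	`<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault><faultcode>s:Client</faultcode>` +
		`<faultstring>UPnPError</faultstring><detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">` +
		`<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError></detail>` +
		`</s:Fault></s:Body></s:Envelope>`,
}

func main() {
	table, _ := WalkTable(SampleReplies)
	for _, f := range Audit(table) {
		fmt.Println("FLAG", f)
	}
}
```

On a live device the walk is the same loop, with each GetEntryRequest POSTed to the control URL and the reply fed to the decoder. Two things to keep in mind when doing that: UPnP IGD is a LAN-side protocol, so a router that answers these control requests on its WAN interface is already a finding in itself, and the mapping description field is attacker-controlled, so do not key detection on it.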

When the Internet Archive Forgets


On the internet, there are certain institutions we have come to rely on daily to keep truth from becoming nebulous or elastic. Not necessarily in the way that something stupid like Verrit aspired to, but at least in confirming that you aren’t losing your mind, that an old post or article you remember reading did, in fact, actually exist. It can be as fleeting as using Google Cache to grab a quickly deleted tweet, but it can also be as involved as doing a deep dive of a now-dead site’s archive via the Wayback Machine. But what happens when an archive becomes less reliable, and arguably has legitimate reasons to bow to pressure and remove controversial archived material?

A few weeks ago, while recording my podcast, the topic turned to the old blog written by The Ultimate Warrior, the late bodybuilder turned chiropractic student turned pro wrestler turned ranting conservative political speaker under his legal name of, yes, “Warrior.” As described by Deadspin’s Barry Petchesky in the aftermath of Warrior’s 2014 passing, he was “an insane dick,” spouting off in blogs and campus speeches about people with disabilities, gay people, New Orleans residents, and many others. But when I went looking for a specific blog post, I saw that the blogs were not just removed, the site itself was no longer in the Internet Archive, replaced by the error message: “This URL has been excluded from the Wayback Machine.”

Apparently, Warrior’s site had been de-archived for months, not long after Rob Rousseau pored over it for a Vice Sports article on the hypocrisy of WWE using Warrior’s image for their Breast Cancer Awareness Month campaign. The campaign was all about getting women to “Unleash Your Warrior,” complete with an Ultimate Warrior motif, but since Warrior’s blogs included wishing death on a cancer survivor, this wasn’t a good look. Rousseau was struck by how the archive was removed “almost immediately after my piece went up, like within that week,” he told Gizmodo.

Rousseau suspected that WWE was somehow behind it, but a WWE spokesman told Gizmodo that they were not involved. Steve Wilton, the business manager for Ultimate Creations, also denied involvement. A spokesman for the Internet Archive, though, told Gizmodo that the archive was removed because of a DMCA takedown request from the company’s business manager (Wilton’s job for years) on October 29, 2017, two days after the Vice article was published. (He has not replied to a follow-up email about the takedown request.)

Over the last few years, there has been a change in how the Wayback Machine is viewed, one inspired by the general political mood. What had long been a useful tool when you came across broken links online is now, more than ever before, seen as an arbiter of the truth and a bulwark against erasing history.

Archive sites that are trusted to show the digital trail and origin of content are not just a must-use tool for journalists, but effective for just about anyone trying to track down vanishing web pages. With that in mind, the fact that the Internet Archive doesn’t really fight takedown requests becomes a problem. And takedown requests are not the only recourse: when a site admin elects to block the Wayback crawler using a robots.txt file, the crawling doesn’t just stop. Instead, the Wayback Machine’s entire history of that site is removed from public view.

In other words, if you deal in a certain bottom-dwelling brand of controversial content and want to avoid accountability, there are at least two different, standardized ways of erasing it from the most reliable third-party web archive on the public internet.

For the Internet Archive, honoring robots.txt this way, like quickly complying with takedown notices that challenge its seemingly fair-use archive copies of old websites, in practice does little more than mitigate its risk while going against the spirit of the protocol. And if someone were to sue over non-compliance with a DMCA takedown request, even with a ready-made, valid defense in the Archive’s pocket, copyright litigation is still incredibly expensive. It doesn’t matter that the use is not really a violation by any metric. If a rightsholder makes the effort, you still have to defend the lawsuit.

“The fair use defense in this context has never been litigated,” noted Annemarie Bridy, a law professor at the University of Idaho and an Affiliate Scholar at the Center for Internet and Society at Stanford Law School. “Internet Archive is a non-profit, so the exposure to statutory damages that they face is huge, and the risk that they run is pretty great … given the scope of what they do; that they’re basically archiving everything that is on the public web, their exposure is phenomenal. So you can understand why their impulse might be to act cautiously even if that creates serious tension with their core mission, which is to create an accurate historical archive of everything that has been there and to prevent people from wiping out evidence of their history.”

While the Internet Archive did not respond to specific questions about its robots.txt policy, its proactive response to takedown requests, or if any potential fair use defenses have been tested by them in court, a spokesperson did send this statement along:

Several months after the Wayback Machine was launched in late 2001, we participated with a group of outside archivists, librarians, and attorneys in the drafting of a set of recommendations for managing removal requests (the Oakland Archive Policy) that the Internet Archive more or less adopted as guidelines over the first decade or so of the Wayback Machine.

Earlier this year, we convened with a similar group to review those guidelines and explore the potential value of an updated version. We are still pondering many issues and hope that before too long we might be able to present some updated information on our site to better help the public understand how we approach take down requests. You can find some of our thoughts about robots.txt at http://blog.archive.org/2017/04/17/robots-txt-meant-for-search-engines-dont-work-well-for-web-archives/.

At the end of the day, we strive to strike a balance between the concerns that site owners and rights holders sometimes bring to us with the broader public interest in free access for everyone to a history of the Internet that is as comprehensive as possible.

All of that said, the Internet Archive has always held itself out to be a library; in theory, shouldn’t that matter?

“Under current copyright law, although there are special provisions that give certain rights to libraries, there is no definition of a library,” explained Brandon Butler, the Director of Information Policy for the University of Virginia Library. “And that’s a thing that rights holders have always fretted over, and they’ve always fretted over entities like the Internet Archive, which aren’t 200-year-old public libraries, or university-affiliated libraries. They often raise up a stand that there will be faux libraries, that they’d call themselves libraries but it’s really just a haven for piracy. That specter of the sort of sham library really hasn’t arisen.” The lone exception that Butler could think of was when American Buddha, a non-profit, online library of Buddhist texts, found itself sued by Penguin over a few items that they asserted copyright over. “The court didn’t really care that this place called itself a library; it didn’t really shield them from any infringement allegations.” That said, as Butler notes, while being a library wouldn’t necessarily protect the Internet Archive as much as it could, “the right to make copies for preservation,” as Butler puts it, is definitely a point in their favor.

That said, “libraries typically don’t get sued; it’s bad PR,” Butler says. So it’s not like there’s a ton of modern legal precedent about libraries in the digital age, barring some outliers like the various Google Books cases.

As Bridy notes, in the United States, copyright is “a commercial right.” It’s not about reputational harm, it’s about protecting the value of a work and, more specifically, the ability to continuously make money off of it. “The reason we give it is we want artists and creative people to have an incentive to publish and market their work,” she said. “Using copyright as a way of trying to control privacy or reputation … it can be used that way, but you might argue that’s copyright misuse, you might argue it falls outside of the ambit of why we have copyright.”

We take a lot of things for granted, especially as we rely on technology more and more. “The internet is forever” may be a common refrain in the media, and the underlying wisdom about being careful may be sound, but it is also not something that should be taken literally. People delete posts. Websites and entire platforms disappear for business and other reasons. Rich, famous, and powerful bad actors have no qualms about intimidating small non-profit organizations. It’s nice to have safeguards, but there are limits to permanence on the internet, and where there are limits, there are loopholes.

Source: When the Internet Archive Forgets

Another thing seriously broken with copyright

In China, your car could be talking to the government

When Shan Junhua bought his white Tesla Model X, he knew it was a fast, beautiful car. What he didn’t know is that Tesla constantly sends information about the precise location of his car to the Chinese government.

Tesla is not alone. China has called upon all electric vehicle manufacturers in China to make the same kind of reports — potentially adding to the rich kit of surveillance tools available to the Chinese government as President Xi Jinping steps up the use of technology to track Chinese citizens.

“I didn’t know this,” said Shan. “Tesla could have it, but why do they transmit it to the government? Because this is about privacy.”

More than 200 manufacturers, including Tesla, Volkswagen, BMW, Daimler, Ford, General Motors, Nissan, Mitsubishi and U.S.-listed electric vehicle start-up NIO, transmit position information and dozens of other data points to government-backed monitoring centers, The Associated Press has found. Generally, it happens without car owners’ knowledge.

The automakers say they are merely complying with local laws, which apply only to alternative energy vehicles. Chinese officials say the data is used for analytics to improve public safety, facilitate industrial development and infrastructure planning, and to prevent fraud in subsidy programs.

China has ordered electric car makers to share real-time driving data with the government. The country says it’s to ensure safety and improve the infrastructure, but critics worry the tracking can be put to more nefarious uses. (Nov. 29)

But other countries that are major markets for electric vehicles — the United States, Japan, across Europe — do not collect this kind of real-time data.

And critics say the information collected in China is beyond what is needed to meet the country’s stated goals. It could be used not only to undermine foreign carmakers’ competitive position, but also for surveillance — particularly in China, where there are few protections on personal privacy. Under the leadership of Xi Jinping, China has unleashed a war on dissent, marshalling big data and artificial intelligence to create a more perfect kind of policing, capable of predicting and eliminating perceived threats to the stability of the ruling Communist Party.

There is also concern about the precedent these rules set for sharing data from next-generation connected cars, which may soon transmit even more personal information.

Source: In China, your car could be talking to the government

Companies ‘can sack workers for refusing to use fingerprint scanners’ in Australia

Businesses using fingerprint scanners to monitor their workforce can legally sack employees who refuse to hand over biometric information on privacy grounds, the Fair Work Commission has ruled.

The ruling, which will be appealed, was made in the case of Jeremy Lee, a Queensland sawmill worker who refused to comply with a new fingerprint scanning policy introduced at his work in Imbil, north of the Sunshine Coast, late last year.

Fingerprint scanning was used to monitor the clock-on and clock-off times of about 150 sawmill workers at two sites and was preferred to swipe cards because it prevented workers from fraudulently signing in on behalf of their colleagues to mask absences.

The company, Superior Wood, had no privacy policy covering workers and failed to comply with a requirement to properly notify individuals about how and why their data was being collected and used. The biometric data was stored on servers located off-site, in space leased from a third party.

Lee argued the business had never sought its workers’ consent to use fingerprint scanning, and feared his biometric data would be accessed by unknown groups and individuals.

“I am unwilling to consent to have my fingerprints scanned because I regard my biometric data as personal and private,” Lee wrote to his employer last November.

“Information technology companies gather as much information/data on people as they can.

“Whether they admit to it or not. (See Edward Snowden) Such information is used as currency between corporations.”

Lee was neither antagonistic nor belligerent in his refusals, according to evidence before the commission. He simply declined to have his fingerprints scanned and continued using a physical sign-in booklet to record his attendance.

He had not missed a shift in more than three years.

The employer warned him about his stance repeatedly, and claimed the fingerprint scanner did not actually record a fingerprint, but rather “a set of data measurements which is processed via an algorithm”. The employer told Lee there was no way the data could be “converted or used as a finger print”, and would only be used to link his payroll number to his clock-on and clock-off time. It said the fingerprint scanners were also needed for workplace safety, to accurately identify which workers were on site in the event of an accident.

Lee was given a final warning in January, and responded that he valued his job a “great deal” and wanted to find an alternative way to record his attendance.

“I would love to continue to work for Superior Wood as it is a good, reliable place to work,” he wrote to his employer. “However, I do not consent to my biometric data being taken. The reason for writing this letter is to impress upon you that I am in earnest and hope there is a way we can negotiate a satisfactory outcome.”

Lee was sacked in February, and lodged an unfair dismissal claim in the Fair Work Commission.

Source: Companies ‘can sack workers for refusing to use fingerprint scanners’ | World news | The Guardian

You only have one set of fingerprints – that’s the problem with biometrics: they can’t be changed, so you really really don’t want them stolen from you

Marriott’s Starwood hotels mega-hack: Half a BILLION guests’ deets exposed over 4 years

US hotel chain Marriott has admitted that a breach of its Starwood subsidiary’s guest reservation network has exposed the entire database – all 500 million guest bookings over four years, making this one of the biggest hacks of an individual org ever.

“On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States,” said the firm in a statement issued this morning. “Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.”

Around 327 million of those guest bookings included customers’ “name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”

For an unspecified number, encrypted card numbers and expiration dates were also included, though Marriott insisted there was AES-128 grade encryption on these details, saying: “There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”

This could be read as a reference to salting and hashing, though no further detail was supplied. We have contacted Marriott to double-check and will update this article if we hear back from them.

Source: Marriott’s Starwood hotels mega-hack: Half a BILLION guests’ deets exposed over 4 years
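An added example, written for this page and not a description of Marriott’s actual scheme (the statement above gives none): one reading of “two components needed to decrypt” that fits reversible AES-128 is envelope encryption, where the database holds only ciphertext and a wrapped per-record data key, and the key-encryption key (KEK) lives elsewhere, typically an HSM or key service. Salting and hashing are one-way and would not let a hotel recover a number to charge a card, so a practitioner would expect a reversible scheme with a separately held key. The KEK, the test card number and the AAD labels below are constructed; AES-128-GCM is used because the statement names AES-128 and GCM adds an integrity check.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is what the reservation database would hold for one card: the PAN as
// AES-128-GCM ciphertext under a per-record data key, and that data key wrapped
// (also AES-128-GCM) under a key-encryption key (KEK) kept outside the database.
// A dump of the table yields neither component needed to recover the PAN.
type Record struct {
	PANNonce, PANCipher  []byte
	KeyNonce, WrappedKey []byte
}

// gcm returns an AES-GCM AEAD for a 16-byte (AES-128) key.
func gcm(key []byte) (cipher.AEAD, error) {
	if len(key) != 16 {
		return nil, errors.New("AES-128 needs a 16-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts pt under key with a fresh random 96-bit nonce. The aad label
// binds each ciphertext to its role so a wrapped key cannot be swapped in as a PAN.
func sealGCM(key, pt, aad []byte) ([]byte, []byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, pt, aad), nil
}

func openGCM(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// EncryptPAN draws a one-off data key for this record, encrypts the PAN under it,
// then wraps the data key under kek. Only the wrapped form of the key is stored.
func EncryptPAN(kek []byte, pan string) (Record, error) {
	dataKey := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return Record{}, err
	}
	pn, pc, err := sealGCM(dataKey, []byte(pan), []byte("pan"))
	if err != nil {
		return Record{}, err
	}
	kn, kc, err := sealGCM(kek, dataKey, []byte("datakey"))
	if err != nil {
		return Record{}, err
	}
	return Record{PANNonce: pn, PANCipher: pc, KeyNonce: kn, WrappedKey: kc}, nil
}

// DecryptPAN is the path a legitimate charge takes: unwrap the data key with the
// KEK, then decrypt the PAN. With the wrong KEK, or a tampered record, GCM's
// authentication tag check fails and nothing is returned.
func DecryptPAN(kek []byte, r Record) (string, error) {
	dataKey, err := openGCM(kek, r.KeyNonce, r.WrappedKey, []byte("datakey"))
	if err != nil {
		return "", fmt.Errorf("unwrap data key: %w", err)
	}
	pan, err := openGCM(dataKey, r.PANNonce, r.PANCipher, []byte("pan"))
	if err != nil {
		return "", fmt.Errorf("decrypt PAN: %w", err)
	}
	return string(pan), nil
}

func main() {
	// Constructed demo values: in practice the KEK lives in an HSM or KMS and the
	// card number comes from the booking; 4111111111111111 is a test number.
	kek := []byte("0123456789abcdef")
	rec, err := EncryptPAN(kek, "4111111111111111")
	if err != nil {
		panic(err)
	}
	_, err = DecryptPAN([]byte("fedcba9876543210"), rec) // attacker: dump, wrong KEK
	fmt.Println("dump only:", err)
	pan, _ := DecryptPAN(kek, rec) // attacker: dump plus the KEK
	fmt.Println("dump + KEK:", pan)
}
```

The per-record data key is what makes the scheme hold up under a bulk dump: the attacker must obtain the KEK from wherever it is held, and even then each record is a separate unwrap, which is where key-service access logging gets its chance to notice. Whether Marriott’s two components were anything like this is exactly the detail the statement leaves out.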

Google wants to spy on you and then report on you

suggesting, automatically implementing, or both suggesting and automatically implementing, one or more household policies to be implemented within a household environment. The household policies include one or more input criteria that is derivable from at least one smart device within the household environment, the one or more input criteria relating to a characteristic of the household environment, a characteristic of one or more occupants of the household, or both. The household policies also include one or more outputs to be provided based upon the one or more input criteria.

https://patents.justia.com/patent/10114351

Source: Patent Images

E.g. page 16, figure 25 – monitor TV watching patterns and report on you

page 20, figure 33 – detect time brushing teeth and report on you

Do you trust Google to be your parent?!

Google patents a way for your smart devices to spy on you, serve you ads, even if your privacy settings says no

In some embodiments, the private network may include at least one first device that captures information about its surrounding environment, such as data about the people and/or objects in the environment. The first device may receive a set of potential content sent from a server external to the private network. The first device may select at least one piece of content to present from the set of potential content based in part on the people/object data and/or a score assigned by the server to each piece of content. The private network may also include at least one second device that receives the captured people/object data sent from the first device. The second device may also receive a set of potential content sent from the server external to the private network. The second device may select at least one piece of content to present from the set of potential content based in part on the people/object data sent from the first device and/or a score assigned by the server to each piece of content. Using the private network to communicate the people/object data between devices may preserve the privacy of the user since the data is not sent to the external server. Further, using the obtained people/object data to select content enables more personalized content to be chosen.

[…]

 

  • Further, although not shown in this particular way, in some embodiments, the client device 134 may collect people/object data 136 using one or more sensors, as discussed above. Also, as previously discussed, the raw people/object data 136 may be processed by the sensing device 138, the client device 134, and/or a processing device 140 depending on the implementation. The people/object data 136 may include the data described above regarding FIG. 7 that may aid in recognizing objects, people, and/or patterns, as well as determining user preferences, mood, and so forth.
  • [0144] After the client device 134 is in possession of the people/object data 136, the client device 134 may use the classifier 144 to score each piece of content 132. In some embodiments, the classifier 144 may combine at least the people/object data 136, the scores provided by the server 67 for the content 132, or both, to determine a final score for each piece of content 132 (process block 216), which will be discussed in more detail below.
  • [0145] The client device 134 may select at least one piece of content 132 to display based on the scores (process block 218). That is, the client device 134 may select the content 132 with the highest score as determined by the classifier 144 to display. However, in some embodiments, where none of the content 132 generate a score above a threshold amount, no content 132 may be selected. In those embodiments, the client device 134 may not present any content 132. However, when at least one item of content 132 scores above the threshold amount and is selected, then the client device 134 may communicate the selected content 132 to a user of the client device 134 (process block 220) and track user interaction with the content 132 (process block 222). It should be noted that when more than one item of content 132 score above the threshold amount, then the item of content 132 with the highest score may be selected. The client device 134 may use the tracked user interaction and conversions to continuously train the classifier 144 to ensure that the classifier 144 stays up to date with the latest user preferences.
  • [0146] It should be noted that, in some embodiments, the processing device 140 may receive the content 132 from the server 67 instead of, or in addition to, the client device 134. In embodiments where the processing device 140 receives the content 132, the processing device 140 may perform the classification of the content 132 using a classifier 144 similar to the client device 134 and the processing device 140 may select the content 132 with the highest score as determined by the classifier 144. Once selected, the processing device 140 may send the selected content 132 to the client device 134, which may communicate the selected content 132 to a user.
  • […]
  • The process 230 may include training one or more models of the classifier 144 with people/object data 136, locale 146, demographics 148, search history 150, scores from the server 67, labels 145, and so forth. As previously discussed, the classifier 144 may include a support vector machine (SVM) that uses supervised learning models to classify the content 132 into one of two groups (e.g., binary classification) based on recognized patterns using the people/object data 136, locale 146, demographics 148, search history 150, scores from the server 67, and the labels 145 for the two groups of “show” or “don’t show.”

 

Source: US20160260135A1 – Privacy-aware personalized content for the smart home – Google Patents

 

They have thought up around 140 ways that this can be used…

Paralyzed Individuals Operate Tablet with Brain Implant

One user played Beethoven’s “Ode to Joy” on an Android tablet piano app and later bought some groceries online. Another sent a few texts and then checked the weather forecast. A third browsed through some videos before firing up Stevie Nicks on Pandora.

They didn’t use their fingers to type commands or their voices to navigate the interface.

They used their noggins, specifically the motor cortex region of their brains where a baby aspirin-size chip had been implanted as part of a new study

[…]

Each participant was asked to try out seven common apps on the tablet: email, chat, web browser, video sharing, music streaming, a weather program and a news aggregator. The researchers also asked the users if they wanted any additional apps, and subsequently added the keyboard app, grocery shopping on Amazon, and a calculator.

The participants made up to 22 point-and-click selections per minute and typed up to 30 characters per minute in email and text programs. What’s more, all three participants really enjoyed using the tablet, says Hochberg.

Source: Paralyzed Individuals Operate Tablet with Brain Implant – IEEE Spectrum

First ever plane with no moving parts takes flight

The first ever “solid state” plane, with no moving parts in its propulsion system, has successfully flown for a distance of 60 metres, proving that heavier-than-air flight is possible without jets or propellers.

The flight represents a breakthrough in “ionic wind” technology, which uses a powerful electric field to generate charged nitrogen ions, which are then expelled from the back of the aircraft, generating thrust.

The plane in flight. Photograph: Nature Video/Youtube

Steven Barrett, an aeronautics professor at MIT and the lead author of the study published in the journal Nature, said the inspiration for the project came straight from the science fiction of his childhood. “I was a big fan of Star Trek, and at that point I thought that the future looked like it should be planes that fly silently, with no moving parts – and maybe have a blue glow. But certainly no propellers or turbines or anything like that. So I started looking into what physics might make flight with no moving parts possible, and came across a concept known as the ionic wind, which was first investigated in the 1920s.

“This didn’t make much progress in that time. It was looked at again in the 1950s, and researchers concluded that it couldn’t work for aeroplanes. But I started looking into this and went through a period of about five years, working with a series of graduate students to improve fundamental understanding of how you could produce ionic winds efficiently, and how that could be optimised.”

In the prototype plane, wires at the leading edge of the wing have 600 watts of electrical power pumped through them at 40,000 volts. This is enough to induce “electron cascades”, ultimately charging air molecules near the wire. Those charged molecules then flow along the electrical field towards a second wire at the back of the wing, bumping into neutral air molecules on the way, and imparting energy to them. Those neutral air molecules then stream out of the back of the plane, providing thrust.

The end result is a propulsion system that is entirely electrically powered, almost silent, and with a thrust-to-power ratio comparable to that achieved by conventional systems such as jet engines.

Source: First ever plane with no moving parts takes flight | Science | The Guardian

CV Compiler is a robot that fixes your resume to make you more competitive

Machine learning is everywhere now, including recruiting. Take CV Compiler, a new product by Andrew Stetsenko and Alexandra Dosii. This web app uses machine learning to analyze and repair your technical resume, allowing you to shine to recruiters at Google, Yahoo and Facebook.

The founders are marketing and HR experts who have a combined 15 years of experience in making recruiting smarter. Stetsenko founded Relocate.me and GlossaryTech while Dosii worked at a number of marketing firms before settling on CV Compiler.

The app essentially checks your resume and tells you what to fix and where to submit it. It’s been completely bootstrapped thus far and they’re working on new and improved machine learning algorithms while maintaining a library of common CV fixes.

“There are lots of online resume analysis tools, but these services are too generic, meaning they can be used by multiple professionals and the results are poor and very general. After the feedback is received, users are often forced to buy some extra services,” said Stetsenko. “In contrast, the CV Compiler is designed exclusively for tech professionals. The online review technology scans for keywords from the world of programming and how they are used in the resume, relative to the best practices in the industry.”

Source: CV Compiler is a robot that fixes your resume to make you more competitive | TechCrunch

Palm’s Ultra Tiny Phone Is an Absolute Snack

There’s just something about this phone. From the moment I laid eyes on this thing, it just kind of made me happy. It’s small and adorable like a newborn puppy, and despite how petite it appears in photos, it looks and feels even smaller in person. And I’m not the only one that had this reaction. When I brought it into the office, people crowded around and marveled. One person cooed at it, another said, “it’s perfect,” while a third remarked that this is the exact sort of thing they’d wished someone would make for years.

Even for a crowd of tech bloggers, I was taken aback by its reception. Size alone isn’t what makes this handset remarkable. In part what makes the device exciting is that it’s the rebirth of Palm, the same company that made big ol’ PDAs and the ill-fated Palm Pre. Maybe more interestingly, Palm’s new phone also envisions an entirely different way of using and living with tech.

For something so small, it’s pretty mysterious, and I’m actually not even entirely sure what to call it. The company that makes it is Palm, but what about the device itself? Is it just Phone with a capital P, or is it the Palm Palm as its comical listing on Verizon’s website suggests? For now, I’ve been going with Baby Phone or just the mononymous Palm, because like Grimes, Wario, and Rasputin, this gadget is cool enough to need only a single name.

Don’t you just want to squeeze its cheeks?
Photo: Sam Rutherford (Gizmodo)

Now let’s talk about size. I don’t mean its actual dimensions—which are about the same as a credit card—but the reason behind why it’s so tiny. Recently, a lot of companies have been pushing the idea of digital wellness, with Google and Apple adding features to Android and iOS that help you track how much time you spend on your phone. That’s all fine, but in some ways, buying an $800 phone and then putting restrictions on it is like buying an Aston Martin and never driving it faster than 55 mph.

So instead of spending a lot of money on a phone that constantly tempts you, why not get something small and nimble that can still handle traditional smartphone duties, but doesn’t also ruin your life? That’s the real inspiration behind the Palm’s pint-sized body and mini display. You’re supposed to pull it out, check the screen real quick, and then put it away.

As small as the Palm looks, it feels even tinier in real life.
Photo: Sam Rutherford (Gizmodo)

The Palm is a more straightforward way to fight smartphone addiction, and while it does quite well at replacing your regular phone, it has some quirks and a few sore spots you should know about. I’m going to break things down The Good, the Bad, and the Ugly style.

Source: Palm’s Ultra Tiny Phone Is an Absolute Snack

 