Kalashnikov Unveils Flying ‘Hovercycle’

A Russian defense manufacturer named after the inventor of the AK-47 showed off its “flying car” to company officials and the Internet. The “car,” which has sixteen sets of rotors, could have military applications down the road including scouting, communications, and other tasks.

The unnamed vehicle was demonstrated Monday by officials at Kalashnikov Concern, part of the Russian defense giant Rostec and named after AK-47 designer M.T. Kalashnikov. The company develops and manufactures a wide variety of military small arms, from modernized versions of the AK-47 in service with the Russian military today to sniper rifles and guided artillery rounds.
[…]
The new vehicle, dubbed a “flying car” by the Russian media, has eight pairs of rotors that provide lift. The vehicle has a skeletal metal frame and is controlled by a pair of joysticks.

A video released by Kalashnikov shows there is surprisingly little to the “car”—there is no gasoline or diesel engine. Two banks of what appear to be batteries are located under the rider and likely provide electricity to the eight pairs of rotors. A shell or chassis is shown superimposed over the vehicle at the end.

Source: Kalashnikov Unveils Flying ‘Hovercycle’

Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy ‘login details leaked’

Yes, that’s Gartner’s security consultancy of the year
[…]
On Tuesday, what seemed to be a collection of Deloitte’s corporate VPN passwords, user names, and operational details were found lurking within a public-facing GitHub-hosted repository. These have since been removed in the past hour or so. In addition, it appears that a Deloitte employee uploaded company proxy login credentials to his public Google+ page. The information was up there for over six months – and was removed in the past few minutes.
[…]
On top of these potential leaks of corporate login details, Deloitte has loads of internal and potentially critical systems unnecessarily facing the public internet with remote-desktop access enabled. All of this gear should be behind a firewall and/or with two-factor authentication as per industry best practices. And likely the best practices Deloitte recommends to its clients, ironically.

“Just in the last day I’ve found 7,000 to 12,000 open hosts for the firm spread across the globe,” security researcher Dan Tentler, founder of Phobos Group, told The Register today. “We’re talking dozens of business units around the planet with dozens of IT departments showing very different aptitude levels. The phrase ‘truly exploitable’ comes to mind.”

For example, he found a Deloitte-owned Windows Server 2012 R2 box in South Africa with RDP wide open, acting as what appears to be an Active Directory server – a crucial apex of a Microsoft-powered network – and with, worryingly, security updates still pending installation. Other cases show IT departments using outdated software, and numerous other security failings.

Source: Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy ‘login details leaked’

Ouch

Broadcom SoCs allow remote code execution in many Wi-Fi equipped phones and routers

Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS.
[…]
However, since the “Channel Number” field is not validated, an attacker can arbitrarily provide a large value. While the maximal allowed channel number is 0xE0, by providing a larger value (such as 0xFF), the function above will increment a 16-bit word beyond the bounds of the heap-allocated buffer, thereby performing an OOB write. Note that the same insufficient validation is also present in the internal function 0xAC07C.

I’ve been able to verify that this code path exists on various different firmware versions, including those present on the iPhone 7 and Galaxy S7 Edge.

Broadcom: OOB write when handling 802.11k Neighbor Report Response

Comes with an iPhone PoC.
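The missing range check described above, as an added C example written for this page (my own reconstruction, not Broadcom's firmware or the researcher's code): a heap-allocated table of 16-bit per-channel counters indexed by the Channel Number field, with the 0xE0 ceiling enforced before the increment so a field value such as 0xFF is rejected instead of written out of bounds. The names, the 13-byte neighbor entry layout and the channel-byte offset are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed constants (not Broadcom's identifiers). MAX_CHANNEL mirrors the
 * 0xE0 ceiling quoted in the advisory; the table has one 16-bit slot per
 * channel 0..MAX_CHANNEL, so any larger index would write past its end. */
#define MAX_CHANNEL        0xE0u
#define NUM_COUNTERS       (MAX_CHANNEL + 1u)

/* Assumed 802.11k neighbor report entry layout: BSSID (6), BSSID info (4),
 * operating class (1), channel number (1), PHY type (1) = 13 bytes. */
#define NEIGHBOR_ENTRY_LEN 13u
#define CHANNEL_OFFSET     11u

typedef struct {
    uint16_t count[NUM_COUNTERS];   /* heap-allocated, like the buffer in the bug */
} channel_table_t;

typedef struct {
    size_t accepted;   /* entries whose channel passed validation */
    size_t rejected;   /* entries dropped for an out-of-range channel */
} report_result_t;

/* 1 if the channel is a valid slot in the counter table, 0 otherwise. */
int channel_in_range(uint8_t channel)
{
    return channel <= MAX_CHANNEL;
}

/* The hardened increment: validate the peer-controlled field before using
 * it as an index. Without this check a channel byte above 0xE0 bumps a
 * 16-bit word beyond the last slot of the heap table. */
int record_neighbor_channel(channel_table_t *t, uint8_t channel)
{
    if (!channel_in_range(channel)) {
        return -1;              /* drop the entry, keep the write in bounds */
    }
    t->count[channel]++;
    return 0;
}

/* Walk a report body made of fixed-size entries; a trailing fragment
 * shorter than one entry is ignored rather than read past the buffer. */
report_result_t process_neighbor_report(channel_table_t *t,
                                        const uint8_t *body, size_t len)
{
    report_result_t r = { 0, 0 };
    for (size_t off = 0; off + NEIGHBOR_ENTRY_LEN <= len; off += NEIGHBOR_ENTRY_LEN) {
        if (record_neighbor_channel(t, body[off + CHANNEL_OFFSET]) == 0) {
            r.accepted++;
        } else {
            r.rejected++;
        }
    }
    return r;
}

/* Constructed sample (not captured traffic): three entries whose channel
 * fields are 0x24 (valid), 0xE0 (the maximum) and 0xFF (malformed). */
size_t build_sample_report(uint8_t *out, size_t cap)
{
    static const uint8_t channels[] = { 0x24, 0xE0, 0xFF };
    size_t n = sizeof channels;
    if (cap < n * NEIGHBOR_ENTRY_LEN) {
        return 0;
    }
    memset(out, 0, n * NEIGHBOR_ENTRY_LEN);
    for (size_t i = 0; i < n; i++) {
        uint8_t *e = out + i * NEIGHBOR_ENTRY_LEN;
        e[0] = 0x02; e[1] = 0x11; e[2] = 0x22;          /* made-up BSSID */
        e[3] = 0x33; e[4] = 0x44; e[5] = (uint8_t)(0x50 + i);
        e[10] = 0x51;                                    /* operating class */
        e[CHANNEL_OFFSET] = channels[i];
        e[12] = 0x07;                                    /* PHY type */
    }
    return n * NEIGHBOR_ENTRY_LEN;
}

/* Runs the sample through the parser: expect two entries counted, one
 * rejected, and only the two valid slots touched. Returns 1 on success. */
int sample_report_check(void)
{
    uint8_t buf[3 * NEIGHBOR_ENTRY_LEN];
    channel_table_t *t = calloc(1, sizeof *t);
    if (t == NULL) {
        return 0;
    }
    size_t len = build_sample_report(buf, sizeof buf);
    report_result_t r = process_neighbor_report(t, buf, len);
    int ok = r.accepted == 2 && r.rejected == 1 &&
             t->count[0x24] == 1 && t->count[0xE0] == 1;
    free(t);
    return ok;
}

int main(void)
{
    printf("sample report handled safely: %s\n", sample_report_check() ? "yes" : "no");
    return 0;
}
```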

Artificial intelligence just made guessing your password a whole lot easier

Scientists have harnessed the power of artificial intelligence (AI) to create a program that, combined with existing tools, figured out more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles. Yet the researchers say the technology may also be used to beat baddies at their own game.
[…]
The Stevens team created a GAN it called PassGAN and compared it with two versions of hashCat and one version of John the Ripper. The scientists fed each tool tens of millions of leaked passwords from a gaming site called RockYou, and asked them to generate hundreds of millions of new passwords on their own. Then they counted how many of these new passwords matched a set of leaked passwords from LinkedIn, as a measure of how successful they’d be at cracking them.

On its own, PassGAN generated 12% of the passwords in the LinkedIn set, whereas its three competitors generated between 6% and 23%. But the best performance came from combining PassGAN and hashCat. Together, they were able to crack 27% of passwords in the LinkedIn set, the researchers reported this month in a draft paper posted on arXiv. Even failed passwords from PassGAN seemed pretty realistic: saddracula, santazone, coolarse18.

Source: Artificial intelligence just made guessing your password a whole lot easier

BlueBorne: Turn off your Bluetooth

Armis Labs revealed a new attack vector endangering major mobile, desktop, and IoT operating systems, including Android, iOS, Windows, and Linux, and the devices using them. The new vector is dubbed “BlueBorne”, as it spreads through the air (airborne) and attacks devices via Bluetooth. Armis has also disclosed eight related zero-day vulnerabilities, four of which are classified as critical. BlueBorne allows attackers to take control of devices, access corporate data and networks, penetrate secure “air-gapped” networks, and spread malware laterally to adjacent devices. Armis reported these vulnerabilities to the responsible actors, and is working with them as patches are being identified and released.
[…]
BlueBorne is an attack vector by which hackers can leverage Bluetooth connections to penetrate and take complete control over targeted devices. BlueBorne affects ordinary computers, mobile phones, and the expanding realm of IoT devices. The attack does not require the targeted device to be paired to the attacker’s device, or even to be set on discoverable mode. Armis Labs has identified eight zero-day vulnerabilities so far, which indicate the existence and potential of the attack vector. Armis believes many more vulnerabilities await discovery in the various platforms using Bluetooth. These vulnerabilities are fully operational, and can be successfully exploited, as demonstrated in our research. The BlueBorne attack vector can be used to conduct a large range of offenses, including remote code execution as well as Man-in-The-Middle attacks.

Source: BlueBorne Information from the Research Team – Armis Labs

Outlook.com looking more like an outage outbreak for Europe

Microsoft’s email services got hit with not one but two bugs today: in addition to an earlier blip with Exchange Online, Microsoft confirmed it is now probing “issues” with “some” Outlook.com users in Europe.

According to downdetector.com, more than a thousand users have reported problems such as trouble receiving messages and logging in to their webmail accounts (Outlook used to be Hotmail and Windows Live Hotmail) since around 9.00am.

The site, which provides a handy snapshot map of partial and total service eclipses, revealed that most of the reports are coming from western Europe.

Source: Outlook.com looking more like an outage outbreak for Europe

Clouds!

Introducing: Unity Machine Learning Agents for Tensorflow

Unity Machine Learning Agents

We call our solution Unity Machine Learning Agents (ML-Agents for short), and are happy to be releasing an open beta version of our SDK today! The ML-Agents SDK allows researchers and developers to transform games and simulations created using the Unity Editor into environments where intelligent agents can be trained using Deep Reinforcement Learning, Evolutionary Strategies, or other machine learning methods through a simple to use Python API. We are releasing this beta version of Unity ML-Agents as open-source software, with a set of example projects and baseline algorithms to get you started. As this is an initial beta release, we are actively looking for feedback, and encourage anyone interested to contribute on our GitHub page. For more information on ML-Agents, continue reading below! For more detailed documentation, see our GitHub Wiki.

Source: Introducing: Unity Machine Learning Agents – Unity Blog

Deloitte hit by cyber-attack revealing clients’ secret emails

One of the world’s “big four” accountancy firms has been targeted by a sophisticated hack that compromised the confidential emails and plans of some of its blue-chip clients, the Guardian can reveal.
[…]
One of the largest private firms in the US, which reported a record $37bn (£27.3bn) revenue last year, Deloitte provides auditing, tax consultancy and high-end cybersecurity advice to some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies.

The Guardian understands Deloitte clients across all of these sectors had material in the company email system that was breached. The companies include household names as well as US government departments.

So far, six of Deloitte’s clients have been told their information was “impacted” by the hack. Deloitte’s internal review into the incident is ongoing.

The Guardian understands Deloitte discovered the hack in March this year, but it is believed the attackers may have had access to its systems since October or November 2016.

The hacker compromised the firm’s global email server through an “administrator’s account” that, in theory, gave them privileged, unrestricted “access to all areas”.

The account required only a single password and did not have “two-step” verification, sources said.

Emails to and from Deloitte’s 244,000 staff were stored in the Azure cloud service, which was provided by Microsoft. This is Microsoft’s equivalent to Amazon Web Services and Google’s Cloud Platform.

Source: Deloitte hit by cyber-attack revealing clients’ secret emails

A Literal Tree Illustration Shows How Languages Are Connected

Did you know that most of the different languages we speak today can actually be placed in only a couple of groups by their origin? This is what illustrator Minna Sundberg has captured in an elegant infographic of a linguistic tree which reveals some fascinating links between different tongues.

Source: This Amazing Tree That Shows How Languages Are Connected Will Change The Way You See Our World

Closed-source corporate DRM for money grabbers is forced onto the open-source web with the flimsiest of excuses

The trouble with DRM is that it’s sort of ineffective. It tends to make things inconvenient for people who legitimately bought a song or movie while failing to stop piracy. Some rights holders, like Ubisoft, have come around to the idea that DRM is counterproductive. Steve Jobs famously wrote about the inanity of DRM in 2007. But other rights holders, like Netflix, are doubling down.

The prevailing winds at the consortium concluded that DRM is now a fact of life, and so it would be better to at least make the experience a bit smoother for users. If the consortium didn’t work with companies like Netflix, Berners-Lee wrote in a blog post, those companies would just stop delivering video over the web and force people into their own proprietary apps. The idea that the best stuff on the internet will be hidden behind walls in apps rather than accessible through any browser is the mortal fear for open web lovers; it’s like replacing one library with many stores that each only carry books for one publisher. “It is important to support EME as providing a relatively safe online environment in which to watch a movie, as well as the most convenient,” Berners-Lee wrote, “and one which makes it a part of the interconnected discourse of humanity.”

Mozilla, the nonprofit that makes the browser Firefox, similarly held its nose and cooperated on the EME standard. “It doesn’t strike the correct balance between protecting individual people and protecting digital content,” it said in a blog post. “The content providers require that a key part of the system be closed source, something that goes against Mozilla’s fundamental approach. We very much want to see a different system. Unfortunately, Mozilla alone cannot change the industry on DRM at this point.”

Source: Corporations Just Quietly Changed How the Web Works – Slashdot

And of course it just turns out that the EU knows that piracy doesn’t hurt sales, but decided to ignore that when designing policy.

Tim Berners-Lee is a big disappointment: he has caved in to the money grabbers and has now set a precedent showing that the WWW Consortium is corruptible by anyone with enough money in their pockets.

Fortunately it won’t be long before this is hacked. And another new standard has to be introduced. Given the glacial speed at which the W3C works, this might give us a few years of freedom from DRM.

SVR Tracking leaks info for hundreds of thousands of vehicles. Turns out they have been tracking you even when your car wasn’t stolen.

Researchers discovered a misconfigured Amazon AWS S3 bucket that was left publicly accessible. The breach has exposed information about SVR Tracking’s customers and reseller network, and also about the physical device that is attached to the cars.

The repository contained over half a million records with logins/passwords, emails, VINs (vehicle identification numbers), IMEI numbers of GPS devices and other data collected on their devices, customers and auto dealerships. Interestingly, the exposed database also contained information on where exactly in the car the tracking unit was hidden.

The “SVR” stands for “stolen vehicle records”.
[…]
The software monitors everywhere the car has been back as far as 120 days, including a terrifying feature that pinpoints on the map all of the places a driver has visited. There is even an option that will show anyone with login credentials the top stops or locations where the vehicle has been. There is a “recovery mode” that can pinpoint every 2 min or create zone notifications. They claim to have a 99% success rate on recovery but what about when the customer logins and passwords for thousands of unsuspecting drivers are leaked online?
MacKeeper Security: Auto Tracking Company Leaks Hundreds of Thousands of Records Online

Equifax fooled again! Blundering credit biz directs hack attack victims to parody site

When news of the hack was published on September 7, over a month after its scale had been discovered, Equifax set up a website for worried customers to check if they had been affected – equifaxsecurity2017.com – rather than setting it up on the equifax.com domain.

As a bit of fun, security researcher Nick Sweeting set up securityequifax2017.com with a familiar look and feel, just like phishers do every day. To make that point, the headline on the website was “Cybersecurity Incident & Important Consumer Information which is Totally Fake, why did Equifax use a domain that’s so easily impersonated by phishing sites?”

Turns out he had a point, since the site fooled Equifax itself. Shortly after the site was set up, Equifax’s official Twitter feed started linking to Sweeting’s fake page, and in a series of posts dating from September 9, Tim on Equifax’s social media team began tweeting the wrong URL to customers concerned about their data.

Seriously, Tim?

The tweets (now removed by red-faced Equifax staff) continued until Sept 18 before they were spotted by stanleyspadowski on imgur and @aaronkkruse on Twitter. It’s not known how many people were directed to the site, and it has since been blocked by Google.

Source: Equifax fooled again! Blundering credit biz directs hack attack victims to parody site

CCleaner infection: what happened? Turns out it was targeting companies and had been running for longer than thought

CCleaner v5.33, software that allows you to clean up the cruft that accumulates with use and comes with newly installed machines, was infected with Floxif malware, which installed itself on people’s machines together with CCleaner. Floxif is a malware downloader that gathers information about infected systems and sends it back to its Command & Control server.
[…]
The malware collected information such as the computer name, a list of installed software, a list of running processes, MAC addresses for the first three network interfaces, and a unique ID to identify each computer. Researchers noted that the malware only ran on 32-bit systems. The malware also quit execution if the user was not using an administrator account.

Bleeping Computer: CCleaner Compromised to Distribute Malware for Almost a Month

In analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations, including Cisco, that were specifically targeted through delivery of a second-stage loader. Based on a review of the C2 tracking database, which only covers four days in September, we can confirm that at least 20 victim machines were served specialized secondary payloads. Below is a list of domains the attackers were attempting to target.

Talos Intelligence: CCleaner Command and Control Causes Concern – with more technical details on the source and methodology of the malware

According to Avast, the database where the CCleaner hackers were collecting data from infected hosts ran out of space and was deleted on September 12, meaning information on previous victims is now lost to investigators and the number of computers infected with the second-stage backdoor payloads may be larger than initially believed.

This means there could still be — and there certainly are — more large technology firms that currently have a backdoor on their network.
[…]
The server would store this information in a MariaDB (MySQL fork) database, and would run a series of filters on each infected host to determine whether to send a second-stage payload, a very stealthy backdoor trojan.

Based on analysis from Cisco Talos published yesterday, the C&C server looked for computers on the networks of large tech corporations.

Based on a list recovered by researchers, targeted companies included Google, Microsoft, HTC, Samsung, Intel, Sony, VMWare, O2, Vodafone, Linksys, Epson, MSI, Akamai, DLink, Oracle (Dyn), Gauselmann, and Singtel.

The attacker’s database recorded information on all computers infected with the first and second-stage malware. There were 700,000 entries for computers infected with the first-stage malware, and only 20 for the second-stage malware.
[…]
The new information was extracted from the server’s logs and shows that the server was set up just days before attackers embedded their malware into the CCleaner binaries.

Despite the server being up for more than a month, Cisco noted that the database contained information on infections that were active between September 12 and September 16, and nothing more.

Avast says that after a deeper analysis of the logs, they find evidence that the server’s disk storage had been filled, and attackers had to delete the collected data they recorded up to that point (they most likely downloaded it before deleting it).
[…]
What this means is that data for 28 days of infections is now lost. Investigators are now unable to determine whether other tech companies now have backdoors on their networks.

This means that any company that has ever deployed CCleaner on its network must now wipe systems clear, just to be sure the second-stage malware is not hidden somewhere on its network.

Bleeping Computer: Info on CCleaner Infections Lost Due To Malware Server Running Out of Disk Space

SEC’s EDGAR database hacked, hackers use data for insider trading.

In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of the Commission’s EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. It is believed the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. An internal investigation was commenced immediately at the direction of the Chairman.

Source: SEC.gov | SEC Chairman Clayton Issues Statement on Cybersecurity

Attention adults working in the real world: Do not upgrade to iOS 11 if you use Outlook, Exchange

Apple’s latest version of iOS, namely version 11, may struggle or flat-out fail to connect to Microsoft Office and Exchange mailboxes. That’s a rather annoying pain for anyone working in a typical Windows-based work environment.

The Cupertino idiot-tax operation admitted this week that iOS 11 contains a bug that potentially leaves users locked out of Microsoft Office 365, Outlook.com and Exchange inboxes, and that the mobile OS pops up an alert that reads “Cannot Send Mail. The message was rejected by the server.”

“If your email account is hosted by Microsoft on Outlook.com or Office 365, or an Exchange Server 2016 running on Windows Server 2016, you might see this error message when you try to send an email with iOS 11: ‘Cannot Send Mail. The message was rejected by the server’,” the owner of ClarisWorks claimed.

Source: Attention adults working in the real world: Do not upgrade to iOS 11 if you use Outlook, Exchange

Popular GO alternative Android keyboard is spying on millions of Android users

Security researchers from Adguard have issued a warning that the popular GO Keyboard app is spying on users. Produced by Chinese developers GOMO Dev Team, GO Keyboard was found to be transmitting personal information about users back to remote servers, as well as “using a prohibited technique to download dangerous executable code.”

Adguard made the discovery while conducting research into the traffic consumption and unwanted behavior of various Android keyboards. The AdGuard for Android app makes it possible to see exactly what traffic an app is generating, and it showed that GO Keyboard was making worrying connections, making use of trackers, and sharing personal information.

Adguard notes that there are two versions of the keyboard in Google Play which it claims have more than 200 million users in total.

Source: Security researchers warn that GO Keyboard is spying on millions of Android users

EU Paid For Report That Said Piracy Isn’t Harmful — And Tried To Hide Findings

According to the blog of Julia Reda, the only Pirate in the EU Parliament, the European Commission in 2014 paid the Dutch consulting firm Ecorys 360,000 euros (about $428,000) to research the effect piracy had on sales of copyrighted content. The final report was finished in May 2015, but was never published because the report concluded that piracy isn’t harmful. The Next Web reports:
The 300-page report seems to suggest that there’s no evidence that supports the idea that piracy has a negative effect on sales of copyrighted content (with some exceptions for recently released blockbusters). The report states: “In general, the results do not show robust statistical evidence of displacement of sales by online copyright infringements. That does not necessarily mean that piracy has no effect but only that the statistical analysis does not prove with sufficient reliability that there is an effect. An exception is the displacement of recent top films. The results show a displacement rate of 40 per cent which means that for every ten recent top films watched illegally, four fewer films are consumed legally.”

On her blog, Julia Reda says that a report like this is fundamental to discussions about copyright policies — where the general assumption is usually that piracy has a negative effect on rightsholders’ revenues. She also criticizes the Commission’s reluctance to publish the report and says it probably wouldn’t have released it for several more years if it wasn’t for the access to documents request she filed in July.
As for why the Commission hadn’t published the report earlier, Reda says: “all available evidence suggests that the Commission actively chose to ignore the study except for the part that suited their agenda: In an academic article published in 2016, two European Commission officials reported a link between lost sales for blockbusters and illegal downloads of those films. They failed to disclose, however, that the study this was based on also looked at music, ebooks and games, where it found no such connection. On the contrary, in the case of video games, the study found the opposite link, indicating a positive influence of illegal game downloads on legal sales. That demonstrates that the study wasn’t forgotten by the Commission altogether…”

Source: EU Paid For Report That Said Piracy Isn’t Harmful — And Tried To Hide Findings – Slashdot

Holdout ISPs Ziggo and XS4ALL forced to censor the web by high court in the name of – money!

The court in The Hague has forced ISPs to block the Pirate Bay. Surprisingly, they haven’t forced a block of Google and Bing, which also link to copyrighted materials. Anyway, this is on the insistence of BREIN, who – like the RIAA – think they should be getting the income from music so that they can give it to random musicians (instead of the musicians whose music is being listened to). Because we all know that when you have done a day’s work, you should be paid again and again for it. Like the Euro I get for every time someone reads my email.

Source: XS4ALL en Ziggo moeten Pirate Bay blokkeren (XS4ALL and Ziggo must block the Pirate Bay) – Emerce

HP pushes third-party ink blocking printer firmware update (again)

Hewlett Packard (HP) released a new firmware for the company’s Officejet printers that appears to block third-party ink from functioning correctly.

The company caused quite the uproar a year ago when it released a firmware for some of its printer families that blocked non-HP cartridges in company printers. HP released a firmware update a month later back then that restored functionality for non-HP printer ink.

The new firmware update that was released on September 13th, 2017 looks like an exact copy of the firmware update released a year ago (on the same day even).

Printers display the following error message after the new firmware is installed:

One or more cartridges appear to be damaged. Remove them and replace with new cartridges.

Some of the cartridges that are inserted into the printer may be accepted by the printer, but once you add all of them, the error message is displayed.

Affected printer models include the HP OfficeJet 6800 Series, HP OfficeJet Pro 6200 Series, HP OfficeJet Pro X 450 Series, HP OfficeJet Pro 8600 series, and many other models.

There is, however, a way to fix the issue then and there, according to Günter Born.

Source: HP pushes third-party ink blocking printer firmware update (again) – gHacks Tech News

Equifax another breach: had ‘admin’ as login and password in Argentina

Cyber-crime blogger Brian Krebs said that an online employee tool used in the country could be accessed by typing “admin” as both a login and password.

He added that this gave access to records that included thousands of customers’ national identity numbers.

Last week, the firm revealed a separate attack affecting millions in the US.

Source: Equifax suffers fresh data breach

These guys don’t seem to take privacy very seriously, and there is almost no legislation to punish these guys.

AIs can generate fake reviews indistinguishable from real reviews, for both humans and fake-review detectors

Fake reviews used to be crowdsourced. Now they can be auto-generated by AI, according to a new research paper shared by AmiMoJo:
In this paper, we identify a new class of attacks that leverage deep learning language models (Recurrent Neural Networks or RNNs) to automate the generation of fake online reviews for products and services. Not only are these attacks cheap and therefore more scalable, but they can control rate of content output to eliminate the signature burstiness that makes crowdsourced campaigns easy to detect. Using Yelp reviews as an example platform, we show how a two phased review generation and customization attack can produce reviews that are indistinguishable by state-of-the-art statistical detectors.

Humans marked these AI-generated reviews as useful at approximately the same rate as they did for real (human-authored) Yelp reviews.
Slashdot

Companies use software limitations to screw customers over more and more often, kill competition

What began with printers and spread to phones is coming to everything: this kind of technology has proliferated to smart thermostats (no apps that let you turn your AC cooler when the power company dials it up a couple degrees), tractors (no buying your parts from third-party companies), cars (no taking your GM to an independent mechanic), and many categories besides.

All these forms of cheating treat the owner of the device as an enemy of the company that made or sold it, to be thwarted, tricked, or forced into conducting their affairs in the best interest of the company’s shareholders. To do this, they run programs and processes that attempt to hide themselves and their nature from their owners, and proxies for their owners (like reviewers and researchers).

Increasingly, cheating devices behave differently depending on who is looking at them. When they believe themselves to be under close scrutiny, their behavior reverts to a more respectable, less egregious standard.
[…]
The Computer Fraud and Abuse Act (1986) makes it a crime, with jail-time, to violate a company’s terms of service. Logging into a website under a fake ID to see if it behaves differently depending on who it is talking to is thus a potential felony, provided that doing so is banned in the small-print clickthrough agreement when you sign up.

Then there’s section 1201 of the Digital Millennium Copyright Act (1998), which makes it a felony to bypass the software that controls access to a copyrighted work. Since all software is copyrightable, and since every smart gadget contains software, this allows manufacturers to threaten jail-terms for anyone who modifies their tractors to accept third-party carburetors (just add a software-based check to ensure that the part came from John Deere and not a rival), or changes their phone to accept an independent app store, or downloads some code to let them choose generic insulin for their implanted insulin pump.

Cory Doctorow

ProtonVPN: Secure and Free VPN service for protecting your privacy

We believe privacy and security are fundamental human rights, so we also provide a free version of ProtonVPN to the public. Unlike other free VPNs, there are no catches. We don’t serve ads or secretly sell your browsing history. ProtonVPN Free is subsidized by ProtonVPN paid users. If you would like to support online privacy, please consider upgrading to a paid plan for faster speeds and more features.

Source: ProtonVPN: Secure and Free VPN service for protecting your privacy

Hosted in Switzerland, so privacy invasions are covered by criminal law

Moneyback leaks 500k customer records of tourists to Mexico: passports, credit cards, IDs.

Have you been to Mexico in the last year as a tourist and applied for a tax refund on the money you spent while shopping there? If you have, chances are your passport, credit card, or other identification might have been leaked online. The Kromtech Security Research Center has discovered a misconfigured database with nearly half a million customer files that were left publicly accessible. These tourists traveled from around the world to enjoy Mexico’s beaches, warm weather, historical sites, or cities and had their private data exposed in the process.

The database appears to be connected with MoneyBack, a leading provider of tax refund (value-added tax refund or sales tax refund) services for international travelers in Mexico.
[…]
Researchers identified passports from all over the world belonging to people who used MoneyBack’s services. Among the top passports identified were those of citizens of the US, Canada, Argentina, Colombia, Italy, and many more. It appears to be every client that used their services between 2016 and 2017.

Database over 300 GB in size

455,038 scanned documents (passports, IDs, credit cards, travel tickets & more)

88,623 unique passport numbers registered or scanned

Mexican Tourist Tax Refund Company Leaks Customer Records

A.I. can detect the sexual orientation of a person based on one photo, research shows

The Stanford University study, which is set to be published in the Journal of Personality and Social Psychology and was first reported in The Economist, found that machines had a far superior “gaydar” when compared to humans.

The machine intelligence tested in the research could correctly distinguish gay from straight men 81 percent of the time, and 74 percent of the time for women. In contrast, human judges performed much worse than the sophisticated computer software, identifying the orientation of men 61 percent of the time and guessing correctly 54 percent of the time for women.

The research has prompted critics to question the possible use of this type of machine intelligence, both in terms of the ethics of facial-detection technology and whether it could be used to violate a person’s privacy.
[…]
When the AI reviewed five images of a person’s face, rather than one, the results were even more convincing – 91 percent of the time with men and 83 percent of the time with women.

The paper indicated its findings showed “strong support” for the theory that a person’s sexual orientation stems from the exposure to various hormones before birth. The AI’s success rate in comparison to human judges also appeared to back the concept that female sexual orientation is more fluid.

The researchers behind the study argued that with the appropriate data sets, similar AI tests could spot other personal traits such as an individual’s IQ or even their political views. However, Kosinski and Wang also warned of the potentially dangerous ramifications such AI machines could have on the LGBT community.

“Given that companies and governments are increasingly using computer vision algorithms to detect people’s intimate traits, our findings expose a threat to the privacy and safety of gay men and women,” Kosinski and Wang said in the report.

Source: A.I. can detect the sexual orientation of a person based on one photo, research shows
