Visualizing the Crime Rate Perception Gap


The Crime Rate Perception Gap

There’s a persistent belief across America that crime is on the rise.

Since the late 1980s, Gallup has been polling people on their perception of crime in the United States, and consistently, the majority of respondents indicate that they see crime as becoming more prevalent. As well, a recent poll showed that more than two-thirds of Americans feel that today’s youth are less safe from crime and harm than the previous generation.

Even the highest ranking members of the government have been suggesting that the country is in the throes of a crime wave.

We have a crime problem. […] this is a dangerous permanent trend that places the health and safety of the American people at risk.

— Jeff Sessions, Former Attorney General

Is crime actually more prevalent in society? Today’s graphic, amalgamating crime rate data from the FBI, shows a very different reality.

Data vs Perception

In the early ’90s, crime in the U.S. was an undeniable concern – particularly in struggling urban centers. The country’s murder rate was nearly double what it is today, and statistics for all types of crime were through the roof.

Since that era, crime rates in the United States have undergone a remarkably steady decline, but public perception has been slow to catch up. In a 2016 survey, 57% of registered voters said crime in the U.S. had gotten worse since 2008, despite crime rates declining by double-digit percentages during that time period.

There are many theories as to why crime rates took such a dramatic U-turn, and while that matter is still a subject for debate, there’s clear data on who is and isn’t being arrested.

Are Millennials Killing Crime?

Media outlets have accused millennials of killing off everything from department stores to commuting by car, but there’s another behavior this generation is eschewing as well – criminality.

Compared to previous generations, people under the age of 39 are simply being arrested in smaller numbers. In fact, much of the decline in overall crime can be attributed to people in this younger age bracket. In contrast, the arrest rate for older Americans actually rose slightly.

Arrests by Age Group

There’s no telling whether the overall trend will continue.

In fact, the most recent data shows that the murder rate has ticked up ever-so-slightly in recent years, while violent and property crimes continue to be on the decline.

A Global Perspective

Perceptions of increasing criminality are echoed in many other developed economies as well. From Italy to South Korea, the prevailing sentiment is that youth are living in a society that is less safe than in previous generations.

global crime perceptions

As the poll above demonstrates, perception gaps exist in somewhat unexpected places.

In Sweden, where violent crime is actually increasing, 53% of people believe that crime will be worse for today’s youth. Contrast that with Australia, where crime rates have declined in a similar pattern as in the United States – yet, more than two-thirds of Aussie respondents believe that crime will be worse for today’s youth.

One significant counterpoint to this trend is China, where respondents felt that crime was less severe today than in the past.

Source: Visualizing the Crime Rate Perception Gap

The “Do Not Track” Setting Doesn’t Stop You from Being Tracked – by Google, Facebook and Twitter, among many more

Most browsers have a “Do Not Track” (DNT) setting that sends “a special signal to websites, analytics companies, ad networks, plug-in providers, and other web services you encounter while browsing, to stop tracking your activity.” Sounds good, right? Sadly, it’s not effective. That’s because this Do Not Track setting is only a voluntary signal sent to websites, which websites don’t have to respect 😧.
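To make concrete what that “special signal” is and why it is voluntary, here is an added example (not part of the original post or of DuckDuckGo’s research): a minimal Python request handler that reads the `DNT` request header and, if the site chooses to honour it, omits its analytics cookie and answers with the W3C Tracking Preference Expression `Tk` response header. The cookie name, the handler and the sample requests are constructed assumptions; nothing in the browser enforces any of this, which is the whole point.

```python
"""Added example (not from the original post): honouring Do Not Track on
the server side.

The "DNT: 1" request header and the "Tk" response header come from the W3C
Tracking Preference Expression specification.  The handler, the cookie name
and the sample requests below are constructed for illustration.
"""
from typing import Dict, Tuple

TRACKING_COOKIE = "visitor_id"  # hypothetical analytics cookie name


def dnt_enabled(headers: Dict[str, str]) -> bool:
    """Return True only when the client sent exactly 'DNT: 1'.

    Header names are case-insensitive, so normalise them first.  Any other
    value ("0", missing, or malformed) means the user expressed no opt-out.
    """
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    return lowered.get("dnt") == "1"


def build_response(headers: Dict[str, str]) -> Tuple[Dict[str, str], str]:
    """Simulate a handler deciding whether to set a tracking cookie.

    Returns (response_headers, body).  With DNT on, the tracking cookie is
    omitted and the site says so with 'Tk: N' (not tracking); otherwise it
    sets the cookie and answers 'Tk: T' (tracking).  Honouring DNT is purely
    this server-side choice: the request header itself blocks nothing.
    """
    resp: Dict[str, str] = {"Content-Type": "text/html"}
    if dnt_enabled(headers):
        resp["Tk"] = "N"
    else:
        resp["Tk"] = "T"
        resp["Set-Cookie"] = f"{TRACKING_COOKIE}=abc123; Path=/; HttpOnly; Secure"
    return resp, "<html>hello</html>"


# Constructed sample requests: DNT on, DNT absent, and a malformed value.
SAMPLE_REQUESTS = {
    "opted_out": {"Host": "example.test", "dnt": "1"},
    "default": {"Host": "example.test"},
    "malformed": {"Host": "example.test", "DNT": "yes"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_REQUESTS.items():
        resp, _ = build_response(hdrs)
        print(f"{name:10s} -> Tk={resp['Tk']}, cookie set={'Set-Cookie' in resp}")
```

Run it and the three constructed requests show the asymmetry: only the `DNT: 1` request leaves without a cookie, and only because this handler was written to look for it. A site that never calls `dnt_enabled` behaves identically for all three, which is exactly the gap the survey above is about.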

Screenshot showing the Do Not Track setting in the Chrome browser

Nevertheless, a hefty portion of users across many browsers use the Do Not Track setting. While DNT is disabled by default in most major web browsers, in a survey we conducted of 503 U.S. adults in Nov 2018, 23.1% (±3.7) of respondents have consciously enabled the DNT setting on their desktop browsers. (Note: Apple is in the process of removing the DNT setting from Safari.)

Graph showing survey responses about the current status of the Do Not Track setting in respondent's primary desktop browser

We also looked at DNT usage on DuckDuckGo (across desktop and mobile browsers), finding that 24.4% of DuckDuckGo requests during a one day period came from browsers with the Do Not Track setting enabled. This is within the margin of error from the survey, thus lending more credibility to its results.

[…]

It can be alarming to realize that Do Not Track is about as foolproof as putting a sign on your front lawn that says “Please, don’t look into my house” while all of your blinds remain open. In fact, most major tech companies, including Google, Facebook, and Twitter, do not respect the Do Not Track setting when you visit and use their sites – a fact of which 77.3% (±3.6) of U.S. adults overall weren’t aware.

There is simply a huge discrepancy between the name of the setting and what it actually does. It’s inherently misleading. When educated about the true function and limitation of the DNT setting, 75.5% (±3.8) of U.S. adults say it’s “important” or “very important” that these companies “respect the Do Not Track signal when it is enabled.” So, in shocking news, when people say they don’t want to be tracked, they really don’t want to be tracked.

Pie chart showing 75.5 percent of respondents believe it's important that major tech companies respect the Do Not Track signal.

As a matter of fact, 71.9% (±3.9) of U.S. adults “somewhat favor” or “strongly favor” a federal regulation requiring companies to respect the Do Not Track signal.

Pie chart showing 71.9 percent of respondents would favor federal regulation requiring companies and their websites to respect the Do Not Track signal when enabled.

We agree and hope that governments will focus this year on efforts to enforce adherence to the Do Not Track setting when users enable it. As we’ve seen here and in our private browsing research, many people seek the most readily available (though often, unfortunately, ineffective) methods to protect their privacy.

Source: The “Do Not Track” Setting Doesn’t Stop You from Being Tracked

Zooniverse – crowd sourced classification of real scientific questions

The Zooniverse is the world’s largest and most popular platform for people-powered research. This research is made possible by volunteers — hundreds of thousands of people around the world who come together to assist professional researchers. Our goal is to enable research that would not be possible, or practical, otherwise. Zooniverse research results in new discoveries, datasets useful to the wider research community, and many publications.

At the Zooniverse, anyone can be a researcher

You don’t need any specialised background, training, or expertise to participate in any Zooniverse projects. We make it easy for anyone to contribute to real academic research, on their own computer, at their own convenience.

You’ll be able to study authentic objects of interest gathered by researchers, like images of faraway galaxies, historical records and diaries, or videos of animals in their natural habitats. By answering simple questions about them, you’ll help contribute to our understanding of our world, our history, our Universe, and more.

With our wide-ranging and ever-expanding suite of projects, covering many disciplines and topics across the sciences and humanities, there’s a place for anyone and everyone to explore, learn and have fun in the Zooniverse. To volunteer with us, just go to the Projects page, choose one you like the look of, and get started.

Source: About — Zooniverse

The Milky Way is warped, not a flat disc

The Milky Way galaxy’s disk of stars is anything but stable and flat. Instead, it becomes increasingly warped and twisted far away from the Milky Way’s center, according to astronomers from National Astronomical Observatories of Chinese Academy of Sciences (NAOC).

From a great distance, the galaxy would look like a thin disk of stars that orbit once every few hundred million years around its central region, where hundreds of billions of stars, together with a huge mass of dark matter, provide the gravitational ‘glue’ to hold it all together.

But the pull of gravity becomes weaker far away from the Milky Way’s inner regions. In the galaxy’s far outer disk, the making up most of the Milky Way’s gas disk are no longer confined to a thin plane, but they give the disk an S-like warped appearance.

“It is notoriously difficult to determine distances from the sun to parts of the Milky Way’s outer gas disk without having a clear idea of what that disk actually looks like,” says Dr. Chen Xiaodian, a researcher at NAOC and lead author of the article published in Nature Astronomy on Feb. 4.

“However, we recently published a new catalogue of well-behaved known as classical Cepheids, for which distances as accurate as 3 to 5 percent can be determined.” That database allowed the team to develop the first accurate three-dimensional picture of the Milky Way out to its far outer regions.

Top: 3D distribution of the classical Cepheids in the Milky Way’s warped disk. Bottom: Precession of the warp’s line of nodes with Galactocentric radius. Credit: CHEN Xiaodian

Classical Cepheids are stars that are some four to 20 times as massive as the sun and up to 100,000 times as bright. Such high masses imply that they live fast and die young, burning through their nuclear fuel very quickly, sometimes in only a few million years. They show day- to month-long pulsations, which are observed as changes in their brightness. Combined with a Cepheid’s observed brightness, its pulsation period can be used to obtain a highly reliable distance.

“Somewhat to our surprise, we found that in 3-D, our collection of 1339 Cepheids and the Milky Way’s gas disk follow each other closely. This offers new insights into the formation of our home galaxy,” says Prof. Richard de Grijs from Macquarie University in Sydney, Australia, and senior co-author of the paper. “Perhaps more importantly, in the Milky Way’s outer regions, we found that the S-like stellar disk is warped in a progressively twisted spiral pattern.”

Read more at: https://phys.org/news/2019-02-milky-warped.html#jCp

Source: The Milky Way is warped

Muscle-inspired materials that get stronger after stretching

Scientists at Hokkaido University have found a way to create materials that actually get stronger the more you use them. By mimicking the mechanism that allows living muscles to grow and strengthen after exercise, the team led by Jian Ping Gong developed a polymer that breaks down under mechanical stress, then regrows itself into a stronger configuration by feeding off a nutrient bath.

One of the drawbacks of non-living materials is that they have a very finite service life compared to living, organic materials. Materials like steel, plastic, ceramics, and textiles wear out with use at a surprisingly fast rate compared to comparable living things. Metals undergo fatigue, plastics crumble, ceramics crack, and textiles have a sadly short life compared to the skin they cover.

The reason for this is that living tissue can not only regrow itself, it can become stronger the more it’s used. That’s why a human heart can pump at a rate of about 72 beats per minute, 24 hours a day, 365 days a year, for over a century. It’s also why exercise can make skeletal muscles stronger. A workout in the gym that makes a human healthier would just be so much wear and tear to a machine.

[…]

the Hokkaido team used what is called double-network hydrogels. Like other hydrogels, these are polymers that are 85 percent water by weight, but in this case, the material consists of both a rigid, brittle polymer and a soft, stretchable one. In this way, the finished product is both soft and tough.

Graph comparing the muscle-like hydrogel with other materials

However, the clever bit is that under laboratory conditions the hydrogel was immersed in a bath of monomers, which are the individual molecular links that make up a polymer. These serve the same function in the muscle-mimicking material as amino acids do in living tissue.

According to the team, when the hydrogel is stretched, some of the brittle polymer chains break, creating a chemical species called “mechanoradicals” at the end of the broken polymer chains. These are very reactive and quickly join up with the floating monomers to form a new, stronger polymer chain.

Under testing, the hydrogel acted much like muscles under strength training. It became 1.5 times stronger, 23 times stiffer, and increased in weight by 86 percent. It was even possible to control the properties of the material by using heat-sensitive monomers and applying high temperatures to make it more water resistant.

Gong says this approach could lead to materials suitable for a variety of applications, such as in flexible exosuits for patients with skeletal injuries that become stronger with use.

Source: Muscle-inspired materials that get stronger after stretching

The question in my mind is, why didn’t they make the material this strength in the first place? Or is it really self-repairing?

The world’s biggest spice company is using AI to find new flavors

McCormick — the maker of Old Bay and other seasonings, spices and condiments — hopes the technology can help it tantalize taste buds. It worked with IBM Research to build an AI system trained on decades worth of data about spices and flavors to come up with new flavor combinations.

The Baltimore, Maryland-based company plans to bring its first batch of AI-assisted products to market later this year. The line of seasoning mixes, called One, for making one-dish meals, includes flavors such as Tuscan Chicken and Bourbon Pork Tenderloin.

Hamed Faridi, McCormick’s chief science officer, told CNN Business that using AI cuts down product development time, and that the company plans to use the technology to help develop all new products by the end of 2021.

Source: The world’s biggest spice company is using AI to find new flavors – CNN

Why nonviolent resistance is more successful in effecting change than violent campaigns

Chenoweth and Stephan collected data on all violent and nonviolent campaigns from 1900 to 2006 that resulted in the overthrow of a government or in territorial liberation. They created a data set of 323 mass actions. Chenoweth analyzed nearly 160 variables related to success criteria, participant categories, state capacity, and more. The results turned her earlier paradigm on its head—in the aggregate, nonviolent civil resistance was far more effective in producing change.
[…]

it really boils down to four different things. The first is a large and diverse participation that’s sustained.

The second thing is that [the movement] needs to elicit loyalty shifts among security forces in particular, but also other elites. Security forces are important because they ultimately are the agents of repression, and their actions largely decide how violent the confrontation with—and reaction to—the nonviolent campaign is going to be in the end. But there are other security elites, economic and business elites, state media. There are lots of different pillars that support the status quo, and if they can be disrupted or coerced into noncooperation, then that’s a decisive factor.

The third thing is that the campaigns need to be able to have more than just protests; there needs to be a lot of variation in the methods they use.

The fourth thing is that when campaigns are repressed—which is basically inevitable for those calling for major changes—they don’t either descend into chaos or opt for using violence themselves. If campaigns allow their repression to throw the movement into total disarray or they use it as a pretext to militarize their campaign, then they’re essentially co-signing what the regime wants—for the resisters to play on its own playing field. And they’re probably going to get totally crushed.

[…]

One of the things that isn’t in our book, but that I analyzed later and presented in a TEDx Boulder talk in 2013, is that a surprisingly small proportion of the population guarantees a successful : just 3.5 percent. That sounds like a really small number, but in absolute terms it’s really an impressive number of people. In the U.S., it would be around 11.5 million people today. Could you imagine if 11.5 million people—that’s about three times the size of the 2017 Women’s March—were doing something like mass noncooperation in a sustained way for nine to 18 months? Things would be totally different in this country.

WCIA: Is there anything about our current time that dictates the need for a change in tactics?

CHENOWETH: Mobilizing without a long-term strategy or plan seems to be happening a lot right now, and that’s not what’s worked in the past. However, there’s nothing about the age we’re in that undermines the basic principles of success. I don’t think that the factors that influence success or failure are fundamentally different. Part of the reason I say that is because they’re basically the same things we observed when Gandhi was organizing in India as we do today. There are just some characteristics of our age that complicate things a bit.

Read more at: https://phys.org/news/2019-02-nonviolent-resistance-successful-effecting-violent.html#jCp

Source: Why nonviolent resistance is more successful in effecting change than violent campaigns

A step closer to self-aware machines – let the robot imagine itself

Columbia Engineering researchers have made a major advance in robotics by creating a robot that learns what it is, from scratch, with zero prior knowledge of physics, geometry, or motor dynamics. Initially the robot does not know if it is a spider, a snake, an arm–it has no clue what its shape is. After a brief period of “babbling,” and within about a day of intensive computing, their robot creates a self-simulation. The robot can then use that self-simulator internally to contemplate and adapt to different situations, handling new tasks as well as detecting and repairing damage in its own body. The work is published today in Science Robotics.

To date, robots have operated by having a human explicitly model the robot. “But if we want robots to become independent, to adapt quickly to scenarios unforeseen by their creators, then it’s essential that they learn to simulate themselves,” says Hod Lipson, professor of mechanical engineering, and director of the Creative Machines lab, where the research was done.

Source: A step closer to self-aware machines | EurekAlert! Science News

OK, smarty pants AI. You can beat us humans at video games. But how about real-world puzzles like Jenga? Oh, oh no

A robot built by a team of researchers at MIT in America has two prongs for fingers, sensors in its wrist, and a camera for eyes.

As the AI-powered bot surveys the tower, one of its prongs is told by software to poke a block, which sends feedback to its sensor to work out how movable that particular block is. If it’s too stiff, the robot will try another block, and keep pushing in millimetre increments until it has protruded far enough to be removed and placed on top of the tower.

Prodding until you find a suitable block to push may seem like cheating, but, well, given the state of 2019 so far, we’ll take a rule-stretching robot any day. Here it is in action…

“Unlike in more purely cognitive tasks or games such as chess or Go, playing the game of Jenga also requires mastery of physical skills such as probing, pushing, pulling, placing, and aligning pieces,” said Alberto Rodriguez, an assistant professor of mechanical engineering at MIT, this week.

“It requires interactive perception and manipulation, where you have to go and touch the tower to learn how and when to move blocks. This is very difficult to simulate, so the robot has to learn in the real world, by interacting with the real Jenga tower. The key challenge is to learn from a relatively small number of experiments by exploiting common sense about objects and physics.”

Source: OK, smarty pants AI. You can beat us humans at video games. But how about real-world puzzles like Jenga? Oh, oh no • The Register

I’m a crime-fighter, says FamilyTreeDNA boss after being caught giving folks’ DNA data to FBI

Some would argue he has broken every ethical and moral rule of his profession, but genealogist Bennett Greenspan prefers to see himself as a crime-fighter.

“I spent many, many nights and many, many weekends thinking of what privacy and confidentiality would mean to a genealogist such as me,” the founder and president of FamilyTreeDNA says in a video that appeared online yesterday.

He continues: “I would never do anything to betray the trust of my customers and at the same time I felt it important to enable my customers to crowd source the catching of criminals.”

The video and surrounding press release went out at 10.30pm on Thursday. Funnily enough, just a couple of hours earlier, BuzzFeed offered a very different take on Greenspan’s philanthropy. “One Of The Biggest At-Home DNA Testing Companies Is Working With The FBI,” reads the headline.

Here’s how FamilyTreeDNA works, if you don’t know: among other features, you submit a sample of your DNA to the biz, and it will tell you if you’re related to someone else who has also submitted their genetic blueprint. It’s supposed to find previously unknown relatives, check parentage, and so on.

And so, by crowd sourcing, what Greenspan means is that he has reached an agreement with the FBI to allow the agency to create new profiles on his system using DNA collected from, say, corpses, crime scenes, and suspects. These can then be compared with genetic profiles in the company’s database to locate and track down relatives of suspects and victims, if not the suspects and victims themselves.

[…]

Those profiles have been built by customers who have paid between $79 and $199 to have their genetic material analyzed, in large part to understand their personal history and sometimes find connections to unknown family members. The service and others like it have become popular with adopted children who wish to locate birth parents but are prevented by law from being given the information.

However, there is a strong expectation that any company storing your most personal genetic information will apply strict confidentiality rules around it. You could argue that handing it over to the Feds doesn’t meet that standard. Greenspan would disagree.

“Greenspan created FamilyTreeDNA to help other family researchers solve problems and break down walls to connect the dots of their family trees,” reads a press release rushed out to head off, in vain, any terrible headlines.

“Without realizing it, he had inadvertently created a platform that, nearly two decades later, would help law enforcement agencies solve violent crimes faster than ever.”

Crime fighting, it seems, overrides all other ethical considerations.

Unfortunately for Greenspan, the rest of his industry doesn’t agree. The Future of Privacy Forum, an organization that maintains a list of consumer DNA testing companies that have signed up to its privacy guidelines struck FamilyTreeDNA off its list today.

Its VP of policy, John Verdi, told Bloomberg that the deal between FamilyTreeDNA and the FBI was “deeply flawed.” He went on: “It’s out of line with industry best practices, it’s out of line with what leaders in the space do, and it’s out of line with consumer expectations.”

Source: I’m a crime-fighter, says FamilyTreeDNA boss after being caught giving folks’ DNA data to FBI • The Register

Officer jailed for using police database to access personal details of dozens of Tinder dates

A former long-serving police officer has been jailed for six months for illegally accessing the personal details of almost 100 women to determine if they were “suitable” dates.

Adrian Trevor Moore was a 28-year veteran of WA Police and was nominated as police officer of the year in 2011.

The former senior constable pleaded guilty to 180 charges of using a secure police database to access the information of 92 women he had met, or interacted with, on dating websites including Tinder and Plenty of Fish.

A third of the women were checked by Moore multiple times over several years.

Source: Officer jailed for using police database to access personal details of dozens of Tinder dates – ABC News (Australian Broadcasting Corporation)

Well, that’s what you get when you collect loads of personal data in a database.

Unsecured MongoDB databases expose Kremlin’s single username / password backdoor into Russian businesses

A Dutch security researcher has stumbled upon the Kremlin’s backdoor account that the government had been using to access the servers of local and foreign businesses operating in Russia.

The backdoor account was found inside thousands of MongoDB databases that had been left exposed online without a password.

Any hacker who noticed the account could have used it to gain access to sensitive information from thousands of companies operating in Russia.

“The first time I saw these credentials was in the user table of a Russian Lotto website,” Victor Gevers told ZDNet in an interview today. “I had to do some digging to understand that the Kremlin requires remote access to systems that handle financial transactions.”

The researcher says that after his initial finding, he later found the same “admin@kremlin.ru” account on over 2,000 other MongoDB databases that had been left exposed online, all belonging to local and foreign businesses operating in Russia.

Examples include databases belonging to local banks, financial institutions, big telcos, and even Disney Russia.

Kremlin credentials found in the internet-exposed database of a Russian lotto agency

Image: Victor Gevers

Kremlin credentials found in the internet-exposed database of Disney Russia

Image: Victor Gevers

Gevers even found this account inside a leaky MongoDB database belonging to Ukraine’s Ministry of Internal Affairs that was holding details about ERDR investigations carried out by the country’s General Prosecutor’s Office into corrupt politicians.

This latter case was very strange because, at the time, the Russian-Ukrainian conflict had already been raging for at least two years.

Kremlin credentials found in the internet-exposed database of a Ukrainian ministry

Image: Victor Gevers

Gevers, who at the time was the Chairman of the GDI Foundation, is one of the world’s top white-hat hackers. His research didn’t include digging through companies’ logs to see what this account was used for, so it’s currently unknown if the Russian government used this account only to retrieve financial-related information or they actively altered data.

“We have been searching for open MongoDB for years,” Gevers told ZDNet. “When we investigate a MongoDB instance, we try to respect privacy as much as possible by limiting the search for breadcrumbs such as the owner’s email addresses to a minimum.”

“All the systems this password was on were already fully accessible to anyone,” Gevers said. “The MongoDB databases were deployed with default settings. So anyone without authentication had CRUD [Create, Read, Update and Delete] access.”
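Gevers’ last quote names the root cause: a mongod deployed with default settings, reachable from the internet, with no authorization. As an added example (not part of the ZDNet article or of Gevers’ work), the Python below parses the `net` and `security` sections of a mongod.conf and flags the two settings that together produce that exposure: a wildcard `net.bindIp` (or `net.bindIpAll`) and `security.authorization` not set to `enabled`. The key names are MongoDB’s real configuration options; the two config fragments are constructed, and the parser handles only the flat two-level YAML shape they use.

```python
"""Added example (not from the article): audit a mongod.conf for the two
settings that turn a database into an open, unauthenticated CRUD endpoint.

Real MongoDB options used: net.bindIp, net.bindIpAll, security.authorization.
The sample configs and the tiny YAML-subset parser are constructed here; the
parser only understands top-level sections with one level of "key: value"
entries, which is the shape of the fragments below.
"""
from typing import Dict, List, Union

Section = Dict[str, str]
Conf = Dict[str, Union[str, Section]]

# Constructed: the permissive shape described in the article (no 'security'
# section at all, listening on every interface).
WEAK_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed: the same service bound to loopback plus one internal address,
# with role-based access control switched on.
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""


def parse_mongod_conf(text: str) -> Conf:
    """Parse a two-level 'section:\\n  key: value' YAML subset into dicts."""
    conf: Conf = {}
    section: Union[str, None] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")  # first ':' only, so '::' survives
        value = value.strip().strip("\"'")
        if indent == 0:
            if value:                                 # top-level scalar
                conf[key] = value
                section = None
            else:
                conf[key] = {}
                section = key
        elif section is not None and isinstance(conf[section], dict):
            conf[section][key] = value                # type: ignore[index]
    return conf


def audit_exposure(conf: Conf) -> List[str]:
    """Return human-readable findings; an empty list means neither risk is present."""
    net = conf.get("net") if isinstance(conf.get("net"), dict) else {}
    sec = conf.get("security") if isinstance(conf.get("security"), dict) else {}
    findings: List[str] = []

    if str(net.get("bindIpAll", "")).lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif net.get("bindIp"):
        addrs = [a.strip() for a in net["bindIp"].split(",")]
        if any(a in ("0.0.0.0", "::") for a in addrs):
            findings.append("net.bindIp contains a wildcard address: reachable from any network")
    else:
        findings.append("net.bindIp not set: binding falls back to the version default "
                        "(localhost from MongoDB 3.6 on, all interfaces before)")

    if str(sec.get("authorization", "")).lower() != "enabled":
        findings.append("security.authorization is not 'enabled': any client that can "
                        "connect gets unauthenticated CRUD access")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_exposure(parse_mongod_conf(text)) or ["no findings"])
```

The two findings are deliberately reported separately: either one alone is a weakness, but it is the combination (network-reachable and no authorization) that the article describes, and fixing only the binding still leaves every host on the internal network with full read-write access.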

Source: Unsecured MongoDB databases expose Kremlin’s backdoor into Russian businesses | ZDNet

European Commission orders mass recall of creepy, leaky child-tracking Enox smartwatch

The latest weekly report includes German firm Enox’s Safe-KID-One watch, which is marketed to parents as a way of keeping tabs on their little ones – ostensibly to keep them safe – and comes with one-click buttons for speed-dialling family members.

However, the commission said the device does not comply with the Radio Equipment Directive and detailed “serious” risks associated with the device.

“The mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data,” the directive said.

As a result, data on location history, phone numbers and device serial number can be found and changed.

“A malicious user can send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS,” the alert warned.

Source: European Commission orders mass recall of creepy, leaky child-tracking smartwatch • The Register

Doctors Zap the Brains of Awake Brain Surgery Patients to Make Them Laugh and Have Fun

A distinct pathway in the white matter part of the brain known as the cingulum bundle can be used to alleviate stress and anxiety during awake brain surgery, according to new research published today in The Journal of Clinical Investigation. When electrically stimulated, this pathway triggers instantaneous laughter in the patient. But unlike previous experiments, this laughter was also accompanied by positive, uplifting feelings. Preliminary research suggests this technique could be used to calm patients during awake brain surgery, with the authors of the new study, led by neuroscientist Kelly Bijanki from Emory University School of Medicine, saying the findings could also lead to innovative new treatments for depression, anxiety, and chronic pain.

Source: Doctors Zap the Brains of Awake Brain Surgery Patients to Make Them Laugh and Have Fun

Nest Secure has an unlisted disabled microphone (Edit: Google statement agrees!)

We received a statement from Google regarding the implication that the Nest Secure alarm system has had an unlisted microphone this whole time. It turns out that yes, the Nest Guard base system (the circular device with a keypad above) does have a built-in microphone that is not listed on the official spec sheet at Nest’s site. The microphone has been in an inactive state since the release of the Nest Secure, according to Google.

This unlisted mic is how the Nest Guard will be able to operate as a pseudo-Google Home with just a software update, as detailed below.

[…]

Once the Google Assistant is enabled, the mic is always on but only listening for the hotwords “Ok Google” or “Hey Google”. Google only stores voice-based queries after it recognizes those hotwords. Voice data and query contents are sent to Google servers for analysis and storage in My Activity.

[…]

Original Article, February 4, 2019 (02:20 PM ET): Owners of the Nest Secure alarm system have been able to use voice commands to control their home security through Google Assistant for a while now. However, to issue those commands, they needed a separate Google Assistant-powered device, like a smartphone or a Google Home smart speaker.

The reason for this limitation has always seemed straightforward: according to the official tech specs, there’s no onboard microphone in the Nest Secure system.

Source: Nest Secure has an unlisted disabled microphone (Edit: Google statement)

That’s pretty damn creepy

Hi, Jack’d: A little PSA for anyone using this dating-hook-up app… Anyone can slurp your private, public snaps • The Register

Dating-slash-hook-up app Jack’d is exposing to the public internet intimate snaps privately swapped between its users, allowing miscreants to download countless X-rated selfies without permission.

The phone application, installed more than 110,000 times on Android devices and also available for iOS, lets primarily gay and bi men chat each other up, exchange private and public pics, and arrange to meet.

Those photos, public and private, can be accessed by anyone with a web browser and who knows just where to look, though, it appears. As there is no authentication, no need to sign up to the app, and no limits in place, miscreants can therefore download the entire image database for further havoc and potential blackmail.

You may well want to delete your images until this issue is fixed.

We’re told the developers of the application were warned of the security vulnerability three months ago, and yet no fix has been made. We’ve repeatedly tried to contact the programmers to no avail. In the interests of alerting Jack’d users to the fact their highly NSFW pictures are facing the public internet, we’re publishing this story today, although we are withholding details of the flaw to discourage exploitation.

Source: Hi, Jack’d: A little PSA for anyone using this dating-hook-up app… Anyone can slurp your private, public snaps • The Register

Dirty dealing in the $175 billion Amazon Marketplace

Last August, Zac Plansky woke to find that the rifle scopes he was selling on Amazon had received 16 five-star reviews overnight. Usually, that would be a good thing, but the reviews were strange. The scope would normally get a single review a day, and many of these referred to a different scope, as if they’d been cut and pasted from elsewhere. “I didn’t know what was going on, whether it was a glitch or whether somebody was trying to mess with us,” Plansky says.

As a precaution, he reported the reviews to Amazon. Most of them vanished days later — problem solved — and Plansky reimmersed himself in the work of running a six-employee, multimillion-dollar weapons accessory business on Amazon. Then, two weeks later, the trap sprang. “You have manipulated product reviews on our site,” an email from Amazon read. “This is against our policies. As a result, you may no longer sell on Amazon.com, and your listings have been removed from our site.”

A rival had framed Plansky for buying five-star reviews, a high crime in the world of Amazon. The funds in his account were immediately frozen, and his listings were shut down. Getting his store back would take him on a surreal weeks-long journey through Amazon’s bureaucracy, one that began with the click of a button at the bottom of his suspension message that read “appeal decision.”

[…]

For sellers, Amazon is a quasi-state. They rely on its infrastructure — its warehouses, shipping network, financial systems, and portal to millions of customers — and pay taxes in the form of fees. They also live in terror of its rules, which often change and are harshly enforced. A cryptic email like the one Plansky received can send a seller’s business into bankruptcy, with few avenues for appeal.

Sellers are more worried about a case being opened on Amazon than in actual court, says Dave Bryant, an Amazon seller and blogger. Amazon’s judgment is swifter and less predictable, and now that the company controls nearly half of the online retail market in the US, its rulings can instantly determine the success or failure of your business, he says. “Amazon is the judge, the jury, and the executioner.”

Amazon is far from the only tech company that, having annexed a vast sphere of human activity, finds itself in the position of having to govern it. But Amazon is the only platform that has a $175 billion prize pool tempting people to game it, and the company must constantly implement new rules and penalties, which in turn, become tools for new abuses, which require yet more rules to police. The evolution of its moderation system has been hyper-charged. While Mark Zuckerberg mused recently that Facebook might need an analog to the Supreme Court to adjudicate disputes and hear appeals, Amazon already has something like a judicial system — one that is secretive, volatile, and often terrifying.

Amazon’s judgments are so severe that its own rules have become the ultimate weapon in the constant warfare of Marketplace. Sellers devise all manner of intricate schemes to frame their rivals, as Plansky experienced. They impersonate, copy, deceive, threaten, sabotage, and even bribe Amazon employees for information on their competitors.

[…]

Scammers have effectively weaponized Amazon’s anti-counterfeiting program. Attacks have become so widespread that they’ve even pulled in the US Patent and Trademark Office, which recently posted a warning that people were making unauthorized changes through its electronic filing system, likely “part of a scheme to register the marks of others on third-party ‘brand registries.’” Scammers had begun swapping out the email addresses on their rival’s trademark files, which can be done without a password, and using the new email to register their competitor’s brand with Amazon, gaining control of their listings. As Harris encountered, Amazon appears not to check whether a listing belongs to a brand already enrolled in brand registry. Stine has a client who had trademarked their party supply brand and registered it with Amazon, only to have a rival change their trademark file, register with Amazon, and hijack their listing for socks, which had things like “If you can read this, bring coffee” written on the soles.

[…]

There are more subtle methods of sabotage as well. Sellers will sometimes buy Google ads for their competitors for unrelated products — say, a dog food ad linking to a shampoo listing — so that Amazon’s algorithm sees the rate of clicks converting to sales drop and automatically demotes their product. They will go on the black market and purchase or rent seller accounts with special editing privileges and use them to change the color or description of their rival’s products so they get suspended for too many customers complaining about the item being “not as described.” They will exile their competitor’s listings to an unrelated category — say, move a product with a “Best Seller” badge in the office category to lawn care, taking the badge for themselves.

“They took a kids toy made for six to 12 year olds and they changed it to a sex toy,” one outraged seller told me. This is a common move, as Amazon hides products in that category unless the customer clicks a button saying they’re over 18. Another seller who had been battling counterfeiters of his childproof locks and outlet covers received a threat in Chinese saying that, while it is hard to build a listing like his, it would be easy to destroy. “Be cautious,” the message warned. Later, he too was banished to sex toys. “It’s suppressed from search results unless you literally search for a ‘sexual child proof door lock,’” he says. (He had no sales.)

Source: Dirty dealing in the $175 billion Amazon Marketplace

An incredible story, very worth reading in its entirety

UAE used cyber super-weapon to spy on iPhones of foes

The cyber tool allowed the small Gulf country to monitor hundreds of targets beginning in 2016, from the Emir of Qatar and a senior Turkish official to a Nobel Peace laureate human-rights activist in Yemen, according to five former operatives and program documents reviewed by Reuters. The sources interviewed by Reuters were not Emirati citizens.

Karma was used by an offensive cyber operations unit in Abu Dhabi comprised of Emirati security officials and former American intelligence operatives working as contractors for the UAE’s intelligence services. The existence of Karma and of the hacking unit, code named Project Raven, haven’t been previously reported. Raven’s activities are detailed in a separate story published by Reuters today.

The ex-Raven operatives described Karma as a tool that could remotely grant access to iPhones simply by uploading phone numbers or email accounts into an automated targeting system. The tool has limits — it doesn’t work on Android devices and doesn’t intercept phone calls. But it was unusually potent because, unlike many exploits, Karma did not require a target to click on a link sent to an iPhone, they said.

Source: Exclusive: UAE used cyber super-weapon to spy on iPhones of foes | Reuters

Furious Apple revokes Facebook’s enty app cert after Zuck’s crew abused it to slurp private data

Facebook has yet again vowed to “do better” after it was caught secretly bypassing Apple’s privacy rules to pay adults and teenagers to install a data-slurping iOS app on their phones.

The increasingly worthless promises of the social media giant have fallen on deaf ears however: on Wednesday, Apple revoked the company’s enterprise certificate for its internal non-public apps, and one lawmaker vowed to reintroduce legislation that would make it illegal for Facebook to carry out such “research” in future.

The enterprise cert allows Facebook to sign iOS applications so they can be installed for internal use only, without having to go through the official App Store. It’s useful for intranet applications and in-house software development work.

Facebook, though, used the certificate to sign a market research iPhone application that folks could install on their devices. The app was previously kicked out of the official App Store for breaking Apple’s rules on privacy: Facebook had to use the cert to skirt Cupertino’s ban.

[…]

With its certificate revoked, Facebook employees are reporting that their legitimate internal apps, also signed by the cert, have stopped working. The consumer iOS Facebook app is unaffected.

Trust us, we’re Facebook!

At the heart of the issue is an app for iPhones called “Facebook Research” that the company advertised through third parties. The app is downloaded outside of the normal Apple App Store, and gives Facebook extraordinary access to a user’s phone, allowing the company to see pretty much everything that person does on their device. For that trove of personal data, Facebook paid an unknown number of users aged between 13 and 35 up to $20 a month in e-gifts.

Source: Furious Apple revokes Facebook’s enty app cert after Zuck’s crew abused it to slurp private data • The Register

A person familiar with the situation tells The Verge that early versions of Facebook, Instagram, Messenger, and other pre-release “dogfood” (beta) apps have stopped working, as have other employee apps, like one for transportation. Facebook is treating this as a critical problem internally, we’re told, as the affected apps simply don’t launch on employees’ phones anymore.

https://www.theverge.com/2019/1/30/18203551/apple-facebook-blocked-internal-ios-apps
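The mechanism at the centre of both stories is the provisioning profile: an enterprise-signed app carries a profile that installs on any device, while App Store and developer builds do not. Below is an added example (not code from The Register, The Verge, Apple or Facebook) that pulls the plist out of an embedded.mobileprovision blob and reports whether it is an in-house distribution profile and whether it has expired, the check a device-management or app-audit script would run. The profile bytes are constructed here for the demonstration; the keys it reads (ProvisionsAllDevices, ProvisionedDevices, ExpirationDate, TeamName) are the ones Apple writes into these profiles.

```python
"""Added example (not from the articles above): classify an iOS provisioning
profile as enterprise, development/ad-hoc or App Store, and check expiry.

An .ipa carries Payload/<App>.app/embedded.mobileprovision, a CMS-signed blob
whose payload is a cleartext XML plist; the plist can be located without a
CMS parser. The CMS signature is NOT verified here, so treat the result as
untrusted metadata for triage, not as proof of origin.
"""
import plistlib
from datetime import datetime

# Constructed sample profile of the in-house (enterprise) kind: ProvisionsAllDevices
# is what lets such a build run on any iPhone without the App Store.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>AppIDName</key><string>Example Research App (constructed)</string>
  <key>TeamName</key><string>Example Corp (constructed)</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2019-06-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>EXAMPLE123.com.example.research</string>
  </dict>
</dict>
</plist>"""

# Constructed stand-in for the DER/CMS bytes that surround the plist in a real file.
SAMPLE_BLOB = b"\x30\x82\x01\x00" + SAMPLE_PLIST + b"\x00" * 16


def extract_plist(blob: bytes) -> dict:
    """Return the XML plist embedded in a CMS-wrapped mobileprovision blob."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(profile: dict, now: datetime) -> dict:
    """Summarise distribution kind, signing team and validity at time `now` (naive UTC)."""
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"          # in-house distribution: installs on any device
    elif profile.get("ProvisionedDevices"):
        kind = "development/ad-hoc"  # limited to the UDIDs listed in the profile
    else:
        kind = "app-store"           # no device list: App Store distribution
    expires = profile.get("ExpirationDate")     # plistlib yields a naive UTC datetime
    return {
        "kind": kind,
        "team": profile.get("TeamName", "<unknown>"),
        "app_id": profile.get("Entitlements", {}).get("application-identifier", "<unknown>"),
        "expires": expires,
        "expired": expires is not None and expires <= now,
    }


def audit_profile(blob: bytes, now: datetime) -> dict:
    """Parse and classify in one step; this is what an audit script would call per app."""
    return classify_profile(extract_plist(blob), now)


if __name__ == "__main__":
    verdict = audit_profile(SAMPLE_BLOB, datetime(2019, 2, 1))
    print(verdict)   # enterprise profile, not yet expired on 2019-02-01
```

On a managed fleet, an "enterprise" verdict for a team that is not your own is the signal worth alerting on; Apple's revocation of a certificate, as in the story, shows up as the signed apps failing to launch rather than as a change in this metadata.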

 

Defanged SystemD exploit code for security holes now out in the wild

In mid-January, Qualys, another security firm, released details about three flaws affecting systemd-journald, a systemd component that handles the collection and storage of log data. Patches for the vulnerabilities – CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866 – have been issued by various Linux distributions.

Exploitation of these code flaws allows an attacker to alter system memory in order to commandeer systemd-journal, which permits privilege escalation to the root account of the system running the software. In other words, malware running on a system, or rogue logged-in users, can abuse these bugs to gain administrator-level access over the whole box, which is not great in uni labs and similar environments.

Nick Gregory, research scientist at Capsule8, in a blog post this week explains that his firm developed proof-of-concept exploit code for testing and verification. As in testing whether or not computers are at risk, and verifying the patches work.

“There are some interesting aspects that were not covered by Qualys’ initial publication, such as how to communicate with the affected service to reach the vulnerable component, and how to control the computed hash value that is actually used to corrupt memory,” he said.

Manipulated

The exploit script, written in Python 3, targets the 20180808.0.0 release of the ubuntu/bionic64 Vagrant image, and assumes that address space layout randomization (ASLR) is disabled. Typically, ASLR is not switched off in production systems, making this largely an academic exercise.

The script exploits CVE-2018-16865 via Linux’s alloca() function, which allocates the specified number of bytes of memory space in the stack frame of the caller; it can be used to manipulate the stack pointer.

Basically, by creating a massive number of log entries and appending them to the journal, the attacker can overwrite memory and take control of the vulnerable system.

Source: The D in SystemD stands for Danger, Will Robinson! Defanged exploit code for security holes now out in the wild • The Register

Hackers Are Passing Around a Megaleak of 2.2 Billion Records

Earlier this month, security researcher Troy Hunt identified the first tranche of that mega-dump, named Collection #1 by its anonymous creator, a set of cobbled-together breached databases Hunt said represented 773 million unique usernames and passwords. Now other researchers have obtained and analyzed an additional vast database called Collections #2–5, which amounts to 845 gigabytes of stolen data and 25 billion records in all. After accounting for duplicates, analysts at the Hasso Plattner Institute in Potsdam, Germany, found that the total haul represents close to three times the Collection #1 batch.

“This is the biggest collection of breaches we’ve ever seen,” says Chris Rouland, a cybersecurity researcher and founder of the IoT security firm Phosphorus.io, who pulled Collections #1–5 in recent days from torrented files. He says the collection has already circulated widely among the hacker underground: He could see that the tracker file he downloaded was being “seeded” by more than 130 people who possessed the data dump, and that it had already been downloaded more than 1,000 times. “It’s an unprecedented amount of information and credentials that will eventually get out into the public domain,” Rouland says.

Source: Hackers Are Passing Around a Megaleak of 2.2 Billion Records | WIRED
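The "after accounting for duplicates" step is where the headline numbers come from: stitched-together dumps repeat the same pair with different casing, separators and whitespace, so raw line counts overstate unique credentials. As an added example (not code from WIRED, Troy Hunt or the HPI analysts), here is the normalisation and de-duplication pass an analyst or a defender checking their own domains would run. The record lines are constructed; the regex and the choice to case-fold the whole address are assumptions about dump formatting, not facts about Collections #1–5.

```python
"""Added example: normalise, de-duplicate and count credential-dump records.
Sample lines are constructed; no real breach data is used."""
import re
from collections import Counter
from typing import Iterable, Iterator, Optional, Tuple

# Constructed lines mimicking the mixed formats found in stitched-together dumps.
SAMPLE_LINES = [
    "Alice@Example.com:hunter2",
    "alice@example.com:hunter2",      # duplicate once the address is case-folded
    "alice@example.com;hunter2",      # same pair, different separator
    "bob@example.com:Password1",
    "BOB@example.com:Password1 ",     # trailing whitespace
    "carol@other.org:letmein",
    "not a credential line",          # noise: dropped
    "dave@example.com:",              # empty password: dropped
]

# address <sep> password, where sep is ':' ';' or ','; password is kept verbatim
# (passwords are case-sensitive, addresses in practice are not).
RECORD_RE = re.compile(r"^\s*([^\s:;,@]+@[^\s:;,@]+)\s*[:;,]\s*(.*?)\s*$")


def parse_record(line: str) -> Optional[Tuple[str, str]]:
    """Return (email, password) for a credential line, or None for noise."""
    m = RECORD_RE.match(line)
    if not m or not m.group(2):
        return None
    return m.group(1).lower(), m.group(2)


def dedupe(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield each distinct (email, password) pair once, in first-seen order."""
    seen = set()
    for line in lines:
        rec = parse_record(line)
        if rec is not None and rec not in seen:
            seen.add(rec)
            yield rec


def summarize(lines, watch_domains=()) -> dict:
    """Count raw lines vs unique pairs/addresses, per-domain, plus hits on watched domains."""
    lines = list(lines)
    uniq = list(dedupe(lines))
    emails = {email for email, _ in uniq}
    per_domain = Counter(email.rsplit("@", 1)[1] for email in emails)
    watched = {d.lower() for d in watch_domains}
    hits = sorted(e for e in emails if e.rsplit("@", 1)[1] in watched)
    return {
        "raw_lines": len(lines),
        "unique_pairs": len(uniq),
        "unique_emails": len(emails),
        "per_domain": dict(per_domain),
        "watched_hits": hits,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES, watch_domains=["example.com"]))
```

Streaming the lines through dedupe() instead of loading a file into memory is what makes this workable at the hundreds-of-gigabytes scale the article describes; the seen-set is the only thing that grows.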

Criminals Are Tapping into the Phone Network Backbone using known insecure SS7 to Empty Bank Accounts

Sophisticated hackers have long exploited flaws in SS7, a protocol used by telecom companies to coordinate how they route texts and calls around the world. Those who exploit SS7 can potentially track phones across the other side of the planet, and intercept text messages and phone calls without hacking the phone itself.

This activity was typically only within reach of intelligence agencies or surveillance contractors, but now Motherboard has confirmed that this capability is much more widely available in the hands of financially-driven cybercriminal groups, who are using it to empty bank accounts. So-called SS7 attacks against banks are, although still relatively rare, much more prevalent than previously reported. Motherboard has identified a specific bank—the UK’s Metro Bank—that fell victim to such an attack.

The news highlights the gaping holes in the world’s telecommunications infrastructure that the telco industry has known about for years despite ongoing attacks from criminals. The National Cyber Security Centre (NCSC), the defensive arm of the UK’s signals intelligence agency GCHQ, confirmed that SS7 is being used to intercept codes used for banking.

“We are aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as 2-Factor Authentication (2FA),” the NCSC told Motherboard in a statement.

Source: Criminals Are Tapping into the Phone Network Backbone to Empty Bank Accounts – Motherboard
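The NCSC statement is about codes delivered over SMS, which is exactly the leg an SS7 attacker can intercept. The standard mitigation is a code that never crosses the phone network: a TOTP generated on the device from a shared secret. As an added example (not code from Motherboard, the NCSC or any bank), here is a minimal HOTP/TOTP implementation per RFC 4226 and RFC 6238, with a verifier that tolerates clock skew and refuses to accept a counter it has already seen, so a code captured in transit cannot be replayed. The secret is the RFC test-vector secret, not a real one.

```python
"""Added example: HOTP/TOTP (RFC 4226 / RFC 6238) with a replay-resistant verifier.
The shared secret below is the published RFC test-vector secret, used so the
outputs can be checked against the RFC tables."""
import hashlib
import hmac
import struct
from typing import Optional

RFC_TEST_SECRET = b"12345678901234567890"   # from RFC 4226 / RFC 6238 test vectors


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password for an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant: the counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, for_time // step, digits)


def verify_totp(secret: bytes, code: str, now: int, *, step: int = 30,
                digits: int = 6, window: int = 1, last_counter: int = -1) -> Optional[int]:
    """Return the counter that matched, or None.

    Accepts +/- `window` periods of clock skew. Any counter <= `last_counter`
    (the value the server stored from the previous success) is rejected, so a
    code that was observed in transit is useless once it has been used.
    Comparison is constant-time."""
    counter = now // step
    for c in range(counter - window, counter + window + 1):
        if c < 0 or c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


if __name__ == "__main__":
    # RFC 6238, SHA-1, 8 digits, T=59 -> 94287082
    print(totp(RFC_TEST_SECRET, 59, digits=8))
    print(verify_totp(RFC_TEST_SECRET, "287082", 59))                 # 1
    print(verify_totp(RFC_TEST_SECRET, "287082", 59, last_counter=1)) # None: replay
```

Server-side, the stored last_counter is the part that matters against the attack in the article: even if an attacker learns a valid code, it only works once and only within the skew window.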

Personal data slurped in Airbus hack – but firm’s industrial smarts could be what crooks are after

Airbus has admitted that a “cyber incident” resulted in unidentified people getting their hands on “professional contact and IT identification details” of some Europe-based employees.

The company said in a brief statement published late last night that the breach is “being thoroughly investigated by Airbus’ experts”. The company has its own infosec business unit, Stormguard.

“Investigations are ongoing to understand if any specific data was targeted,” it continued, adding that it is in contact with the “relevant regulatory authorities”, which for Airbus is France’s CNIL data protection watchdog. We understand no customer data was accessed, while Airbus insists for the moment that there has been no impact on its commercial operations.

Airbus said the target was its Commercial Aircraft business unit, which employs around 10,000 people in the UK alone, split between two sites. The company said that only people in “Europe” were affected.

Source: Personal data slurped in Airbus hack – but firm’s industrial smarts could be what crooks are after • The Register

Facebook pays teens to install VPN that spies on them

Desperate for data on its competitors, Facebook has been secretly paying people to install a “Facebook Research” VPN that lets the company suck in all of a user’s phone and web activity, similar to Facebook’s Onavo Protect app that Apple banned in June and that was removed in August. Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access to network traffic in what may be a violation of Apple policy so the social network can decrypt and analyze their phone activity, a TechCrunch investigation confirms. Facebook admitted to TechCrunch it was running the Research program to gather data on usage habits.

Since 2016, Facebook has been paying users ages 13 to 35 up to $20 per month plus referral fees to sell their privacy by installing the iOS or Android “Facebook Research” app. Facebook even asked users to screenshot their Amazon order history page. The program is administered through beta testing services Applause, BetaBound and uTest to cloak Facebook’s involvement, and is referred to in some documentation as “Project Atlas” — a fitting name for Facebook’s effort to map new trends and rivals around the globe.

Source: Facebook pays teens to install VPN that spies on them | TechCrunch