The Linkielist

Linking ideas with the world

Nanoscale pillars as a building block for future information technology

Researchers from Linköping University and the Royal Institute of Technology in Sweden have proposed a new device concept that can efficiently transfer the information carried by electron spin to light at room temperature—a stepping stone toward future information technology. They present their approach in an article in Nature Communications.

Light and electron charge are the main media for information processing and transfer. In the search for information technology that is even faster, smaller and more energy-efficient, scientists around the globe are exploring another property of electrons—their spin. Electronics that exploit both the spin and the charge of the electron are called “spintronics.”

[…]

“The main problem is that electrons easily lose their spin orientations when the temperature rises. A key element for future spin-light applications is efficient quantum information transfer at room temperature, but at room temperature, the electron spin orientation is nearly randomized.
[…]

Now, researchers from Linköping University and the Royal Institute of Technology have devised an efficient spin-light interface.

“This interface can not only maintain and even enhance the electron spin signals at room temperature. It can also convert these spin signals to corresponding chiral light signals travelling in a desired direction,” says Weimin Chen.

The key element of the device is extremely small disks of gallium nitrogen arsenide, GaNAs. The disks are only a couple of nanometres high and stacked on top of each other with a thin layer of gallium arsenide (GaAs) between to form chimney-shaped nanopillars. For comparison, the diameter of a human hair is about a thousand times larger than the diameter of the nanopillars.

The unique ability of the proposed device to enhance spin signals is due to minimal defects introduced into the material by the researchers. Fewer than one out of a million gallium atoms are displaced from their designated lattice sites in the material. The resulting defects in the material act as efficient spin filters that can drain electrons with an unwanted spin orientation and preserve those with the desired spin orientation.

“An important advantage of the nanopillar design is that light can be guided easily and more efficiently coupled in and out,” says Shula Chen, first author of the article.

Read more at: https://phys.org/news/2018-10-nanoscale-pillars-block-future-technology.html#jCp

Source: Nanoscale pillars as a building block for future information technology

Inside Hurricane Maria in 360°

Two days before Hurricane Maria devastated Puerto Rico, the NASA-Japan Global Precipitation Measurement Core Observatory satellite captured a 3-D view of the storm. At the time Maria was a Category 1 hurricane. The 3-D view reveals the processes inside the hurricane that would fuel the storm’s intensification to a Category 5 within 24 hours. For the first time in 360 degrees, this data visualization takes you inside the hurricane. The precipitation satellite has an advanced radar that measures both liquid and frozen water. The brightly colored dots show areas of rainfall, where green and yellow show low rates and red and purple show high rates. At the top of the hurricane, where temperatures are colder, blue and purple dots show light and heavy frozen precipitation. The colored areas below the dots show how much rain is falling at the surface.

California bans default passwords on any internet-connected device

In less than two years, anything that can connect to the internet will come with a unique password — that is, if it’s produced or sold in California. The “Information Privacy: Connected Devices” bill that comes into effect on January 1, 2020, effectively bans pre-installed and hard-coded default passwords. It only took the authorities about two weeks to approve the proposal made by the state senate.

The new regulation mandates device manufacturers to either create a unique password for each device at the time of production or require the user to create one when they interact with the device for the first time. According to the bill, it applies to any connected device, which is defined as a “physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”

The law is clearly aimed at stopping the spread of botnets made up of compromised network devices, such as routers, smart switches or even security cameras and other IoT equipment. Malicious software could often take control of them by trying easy-to-guess or publicly disclosed default login credentials. It’s not entirely clear yet how the new regulation will affect legacy industry hardware from the 1980s and 1990s where passwords are either hard-coded or next to impossible to change.

Source: California bans default passwords on any internet-connected device

A simple and very effective start to legislation on IoT

iPhone Shortcut Automatically Records Police, turns off face and fingerprint ID

According to Mic, Reddit user Robert Peterson created a trick using the virtual assistant, Siri, that lowers the phone’s brightness, turns on Do Not Disturb, texts the iPhone owner’s location to an emergency contact and lets them know you have been pulled over by police. The shortcut will also automatically start recording video and, when finished, the phone will send the video to the contact or save it to a cloud service.

The shortcut is available here, while another user created a workflow that automatically reboots the phone, rendering the fingerprint or face ID feature useless until a person enters a passcode. The Washington Post reports that police can’t legally compel a suspect to give up the passcode, although they can force a phone owner to use fingerprint ID or a face scan.

“I noticed in news articles and reports on TV that in many cases, police say one thing happened and the citizen pulled over says something else,” Peterson told Mic. “Sometimes police have body cameras, sometimes not. When they do, the video is not always released in a timely manner. I wanted a way for the person being pulled over to have a record for themselves.”

Source: iPhone Shortcut Automatically Records Police

Sans Forgetica font May Help You Remember What You Read

We’re all used to skimming past the boring parts of a reading assignment or a web article. But when researchers from RMIT University in Australia printed information in a weird, hard-to-read font, they found that people were more likely to remember what they read.

There’s a sweet spot, their experiments suggest: If the font is too chaotic, it becomes too hard to read. So they settled on small tweaks: gaps in the lines of the letters, and a slight backwards tilt (the opposite direction as the slant in more-familiar italic type).

The resulting font is called Sans Forgetica and you can download it here. The researchers also created a Chrome extension that will render any web page in Sans Forgetica, the better to study with. But don’t use it everywhere: they suspect that if we get too used to reading in Sans Forgetica, its memory-boosting effect will fade.

Source: Sans Forgetica May Help You Remember What You Read

Researchers Created ‘Quantum Artificial Life’ For the First Time

For the first time, an international team of researchers has used a quantum computer to create artificial life—a simulation of living organisms that scientists can use to understand life at the level of whole populations all the way down to cellular interactions.

With the quantum computer, individual living organisms represented at a microscopic level with superconducting qubits were made to “mate,” interact with their environment, and “die” to model some of the major factors that influence evolution.

The new research, published in Scientific Reports on Thursday, is a breakthrough that may eventually help answer the question of whether the origin of life can be explained by quantum mechanics, a theory of physics that describes the universe in terms of the interactions between subatomic particles.

Modeling quantum artificial life is a new approach to one of the most vexing questions in science: How does life emerge from inert matter, such as the “primordial soup” of organic molecules that once existed on Earth?

[…]

Individuals were represented in the model using two qubits. One qubit represented the individual’s genotype, the genetic code behind a certain trait, and the other its phenotype, or the physical expression of that trait.

To model self-replication, the algorithm copied the expectation value (the average of the probabilities of all possible measurements) of the genotype to a new qubit through entanglement, a process that correlates the states of qubits so that a measurement on one constrains what is found on the other. To account for mutations, the researchers encoded random qubit rotations into the algorithm that were applied to the genotype qubits.

The algorithm then modeled the interaction between the individual and its environment, which represented aging and eventually death. This was done by taking the new genotype from the self-replicating action in the previous step and transferring it to another qubit via entanglement. The new qubit represented the individual’s phenotype. The lifetime of the individual—that is, how long it takes the information to degrade or dissipate through interaction with the environment—depends on the information coded in this phenotype.

Finally, these individuals interacted with one another. This required four qubits (two genotypes and two phenotypes), but the phenotypes only interacted and exchanged information if they met certain criteria as coded in their genotype qubits.

Source: Researchers Created ‘Quantum Artificial Life’ For the First Time – Motherboard

Japan’s silent submarines extend range with li-ion batteries

The Oryu is the eleventh submarine based on the Soryu’s design. Soryu-class vessels, which started being built in 2005, are among the largest diesel-electric submarines in the world.

But the Oryu is a vastly updated version of the Soryu, the biggest change being the replacement of lead-acid batteries with lithium-ion ones. Mitsubishi Heavy tapped GS Yuasa to supply the high-performance batteries, which store about twice the energy of the lead-acid cells they replace.

Submarine batteries are recharged by the energy generated by Oryu’s diesel engines. The vessel switches to batteries during operations and actual combat in order to silence the engines and become harder to detect. The lithium-ion batteries radically extend the sub’s range and time it can spend underwater.

Source: Japan’s silent submarines extend range with new batteries – Nikkei Asian Review

Instagram explores sharing your precise location history with Facebook even when not using the app

Instagram is currently testing a feature that would allow it to share your location data with Facebook, even when you’re not using the app, reports app researcher Jane Manchun Wong (via TechCrunch). The option, which Wong notes is being tested as a setting you have to opt-in to, allows Facebook products to “build and use a history of precise locations” which the company says “helps you explore what’s around you, get more relevant ads and helps improve Facebook.” When activated, the service will report your location “even if you leave the app.”

The discovery of the feature comes just weeks after Instagram’s co-founders resigned from the company, reportedly as a result of Facebook CEO Mark Zuckerberg’s meddling in the service. Examples of this meddling include removing Instagram’s attribution from posts re-shared to Facebook, and badged notifications inside Instagram that encouraged people to open the Facebook app. With the two men who were deeply involved in the day-to-day running of Instagram now gone, such intrusions are expected to increase.

Instagram is not the only service that Facebook has sought to share data between. Back in 2016 the company announced that it would be sharing user data between WhatsApp and Facebook in order to offer better friend suggestions. The practice was later halted in the European Union thanks to its GDPR legislation, although WhatsApp’s CEO and co-founder later left over data privacy concerns.

Source: Instagram explores sharing your precise location history with Facebook – The Verge

Wait – instagram continually monitors your location too?!

Lawyers for Vizio data grabbing Smart TV owners propose final deal, around $20 per person. Lawyers themselves get $5.6 million.

Lawyers representing Vizio TV owners have asked a federal judge in Orange County, California to sign off on a proposed class-action settlement with the company for $17 million, for an affected class of 16 million people, who must opt in to get any money. Vizio also agrees to delete all data that it collected.

Notice of the lawsuit will be shown directly on the Vizio Smart TVs, three separate times, as well as through paper mailings.

When it’s all said and done, new court filings submitted on Thursday say each of those 16 million people will get a payout of somewhere between $13 and $31. By contrast, their lawyers will collectively earn a maximum payout of $5.6 million in fees.

Source: Lawyers for Vizio Smart TV owners propose final deal, around $20 per person | Ars Technica

‘Real’ fake research hoodwinks US journals, shows bias against white men gets published regardless of content

Three US researchers have pulled off a sophisticated hoax by publishing fake research with ridiculous conclusions in sociology journals to expose what they see as ideological bias and a lack of rigorous vetting at these publications.

Seven of the 20 fake articles written by the trio were accepted by journals after being approved by peer-review committees tasked with checking the authors’ research.

A faux study claiming that “Dog parks are Petri dishes for canine ‘rape culture'” by one “Helen Wilson” was published in May in the journal Gender, Place and Culture.

The article suggests that training men like dogs could reduce cases of sexual abuse.

Faux research articles are not new: one of the most notable examples is physicist Alan Sokal, who in a 1996 article for a cultural studies journal wrote about cultural and philosophical issues concerning aspects of physics and math.

This time the fake research aims at mocking weak vetting of articles on hot-button social issues such as gender, race and sexuality.

The authors, writing under pseudonyms, intended to prove that academics in these fields are ready to embrace any thesis, no matter how outrageous, so long as it contributes to denouncing domination by white men.

“Making absurd and horrible ideas sufficiently politically fashionable can get them validated at the highest level of academic grievance studies,” said one of the authors, James Lindsay, in a video revealing the project.

Lindsay—that is his real name—obtained a doctorate in mathematics in 2010 from the University of Tennessee and has been fully dedicated to this project for a year and a half.

One of the published journal articles analyzes why a man masturbating while thinking of a woman without her consent commits a sexual assault.

Another is a feminist rewrite of a chapter of “Mein Kampf.”

Some articles—such as a study of the impact of the use of an anal dildo by heterosexual men on their transphobia —even claimed to rely on data such as interviews, which could have been verified by the journal gatekeepers.

For that “study” the authors claimed to have interviewed 13 men. In the dog article, the authors claimed to have examined the genitals of nearly 10,000 canines.

“If our project shows anything, it shows that what’s coming out of these disciplines cannot currently be trusted,” Lindsay told AFP.

Read more at: https://phys.org/news/2018-10-real-fake-hoodwinks-journals.html#jCp

Source: ‘Real’ fake research hoodwinks US journals

Apple forgot to lock Intel Management Engine in laptops, so get patching

In its ongoing exploration of Intel’s Management Engine (ME), security biz Positive Technologies has reaffirmed the shortsightedness of security through obscurity and underscored the value of open source silicon.

The Intel ME, included on most Intel chipsets since 2008, is controversial because it expands the attack surface of Intel-based hardware: it runs its own firmware on a separate microcontroller in the chipset, below the operating system and outside its security controls, so if compromised it becomes a threat to the main processor and to everything running on it.

The Electronic Frontier Foundation last year called it a security hazard and asked for a way to disable it, a request that researchers from Positive Technologies subsequently met.

In a blog post on Tuesday, researchers Maxim Goryachy and Mark Ermolov, involved in the discovery of an Intel ME firmware flaw last year, reveal that Chipzilla’s ME contains an undocumented Manufacturing Mode, among its other little-known features like High Assurance Platform mode.

“Intel ME Manufacturing Mode is intended for configuration and testing of the end platform during manufacturing, and as such should be disabled (closed) before sale and shipment to users,” explain Goryachy and Ermolov. “However, this mode and its potential risks are not described anywhere in Intel’s public documentation.”

Manufacturing Mode can only be accessed using a utility included in Intel ME System Tools software, which isn’t available to the public. It’s intended to configure important platform settings in one-time programmable memory called Field Programmable Fuses (FPF) prior to product shipment and in ME’s internal MFS (Minux File System) on SPI (Serial Peripheral Interface) flash memory, via parameters known as CVARs (Configurable NVARs, Named Variables).

In chipsets prior to Apollo Lake, Goryachy and Ermolov observe, Intel kept access rights for its Management Engine, Gigabit Ethernet, and CPU separate. The SPI controllers in more recent chips, however, have a capability called a Master Grant which overrides the access rights declared in the SPI descriptor.

“What this means is that even if the SPI descriptor forbids host access to an SPI region of ME, it is possible for ME to still provide access,” the researchers explain.

And because device makers may fail to disable Manufacturing Mode, an attacker with local access can use the still-open mode to reconfigure the ME so that it grants the host write access to SPI flash regions the descriptor would otherwise protect, including the ME region itself, and write arbitrary data there. Firmware altered this way lives in flash rather than on disk, so it survives an operating-system reinstall.

At least one Intel customer failed to turn Manufacturing Mode off: Apple. The researchers analyzed notebooks from several computer makers and found that Apple had left Manufacturing Mode open. They reported the vulnerability (CVE-2018-4251) and Apple patched it in June via its macOS High Sierra 10.13.5 update.
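The check a practitioner wants after reading this is whether their own machine is still in Manufacturing Mode. The ME reports its state in the Host Firmware Status register HFSTS1, which the host can read from the PCI configuration space of the MEI/HECI device. The following is an added example, not the researchers’ tool nor Intel’s code; it assumes HFSTS1 sits at offset 0x40 of device 0000:00:16.0, that bit 4 of it is the manufacturing-mode flag, and that the other fields follow the layout published in coreboot’s me.h. The two configuration-space dumps it ships with are constructed so the decoder can be exercised offline.

```python
"""Is Intel ME Manufacturing Mode still open on this machine?

Added example; not Positive Technologies' or Intel's code. Assumptions: the
ME Host Firmware Status register HFSTS1 is at offset 0x40 of the PCI config
space of the MEI/HECI device (0000:00:16.0 on most Intel platforms), and its
bit 4 is the manufacturing-mode flag; the other fields follow the layout in
coreboot's me.h. The two config-space dumps at the bottom are constructed.
"""
import struct

HFSTS1_OFFSET = 0x40
MEI_CONFIG_PATH = "/sys/bus/pci/devices/0000:00:16.0/config"
INTEL_VENDOR_ID = 0x8086

WORKING_STATES = {0: "reset", 1: "init", 2: "recovery", 5: "normal"}
OPERATION_MODES = {0: "normal", 2: "debug", 3: "soft temporary disable",
                   4: "security override via jumper", 5: "security override via MEI message"}


def decode_hfsts1(value):
    """Split the 32-bit HFSTS1 word into the fields relevant to this check."""
    op_mode = (value >> 16) & 0xF
    return {
        "working_state": WORKING_STATES.get(value & 0xF, "unknown(%d)" % (value & 0xF)),
        "manufacturing_mode": bool(value & (1 << 4)),   # the flag this whole story is about
        "fpt_bad": bool(value & (1 << 5)),              # corrupt flash partition table
        "fw_init_complete": bool(value & (1 << 9)),
        "error_code": (value >> 12) & 0xF,
        "operation_mode": OPERATION_MODES.get(op_mode, "unknown(%d)" % op_mode),
    }


def hfsts1_from_config(config):
    """Pull HFSTS1 out of a raw PCI config-space dump of the MEI device."""
    if len(config) < HFSTS1_OFFSET + 4:
        # Unprivileged reads of the sysfs config file return only the first 64
        # bytes, which stop exactly before HFSTS1: read it as root or give up.
        raise ValueError("config dump too short (need at least 68 bytes; read it as root)")
    vendor = struct.unpack_from("<H", config, 0)[0]
    if vendor != INTEL_VENDOR_ID:
        raise ValueError("not an Intel device (vendor id 0x%04x)" % vendor)
    return struct.unpack_from("<I", config, HFSTS1_OFFSET)[0]


def manufacturing_mode_open(config):
    """True when the ME still reports Manufacturing Mode."""
    return decode_hfsts1(hfsts1_from_config(config))["manufacturing_mode"]


def read_live_config(path=MEI_CONFIG_PATH):
    """Read the real MEI config space on Linux (root needed for the full 256 bytes)."""
    with open(path, "rb") as f:
        return f.read(256)


def _constructed_dump(hfsts1):
    """A 256-byte config-space dump with the Intel vendor id and a chosen HFSTS1."""
    buf = bytearray(256)
    struct.pack_into("<H", buf, 0, INTEL_VENDOR_ID)
    struct.pack_into("<I", buf, HFSTS1_OFFSET, hfsts1)
    return bytes(buf)


# Constructed samples: working state normal, firmware init complete, operation mode normal.
CLOSED_SAMPLE = _constructed_dump(0x00000245)   # bit 4 clear: Manufacturing Mode closed
OPEN_SAMPLE = _constructed_dump(0x00000255)     # bit 4 set: still in Manufacturing Mode

if __name__ == "__main__":
    try:
        cfg = read_live_config()
        print("Manufacturing Mode open:", manufacturing_mode_open(cfg))
        print(decode_hfsts1(hfsts1_from_config(cfg)))
    except (OSError, ValueError) as e:
        print("could not read live MEI config:", e)
```

Run it as root on a Linux box with an MEI device; a result of True is the condition the researchers found on Apple notebooks and is something to raise with the vendor, since only the manufacturer’s tooling can close the mode. A short read (64 bytes) means the file was read without privilege, not that the mode is closed.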

Source: Apple forgot to lock Intel Management Engine in laptops, so get patching • The Register

Introducing MLflow: an Open Source Machine Learning Platform for tracking, projects and models

MLflow is inspired by existing ML platforms, but it is designed to be open in two senses:

  1. Open interface: MLflow is designed to work with any ML library, algorithm, deployment tool or language. It’s built around REST APIs and simple data formats (e.g., a model can be viewed as a lambda function) that can be used from a variety of tools, instead of only providing a small set of built-in functionality. This also makes it easy to add MLflow to your existing ML code so you can benefit from it immediately, and to share code using any ML library that others in your organization can run.
  2. Open source: We’re releasing MLflow as an open source project that users and library developers can extend. In addition, MLflow’s open format makes it very easy to share workflow steps and models across organizations if you wish to open source your code.

Mlflow is still currently in alpha, but we believe that it already offers a useful framework to work with ML code, and we would love to hear your feedback. In this post, we’ll introduce MLflow in detail and explain its components.

MLflow Alpha Release Components

This first, alpha release of MLflow has three components:

MLflow Components

MLflow Tracking

MLflow Tracking is an API and UI for logging parameters, code versions, metrics and output files when running your machine learning code to later visualize them. With a few simple lines of code, you can track parameters, metrics, and artifacts:

import mlflow

# Log parameters (key-value pairs)
mlflow.log_param("num_dimensions", 8)
mlflow.log_param("regularization", 0.1)

# Log a metric; metrics can be updated throughout the run
mlflow.log_metric("accuracy", 0.1)
...
mlflow.log_metric("accuracy", 0.45)

# Log artifacts (output files)
mlflow.log_artifact("roc.png")
mlflow.log_artifact("model.pkl")

You can use MLflow Tracking in any environment (for example, a standalone script or a notebook) to log results to local files or to a server, then compare multiple runs. Using the web UI, you can view and compare the output of multiple runs. Teams can also use the tools to compare results from different users:

MLflow Tracking UI

MLflow Tracking UI

MLflow Projects

MLflow Projects provide a standard format for packaging reusable data science code. Each project is simply a directory with code or a Git repository, and uses a descriptor file to specify its dependencies and how to run the code. A MLflow Project is defined by a simple YAML file called MLproject.

name: My Project
conda_env: conda.yaml
entry_points:
  main:
    parameters:
      data_file: path
      regularization: {type: float, default: 0.1}
    command: "python train.py -r {regularization} {data_file}"
  validate:
    parameters:
      data_file: path
    command: "python validate.py {data_file}"

Projects can specify their dependencies through a Conda environment. A project may also have multiple entry points for invoking runs, with named parameters. You can run projects using the mlflow run command-line tool, either from local files or from a Git repository:

mlflow run example/project -P alpha=0.5

mlflow run git@github.com:databricks/mlflow-example.git -P alpha=0.5

MLflow will automatically set up the right environment for the project and run it. Note that running a project from a Git URL fetches that repository and executes whatever command its MLproject file specifies, so only run projects you trust, and pin them to a reviewed commit rather than a moving branch. In addition, if you use the MLflow Tracking API in a Project, MLflow will remember the project version executed (that is, the Git commit) and any parameters. You can then easily rerun the exact same code.

The project format makes it easy to share reproducible data science code, whether within your company or in the open source community. Coupled with MLflow Tracking, MLflow Projects provides great tools for reproducibility, extensibility, and experimentation.

MLflow Models

MLflow Models is a convention for packaging machine learning models in multiple formats called “flavors”. MLflow offers a variety of tools to help you deploy different flavors of models. Each MLflow Model is saved as a directory containing arbitrary files and an MLmodel descriptor file that lists the flavors it can be used in.

time_created: 2018-02-21T13:21:34.12
flavors:
  sklearn:
    sklearn_version: 0.19.1
    pickled_model: model.pkl
  python_function:
    loader_module: mlflow.sklearn
    pickled_model: model.pkl

In this example, the model can be used with tools that support either the sklearn or python_function model flavors.

MLflow provides tools to deploy many common model types to diverse platforms. For example, any model supporting the python_function flavor can be deployed to a Docker-based REST server, to cloud platforms such as Azure ML and AWS SageMaker, and as a user-defined function in Apache Spark for batch and streaming inference. If you output MLflow Models as artifacts using the Tracking API, MLflow will also automatically remember which Project and run they came from.
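The MLmodel descriptor above points `pickled_model` at a Python pickle, and loading an MLflow model of the sklearn or python_function flavor unpickles that file. Unpickling is code execution: the pickle’s GLOBAL/STACK_GLOBAL and REDUCE opcodes name any importable callable and call it, so a model artifact pulled from an untrusted run or repository is as dangerous as running its author’s script. The following is an added example, not MLflow’s own code and not using the mlflow API: it reads the `pickled_model` entry, disassembles the pickle with the standard-library `pickletools` to list what it would import without executing it, and then loads it through a restricted unpickler. The allow-list of packages and both sample pickles are constructed for illustration.

```python
"""Check what an MLflow model's pickle would import before loading it.

Added example; not MLflow's own code and it does not call the mlflow API. It
follows the MLmodel layout shown above: `pickled_model` names a pickle that
the sklearn flavor unpickles on load. The allow-list and the sample pickles
are constructed for illustration.
"""
import io
import os
import pickle
import pickletools

# Packages an sklearn model pickle legitimately references (assumption; tune per model).
ALLOWED_PACKAGES = {"sklearn", "numpy", "scipy", "copyreg"}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def pickled_model_path(mlmodel_text):
    """Return the pickled_model entry of an MLmodel descriptor (flat line scan, not a YAML parser)."""
    for line in mlmodel_text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "pickled_model":
            return value.strip()
    return None


def pickle_imports(data):
    """Every (module, name) the pickle would import, found by disassembly, never by execution."""
    imports, strings, memo, last = set(), [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":                       # protocols 0-3: arg is "module name"
            module, name = arg.split(" ", 1)
            imports.add((module, name))
        elif op.name == "STACK_GLOBAL":               # protocol 4+: module and name were pushed as strings
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without preceding module/name strings")
            imports.add((strings[-2], strings[-1]))
        elif op.name in STRING_OPS:
            strings.append(arg)
        elif op.name == "MEMOIZE":                    # remember the last pushed value
            memo[len(memo)] = last
            continue
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
            continue
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):   # a memoized string may be re-pushed
            arg = memo.get(arg)
            if isinstance(arg, str):
                strings.append(arg)
        last = arg
    return imports


def allowed(module, name):
    return module.split(".")[0] in ALLOWED_PACKAGES


def disallowed_imports(data):
    return sorted(imp for imp in pickle_imports(data) if not allowed(*imp))


class RestrictedUnpickler(pickle.Unpickler):
    """Second line of defence: refuse any global outside the allow-list at load time."""
    def find_class(self, module, name):
        if allowed(module, name):
            return super().find_class(module, name)
        raise pickle.UnpicklingError("refusing to import %s.%s" % (module, name))


def safe_loads(data):
    """Static scan first, then a restricted unpickle; either failure rejects the artifact."""
    bad = disallowed_imports(data)
    if bad:
        raise pickle.UnpicklingError("pickle references disallowed globals: %s" % bad)
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Constructed samples. BENIGN is what a harmless artifact looks like; MALICIOUS_* is a
# pickle whose __reduce__ makes the loader call os.system (payload is only an echo).
BENIGN = pickle.dumps({"coef": [1.0, 2.0], "intercept": 0.5})


class _Exploit:
    def __reduce__(self):
        return (os.system, ("echo pwned",))


MALICIOUS_P4 = pickle.dumps(_Exploit(), protocol=4)
MALICIOUS_P2 = pickle.dumps(_Exploit(), protocol=2)

MLMODEL_SAMPLE = """time_created: 2018-02-21T13:21:34.12
flavors:
  sklearn:
    sklearn_version: 0.19.1
    pickled_model: model.pkl
"""
```

Creating `MALICIOUS_P4` is harmless; only unpickling it would run the command, and `safe_loads` refuses before that point. The static scan is the part worth wiring into an artifact-promotion step, since it needs none of the model’s dependencies installed; the restricted unpickler catches whatever the scan’s simple memo tracking might miss. Treat an allow-list as model-specific: a real sklearn pickle references a handful of sklearn and numpy internals and nothing else.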

Getting Started with MLflow

To get started with MLflow, follow the instructions at mlflow.org or check out the alpha release code on Github. We are excited to hear your feedback on the concepts and code!

Source: Introducing MLflow: an Open Source Machine Learning Platform – The Databricks Blog

Recent wave of hijacked WhatsApp accounts traced back to voicemail hacking

A wave of reports about hijacked WhatsApp accounts in Israel has forced the government’s cyber-security agency to send out a nation-wide security alert on Tuesday, ZDNet has learned.

The alert, authored by the Israel National Cyber Security Authority, warns about a relatively new method of hijacking WhatsApp accounts using mobile providers’ voicemail systems.

This new hacking method was first documented last year by Ran Bar-Zik, an Israeli web developer at Oath.

The general idea is that users who have voicemail accounts for their phone numbers are at risk if they don’t change that account’s default password, which in most cases tends to be either 0000 or 1234.

The possibility of an account takeover happens when an attacker tries to add a legitimate user’s phone number to a new WhatsApp app installation on his own phone.

Following normal security procedures, the WhatsApp service would then send a one-time code via SMS to that phone number. This would typically alert a user to an ongoing attack, but Bar-Zik argues that a hacker could easily avoid this by carrying out the attack during nighttime or when he is sure the user is away from his phone.

After several failed attempts to validate the one-time code sent via SMS, the WhatsApp service would then prompt the user to perform a “voice verification,” during which the WhatsApp service would call the user’s phone and speak the one-time verification code out loud.

If the attacker has timed his/her attack at the proper time and the user can’t or won’t answer his phone, that message would eventually land in the victim’s voicemail account. Two mitigations are in the user’s hands: set a voicemail PIN other than the carrier default (or disable voicemail altogether), and enable WhatsApp’s two-step verification, whose user-chosen six-digit PIN is required to register the number even when the attacker holds a valid one-time code.

Source: Recent wave of hijacked WhatsApp accounts traced back to voicemail hacking | ZDNet

Netherlands Defence Intelligence and Security Service disrupts Russian cyber operation targeting OPCW

On 13 April 2018, with support from the Netherlands General Intelligence and Security Service and UK counterparts, the Netherlands Defence Intelligence and Security Service (DISS) disrupted a cyber operation being carried out by a Russian military intelligence (GRU) team. The Russian operation had targeted the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague.

The 4 Russian intelligence officers at Schiphol Airport.

To conduct their operation, 4 Russian intelligence officers had set up specialised equipment in the vicinity of the OPCW offices and were preparing to hack into OPCW networks. As host country the Netherlands bears responsibility for ensuring the organisation’s security. In order to protect the security of the OPCW it therefore pre-empted the GRU operation and escorted the Russian intelligence officers out of the country. “The cyber operation targeting the OPCW is unacceptable. Our exposure of this Russian operation is intended as an unambiguous message that the Russian Federation must refrain from such actions,” said Defence Minister Ank Bijleveld in her response. “The OPCW is a respected international institution representing 193 nations around the globe and was established to rid the world of chemical weapons. The Netherlands is responsible for protecting international organisations within its borders, and that is what we have done.”

Equipment

The 4 Russian intelligence officers entered the Netherlands via Schiphol Airport, travelling on diplomatic passports. They subsequently hired a car which they positioned in the parking lot of the Marriott Hotel in The Hague, which is adjacent to the OPCW offices.

Equipment was set up in the boot of the car with which the officers intended to hack into wifi networks and which was installed for the purpose of infiltrating the OPCW’s network. The antenna for this equipment lay hidden under a jacket on the rear shelf and the equipment was operational when DISS interrupted the operation.

Source: Netherlands Defence Intelligence and Security Service disrupts Russian cyber operation targeting OPCW

Microsoft announces app mirroring to let you use any Android app on Windows 10

Microsoft announced a new feature for Windows 10 today that will let Android phone users view and use any app on their device from a Windows desktop. The feature, which Microsoft is referring to as app mirroring and which shows up in Windows as an app called Your Phone, seems to work best with Android for now, although Microsoft did announce the ability to transfer webpages from an iPhone to a Windows 10 desktop so you can pick up where you left off on mobile.

Regardless, the Your Phone app looks to be a significant step in helping bridge Windows 10 and the mobile ecosystem after the demise of Windows Phone. The news was announced at the company’s Surface hardware event in New York City this afternoon.

Source: Microsoft announces app mirroring to let you use any Android app on Windows 10 – The Verge

New Zealand border cops warn travelers that without handing over electronic passwords ‘You shall not pass!’

Customs laws in New Zealand now allow border agents to demand travellers unlock their phones or face an NZ$5,000 (around US$3,300) fine.

The law was passed during 2017 with its provisions coming into effect on October 1. The security-conscious among you will also be pleased to know Kiwi officials still need a “reasonable” suspicion that there’s something to find.

As the country’s minister of Justice Andrew Little explained to a parliamentary committee earlier this year:

“The bill provides for that power of search and examination, but in order to exercise that power, a customs officer, first of all, has to be satisfied, or at least to have a reasonable suspicion, that a person in possession of such a device—it would be a cellphone or a laptop or anything else that might be described as an ‘e-device’—has been involved in criminal offending.

That’s somewhat tighter than the rules that apply in America. Border Patrol agents can take a look at phones without giving any reason, but in January this year, a new directive stipulated that a “reasonable suspicion” test applies if the agent wants to copy anything from a phone.

Like the American regulation, New Zealand’s searchers are limited to files held on the phone. A Customs spokesperson told Radio New Zealand “We’re not going into ‘the cloud’. We’ll examine your phone while it’s on flight mode”.

According to Radio NZ, the Council of Civil Liberties criticised the “reasonable cause” protection as inadequate, because someone asked to unlock a device isn’t told what that cause might be, and therefore has no way to challenge the request.

Source: New Zealand border cops warn travelers that without handing over electronic passwords ‘You shall not pass!’ • The Register

UK ruling party’s conference app editable by world+dog, blabs members’ digits

Party chairman Brandon Lewis was planning to sell the “interactive” app – which will allow attendees to give feedback on speeches as they happen – as evidence that the ruling party was embracing tech in a bid to win over the youth vote (another idea was to have the culture secretary appear as a hologram).

But soon after its launch, users took to Twitter to point out that not only were contact details and personal information visible – they could also be edited.

Particular targets appeared to be Michael Gove, whose picture was changed to that of his former boss Rupert Murdoch, and Boris Johnson, whose name and profile picture were reportedly changed during the incident.

Crowd Comms, the company behind the app, said the error “meant that a third party in possession of a conference attendee’s email address was able, without further authentication, to potentially see data which the attendee had not wished to share – name, email address, phone number, job title and photo”.

Since email addresses are often pretty easy to guess, or – in the case of MPs or other professionals registered on the app – a case of public record, the cock-up had a wide potential impact.

Source: UK ruling party’s conference app editable by world+dog, blabs members’ digits • The Register

Tim Berners-Lee Announces Solid, an Open Source Project Which Would Aim To Decentralize the Web

Tim Berners-Lee, the founder of the World Wide Web, thinks it’s broken and he has a plan to fix it. The British computer scientist has announced a new project that he hopes will radically change his creation by giving people full control over their data. Tim Berners-Lee: This is why I have, over recent years, been working with a few people at MIT and elsewhere to develop Solid, an open-source project to restore the power and agency of individuals on the web. Solid changes the current model where users have to hand over personal data to digital giants in exchange for perceived value. As we’ve all discovered, this hasn’t been in our best interests. Solid is how we evolve the web in order to restore balance — by giving every one of us complete control over data, personal or not, in a revolutionary way. Solid is a platform, built using the existing web. It gives every user a choice about where data is stored, which specific people and groups can access select elements, and which apps you use. It allows you, your family and colleagues, to link and share data with anyone. It allows people to look at the same data with different apps at the same time. Solid unleashes incredible opportunities for creativity, problem-solving and commerce. It will empower individuals, developers and businesses with entirely new ways to conceive, build and find innovative, trusted and beneficial applications and services. I see multiple market possibilities, including Solid apps and Solid data storage.

Solid is guided by the principle of “personal empowerment through data” which we believe is fundamental to the success of the next era of the web. We believe data should empower each of us. Imagine if all your current apps talked to each other, collaborating and conceiving ways to enrich and streamline your personal life and business objectives? That’s the kind of innovation, intelligence and creativity Solid apps will generate. With Solid, you will have far more personal agency over data — you decide which apps can access it. In an interview with Fast Company, he shared more on Solid and its creation: “I have been imagining this for a very long time,” says Berners-Lee. He opens up his laptop and starts tapping at his keyboard. Watching the inventor of the web work at his computer feels like what it might have been like to watch Beethoven compose a symphony: It’s riveting but hard to fully grasp. “We are in the Solid world now,” he says, his eyes lit up with excitement. He pushes the laptop toward me so I too can see. On his screen, there is a simple-looking web page with tabs across the top: Tim’s to-do list, his calendar, chats, address book. He built this app — one of the first on Solid — for his personal use. It is simple, spare. In fact, it’s so plain that, at first glance, it’s hard to see its significance. But to Berners-Lee, this is where the revolution begins. The app, using Solid’s decentralized technology, allows Berners-Lee to access all of his data seamlessly — his calendar, his music library, videos, chat, research. It’s like a mashup of Google Drive, Microsoft Outlook, Slack, Spotify, and WhatsApp. The difference here is that, on Solid, all the information is under his control. Every bit of data he creates or adds on Solid exists within a Solid pod — which is an acronym for personal online data store. These pods are what give Solid users control over their applications and information on the web. Anyone using the platform will get a Solid identity and Solid pod. This is how people, Berners-Lee says, will take back the power of the web from corporations.

Starting this week, developers around the world will be able to start building their own decentralized apps with tools through the Inrupt site. Berners-Lee will spend this fall crisscrossing the globe, giving tutorials and presentations to developers about Solid and Inrupt. “What’s great about having a startup versus a research group is things get done,” he says. These days, instead of heading into his lab at MIT, Berners-Lee comes to the Inrupt offices, which are currently based out of Janeiro Digital, a company he has contracted to help work on Inrupt. For now, the company consists of Berners-Lee; his partner John Bruce, who built Resilient, a security platform bought by IBM; a handful of on-staff developers contracted to work on the project; and a community of volunteer coders. Later this fall, Berners-Lee plans to start looking for more venture funding and grow his team. The aim, for now, is not to make billions of dollars. The man who gave the web away for free has never been motivated by money. Still, his plans could impact billion-dollar business models that profit off of control over data. It’s not likely that the big powers of the web will give up control without a fight.

Source: Tim Berners-Lee Announces Solid, an Open Source Project Which Would Aim To Decentralize the Web – Slashdot

CBS Shuts Down Ambitious Fan Effort To Make A Virtual Starship Enterprise

Before there was Star Trek: Bridge Crew, Ubisoft’s game about piloting the original Enterprise, there was Star Trek Stage-9, a fan project recreating the Enterprise-D from The Next Generation in Unreal Engine. This week the project is no more, following a cease and desist demand by CBS.

One of the leads on the project, who goes by Scragnog, posted a video on YouTube explaining why it would no longer be getting future updates and development was coming to an end. “On Wednesday, September 12, 2018, we received a letter from the CBS legal department,” he said. “This letter was a cease and desist order. The uncertain future we always had at the back of our minds had caught up to us.”

The team immediately shut down the project’s website and began trying to reach out to the company to try and work on an alternative outcome. After nearly two weeks of not being able to get ahold of anybody, a representative from the legal department confirmed to the Stage 9 team that CBS wasn’t going to budge and the game needed to stay down. CBS did not respond to a request by Kotaku for comment.

Source: CBS Shuts Down Ambitious Fan Effort To Make A Virtual Starship Enterprise

Which goes to show why copyright for such extended periods is such a bad idea. The innovation is killed off and for what? Extended corporate profits, even when they are not making much use of the possibilities? This project was way better than anything CBS churned out.

NantEnergy Announces Largest Global Deployment of Novel Air Breathing Zinc Rechargeable Battery System and Breakthrough in Cost Barrier

New York – Sept. 26, 2018 – NantEnergy today announced a breakthrough in its six-year mission to develop the world’s first scalable air breathing, zinc rechargeable battery system at a manufacturing cost below $100/kWh and to operate this intelligent digitally controlled system on a global scale. This green rechargeable battery, an air-breathing cell, uses just zinc and air, integrated with digitally controlled intelligence. The energy system is monitored in real time in the cloud and has been successfully deployed in nine countries with more than 3,000 systems supporting 110 villages and 1,000 installations across cell tower sites. Over 100 patents cover this breakthrough technology.

[…]

During the One Planet Summit in New York, Soon-Shiong noted that these green, air-breathing batteries avoid lithium and cobalt, replace diesel and lead-acid batteries, and present no risk of fire or environmental contamination.

“We have made the safest, de-risked, globally-deployed system in the world with a six-year history of over 1,000,000 cycles to date,” said Chuck Ensign, Chief Executive Officer of NantEnergy. “It’s remarkable because this eliminates the need for lead, lithium and cobalt, which are scarce and dangerous materials.”

Source: NantEnergy Announces Largest Global Deployment of Novel Air Breathing Zinc Rechargeable Battery System and Breakthrough in Cost Barrier – NantEnergy

Elon Musk to Resign as Tesla Chairman, Pay 2x $20 Million Fine in SEC Settlement Over Catastrophic ‘420’ Tweet

In August, Tesla CEO Elon Musk set off an entirely preventable and catastrophic chain of events by tweeting that he was “considering taking Tesla private at $420. Funding secured.” Musk provided no financing details, and the Securities and Exchange Commission later determined that he never finalized any kind of deal with the Saudi sovereign wealth fund behind the ostensible buyout. Last week, it slapped him with fraud charges for making “false and misleading” statements and not complying with regulatory requirements.

Musk and the company’s board initially appeared to be digging in for a battle, but per the Washington Post, on Saturday he caved. Musk has agreed to a settlement in which both he and Tesla will pay out separate $20 million fines, and Musk will step down as Tesla’s chairman for at least three years. The only silver lining is that Musk will be allowed to remain the company’s CEO, the Post wrote:

Tesla chief executive Elon Musk agreed on Saturday to pay a $20 million fine and step down as board chairman as part of a settlement with the Securities and Exchange Commission.

Tesla will separately pay another $20 million and agreed to add two new independent directors to its board and monitor the billionaire’s public communications more closely… Under the settlement, Musk will resign as chairman of the automaker within 45 days and be barred from that position for three years. But he will remain Tesla’s CEO and does not have to admit wrongdoing as part of the deal.

Source: Elon Musk to Resign as Tesla Chairman, Pay $20 Million Fine in SEC Settlement Over Catastrophic ‘420’ Tweet

Facebook Could Face Up to $1.63 Billion Fine for 50m User Hack Under the GDPR

Facebook’s stunning disclosure of a massive hack on Friday in which attackers gained access tokens to at least 50 million accounts—bypassing security measures and potentially giving them full control of both profiles and linked apps—has already stirred the threat of a $1.63 billion dollar fine in the European Union, according to the Wall Street Journal.

The bug, which exploited flaws in the site’s “View As” and video uploader feature to gain access to the accounts, forced Facebook to reset access tokens for 50 million users and reset those for 40 million others as a precaution. (That means if you were logged out of your devices, you were affected.) Facebook has not said whether the attackers attempted to extract data from the affected profiles, but vice president of product management Guy Rosen told reporters they had attempted to harvest private information from Facebook’s systems, according to the New York Times. Rosen also said Facebook was unable to determine the extent to which third-party apps could have been compromised.

Source: Facebook Could Face Up to $1.63 Billion Fine for Latest Hack Under the GDPR

The site itself was compromised on Tuesday

Resident evil: Inside a UEFI rootkit used to spy on govts, made by you-know-who (hi, Russia)

A rootkit is a piece of software that hides itself on computer systems, and uses its root or administrator-level privileges to steal and alter documents, spy on users, and cause other mischief and headaches. A UEFI rootkit lurks in the motherboard firmware, meaning it starts up before the operating system and antivirus suites run, allowing it to bury itself deep in an infected machine, undetected and with high-level access privileges.

According to infosec biz ESET, a firmware rootkit dubbed LoJax targeted Windows PCs used by government organizations in the Balkans as well as in central and eastern Europe. The chief suspects behind the software nasty are the infamous Fancy Bear (aka Sednit aka Sofacy aka APT28) hacking crew, elsewhere identified as a unit of Russian military intelligence.

That’s the same Fancy Bear that’s said to have hacked the US Democratic Party’s servers, French telly network TV5, and others.

The malware is based on an old version of a legit application by Absolute Software called LoJack for Laptops, which is typically installed on notebooks by manufacturers so that stolen devices can be found.

[…]

Once up and alive, LoJax contacts command-and-control servers that are disguised as normal websites and are known to be operated by Russian intelligence. It then downloads its orders to carry out.

[…]

This persistence method is particularly invasive as it will not only survive an OS reinstall, but also a hard disk replacement. Moreover, cleaning a system’s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the typical user.

[…]

There are firmware settings that can thwart the flash installation simply by blocking write operations. If BIOS write-enable is off, BIOS lock-enable is on, and SMM BIOS write-protection is enabled, then the malware can’t write itself to the motherboard’s flash storage.

Alternatively, wiping the disk and firmware storage will get rid of this particular rootkit strain.

Modern systems should be able to resist malicious firmware overwrites, we’re told, although ESET said it found at least one case of LoJax in the PC’s SPI flash.
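The three firmware settings named above map to bits in the Intel PCH BIOS_CNTL register (bit 0 BIOSWE, bit 1 BLE, bit 5 SMM_BWP). The decoder below is an added example, not code from the article or from ESET; it works on constructed register values rather than reading real hardware, and reports which of the three protections a given value leaves open.

```python
"""Decode SPI-flash write-protection bits relevant to firmware implants.

Added example, not from the article or ESET. Assumes the Intel PCH BIOS_CNTL
layout (bit 0 BIOSWE, bit 1 BLE, bit 5 SMM_BWP). The sample register values
at the bottom are constructed, not captured from a real machine.
"""
from __future__ import annotations

from dataclasses import dataclass

BIOSWE = 1 << 0   # BIOS Write Enable: must be 0 so OS-level code cannot write flash
BLE = 1 << 1      # BIOS Lock Enable: must be 1 so BIOSWE cannot simply be flipped back on
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: must be 1 so only SMM may write the BIOS region


@dataclass(frozen=True)
class FlashProtection:
    write_enable: bool
    lock_enable: bool
    smm_write_protect: bool

    @property
    def blocks_flash_write(self) -> bool:
        """All three conditions from the article must hold at once."""
        return (not self.write_enable) and self.lock_enable and self.smm_write_protect

    def findings(self) -> list[str]:
        """Human-readable list of the protections that are missing."""
        out = []
        if self.write_enable:
            out.append("BIOS write-enable (BIOSWE) is on")
        if not self.lock_enable:
            out.append("BIOS lock-enable (BLE) is off")
        if not self.smm_write_protect:
            out.append("SMM BIOS write-protection (SMM_BWP) is off")
        return out


def decode_bios_cntl(value: int) -> FlashProtection:
    """Split an 8-bit BIOS_CNTL value into the three protection flags.

    Other bits (e.g. SPI read configuration) are ignored on purpose.
    """
    if not 0 <= value <= 0xFF:
        raise ValueError(f"BIOS_CNTL is an 8-bit register, got {value:#x}")
    return FlashProtection(
        write_enable=bool(value & BIOSWE),
        lock_enable=bool(value & BLE),
        smm_write_protect=bool(value & SMM_BWP),
    )


def assess(value: int) -> tuple[bool, list[str]]:
    """Return (protected, findings) for one register value."""
    prot = decode_bios_cntl(value)
    return prot.blocks_flash_write, prot.findings()


# Constructed sample values (not from real hardware).
SAMPLES = {
    "hardened": 0x2A,  # BLE=1, SMM_BWP=1, BIOSWE=0, plus an unrelated bit 3
    "ble_only": 0x02,  # lock bit set, but SMM write-protect missing
    "unlocked": 0x01,  # write-enable on, nothing locked
}

if __name__ == "__main__":
    for name, reg in SAMPLES.items():
        ok, problems = assess(reg)
        print(f"{name:9} BIOS_CNTL={reg:#04x} protected={ok} {problems}")
```

On a live Intel system the same register can be read with firmware-audit tooling and fed to `assess()`; any non-empty findings list means the flash is writable from the OS.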

“While it is hard to modify a system’s UEFI image, few solutions exist to scan a system’s UEFI modules and detect malicious ones,” wrote Team ESET. “Moreover, cleaning a system’s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the average user. These advantages explain why determined and resourceful attackers will continue to target systems’ UEFI.”

Source: Resident evil: Inside a UEFI rootkit used to spy on govts, made by you-know-who (hi, Russia) • The Register

DEFCON hackers’ dossier on US voting machine security is just as grim as feared

Hackers probing America’s electronic voting systems have painted an astonishing picture of the state of US election security, less than six weeks before the November midterms.

The full 50-page report [PDF], released Thursday during a presentation in Washington DC, was put together by the organizers of the DEF CON hacking conference’s Voting Village. It recaps the findings of that village, during which attendees uncovered ways resourceful miscreants could compromise electoral computer systems and change vote tallies.

In short, the dossier outlines shortcomings in the electronic voting systems many US districts will use later this year for the midterm elections. The report focuses on vulnerabilities exploitable by scumbags with physical access to the hardware.

“The problems outlined in this report are not simply election administration flaws that need to be fixed for efficiency’s sake, but rather serious risks to our critical infrastructure and thus national security,” the report stated. “As our nation’s security is the responsibility of the federal government, Congress needs to codify basic security standards like those developed by local election officials.”

Criminally easy to hack

Researchers found that many of the systems tested were riddled with basic security blunders committed by their manufacturers, such as using default passwords and neglecting to install locks or tamper-proof seals on casings. These could be exploited by miscreants to do anything from adding additional votes to creating entirely new candidates and stuffing the ballot for them. It would require the crooks to get their hands on the machines long enough to meddle with the hardware.

Some electronic ballot boxes use smart cards loaded with Java-written software, which executes once inserted into the computer. Each citizen is given a card, which they slide in the machine when they go to vote. Unfortunately, it is possible to reprogram your card yourself so that when inserted, you can vote multiple times. If the card reader has wireless NFC support, you can hold your NFC smartphone up to the voting machine, and potentially cast a ballot many times over.

“Due to a lack of security mechanisms in the smart card implementation, researchers in the Voting Village demonstrated that it is possible to create a voter activation card, which after activating the election machine to cast a ballot can automatically reset itself and allow a malicious voter to cast a second (or more) unauthorized ballots,” the report read.

“Alternatively, an attacker can use his or her mobile phone to reprogram the smart card wirelessly.”

Source: DEF CON hackers’ dossier on US voting machine security is just as grim as feared

Facebook Is Giving Advertisers Access to Your Shadow Contact Information – and you can’t find out what that is

Last week, I ran an ad on Facebook that was targeted at a computer science professor named Alan Mislove. Mislove studies how privacy works on social networks and had a theory that Facebook is letting advertisers reach users with contact information collected in surprising ways. I was helping him test the theory by targeting him in a way Facebook had previously told me wouldn’t work. I directed the ad to display to a Facebook account connected to the landline number for Alan Mislove’s office, a number Mislove has never provided to Facebook. He saw the ad within hours.

What Facebook told Alan Mislove about the ad I targeted at his office landline number
Screenshot: Facebook (Alan Mislove)

One of the many ways that ads get in front of your eyeballs on Facebook and Instagram is that the social networking giant lets an advertiser upload a list of phone numbers or email addresses it has on file; it will then put an ad in front of accounts associated with that contact information. A clothing retailer can put an ad for a dress in the Instagram feeds of women who have purchased from them before, a politician can place Facebook ads in front of anyone on his mailing list, or a casino can offer deals to the email addresses of people suspected of having a gambling addiction. Facebook calls this a “custom audience.”

You might assume that you could go to your Facebook profile and look at your “contact and basic info” page to see what email addresses and phone numbers are associated with your account, and thus what advertisers can use to target you. But as is so often the case with this highly efficient data-miner posing as a way to keep in contact with your friends, it’s going about it in a less transparent and more invasive way.

Facebook is not content to use the contact information you willingly put into your Facebook profile for advertising. It is also using contact information you handed over for security purposes and contact information you didn’t hand over at all, but that was collected from other people’s contact books, a hidden layer of details Facebook has about you that I’ve come to call “shadow contact information.”

[…]

Giridhari Venkatadri, Piotr Sapiezynski, and Alan Mislove of Northeastern University, along with Elena Lucherini of Princeton University, did a series of tests that involved handing contact information over to Facebook for a group of test accounts in different ways and then seeing whether that information could be used by an advertiser.

[…]

They found that when a user gives Facebook a phone number for two-factor authentication or in order to receive alerts about new log-ins to a user’s account, that phone number became targetable by an advertiser within a couple of weeks. So users who want their accounts to be more secure are forced to make a privacy trade-off and allow advertisers to more easily find them on the social network.

[…]

The researchers also found that if User A, whom we’ll call Anna, shares her contacts with Facebook, including a previously unknown phone number for User B, whom we’ll call Ben, advertisers will be able to target Ben with an ad using that phone number, which I call “shadow contact information,” about a month later.

[…]

“I think that many users don’t fully understand how ad targeting works today: that advertisers can literally specify exactly which users should see their ads by uploading the users’ email addresses, phone numbers, names+dates of birth, etc,” said Mislove. “In describing this work to colleagues, many computer scientists were surprised by this, and were even more surprised to learn that not only Facebook, but also Google, Pinterest, and Twitter all offer related services. Thus, we think there is a significant need to educate users about how exactly targeted advertising on such platforms works today.”

Source: Facebook Is Giving Advertisers Access to Your Shadow Contact Information