The Linkielist

Linking ideas with the world

Palantir has secretly been using New Orleans to test its predictive policing technology, was given huge access to lots of private data without oversight due to loophole

The program began in 2012 as a partnership between New Orleans Police and Palantir Technologies, a data-mining firm founded with seed money from the CIA’s venture capital firm. According to interviews and documents obtained by The Verge, the initiative was essentially a predictive policing program, similar to the “heat list” in Chicago that purports to predict which people are likely drivers or victims of violence.

The partnership has been extended three times, with the third extension scheduled to expire on February 21st, 2018. The city of New Orleans and Palantir have not responded to questions about the program’s current status.

Predictive policing technology has proven highly controversial wherever it is implemented, but in New Orleans, the program escaped public notice, partly because Palantir established it as a philanthropic relationship with the city through Mayor Mitch Landrieu’s signature NOLA For Life program. Thanks to its philanthropic status, as well as New Orleans’ “strong mayor” model of government, the agreement never passed through a public procurement process.

In fact, key city council members and attorneys contacted by The Verge had no idea that the city had any sort of relationship with Palantir, nor were they aware that Palantir used its program in New Orleans to market its services to another law enforcement agency for a multimillion-dollar contract.

Even within the law enforcement community, there are concerns about the potential civil liberties implications of the sort of individualized prediction Palantir developed in New Orleans, and whether it’s appropriate for the American criminal justice system.

“They’re creating a target list, but we’re not going after Al Qaeda in Syria,” said a former law enforcement official who has observed Palantir’s work first-hand as well as the company’s sales pitches for predictive policing. The former official spoke on condition of anonymity to freely discuss their concerns with data mining and predictive policing. “Palantir is a great example of an absolutely ridiculous amount of money spent on a tech tool that may have some application,” the former official said. “However, it’s not the right tool for local and state law enforcement.”

Six years ago, one of the world’s most secretive and powerful tech firms developed a contentious intelligence product in a city that has served as a neoliberal laboratory for everything from charter schools to radical housing reform since Hurricane Katrina. Because the program was never public, important questions about its basic functioning, risk for bias, and overall propriety were never answered.
[…]
Palantir’s prediction model in New Orleans used an intelligence technique called social network analysis (or SNA) to draw connections between people, places, cars, weapons, addresses, social media posts, and other indicia in previously siloed databases. Think of the analysis as a practical version of a Mark Lombardi painting that highlights connections between people, places, and events. After entering a query term — like a partial license plate, nickname, address, phone number, or social media handle or post — NOPD’s analyst would review the information scraped by Palantir’s software and determine which individuals are at the greatest risk of either committing violence or becoming a victim, based on their connection to known victims or assailants.

The data on individuals came from information scraped from social media as well as NOPD criminal databases for ballistics, gangs, probation and parole information, jailhouse phone calls, calls for service, the central case management system (i.e., every case NOPD had on record), and the department’s repository of field interview cards. The latter database represents every documented encounter NOPD has with citizens, even those that don’t result in arrests. In 2010, The Times-Picayune revealed that Chief Serpas had mandated that the collection of field interview cards be used as a measure of officer and district performance, resulting in over 70,000 field interview cards filled out in 2011 and 2012. The practice resembled NYPD’s “stop and frisk” program and was instituted with the express purpose of gathering as much intelligence on New Orleanians as possible, regardless of whether or not they committed a crime.
[…]
NOPD then used the list of potential victims and perpetrators of violence generated by Palantir to target individuals for the city’s CeaseFire program. CeaseFire is a form of the decades-old carrot-and-stick strategy developed by David Kennedy, a professor at John Jay College in New York. In the program, law enforcement informs potential offenders with criminal records that they know of their past actions and will prosecute them to the fullest extent if they re-offend. If the subjects choose to cooperate, they are “called in” to a required meeting as part of their conditions of probation and parole and are offered job training, education, potential job placement, and health services. In New Orleans, the CeaseFire program is run under the broader umbrella of NOLA For Life, which is Mayor Landrieu’s pet project that he has funded through millions of dollars from private donors.

According to Serpas, the person who initially ran New Orleans’ social network analysis from 2013 through 2015 was Jeff Asher, a former intelligence agent who joined NOPD from the CIA. If someone had been shot, Serpas explained, Asher would use Palantir’s software to find people associated with them through field interviews or social media data. “This data analysis brings up names and connections between people on FIs [field interview cards], on traffic stops, on victims of reports, reporting victims of crimes together, whatever the case may be. That kind of information is valuable for anybody who’s doing an investigation,” Serpas said.
[…]
Of the 308 people who participated in call-ins from October 2012 through March 2017, seven completed vocational training, nine completed “paid work experience,” none finished a high school diploma or GED course, and 32 were employed at one time or another through referrals. Fifty participants were detained following their call-in, and two have since died.

By contrast, law enforcement vigorously pursued its end of the program. From November 2012, when the new Multi-Agency Gang Unit was founded, through March 2014, racketeering indictments escalated: 83 alleged gang members in eight gangs were indicted in the 16-month period, according to an internal Palantir presentation.
[…]
Call-ins declined precipitously after the first few years. According to city records, eight group call-ins took place from 2012 to 2014, but only three took place in the following three years. Robert Goodman, a New Orleans native who became a community activist after completing a prison sentence for murder, worked as a “responder” for the city’s CeaseFire program until August 2016, discouraging people from engaging in retaliatory violence. Over time, Goodman noticed more of an emphasis on the “stick” component of the program and more control over the non-punitive aspects of the program by city hall that he believes undermined the intervention work. “It’s supposed to be ran by people like us instead of the city trying to dictate to us how this thing should look,” he said. “As long as they’re not putting resources into the hoods, nothing will change. You’re just putting on Band-Aids.”

After the first two years of Palantir’s involvement with NOPD, the city saw a marked drop in murders and gun violence, but it was short-lived. Even former NOPD Chief Serpas believes that the preventative effect of calling in dozens of at-risk individuals — and indicting dozens of them — began to diminish.

“When we ended up with nearly nine or 10 indictments with close to 100 defendants for federal or state RICO violations of killing people in the community, I think we got a lot of people’s attention in that criminal environment,” Serpas said, referring to the racketeering indictments. “But over time, it must’ve wore off because before I left in August of ‘14, we could see that things were starting to slide.”

Nick Corsaro, the University of Cincinnati professor who helped build NOPD’s gang database, also worked on an evaluation of New Orleans’ CeaseFire strategy. He found that New Orleans’ overall decline in homicides coincided with the city’s implementation of the CeaseFire program, but the Central City neighborhoods targeted by the program “did not have statistically significant declines that corresponded with November 2012 onset date.”
[…]
The secrecy surrounding the NOPD program also raises questions about whether defendants have been given evidence they have a right to view. Sarah St. Vincent, a researcher at Human Rights Watch, recently published an 18-month investigation into parallel construction, or the practice of law enforcement concealing evidence gathered from surveillance activity. In an interview, St. Vincent said that law enforcement withholding intelligence gathering or analysis like New Orleans’ predictive policing work effectively kneecaps the checks and balances of the criminal justice system. At the Cato Institute’s 2017 Surveillance Conference in December, St. Vincent raised concerns about why information garnered from predictive policing systems was not appearing in criminal indictments or complaints.

“It’s the role of the judge to evaluate whether what the government did in this case was legal,” St. Vincent said of the New Orleans program. “I do think defense attorneys would be right to be concerned about the use of programs that might be inaccurate, discriminatory, or drawing from unconstitutional data.”

If Palantir’s partnership with New Orleans had been public, the issues of legality, transparency, and propriety could have been hashed out in a public forum during an informed discussion with legislators, law enforcement, the company, and the public. For six years, that never happened.

Source: Palantir has secretly been using New Orleans to test its predictive policing technology – The Verge

One of the big problems here is that there is no knowledge of and hardly any oversight on the program. There is no knowledge of whether the system is being implemented fairly or cost effectively (costs are huge!) or even whether it works. It seemed to have worked for a while, but the effects also seemed to drop off after two years in operation, mainly because they used the “stick” method to counter crime and more and more got rid of the “carrot”. The amount of private data given to Palantir without any discussion or consent is worrying, to say the least.

The Lottery Hackers

That’s when it hit him. Right there, in the numbers on the page, he noticed a flaw—a strange and surprising pattern, like the cereal-box code, written into the fundamental machinery of the game. A loophole that would eventually make Jerry and Marge millionaires, spark an investigation by a Boston Globe Spotlight reporter, unleash a statewide political scandal and expose more than a few hypocrisies at the heart of America’s favorite form of legalized gambling.
[…]
This particular game was called Winfall. A ticket cost $1. You picked six numbers, 1 through 49, and the Michigan Lottery drew six numbers. Six correct guesses won you the jackpot, guaranteed to be at least $2 million and often higher. If you guessed five, four, three, or two of the six numbers, you won lesser amounts. What intrigued Jerry was the game’s unusual gimmick, known as a roll-down: If nobody won the jackpot for a while, and the jackpot climbed above $5 million, there was a roll-down, which meant that on the next drawing, as long as there was no six-number winner, the jackpot cash flowed to the lesser tiers of winners, like water spilling over from the highest basin in a fountain to lower basins. There were lottery games in other states that offered roll-downs, but none structured quite like Winfall’s. A roll-down happened every six weeks or so, and it was a big deal, announced by the Michigan Lottery ahead of time as a marketing hook, a way to bring bettors into the game, and sure enough, players increased their bets on roll-down weeks, hoping to snag a piece of the jackpot.

The brochure listed the odds of various correct guesses. Jerry saw that you had a 1-in-54 chance to pick three out of the six numbers in a drawing, winning $5, and a 1-in-1,500 chance to pick four numbers, winning $100. What he now realized, doing some mental arithmetic, was that a player who waited until the roll-down stood to win more than he lost, on average, as long as no player that week picked all six numbers. With the jackpot spilling over, each winning three-number combination would put $50 in the player’s pocket instead of $5, and the four-number winners would pay out $1,000 in prize money instead of $100, and all of a sudden, the odds were in your favor. If no one won the jackpot, Jerry realized, a $1 lottery ticket was worth more than $1 on a roll-down week—statistically speaking.

“I just multiplied it out,” Jerry recalled, “and then I said, ‘Hell, you got a positive return here.’”
[…]
This was an uncomfortable leap for a guy with no experience in gambling, but if he stopped now, he would never know if his theory was correct. During the next roll-down week, he returned to Mesick and made a larger bet, purchasing $3,400 in Winfall tickets. Sorting 3,400 tickets by hand took hours and strained his eyes, but Jerry counted them all right there at the convenience store so that Marge would not discover him. This time he won $6,300—an impressive 46 percent profit margin. Emboldened, he bet even more on the next roll-down, $8,000, and won $15,700, a 49 percent margin.
[…]
The lottery is like a bank vault with walls made of math instead of steel; cracking it is a heist for squares. And yet a surprising number of Americans have pulled it off. A 2017 investigation by the Columbia Journalism Review found widespread anomalies in lottery results, difficult to explain by luck alone. According to CJR’s analysis, nearly 1,700 Americans have claimed winning tickets of $600 or more at least 50 times in the last seven years, including the country’s most frequent winner, a 79-year-old man from Massachusetts named Clarance W. Jones, who has redeemed more than 10,000 tickets for prizes exceeding $18 million.
[…]
He and Marge were willing to do the grunt work, which, as it turned out, was no small challenge. Lottery terminals in convenience stores could print only 10 slips of paper at a time, with up to 10 lines of numbers on each slip (at $1 per line), which meant that if you wanted to bet $100,000 on Winfall, you had to stand at a machine for hours upon hours, waiting for the machine to print 10,000 tickets. Code in the purchase. Push the “Print” button. Wait at least a full minute for the 10 slips to emerge. Code in the next purchase. Hit “Print.” Wait again. Jerry and Marge knew all the convenience store owners in town, so no one gave them a hard time when they showed up in the morning to print tickets literally all day. If customers wondered why the unassuming couple had suddenly developed an obsession with gambling, they didn’t ask. Sometimes the tickets jammed, or the cartridges ran out of ink. “You just have to set there,” Jerry said.

The Selbees stacked their tickets in piles of $5,000, rubber-banded them into bundles and then, after a drawing, convened in their living room in front of the TV, sorting through tens or even hundreds of thousands of tickets, separating them into piles according to their value (zero correct numbers, two, three, four, five). Once they counted all the tickets, they counted them again, just to make sure they hadn’t missed anything. If Jerry had the remote, they’d watch golf or the History Channel, and if Marge had it, “House Hunters” on HGTV. “It looked extremely tedious and boring, but they didn’t view it that way,” recalled their daughter Dawn. “They trained their minds. Literally, they’d pick one up, look at it, put it down. Pick one up, put it down.” Dawn tried to help but couldn’t keep pace; for each ticket she completed, Jerry or Marge did 10.
[…]
That June, Jerry created a corporation to manage the group. He gave it an intentionally boring name, GS Investment Strategies LLC, and started selling shares, at $500 apiece, first to the kids and then to friends and colleagues in Evart. Jerry would eventually expand the roster to 25 members, including a state trooper, a parole officer, a bank vice president, three lawyers and even his personal accountant, a longtime local with a smoker’s scratchy voice named Steve Wood. Jerry would visit Wood’s storefront office downtown, twist the “Open” sign to “Closed,” and seek his advice on how to manage the group.
[…]
And business was good. By the spring of 2005, GS Investment Strategies LLC had played Winfall on 12 different roll-down weeks, the size of the bets increasing along with the winnings. First $40,000 in profits. Then $80,000. Then $160,000. Marge squirreled her share away in a savings account. Jerry bought a new truck, a Ford F350, and a camping trailer that hooked onto the back of it. He also started buying coins from the U.S. Mint as a hedge against inflation, hoping to protect his family from any future catastrophe. He eventually filled five safe deposit boxes with coins of silver and gold.
[…]
A mathematics major in his final semester, Harvey had been researching lottery games for an independent study project, comparing the popular multistate games Powerball and MegaMillions to see which offered players a better shot at winning. He’d also analyzed different state games, including Cash WinFall, and it hadn’t taken him long to spot its flaw: On a roll-down week, a $2 lottery ticket was worth more than $2, mathematically.

Within days, Harvey had recruited some 50 people to pony up $20 each, for a total of $1,000, enough to buy 500 Cash WinFall tickets for the February 7 roll-down drawing. The Patriots won the Super Bowl on February 6, and the following day, the MIT group took home $3,000, for a $2,000 profit.

Curiously enough, the MIT students weren’t the only ones playing Cash WinFall for high stakes that day. A biomedical researcher at Boston University, Ying Zhang, had also discovered the flaw, after an argument with friends about the nature of the lottery. Believing it to be exploitative, Zhang had researched the Massachusetts State Lottery to bolster his point. Then he found the glitch in Cash WinFall, and as happens so often in America, a skeptic of capitalism became a capitalist. Zhang encouraged friends to play and formed his own betting club, Doctor Zhang Lottery Club Limited Partnership. His group began wagering between $300,000 and $500,000 on individual roll-down weeks, and eventually Zhang quit his job as a biomedical researcher to focus on the lottery full time. He bought tickets in bulk at a convenience store near his home, in the Boston suburb of Quincy, and stored the losing tickets in boxes in his attic until the weight made his ceiling crack.

As energetically as Zhang played the game, however, he couldn’t match the budding lottery moguls at MIT. After the first roll-down, Harvey assembled 40 to 50 regular players—some of them professors with substantial resources—and recruited his classmate, Yuran Lu, to help manage the group. Lu was an electrical engineering, computer science and math major with a mischievous streak: one time, to make a point about security, he’d stolen 620 passwords from students and professors. Now he helped Harvey form a corporation, named Random Strategies LLC, after their dorm. Their standard wager on a roll-down week was $600,000—300,000 tickets. Unlike the Selbees, who allowed the computer to pick numbers for them (“Quic Pics”), the MIT students preferred to choose their own, which avoided duplicates but also meant that the students had to spend weeks filling in hundreds of thousands of tiny ovals on paper betting slips.

Source: The Lottery Hackers – The Huffington Post

A great article on how three groups of people were hacking this lottery and how it all ended.

MIT builds neural network chip with 95% reduction in power consumption, allowing it to be used in mobile devices

Most recent advances in artificial-intelligence systems such as speech- or face-recognition programs have come courtesy of neural networks, densely interconnected meshes of simple information processors that learn to perform tasks by analyzing huge sets of training data.

But neural nets are large, and their computations are energy intensive, so they’re not very practical for handheld devices. Most smartphone apps that rely on neural nets simply upload data to internet servers, which process it and send the results back to the phone.

Now, MIT researchers have developed a special-purpose chip that increases the speed of neural-network computations by three to seven times over its predecessors, while reducing power consumption 94 to 95 percent. That could make it practical to run neural networks locally on smartphones or even to embed them in household appliances.

“The general processor model is that there is a memory in some part of the chip, and there is a processor in another part of the chip, and you move the data back and forth between them when you do these computations,” says Avishek Biswas, an MIT graduate student in electrical engineering and computer science, who led the new chip’s development.

“Since these machine-learning algorithms need so many computations, this transferring back and forth of data is the dominant portion of the energy consumption. But the computation these algorithms do can be simplified to one specific operation, called the dot product. Our approach was, can we implement this dot-product functionality inside the memory so that you don’t need to transfer this data back and forth?”

Source: Neural networks everywhere | MIT News

Hey Microsoft, Stop Installing Apps On My PC Without Asking

I’m getting sick of Windows 10’s auto-installing apps. Apps like Facebook are now showing up out of nowhere, and even displaying notifications begging for me to use them. I didn’t install the Facebook app, I didn’t give it permission to show notifications, and I’ve never even used it. So why is it bugging me?

Windows 10 has always been a little annoying about these apps, but it wasn’t always this bad. Microsoft went from “we pinned a few tiles, but the apps aren’t installed until you click them” to “the apps are now automatically installed on your PC” to “the automatically installed apps are now sending you notifications”. It’s ridiculous.

The “Microsoft Consumer Experience” Is Consumer-Hostile…

This is all thanks to the “Microsoft Consumer Experience” program, which can’t be disabled on normal Windows 10 Home or Professional systems. That’s why every Windows 10 computer you start using has these bonus apps. The exact apps preinstalled can vary, but I’ve never seen a Windows 10 PC without Candy Crush.

The Microsoft Consumer Experience is actually a background task that runs whenever you sign into a Windows 10 PC with a new user account for the first time. It kicks into gear and automatically downloads apps like Candy Crush Soda Saga, FarmVille 2: Country Escape, Facebook, TripAdvisor, and whatever else Microsoft feels like promoting.

You can uninstall the apps from your Start menu, and they shouldn’t come back on your user account on the same hardware. However, the apps will also come back whenever you sign into a new PC with the same Microsoft account, forcing you to remove them on each device you use. And, if someone signs into your same PC with their own Microsoft account, Microsoft will “helpfully” download those apps for their account as well. There’s no way to tell Microsoft “stop downloading these apps on my PC” or “I never want these apps on this Microsoft account”.

…and Microsoft Won’t Let Us Disable It

There is, technically, a way to disable this and stop Windows from installing these apps…but it’s only for Windows 10 Enterprise and Education users. Even if you spent $200 for a Windows 10 Professional license because you want to use your PC for business, Microsoft won’t let you stop the “Consumer Experience” on a professional PC.

Source: Hey Microsoft, Stop Installing Apps On My PC Without Asking

Together with Windows 10 sending private data to Redmond without permission, this is another reason I have left the world of MS operating systems. I now use Linux Mint.

119,000 Passports and Photo IDs of FedEx Customers Found on Unsecured Amazon Server

Thousands of FedEx customers were exposed after the company left scanned passports, drivers licenses, and other documentation on a publicly accessible Amazon S3 server.

The scanned IDs originated from countries all over the world, including the United States, Mexico, Canada, Australia, Saudi Arabia, Japan, China, and several European countries. The IDs were attached to forms that included several pieces of personal information, including names, home addresses, phone numbers, and zip codes.

The server, discovered by researchers at the Kromtech Security Center, was secured as of Tuesday.

According to Kromtech, the server belonged to Bongo International LLC, a company that aided customers in performing shipping calculations and currency conversions, among other services. Bongo was purchased by FedEx in 2014 and renamed FedEx Cross-Border International a little over a year later. The service was discontinued in April 2017.

Source: 119,000 Passports and Photo IDs of FedEx Customers Found on Unsecured Amazon Server

Tesla’s Amazon Cloud Account Hacked to Mine Cryptocurrency

An unidentified hacker or hackers broke into a Tesla-owned Amazon cloud account and used it to “mine” cryptocurrency, security researchers said. The breach also exposed proprietary data for the electric carmaker.

The researchers, who worked for RedLock, a 3-year-old cybersecurity startup, said they discovered the intrusion last month while trying to determine which organization left credentials for an Amazon Web Services (AWS) account open to the public Internet. The owner of the account turned out to be Tesla, they said.

“We weren’t the first to get to it,” Varun Badhwar, CEO and cofounder of RedLock, told Fortune on a call. “Clearly, someone else had launched instances that were already mining cryptocurrency in this particular Tesla environment.”

The incident is the latest in a string of so-called cryptojacking attacks, which involve thieves hijacking unsuspecting victims’ computers to generate virtual currencies like Bitcoin. The schemes have seen a resurgence in popularity as cryptocurrency prices have soared over the past year.

Earlier this month, websites for the U.S. federal court system and the U.K.’s National Health Service roped their visitors into similar virtual money-minting operations.

Source: Tesla’s Amazon Cloud Account Hacked to Mine Cryptocurrency | Fortune

Uzi Nissan Spent 8 Years Fighting The Car Company With His Name. He Nearly Lost Everything To Win. The legal system doesn’t work very well if you have no money.

Nissan the car company never really cared who Uzi Nissan was. Then it decided he had something it wanted very much—the website www.nissan.com, which he created for his small retail computer business in 1994—and it sued him for $10 million. When the two Nissans went to war, Uzi Nissan prevailed in the end, but lost almost everything along the way.

If you visit nissan.com expecting a polished presentation of Nissan’s latest lineup, you’re in for quite a shock. What you land in is Uzi Nissan’s corner of the internet; a shrine to the years of his life spent fighting what is now the largest car company on the planet.

You’re greeted with a straight-out-of-the-’90s web design with 3D-effect link buttons, minimal advertising, crossed-out Nissan Motor badges and a Nissan Computer logo design that seems to resemble a stamped business card.
[…]
If you further postpone your quest to get a quote on an Altima or a Rogue Sport and spend time to explore the site, you find pages and pages of articles on the Nissan Motor vs. Nissan Computer lawsuit, taught in business schools and law schools as one of the most notable domain cases from the age of the dotcom bubble.

“The study there is that you should first have your domain before you decide your name of business, and in law school it’s just to show that sometimes even the little guy can win,” he said.
[…]
At the time, it didn’t seem like the start of an all-consuming legal battle, a David vs. Goliath fight that took nearly 10 years and cost the small business owner millions of dollars—to say nothing of the incalculable toll on his personal life.

Source: Uzi Nissan Spent 8 Years Fighting The Car Company With His Name. He Nearly Lost Everything To Win

The story is well told and shows you how ridiculous it is that this guy, who clearly had prior ownership of the Nissan name and domain name, had to pony up nearly $3m and 8 years of his life to keep what is rightfully his. There is no punishment for the big guy throwing resources at wasting another person’s time and money in the courts.

Cisco NFV elastic services controller accepts empty admin password

Cisco’s Elastic Services Controller’s release 3.0.0 software has a critical vulnerability: it accepts an empty admin password.

The Elastic Services Controller (ESC) is Cisco’s automation environment for network function virtualisation (NFV), providing VM and service monitors, automated recovery and dynamic scaling.

Cisco’s advisory about the flaw explains the bug is in ESC’s Web service portal: “An attacker could exploit this vulnerability by submitting an empty password value to an affected portal when prompted to enter an administrative password for the portal.”

Once past the (non)-authentication, the attacker has administrative rights to “execute arbitrary actions” on the target system.

Source: Cisco NFV controller is a bit too elastic: It has an empty password bug • The Register

Crooks opt for Monero, PayPal, eBay and games for laundering

“Platforms like Monero are designed to be truly anonymous, and tumbler services like CoinJoin can [further] obscure transaction origins,” said Dr Mike McGuire, senior lecturer in criminology at Surrey University and author of the study.

Many cybercriminals are using virtual currency to convert the illegal proceeds of crime into hard cash and assets. Digital payment systems are used to help hide the money trail.
[…]
Methods like “micro laundering”, where thousands of small electronic payments are made through platforms like PayPal, are increasingly common and more difficult to detect. Another common technique is to use online transactions – via sites like eBay – to facilitate laundering.

Crooks are circumventing PayPal and eBay’s anti-fraud controls, even though both are “getting better at picking up laundering techniques”, according to Dr McGuire.
[…]
“Keeping transactions low, say $10-12, makes laundering almost impossible to spot, as they look like ordinary transactions. It would be impossible to investigate every transaction of this size. By making repeated small payments, or limited transactions, your profile begins to gain the ‘trust’ of controls systems, which makes it even harder to detect laundering as payments are less likely to be flagged.”

Botnets can be used to make thousands of these transactions and increase your trust rating.

“I have also seen evidence of multi-stage laundering, where criminals will make payments through websites like Airbnb which look completely legitimate. Cybercriminals are also gaining access or control of legitimate PayPal accounts by phishing emails. I also saw it was easy to buy stolen credentials from online forums to gain access to hundreds of PayPal accounts which can then be used to launder payments.”

McGuire said cybercriminals are working with the fraud controls to then manipulate them by applying to go beyond current annual payment limits and then providing false or hacked documentation to support the checks which permit larger payments.
[…]
Cybercriminals elsewhere are active in converting stolen income into video game currency or in-game items like gold, which are then converted into Bitcoin or other electronic formats. Games such as Minecraft, FIFA, World of Warcraft, Final Fantasy and GTA 5 are among the most popular options because they allow covert interactions with other players to facilitate the trade of currency and goods.

“Gaming currencies and items that can be easily converted and moved across borders offer an attractive prospect to cybercriminals,” Dr McGuire told The Register. “This trend appears to be particularly prevalent in countries like South Korea and China – with South Korean police arresting a gang transferring $38m laundered in Korean games back to China.

“The advice on how to do this is readily available online and explains how cybercriminals can launder proceeds through both in-game currencies and goods.”

The findings come from a nine-month study into the macroeconomics of cybercrime, sponsored by infosec vendor Bromium.

Source: Crooks opt for Monero as crypto of choice to launder ill-gotten gains • The Register

2017: Dutch military intelligence (MIVD) placed 348 taps and internal intelligence (AIVD) 3,205. No idea how many the police did, but wow, that’s a lot!

The MIVD tapped a total of 348 times last year. The AIVD placed 3,205 taps that year. Today both services published their tap statistics for the period 2002 through 2017 on their websites.

Source: MIVD tapte vorig jaar 348 keer | Nieuwsbericht | Defensie.nl

And of course we have no idea how many of these taps led to arrests or action.

Microsoft updates its Quantum Development Kit and adds support for Linux and Mac

Today we’re announcing updates to our Quantum Development Kit, including support for macOS and Linux, additional open source libraries, and interoperability with Python. These updates will bring the power of quantum computing to even more developers on more platforms. At Microsoft, we believe quantum computing holds the promise of solving many of today’s unsolvable problems and we want to make it possible for the broadest set of developers to code new quantum applications. When we released the Quantum Development Kit last December, we were excited about the possibilities that might result from opening the world of quantum programming to more people. We delivered a new quantum programming language – Q#, rich integration with Visual Studio, and extensive libraries and samples. Since then, thousands of developers have explored the Quantum Development Kit and experienced the world of quantum computing, including students, professors, researchers, algorithm designers, and people new to quantum development who are using these tools to gain knowledge.

Source: Microsoft updates its Quantum Development Kit and adds support for Linux and Mac – Microsoft Quantum

A video game-playing AI beat Q*bert in a way no one’s ever seen before

paper published this week by a trio of machine learning researchers from the University of Freiburg in Germany. They were exploring a particular method of teaching AI agents to navigate video games (in this case, desktop ports of old Atari titles from the 1980s) when they discovered something odd. The software they were testing discovered a bug in the port of the retro video game Q*bert that allowed it to rack up near infinite points.

As the trio describe in the paper, published on pre-print server arXiv, the agent was learning how to play Q*bert when it discovered an “interesting solution.” Normally, in Q*bert, players jump from cube to cube, with this action changing the platforms’ colors. Change all the colors (and dispatch some enemies), and you’re rewarded with points and sent to the next level. The AI found a better way, though:

First, it completes the first level and then starts to jump from platform to platform in what seems to be a random manner. For a reason unknown to us, the game does not advance to the second round but the platforms start to blink and the agent quickly gains a huge amount of points (close to 1 million for our episode time limit).
[…]
It’s important to note, though, that the agent is not approaching this problem in the same way that a human would. It’s not actively looking for exploits in the game with some Matrix-like computer-vision. The paper is actually a test of a broad category of AI research known as “evolutionary algorithms.” This is pretty much what it sounds like, and involves pitting algorithms against one another to see which can complete a given task best, then adding small tweaks (or mutations) to the survivors to see if they then fare better. This way, the algorithms slowly get better and better.

Source: A video game-playing AI beat Q*bert in a way no one’s ever seen before – The Verge

How to Disable Facebook’s Facial Recognition Feature

To turn off facial recognition on your computer, click on the down arrow at the top of any Facebook page and then select Settings. From there, click “Face Recognition” from the left column, and then click “Do you want Facebook to be able to recognize you in photos and videos?” Select Yes or No based on your personal preferences.

On mobile, click on the three dots below your profile pic labeled “More” then select “View Privacy Shortcuts” then “More Settings,” followed by “Facial Recognition.” Click on the “Do you want Facebook to be able to recognize you in photos and videos?” button and select “No” to disable the feature.
[…]
The setting isn’t available in all countries, and will only appear as an option in your profile if you’re at least 18 years old and have the feature available to you.

Source: How to Disable Facebook’s Facial Recognition Feature

AI models leak secret data too easily

A paper released on arXiv last week by a team of researchers from the University of California, Berkeley, National University of Singapore, and Google Brain reveals just how vulnerable deep learning is to information leakage.

The researchers labelled the problem “unintended memorization” and explained it happens if miscreants can gain access to the model’s code and apply a variety of search algorithms. That’s not an unrealistic scenario considering the code for many models is available online. And it means that text messages, location histories, emails or medical data can be leaked.

Nicholas Carlini, first author of the paper and a PhD student at UC Berkeley, told The Register, that the team “don’t really know why neural networks memorize these secrets right now”.

“At least in part, it is a direct response to the fact that we train neural networks by repeatedly showing them the same training inputs over and over and asking them to remember these facts. At the end of training, a model might have seen any given input ten or twenty times, or even a hundred, for some models.

“This allows them to know how to perfectly label the training data – because they’ve seen it so much – but don’t know how to perfectly label other data. What we exploit to reveal these secrets is the fact that models are much more confident on data they’ve seen before,” he explained.

Secrets worth stealing are the easiest to nab

In the paper, the researchers showed how easy it is to steal secrets such as social security and credit card numbers, which can be easily identified from neural network’s training data.

They used the example of an email dataset comprising several hundred thousand emails from different senders containing sensitive information. This was split into different senders who have sent at least one secret piece of data and used to train a two-layer long short-term memory (LSTM) network to generate the next sequence of characters.
[…]
The chances of sensitive data becoming available are also raised when the miscreant knows the general format of the secret. Credit card numbers, phone numbers and social security numbers all follow the same template with a limited number of digits – a property the researchers call “low entropy”.
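To make the confidence gap and the “low entropy” point concrete, here is a toy added for this post; it is not the paper’s code, and a character-bigram model stands in for the two-layer LSTM. A constructed corpus of digit-free English plus one canary record holding a made-up 4-digit PIN trains two models, one with the canary and one without. Every 4-digit candidate is scored by its log-perplexity under each model, and the true PIN’s rank among all 10,000 same-format candidates is converted to the exposure metric the paper defines, log2|R| minus log2(rank). Corpus, prefix and PIN are all constructed.

```python
import math
from collections import defaultdict
from itertools import product

# Constructed training data (not from the paper): ordinary English with no
# digits, plus one "canary" record holding a constructed 4-digit secret.
CORPUS = [
    "please call me back when you get this",
    "the meeting moved to thursday afternoon",
    "thanks for sending the quarterly report",
    "can you review the draft before lunch",
    "let me know if the numbers look right",
]
SECRET_PREFIX = "my pin is "
SECRET = "4817"                     # constructed, not real data
CANARY = SECRET_PREFIX + SECRET

BOS, EOS = "\x02", "\x03"           # start/end-of-text markers


class CharBigramLM:
    """Character bigram model with add-alpha smoothing (stand-in for the LSTM)."""

    def __init__(self, alpha=0.01):
        self.alpha = alpha
        self.counts = defaultdict(lambda: defaultdict(int))
        self.totals = defaultdict(int)
        self.vocab = set()

    def train(self, texts, epochs=1):
        # Repeated epochs mimic showing the model the same inputs many times.
        for _ in range(epochs):
            for text in texts:
                seq = BOS + text + EOS
                for prev, cur in zip(seq, seq[1:]):
                    self.counts[prev][cur] += 1
                    self.totals[prev] += 1
                    self.vocab.update((prev, cur))

    def log_perplexity(self, text):
        """Bits needed to encode text under the model (lower = more confident).
        Characters never seen in training fall through to the smoothing term."""
        seq = BOS + text + EOS
        vocab_size = len(self.vocab)
        bits = 0.0
        for prev, cur in zip(seq, seq[1:]):
            row = self.counts.get(prev, {})
            count = row.get(cur, 0)
            p = (count + self.alpha) / (self.totals.get(prev, 0) + self.alpha * vocab_size)
            bits -= math.log2(p)
        return bits


def exposure(model, prefix, secret):
    """Rank the true secret among every same-format candidate (all 4-digit
    strings here) by model perplexity and convert the rank to the exposure
    metric log2|R| - log2(rank): 0 means 'no better than guessing',
    log2|R| means the secret sorts first."""
    digits = len(secret)
    space = 10 ** digits
    target = model.log_perplexity(prefix + secret)
    # Ties are counted against the attacker (rank = candidates at or below target).
    rank = sum(
        1 for cand in product("0123456789", repeat=digits)
        if model.log_perplexity(prefix + "".join(cand)) <= target
    )
    return rank, math.log2(space) - math.log2(rank)


def compare_models():
    """Return (rank, exposure) for a model trained with the canary and one without."""
    leaky = CharBigramLM()
    leaky.train(CORPUS + [CANARY], epochs=3)
    clean = CharBigramLM()
    clean.train(CORPUS, epochs=3)
    return exposure(leaky, SECRET_PREFIX, SECRET), exposure(clean, SECRET_PREFIX, SECRET)


if __name__ == "__main__":
    (leaky_rank, leaky_exp), (clean_rank, clean_exp) = compare_models()
    print(f"with canary:    rank {leaky_rank:5d}  exposure {leaky_exp:.2f} bits")
    print(f"without canary: rank {clean_rank:5d}  exposure {clean_exp:.2f} bits")
```

The model that saw the canary sorts the true PIN first (exposure of about 13.3 bits, the maximum for a 4-digit space); the one that never saw it treats every candidate as equally likely (exposure 0). A real LSTM separates candidates far less cleanly than this toy, which is why the paper ranks against a sample of the candidate space, but the format argument is the same: the attacker only has to enumerate 10^4, 10^9 or 10^16 fixed-format strings, never arbitrary text.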
[…]
Luckily, there are ways to get around the problem. The researchers recommend developers use “differential privacy algorithms” to train models. Companies like Apple and Google already employ these methods when dealing with customer data.

Private information is scrambled and randomised so that it is difficult to reproduce it. Dawn Song, co-author of the paper and a professor in the department of electrical engineering and computer sciences at UC Berkeley, told us the following:

Source: Boffins baffled as AI training leaks secrets to canny thieves • The Register

Larry Page’s Flying Taxis, Now Exiting Stealth Mode – The New York Times

Since October, a mysterious flying object has been seen moving through the skies over the South Island of New Zealand. It looks like a cross between a small plane and a drone, with a series of small rotor blades along each wing that allow it to take off like a helicopter and then fly like a plane. To those on the ground, it has always been unclear whether there was a pilot aboard.

Well, it turns out that the airborne vehicle has been part of a series of “stealth” test flights by a company personally financed by Larry Page, the co-founder of Google and now the chief executive of Google’s parent, Alphabet.

The company, known as Kitty Hawk and run by Sebastian Thrun, who helped start Google’s autonomous car unit as the director of Google X, has been testing a new kind of fully electric, self-piloting flying taxi. This is an altogether different project from the one you might have seen last year in a viral video of a single-pilot recreational aircraft that was being tested over water, and it’s much more ambitious.
[…]
Now that project is about to go public: On Tuesday, Mr. Page’s company and the prime minister of New Zealand, Jacinda Ardern, will announce they have reached an agreement to test Kitty Hawk’s autonomous planes as part of an official certification process. The hope is that it will lead to a commercial network of flying taxis in New Zealand in as soon as three years.
[…]
Mr. Page’s ambitions to create taxis in the sky has a sense of gravity, excuse the pun, not just because of his deep pockets and the technological prowess of his team but also because of Mr. Reid, who is a former chief executive of Virgin America. Before that he was president of Delta Air Lines and president of Lufthansa Airlines, where he was co-architect of the Star Alliance.

In an interview, Mr. Reid said the opportunity to use New Zealand as the first place to commercialize the autonomous taxi service was a step-change in the advancement of the sector. Kitty Hawk is already working on an app that would allow customers to hail one of its air taxis.

The aircraft, known as Cora, has a wingspan of 36 feet with a dozen rotors all powered by batteries. It can fly about 62 miles and carry two passengers. (Its code name had been Zee.Aero — hence all the speculation and confusion.) The plan, at least for now, isn’t for Kitty Hawk to sell the vehicles; it wants to own and operate a network of them itself.

Source: Larry Page’s Flying Taxis, Now Exiting Stealth Mode – The New York Times

Artists Protest Elite Art World With Unauthorized AR Gallery at the MoMA

On Friday, eight artists launched an augmented reality gallery at the Museum of Modern Art in New York, digitally overlaying their artwork over the museum’s. Motherboard reports the guerrilla installation was created and deployed without the museum’s permission. “Hello, we’re from the internet” is an “unauthorized gallery concept aimed at democratizing physical exhibition spaces, museums, and the curation of art within them,” according to MoMAR, which developed the exhibit. “MoMAR is non-profit, non-owned, and exists in the absence of any privatized structures,” the group’s website states.

Source: Artists Protest Elite Art World With Unauthorized AR Gallery at the MoMA

MoMAR inaugural show 'Hello, we're from the internet' from Damjanski on Vimeo.


World’s biggest DDoS attack record broken after just five days using poorly configured memcache servers

Last week, the code repository GitHub was taken off air in a 1.3Tbps denial of service attack. We predicted then that there would be more such attacks and it seems we were right.

Arbor Networks is now reporting that a US service provider suffered a 1.7Tbps attack earlier this month. In this case, there were no outages as the provider had taken adequate safeguards, but it’s clear that the memcached attack is going to be a feature network managers are going to have to take seriously in the future.

The attacks use shoddily secured memcached database servers to amplify attacks against a target. The assailant spoofs the UDP address of its victim and pings a small data packet at a memcached server that doesn’t have an authenticated traffic requirement in place. The server responds by firing back as much as 50,000 times the data it received.

With multiple data packets sent out a second, the memcached server unwittingly amplifies the deluge of data that can be sent against the target. Without proper filtering and network management, the tsunami of data can be enough to knock some providers offline.

There are some simple mitigation techniques, notably blocking off UDP traffic from Port 11211, which is the default avenue for traffic from memcached servers. In addition, the operators of memcached servers need to lock down their systems to avoid taking part in such denial of service attacks.
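Two checks an operator would want after reading the above, written for this post (not code from Arbor, The Register or the memcached project): the 15-byte UDP “stats” probe a reflector is sent, so you can test from outside whether your own memcached answers it, and a flow-record pass that pairs inbound UDP to port 11211 with the outbound replies to the same peer and flags the amplification ratio. The flow records are constructed; the frame layout (8-byte header of request id, sequence number, datagram count and a reserved field, then the text command) is memcached’s UDP protocol. Note that what the article calls spoofing the victim’s address is the source IP on the request: the reflector’s reply goes to whoever the request claimed to be from.

```python
import socket
import struct
from collections import defaultdict

MEMCACHED_PORT = 11211


def build_stats_probe(request_id=0x1234):
    """The datagram a reflector is sent: memcached's 8-byte UDP frame header
    (request id, sequence number, number of datagrams, reserved) followed by
    the text-protocol 'stats' command. 15 bytes on the wire."""
    return struct.pack("!HHHH", request_id, 0, 1, 0) + b"stats\r\n"


def amplification_factor(request_bytes, response_bytes):
    """Bytes returned per byte sent; the article's headline figure is 'up to 50,000'."""
    return response_bytes / request_bytes


def udp_stats_exposed(host, port=MEMCACHED_PORT, timeout=2.0):
    """Live check (not exercised by the offline demo): does this memcached
    answer 'stats' over UDP to anyone? Any reply means it can be used as an
    amplifier. Returns the size of the first reply datagram, 0 if none."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_stats_probe(), (host, port))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return 0
    return len(data)


# Constructed flow records (not from the article): src, sport, dst, dport, proto, bytes.
SAMPLE_FLOWS = [
    ("203.0.113.7", 40000, "198.51.100.10", 11211, "udp", 15),       # request with spoofed source
    ("198.51.100.10", 11211, "203.0.113.7", 40000, "udp", 750000),   # our reply: 50,000x
    ("10.0.0.5", 52000, "198.51.100.10", 11211, "tcp", 60),          # legitimate app client
    ("198.51.100.10", 11211, "10.0.0.5", 52000, "tcp", 120),
    ("10.0.0.9", 53000, "198.51.100.10", 11211, "udp", 15),          # small internal UDP call
    ("198.51.100.10", 11211, "10.0.0.9", 53000, "udp", 120),
]


def amplification_alerts(flows, min_factor=10.0, port=MEMCACHED_PORT):
    """Pair inbound UDP requests to the memcached port with the outbound
    replies to the same peer and flag any conversation whose reply volume is
    at least min_factor times the request volume. TCP is ignored because a
    TCP reply only reaches a peer that completed the handshake, so it cannot
    be reflected to a spoofed address. Returns (peer_ip, bytes_in, bytes_out, factor)."""
    inbound = defaultdict(int)
    outbound = defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == port:
            inbound[(src, sport, dst)] += nbytes
        elif sport == port:
            outbound[(dst, dport, src)] += nbytes
    alerts = []
    for key, sent in outbound.items():
        received = inbound.get(key, 0)
        factor = sent / received if received else float("inf")
        if factor >= min_factor:
            alerts.append((key[0], received, sent, factor))
    return alerts


if __name__ == "__main__":
    for peer, bytes_in, bytes_out, factor in amplification_alerts(SAMPLE_FLOWS):
        print(f"reflection to {peer}: {bytes_in} B in, {bytes_out} B out, x{factor:.0f}")
```

Run udp_stats_exposed against your own cache host from outside the network; a reply means the UDP listener is still on. Assuming the memcached command line the author is familiar with, that is the -U option (set it to 0 to disable UDP, or bind the daemon to an internal interface only), in addition to the port-11211 UDP filtering at the edge the article recommends.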

Source: World’s biggest DDoS attack record broken after just five days • The Register

Air gapping PCs won’t stop data sharing thanks to sneaky speakers

Computer speakers and headphones make passable microphones and can be used to receive data via ultrasound and send signals back, making the practice of air gapping sensitive computer systems less secure.

In an academic paper published on Friday through preprint service ArXiv, researchers from Israel’s Ben-Gurion University of the Negev describe a novel data exfiltration technique that allows the transmission and reception of data – in the form of inaudible ultrasonic sound waves – between two computers in the same room without microphones.

The paper, titled, “MOSQUITO: Covert Ultrasonic Transmissions between Two Air-Gapped Computers using Speaker-to-Speaker Communication,” was written by Mordechai Guri, Yosef Solwicz, Andrey Daidakulov and Yuval Elovici, who have developed a number of other notable side-channel attack techniques.

These include: ODINI, a way to pass data between Faraday-caged computers using electrical fields; MAGNETO, a technique for passing data between air-gapped computers and smartphones via electrical fields; and FANSMITTER, a way to send acoustic data between air-gapped computers using fans.

Source: Air gapping PCs won’t stop data sharing thanks to sneaky speakers • The Register

Amadeus invests in CrowdVision to help airports manage growing passenger volumes using AI camera tech

CrowdVision is an early stage company that uses computer vision software and artificial intelligence to help airports monitor the flow of passengers in real time to minimise queues and more efficiently manage resources. The software is designed to comply fully with data privacy and security legislation.

CrowdVision data improves plans and can help airports react decisively to keep travellers moving and make their experience more enjoyable. CrowdVision’s existing airport customers are benefiting from reduced queues and waiting times, leaving passengers to spend more time and more money in retail areas. Others have optimised allocation of staff, desks, e-gates and security lanes to make the most of their existing infrastructure and postpone major capital expenditure on expansions.

Source: Amadeus invests in CrowdVision to help airports manage growing passenger volumes

It Took Almost 10 Days to 3D-Print This Giant Millennium Falcon Model

Typically, when we see 3D-printed replicas as large as this 2.3-foot long Millennium Falcon, they’re assembled from hundreds of smaller 3D-printed parts. But YouTube’s stonefx83 didn’t want to go to all that trouble, so he simply scaled up Andrew Askedall’s 3D model of the Falcon, and then let his printer run for over nine days and 21 hours straight.

The machine consumed over six-and-a-half pounds of plastic filament in the process, and thankfully didn’t screw up once, which would have required the entire print to be restarted from scratch. Oh, that’s why no one 3D-prints giant models like this in one pass.

Source: It Took Almost 10 Days to 3D-Print This Giant Millennium Falcon Model

Stanford brainiacs say they can predict Reddit raids

A study [PDF] based on observations from 36,000 subreddit communities has found that online dust-ups can be predicted, and the people most likely to cause them can be identified.

“Our analysis revealed a number of important trends related to conflict on Reddit, with general implications for intercommunity conflict on the web.”

Among the takeaways were that a small group of bad actors are indeed stirring up most of the conflict; around 75 per cent of the raids were triggered by 1 per cent of users.

The study also noted that ignoring the trolls doesn’t always work – conflicts grow worse when users stay within ‘echo chambers’ on their own threads, and long-term traffic losses were lessened when the ‘defending’ users directly confronted the forum intruders rather than keep to themselves.

Perhaps the most important takeaway, however, was that forum conflicts could actually be predicted. The Stanford group say they developed a long short-term memory (LSTM) deep-learning formula that, when trained on the set of Reddit posts and user information gathered over the 40 month period, was able to reliably flag when a conflict or raid was likely to flare up on a subreddit.

Now, the Stanford group says it would like to extend the research to other platforms (such as Facebook and Twitter) and look at areas not addressed in the first report, including forums that restrict negative content.

Source: Stanford brainiacs say they can predict Reddit raids • The Register

Google opens Maps to bring the real world into games

Pokémon Go and other games that use real-world maps are all the rage, but there’s a catch: they typically depend on semi-closed map frameworks that weren’t intended for gaming, forcing developers to jump through hoops to use that mapping info. Google doesn’t want that to be an issue going forward. The search firm is both opening its Maps platform’s real-time data and offering new software toolkits that will help developers build games based on that data.

The software includes both a kit to translate map info to the Unity game engine as well as another to help make games using that location data. The combination turns buildings and other landmarks into customizable 3D objects, and lets you manipulate those objects to fit your game world. It can turn every real hotel into an adventurer’s inn, for instance, or add arbitrary points of interest for the sake of checkpoints.

Source: Google opens Maps to bring the real world into games

Jewelry site accidentally leaks personal details (and plaintext passwords!) of 1.3M users

Researchers from German security firm Kromtech Security allege that until recently, MBM Company was improperly handling customer details. On February 6, they identified an unsecured Amazon S3 storage bucket, containing a MSSQL database backup file.

According to Kromtech Security’s head of communications, Bob Diachenko, further analysis of the file revealed it held the personal information for over 1.3 million people. This includes addresses, zip-codes, e-mail addresses, and IP addresses. He also claims the database contained plaintext passwords — which is a big security ‘no-no.’

In a press release, Diachenko said: “Passwords were stored in the plain text, which is great negligence [sic], taking into account the problem with many users re-using passwords for multiple accounts, including email accounts.”

The backup file was named ‘MBMWEB_backup_2018_01_13_003008_2864410.bak,’ which suggests the file was created on January 13, 2018. It’s believed to contain current information about the company’s customers. Records held in the database have dates reaching as far back as 2000. The latest records are from the start of this year.

Other records held in the database include internal mailing lists, promo-codes, and item orders, which leads Kromtech to believe that this could be the primary customer database for the company.

Source: Jewelry site accidentally leaks personal details (and plaintext passwords!) of 1.3M users

Who still stores user credentials in plain text?!
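As an added example of what the alternative looks like (written for this post; nothing is known about MBM’s actual stack): the plaintext “store and compare” the dump implies, beside a salted PBKDF2-HMAC-SHA256 hash from the standard library that embeds its own parameters, verifies in constant time, and can be upgraded when the work factor is raised. The iteration count and salt length are illustrative choices, not values taken from any standard.

```python
import hashlib
import hmac
import os

# Illustrative tunables. The iteration count is the cost knob: raise it as
# hardware gets faster, and keep it inside each record so old hashes can be
# upgraded on the user's next login.
PBKDF2_ITERATIONS = 210_000
SALT_BYTES = 16


def insecure_store(password):
    """What the leaked backup implies the site did: keep the password as-is."""
    return password


def insecure_verify(stored, candidate):
    # A dump of this column is a dump of every password, and, given how many
    # people reuse passwords, of their email accounts too.
    return stored == candidate


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256, self-describing so a later iteration bump
    does not orphan existing records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute with the record's own salt and cost, compare in constant time.
    Malformed records (including a bare plaintext password) never verify."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.pbkdf2_hmac(
            "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        return False
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored, iterations=PBKDF2_ITERATIONS):
    """True when the record was hashed below the current cost, or is not a
    hash at all, so it should be re-hashed right after a successful login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password(record, "correct horse battery staple"))
    print("wrong pw:", verify_password(record, "Correct horse battery staple"))
    print("legacy plaintext needs rehash:", needs_rehash("hunter2"))
```

A stolen table of these records still lets the attacker guess offline, but every guess costs a full PBKDF2 run per user, and the per-record random salt means one guess cannot be checked against every user at once. Plaintext gives away all of that for free.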