Epic judge orders Google to let rivals set up app stores

Posted on by

A US court has ordered Google to refrain from a wide variety of business practices the web giant uses to bolster its Play Store, as a consequence of its December 2023 antitrust defeat against Epic Games.

In that case, Epic argued that Google’s Play Store rules and contractual agreements with developers and partners violated the federal Sherman Act and California’s Unfair Competition Law (UCL). And the jury agreed.

On Monday, US District Court judge James Donato issued a permanent injunction [PDF] that forbids Google from eight behaviors deemed unlawful as a result of the case.

“The jury found that Google’s conduct violated the antitrust laws and substantially harmed competition in the relevant markets, and directly injured Epic,” judge Donato wrote, explaining the injunction. “The jury rejected Google’s proffered procompetitive justifications for its conduct. Consequently, the Court concludes that Epic has prevailed on the UCL claim against Google under the unlawful and unfair prongs.”

Noting that Google had “fired a blunderbuss of comments and complaints that are underdeveloped and consequently unhelpful in deciding the issues,” judge Donato put an end to the extensive input afforded to both sides about the specifics of the injunction that follows from the verdict.

Google, in a blog post, unsurprisingly disagreed – it is appealing the verdict and will ask the courts to pause the injunction until its appeal is heard.

“These Epic-requested changes stem from a decision that is completely contrary to another court’s rejection of similar claims Epic made against Apple – even though, unlike iOS, Android is an open platform that has always allowed for choice and flexibility like multiple app stores and sideloading,” wrote Lee-Anne Mulholland, VP of regulatory affairs at Google.

Mulholland argues that the court-ordered changes would hinder Google’s – and the wider Android ecosystem’s – ability to compete with Apple’s ecosystem.

The injunction is set to take effect starting November 1, 2024, only in the US, for a period of three years. During this time:

  • Google may not share revenue generated by the Google Play Store with any person or entity that distributes Android apps, or has stated that it will launch or is considering launching an Android app distribution platform or store.
  • Google may not condition a payment, revenue share, or access to any Google product or service …
    • on an agreement by an app developer to launch an app first or exclusively in the Google Play Store;
    • on an agreement by an app developer not to launch on a third-party Android app distribution platform or store a version of an app that includes features not available in, or is otherwise different from, the version of the app offered on the Google Play Store;
    • on an agreement with an original equipment manufacturer (OEM) or carrier …
      • to preinstall the Google Play Store on any specific location on an Android device;
      • not to preinstall an Android app distribution platform or store other than the Google Play Store.
  • Google may not …
    • require the use of Google Play Billing in apps distributed on the Google Play Store, or prohibit the use of in-app payment methods other than Google Play Billing;
    • prohibit a developer from communicating with users about the availability of a payment method other than Google Play Billing;
    • require a developer to set a price based on whether Google Play Billing is used;
    • prohibit a developer from …
      • communicating with users about the availability or pricing of an app outside the Google Play Store;
      • providing a link to download the app outside the Google Play Store.
  • Google will permit third-party Android app stores to access the Google Play Store’s catalog of apps so that they may offer the Play Store apps to users. [Along with other distribution fairness requirements, Google has eight-months to implement this, at which point the three-year clock will begin for this provision.]
  • Google may not prohibit the distribution of third-party Android app distribution platforms or stores through the Google Play Store.

The injunction also gives Epic and Google a 30-day deadline to form a three-person Technical Committee, comprising one representative from each party and a mutually agreed upon third member, to resolve disputes over the implementation of the injunction’s provisions.

Epic Games did not immediately respond to a request for comment. ®

Source: Epic judge orders Google to let rivals set up app stores • The Register

23andMe is on the brink. What happens to all that genetic DNA data?

Posted on by

[…] The one-and-done nature of Wiles’ experience is indicative of a core business problem with the once high-flying biotech company that is now teetering on the brink of collapse. Wiles and many of 23andMe’s 15 million other customers never returned. They paid once for a saliva kit, then moved on.

Shares of 23andMe are now worth pennies. The company’s valuation has plummeted 99% from its $6 billion peak shortly after the company went public in 2021.

As 23andMe struggles for survival, customers like Wiles have one pressing question: What is the company’s plan for all the data it has collected since it was founded in 2006?

[…]

Andy Kill, a spokesperson for 23andMe, would not comment on what the company might do with its trove of genetic data beyond general pronouncements about its commitment to privacy.

[…]

When signing up for the service, about 80% of 23andMe’s customers have opted in to having their genetic data analyzed for medical research.

[…]

The company has an agreement with pharmaceutical giant GlaxoSmithKline, or GSK, that allows the drugmaker to tap the tech company’s customer data to develop new treatments for disease.

Anya Prince, a law professor at the University of Iowa’s College of Law who focuses on genetic privacy, said those worried about their sensitive DNA information may not realize just how few federal protections exist.

For instance, the Health Insurance Portability and Accountability Act, also known as HIPAA, does not apply to 23andMe since it is a company outside of the health care realm.

[…]

According to the company, all of its genetic data is anonymized, meaning there is no way for GSK, or any other third party, to connect the sample to a real person. That, however, could make it nearly impossible for a customer to renege on their decision to allow researchers to access their DNA data.

“I couldn’t go to GSK and say, ‘Hey, my sample was given to you — I want that taken out — if it was anonymized, right? Because they’re not going to re-identify it just to pull it out of the database,” Prince said.

[…]

the patchwork of state laws governing DNA data makes the generic data of millions potentially vulnerable to being sold off, or even mined by law enforcement.

“Having to rely on a private company’s terms of service or bottom line to protect that kind of information is troubling — particularly given the level of interest we’ve seen from government actors in accessing such information during criminal investigations,” Eidelman said.

She points to how investigators used a genealogy website to identify the man known as the Golden State Killer, and how police homed in on an Idaho murder suspect by turning to similar databases of genetic profiles.

“This has happened without people’s knowledge, much less their express consent,” Eidelman said.

[…]

Last year, the company was hit with a major data breach that it said affected 6.9 million customer accounts, including about 14,000 who had their passwords stolen.

[…]

Some analysts predict that 23andMe could go out of business by next year, barring a bankruptcy proceeding that could potentially restructure the company.

[…]

Source: What happens to all of 23andMe’s genetic DNA data? : NPR

For more fun reading about about this clusterfuck of a company and why giving away DNA data is a spectacularly bad idea:

23andMe Thinks ‘Mining’ Your DNA Data Is Its Last Hope

23andMe tells victims it’s their fault that their data was breached. DNA data, it turns out, is extremely sensitive!

Bad genes: 23andMe leak highlights a possible future of genetic discrimination

23andMe frantically changed its terms of service to prevent 6.9m hacked customers from suing about losing their (and their entire family’s) DNA

23andMe hackers accessed DNA information on millions of customers using a feature that matches relatives

Drugmakers Are Set To Pay 23andMe Millions To Access Your DNA – which is also your families DNA

23andMe DNA site scraping incident leaked data on 1.3 million users

Cops are asking Ancestry.com and 23andMe for their customers’ DNA

Don’t use online DNA tests! If You Ever Used Promethease, Your DNA Data Might Be on MyHeritage – and so will your family’s

Twins get some ‘mystifying’ results when they put 5 DNA ancestry kits to the test

The Golden State Killer Suspect’s DNA Was in a Publicly Available Database, and Yours Might Be Too

What DNA Testing Companies’ Terrifying Privacy Policies Actually Mean

The Retail DNA Test

Dog DNA testing company identifies human as dog

Private equity wants to own your DNA – Blackstone buys Ancestry at $250,- per person

DHS Plan to Collect DNA From Migrant Detainees Will Begin Soon – because centralised databases with personally sensitive data in them are a great idea. Just ask the Jews how useful they were during WWII

Google’s AI enshittifies search summaries with ads

Posted on by

Google is rolling out ads in AI Overviews, which means you’ll now start seeing products in some of the search engine’s AI-generated summaries.

Let’s say you’re searching for ways to get a grass stain out of your pants. If you ask Google, its AI-generated response will offer some tips, along with suggestions for products to purchase that could help you remove the stain. […]

Google’s AI Overviews could contain relevant products.

 

Source: Google’s AI search summaries officially have ads – The Verge

License Plate Readers Are Creating a US-Wide Database of Cars – and political affiliation, planned parenthood and more

Posted on by

At 8:22 am on December 4 last year, a car traveling down a small residential road in Alabama used its license-plate-reading cameras to take photos of vehicles it passed. One image, which does not contain a vehicle or a license plate, shows a bright red “Trump” campaign sign placed in front of someone’s garage. In the background is a banner referencing Israel, a holly wreath, and a festive inflatable snowman.

Another image taken on a different day by a different vehicle shows a “Steelworkers for Harris-Walz” sign stuck in the lawn in front of someone’s home. A construction worker, with his face unblurred, is pictured near another Harris sign. Other photos show Trump and Biden (including “Fuck Biden”) bumper stickers on the back of trucks and cars across America.

[…]

These images were generated by AI-powered cameras mounted on cars and trucks, initially designed to capture license plates, but which are now photographing political lawn signs outside private homes, individuals wearing T-shirts with text, and vehicles displaying pro-abortion bumper stickers—all while recording the precise locations of these observations.

[…]

The detailed photographs all surfaced in search results produced by the systems of DRN Data, a license-plate-recognition (LPR) company owned by Motorola Solutions. The LPR system can be used by private investigators, repossession agents, and insurance companies; a related Motorola business, called Vigilant, gives cops access to the same LPR data.

[…]

those with access to the LPR system can search for common phrases or names, such as those of politicians, and be served with photographs where the search term is present, even if it is not displayed on license plates.

[…]

“I searched for the word ‘believe,’ and that is all lawn signs. There’s things just painted on planters on the side of the road, and then someone wearing a sweatshirt that says ‘Believe.’” Weist says. “I did a search for the word ‘lost,’ and it found the flyers that people put up for lost dogs and cats.”

Beyond highlighting the far-reaching nature of LPR technology, which has collected billions of images of license plates, the research also shows how people’s personal political views and their homes can be recorded into vast databases that can be queried.

[…]

Over more than a decade, DRN has amassed more than 15 billion “vehicle sightings” across the United States, and it claims in its marketing materials that it amasses more than 250 million sightings per month.

[…]

The system is partly fueled by DRN “affiliates” who install cameras in their vehicles, such as repossession trucks, and capture license plates as they drive around. Each vehicle can have up to four cameras attached to it, capturing images in all angles. These affiliates earn monthly bonuses and can also receive free cameras and search credits.

In 2022, Weist became a certified private investigator in New York State. In doing so, she unlocked the ability to access the vast array of surveillance software accessible to PIs. Weist could access DRN’s analytics system, DRNsights, as part of a package through investigations company IRBsearch. (After Weist published an op-ed detailing her work, IRBsearch conducted an audit of her account and discontinued it.

[…]

While not linked to license plate data, one law enforcement official in Ohio recently said people should “write down” the addresses of people who display yard signs supporting Vice President Kamala Harris, the 2024 Democratic presidential nominee, exemplifying how a searchable database of citizens’ political affiliations could be abused.

[…]

In 2022, WIRED revealed that hundreds of US Immigration and Customs Enforcement employees and contractors were investigated for abusing similar databases, including LPR systems. The alleged misconduct in both reports ranged from stalking and harassment to sharing information with criminals.

[…]

 

Source: License Plate Readers Are Creating a US-Wide Database of More Than Just Cars | WIRED

Insecure Robot Vacuums From Chinese Company Deebot Collect Photos and Audio to Train Their AI

Posted on by

Ecovacs robot vacuums, which have been found to suffer from critical cybersecurity flaws, are collecting photos, videos and voice recordings — taken inside customers’ houses — to train the company’s AI models.

The Chinese home robotics company, which sells a range of popular Deebot models in Australia, said its users are “willingly participating” in a product improvement program.

When users opt into this program through the Ecovacs smartphone app, they are not told what data will be collected, only that it will “help us strengthen the improvement of product functions and attached quality”. Users are instructed to click “above” to read the specifics, however there is no link available on that page.

Ecovacs’s privacy policy — available elsewhere in the app — allows for blanket collection of user data for research purposes, including:

– The 2D or 3D map of the user’s house generated by the device
– Voice recordings from the device’s microphone
— Photos or videos recorded by the device’s camera

“It also states that voice recordings, videos and photos that are deleted via the app may continue to be held and used by Ecovacs…”

Source: Insecure Robot Vacuums From Chinese Company Deebot Collect Photos and Audio to Train Their AI

Microsoft bricks Windows MR / VR In Windows 11 24H2

Posted on by

Microsoft has removed Windows Mixed Reality from Windows 11.

With Windows 11 24H2, the latest major version of Microsoft’s PC operating system, you can no longer use a Windows MR headset in any way – not even on Steam.

This includes all the Windows MR headsets from Acer, Asus, Dell, HP, Lenovo, and Samsung, including HP’s Reverb G2, released in 2020.

Screenshot taken by UploadVR.

UploadVR tested Windows 11 24H2 with a Reverb G2 and found the above notice. Microsoft confirmed to UploadVR that this is an intentional removal when it originally announced the move back in December.

In August 3.49% of SteamVR users were using a Windows MR headset, which we estimate to be around 80,000 people. If they install Windows 11 24H2, their VR headset will effectively become a paperweight.

“Existing Windows Mixed Reality devices will continue to work with Steam through November 2026, if users remain on their current released version of Windows 11 (version 23H2) and do not upgrade to this year’s annual feature update for Windows 11 (version 24H2).”

The death of Windows MR headsets comes on the same week Microsoft revealed that HoloLens 2 production has ended, and that software support for the AR headset will end after 2027.

Despite the name, all Windows MR headsets were actually VR-only, and are compatible with most SteamVR content via Microsoft’s SteamVR driver.

The first Windows MR headsets arrived in late 2017 from Acer, Asus, Dell, HP, Lenovo, and Samsung, aiming to compete with the Oculus Rift and HTC Vive that had launched a year earlier. They were the first consumer VR products to deliver inside-out positional tracking, for both the headset and controllers.

[…]

In recent years Microsoft has shifted its XR focus to a software-based long term strategic partnership with Meta.

So far that partnership has brought Xbox Cloud Gaming and Office web apps to the Horizon OS of Quest headsets.

Soon, it will also bring automatic extension of Windows 11 laptops by just looking at them, including spawning entirely virtual extra monitors.

And earlier this year Microsoft announced Windows Volumetric Apps, a new API for extending 3D elements of PC applications being streamed to Meta Quest into 3D space.

[…]

Source: Windows MR Headsets No Longer Work In Windows 11 24H2

A real crying shame. So another reason people will hang on to their Windows 10 installations even more. Hopefully (but doubtfully) they will release the source code and allow people to chug on under their own steam. Bricking these headsets in under four years should be illegal.

Dutch oppose Hungary’s approach to EU child sexual abuse regulation – or total surveillance of every smart device

Posted on by

The Netherlands’ government and opposition are both against the latest version of the controversial EU regulation aimed at detecting online child sexual abuse material (CSAM), according to an official position and an open letter published on Tuesday (1 October).

The regulation, aimed at detecting online CSAM, has been criticised for potentially allowing the scanning of private messages on platforms such as WhatsApp or Gmail.

However, the latest compromise text, dated 9 September, limits detection to known material, among other changes. ‘Known’ material refers to content that has already been circulating and detected, in contrast to ‘new’ material that has not yet been identified.

The Hungarian presidency of the Council of the EU shared a partial general approach dated 24 September and seen by Euractiv, that mirrors the 9 September text but reduces the reevaluation period from five years to three for grooming and new CSAM.

Limiting detection to known material could hinder authorities’ ability to surveil massive amounts of communications, suggesting the change is likely an attempt to reconcile privacy concerns.

The Netherlands initially supported the proposal to limit detection to ‘known’ material but withdrew its support in early September, Euractiv reported.

On Tuesday (1 October), Amsterdam officially took a stance against the general approach, despite speculation last week suggesting the country might shift its position in favour of the regulation.

This is also despite the Dutch mostly maintaining that their primary concern lies with combating known CSAM – a focus that aligns with the scope of the latest proposal.

According to various statistics, the Netherlands hosts a significant amount of CSAM.

The Dutch had been considering supporting the proposal, or at least a “silent abstention” that might have weakened the blocking minority, signalling a shift since Friday (27 September), a source close to the matter told Euractiv.

While a change in the Netherlands’ stance could have affected the blocking minority in the EU Council, their current position now strengthens it.

If the draft law were to pass in the EU Council, the next stage would be interinstitutional negotiations, called trilogues, between the European Parliament, the Council of the EU, and the Commission to finalise the legislation.

Both the Dutch government and the opposition are against supporting the new partial general approach.

Opposition party GroenLinks-PvdA (Greens/EFA) published an open letter, also on Tuesday, backed by a coalition of national and EU-based private and non-profit organisations, urging the government to vote against the proposal.

According to the letter, the regulation will be discussed at the Justice and Home Affairs Council on 11 October, with positions coordinated among member states on 2 October.

Currently, an interim regulation allows companies to detect and report online CSAM voluntarily. Originally set to expire in 2024, this measure has been extended to 2026 to avoid a legislative gap, as the draft for a permanent law has yet to be agreed.

The Dutch Secret Service opposed the draft regulation because “introducing a scan application on every mobile phone” with infrastructure to manage the scans would be a complex and extensive system that would introduce risks to digital resilience, according to a decision note.

Source: Dutch oppose Hungary’s approach to EU child sexual abuse regulation – Euractiv

To find out more about how invasive the proposed scanning feature is, look through the articles here: https://www.linkielist.com/?s=csam

Mazda’s $10 Subscription For Remote Start Sparks Backlash After Killing Open Source Option

Posted on by

Mazda recently surprised customers by requiring them to sign up for a subscription in order to keep certain services. Now, notable right-to-repair advocate Louis Rossmann is calling out the brand. He points to several moves by Mazda as reasons for his anger toward them. However, it turns out that customers might still have a workaround.

Previously, the Japanese carmaker offered connected services, that included several features such as remote start, without the need for a subscription. At the time, the company informed customers that these services would eventually transition to a paid model.

More: Native Google Maps Won’t Work On New GM Cars Without $300 Subscription

It’s important to clarify that there are two very different types of remote start we’re talking about here. The first type is the one many people are familiar with where you use the key fob to start the vehicle. The second method involves using another device like a smartphone to start the car. In the latter, connected services do the heavy lifting.

Transition to paid services

What is wild is that Mazda used to offer the first option on the fob. Now, it only offers the second kind, where one starts the car via phone through its connected services for a $10 monthly subscription, which comes to $120 a year. Rossmann points out that one individual, Brandon Rorthweiler, developed a workaround in 2023 to enable remote start without Mazda’s subscription fees.

However, according to Ars Technica, Mazda filed a DMCA takedown notice to kill that open-source project. The company claimed it contained code that violated “[Mazda’s] copyright ownership” and used “certain Mazda information, including proprietary API information.” Additionally, Mazda argued that the project included code providing functionality identical to that found in its official apps available on the Apple App Store and Google Play Store.

That doesn’t mean an aftermarket remote starter kit won’t work though. In fact, with Mazda’s subscription model now in place, it’s not hard to imagine customers flocking to aftermarket solutions to avoid the extra fees. However, by not opting to pay for Mazda Connected Services, owners will also miss out on things like vehicle health reports, remote keyless entry, and vehicle status reports.

A growing trend

Bear in mind that this is just one case of an automaker trying to milk their customers with subscription-based features, which could net them millions in extra income. BMW, for example, installs adaptive suspension hardware in some vehicles but charges $27.50 per month (or $505 for a one-time purchase) to unlock the software that makes the suspension actually work.

And then there’s Ferrari’s plan to offer a battery subscription for extended warranty coverage on its hybrid models for a measly $7,500 per year!

[…]

sure, you might have paid a considerable amount of money to buy your car, and it might legally be yours, but that does not ensure that you really own all of the features it comes with, unless you’re prepared to pay extra.

Source: Mazda’s $10 Subscription For Remote Start Sparks Backlash After Killing Open Source Option | Carscoops

Man-in-the-Middle PCB Unlocks HP Ink Cartridges

Posted on by

It’s a well-known secret that inkjet ink is being kept at artificially high prices, which is why many opt to forego ‘genuine’ manufacturer cartridges and get third-party ones instead. Many of these third-party ones are so-called re-manufactured ones, where a third-party refills an empty OEM cartridge. This is increasingly being done due to digital rights management (DRM) reasons, with tracking chips added to each cartridge. These chip prohibit e.g. the manual refilling of empty cartridges with a syringe, but with the right tweak or attack can be bypassed, with [Jay Summet] showing off an interesting HP cartridge DRM bypass using a physical man-in-the-middle-attack.

This bypass takes the form of a flex PCB with contacts on both sides which align with those on the cartridge and those of the printer. What looks like a single IC in a QFN package is located on the cartridge side, with space for it created inside an apparently milled indentation in the cartridge’s plastic. This allows is to fit flush between the cartridge and HP inkjet printer, intercepting traffic and presumably telling the printer some sweet lies so that you can go on with that print job rather than dash out to the store to get some more overpriced Genuine HP-approved cartridges.

Not that HP isn’t aware or not ticked off about this, mind. Recently they threatened to brick HP printers that use third-party cartridges if detected, amidst vague handwaving about ‘hackers’ and ‘viruses’ and ‘protecting the users’ with their Dynamic Security DRM system. As the many lawsuits regarding this DRM system trickle their way through the legal system, it might be worth it to keep a monochrome laser printer standing by just in case the (HP) inkjet throws another vague error when all you want is to just print a text document.

 

Source: Man-in-the-Middle PCB Unlocks HP Ink Cartridges | Hackaday

It says something really bad about the printer industry that this is a necessary hack.

Juicy licensing deals with AI companies show that publishers don’t really care about creators

Posted on by

One of the many interesting aspects of the current enthusiasm for generative AI is the way that it has electrified the formerly rather sleepy world of copyright. Where before publishers thought they had successfully locked down more or less everything digital with copyright, they now find themselves confronted with deep-pocketed companies – both established ones like Google and Microsoft, and newer ones like OpenAI – that want to overturn the previous norms of using copyright material. In particular, the latter group want to train their AI systems on huge quantities of text, images, videos and sounds.

As Walled Culture has reported, this has led to a spate of lawsuits from the copyright world, desperate to retain their control over digital material. They have framed this as an act of solidarity with the poor exploited creators. It’s a shrewd move, and one that seems to be gaining traction. Lots of writers and artists think they are being robbed of something by Big AI, even though that view is based on a misunderstanding of how generative AI works. However, in the light of stories like one in The Bookseller, they might want to reconsider their views about who exactly is being evil here:

Academic publisher Wiley has revealed it is set to make $44 million (£33 million) from Artificial Intelligence (AI) partnerships that it is not giving authors the opportunity to opt-out from.

As to whether authors would share in that bounty:

A spokesperson confirmed that Wiley authors are set to receive remuneration for the licensing of their work based on their “contractual terms”.

That might mean they get nothing, if there is no explicit clause in their contract about sharing AI licensing income. For example, here’s what is happening with the publisher Taylor & Francis:

In July, authors hit out another academic publisher, Taylor & Francis, the parent company of Routledge, over an AI deal with Microsoft worth $10 million, claiming they were not given the opportunity to opt out and are receiving no extra payment for the use of their research by the tech company. T&F later confirmed it was set to make $75 million from two AI partnership deals.

It’s not just in the world of academic publishing that deals are being struck. Back in July, Forbes reported on a “flurry of AI licensing activity”:

The most active area for individual deals right now by far—judging from publicly known deals—is news and journalism. Over the past year, organizations including Vox Media (parent of New York magazine, The Verge, and Eater), News Corp (Wall Street Journal, New York Post, The Times (London)), Dotdash Meredith (People, Entertainment Weekly, InStyle), Time, The Atlantic, Financial Times, and European giants such as Le Monde of France, Axel Springer of Germany, and Prisa Media of Spain have each made licensing deals with OpenAI.

In the absence of any public promises to pass on some of the money these licensing deals will bring, it is not unreasonable to assume that journalists won’t be seeing much if any of it, just as they aren’t seeing much from the link tax.

The increasing number of such licensing deals between publishers and AI companies shows that the former aren’t really too worried about the latter ingesting huge quantities of material for training their AI systems, provided they get paid. And the fact that there is no sign of this money being passed on in its entirety to the people who actually created that material, also confirms that publishers don’t really care about creators. In other words, it’s pretty much what was the status quo before generative AI came along. For doing nothing, the intermediaries are extracting money from the digital giants by invoking the creators and their copyrights. Those creators do all the work, but once again see little to no benefit from the deals that are being signed behind closed doors.

Source: Juicy licensing deals with AI companies show that publishers don’t really care about creators – Walled Culture

VR Headset With Custom Face Fitting also shows you how to design custom fitted wearables

Posted on by

The Bigscreen Beyond is a small and lightweight VR headset that in part achieves its small size and weight by requiring custom fitting based on a facial scan. [Val’s Virtuals] managed to improve fitment even more by redesigning a facial interface and using a 3D scan of one’s own head to fine-tune the result even further. The new designs distribute weight more evenly while also providing an optional flip-up connection.

It may be true that only a minority of people own a Bigscreen Beyond headset, and even fewer of them are willing to DIY their own custom facial interface. But [Val]’s workflow and directions for using Blender to combine a 3D scan of one’s face with his redesigned parts to create a custom-fitted, foam-lined facial interface is good reading, and worth keeping in mind for anyone who designs wearables that could benefit from custom fitting. It’s all spelled out in the project’s documentation — look for the .txt file among the 3D models.

We’ve seen a variety of DIY approaches to VR hardware, from nearly scratch-built headsets to lens experiments, and one thing that’s clear is that better comfort is always an improvement. With newer iPhones able to do 3D scanning and 1:1 scale scanning in general becoming more accessible, we have a feeling we’re going to see more of this DIY approach to ultra-customization.

Source: VR Headset With Custom Face Fitting Gets Even More Custom | Hackaday

The Untrustworthy Evidence in Dishonesty Research

Posted on by
  • František Bartoš University of Amsterdam

DOI:

https://doi.org/10.15626/MP.2023.3987

Replicable and reliable research is essential for cumulative science and its applications in practice. This article examines the quality of research on dishonesty using a sample of 286 hand-coded test statistics from 99 articles. Z-curve analysis indicates a low expected replication rate, a high proportion of missing studies, and an inflated false discovery risk. Test of insufficient variance (TIVA) finds that 11/61 articles with multiple test statistics contain results that are “too-good-to-be-true”. Sensitivity analysis confirms the robustness of the findings. In conclusion, caution is advised when relying on or applying the existing literature on dishonesty.

Source: LnuOpen | Meta-Psychology

Flaw in Kia’s web portal let researchers track, hack cars. Again.

Posted on by

[…] Today, a group of independent security researchers revealed that they’d found a flaw in a web portal operated by the carmaker Kia that let the researchers reassign control of the Internet-connected features of most modern Kia vehicles—dozens of models representing millions of cars on the road—from the smartphone of a car’s owner to the hackers’ own phone or computer. By exploiting that vulnerability and building their own custom app to send commands to target cars, they were able to scan virtually any Internet-connected Kia vehicle’s license plate and within seconds gain the ability to track that car’s location, unlock the car, honk its horn, or start its ignition at will.

[…]

The web bug they used to hack Kias is, in fact, the second of its kind that they’ve reported to the Hyundai-owned company; they found a similar technique for hijacking Kias’ digital systems last year. And those bugs are just two among a slew of similar web-based vulnerabilities they’ve discovered within the last two years that have affected cars sold by Acura, Genesis, Honda, Hyundai, Infiniti, Toyota, and more.

“The more we’ve looked into this, the more it became very obvious that web security for vehicles is very poor,”

[…]

The Kia hacking technique the group found works by exploiting a relatively simple flaw in the backend of Kia’s web portal for customers and dealers, which is used to set up and manage access to its connected car features. When the researchers sent commands directly to the API of that website—the interface that allows users to interact with its underlying data—they say they found that there was nothing preventing them from accessing the privileges of a Kia dealer, such as assigning or reassigning control of the vehicles’ features to any customer account they created. “It’s really simple. They weren’t checking if a user is a dealer,” says Rivera. “And that’s kind of a big issue.”

Kia’s web portal allowed lookups of cars based on their vehicle identification number (VIN). But the hackers found they could quickly find a car’s VIN after obtaining its license plate number using the website PlateToVin.com.

More broadly, Rivera adds, any dealer using the system seemed to have been trusted with a shocking amount of control over which vehicles’ features were linked with any particular account. “Dealers have way too much power, even over vehicles that don’t touch their lot,” Rivera says.

Source: Flaw in Kia’s web portal let researchers track, hack cars | Ars Technica

LG Has Started Showing Screensaver Ads on Their Smart TVs | Lifehacker

Posted on by

Like them or not, ads run the world. They’re the reason so much content out there is free of charge—or, at least, less expensive. But while it’s one thing to watch an ad before jumping into a YouTube video, or to see ads surrounding an article, it’s another thing entirely to be forced to see ads even when you’re not engaging with the product.

That, apparently, is what’s going on with LG TVs right now. While anyone with a smart TV may be familiar with seeing more ads throughout their television experience, LG is taking things up a notch” Now, the company is displaying ads during screensavers. I guess leaving your TV idle isn’t “free” anymore.

FlatpanelsHD made the discovery when reviewing LG’s G4 OLED TV. These ads display in full-screen before reverting back to the screensaver you expect to see. FlatpanelsHD saw full-screen ads for LG Channels, LG’s free streaming service that includes ads, but confirmed through LG there can be advertisements from third-party partners as well.

While FlatpanelsHD may have been among the first to see these ads in the wild, they aren’t a secret. In fact, LG Ad Solutions announced the initiative on Sept. 5, in a post titled “Idle Time Isn’t Wasted Time — LG Ad Solutions Finds that Screensaver Ads Are In Fact Effective.” The program even has a name, “Native Screensaver Ads,” and runs across the Home Screen, LG Channels, and Content Store on LG Smart TVs. According to the announcement, Native Screensaver Ads turn “what may be perceived as a period of downtime into a valuable engagement opportunity.” Cool.

[…]

I didn’t buy my LG TV to encourage me to buy stuff: I purposefully watch shows and movies on it (and play the occasional game). It’s insulting to think I want to leave my TV running in the background at all times, and be fine with constant, targeted ads in my space. If you feel the same, the good news is there’s a way to block these ads in the first place.

How to disable LG screensaver ads

If you have an LG smart TV, head to your device’s Settings, then choose Additional Settings. If your TV is affected, you should see a Screen Saver Promotion option. Disable it, and you should be spared from idle encouragements to shop.

Source: LG Has Started Showing Screensaver Ads on Their Smart TVs | Lifehacker

LG Wants to Show You Ads Even When You’re Not Watching TV

Posted on by

The outlet reveals (via Android Authority) that the ads start playing before the screensaver hits the screen and are usually sponsored messages from LG or its partners. The review highlighted one specific ad for the LG Channels app: LG’s free live TV service with ads. FlatpanelsHD adds that according to LG’s ad division, users will soon start seeing ads for other products and services.

The review mentions that “some of the ads” can be disabled, and there’s also an option under ‘Additional Settings’ to disable screensaver ads. But it’s almost sinful to push ads on a $2,400 device.

What makes this whole thing more bizarre is that, according to the review, LG pushes the same ads with the same frequency on its cheaper offerings. Oddly, it does nothing to differentiate the experience of purchasing a high-end model from an entry-level one. The brand’s OLED line is already pricey, but the G4 is allegedly “one of the most expensive TVs on the market,” according to FlatpanelsHD. I can only imagine how this will play out for the South Korean company. As FlatpanelsHD said, “LG must reconsider this strategy if they want to sell high-end TVs.”

Source: LG Wants to Show You Ads Even When You’re Not Watching TV

Unbelievable this

‘Writing’ with atoms could transform materials fabrication for quantum devices

Posted on by

[…]A research team at the Department of Energy’s Oak Ridge National Laboratory has created a novel advanced microscopy tool to “write” with atoms, placing those atoms exactly where they are needed to give a material new properties.

“By working at the , we also work at the scale where quantum properties naturally emerge and persist,” said Stephen Jesse, a materials scientist who leads this research and heads the Nanomaterials Characterizations section at ORNL’s Center for Nanophase Materials Sciences, or CNMS.

[…]

o accomplish improved control over atoms, the research team created a tool they call a synthescope for combining synthesis with advanced microscopy. The researchers use a , or STEM, transformed into an atomic-scale material manipulation platform.

The synthescope will advance the state of the art in fabrication down to the level of the individual building blocks of materials. This new approach allows researchers to place different atoms into a material at specific locations; the new atoms and their locations can be selected to give the material new properties.

[…]

https://www.youtube.com/watch?v=I5FSc-lqI6s

We realized that if we have a microscope that can resolve atoms, we may be able to use the same microscope to move atoms or alter materials with atomic precision. We also want to be able to add atoms to the structures we create, so we need a supply of atoms. The idea morphed into an atomic-scale synthesis platform—the synthescope.”

That is important because the ability to tailor materials atom-by-atom can be applied to many future technological applications in quantum information science, and more broadly in microelectronics and catalysis, and for gaining a deeper understanding of materials synthesis processes. This work could facilitate atomic-scale manufacturing, which is notoriously challenging.

“Simply by the fact that we can now start putting atoms where we want, we can think about creating arrays of atoms that are precisely positioned close enough together that they can entangle, and therefore share their , which is key to making quantum devices more powerful than conventional ones,” Dyck said.

Such devices might include quantum computers—a proposed next generation of computers that may vastly outpace today’s fastest supercomputers; quantum sensors; and quantum communication devices that require a source of a single photon to create a secure quantum communications system.

“We are not just moving atoms around,” Jesse said. “We show that we can add a variety of atoms to a material that were not previously there and put them where we want them. Currently there is no technology that allows you to place different elements exactly where you want to place them and have the right bonding and structure. With this technology, we could build structures from the atom up, designed for their electronic, optical, chemical or structural properties.”

The scientists, who are part of the CNMS, a nanoscience research center and DOE Office of Science user facility, detailed their research and their vision in a series of four papers in scientific journals over the course of a year, starting with proof of principle that the synthescope could be realized. They have applied for a patent on the technology.

“With these papers, we are redirecting what atomic-scale fabrication will look like using electron beams,” Dyck said. “Together these manuscripts outline what we believe will be the direction atomic fabrication technology will take in the near future and the change in conceptualization that is needed to advance the field.”

By using an , or e-beam, to remove and deposit the atoms, the ORNL scientists could accomplish a direct writing procedure at the atomic level.

“The process is remarkably intuitive,” said ORNL’s Andrew Lupini, STEM group leader and a member of the research team. “STEMs work by transmitting a high-energy e-beam through a material. The e-beam is focused to a point smaller than the distance between atoms and scans across the material to create an image with atomic resolution. However, STEMs are notorious for damaging the very materials they are imaging.”

The scientists realized they could exploit this destructive “bug” and instead use it as a constructive feature and create holes on purpose. Then, they can put whatever atom they want in that hole, exactly where they made the defect. By purposely damaging the material, they create a new material with different and useful properties.

[…]

To demonstrate the method, the researchers moved an e-beam back and forth over a graphene lattice, creating minuscule holes. They inserted tin atoms into those holes and achieved a continuous, atom-by-atom, direct writing process, thereby populating the exact same places where the carbon atom had been with tin atoms.

[…]

Source: ‘Writing’ with atoms could transform materials fabrication for quantum devices

Some startups are going ‘fair source’ to avoid the pitfalls of open source licensing

Posted on by

With the perennial tensions between proprietary and open source software (OSS) unlikely to end anytime soon, a $3 billion startup is throwing its weight behind a new licensing paradigm — one that’s designed to bridge the open and proprietary worlds, replete with new definition, terminology, and governance model.

Developer software company Sentry recently introduced a new license category dubbed “fair source.” Sentry is an initial adopter, as are some half dozen others, including GitButler, a developer tooling company from one of GitHub’s founders

The fair source concept is designed to help companies align themselves with the “open” software development sphere, without encroaching into existing licensing landscapes, be that open source, open core, or source-available, and while avoiding any negative associations that exist with “proprietary.”

However, fair source is also a response to the growing sense that open source isn’t working out commercially.

“Open source isn’t a business model — open source is a distribution model, it’s a software development model, primarily,” Chad Whitacre, Sentry’s head of open source, told TechCrunch. “And in fact, it places severe limits on what business models are available, because of the licensing terms.”

[…]

Sentry, an app performance monitoring platform that helps companies such as Microsoft and Disney detect and diagnose buggy software, was initially available under a permissive BSD 3-Clause open source license. But in 2019, the product transitioned to a business source license (BUSL), a more restrictive source-available license initially created by MariaDB. This move was to counter what co-founder and CTO David Cramer called “funded businesses plagiarizing or copying our work to directly compete with Sentry.”

Fast forward to last August, and Sentry announced that it was making a recently acquired developer tool called Codecov “open source.” This was to the chagrin of many, who questioned whether the company could really call it “open source” given that it was being released under BUSL — a license that isn’t compatible with the Open Source Initiative’s (OSI) definition of “open source.”

Cramer swiftly issued an apology of sorts, explaining that while it had erroneously used the descriptor, the BUSL license adheres to the spirit of what many open source licenses are about: Users can self-host and modify the code without paying the creator a dime. They just can’t commercialize the product as a competing service.

But BUSL isn’t open source.

“We sort of stuck our foot in it, stirred the hornet’s next,” Whitacre said. “But it was during the debate that followed where we realized that we need a new term. Because we’re not closed source, and clearly, the community does not accept that we’re open source. And we’re not open core, either.”

Those who follow the open source world know that terminology is everything, and Sentry is far from the first company to fall in its (mis)use of the established nomenclature.

[…]

For now, the main recommended fair source license is the Functional Source License (FSL), which Sentry itself launched last year as a simpler alternative to BUSL. However, BUSL itself has also now been designated fair source, as has the all-new Fair Core License (FCL) which was contributed by Keygen, both of which are included to support the needs of different projects.

Companies are welcome to submit their own license for consideration, though all fair source licenses should have three core stipulations: It [the code] should be publicly available to read; allow third parties to use, modify, and redistribute with “minimal restrictions“; and have a delayed open source publication (DOSP) stipulation, meaning it converts to a true open source license after a predefined period of time. With Sentry’s FSL license, that period is two years; for BUSL, the default period is four years.

The concept of “delaying” publication of source code under a true open source license is a key defining element of a fair source license, separating it from other models such as open core. The DOSP protects a company’s commercial interests in the short term, before the code becomes fully open source.

[…]

In many ways, fair source is simply an exercise in branding — one that allows companies to cherry-pick parts of an established open source ethos that they cherish, while getting to avoid calling themselves “proprietary” or some other variant.

[…]

 

Source: Some startups are going ‘fair source’ to avoid the pitfalls of open source licensing | TechCrunch

New Dutch government declares asylum emergency – even though there isn’t – to bypass parliament. This is how authoritarianism begins.

Posted on by

The new programme of the Dutch cabinet under Prime Minister Dick Schoof reflects the tough migration stance promised during the election campaign, outlining a comprehensive plan to radically reform the country’s asylum system and push for an opt-out from EU migration policies. 

The Schoof cabinet’s plans for the upcoming term were unveiled today (13 September).  

The government’s newly published programme builds on the key agreements reached earlier this year after extensive negotiations between the former Liberal Party for Freedom and Democracy (VVD), led by the successor to former prime minister Mark Rutte, Wilders’ Freedom Party (PVV), New Social Contract (NSC) party and Citizen-Farmer Movement. 

The programme echoes the hardline stance on migration that dominated the campaign rhetoric and outlines a broad package of measures aimed at radically reforming the asylum system, citing “pressure on housing, healthcare, and education” as threats to social cohesion and safety.

“We must change direction and cut the influx immediately. That’s why I’m introducing the strictest asylum policy ever,” said the Minister of Asylum and Migration from the far-right populist PVV Marjolein Faber on X just before the programme’s release. 

A key element of the strategy focuses on action at the European level, including reforms to regulations and international treaties, as the government plans to take the issue to Brussels “as soon as possible” to achieve “an opt-out from European asylum and migration regulations.” 

At last week’s Ambrosetti Forum in Cernobbio, PVV leader Geert Wilders reiterated his call for EU countries to have an opt-out option on immigration and asylum policies.  

Last week, Minister Faber announced in her debut parliamentary debate that the cabinet intends to declare the asylum crisis an emergency – bypassing parliamentary approval – to swiftly enact measures to cut the migrant influx.

The programme addresses the asylum crisis, including a new Asylum Crisis Law as part of its structural reforms, as well as a redefinition of the nuclear family to restrict family reunification.

It also mentions the scrapping of indefinite asylum permits, allowing periodic reviews to determine if protection is still needed or if individuals can be returned to their home countries. 

Following last November’s national election, which was prompted by the collapse of the fourth Rutte cabinet over immigration policy disputes, Geert Wilders’s far-right party PVV emerged victorious. Securing a landslide victory with 37 seats, PVV became the largest party in the Dutch parliament. 

However, despite winning the election, Wilders opted not to personally join the government. Instead, Dick Schoof, an unelected career bureaucrat who previously headed the Dutch intelligence agency AIVD and served as a top official at the Ministry of Justice, was appointed prime minister by the King last July. 

Source: New Dutch government unveils toughest asylum reform in history – Euractiv

Five new massive satellites outshine most evening stars and will get bigger

Posted on by

A Texas telecommunications startup launched its first five massive “BlueBird” communications satellites into orbit on September 12. Each device is nearly 700-feet-wide when fully deployed, and like BlueWalker 3—AST SpaceMobile’s 2022 prototype, also in orbit—every BlueBird will soon shine brighter than most stars and planets in the night sky. But despite the concerns of critics and experts alike, the company’s CEO vows they are “just getting started.”

Founded in 2017, AST SpaceMobile is currently working with AT&T to construct the world’s first space-based cellular broadband network. In a statement on Thursday, AT&T Chief Operating Officer Jeff McElfresh said it’s all part of a plan to offer “a future where our customers will only be hard to reach if they choose to be.” AST SpaceMobile successfully delivered its BlueWalker 3 prototype into low-Earth orbit (LEO) in September 2022, and demonstrated it by allowing a smartphone to make a voice call the following September. Less than a month after the milestone, an international study published in Nature confirmed BlueWalker 3’s peak brightness matched that of Procyon and Achernar, two of the ten brightest stars in the night sky. Subsequent observations recorded even higher magnitudes similar to the stars that make up the constellation of Orion.

Each of the five BlueBirds now in orbit are roughly the same size as BlueWalker 3, meaning they will soon offer similar experiences for sky observers—sometimes visible even to the naked eye. But to achieve a reliable, high speed, and commercially viable satellite broadband network, AST SpaceMobile says it will need to deploy a constellation of nearly 90 satellites.

During a livestream of Thursday’s launch, company founder, chairman, and CEO Abel Avellan said many future satellite iterations will be “three-and-a-half-times larger” than the current BlueBirds. Such a scaling up would make each new, fully deployed device around 2425-square-feet in diameter, or about half the size of a regulation NBA basketball court. As Gizmodo noted on September 13, there are currently no legal restrictions for satellite brightness.

Gigantic satellite constellation arrays are growing at a rate that eclipses both regulatory oversight and experts’ concerns. Shortly after BlueWalker 3’s launch in 2022, the committee speaking on behalf of the International Astronomical Union uniformly denounced its delivery, describing it as “a big shift in the constellation satellite issue [that] should give us all reason to pause.”

AST SpaceMobile is far from the only company pursuing similar projects. SpaceX’s ongoing Starlink internet endeavor intends to eventually include as many as 7,000 satellites in orbit, in spite of its own share of public criticism. Meanwhile, advocates continue to stress the dangers of orbital pollution from decommissioned satellites and debris, often referred to as “space junk.” Without proper oversight and cleanup efforts, experts have repeatedly warned of the possibility of initiating a “Kessler cascade.” In these scenarios, the untenable amount of human-made objects leads to ever-increasing collisions, causing debris to deorbit and pose a danger to anything in its path.

In a statement provided to Popular Science, a spokesperson said that “AST SpaceMobile is committed to the responsible use of space as we advance our goal of using space-based, satellite technology to connect directly with everyday smartphones and help bring broadband to billions of people worldwide who do not have access today.”

Source: Five new massive satellites outshine most evening stars | Popular Science

Cats have brain activity recorded with the help of crocheted hats

Posted on by

Scientists have recorded electrical activity in the brains of awake cats for the first time, thanks to specially crocheted wool caps that hold the electrodes in place.

The technique gives researchers a way to assess chronic pain in cats and could lead to novel treatments, says Aude Castel at the University of Montreal in Canada.

About a quarter of all adult cats live with chronic pain due to osteoarthritis, which gets worse with age. Because treatment options are limited and generally involve significant side effects, Castel and her colleagues have been seeking alternative ways to relieve pain in cats, such as aromatherapy.

Electroencephalograms (EEGs) can be helpful in assessing the effects of such treatments because they can show the brain’s responses to pain and to stimulation of the senses. Thus far, though, the only EEGs carried out in cats have been performed in sedated animals.

Castel and her colleagues attempted to place electrodes on the heads of 11 awake, adult cats – all of which had osteoarthritis – in order to record their brain activity in response to smelling a variety of substances and seeing different wavelengths of light. However, the cats regularly shook their heads, causing the electrodes to shift out of place or fall off. Finally, the researchers realised they could take advantage of a new fashion for cats: crocheted caps.

“When you spend more time putting electrodes back on than you do actually recording the EEGs, you get creative,” says team member Aliénor Delsart, also at the University of Montreal.

The team asked a graduate student to crochet special cat caps to hold the electrodes, inspired by a tutorial on YouTube. With the new hats in place, the researchers found that the electrodes stayed in position and that the cats no longer tried to play with or chew the wires.

The EEG recordings in the awake cats were mostly usable, although a few still had too much interference from the cats’ head movements. Even so, the results allowed the team to determine critical brain activity related to the cats’ pain levels and reactions to various smells and coloured lighting.

As such, the team plans to use the EEG caps in future studies to determine how various treatments – including drugs and alternative therapies like odours and lighting – affect the cats’ perception of pain, says Delsart.

 

Journal reference:

Journal of Neuroscience Methods DOI: 10.1016/j.jneumeth.2024.110254

Source: Cats have brain activity recorded with the help of crocheted hats | New Scientist

Fortinet confirms data breach after hacker claims to steal 440GB of files

Posted on by

Cybersecurity giant Fortinet has confirmed it suffered a data breach after a threat actor claimed to steal 440GB of files from the company’s Microsoft Sharepoint server.

Fortinet is one of the largest cybersecurity companies in the world, selling secure networking products like firewalls, routers, and VPN devices. The company also offers SIEM, network management, and EDR/XDR solutions, as well as consulting services.

Early this morning, a threat actor posted to a hacking forum that they had stolen 440GB of data from Fortinet’s Azure Sharepoint instance. The threat actor then shared credentials to an alleged S3 bucket where the stolen data is stored for other threat actors to download.

[…]

The threat actor, known as “Fortibitch,” claims to have tried to extort Fortinet into paying a ransom, likely to prevent the publishing of data, but the company refused to pay.

In response to our questions about incident, Fortinet confirmed that customer data was stolen from a “third-party cloud-based shared file drive.”

[…]

Earlier today, Fortinet did not disclose how many customers are impacted or what kind of data has been compromised but said that it “communicated directly with customers as appropriate.”

A later update shared on Fortinet’s website says that the incident affected less than 0.3% of its customer base and that it has not resulted in any malicious activity targeting customers.

[…]

In May 2023, a threat actor claimed to have breached the GitHub repositories for the company Panopta, who was acquired by Fortinet in 2020, and leaked stolen data on a Russian-speaking hacking forum.

Source: Fortinet confirms data breach after hacker claims to steal 440GB of files

Ouch. A 440GB leak is huge.

Apple Vision Pro’s Eye Tracking Exposed What People Type

Posted on by

[…]

Today, a group of six computer scientists are revealing a new attack against Apple’s Vision Pro mixed reality headset where exposed eye-tracking data allowed them to decipher what people entered on the device’s virtual keyboard. The attack, dubbed GAZEploit and shared exclusively with WIRED, allowed the researchers to successfully reconstruct passwords, PINs, and messages people typed with their eyes.

“Based on the direction of the eye movement, the hacker can determine which key the victim is now typing,” says Hanqiu Wang, one of the leading researchers involved in the work. They identified the correct letters people typed in passwords 77 percent of the time within five guesses and 92 percent of the time in messages.

To be clear, the researchers did not gain access to Apple’s headset to see what they were viewing. Instead, they worked out what people were typing by remotely analyzing the eye movements of a virtual avatar created by the Vision Pro. This avatar can be used in Zoom calls, Teams, Slack, Reddit, Tinder, Twitter, Skype, and FaceTime.

[…]

 

Source: Apple Vision Pro’s Eye Tracking Exposed What People Type | WIRED

1.3 million Android-based TV boxes backdoored; researchers still don’t know how

Posted on by

Researchers still don’t know the cause of a recently discovered malware infection affecting almost 1.3 million streaming devices running an open source version of Android in almost 200 countries.

Security firm Doctor Web reported Thursday that malware named Android.Vo1d has backdoored the Android-based boxes by putting malicious components in their system storage area, where they can be updated with additional malware at any time by command-and-control servers. Google representatives said the infected devices are running operating systems based on the Android Open Source Project, a version overseen by Google but distinct from Android TV, a proprietary version restricted to licensed device makers.

Dozens of variants

Although Doctor Web has a thorough understanding of Vo1d and the exceptional reach it has achieved, company researchers say they have yet to determine the attack vector that has led to the infections.

“At the moment, the source of the TV boxes’ backdoor infection remains unknown,” Thursday’s post stated. “One possible infection vector could be an attack by an intermediate malware that exploits operating system vulnerabilities to gain root privileges. Another possible vector could be the use of unofficial firmware versions with built-in root access.”

The following device models infected by Vo1d are:

TV box model Declared firmware version
R4 Android 7.1.2; R4 Build/NHG47K
TV BOX Android 12.1; TV BOX Build/NHG47K
KJ-SMART4KVIP Android 10.1; KJ-SMART4KVIP Build/NHG47K

One possible cause of the infections is that the devices are running outdated versions that are vulnerable to exploits that remotely execute malicious code on them. Versions 7.1, 10.1, and 12.1, for example, were released in 2016, 2019, and 2022, respectively. What’s more, Doctor Web said it’s not unusual for budget device manufacturers to install older OS versions in streaming boxes and make them appear more attractive by passing them off as more up-to-date models.

Further, while only licensed device makers are permitted to modify Google’s AndroidTV, any device maker is free to make changes to open source versions. That leaves open the possibility that the devices were infected in the supply chain and were already compromised by the time they were purchased by the end user.

[…]

The statement said people can confirm a device runs Android TV OS by checking this link and following the steps listed here.

[…]

It’s not especially easy for less experienced people to check if a device is infected short of installing malware scanners. Doctor Web said its antivirus software for Android will detect all Vo1d variants and disinfect devices that provide root access. More experienced users can check indicators of compromise here.

Source: 1.3 million Android-based TV boxes backdoored; researchers still don’t know how | Ars Technica

After Synology breaks video station, plex, HEIC, H.265, backups, update now also breaks Surveillence station. What is going on there?!

Posted on by

Installed DSM 7.2.2-72806 on my DS1821+. The update automatically updated Surveillance Station to 9.2.1-11374.

When updating I received the following notice:

Surveillance Station will automatically install the Surveillance Video Extension package. After this update, the Live View Analytics app will no longer be supported. The support for HEVC (H.265) cameras will undergo the following changes, while AVC (H.264) cameras will remain unaffected:
Unsupported features:

Motion detection by Surveillance Station

Continuing to take snapshots after events for email notifications

Adjusted mechanisms:

Event snapshot

Thumbnails (e.g., thumbnails for IP cameras, detection results, timeline preview)

There was also a warning stating:

DS cam Android 3.10.0 or above, iOS 5.9.0 or above:

H.265 camera streams might not be able to play:

If any issues occur with live streaming or video playback, consider changing the camera’s video format to H.264 or using a mobile device that supports H.265 format.

Once the update was finished and I opened Surveillance Station I received this warning:

Some H.265 cameras’s motion detection has been reconfigured or disabled. In this update, Surveillance Station no longer supports H.265 cameras to configure motion detection using Surveillance Station ‘s algorithms. The motion detection setting is automatically switched to using camera’s built-in algorithm if available. Otherwise, the motion detection is disabled. The related functions (e.g., recording schedule, notification, alarm, and action rule) will also be affected.

Testing Surveillance Station in Chrome it is completely broken. There are no previews for my cameras, recordings can’t be played back, etc. This all worked before the update, although I normally use the client. https://imgur.com/a/47m5ukO

Using the Surveillance Station Client on my Mac, there are almost no changes. The camera previews work, hovering over the timeline in monitor center displays a preview, recordings can be played back, smart time-lapse recording in h265 works, etc. https://imgur.com/a/RBVM2ET

Under the camera settings, I can still set a recording schedule, the only thing that was removed is the option to use the Synology detection algorithm under Event Detection. Advanced Event (Smart Event) settings still work. https://imgur.com/a/TFoKvJk

In Monitor Center all previous events from before the update are missing (I can’t jump to the last motion event), but the files themselves are still there in recordings. https://imgur.com/a/PJHBVd3

The iOS app still works fine with no issues.

Ultimately the only change for me is that I now have to configure event detection by logging into each camera recording in h265, everything else is the same as before.

Cameras I tested with are Hikvision DS-2CD2385G1-I recording in h265+ and Reolink E1 Pros.

Source: My experience updating to Surveillance Station 9.2.1-11374

More details on that Windows Installer ‘make me admin’ hole

Posted on by

In this week’s Patch Tuesday Microsoft alerted users to, among other vulnerabilities, a flaw in Windows Installer that can be exploited by malware or a rogue user to gain SYSTEM-level privileges to hijack a PC.

The vulnerability, CVE-2024-38014, was spotted and privately disclosed by security shop SEC Consult, which has now shared the full details of how this attack works. The researcher has released an open source tool to scan a system for Installer files that can be abused to elevate local privileges.

Microsoft said the bug is already exploited, which may mean it acknowledges that SEC Consult’s exploit for the flaw works, or that bad people are abusing this in the wild, or both

[…]

SECC researcher Michael Baer found the exploitable weakness in January. Fixing it turned out to be a complex task and Microsoft asked for more time to address it with a patch, which it implemented this week. The original plan was to close the hole in May, but that slipped to this September for technical reasons. Now Baer has written a blog post explaining exactly how the attack works.

Essentially, a low privileged user opens an Installer package to repair some already-installed code on a vulnerable Windows system. The user does this by running an .msi file for a program, launching the Installer to handle it, and then selecting the option to repair the program (eg, like this). There is a brief opportunity to hijack that repair process, which runs with full SYSTEM rights, and gain those privileges, giving much more control over the PC.

When the repair process begins, a black command-line window opens up briefly to run a Windows program called certutil.exe. Quickly right clicking on the window’s top bar and selecting “Properties” will stop the program from disappearing and open a dialog box in which the user can click on a web link labeled “legacy console mode.” The OS will then prompt the user to open a browser to handle that link. Select Firefox, ideally, to handle that request.

Then in the browser, press Control-O to open a file, type cmd.exe in the top address bar of the dialog box, hit Enter, and bam – you’ve got a command prompt as SYSTEM. That’s because the Installer spawned the browser with those rights from that link.

[…]

Source: More details on that Windows Installer ‘make me admin’ hole • The Register