We are losing vast swathes of our digital past, and copyright stops us saving it

It is hard to imagine the world without the Web. Collectively, we routinely access billions of Web pages without thinking about it. But we often take it for granted that the material we want to access will be there, both now and in the future. We all hit the dreaded “404 not found” error from time to time, but merely pass on to other pages. What we tend to ignore is how these online error messages are a flashing warning signal that something bad is happening to the World Wide Web. Just how bad is revealed in a new report from the Pew Research Center, based on an examination of half a million Web pages, which found:

A quarter of all webpages that existed at one point between 2013 and 2023 are no longer accessible, as of October 2023. In most cases, this is because an individual page was deleted or removed on an otherwise functional website.

For older content, this trend is even starker. Some 38% of webpages that existed in 2013 are not available today, compared with 8% of pages that existed in 2023.

This digital decay occurs at slightly different rates for different online material:

23% of news webpages contain at least one broken link, as do 21% of webpages from government sites. News sites with a high level of site traffic and those with less are about equally likely to contain broken links. Local-level government webpages (those belonging to city governments) are especially likely to have broken links.

54% of Wikipedia pages contain at least one link in their “References” section that points to a page that no longer exists.

These figures show that the problem we discussed a few weeks ago – that access to academic knowledge is at risk – is in fact far wider, and applies to just about everything that is online. Although the reasons for material disappearing vary greatly, the key obstacle to addressing that loss is the same across all fields. The copyright industry’s obsessive control of material, and the punitive laws that can be deployed against even the most trivial copyright infringement, mean that routine and multiple backup copies of key or historic online material are rarely made.

The main exception to that rule is the sterling work carried out by the Internet Archive, which was founded by Brewster Kahle, whose Kahle/Austin Foundation supports this blog. At the time of writing the Internet Archive holds copies of an astonishing 866 billion Web pages, many in multiple versions that chart their changes over time. It is a unique and invaluable resource.

It is also being sued by publishers for daring to share in a controlled way some of its holdings. That is, the one bulwark against losing vast swathes of our digital culture is being attacked by an industry that is largely to blame for the problem the Internet Archive is trying to solve. It’s another important reason why we must move away from the copyright system, and nullify the power it has to destroy, rather than create, our culture.

Source: We are losing vast swathes of our digital past, and copyright stops us saving it – Walled Culture

First-mover advantage found in the arts shows copyright isn’t necessary to protect innovative creativity

One of the arguments sometimes made in defence of copyright is that without it, creators would be unable to compete with the hordes of copycats that would spring up as soon as their works became popular. Copyright is needed, supporters say, to prevent less innovative creators from producing works that are closely based on new, successful ideas. However, this approach has led to constant arguments and court cases over how close a “closely based” work can be before it infringes on the copyright of others. A good example of this is the 2022 lawsuit involving Ed Sheeran, where it was argued that using just four notes of a scale constituted copyright infringement of someone else’s song employing the same tiny motif. A fascinating new paper looks at things from a different angle. It draws on the idea of “first-mover advantage”, the fact that:

individuals that move to a new market niche early on (“first movers”) obtain advantages that may lead to larger success, compared to those who move to this niche later. First movers enjoy a temporary near-monopoly: since they enter a niche early, they have little to no competition, and so they can charge larger prices and spend more time building a loyal customer base.

The paper explores the idea in detail for the world of music. Here, first-mover advantage means:

The artists and music producers who recognize the hidden potential of a new artistic technique, genre, or style, have bigger chances of reaching success. Having an artistic innovation that your competitors do not have or cannot quickly acquire may become advantageous on the winner-take-all artistic market.

Analysing nearly 700,000 songs across 110 different musical genres, the researchers found evidence that first-mover advantage was present in 91 of the genres. The authors point out that there is also anecdotal evidence of first-mover advantage in other arts:

For example, Agatha Christie—one of the recognized founders of “classical” detective novel—is also one of the best-selling authors ever. Similarly, William Gibson’s novel Neuromancer—a canonical work in the genre of cyberpunk—is also one of the earliest books in this strand of science fiction. In films, the cult classic The Blair Witch Project is the first recognized member of the highly successful genre of found-footage horror fiction.

Although copyright may be present, first-mover advantage does not require it to operate – it is simply a function of being early with a new idea, which means that competition is scarce or non-existent. If further research confirms the wider presence of first-mover advantage in the creative world – for example, even where sharing-friendly CC licences are used – it will knock down yet another flimsy defence of copyright’s flawed and outdated intellectual monopoly.

Source: First-mover advantage in the arts means copyright isn’t necessary to protect innovative creativity – Walled Culture

The world’s first tooth-regrowing drug has been approved for human trials

[…] medicine quite literally regrows teeth and was developed by a team of Japanese researchers, as reported by New Atlas. The research has been led by Katsu Takahashi, head of dentistry and oral surgery at Kitano Hospital. The intravenous drug deactivates the uterine sensitization-associated gene-1 (USAG-1) protein that suppresses tooth growth. Blocking USAG-1 from interacting with other proteins triggers bone growth and, voila, you got yourself some brand-new chompers. Pretty cool, right?

Human trials start in September, but the drug has been highly successful when treating ferrets and mice and did its job with no serious side effects. Of course, the usual caveat applies. Humans are not mice or ferrets, though researchers seem confident that it’ll work on Homo sapiens. This is due to a 97 percent similarity in how the USAG-1 protein works when comparing humans to other species.

September’s clinical trial will include adults who are missing at least one molar but there’s a secondary trial coming aimed at children aged two to seven. The kids in the second trial will all be missing at least four teeth due to congenital tooth deficiency. Finally, a third trial will focus on older adults who are missing “one to five permanent teeth due to environmental factors.”

Takahashi and his fellow researchers are so optimistic about this drug that they predict the medicine will be available for everyday consumers by 2030. So in six years we can throw our toothbrushes away and eat candy bars all day and all night without a care in the world (don’t actually do that.)

While this is the first drug that can fully regrow missing teeth, the science behind it builds on top of years of related research. Takahashi, after all, has been working on this since 2005. Recent advancements in the field include regenerative tooth fillings to repair diseased teeth and stem cell technology to regrow the dental tissue of children.

Source: The world’s first tooth-regrowing drug has been approved for human trials

What’s Actually In Tattoo Ink? No One Really Knows

Nearly a third of U.S. adults have tattoos, so plenty of you listeners can probably rattle off the basic guidelines of tattoo safety: Make sure you go to a reputable tattoo artist who uses new, sterile needles. Stay out of the ocean while you’re healing so you don’t pick up a smidgen of flesh-eating bacteria. Gently wash your new ink with soap and water, avoid sun exposure and frequently apply an unscented moisturizer—easy-peasy.

But body art enthusiasts might face potential risks from a source they don’t expect: tattoo inks themselves. Up until relatively recently tattoo inks in the U.S. were totally unregulated. In 2022 the federal government pulled tattoo inks under the regulatory umbrella of cosmetics, which means the Food and Drug Administration can oversee these products. But now researchers are finding that many commercial inks contain ingredients they’re not supposed to. Some of these additives are simply compounds that should be listed on the packaging and aren’t. But others could pose a risk to consumers.

For Science Quickly, I’m Rachel Feltman. I’m joined today by John Swierk, an assistant professor of chemistry at Binghamton University, State University of New York. His team is trying to figure out exactly what goes into each vial of tattoo ink—and how tattoos actually work in the first place—to help make body art safer, longer-lasting and maybe even cooler.

[…]

one of the areas we got really interested in was trying to understand why light causes tattoos to fade. This is a huge question when you think about something with laser tattoo removal, where you’re talking about an industry on the scale of $1 billion a year.

And it turns out we really don’t understand that process. And so starting to look at how the tattoo pigments change when you expose them to light, what that might be doing in the skin, then led us to a lot of other questions about tattoos that we realized weren’t well understood—even something as simple as what’s actually in tattoo ink.

[…]

recently we’ve been looking at commercial tattoo inks and sort of surprised to find that in the overwhelming majority of them, we’re seeing things that are not listed as part of the ingredients….Now that doesn’t necessarily mean the things that are in these inks are unsafe, but it does cause a huge problem if you want to try to understand something about the safety of tattoos.

[…]

I think most people would agree that it would be great to know that tattoo inks are safe [and] being made safely, you know? And of course, that’s not unique to tattoo inks; cosmetics and supplements have a lot of similar problems that we need to work on.

But, if we’re going to get a better grasp on the chemistry and even the immunology of tattoos, that’s not just going to help us make them safer but, you know, potentially improve healing, appearance, longevity.

I mean, I think about that start-up that promised “ephemeral tattoos” that now folks a few years later are coming out and saying, “These tattoos have not gone away,” and thinking about how much potential there is for genuine innovation if we can start to answer some of these questions.

[…]

we can start to think about designing new pigments that might have better colorfastness, less reactivity, less sort of bleeding of the lines, right, over time. But all of those things can only happen if we actually understand tattoos, and we really just don’t understand them that well at the moment.

[…]

We looked at 54 inks, and of the 54, 45 had what we consider to be major discrepancies—so these were either unlisted pigments or unlisted additives.

And that was really concerning to us, right? You’re talking about inks coming from major, global, industry-leading manufacturers all the way down to smaller, more niche inks—that there were problems across the board.

So we found things like incorrect pigments being listed. We found issues of some major allergens being used—these aren’t necessarily compounds that are specifically toxic, but to some people they can generate a really pronounced allergic response.

And a couple of things: we found an antibiotic that’s most commonly used for urinary tract infections.

We found a preservative that the FDA has cautioned nursing mothers against, you know, having exposure to—so things that at a minimum, need to be disclosed so that consumers could make informed choices.

[…]

if somebody’s thinking about getting a tattoo, they should be working with an artist who is experienced, who has apprenticed under experienced artists, who is really following best practices in terms of sanitation, aftercare, things like that. That’s where we know you can have a problem. Beyond that, I think it’s a matter of how comfortable you are with some degree of risk.

The point I always really want to emphasize is that, you know, our work isn’t saying anything about whether tattoos are safe or not.

It’s the first step in that process. Just because we found some stuff in the inks doesn’t mean that you shouldn’t get a tattoo or that you have a new risk for skin cancer or something like that…. it’s that this is the process of how science grows, right—that we have to start understanding the basics and the fundamentals so that we can build the next questions on top of that.

And our understanding of tattoos in the body is still at such an early level that we don’t really even understand what the risk factors would be, “What should we be looking for?”

So I think it’s like with anything in life: if you’re comfortable with a degree of risk, then, yeah, go ahead and get the tattoo. People get tattoos for lots of reasons that are important and meaningful and very impactful in a positive way in their life. And I think a concern over a hypothetical risk is probably not worth the potential positives of getting a tattoo.

We know that light exposure—particularly the sunlight—is not great for the tattoo, and if we have concerns about long-term pigment breakdown, ultraviolet light is probably going to enhance that, so keeping your tattoo covered, using sunscreen when you can’t keep it covered—that’s probably very important. If you’re really concerned about the risk, we can think about the size of the tattoo. So somebody with a relatively small piece of line art on their back is in a very different potential risk category than somebody who is fully sleeved and, you know, covered from, say, neck to ankle in tattoos.

And again we’re not saying that either those people have a significant risk that they need to be worried about, but if somebody is concerned, the person with the small line art on the back is much less likely to have to worry about the risk than somebody with a huge tattoo.

We also know that certain colors, like yellow in particular, fade much more readily. That suggests that those pigments are interacting with the body a lot more.

Staying away from bright colors and focusing on black inks might be a more prudent option there, but again, right, a lot of these are hypothetical and we don’t want to alarm people or scare them.

[…]

We’re also still working on understanding what tattoo pigments break down into.

We really don’t understand a lot about laser tattoo removal, and if there is some aspect of tattooing that gives me pause, it’s probably that part. It’s a very reasonable concern, I think, that you may have pigments that are entirely safe in the skin, but once you start zapping them with high-powered lasers, we don’t know what you do to the chemistry, and so that could change the dynamic a lot. And so we’re trying to figure out how to do that and, I think, making some progress there. And then the last area—which is new to us but kind of fun—is actually just looking at the biomechanics of tattooing. You would think that we’d really understand how the ink goes into the skin, how it stays in the skin, but the picture there is a little bit hazy.

[…]

One of the interesting things, when you talk to ink manufacturers and artists, is that they sort of have this intuitive feel for … sort of what the viscosity of the ink should be like and how much pigment is in there but can’t necessarily articulate why a particular viscosity is good or why a particular pigment loading is good. And so we think if we understand something about the process by which the ink goes…and so we think understanding the biomechanics could really open some interesting possibilities and lead to better, more interesting tattoos down the road as well.

[…]

Source: What’s Actually In Tattoo Ink? No One Really Knows | Scientific American

Over 165 Snowflake customers didn’t use MFA, says Mandiant

An unknown financially motivated crime crew has swiped a “significant volume of records” from Snowflake customers’ databases using stolen credentials, according to Mandiant.

“To date, Mandiant and Snowflake have notified approximately 165 potentially exposed organizations,” the Google-owned threat hunters wrote on Monday, and noted they track the perps as “UNC5537.”

The crew behind the Snowflake intrusions may have ties to Scattered Spider, aka UNC3944 – the notorious gang behind the mid-2023 Las Vegas casino breaches.

“Mandiant is investigating the possibility that a member of UNC5537 collaborated with UNC3944 on at least one past intrusion in the past six months, but we don’t have enough data to confidently link UNC5537 to a broader group at this time,” senior threat analyst Austin Larsen told The Register.

Mandiant – one of the incident response firms hired by Snowflake to help investigate its recent security incident – also noted that there’s no evidence a breach of Snowflake’s own enterprise environment was to blame for its customers’ breaches.

“Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials,” the Google-owned threat hunters confirmed.

The earliest detected attack against a Snowflake customer instance happened on April 14. Upon investigating that breach, Mandiant says it determined that UNC5537 used legitimate credentials – previously stolen using infostealer malware – to break into the victim’s Snowflake environment and exfiltrate data. The victim did not have multi-factor authentication turned on.

About a month later, after uncovering “multiple” Snowflake customer compromises, Mandiant contacted the cloud biz and the two began notifying affected organizations. By May 24 the criminals had begun selling the stolen data online, and on May 30 Snowflake issued its statement about the incidents.

After gaining initial access – which we’re told occurred through the Snowflake native web-based user interface or a command-line interface running on Windows Server 2022 – the criminals used a horribly named utility, “rapeflake,” which Mandiant has instead chosen to track as “FROSTBITE.”

UNC5537 has used both .NET and Java versions of this tool to perform reconnaissance against targeted Snowflake customers, allowing the gang to identify users, their roles, and IP addresses.

The crew also sometimes uses DBeaver Ultimate – a publicly available database management utility – to query Snowflake instances.

Several of the initial compromises occurred on contractor systems that were being used for both work and personal activities.

“These devices, often used to access the systems of multiple organizations, present a significant risk,” Mandiant researchers wrote. “If compromised by infostealer malware, a single contractor’s laptop can facilitate threat actor access across multiple organizations, often with IT and administrator-level privileges.”

All of the successful intrusions had three things in common, according to Mandiant. First, the victims didn’t use MFA.

Second, the attackers used valid credentials, “hundreds” of which were stolen thanks to infostealer infections – some as far back as 2020. Common variants used included VIDAR, RISEPRO, REDLINE, RACCOON STEALER, LUMMA and METASTEALER. But even in these years-old thefts, the credentials had not been updated or rotated.

Almost 80 percent of the customer accounts accessed by UNC5537 had prior credential exposure, we’re told.

Finally, the compromised accounts did not have network allow-lists in place. So if you are a Snowflake customer, it’s time to get a little smarter.

Source: Over 165 Snowflake customers didn’t use MFA, says Mandiant • The Register

Oddly enough, considering its size, they don’t mention the confirmed Ticketmaster 560m+ account hack, which seems to be part of a spree hitting Snowflake customers! Also, oddly enough, when you Google Snowflake, you get the corporate page, some Wikipedia entries, but not very much about the hack. Considering the size and breadth of the problem, this is surprising. But perhaps not, considering it’s a part of Google.
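The three common factors Mandiant lists above (no MFA, valid stolen passwords, no network allow-list) are all visible in Snowflake’s own login telemetry, so a customer can check its own exposure before the notification arrives. The following is an added example, not code from Mandiant, Snowflake or The Register. It runs the two account-level checks over constructed rows shaped like the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (the column names are the view’s; the users, IP addresses and timestamps are invented, and the allow-list ranges are an assumption), and emits the network-policy DDL that would have blocked the off-network logins. Key-pair and SSO logins carry no “second factor” by design, so only password logins are held to the MFA check.

```python
import ipaddress

# Source ranges the organisation legitimately connects from (invented for this example).
ALLOWED_CIDRS = ["198.51.100.0/24", "192.0.2.0/24"]

# Constructed sample rows shaped like SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY:
# the column names are the view's; users, IPs and timestamps are invented.
SAMPLE_LOGINS = [
    {"EVENT_TIMESTAMP": "2024-04-14 03:12:00", "USER_NAME": "SVC_ETL",
     "CLIENT_IP": "203.0.113.10", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-14 08:02:11", "USER_NAME": "ALICE",
     "CLIENT_IP": "198.51.100.23", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-15 22:40:09", "USER_NAME": "BOB",
     "CLIENT_IP": "198.51.100.40", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-16 01:15:33", "USER_NAME": "CAROL",
     "CLIENT_IP": "203.0.113.77", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": "2024-04-16 09:00:00", "USER_NAME": "DAVE",
     "CLIENT_IP": "192.0.2.5", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
]


def in_allow_list(ip, cidrs):
    """True if ip falls inside any of the CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def flag_logins(rows, allowed_cidrs):
    """Return successful logins showing either weakness Mandiant described:
    a password-only login (no second factor) or a source IP outside the
    allow-list. Failed attempts are skipped; they are noise for this check.
    Only PASSWORD logins are held to the MFA requirement, because key-pair
    and SSO logins never report a second factor."""
    findings = []
    for row in rows:
        if row["IS_SUCCESS"] != "YES":
            continue
        reasons = []
        if (row["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
                and not row["SECOND_AUTHENTICATION_FACTOR"]):
            reasons.append("no_mfa")
        if not in_allow_list(row["CLIENT_IP"], allowed_cidrs):
            reasons.append("ip_outside_allow_list")
        if reasons:
            findings.append({**row, "reasons": reasons})
    return findings


def users_to_remediate(findings):
    """Distinct users whose passwords should be rotated and MFA enforced."""
    return sorted({f["USER_NAME"] for f in findings})


def network_policy_sql(name, cidrs):
    """Snowflake DDL that would have blocked the off-network logins: an
    allow-list policy bound to the whole account (per-user binding via
    ALTER USER ... SET NETWORK_POLICY also exists)."""
    ip_list = ", ".join(f"'{c}'" for c in cidrs)
    return (f"CREATE NETWORK POLICY {name} ALLOWED_IP_LIST = ({ip_list});\n"
            f"ALTER ACCOUNT SET NETWORK_POLICY = {name};")


if __name__ == "__main__":
    hits = flag_logins(SAMPLE_LOGINS, ALLOWED_CIDRS)
    for f in hits:
        print(f["EVENT_TIMESTAMP"], f["USER_NAME"], f["CLIENT_IP"],
              f["REPORTED_CLIENT_TYPE"], ",".join(f["reasons"]))
    print("rotate + enforce MFA:", users_to_remediate(hits))
    print(network_policy_sql("corp_only", ALLOWED_CIDRS))
```

In a real account the rows come from a query over SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY for the last few months (the view lags live events by up to a couple of hours). Binding the policy at account level locks out every unlisted source at once, including your own automation, so bind it to a single test user first and widen from there.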

Finnish startup Flow claims it can 100x any CPU’s power with its companion chip

A Finnish startup called Flow Computing is making one of the wildest claims ever heard in silicon engineering: by adding its proprietary companion chip, any CPU can instantly double its performance, increasing to as much as 100x with software tweaks.

If it works, it could help the industry keep up with the insatiable compute demand of AI makers.

Flow is a spinout of VTT, a Finnish state-backed research organization that’s a bit like a national lab. The chip technology it’s commercializing, which it has branded the Parallel Processing Unit, is the result of research performed at that lab (though VTT is an investor, the IP is owned by Flow).

The claim, Flow is first to admit, is laughable on its face. You can’t just magically squeeze extra performance out of CPUs across architectures and code bases. If so, Intel or AMD or whoever would have done it years ago.

But Flow has been working on something that has been theoretically possible — it’s just that no one has been able to pull it off.

Central Processing Units have come a long way since the early days of vacuum tubes and punch cards, but in some fundamental ways they’re still the same. Their primary limitation is that as serial rather than parallel processors, they can only do one thing at a time. Of course, they switch that thing a billion times a second across multiple cores and pathways — but these are all ways of accommodating the single-lane nature of the CPU. (A GPU, in contrast, does many related calculations at once but is specialized in certain operations.)

“The CPU is the weakest link in computing,” said Flow co-founder and CEO Timo Valtonen. “It’s not up to its task, and this will need to change.”

CPUs have gotten very fast, but even with nanosecond-level responsiveness, there’s a tremendous amount of waste in how instructions are carried out simply because of the basic limitation that one task needs to finish before the next one starts. (I’m simplifying here, not being a chip engineer myself.)

What Flow claims to have done is remove this limitation, turning the CPU from a one-lane street into a multi-lane highway. The CPU is still limited to doing one task at a time, but Flow’s PPU, as they call it, essentially performs nanosecond-scale traffic management on-die to move tasks into and out of the processor faster than has previously been possible.

[…]

This type of thing isn’t brand new, says Valtonen. “This has been studied and discussed in high-level academia. You can already do parallelization, but it breaks legacy code, and then it’s useless.”

So it could be done. It just couldn’t be done without rewriting all the code in the world from the ground up, which kind of makes it a non-starter. A similar problem was solved by another Nordic compute company, ZeroPoint, which achieved high levels of memory compression while keeping data transparency with the rest of the system.

Flow’s big achievement, in other words, isn’t high-speed traffic management, but rather doing it without having to modify any code on any CPU or architecture that it has tested.

[…]

Therein lies the primary challenge to Flow’s success as a business: Unlike a software product, Flow’s tech needs to be included at the chip-design level, meaning it doesn’t work retroactively, and the first chip with a PPU would necessarily be quite a ways down the road. Flow has shown that the tech works in FPGA-based test setups, but chipmakers would have to commit quite a lot of resources to see the gains in question.

[…]

Further performance gains come from refactoring and recompiling software to work better with the PPU-CPU combo. Flow says it has seen increases up to 100x with code that’s been modified (though not necessarily fully rewritten) to take advantage of its technology. The company is working on offering recompilation tools to make this task simpler for software makers who want to optimize for Flow-enabled chips.

Analyst Kevin Krewell from Tirias Research, who was briefed on Flow’s tech and referred to as an outside perspective on these matters, was more worried about industry uptake than the fundamentals.

[…]

Flow is just now emerging from stealth, with €4 million (about $4.3 million) in pre-seed funding led by Butterfly Ventures, with participation from FOV Ventures, Sarsia, Stephen Industries, Superhero Capital and Business Finland.

Source: Flow claims it can 100x any CPU’s power with its companion chip and some elbow grease | TechCrunch

This sounds a bit like the co-processors you used to be able to install in the 70s/80s/early 90s.

China state hackers infected 20,000 govt and defence Fortinet VPNs via a critical vulnerability exploited for at least two months before it was disclosed

Hackers working for the Chinese government gained access to more than 20,000 VPN appliances sold by Fortinet using a critical vulnerability that the company failed to disclose for two weeks after fixing it, Netherlands government officials said.

The vulnerability, tracked as CVE-2022-42475, is a heap-based buffer overflow that allows hackers to remotely execute malicious code. It carries a severity rating of 9.8 out of 10. A maker of network security software, Fortinet silently fixed the vulnerability on November 28, 2022, but failed to mention the threat until December 12 of that year, when the company said it became aware of an “instance where this vulnerability was exploited in the wild.” On January 11, 2023—more than six weeks after the vulnerability was fixed—Fortinet warned a threat actor was exploiting it to infect government and government-related organizations with advanced custom-made malware.

Enter CoatHanger

The Netherlands officials first reported in February that Chinese state hackers had exploited CVE-2022-42475 to install an advanced and stealthy backdoor tracked as CoatHanger on FortiGate appliances inside the Dutch Ministry of Defense. Once installed, the never-before-seen malware, specifically designed for the underlying FortiOS operating system, was able to permanently reside on devices even when rebooted or receiving a firmware update. CoatHanger could also escape traditional detection measures, the officials warned. The damage resulting from the breach was limited, however, because infections were contained inside a segment reserved for non-classified uses.

On Monday, officials with the Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service in the Netherlands said that to date, Chinese state hackers have used the critical vulnerability to infect more than 20,000 FortiGate VPN appliances sold by Fortinet. Targets include dozens of Western government agencies, international organizations, and companies within the defense industry.

“Since then, the MIVD has conducted further investigation and has shown that the Chinese cyber espionage campaign appears to be much more extensive than previously known,” Netherlands officials with the National Cyber Security Center wrote. “The NCSC therefore calls for extra attention to this campaign and the abuse of vulnerabilities in edge devices.”

Monday’s report said that exploitation of the vulnerability started two months before Fortinet first disclosed it and that 14,000 servers were backdoored during this zero-day period. The officials warned that the Chinese threat group likely still has access to many victims because CoatHanger is so hard to detect and remove.

[…]

Fortinet’s failure to timely disclose is particularly acute given the severity of the vulnerability. Disclosures are crucial because they help users prioritize the installation of patches. When a new version fixes minor bugs, many organizations often wait to install it. When it fixes a vulnerability with a 9.8 severity rating, they’re much more likely to expedite the update process. Given the vulnerability was being exploited even before Fortinet fixed it, the disclosure likely wouldn’t have prevented all of the infections, but it stands to reason it could have stopped some.

Fortinet officials have never explained why they didn’t disclose the critical vulnerability when it was fixed. They have also declined to disclose what the company policy is for the disclosure of security vulnerabilities. Company representatives didn’t immediately respond to an email seeking comment for this post.

Source: China state hackers infected 20,000 Fortinet VPNs, Dutch spy service says | Ars Technica

So… LG lies about TV Framerates on their site

The LG 55UH850V, a 4K TV, is listed as having a frame rate of 120Hz on the specification sites Google turns up.

LG’s Finnish website puts the frame rate at a staggering 200Hz.

So does the South African website – this one also boasts “Billion Rich Colors”, although the colour depth is only 8-bit.

After having upgraded to a graphics card that can handle 4k and 120Hz, I spent a LOT of time figuring out why I couldn’t find (or create) that mode on my PC. Support first told me the monitor had 110Hz, but that (or lower) didn’t work either. Support then told me – nope: it’s only 60 Hz.

It turns out that this is indeed buried in the manual on page 15.

The customer support rep was sorry for me, but that’s it. There is no way to take a company like LG to task apart from writing about it.

Possibly I haven’t learnt from my own posts: Don’t Buy an HDMI 2.1 TV Before You Read the Fine Print – The HDMI 2.1 specification is crazy and as long as any one of the components in the system is 2.1 compatible the rest don’t have to be, but you still get the label.

Crooks threaten to leak 2.9B records of personal info from National Public Data, a “small” US information broker

Billions of records detailing people’s personal information may soon be dumped online after being allegedly obtained from a Florida firm that handles background checks and other requests for folks’ private info.

A criminal gang that goes by the handle USDoD put the database up for sale for $3.5 million on an underworld forum in April, and rather incredibly claimed the trove included 2.9 billion records on all US, Canadian, and British citizens. It’s believed one or more miscreants using the handle SXUL were responsible for the alleged exfiltration and passed it on to USDoD, which is acting as a broker.

The pilfered information is said to include individuals’ full names, addresses, and address history going back at least three decades, social security numbers, and people’s parents, siblings, and relatives, some of whom have been dead for nearly 20 years. According to USDoD, this info was not scraped from public sources, though there may be duplicate entries for people in the database.

Fast forward to this month, and the infosec watchers at VX-Underground say they’ve not only been able to view the database and verify that at least some of its contents are real and accurate, but that USDoD plans to leak the trove. Judging by VX-Underground’s assessment, the 277.1GB file contains nearly three billion records on people who’ve at least lived in the United States – so US citizens as well as, say, Canadians and Brits.

This info was allegedly stolen or otherwise obtained from National Public Data, a small information broker based in Coral Springs that offers API lookups to other companies for things like background checks. The biz did not respond to The Register‘s inquiries.

There is a small silver lining, according to the VX team: “The database DOES NOT contain information from individuals who use data opt-out services. Every person who used some sort of data opt-out service was not present.” So, we guess this is a good lesson in opting out.

USDoD is the same crew that previously peddled a 3GB-plus database from TransUnion containing financial information on 58,505 people.

And last September, the same criminals touted personal information belonging to 3,200 Airbus vendors after the aerospace giant fell victim to an intrusion.

Source: Crooks threaten to leak 2.9B records of personal info • The Register

Cooler Master hit by data breach exposing 500,000 customers

Computer hardware manufacturer Cooler Master has suffered a data breach after a threat actor breached the company’s website and claimed to steal the Fanzone member information of 500,000 customers.

Cooler Master is a hardware manufacturer based in Taiwan that is known for its computer cases, cooling devices, gaming chairs, and other computer peripherals.

Yesterday, a threat actor by the alias ‘Ghostr’ contacted BleepingComputer and claimed to have stolen 103 GB of data from Cooler Master on May 18th, 2024.

“This data breach included cooler master corporate, vendor, sales, warranty, inventory and hr data as well as over 500,000 of their fanzone members personal information, including name, address, date of birth, phone, email + plain unencrypted credit card information containing name, credit card number, expiry and 3 digits cc code,” the threat actor told BleepingComputer.

Cooler Master’s Fanzone site is used to register a product’s warranty, submit return merchandise authorization (RMA) requests, contact support, and register for news updates.

In a conversation with BleepingComputer, Ghostr said the data was stolen by breaching one of the company’s front-facing websites, allowing them to download numerous databases, including the one containing Fanzone information.

The threat actor said they attempted to contact the company for payment not to leak or sell the data, but Cooler Master did not respond.

However, they did share a link to a small sample of allegedly stolen data in the form of comma-separated values files (CSV) that appear to have been exported from Cooler Master’s Fanzone site.

[Image: Samples of stolen data. Source: BleepingComputer]

These CSV files contain a wide variety of data, including product, vendor, customer, and employee information.

One of the files contains approximately 1,000 records of what appear to be recent customer support tickets and RMA requests, which include customers’ names, email addresses, date of birth, physical addresses, phone numbers, and IP addresses.

BleepingComputer has confirmed with numerous Cooler Master customers in this file that the listed data is correct and that they opened an RMA or support ticket on the date specified in the leaked sample.

[…]

Source: Cooler Master hit by data breach exposing customer information

Japan’s Push To Make All Research Open Access is Taking Shape

The Japanese government is pushing ahead with a plan to make Japan’s publicly funded research output free to read. From a report: In June, the science ministry will assign funding to universities to build the infrastructure needed to make research papers free to read on a national scale. The move follows the ministry’s announcement in February that researchers who receive government funding will be required to make their papers freely available to read on the institutional repositories from January 2025. The Japanese plan “is expected to enhance the long-term traceability of research information, facilitate secondary research and promote collaboration,” says Kazuki Ide, a health-sciences and public-policy scholar at Osaka University in Suita, Japan, who has written about open access in Japan.

The nation is one of the first Asian countries to make notable advances towards making more research open access (OA) and among the first countries in the world to forge a nationwide plan for OA. The plan follows in the footsteps of the influential Plan S, introduced six years ago by a group of research funders in the United States and Europe known as cOAlition S, to accelerate the move to OA publishing. The United States also implemented an OA mandate in 2022 that requires all research funded by US taxpayers to be freely available from 2026. When the Ministry of Education, Culture, Sports, Science and Technology (MEXT) announced Japan’s pivot to OA in February, it also said that it would invest around $63 million to standardize institutional repositories — websites dedicated to hosting scientific papers, their underlying data and other materials — ensuring that there will be a mechanism for making research in Japan open.

Source: https://science.slashdot.org/story/24/05/31/1748243/japans-push-to-make-all-research-open-access-is-taking-shape?utm_source=rss1.0mainlinkanon&utm_medium=feed

Quite ironic that the original article is behind a paywall at Nature.com 🙂

Anyway, if the public paid for it, then the public should get it. A bit hugely late, but well done.

Google Leak Reveals Thousands of Privacy Incidents

Google has accidentally collected childrens’ voice data, leaked the trips and home addresses of car pool users, and made YouTube recommendations based on users’ deleted watch history, among thousands of other employee-reported privacy incidents, according to a copy of an internal Google database which tracks six years worth of potential privacy and security issues obtained by 404 Media. From the report: Individually the incidents, most of which have not been previously publicly reported, may only each impact a relatively small number of people, or were fixed quickly. Taken as a whole, though, the internal database shows how one of the most powerful and important companies in the world manages, and often mismanages, a staggering amount of personal, sensitive data on people’s lives.

The data obtained by 404 Media includes privacy and security issues that Google’s own employees reported internally. These include issues with Google’s own products or data collection practices; vulnerabilities in third party vendors that Google uses; or mistakes made by Google staff, contractors, or other people that have impacted Google systems or data. The incidents include everything from a single errant email containing some PII, through to substantial leaks of data, right up to impending raids on Google offices. When reporting an incident, employees give the incident a priority rating, P0 being the highest, P1 being a step below that. The database contains thousands of reports over the course of six years, from 2013 to 2018. In one 2016 case, a Google employee reported that Google Street View’s systems were transcribing and storing license plate numbers from photos. They explained that Google uses an algorithm to detect text in Street View imagery.

Source: https://tech.slashdot.org/story/24/06/03/1655212/google-leak-reveals-thousands-of-privacy-incidents?utm_source=rss1.0mainlinkanon&utm_medium=feed

Adobe changes TOS, says it can republish what you made for free

Adobe has decided that if you use its software, it can re-use anything you create. Considering you pay to use the software, that’s a bit grating.

4.2 Licenses to Your Content. Solely for the purposes of operating or improving the Services and Software, you grant us a non-exclusive, worldwide, royalty-free sublicensable, license, to use, reproduce, publicly display, distribute, modify, create derivative works based on, publicly perform, and translate the Content. For example, we may sublicense our right to the Content to our service providers or to other users to allow the Services and Software to operate as intended, such as enabling you to share photos with others. Separately, section 4.6 (Feedback) below covers any Feedback that you provide to us.

Source: Legal

They say it’s to detect kiddie porn; people think it’s to train their AIs. Obviously, people are upset.

Time to start learning the free and (fortunately) great Photoshop alternative: Gimp.

Ticketmaster 560m+ account hack confirmed in what seems to be a spree hitting Snowflake customers

Cloud storage provider Snowflake said that accounts belonging to multiple customers have been hacked after threat actors obtained credentials through info-stealing malware or by purchasing them on online crime forums.

Ticketmaster parent Live Nation—which disclosed Friday that hackers gained access to data it stored through an unnamed third-party provider—told TechCrunch the provider was Snowflake. The live-event ticket broker said it identified the hack on May 20, and a week later, a “criminal threat actor offered what it alleged to be Company user data for sale via the dark web.”

Ticketmaster is one of six Snowflake customers to be hit in the hacking campaign, said independent security researcher Kevin Beaumont, citing conversations with people inside the affected companies. Australia’s Signal Directorate said Saturday it knew of “successful compromises of several companies utilizing Snowflake environments.” Researchers with security firm Hudson Rock said in a now-deleted post that Santander, Spain’s biggest bank, was also hacked in the campaign. The researchers cited online text conversations with the threat actor. Last month, Santander disclosed a data breach affecting customers in Chile, Spain, and Uruguay.

“The tl;dr of the Snowflake thing is mass scraping has been happening, but nobody noticed, and they’re pointing at customers for having poor credentials,” Beaumont wrote on Mastodon. “It appears a lot of data has gone walkies from a bunch of orgs.”

Word of the hacks came weeks after a hacking group calling itself ShinyHunters took credit for breaching Santander and Ticketmaster and posted data purportedly belonging to both as evidence. The group took to a Breach forum to seek $2 million for the Santander data, which it said included 30 million customer records, 6 million account numbers, and 28 million credit card numbers. It sought $500,000 for the Ticketmaster data, which the group claimed included full names, addresses, phone numbers, and partial credit card numbers for 560 million customers.

[Image: Post by ShinyHunters seeking $2 million for Santander data.]
[Image: Post by ShinyHunters seeking $500,000 for Ticketmaster data.]

Beaumont didn’t name the group behind the attacks against Snowflake customers but described it as “a teen crimeware group who’ve been active publicly on Telegram for a while and regularly relies on infostealer malware to obtain sensitive credentials.”

The group has been responsible for hacks on dozens of organizations, with a small number of them including:

According to Snowflake, the threat actor used already compromised account credentials in the campaign against its customers. Those accounts weren’t protected by multifactor authentication (MFA).

Snowflake also said that the threat actor used compromised credentials to a former employee account that wasn’t protected by MFA. That account, the company said, was created for demonstration purposes.

“It did not contain sensitive data,” Snowflake’s notification stated. “Demo accounts are not connected to Snowflake’s production or corporate systems.”

The company urges all customers to ensure all their accounts are protected with MFA. The statement added that customers should also check their accounts for signs of compromise using these indicators.

“Throughout the course of our ongoing investigation, we have promptly informed the limited number of customers who we believe may have been impacted,” the company said in the post.

Snowflake and the two security firms it has retained to investigate the incident—Mandiant and Crowdstrike—said they have yet to find any evidence the breaches are a result of a “vulnerability, misconfiguration, or breach of Snowflake’s platform.” But Beaumont said the cloud provider shares some of the responsibility for the breaches because setting up MFA on Snowflake is too cumbersome. He cited the breach of the former employee’s demo account as support.

“They need to, at an engineering and secure by design level, go back and review how authentication works—as it’s pretty transparent that given the number of victims and scale of the breach that the status quo hasn’t worked,” Beaumont wrote. “Secure authentication should not be optional. And they’ve got to be completely transparent about steps they are taking off the back of this incident to strengthen things.”

Source: Ticketmaster hacked in what’s believed to be a spree hitting Snowflake customers | Ars Technica

Spotify Says It Will Refund Car Thing Purchases with a valid receipt

If you contact Spotify’s customer service with a valid receipt, the company will refund your Car Thing purchase. That’s the latest development reported by Engadget. When Spotify first announced that it would brick every Car Thing device on December 9, 2024, it said that it wouldn’t offer owners any subscription credit or automatic refund. From the report: Spotify has taken some heat for its announcement last week that it will brick every Car Thing device on December 9, 2024. The company described its decision as “part of our ongoing efforts to streamline our product offerings” (read: cut costs) and that it lets Spotify “focus on developing new features and enhancements that will ultimately provide a better experience to all Spotify users.”

TechCrunch reports that Gen Z users on TikTok have expressed their frustration in videos, while others have directed complaints at Spotify in DMs on X (Twitter) and through customer support. Some users claimed Spotify’s customer service agents only offered several months of free Premium access, while others were told nobody was receiving refunds. It isn’t clear whether any of them contacted Spotify after last Friday, when it shifted gears on refunds.

Others went much further. Billboard first reported on a class-action lawsuit filed in the US District Court for the Southern District of New York on May 28. The suit accuses Spotify of misleading Car Thing customers by selling a $90 product that would soon be obsolete without offering refunds, which sounds like a fair enough point. It’s worth noting that, according to Spotify, it began offering the refunds last week, while the lawsuit was only filed on Tuesday. If the company’s statement about refunds starting on May 24 is accurate, the refunds aren’t a direct response to the legal action. (Although it’s possible the company began offering them in anticipation of lawsuits.)
Editor’s note: As a disgruntled Car Thing owner myself, I can confirm that Spotify is approving refund requests. You’ll just have to play the waiting game to get through to a Spotify Advisor and their “team” that approves these requests. You may have better luck emailing customer service directly at support@spotify.com.

Source: https://news.slashdot.org/story/24/05/30/2129202/spotify-says-it-will-refund-car-thing-purchases?utm_source=rss1.0mainlinkanon&utm_medium=feed

Largest ever operation by Europol against botnets hits dropper malware ecosystem

Between 27 and 29 May 2024 Operation Endgame, coordinated from Europol’s headquarters, targeted droppers including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot. The actions focused on disrupting criminal services through arresting High Value Targets, taking down the criminal infrastructures and freezing illegal proceeds. This approach had a global impact on the dropper ecosystem. The malware, whose infrastructure was taken down during the action days, facilitated attacks with ransomware and other malicious software. Following the action days, eight fugitives linked to these criminal activities, wanted by Germany, will be added to Europe’s Most Wanted list on 30 May 2024. The individuals are wanted for their involvement in serious cybercrime activities.

This is the largest ever operation against botnets, which play a major role in the deployment of ransomware. The operation, initiated and led by France, Germany and the Netherlands was also supported by Eurojust and involved Denmark, the United Kingdom and the United States. In addition, Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland and Ukraine also supported the operation with different actions, such as arrests, interviewing suspects, searches, and seizures or takedowns of servers and domains. The operation was also supported by a number of private partners at national and international level including Bitdefender, Cryptolaemus, Sekoia, Shadowserver, Team Cymru, Prodaft, Proofpoint, NFIR, Computest, Northwave, Fox-IT, HaveIBeenPwned, Spamhaus and DIVD.

The coordinated actions led to:

  • 4 arrests (1 in Armenia and 3 in Ukraine)
  • 16 location searches (1 in Armenia, 1 in the Netherlands, 3 in Portugal and 11 in Ukraine)
  • Over 100 servers taken down or disrupted in Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the United Kingdom, the United States and Ukraine
  • Over 2 000 domains under the control of law enforcement

Furthermore, it has been discovered through the investigations so far that one of the main suspects has earned at least EUR 69 million in cryptocurrency by renting out criminal infrastructure sites to deploy ransomware.

[…]

Operation Endgame does not end today. New actions will be announced on the website Operation Endgame. In addition, suspects involved in these and other botnets, who have not yet been arrested, will be directly called to account for their actions. Suspects and witnesses will find information on how to reach out via this website.

Command post at Europol to coordinate the operational actions

Europol facilitated the information exchange and provided analytical, crypto-tracing and forensic support to the investigation. To support the coordination of the operation, Europol organised more than 50 coordination calls with all the countries as well as an operational sprint at its headquarters.

Over 20 law enforcement officers from Denmark, France, Germany and the United States supported the coordination of the operational actions from the command post at Europol and hundreds of other officers from the different countries involved in the actions. In addition, a virtual command post allowed real-time coordination between the Armenian, French, Portuguese and Ukrainian officers deployed on the spot during the field activities.

The command post at Europol facilitated the exchange of intelligence on seized servers, suspects and the transfer of seized data. Local command posts were also set up in Germany, the Netherlands, Portugal, the United States and Ukraine. Eurojust supported the action by setting up a coordination centre at its headquarters to facilitate the judicial cooperation between all authorities involved. Eurojust also assisted with the execution of European Arrest Warrants and European Investigation Orders.

[…]

Source: Largest ever operation against botnets hits dropper malware ecosystem | Europol

How Researchers Cracked an 11-Year-Old Password to a $3 Million Crypto Wallet

Two years ago when “Michael,” an owner of cryptocurrency, contacted Joe Grand to help recover access to about $2 million worth of bitcoin he stored in encrypted format on his computer, Grand turned him down.

Michael, who is based in Europe and asked to remain anonymous, stored the cryptocurrency in a password-protected digital wallet. He generated a password using the RoboForm password manager and stored that password in a file encrypted with a tool called TrueCrypt. At some point, that file got corrupted and Michael lost access to the 20-character password he had generated to secure his 43.6 BTC (worth a total of about €4,000, or $5,300, in 2013). Michael used the RoboForm password manager to generate the password but did not store it in his manager. He worried that someone would hack his computer and obtain the password.

“At [that] time, I was really paranoid with my security,” he laughs.

Grand is a famed hardware hacker who in 2022 helped another crypto wallet owner recover access to $2 million in cryptocurrency he thought he’d lost forever after forgetting the PIN to his Trezor wallet. Since then, dozens of people have contacted Grand to help them recover their treasure. But Grand, known by the hacker handle “Kingpin,” turns down most of them, for various reasons.

Grand is an electrical engineer who began hacking computing hardware at age 10 and in 2008 cohosted the Discovery Channel’s Prototype This show. He now consults with companies that build complex digital systems to help them understand how hardware hackers like him might subvert their systems. He cracked the Trezor wallet in 2022 using complex hardware techniques that forced the USB-style wallet to reveal its password.

But Michael stored his cryptocurrency in a software-based wallet, which meant none of Grand’s hardware skills were relevant this time. He considered brute-forcing Michael’s password—writing a script to automatically guess millions of possible passwords to find the correct one—but determined this wasn’t feasible. He briefly considered that the RoboForm password manager Michael used to generate his password might have a flaw in the way it generated passwords, which would allow him to guess the password more easily. Grand, however, doubted such a flaw existed.

Michael contacted multiple people who specialize in cracking cryptography; they all told him “there’s no chance” of retrieving his money. But last June he approached Grand again, hoping to convince him to help, and this time Grand agreed to give it a try, working with a friend named Bruno in Germany who also hacks digital wallets.

Grand and Bruno spent months reverse engineering the version of the RoboForm program that they thought Michael had used in 2013 and found that the pseudo-random number generator used to generate passwords in that version—and subsequent versions until 2015—did indeed have a significant flaw that made the random number generator not so random. The RoboForm program unwisely tied the random passwords it generated to the date and time on the user’s computer—it determined the computer’s date and time, and then generated passwords that were predictable. If you knew the date and time and other parameters, you could compute any password that would have been generated on a certain date and time in the past.

If Michael knew the day or general time frame in 2013 when he generated it, as well as the parameters he used to generate the password (for example, the number of characters in the password, including lower- and upper-case letters, figures, and special characters), this would narrow the possible password guesses to a manageable number. Then they could hijack the RoboForm function responsible for checking the date and time on a computer and get it to travel back in time, believing the current date was a day in the 2013 time frame when Michael generated his password. RoboForm would then spit out the same passwords it generated on the days in 2013.

There was one problem: Michael couldn’t remember when he created the password.

According to the log on his software wallet, Michael moved bitcoin into his wallet for the first time on April 14, 2013. But he couldn’t remember if he generated the password the same day or some time before or after this. So, looking at the parameters of other passwords he generated using RoboForm, Grand and Bruno configured RoboForm to generate 20-character passwords with upper- and lower-case letters, numbers, and eight special characters from March 1 to April 20, 2013.

It failed to generate the right password. So Grand and Bruno lengthened the time frame from April 20 to June 1, 2013, using the same parameters. Still no luck.

Michael says they kept coming back to him, asking if he was sure about the parameters he’d used. He stuck to his first answer.

“They really annoyed me, because who knows what I did 10 years ago,” he recalls. He found other passwords he generated with RoboForm in 2013, and two of them did not use special characters, so Grand and Bruno adjusted. Last November, they reached out to Michael to set up a meeting in person. “I thought, ‘Oh my God, they will ask me again for the settings.’”

Instead, they revealed that they had finally found the correct password—no special characters. It was generated on May 15, 2013, at 4:10:40 pm GMT.

“We ultimately got lucky that our parameters and time range was right. If either of those were wrong, we would have … continued to take guesses/shots in the dark,” Grand says in an email to WIRED. “It would have taken significantly longer to precompute all the possible passwords.”

Grand and Bruno created a video to explain the technical details more thoroughly.
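To make the flaw concrete, here is an added example (not RoboForm’s code, nor Grand and Bruno’s tooling): a constructed password generator seeded from the clock second, its hardened counterpart drawing from the OS CSPRNG, and a replay over a time window that shows both why the search space collapses to the number of seconds in the window and why wrong character-set parameters make the search fail even with the right window. The eight special characters, the hash-based stand-in for “does this open the wallet”, and the half-hour window are assumptions.

```python
"""Toy model of a time-seeded password generator and its replay.

Constructed example: this is NOT RoboForm's real algorithm. It only models the
property the article describes (passwords derived from the date and time on
the user's computer) beside a hardened generator.
"""
import hashlib
import random
import secrets
import string
from datetime import datetime, timedelta, timezone

# Character classes matching the parameters the article describes
# (upper- and lower-case letters, numbers, and eight special characters).
SPECIALS = "!@#$%^&*"  # assumption: the article does not list which eight


def alphabet(use_upper: bool = True, use_digits: bool = True,
             use_special: bool = True) -> str:
    chars = string.ascii_lowercase
    if use_upper:
        chars += string.ascii_uppercase
    if use_digits:
        chars += string.digits
    if use_special:
        chars += SPECIALS
    return chars


def weak_generate(when: datetime, length: int = 20, **params) -> str:
    """Flawed generator: seeds a non-cryptographic PRNG from the clock second.

    Every password it ever produced is reproducible from the timestamp plus the
    character-set parameters, which is the weakness the article describes.
    """
    rng = random.Random(int(when.timestamp()))
    chars = alphabet(**params)
    return "".join(rng.choice(chars) for _ in range(length))


def strong_generate(length: int = 20, **params) -> str:
    """Hardened form: draws from the OS CSPRNG, so no timestamp reproduces it."""
    chars = alphabet(**params)
    return "".join(secrets.choice(chars) for _ in range(length))


def wallet_check(password: str, digest: str) -> bool:
    """Stand-in for 'does this password open the wallet': compare a SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest() == digest


def recover(digest: str, start: datetime, end: datetime,
            length: int = 20, **params):
    """Replay the weak generator for every second in [start, end).

    Mirrors the article's approach: fix the clock at each past second and see
    what the generator would have produced. Returns (timestamp or None, tried).
    """
    tried = 0
    t = start
    while t < end:
        tried += 1
        if wallet_check(weak_generate(t, length, **params), digest):
            return t, tried
        t += timedelta(seconds=1)
    return None, tried


def search_space_seconds(start: datetime, end: datetime) -> int:
    """Candidates needed when the seed is the clock: one per second."""
    return int((end - start).total_seconds())


def naive_search_space(length: int = 20, **params) -> int:
    """Guesses needed if the password were truly random over the same alphabet."""
    return len(alphabet(**params)) ** length


# Constructed scenario using the date/time and parameters the article reports.
GENERATED_AT = datetime(2013, 5, 15, 16, 10, 40, tzinfo=timezone.utc)
WINDOW_START = datetime(2013, 5, 15, 16, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2013, 5, 15, 16, 30, 0, tzinfo=timezone.utc)


def demo() -> dict:
    # The "lost" password: 20 characters, no special characters, as in the article.
    lost = weak_generate(GENERATED_AT, 20, use_special=False)
    digest = hashlib.sha256(lost.encode()).hexdigest()

    # Right window, wrong parameters (specials on): nothing matches.
    wrong_params = recover(digest, WINDOW_START, WINDOW_END, 20, use_special=True)
    # Right window, right parameters: the generator replays the password.
    right_params = recover(digest, WINDOW_START, WINDOW_END, 20, use_special=False)

    return {
        "found_with_wrong_params": wrong_params[0],
        "found_at": right_params[0],
        "candidates_tried": right_params[1],
        "window_seconds": search_space_seconds(WINDOW_START, WINDOW_END),
        "naive_space": naive_search_space(20, use_special=False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Widening the window to the March–June range the article mentions raises the candidate count to a few million seconds per parameter set, still trivial next to the 62^20 guesses a truly random password would need.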

[…]

Source: How Researchers Cracked an 11-Year-Old Password to a $3 Million Crypto Wallet | WIRED

“Deny, denounce, delay”: ultra-processed food companies fighting using big tobacco type tactics

When the Brazilian nutritional scientist Carlos Monteiro coined the term “ultra-processed foods” 15 years ago, he established what he calls a “new paradigm” for assessing the impact of diet on health.

Monteiro had noticed that although Brazilian households were spending less on sugar and oil, obesity rates were going up. The paradox could be explained by increased consumption of food that had undergone high levels of processing, such as the addition of preservatives and flavorings or the removal or addition of nutrients.

But health authorities and food companies resisted the link, Monteiro tells the FT. “[These are] people who spent their whole life thinking that the only link between diet and health is the nutrient content of foods … Food is more than nutrients.”

Monteiro’s food classification system, “Nova,” assessed not only the nutritional content of foods but also the processes they undergo before reaching our plates. The system laid the groundwork for two decades of scientific research linking the consumption of UPFs to obesity, cancer, and diabetes.

Studies of UPFs show that these processes create food—from snack bars to breakfast cereals to ready meals—that encourages overeating but may leave the eater undernourished. A recipe might, for example, contain a level of carbohydrate and fat that triggers the brain’s reward system, meaning you have to consume more to sustain the pleasure of eating it.

In 2019, American metabolic scientist Kevin Hall carried out a randomized study comparing people who ate an unprocessed diet with those who followed a UPF diet over two weeks. Hall found that the subjects who ate the ultra-processed diet consumed around 500 more calories per day, more fat and carbohydrates, less protein—and gained weight.

The rising concern about the health impact of UPFs has recast the debate around food and public health, giving rise to books, policy campaigns, and academic papers. It also presents the most concrete challenge yet to the business model of the food industry, for whom UPFs are extremely profitable.

The industry has responded with a ferocious campaign against regulation. In part it has used the same lobbying playbook as its fight against labeling and taxation of “junk food” high in calories: big spending to influence policymakers.

FT analysis of US lobbying data from non-profit Open Secrets found that food and soft drinks-related companies spent $106 million on lobbying in 2023, almost twice as much as the tobacco and alcohol industries combined. Last year’s spend was 21 percent higher than in 2020, with the increase driven largely by lobbying relating to food processing as well as sugar.

In an echo of tactics employed by cigarette companies, the food industry has also attempted to stave off regulation by casting doubt on the research of scientists like Monteiro.

“The strategy I see the food industry using is deny, denounce, and delay,” says Barry Smith, director of the Institute of Philosophy at the University of London and a consultant for companies on the multisensory experience of food and drink.

So far the strategy has proved successful. Just a handful of countries, including Belgium, Israel, and Brazil, currently refer to UPFs in their dietary guidelines. But as the weight of evidence about UPFs grows, public health experts say the only question now is how, if at all, it is translated into regulation.

“There’s scientific agreement on the science,” says Jean Adams, professor of dietary public health at the MRC Epidemiology Unit at the University of Cambridge. “It’s how to interpret that to make a policy that people aren’t sure of.”

[…]

Source: “Deny, denounce, delay”: The battle over the risk of ultra-processed foods | Ars Technica

2.8M US folks’ personal info swiped in Sav-Rx IT heist – 8 months ago

Sav-Rx has started notifying about 2.8 million people that their personal information was likely stolen during an IT intrusion that happened more than seven months ago.

The biz provides prescription drug management services to more than 10 million US workers and their families, via their employers or unions. It first spotted the network “interruption” on October 8 last year and notes the break-in likely occurred five days earlier, according to a FAQ page about the incident posted on the Sav-Rx website.

Sav-Rx says it restored the IT systems to normal the following business day, and says all prescriptions were shipped on time and without delay. It also notified the police and called in some experts for a deeper dive into the logs.

An “extensive review” completed by a third-party security team on April 30 confirmed “some of the data accessed or acquired by the unauthorized third party may have contained personal information.”

The security breach affected 2,812,336 people, according to an incident notification filed with the Maine attorney general by A&A Services, doing business as Sav-Rx. Potentially stolen details include patients’ names, dates of birth, social security numbers, email addresses, mailing addresses, phone numbers, eligibility data, and insurance identification numbers.

“Please note that other than these data elements, the threat actor did not have access to clinical or financial information,” the notice reads.

While there’s no indication that the crooks have “made any use of your data as a result of this security incident,” Sav-Rx is providing everyone with two years of free credit and identity monitoring, as seems to be standard practice.

There’s also an oddly worded line about what happened that notes, “in conjunction with third-party experts, we have confirmed that any data acquired from our IT system was destroyed and not further disseminated.”

The Register contacted Sav-Rx with several questions about the network breach — including how it confirmed the data was destroyed and if the crooks demanded a payment — and did not receive a response. We will update this story when we hear back. It seems like some form of ransomware or extortion.

Either anticipating, or already receiving, inquiries about the lag between discovering the intrusion and notifying affected parties, the FAQ also includes a “Why wasn’t I contacted sooner?” question.

“Our initial priority was restoring systems to minimize any interruption to patient care,” it answers.

And then, after securing the IT systems and hiring the incident response team, Sav-Rx launched an investigation to determine who had been affected, and what specific personal information had been stolen for each of them.

Then, it sounds like there was some back-and-forth between healthcare bodies and Sav-Rx as to who would notify people that their data had been stolen. Here’s what the company says to that point:

We prioritized this technological investigation to be able to provide affected individuals with as much accurate information as possible. We received the results of that investigation on April 30, 2024, and promptly sent notifications to our health plan customers whose participant data was affected within 48 hours.

We offered to provide affected individuals notification, and once we confirmed that their respective health plans wanted us to provide notice to their participants, we worked expediently to mail notices to the affected individuals.

It’s unclear if this will be enough to satisfy affected customers. But in a statement to reporters, Roger Grimes, of infosec house KnowBe4, said the short answer is probably not.

“I don’t think the eight months it took Sav-Rx to notify impacted customers of the breach is going to fly with anyone, least of all their customers,” Grimes said.

“Today, you’ve got most companies notifying impacted customers in days to a few weeks,” he added. “Eight months? Whoever decided on that decision is likely to come under some heat and have explaining to do.”

Sav-Rx claims to have implemented a “number of detailed and immediate mitigation measures” to improve its security after the digital break-in. This includes “enhancing” its always-on security operations center, and adding new firewalls, antivirus software, and multi-factor authentication.

The organization also says it has since implemented a patching cycle and network segmentation and taken other measures to harden its systems. Hopefully it can also speed up its response times if it happens again.

Source: 2.8M US folks’ personal info swiped in Sav-Rx IT heist • The Register

Google’s technical info about search ranking leaks online

A trove of documents that appear to describe how Google ranks search results has appeared online, likely as the result of accidental publication by an in-house bot.

The leaked documentation describes an old version of Google’s Content Warehouse API and provides a glimpse of Google Search’s inner workings.

The material appears to have been inadvertently committed to a publicly accessible Google-owned repository on GitHub around March 13 by the web giant’s own automated tooling. That automation tacked an Apache 2.0 open source license on the commit, as is standard for Google’s public documentation. A follow-up commit on May 7 attempted to undo the leak.

The material was nonetheless spotted by Erfan Azimi, CEO of search engine optimization (SEO) biz EA Digital Eagle, and was then disclosed on Sunday by fellow SEO operatives Rand Fishkin, CEO of SparkToro, and Michael King, CEO of iPullRank.

These documents do not contain code or the like, and instead describe how to use Google’s Content Warehouse API that’s likely intended for internal use only; the leaked documentation includes numerous references to internal systems and projects. While there is a similarly named Google Cloud API that’s already public, what ended up on GitHub goes well beyond that, it seems.

The files are noteworthy for what they reveal about the things Google considers important when ranking web pages for relevancy, a matter of enduring interest to anyone involved in the SEO business and/or anyone operating a website and hoping Google will help it to win traffic.

Among the 2,500-plus pages of documentation, assembled for easy perusal here, there are details on more than 14,000 attributes accessible or associated with the API, though scant information about whether all these signals are used and their importance. It is therefore hard to discern the weight Google applies to the attributes in its search result ranking algorithm.

But SEO consultants believe the documents contain noteworthy details because they differ from public statements made by Google representatives.

“Many of [Azimi’s] claims [in an email describing the leak] directly contradict public statements made by Googlers over the years, in particular the company’s repeated denial that click-centric user signals are employed, denial that subdomains are considered separately in rankings, denials of a sandbox for newer websites, denials that a domain’s age is collected or considered, and more,” explained SparkToro’s Fishkin in a report.

iPullRank’s King, in his post on the documents, pointed to a statement made by Google search advocate John Mueller, who said in a video that “we don’t have anything like a website authority score” – a measure of whether Google considers a site authoritative and therefore worthy of higher rankings for search results.

But King notes that the docs reveal that as part of the Compressed Quality Signals Google stores for documents, a “siteAuthority” score can be calculated.

Several other revelations are cited in the two posts.

One is how important clicks – and different types of clicks (good, bad, long, etc.) – are in determining how a webpage ranks. Google during the US v. Google antitrust trial acknowledged [PDF] that it considers click metrics as a ranking factor in web search.

Another is that Google uses websites viewed in Chrome as a quality signal, seen in the API as the parameter ChromeInTotal. “One of the modules related to page quality scores features a site-level measure of views from Chrome,” according to King.

Additionally, the documents indicate that Google considers other factors like content freshness, authorship, whether a page is related to a site’s central focus, alignment between page title and content, and “the average weighted font size of a term in the doc body.”

Source: Google’s technical info about search ranking leaks online • The Register

Lawyers To Plastic Makers: Prepare For ‘Astronomical’ PFAS Lawsuits

An anonymous reader quotes a report from the New York Times: The defense lawyer minced no words as he addressed a room full of plastic-industry executives. Prepare for a wave of lawsuits with potentially “astronomical” costs. Speaking at a conference earlier this year, the lawyer, Brian Gross, said the coming litigation could “dwarf anything related to asbestos,” one of the most sprawling corporate-liability battles in United States history. Mr. Gross was referring to PFAS, the “forever chemicals” that have emerged as one of the major pollution issues of our time. Used for decades in countless everyday objects — cosmetics, takeout containers, frying pans — PFAS have been linked to serious health risks including cancer. Last month the federal government said several types of PFAS must be removed from the drinking water of hundreds of millions of Americans. “Do what you can, while you can, before you get sued,” Mr. Gross said at the February session, according to a recording of the event made by a participant and examined by The New York Times. “Review any marketing materials or other communications that you’ve had with your customers, with your suppliers, see whether there’s anything in those documents that’s problematic to your defense,” he said. “Weed out people and find the right witness to represent your company.”

A wide swath of the chemicals, plastics and related industries are gearing up to fight a surge in litigation related to PFAS, or per- and polyfluoroalkyl substances, a class of nearly 15,000 versatile synthetic chemicals linked to serious health problems. […] PFAS-related lawsuits have already targeted manufacturers in the United States, including DuPont, its spinoff Chemours, and 3M. Last year, 3M agreed to pay at least $10 billion to water utilities across the United States that had sought compensation for cleanup costs. Thirty state attorneys general have also sued PFAS manufacturers, accusing the manufacturers of widespread contamination. But experts say the legal battle is just beginning. Under increasing scrutiny are a wider universe of companies that use PFAS in their products. This month, plaintiffs filed a class-action lawsuit against Bic, accusing the razor company of failing to disclose that some of its razors contained PFAS. Bic said it doesn’t comment on pending litigation, and said it had a longstanding commitment to safety.

The Biden administration has moved to regulate the chemicals, for the first time requiring municipal water systems to remove six types of PFAS. Last month, the Environmental Protection Agency also designated two of those PFAS chemicals as hazardous substances under the Superfund law, shifting responsibility for their cleanup at contaminated sites from taxpayers to polluters. Both rules are expected to prompt a new round of litigation from water utilities, local communities and others suing for cleanup costs. “To say that the floodgates are opening is an understatement,” said Emily M. Lamond, an attorney who focuses on environmental litigation at the law firm Cole Schotz. “Take tobacco, asbestos, MTBE, combine them, and I think we’re still going to see more PFAS-related litigation,” she said, referring to methyl tert-butyl ether, a former harmful gasoline additive that contaminated drinking water. Together, the trio led to claims totaling hundreds of billions of dollars.

Unlike tobacco, used by only a subset of the public, “pretty much every one of us in the United States is walking around with PFAS in our bodies,” said Erik Olson, senior strategic director for environmental health at the Natural Resources Defense Council. “And we’re being exposed without our knowledge or consent, often by industries that knew how dangerous the chemicals were, and failed to disclose that,” he said. “That’s a formula for really significant liability.”

YouTube’s Crackdown on Adblockers Makes Videos Unwatchable – now skips to end of video

YouTube has been at war with adblockers for quite some time now and has employed various tactics to keep users off those extensions. Its most recent defense strategy is to skip right to the end of the video you’re playing. If you try replaying it, it’ll do that again. If you tap anywhere on the timeline, your video will buffer indefinitely. Here’s what it looks like in action.

[…]

one of its first moves was to send a pop-up warning saying, “Video playback is blocked unless YouTube is allowlisted or the ad blocker is disabled.” However, users could close that pop-up and resume watching their videos.

Next, it tried to make videos unplayable by showing a never-ending loading screen. Then it refused to do even that and would pop up an immovable prompt to disable the adblocker.

[…]

This latest move is frustrating, and that’s the point. There was a time when its ads were tolerable, but with the recent increase of ads on the video platform, users are finding it extremely hard to sit through a 20-second unskippable ad followed by a 5-second skippable one. Ad runtime isn’t proportionate to a video’s length, which adds to the bizarreness.

Google is aware of its monopoly over the video-sharing industry and has jacked up its ad-free Premium tier prices to $14 monthly. It has also extended its crackdown on mobile, resulting in buffering issues and error messages for users who dare to use an adblocker on their phones.

[…]

Users have also figured out workarounds. Some are switching to AdBlock alternatives, such as uBlock Origin, while others recommend browser substitutes like Brave to fix the issue. A few disappointed consumers are also considering bidding farewell to the platform.

[…]

Source: YouTube’s Crackdown on Adblockers Makes Videos Unwatchable

Samsung Requires Independent Repair Shops to Share Customer Data, Snitch on People and destroy phones Using Aftermarket Parts, Leaked Contract Shows

In exchange for selling them repair parts, Samsung requires independent repair shops to give Samsung the name, contact information, phone identifier, and customer complaint details of everyone who gets their phone repaired at these shops, according to a contract obtained by 404 Media. Stunningly, it also requires these nominally independent shops to “immediately disassemble” any phones that customers have brought them that have been previously repaired with aftermarket or third-party parts and to “immediately notify” Samsung that the customer has used third-party parts.

[…]

The contract also requires the “daily” uploading of details of each and every repair that an independent company does into a Samsung database called G-SPN “at the time of each repair,” which includes the customer’s address, email address, phone number, details about what is wrong with their phone, their phone’s warranty status, details of the customer’s complaint, and the device’s IMEI number, which is a unique device identifier. 404 Media has verified the authenticity of the original contract and has recreated the version embedded at the bottom of this article to protect the source. No provisions have been changed.

The use of aftermarket parts in repair is relatively common. This provision requires independent repair shops to destroy the devices of their own customers, and then to snitch on them to Samsung.

[…]

People have a right to use third-party parts under the Magnuson Moss Warranty Act, for one thing, and it’s hard to square this contract language with that basic consumer right.”

[…]

The contract shows the incredible level of control that Samsung has over “independent” repair shops, which need to sign this agreement to get repair parts from Samsung. Signing this contract does not even make a repair shop an “authorized” repair center, which is a distinction that requires shop owners to jump through even more hoops.

[…]

“This is exactly the kind of onerous, one-sided ‘agreement’ that necessitates the right-to-repair,” Kit Walsh, a staff attorney at the Electronic Freedom Foundation and right to repair expert told me. “The data collection is excessive. I may not have chosen to disclose my address or identity to Samsung, yet an added cost of repair—even at an independent shop—is giving that information up. In addition to the provision you mentioned about dismantling devices with third-party components, these create additional disincentives to getting devices repaired, which can harm both device security and the environment as repairable devices wind up in landfills.”

[…]

The contract also functionally limits the types of repairs these “independent” repair shops are allowed to do and does not authorize the stores to do repairs that require soldering or so-called board-level repair, which are increasingly common types of repairs.

Independent repair shops are also required to get a certification from an organization called WISE, which costs $200 annually and is an arm of the CTIA, a trade group made up of wireless companies like Verizon and AT&T that has repeatedly lobbied against right to repair laws. In effect, independent shops are required to fund an organization lobbying against their interests.

In 2020, Motherboard obtained a contract that Apple required independent repair companies to sign in order to get repair parts from the company. At the time, experts said that Apple’s contract was problematic because it allowed Apple to audit and inspect the shops at any time. The Samsung document is even more onerous because it requires them to essentially serve as enforcers for Samsung and requires the proactive sharing of consumer data.

[…]

Source: Samsung Requires Independent Repair Shops to Share Customer Data, Snitch on People Who Use Aftermarket Parts, Leaked Contract Shows

Spotify to brick every Car Thing gadget it ever sold only 2 – 3 years ago

Spotify’s brief attempt at being a hardware company wasn’t all that successful: the company stopped producing its Car Thing dashboard accessory less than a year after it went on sale to the public. And now, two years later, the device is about to be rendered completely inoperable. Customers who bought the Car Thing are receiving emails warning that it will stop working altogether as of December 9th.

Unfortunately for those owners, Spotify isn’t offering any kind of subscription credit or automatic refund for the device — nor is the company open-sourcing it. Rather, it’s just canning the project and telling people to (responsibly) dispose of Car Thing.

[…]

Car Thing was initially made available on an invite-only basis in April 2021, with Spotify opening a public waitlist to buy the accessory later that year. The $90 device went on general sale in February 2022 — and production was halted five months later.

[…]

Source: Spotify is going to break every Car Thing gadget it ever sold – The Verge

Crooks plant backdoor in software used by courtrooms around the world

A software maker serving more than 10,000 courtrooms throughout the world hosted an application update containing a hidden backdoor that maintained persistent communication with a malicious website, researchers reported Thursday, in the latest episode of a supply-chain attack.

The software, known as the JAVS Viewer 8, is a component of the JAVS Suite 8, an application package courtrooms use to record, play back, and manage audio and video from proceedings. Its maker, Louisville, Kentucky-based Justice AV Solutions, says its products are used in more than 10,000 courtrooms throughout the US and 11 other countries. The company has been in business for 35 years.

JAVS Viewer users at high risk

Researchers from security firm Rapid7 reported that a version of the JAVS Viewer 8 available for download on javs.com contained a backdoor that gave an unknown threat actor persistent access to infected devices. The malicious download, planted inside an executable file that installs the JAVS Viewer version 8.3.7, was available no later than April 1, when a post on X (formerly Twitter) reported it. It’s unclear when the backdoored version was removed from the company’s download page. JAVS representatives didn’t immediately respond to questions sent by email.

“Users who have version 8.3.7 of the JAVS Viewer executable installed are at high risk and should take immediate action,” Rapid7 researchers Ipek Solak, Thomas Elkins, Evan McCann, Matthew Smith, Jake McMahon, Tyler McGraw, Ryan Emmons, Stephen Fewer, and John Fenninger wrote. “This version contains a backdoored installer that allows attackers to gain full control of affected systems.”

The installer file was titled JAVS Viewer Setup 8.3.7.250-1.exe. When executed, it copied the binary file fffmpeg.exe to the file path C:\Program Files (x86)\JAVS\Viewer 8\. To bypass security warnings, the installer was digitally signed, but with a signature issued to an entity called “Vanguard Tech Limited” rather than to “Justice AV Solutions Inc.,” the signing entity used to authenticate legitimate JAVS software.

fffmpeg.exe, in turn, used Windows Sockets and WinHTTP to establish communications with a command-and-control server. Once successfully connected, fffmpeg.exe sent the server passwords harvested from browsers and data about the compromised host, including hostname, operating system details, processor architecture, program working directory, and the user name.

The researchers said fffmpeg.exe also downloaded the file chrome_installer.exe from the IP address 45.120.177.178. chrome_installer.exe went on to execute a binary and several Python scripts that were responsible for stealing the passwords saved in browsers. fffmpeg.exe is associated with a known malware family called GateDoor/Rustdoor. The exe file was already flagged by 30 endpoint protection engines.

[…]

The researchers warned that the process of disinfecting infected devices will require care. They wrote:

To remediate this issue, affected users should:

  • Reimage any endpoints where JAVS Viewer 8.3.7 was installed. Simply uninstalling the software is insufficient, as attackers may have implanted additional backdoors or malware. Re-imaging provides a clean slate.
  • Reset credentials for any accounts that were logged into affected endpoints. This includes local accounts on the endpoint itself as well as any remote accounts accessed during the period when JAVS Viewer 8.3.7 was installed. Attackers may have stolen credentials from compromised systems.
  • Reset credentials used in web browsers on affected endpoints. Browser sessions may have been hijacked to steal cookies, stored passwords, or other sensitive information.
  • Install the latest version of JAVS Viewer (8.3.8 or higher) after re-imaging affected systems. The new version does not contain the backdoor present in 8.3.7.

Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials. All organizations running JAVS Viewer 8.3.7 should take these steps immediately to address the compromise.

The Rapid7 post included a statement from JAVS that confirmed that the installer for version 8.3.7 of the JAVS viewer was malicious.

“We pulled all versions of Viewer 8.3.7 from the JAVS website, reset all passwords, and conducted a full internal audit of all JAVS systems,” the statement read. “We confirmed all currently available files on the JAVS.com website are genuine and malware-free. We further verified that no JAVS Source code, certificates, systems, or other software releases were compromised in this incident.”

The statement didn’t explain how the installer became available for download on its site. It also didn’t say if the company retained an outside firm to investigate.

The incident is the latest example of a supply-chain attack, a technique that tampers with a legitimate service or piece of software with the aim of infecting all downstream users. These sorts of attacks are usually carried out by first hacking the provider of the service or software.
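The indicators the article names (the 8.3.7 installer, the fffmpeg.exe drop path, the signer mismatch, and the command-and-control address) are enough to build defender-side triage that applies Rapid7's four remediation steps. The script below is an added example, not code from Rapid7 or Justice AV Solutions: it scans endpoint telemetry in a hypothetical key=value record format (installed-software, signed-file and network-connection records), with constructed host names and a placeholder name for the legitimate viewer binary, and reports which hosts need re-imaging. It also makes the point the signing detail raises: check that the Authenticode signer is the expected publisher, not merely that a signature is present.

```python
"""
Triage of the backdoored JAVS Viewer 8.3.7 installer from endpoint telemetry.

Added example, not Rapid7's or Justice AV Solutions' code. The indicators are
the ones named in the article; the record format, host names and the
legitimate binary name (viewer.exe) are constructed for this example.
"""
import re
from collections import defaultdict

# --- indicators taken from the article -----------------------------------
BACKDOORED_VERSION = "8.3.7"
IMPLANT_PATH = r"C:\Program Files (x86)\JAVS\Viewer 8\fffmpeg.exe"
JAVS_DIR = r"C:\Program Files (x86)\JAVS" + "\\"
LEGIT_SIGNER = "Justice AV Solutions Inc."   # expected Authenticode signer
C2_IP = "45.120.177.178"

# Rapid7's remediation steps, in the order given in the article.
REMEDIATION = [
    "Reimage the endpoint (uninstalling alone is insufficient).",
    "Reset credentials for every local and remote account used on it.",
    "Reset credentials stored in browsers on it.",
    "Install JAVS Viewer 8.3.8 or higher on the clean image.",
]

# key=value tokens; quoted values may contain spaces and backslashes.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one 'key=value key="quoted value"' record into a dict."""
    # re.findall yields "" for the alternative that did not match, so use `or`.
    return {k: (quoted or bare) for k, quoted, bare in _KV.findall(line)}


def assess(lines):
    """Map every host seen in the telemetry to its list of findings (empty if clean)."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        host, kind = rec.get("host"), rec.get("kind")
        if not host or not kind:
            continue
        findings[host]  # touch the entry so clean hosts appear in the report
        if (kind == "installed" and rec.get("product") == "JAVS Viewer"
                and rec.get("version") == BACKDOORED_VERSION):
            findings[host].append("backdoored JAVS Viewer 8.3.7 is installed")
        elif kind == "file":
            path = rec.get("path", "")
            if path.lower() == IMPLANT_PATH.lower():
                findings[host].append("implant fffmpeg.exe present at its drop path")
            # A valid signature from the wrong publisher is itself an indicator:
            # the installer was signed, just not by the expected entity.
            if path.lower().startswith(JAVS_DIR.lower()) and rec.get("signer") != LEGIT_SIGNER:
                findings[host].append(
                    f"JAVS file signed by unexpected publisher: {rec.get('signer')!r}")
        elif kind == "netconn" and rec.get("dst") == C2_IP:
            findings[host].append(
                f"outbound connection to known C2 address {C2_IP} by {rec.get('image')}")
    return dict(findings)


def remediation_for(host_findings):
    """Any indicator means the full Rapid7 procedure, not a partial cleanup."""
    return list(REMEDIATION) if host_findings else []


# Constructed telemetry: one host with the full chain, one clean host already on
# 8.3.8, and one host that only shows the beacon to the C2 address.
TELEMETRY = r"""
host=COURT-PC01 kind=installed product="JAVS Viewer" version=8.3.7
host=COURT-PC01 kind=file path="C:\Program Files (x86)\JAVS\Viewer 8\fffmpeg.exe" signer="Vanguard Tech Limited"
host=COURT-PC01 kind=netconn image=fffmpeg.exe dst=45.120.177.178
host=COURT-PC02 kind=installed product="JAVS Viewer" version=8.3.8
host=COURT-PC02 kind=file path="C:\Program Files (x86)\JAVS\Viewer 8\viewer.exe" signer="Justice AV Solutions Inc."
host=CLERK-PC07 kind=netconn image=fffmpeg.exe dst=45.120.177.178
""".strip().splitlines()


if __name__ == "__main__":
    for host, hits in sorted(assess(TELEMETRY).items()):
        print(f"{host}: {'COMPROMISED' if hits else 'clean'}")
        for hit in hits:
            print("  -", hit)
        for step in remediation_for(hits):
            print("  *", step)
```

Note that CLERK-PC07 has no installed-software record at all yet still gets the full remediation list: a beacon to the C2 address is enough, and the article's point that uninstalling is insufficient applies regardless of how the implant arrived.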

Source: Crooks plant backdoor in software used by courtrooms around the world | Ars Technica