So… LG lies about TV Framerates on their site

Posted on by

The LG55UH850V, a 4K is mentioned online as having a framerate of 120Hz at specification sites on Google

LG’s Finnish website puts the framerate at a staggering 200Hz

So does the South African website – this also boasts a “Billion Rich Colors” – color depth is only 8 bit.

After having upgraded to a graphics card that can handle 4k and 120Hz, I spent a LOT of time figuring out why I couldn’t find (or create) that mode on my PC. Support first told me the monitor had 110Hz, but that (or lower) didn’t work either. Support then told me – nope: it’s only 60 Hz.

It turns out that this is indeed buried in the manual on page 15.

The customer support rep was sorry for me, but that’s it. There is no way to take a company like LG to task apart from writing about it.

Possibly I haven’t learnt from my own posts: Don’t Buy an HDMI 2.1 TV Before You Read the Fine Print – The HDMI 2.1 specification is crazy and as long as any one of the components in the system is 2.1 compatible the rest don’t have to be, but you still get the label.

Crooks threaten to leak 2.9B records of personal info from National Public Data, a “small” US information broker

Posted on by

Billions of records detailing people’s personal information may soon be dumped online after being allegedly obtained from a Florida firm that handles background checks and other requests for folks’ private info.

A criminal gang that goes by the handle USDoD put the database up for sale for $3.5 million on an underworld forum in April, and rather incredibly claimed the trove included 2.9 billion records on all US, Canadian, and British citizens. It’s believed one or more miscreants using the handle SXUL was responsible for the alleged exfiltration, who passed it onto USDoD, which is acting as a broker.

The pilfered information is said to include individuals’ full names, addresses, and address history going back at least three decades, social security numbers, and people’s parents, siblings, and relatives, some of whom have been dead for nearly 20 years. According to USDoD, this info was not scraped from public sources, though there may be duplicate entries for people in the database.

Fast forward to this month, and the infosec watchers at VX-Underground say they’ve not only been able to view the database and verify that at least some of its contents are real and accurate, but that USDoD plans to leak the trove. Judging by VX-Underground’s assessment, the 277.1GB file contains nearly three billion records on people who’ve at least lived in the United States – so US citizens as well as, say, Canadians and Brits.

This info was allegedly stolen or otherwise obtained from National Public Data, a small information broker based in Coral Springs that offers API lookups to other companies for things like background checks. The biz did not respond to The Register‘s inquiries.

There is a small silver lining, according to the VX team: “The database DOES NOT contain information from individuals who use data opt-out services. Every person who used some sort of data opt-out service was not present.” So, we guess this is a good lesson in opting out.

USDoD is the same crew that previously peddled a 3GB-plus database from TransUnion containing financial information on 58,505 people.

And last September, the same criminals touted personal information belonging to 3,200 Airbus vendors after the aerospace giant fell victim to an intrusion

Source: Crooks threaten to leak 2.9B records of personal info • The Register

Cooler Master hit by data breach exposing 500,000 customers

Posted on by

Computer hardware manufacturer Cooler Master has suffered a data breach after a threat actor breached the company’s website and claimed to steal the Fanzone member information of 500,000 customers.

Cooler Master is a hardware manufacturer based in Taiwan that is known for its computer cases, cooling devices, gaming chairs, and other computer peripherals.

Yesterday, a threat actor by the alias ‘Ghostr’ contacted BleepingComputer and claimed to have stolen 103 GB of data from Cooler Master on May 18th, 2024.

“This data breach included cooler master corporate, vendor, sales, warranty, inventory and hr data as well as over 500,000 of their fanzone members personal information, including name, address, date of birth, phone, email + plain unencrypted credit card information containing name, credit card number, expiry and 3 digits cc code,” the threat actor told BleepingComputer.

Cooler Master’s Fanzone site is used to register a product’s warranty, submit return merchandise authorization (RMA) requests, contact support, and register for news updates.

In a conversation with BleepingComputer, Ghostr told BleepingComputer that the data was stolen by breaching one of the company’s front-facing websites, allowing them to download numerous databases, including the one containing Fanzone information.

The threat actor said they attempted to contact the company for payment not to leak or sell the data, but Cooler Master did not respond.

However, they did share a link to a small sample of allegedly stolen data in the form of comma-separated values files (CSV) that appear to have been exported from Cooler Master’s Fanzone site.

Samples of stolen data
Samples of stolen data
Source: BleepingComputer

These CSV files contain a wide variety of data, including product, vendor, customer, and employee information.

One of the files contains approximately 1,000 records of what appear to be recent customer support tickets and RMA requests, which include customers’ names, email addresses, date of birth, physical addresses, phone numbers, and IP addresses.

BleepingComputer has confirmed with numerous Cooler Master customers in this file that the listed data is correct and that they opened an RMA or support ticket on the date specified in the leaked sample.

[…]

Source: Cooler Master hit by data breach exposing customer information

Japan’s Push To Make All Research Open Access is Taking Shape

Posted on by

The Japanese government is pushing ahead with a plan to make Japan’s publicly funded research output free to read. From a report: In June, the science ministry will assign funding to universities to build the infrastructure needed to make research papers free to read on a national scale. The move follows the ministry’s announcement in February that researchers who receive government funding will be required to make their papers freely available to read on the institutional repositories from January 2025. The Japanese plan “is expected to enhance the long-term traceability of research information, facilitate secondary research and promote collaboration,” says Kazuki Ide, a health-sciences and public-policy scholar at Osaka University in Suita, Japan, who has written about open access in Japan.

The nation is one of the first Asian countries to make notable advances towards making more research open access (OA) and among the first countries in the world to forge a nationwide plan for OA. The plan follows in the footsteps of the influential Plan S, introduced six years ago by a group of research funders in the United States and Europe known as cOAlition S, to accelerate the move to OA publishing. The United States also implemented an OA mandate in 2022 that requires all research funded by US taxpayers to be freely available from 2026. When the Ministry of Education, Culture, Sports, Science and Technology (MEXT) announced Japan’s pivot to OA in February, it also said that it would invest around $63 million to standardize institutional repositories — websites dedicated to hosting scientific papers, their underlying data and other materials — ensuring that there will be a mechanism for making research in Japan open.

Source: https://science.slashdot.org/story/24/05/31/1748243/japans-push-to-make-all-research-open-access-is-taking-shape?utm_source=rss1.0mainlinkanon&utm_medium=feed

Quite ironic that the original article is behind a paywall at Nature.com 🙂

Anyway, if the public paid for it, then the public should get it. A bit hugely late, but well done.

Google Leak Reveals Thousands of Privacy Incidents

Posted on by

Google has accidentally collected childrens’ voice data, leaked the trips and home addresses of car pool users, and made YouTube recommendations based on users’ deleted watch history, among thousands of other employee-reported privacy incidents, according to a copy of an internal Google database which tracks six years worth of potential privacy and security issues obtained by 404 Media. From the report: Individually the incidents, most of which have not been previously publicly reported, may only each impact a relatively small number of people, or were fixed quickly. Taken as a whole, though, the internal database shows how one of the most powerful and important companies in the world manages, and often mismanages, a staggering amount of personal, sensitive data on people’s lives.

The data obtained by 404 Media includes privacy and security issues that Google’s own employees reported internally. These include issues with Google’s own products or data collection practices; vulnerabilities in third party vendors that Google uses; or mistakes made by Google staff, contractors, or other people that have impacted Google systems or data. The incidents include everything from a single errant email containing some PII, through to substantial leaks of data, right up to impending raids on Google offices. When reporting an incident, employees give the incident a priority rating, P0 being the highest, P1 being a step below that. The database contains thousands of reports over the course of six years, from 2013 to 2018. In one 2016 case, a Google employee reported that Google Street View’s systems were transcribing and storing license plate numbers from photos. They explained that Google uses an algorithm to detect text in Street View imagery.

Source: https://tech.slashdot.org/story/24/06/03/1655212/google-leak-reveals-thousands-of-privacy-incidents?utm_source=rss1.0mainlinkanon&utm_medium=feed

Adobe changes TOS, says it can republish what you made for free

Posted on by

Adobe has decided that if you use its software, it can re-use anything you create. Considering you pay to use the software, that’s a bit grating.

4.2 Licenses to Your Content. Solely for the purposes of operating or improving the Services and Software, you grant us a non-exclusive, worldwide, royalty-free sublicensable, license, to use, reproduce, publicly display, distribute, modify, create derivative works based on, publicly perform, and translate the Content. For example, we may sublicense our right to the Content to our service providers or to other users to allow the Services and Software to operate as intended, such as enabling you to share photos with others. Separately, section 4.6 (Feedback) below covers any Feedback that you provide to us.

Source: Legal

They say it’s to detect kiddie porn, people think it’s to train their AIs. Obviously, people are upset.

Time to start learning the free and (fortunately) great Photoshop alternative: Gimp.

Ticketmaster 560m+ account hack confirmed in what seems to be a spree hitting Snowflake customers

Posted on by

Cloud storage provider Snowflake said that accounts belonging to multiple customers have been hacked after threat actors obtained credentials through info-stealing malware or by purchasing them on online crime forums.

Ticketmaster parent Live Nation—which disclosed Friday that hackers gained access to data it stored through an unnamed third-party provider—told TechCrunch the provider was Snowflake. The live-event ticket broker said it identified the hack on May 20, and a week later, a “criminal threat actor offered what it alleged to be Company user data for sale via the dark web.”

Ticketmaster is one of six Snowflake customers to be hit in the hacking campaign, said independent security researcher Kevin Beaumont, citing conversations with people inside the affected companies. Australia’s Signal Directorate said Saturday it knew of “successful compromises of several companies utilizing Snowflake environments.” Researchers with security firm Hudson Rock said in a now-deleted post that Santander, Spain’s biggest bank, was also hacked in the campaign. The researchers cited online text conversations with the threat actor. Last month, Santander disclosed a data breach affecting customers in Chile, Spain, and Uruguay.

“The tl;dr of the Snowflake thing is mass scraping has been happening, but nobody noticed, and they’re pointing at customers for having poor credentials,” Beaumont wrote on Mastodon. “It appears a lot of data has gone walkies from a bunch of orgs.”

Word of the hacks came weeks after a hacking group calling itself ShinyHunters took credit for breaching Santander and Ticketmaster and posted data purportedly belonging to both as evidence. The group took to a Breach forum to seek $2 million for the Santander data, which it said included 30 million customer records, 6 million account numbers, and 28 million credit card numbers. It sought $500,000 for the Ticketmaster data, which the group claimed included full names, addresses, phone numbers, and partial credit card numbers for 560 million customers.

Post by ShinyHunters seeking $2 million for Santander data.
Enlarge / Post by ShinyHunters seeking $2 million for Santander data.
Post by ShinyHunters seeking $500,000 for Ticketmaster data.
Enlarge / Post by ShinyHunters seeking $500,000 for Ticketmaster data.

Beaumont didn’t name the group behind the attacks against Snowflake customers but described it as “a teen crimeware group who’ve been active publicly on Telegram for a while and regularly relies on infostealer malware to obtain sensitive credentials.

The group has been responsible for hacks on dozens of organizations, with a small number of them including:

According to Snowflake, the threat actor used already compromised account credentials in the campaign against its customers. Those accounts weren’t protected by multifactor authentication (MFA).

Snowflake also said that the threat actor used compromised credentials to a former employee account that wasn’t protected by MFA. That account, the company said, was created for demonstration purposes.

“It did not contain sensitive data,” Snowflake’s notification stated. “Demo accounts are not connected to Snowflake’s production or corporate systems.”

The company urges all customers to ensure all their accounts are protected with MFA. The statement added that customers should also check their accounts for signs of compromise using these indicators.

“Throughout the course of our ongoing investigation, we have promptly informed the limited number of customers who we believe may have been impacted,” the company said in the post.

Snowflake and the two security firms it has retained to investigate the incident—Mandiant and Crowdstrike—said they have yet to find any evidence the breaches are a result of a “vulnerability, misconfiguration, or breach of Snowflake’s platform.” But Beaumont said the cloud provider shares some of the responsibility for the breaches because setting up MFA on Snowflake is too cumbersome. He cited the breach of the former employee’s demo account as support.

“They need to, at an engineering and secure by design level, go back and review how authentication works—as it’s pretty transparent that given the number of victims and scale of the breach that the status quo hasn’t worked,” Beaumont wrote. “Secure authentication should not be optional. And they’ve got to be completely transparent about steps they are taking off the back of this incident to strengthen things.”

Source: Ticketmaster hacked in what’s believed to be a spree hitting Snowflake customers | Ars Technica

Spotify Says It Will Refund Car Thing Purchases with a valid receipt

Posted on by

If you contact Spotify’s customer service with a valid receipt, the company will refund your Car Thing purchase. That’s the latest development reported by Engadget. When Spotify first announced that it would brick every Car Thing device on December 9, 2024, it said that it wouldn’t offer owners any subscription credit or automatic refund. From the report: Spotify has taken some heat for its announcement last week that it will brick every Car Thing device on December 9, 2024. The company described its decision as “part of our ongoing efforts to streamline our product offerings” (read: cut costs) and that it lets Spotify “focus on developing new features and enhancements that will ultimately provide a better experience to all Spotify users.”

TechCrunch reports that Gen Z users on TikTok have expressed their frustration in videos, while others have complained directed toward Spotify in DMs on X (Twitter) and directly through customer support. Some users claimed Spotify’s customer service agents only offered several months of free Premium access, while others were told nobody was receiving refunds. It isn’t clear if any of them contacted them after last Friday when it shifted gears on refunds.

Others went much further. Billboard first reported on a class-action lawsuit filed in the US District Court for the Southern District of New York on May 28. The suit accuses Spotify of misleading Car Thing customers by selling a $90 product that would soon be obsolete without offering refunds, which sounds like a fair enough point. It’s worth noting that, according to Spotify, it began offering the refunds last week, while the lawsuit was only filed on Tuesday. If the company’s statement about refunds starting on May 24 is accurate, the refunds aren’t a direct response to the legal action. (Although it’s possible the company began offering them in anticipation of lawsuits.) Editor’s note: As a disgruntled Car Thing owner myself, I can confirm that Spotify is approving refund requests. You’ll just have to play the waiting game to get through to a Spotify Advisor and their “team” that approves these requests. You may have better luck emailing customer service directly at support@spotify.com.

source: https://news.slashdot.org/story/24/05/30/2129202/spotify-says-it-will-refund-car-thing-purchases?utm_source=rss1.0mainlinkanon&utm_medium=feed

Largest ever operation by Europol against botnets hits dropper malware ecosystem

Posted on by

Between 27 and 29 May 2024 Operation Endgame, coordinated from Europol’s headquarters, targeted droppers including, IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot. The actions focused on disrupting criminal services through arresting High Value Targets, taking down the criminal infrastructures and freezing illegal proceeds. This approach had a global impact on the dropper ecosystem. The malware, whose infrastructure was taken down during the action days, facilitated attacks with ransomware and other malicious software. Following the action days, eight fugitives linked to these criminal activities, wanted by Germany, will be added to Europe’s Most Wanted list on 30 May 2024. The individuals are wanted for their involvement in serious cybercrime activities.

This is the largest ever operation against botnets, which play a major role in the deployment of ransomware. The operation, initiated and led by France, Germany and the Netherlands was also supported by Eurojust and involved Denmark, the United Kingdom and the United States. In addition, Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland and Ukraine also supported the operation with different actions, such as arrests, interviewing suspects, searches, and seizures or takedowns of servers and domains. The operation was also supported by a number of private partners at national and international level including Bitdefender, Cryptolaemus, Sekoia, Shadowserver, Team Cymru, Prodaft, Proofpoint, NFIR, Computest, Northwave, Fox-IT, HaveIBeenPwned, Spamhaus and DIVD.

The coordinated actions led to:

  • 4 arrests (1 in Armenia and 3 in Ukraine)
  • 16 location searches (1 in Armenia, 1 in the Netherlands, 3 in Portugal and 11 in Ukraine)
  • Over 100 servers taken down or disrupted in Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the United Kingdom, the United States and Ukraine
  • Over 2 000 domains under the control of law enforcement

Furthermore, it has been discovered through the investigations so far that one of the main suspects has earned at least EUR 69 million in cryptocurrency by renting out criminal infrastructure sites to deploy ransomware.

[…]

Operation Endgame does not end today. New actions will be announced on the website Operation Endgame. In addition, suspects involved in these and other botnets, who have not yet been arrested, will be directly called to account for their actions. Suspects and witnesses will find information on how to reach out via this website.

Command post at Europol to coordinate the operational actions

Europol facilitated the information exchange and provided analytical, crypto-tracing and forensic support to the investigation. To support the coordination of the operation, Europol organised more than 50 coordination calls with all the countries as well as an operational sprint at its headquarters.

Over 20 law enforcement officers from Denmark, France, Germany and the United States supported the coordination of the operational actions from the command post at Europol and hundreds of other officers from the different countries involved in the actions. In addition, a virtual command post allowed real-time coordination between the Armenian, French, Portuguese and Ukrainian officers deployed on the spot during the field activities.

The command post at Europol facilitated the exchange of intelligence on seized servers, suspects and the transfer of seized data. Local command posts were also set up in Germany, the Netherlands, Portugal, the United States and Ukraine. Eurojust supported the action by setting up a coordination centre at its headquarters to facilitate the judicial cooperation between all authorities involved. Eurojust also assisted with the execution of European Arrest Warrants and European Investigation Orders.

[…]

Source: Largest ever operation against botnets hits dropper malware ecosystem | Europol

How Researchers Cracked an 11-Year-Old Password to a $3 Million Crypto Wallet

Posted on by

Two years ago when “Michael,” an owner of cryptocurrency, contacted Joe Grand to help recover access to about $2 million worth of bitcoin he stored in encrypted format on his computer, Grand turned him down.

Michael, who is based in Europe and asked to remain anonymous, stored the cryptocurrency in a password-protected digital wallet. He generated a password using the RoboForm password manager and stored that password in a file encrypted with a tool called TrueCrypt. At some point, that file got corrupted and Michael lost access to the 20-character password he had generated to secure his 43.6 BTC (worth a total of about €4,000, or $5,300, in 2013). Michael used the RoboForm password manager to generate the password but did not store it in his manager. He worried that someone would hack his computer and obtain the password.

“At [that] time, I was really paranoid with my security,” he laughs.

Grand is a famed hardware hacker who in 2022 helped another crypto wallet owner recover access to $2 million in cryptocurrency he thought he’d lost forever after forgetting the PIN to his Trezor wallet. Since then, dozens of people have contacted Grand to help them recover their treasure. But Grand, known by the hacker handle “Kingpin,” turns down most of them, for various reasons.

Grand is an electrical engineer who began hacking computing hardware at age 10 and in 2008 cohosted the Discovery Channel’s Prototype This show. He now consults with companies that build complex digital systems to help them understand how hardware hackers like him might subvert their systems. He cracked the Trezor wallet in 2022 using complex hardware techniques that forced the USB-style wallet to reveal its password.

But Michael stored his cryptocurrency in a software-based wallet, which meant none of Grand’s hardware skills were relevant this time. He considered brute-forcing Michael’s password—writing a script to automatically guess millions of possible passwords to find the correct one—but determined this wasn’t feasible. He briefly considered that the RoboForm password manager Michael used to generate his password might have a flaw in the way it generated passwords, which would allow him to guess the password more easily. Grand, however, doubted such a flaw existed.

Michael contacted multiple people who specialize in cracking cryptography; they all told him “there’s no chance” of retrieving his money. But last June he approached Grand again, hoping to convince him to help, and this time Grand agreed to give it a try, working with a friend named Bruno in Germany who also hacks digital wallets.

Grand and Bruno spent months reverse engineering the version of the RoboForm program that they thought Michael had used in 2013 and found that the pseudo-random number generator used to generate passwords in that version—and subsequent versions until 2015—did indeed have a significant flaw that made the random number generator not so random. The RoboForm program unwisely tied the random passwords it generated to the date and time on the user’s computer—it determined the computer’s date and time, and then generated passwords that were predictable. If you knew the date and time and other parameters, you could compute any password that would have been generated on a certain date and time in the past.

If Michael knew the day or general time frame in 2013 when he generated it, as well as the parameters he used to generate the password (for example, the number of characters in the password, including lower- and upper-case letters, figures, and special characters), this would narrow the possible password guesses to a manageable number. Then they could hijack the RoboForm function responsible for checking the date and time on a computer and get it to travel back in time, believing the current date was a day in the 2013 time frame when Michael generated his password. RoboForm would then spit out the same passwords it generated on the days in 2013.

There was one problem: Michael couldn’t remember when he created the password.

According to the log on his software wallet, Michael moved bitcoin into his wallet for the first time on April 14, 2013. But he couldn’t remember if he generated the password the same day or some time before or after this. So, looking at the parameters of other passwords he generated using RoboForm, Grand and Bruno configured RoboForm to generate 20-character passwords with upper- and lower-case letters, numbers, and eight special characters from March 1 to April 20, 2013.

It failed to generate the right password. So Grand and Bruno lengthened the time frame from April 20 to June 1, 2013, using the same parameters. Still no luck.

Michael says they kept coming back to him, asking if he was sure about the parameters he’d used. He stuck to his first answer.

“They really annoyed me, because who knows what I did 10 years ago,” he recalls. He found other passwords he generated with RoboForm in 2013, and two of them did not use special characters, so Grand and Bruno adjusted. Last November, they reached out to Michael to set up a meeting in person. “I thought, ‘Oh my God, they will ask me again for the settings.”

Instead, they revealed that they had finally found the correct password—no special characters. It was generated on May 15, 2013, at 4:10:40 pm GMT.

“We ultimately got lucky that our parameters and time range was right. If either of those were wrong, we would have … continued to take guesses/shots in the dark,” Grand says in an email to WIRED. “It would have taken significantly longer to precompute all the possible passwords.”

Grand and Bruno created a video to explain the technical details more thoroughly.

[…]

Source: How Researchers Cracked an 11-Year-Old Password to a $3 Million Crypto Wallet | WIRED

“Deny, denounce, delay”: ultra-processed food companies fighting using big tobacco type tactics

Posted on by

When the Brazilian nutritional scientist Carlos Monteiro coined the term “ultra-processed foods” 15 years ago, he established what he calls a “new paradigm” for assessing the impact of diet on health.

Monteiro had noticed that although Brazilian households were spending less on sugar and oil, obesity rates were going up. The paradox could be explained by increased consumption of food that had undergone high levels of processing, such as the addition of preservatives and flavorings or the removal or addition of nutrients.

But health authorities and food companies resisted the link, Monteiro tells the FT. “[These are] people who spent their whole life thinking that the only link between diet and health is the nutrient content of foods … Food is more than nutrients.”

Monteiro’s food classification system, “Nova,” assessed not only the nutritional content of foods but also the processes they undergo before reaching our plates. The system laid the groundwork for two decades of scientific research linking the consumption of UPFs to obesity, cancer, and diabetes.

Studies of UPFs show that these processes create food—from snack bars to breakfast cereals to ready meals—that encourages overeating but may leave the eater undernourished. A recipe might, for example, contain a level of carbohydrate and fat that triggers the brain’s reward system, meaning you have to consume more to sustain the pleasure of eating it.

In 2019, American metabolic scientist Kevin Hall carried out a randomized study comparing people who ate an unprocessed diet with those who followed a UPF diet over two weeks. Hall found that the subjects who ate the ultra-processed diet consumed around 500 more calories per day, more fat and carbohydrates, less protein—and gained weight.

Enlarge
Financial Times

The rising concern about the health impact of UPFs has recast the debate around food and public health, giving rise to books, policy campaigns, and academic papers. It also presents the most concrete challenge yet to the business model of the food industry, for whom UPFs are extremely profitable.

The industry has responded with a ferocious campaign against regulation. In part it has used the same lobbying playbook as its fight against labeling and taxation of “junk food” high in calories: big spending to influence policymakers.

FT analysis of US lobbying data from non-profit Open Secrets found that food and soft drinks-related companies spent $106 million on lobbying in 2023, almost twice as much as the tobacco and alcohol industries combined. Last year’s spend was 21 percent higher than in 2020, with the increase driven largely by lobbying relating to food processing as well as sugar.

In an echo of tactics employed by cigarette companies, the food industry has also attempted to stave off regulation by casting doubt on the research of scientists like Monteiro.

“The strategy I see the food industry using is deny, denounce, and delay,” says Barry Smith, director of the Institute of Philosophy at the University of London and a consultant for companies on the multisensory experience of food and drink.

So far the strategy has proved successful. Just a handful of countries, including Belgium, Israel, and Brazil, currently refer to UPFs in their dietary guidelines. But as the weight of evidence about UPFs grows, public health experts say the only question now is how, if at all, it is translated into regulation.

“There’s scientific agreement on the science,” says Jean Adams, professor of dietary public health at the MRC Epidemiology Unit at the University of Cambridge. “It’s how to interpret that to make a policy that people aren’t sure of.”

[…]

Source: “Deny, denounce, delay”: The battle over the risk of ultra-processed foods | Ars Technica

2.8M US folks’ personal info swiped in Sav-Rx IT heist – 8 months ago

Posted on by

Sav-Rx has started notifying about 2.8 million people that their personal information was likely stolen during an IT intrusion that happened more than seven months ago.

The biz provides prescription drug management services to more than 10 million US workers and their families, via their employers or unions. It first spotted the network “interruption” on October 8 last year and notes the break-in likely occurred five days earlier, according to a FAQ page about the incident posted on the Sav-Rx website.

Sav-Rx says it restored the IT systems to normal the following business day, and says all prescriptions were shipped on time and without delay. It also notified the police and called in some experts for a deeper dive into the logs.

An “extensive review” completed by a third-party security team on April 30 confirmed “some of the data accessed or acquired by the unauthorized third party may have contained personal information.”

The security breach affected 2,812,336 people, according to an incident notification filed with the Maine attorney general by A&A Services, doing business as Sav-Rx. Potentially stolen details include patients’ names, dates of birth, social security numbers, email addresses, mailing addresses, phone numbers, eligibility data, and insurance identification numbers.

“Please note that other than these data elements, the threat actor did not have access to clinical or financial information,” the notice reads.

While there’s no indication that the crooks have “made any use of your data as a result of this security incident,” Sav-Rx is providing everyone with two years of free credit and identity monitoring, as seems to be standard practice.

There’s also an oddly worded line about what happened that notes, “in conjunction with third-party experts, we have confirmed that any data acquired from our IT system was destroyed and not further disseminated.”

The Register contacted Sav-Rx with several questions about the network breach — including how it confirmed the data was destroyed and if the crooks demanded a payment — and did not receive a response. We will update this story when we hear back. It seems like some form of ransomware or extortion.

Either anticipating, or already receiving, inquiries about why the lag between discovering the intrusion and then notifying affected parties, the FAQ also includes a “Why wasn’t I contacted sooner?” question.

“Our initial priority was restoring systems to minimize any interruption to patient care,” it answers.

And then, after securing the IT systems and hiring the incident response team, Sav-Rx launched an investigation to determine who had been affected, and what specific personal information had been stolen for each of them.

Then, it sounds like there was some back-and-forth between healthcare bodies and Sav-Rx as to who would notify people that their data had been stolen. Here’s what the company says to that point:

We prioritized this technological investigation to be able to provide affected individuals with as much accurate information as possible. We received the results of that investigation on April 30, 2024, and promptly sent notifications to our health plan customers whose participant data was affected within 48 hours.

We offered to provide affected individuals notification, and once we confirmed that their respective health plans wanted us to provide notice to their participants, we worked expediently to mail notices to the affected individuals.

It’s unclear if this will be enough to satisfy affected customers. But in a statement to reporters, Roger Grimes, of infosec house KnowBe4, said the short answer is probably not.

“I don’t think the eight months it took Sav-Rx to notify impacted customers of the breach is going to fly with anyone, least of all their customers,” Grimes said.

“Today, you’ve got most companies notifying impacted customers in days to a few weeks,” he added. “Eight months? Whoever decided on that decision is likely to come under some heat and have explaining to do.”

Sav-Rx claims to have implemented a “number of detailed and immediate mitigation measures” to improve its security after the digital break-in. This includes “enhancing” its always-on security operations center, and adding new firewalls, antivirus software, and multi-factor authentication.

The organization also says it has since implemented a patching cycle and network segmentation and taken other measures to harden its systems. Hopefully it can also speed up its response times if it happens again.

Source: 2.8M US folks’ personal info swiped in Sav-Rx IT heist • The Register

Google’s technical info about search ranking leaks online

Posted on by

A trove of documents that appear to describe how Google ranks search results has appeared online, likely as the result of accidental publication by an in-house bot.

The leaked documentation describes an old version of Google’s Content Warehouse API and provides a glimpse of Google Search’s inner workings.

The material appears to have been inadvertently committed to a publicly accessible Google-owned repository on GitHub around March 13 by the web giant’s own automated tooling. That automation tacked an Apache 2.0 open source license on the commit, as is standard for Google’s public documentation. A follow-up commit on May 7 attempted to undo the leak.

The material was nonetheless spotted by Erfan Azimi, CEO of search engine optimization (SEO) biz EA Digital Eagle and were then disclosed on Sunday by fellow SEO operatives Rand Fishkin, CEO of SparkToro and Michael King, CEO of iPullRank.

These documents do not contain code or the like, and instead describe how to use Google’s Content Warehouse API that’s likely intended for internal use only; the leaked documentation includes numerous references to internal systems and projects. While there is a similarly named Google Cloud API that’s already public, what ended up on GitHub goes well beyond that, it seems.

The files are noteworthy for what they reveal about the things Google considers important when ranking web pages for relevancy, a matter of enduring interest to anyone involved in the SEO business and/or anyone operating a website and hoping Google will help it to win traffic.

Among the 2,500-plus pages of documentation, assembled for easy perusal here, there are details on more than 14,000 attributes accessible or associated with the API, though scant information about whether all these signals are used and their importance. It is therefore hard to discern the weight Google applies to the attributes in its search result ranking algorithm.

But SEO consultants believe the documents contain noteworthy details because they differ from public statements made by Google representatives.

“Many of [Azimi’s] claims [in an email describing the leak] directly contradict public statements made by Googlers over the years, in particular the company’s repeated denial that click-centric user signals are employed, denial that subdomains are considered separately in rankings, denials of a sandbox for newer websites, denials that a domain’s age is collected or considered, and more,” explained SparkToro’s Fishkin in a report.

iPullRank’s King, in his post on the documents, pointed to a statement made by Google search advocate John Mueller, who said in a video that “we don’t have anything like a website authority score” – a measure of whether Google considers a site authoritative and therefore worthy of higher rankings for search results.

But King notes that the docs reveal that as part of the Compressed Quality Signals Google stores for documents, a “siteAuthority” score can be calculated.

Several other revelations are cited in the two posts.

One is the importance of clicks – and different types of clicks (good, bad, long, etc.) – are in determining how a webpage rankings. Google during the US v. Google antitrust trial acknowledged [PDF] that it considers click metrics as a ranking factor in web search.

Another is that Google uses websites viewed in Chrome as a quality signal, seen in the API as the parameter ChromeInTotal. “One of the modules related to page quality scores features a site-level measure of views from Chrome,” according to King.

Additionally, the documents indicate that Google considers other factors like content freshness, authorship, whether a page is related to a site’s central focus, alignment between page title and content, and “the average weighted font size of a term in the doc body.”

Source: Google’s technical info about search ranking leaks online • The Register

Lawyers To Plastic Makers: Prepare For ‘Astronomical’ PFAS Lawsuits

Posted on by

An anonymous reader quotes a report from the New York Times: The defense lawyer minced no words as he addressed a room full of plastic-industry executives. Prepare for a wave of lawsuits with potentially “astronomical” costs. Speaking at a conference earlier this year, the lawyer, Brian Gross, said the coming litigation could “dwarf anything related to asbestos,” one of the most sprawling corporate-liability battles in United States history. Mr. Gross was referring to PFAS, the “forever chemicals” that have emerged as one of the major pollution issues of our time. Used for decades in countless everyday objects — cosmetics, takeout containers, frying pans — PFAS have been linked to serious health risks including cancer. Last month the federal government said several types of PFAS must be removed from the drinking water of hundreds of millions of Americans. “Do what you can, while you can, before you get sued,” Mr. Gross said at the February session, according to a recording of the event made by a participant and examined by The New York Times. “Review any marketing materials or other communications that you’ve had with your customers, with your suppliers, see whether there’s anything in those documents that’s problematic to your defense,” he said. “Weed out people and find the right witness to represent your company.”

A wide swath of the chemicals, plastics and related industries are gearing up to fight a surge in litigation related to PFAS, or per- and polyfluoroalkyl substances, a class of nearly 15,000 versatile synthetic chemicals linked to serious health problems. […] PFAS-related lawsuits have already targeted manufacturers in the United States, including DuPont, its spinoff Chemours, and 3M. Last year, 3M agreed to pay at least $10 billion to water utilities across the United States that had sought compensation for cleanup costs. Thirty state attorneys general have also sued PFAS manufacturers, accusing the manufacturers of widespread contamination. But experts say the legal battle is just beginning. Under increasing scrutiny are a wider universe of companies that use PFAS in their products. This month, plaintiffs filed a class-action lawsuit against Bic, accusing the razor company for failing to disclose that some of its razors contained PFAS. Bic said it doesn’t comment on pending litigation, and said it had a longstanding commitment to safety.

The Biden administration has moved to regulate the chemicals, for the first time requiring municipal water systems to remove six types of PFAS. Last month, the Environmental Protection Agency also designated two of those PFAS chemicals as hazardous substances under the Superfund law, shifting responsibility for their cleanup at contaminated sites from taxpayers to polluters. Both rules are expected to prompt a new round of litigation from water utilities, local communities and others suing for cleanup costs. “To say that the floodgates are opening is an understatement,” said Emily M. Lamond, an attorney who focuses on environmental litigation at the law firm Cole Schotz. “Take tobacco, asbestos, MTBE, combine them, and I think we’re still going to see more PFAS-related litigation,” she said, referring to methyl tert-butyl ether, a former harmful gasoline additive that contaminated drinking water. Together, the trio led to claims totaling hundreds of billions of dollars. Unlike tobacco, used by only a subset of the public, “pretty much every one of us in the United States is walking around with PFAS in our bodies,” said Erik Olson, senior strategic director for environmental health at the Natural Resources Defense Council. “And we’re being exposed without our knowledge or consent, often by industries that knew how dangerous the chemicals were, and failed to disclose that,” he said. “That’s a formula for really significant liability.”

YouTube’s Crackdown on Adblockers Makes Videos Unwatchable – now skips to end of video

Posted on by

YouTube has been at war with adblockers for quite some time now and has employed various tactics to keep users off those extensions. Its most recent defense strategy is to skip right to the end of the video you’re playing. If you try replaying it, it’ll do that again. If you tap anywhere on the timeline, your video will buffer indefinitely. Here’s what it looks like in action.

[…]

one of its first moves was to send a pop-up warning saying, “Video playback is blocked unless YouTube is allowlisted or the ad blocker is disabled.” However, users could close that pop-up and resume watching their videos.

Next, it tried to make videos unplayable by showing a never-ending loading screen. Then it refused to do even that and would pop up an immovable prompt to disable the adblocker.

[…]

This latest move is frustrating, and that’s the point. There was a time when its ads were tolerable, but with the recent increase of ads on the video platform, users are finding it extremely hard to sit through a 20-second unskippable ad followed by a 5-second skippable one. Ad runtime isn’t proportionate to a video’s length, which adds to the bizarreness.

Google is aware of its monopoly over the video-sharing industry and has jacked up its ad-free Premium tier prices to $14 monthly. It has also extended its crackdown on mobile, resulting in buffering issues and error messages for users who dare to use an adblocker on their phones.

[…]

Users have also figured out workarounds. Some are switching to AdBlock alternatives, such as uBlock Origin, while others recommend browser substitutes like Brave to fix the issue. A few disappointed consumers are also considering bidding farewell to the platform.

[…]

Source: YouTube’s Crackdown on Adblockers Makes Videos Unwatchable

Samsung Requires Independent Repair Shops to Share Customer Data, Snitch on People and destroy phones Using Aftermarket Parts, Leaked Contract Shows

Posted on by

In exchange for selling them repair parts, Samsung requires independent repair shops to give Samsung the name, contact information, phone identifier, and customer complaint details of everyone who gets their phone repaired at these shops, according to a contract obtained by 404 Media. Stunningly, it also requires these nominally independent shops to “immediately disassemble” any phones that customers have brought them that have been previously repaired with aftermarket or third-party parts and to “immediately notify” Samsung that the customer has used third-party parts.

[…]

The contract also requires the “daily” uploading of details of each and every repair that an independent company does into a Samsung database called G-SPN “at the time of each repair,” which includes the customer’s address, email address, phone number, details about what is wrong with their phone, their phone’s warranty status, details of the customer’s complaint, and the device’s IMEI number, which is a unique device identifier. 404 Media has verified the authenticity of the original contract and has recreated the version embedded at the bottom of this article to protect the source. No provisions have been changed.

The use of aftermarket parts in repair is relatively common. This provision requires independent repair shops to destroy the devices of their own customers, and then to snitch on them to Samsung.

[…]

People have a right to use third-party parts under the Magnuson Moss Warranty Act, for one thing, and it’s hard to square this contact language with that basic consumer right.”

[…]

The contract shows the incredible level of control that Samsung has over “independent” repair shops, which need to sign this agreement to get repair parts from Samsung. Signing this contract does not even make a repair shop an “authorized” repair center, which is a distinction that requires shop owners to jump through even more hoops.

[…]

“This is exactly the kind of onerous, one-sided ‘agreement’ that necessitates the right-to-repair,” Kit Walsh, a staff attorney at the Electronic Freedom Foundation and right to repair expert told me. “The data collection is excessive. I may not have chosen to disclose my address or identity to Samsung, yet an added cost of repair—even at an independent shop—is giving that information up. In addition to the provision you mentioned about dismantling devices with third-party components, these create additional disincentives to getting devices repaired, which can harm both device security and the environment as repairable devices wind up in landfills.”

[…]

The contract also functionally limits the types of repairs these “independent” repair shops are allowed to do and does not authorize the stores to do repairs that require soldering or so-called board-level repair, which are increasingly common types of repairs.

Independent repair shops are also required to get a certification from an organization called WISE, which costs $200 annually and is an arm of the CTIA, a trade group made up of wireless companies like Verizon and AT&T that has repeatedly lobbied against right to repair laws. In effect, independent shops are required to fund an organization lobbying against their interests.

In 2020, Motherboard obtained a contract that Apple required independent repair companies to sign in order to get repair parts from the company. At the time, experts said that Apple’s contract was problematic because it allowed Apple to audit and inspect the shops at any time. The Samsung document is even more onerous because it requires them to essentially serve as enforcers for Samsung and requires the proactive sharing of consumer data.

[…]

Source: Samsung Requires Independent Repair Shops to Share Customer Data, Snitch on People Who Use Aftermarket Parts, Leaked Contract Shows

Spotify to brick every Car Thing gadget it ever sold only 2 – 3 years ago

Posted on by

Spotify’s brief attempt at being a hardware company wasn’t all that successful: the company stopped producing its Car Thing dashboard accessory less than a year after it went on sale to the public. And now, two years later, the device is about to be rendered completely inoperable. Customers who bought the Car Thing are receiving emails warning that it will stop working altogether as of December 9th.

Unfortunately for those owners, Spotify isn’t offering any kind of subscription credit or automatic refund for the device — nor is the company open-sourcing it. Rather, it’s just canning the project and telling people to (responsibly) dispose of Car Thing.

[…]

Car Thing was initially made available on an invite-only basis in April 2021, with Spotify later opening a public waitlist to buy the accessory later that year. The $90 device went on general sale in February 2022 — and production was halted five months later.

[…]

Source: Spotify is going to break every Car Thing gadget it ever sold – The Verge

Crooks plant backdoor in software used by courtrooms around the world

Posted on by

A software maker serving more than 10,000 courtrooms throughout the world hosted an application update containing a hidden backdoor that maintained persistent communication with a malicious website, researchers reported Thursday, in the latest episode of a supply-chain attack.

The software, known as the JAVS Viewer 8, is a component of the JAVS Suite 8, an application package courtrooms use to record, play back, and manage audio and video from proceedings. Its maker, Louisville, Kentucky-based Justice AV Solutions, says its products are used in more than 10,000 courtrooms throughout the US and 11 other countries. The company has been in business for 35 years.

JAVS Viewer users at high risk

Researchers from security firm Rapid7 reported that a version of the JAVS Viewer 8 available for download on javs.com contained a backdoor that gave an unknown threat actor persistent access to infected devices. The malicious download, planted inside an executable file that installs the JAVS Viewer version 8.3.7, was available no later than April 1, when a post on X (formerly Twitter) reported it. It’s unclear when the backdoored version was removed from the company’s download page. JAVS representatives didn’t immediately respond to questions sent by email.

“Users who have version 8.3.7 of the JAVS Viewer executable installed are at high risk and should take immediate action,” Rapid7 researchers Ipek Solak, Thomas Elkins, Evan McCann, Matthew Smith, Jake McMahon, Tyler McGraw, Ryan Emmons, Stephen Fewer, and John Fenninger wrote. “This version contains a backdoored installer that allows attackers to gain full control of affected systems.”

The installer file was titled JAVS Viewer Setup 8.3.7.250-1.exe. When executed, it copied the binary file fffmpeg.exe to the file path C:\Program Files (x86)\JAVS\Viewer 8\. To bypass security warnings, the installer was digitally signed, but with a signature issued to an entity called “Vanguard Tech Limited” rather than to “Justice AV Solutions Inc.,” the signing entity used to authenticate legitimate JAVS software.

fffmpeg.exe, in turn, used Windows Sockets and WinHTTP to establish communications with a command-and-control server. Once successfully connected, fffmpeg.exe sent the server passwords harvested from browsers and data about the compromised host, including hostname, operating system details, processor architecture, program working directory, and the user name.

The researchers said fffmpeg.exe also downloaded the file chrome_installer.exe from the IP address 45.120.177.178. chrome_installer.exe went on to execute a binary and several Python scripts that were responsible for stealing the passwords saved in browsers. fffmpeg.exe is associated with a known malware family called GateDoor/Rustdoor. The exe file was already flagged by 30 endpoint protection engines.

[…]

The researchers warned that the process of disinfecting infected devices will require care. They wrote:

To remediate this issue, affected users should:

  • Reimage any endpoints where JAVS Viewer 8.3.7 was installed. Simply uninstalling the software is insufficient, as attackers may have implanted additional backdoors or malware. Re-imaging provides a clean slate.
  • Reset credentials for any accounts that were logged into affected endpoints. This includes local accounts on the endpoint itself as well as any remote accounts accessed during the period when JAVS Viewer 8.3.7 was installed. Attackers may have stolen credentials from compromised systems.
  • Reset credentials used in web browsers on affected endpoints. Browser sessions may have been hijacked to steal cookies, stored passwords, or other sensitive information.
  • Install the latest version of JAVS Viewer (8.3.8 or higher) after re-imaging affected systems. The new version does not contain the backdoor present in 8.3.7.

Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials. All organizations running JAVS Viewer 8.3.7 should take these steps immediately to address the compromise.

The Rapid7 post included a statement from JAVS that confirmed that the installer for version 8.3.7 of the JAVS viewer was malicious.

“We pulled all versions of Viewer 8.3.7 from the JAVS website, reset all passwords, and conducted a full internal audit of all JAVS systems,” the statement read. “We confirmed all currently available files on the JAVS.com website are genuine and malware-free. We further verified that no JAVS Source code, certificates, systems, or other software releases were compromised in this incident.”

The statement didn’t explain how the installer became available for download on its site. It also didn’t say if the company retained an outside firm to investigate.

The incident is the latest example of a supply-chain attack, a technique that tampers with a legitimate service or piece of software with the aim of infecting all downstream users. These sorts of attacks are usually carried out by first hacking the provider of the service or software.

Source: Crooks plant backdoor in software used by courtrooms around the world | Ars Technica

Bilingual Brain-Reading Implant Decodes Spanish and English

Posted on by

For the first time, a brain implant has helped a bilingual person who is unable to articulate words to communicate in both of his languages. An artificial-intelligence (AI) system coupled to the brain implant decodes, in real time, what the individual is trying to say in either Spanish or English.

The findings, published on 20 May in Nature Biomedical Engineering, provide insights into how our brains process language, and could one day lead to long-lasting devices capable of restoring multilingual speech to people who can’t communicate verbally.

[…]

The person at the heart of the study, who goes by the nickname Pancho, had a stroke at age 20 that paralysed much of his body. As a result, he can moan and grunt but cannot speak clearly.

[…]

the team developed an AI system to decipher Pancho’s bilingual speech. This effort, led by Chang’s PhD student Alexander Silva, involved training the system as Pancho tried to say nearly 200 words. His efforts to form each word created a distinct neural pattern that was recorded by the electrodes.

The authors then applied their AI system, which has a Spanish module and an English one, to phrases as Pancho tried to say them aloud. For the first word in a phrase, the Spanish module chooses the Spanish word that matches the neural pattern best. The English component does the same, but chooses from the English vocabulary instead. For example, the English module might choose ‘she’ as the most likely first word in a phrase and assess its probability of being correct to be 70%, whereas the Spanish one might choose ‘estar’ (to be) and measure its probability of being correct at 40%.

[…]

From there, both modules attempt to build a phrase. They each choose the second word based on not only the neural-pattern match but also whether it is likely to follow the first one. So ‘I am’ would get a higher probability score than ‘I not’. The final output produces two sentences — one in English and one in Spanish — but the display screen that Pancho faces shows only the version with the highest total probability score.

The modules were able to distinguish between English and Spanish on the basis of the first word with 88% accuracy and they decoded the correct sentence with an accuracy of 75%.

[…]

The findings revealed unexpected aspects of language processing in the brain. Some previous experiments using non-invasive tools have suggested that different languages activate distinct parts of the brain. But the authors’ examination of the signals recorded directly in the cortex found that “a lot of the activity for both Spanish and English was actually from the same area”, Silva says.

Furthermore, Pancho’s neurological responses didn’t seem to differ much from those of children who grew up bilingual, even though he was in his thirties when he learnt English — in contrast to the results of previous studies. Together, these findings suggest to Silva that different languages share at least some neurological features, and that they might be generalizable to other people.

[…]

Source: Bilingual Brain-Reading Implant Decodes Spanish and English | Scientific American

Netflix app update for Windows PCs will ditch downloads and offline viewing but give you stuff you never wanted.

Posted on by

In the past few weeks, users have received notifications on their Netflix Windows indicating that a new update is coming. The update will ship with many new features and quality-of-life improvements, including support for watching live events, improved streaming quality, compatibility with ad-supported plans, and more.

Wait – who wants any of this stuff? What quality-of-life is improved here?

[…]

However, the update will also include a new change that won’t allow users to download movies or series via the Netflix app for offline viewing or when facing intermittent internet connection issues.

Source: An official Netflix app update for Windows PCs will ditch downloads and offline viewing following a crackdown on account sharing | Windows Central

So you get stuff you really don’t want to lose stuff you really do want – especially if you travel. Which most people do.

What are they thinking at Netflix? Well, I guess it’s out with the pirate hat again and download what I want to watch offline – even if it is available to me on a service I pay for…

Adobe threatens to sue Nintendo emulator Delta for its look-alike logo

Posted on by

Delta, an emulator that can play Nintendo games, had to change its logo after Adobe threatened legal action. You’d think it would face trouble from Nintendo, seeing as it has been going after emulators these days, but no. It’s Adobe who’s going after the developer, which told TechCrunch that it first received an email from the company’s lawyer on May 7. Adobe warned Delta that their logos are too similar, with its app icon infringing on the well-known Adobe “A,” and asked it to change its logo so it wouldn’t violate the company’s rights. Delta reportedly received an email from Apple, as well, telling the developer that Adobe asked it to take down the emulator app.

A purple icon.
Delta

If you’ll recall, Apple started allowing retro game emulators on the App Store, as long as they don’t offer pirated games for download. Delta was one of the first to be approved for listing and was at the top of Apple’s charts for a while, which is probably why it caught Adobe’s attention. At the time of writing, it sits at number six in the ranking for apps in Entertainment with 17,100 ratings.

The developer told both Adobe and Apple that its logo was a stylized version of the Greek letter “delta,” and not the uppercase letter A. Regardless, it debuted a new logo, which looks someone took a sword to its old one to cut it in half. It’s a temporary solution, though — the developer said it’s releasing the “final” version of its new logo when Delta 1.6 comes out.

Source: Adobe threatens to sue Nintendo emulator Delta for its look-alike logo

Winamp has announced that it is opening up its source code

Posted on by

Winamp has announced that on 24 September 2024, the application’s source code will be open to developers worldwide.

Winamp will open up its code for the player used on Windows, enabling the entire community to participate in its development. This is an invitation to global collaboration, where developers worldwide can contribute their expertise, ideas, and passion to help this iconic software evolve.

[…]

Interested developers can now make themselves known at the following address: about.winamp.com/free-llama

Source: About Winamp – Winamp has announced that it is opening up its source code to enable collaborative development of its legendary player for Windows.

Why only now? who knows. But it will hopefully be a huge boost to WACUP – which is a player that looks a lot like Winamp, allows you to use it’s (old and new) plugins but has been updated to be modern.

Germany’s Sovereign Tech Fund Now Supporting FFmpeg

Posted on by

Following Germany’s Sovereign Tech Fund providing significant funding for GNOME, Rust Coreutils, PHP, a systemd bug bounty, and numerous other free software projects, the FFmpeg multimedia library is the latest beneficiary to this funding from the Germany government.

The Sovereign Tech Fund notes that the FFmpeg project is receiving €157,580.00 for 2024 and 2025.

FFmpeg logo

An announcement on the FFmpeg.org project site notes:

“The FFmpeg community is excited to announce that Germany’s Sovereign Tech Fund has become its first governmental sponsor. Their support will help sustain the [maintenance] of the FFmpeg project, a critical open-source software multimedia component essential to bringing audio and video to billions around the world everyday.”

Exciting news and great continuing to see the significant investments across many open-source projects being made by the Sovereign Tech Fund.

Source: Germany’s Sovereign Tech Fund Now Supporting FFmpeg – Phoronix

Ffmpeg is a hugely important tool used for manipulating video and sound files in all kinds of ways. It is used under the hood by all kinds of projects. It’s really encouraging to see governments funding this kind of stuff, especially considering the problems open source developers are running into. There should be a lot more of this and a lot less of businesses ‘funding’ open source projects and then forking them into closed source versions (here’s looking at you, Amazon).

People Are Jailbreaking Their PS4s Using Smart TVs

Posted on by

Jailbreaking a PlayStation 4 might sound tricky. But actually, all you need nowadays is an LG Smart TV, a few minutes of your time, and the internet.

Why would you want to jailbreak a PlayStation 4 console in 2024? There are a few reasons. For one, it opens the console up, letting you freely back up game installs and saves. You can also run emulators on the PS4 and play your installed games without a disc. And yes, some people are pirating new games and playing them on these hacked consoles, too. But we are not here to talk about that. Instead, I want to share a strange way people are jailbreaking PS4s.

As reported by HackADay.com, a recently created method for jailbreaking a PS4 involves plugging it into a jailbroken LG smart TV. (And yes, in case you didn’t know about this already, people are jailbreaking smart televisions, too.) Once you’ve hacked your LG TV, you install a digital tool onto the TV and hook your PS4 up to it using an ethernet cable. Then run the exploit tool on the TV and set up a LAN connection on the PS4…and that’s it. At that point, the tool should work its magic and you’ll soon have a jailbroken PS4.

Michael Crump

This new tool is built upon the work of other modders and hackers who were able to figure out new ways to jailbreak Sony’s last-gen console. And to be clear, I’m not suggesting you go buy an LG TV, jailbreak it, and then use that device to hack your PS4 and start downloading pirated games.

But being able to take full control of expensive electronic devices, like phones, TVs, and consoles, is something that we should all support as it allows these pieces of tech to be useful long after their corporate owners have moved on.

And based on what a lousy job video game companies have been doing at preserving old (or even fairly new) games, in 20 years or so, a modded PS4—jailbroken using a TV—might be the easiest way to play digital games you bought years ago but lost access to because the servers were killed.

Source: People Are Jailbreaking Their PS4s Using Smart TVs

Top EU court says there is no right to online anonymity, because copyright is more important

Posted on by

A year ago, Walled Culture wrote about an extremely important case that was being considered by the Court of Justice of the European Union (CJEU), the EU’s top court. The central question was whether the judges considered that copyright was more important than privacy. The bad news is that the CJEU has just decided that it is:

The Court, sitting as the Full Court, holds that the general and indiscriminate retention of IP addresses does not necessarily constitute a serious interference with fundamental rights.

IP addresses refer to the identifying Internet number assigned to a user’s system when it is online. That may change each time someone uses the Internet, but if Internet Service Providers are required by law to retain information about who was assigned a particular address at a given time, then it is possible to carry out routine surveillance of people’s online activities. The CJEU has decided this is acceptable:

EU law does not preclude national legislation authorising the competent public authority, for the sole purpose of identifying the person suspected of having committed a criminal offence, to access the civil identity data associated with an IP address

The key problem is that copyright infringement by a private individual is regarded by the court as something so serious that it negates the right to privacy. It’s a sign of the twisted values that copyright has succeeded on imposing on many legal systems. It equates the mere copying of a digital file with serious crimes that merit a prison sentence, an evident absurdity.

As one of the groups that brought the original case, La Quadrature du Net, writes, this latest decision also has serious negative consequences for human rights in the EU:

Whereas in 2020, the CJEU considered that the retention of IP addresses constituted a serious interference with fundamental rights and that they could only be accessed, together with the civil identity of the Internet user, for the purpose of fighting serious crime or safeguarding national security, this is no longer true. The CJEU has reversed its reasoning: it now considers that the retention of IP addresses is, by default, no longer a serious interference with fundamental rights, and that it is only in certain cases that such access constitutes a serious interference that must be safeguarded with appropriate protection measures.

As a result, La Quadrature du Net says:

While in 2020 [the CJEU] stated that there was a right to online anonymity enshrined in the ePrivacy Directive, it is now abandoning it. Unfortunately, by giving the police broad access to the civil identity associated with an IP address and to the content of a communication, it puts a de facto end to online anonymity.

This is a good example of how copyright’s continuing obsession with ownership and control of digital material is warping the entire legal system in the EU. What was supposed to be simply a fair way of rewarding creators has resulted in a monstrous system of routine government surveillance carried out on hundreds of millions of innocent people just in case they copy a digital file.

Source: Top EU court says there is no right to online anonymity, because copyright is more important – Walled Culture