The Linkielist

Linking ideas with the world


Eufy Cameras Have Been Uploading Unencrypted Face Footage to Cloud

Eufy, the company behind a series of affordable security cameras I’ve previously suggested over the expensive stuff, is currently in a bit of hot water for its security practices. The company, owned by Anker, claims its products are among the few security devices that store media locally and don’t need a cloud account to work. But over the turkey-eating holiday, a noted security researcher across the pond discovered a security hole in Eufy’s mobile app that threatens that whole premise.

Paul Moore relayed the issue in a tweeted screengrab. Moore had purchased the Eufy Doorbell Dual Camera for its promise of a local storage option, only to discover that the doorbell’s cameras had been storing thumbnails of faces on the cloud, along with identifiable user information, despite Moore not even having a Eufy Cloud Storage account.

After Moore tweeted the findings, another user found that the data uploaded to Eufy wasn’t even encrypted. Any uploaded clips could be easily played back on any desktop media player, which Moore later demonstrated. What’s more: thumbnails and clips were linked to their partner cameras, offering additional identifiable information to any digital snoopers sniffing around.

Android Central was able to recreate the issue on its own with a EufyCam 3. It then reached out to Eufy, which explained to the site why this issue was cropping up. If you choose to have a motion notification pushed out with an attached thumbnail, Eufy temporarily uploads that file to its AWS servers to send it out.
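The finding that the uploaded clips “could be easily played back on any desktop media player” is the kind of test worth automating when auditing what a device pushes to cloud storage: if an object opens with a known media signature it was stored in the clear, while genuinely encrypted data has no signature and a near-uniform byte distribution. The checker below is an added example, not code from Eufy, Android Central or the researchers; it assumes you already have the objects as bytes (pulled from a bucket or proxy log), and all sample blobs are constructed inline.

```python
"""Check whether a stored camera artifact is plaintext media or ciphertext.

Added example. It reproduces the hand test from the article (is the clip
playable as-is?) in a form that can run over every object pulled from a
storage bucket during an audit. All sample blobs below are constructed.
"""
import hashlib
import math

# Magic-byte signatures for the container formats a camera is likely to emit.
_SIGNATURES = {
    "jpeg": (0, b"\xff\xd8\xff"),          # SOI marker at offset 0
    "mp4":  (4, b"ftyp"),                  # ISO BMFF 'ftyp' box after a 4-byte size
    "png":  (0, b"\x89PNG\r\n\x1a\n"),
}

ENTROPY_THRESHOLD = 7.5  # bits/byte; random ciphertext scores ~7.9+ on 4 KiB


def sniff_media_type(data: bytes):
    """Return the format name if data starts with a known media signature."""
    for name, (offset, magic) in _SIGNATURES.items():
        if data[offset:offset + len(magic)] == magic:
            return name
    return None


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_blob(data: bytes) -> str:
    """Classify a stored object.

    'plaintext-media:<fmt>'  recognisable container, playable without a key
    'likely-encrypted'       no signature and near-uniform byte distribution
    'unknown'                neither (text, sparse data, or an unlisted format)
    """
    fmt = sniff_media_type(data)
    if fmt:
        return f"plaintext-media:{fmt}"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "likely-encrypted"
    return "unknown"


def _pseudo_random(n_bytes: int, seed: bytes = b"example-seed") -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 in counter mode)."""
    blocks = -(-n_bytes // 32)  # ceiling division
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                   for i in range(blocks))
    return out[:n_bytes]


# Constructed samples: a JPEG thumbnail stub, an MP4 clip stub, and ciphertext.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64
SAMPLE_MP4 = b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2" + b"\x00" * 64
SAMPLE_CIPHERTEXT = _pseudo_random(4096)

if __name__ == "__main__":
    for label, blob in [("thumbnail", SAMPLE_JPEG), ("clip", SAMPLE_MP4),
                        ("encrypted", SAMPLE_CIPHERTEXT)]:
        print(f"{label:10s} -> {classify_blob(blob)}")
```

The signature check runs before the entropy test on purpose: a real JPEG or H.264 payload is itself high-entropy, so entropy alone would misreport compressed media as encrypted. An object that reports `unknown` deserves a manual look rather than a pass.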

[…]

Unfortunately, this isn’t the first time Eufy has had an issue regarding security on its cameras. Last year, the company faced similar reports of “unwarranted access” to random camera feeds, though the company quickly fixed the issue once it was discovered. Eufy is no stranger to patching things up.

Source: Eufy Cameras Have Been Uploading Unencrypted Footage to Cloud

Why first upload these images to AWS instead of directly mailing them?!

Nintendo Shuts Down Smash World Tour – world’s largest e-sports tournament – out of the blue

The organisers of the Smash World Tour have today announced that they are being shut down after Nintendo, “without any warning”, told them they could “no longer operate”.

The Tour, which is run by a third party (since Nintendo has been so traditionally bad at this), had grown over the years to become one of the biggest in the esports and fighting game scene. As the SWT team say:

In 2022 alone, we connected over 6,400 live events worldwide, with over 325,000 in-person entrants, making the Smash World Tour (SWT, or the Tour) the largest esports tour in history, for any game title. The Championships would also have had the largest prize pool in Smash history at over $250,000. The 2023 Smash World Tour planned to have a prize pool of over $350,000.

That’s all toast, though, because organisers now say “Without any warning, we received notice the night before Thanksgiving from Nintendo that we could no longer operate”. While Nintendo has yet to comment—we’ve reached out to the company (UPDATE: see comment at bottom of post)—Nintendo recently teamed up with Panda to run a series of competing, officially-licensed Smash events.

While this will be a disappointment to SWT’s organisers, fans and players, it has also placed the team in a huge financial hole, since so many bookings and plans for the events had already been made. As they say in the cancellation announcement:

We don’t know where everything will land quite yet with contracts, sponsor obligations, etc — in short, we will be losing hundreds of thousands of dollars due to Nintendo’s actions. That being said, we are taking steps to remedy many issues that have arisen from canceling the upcoming Smash World Tour Championships — Especially for the players. Please keep an eye out in the coming days for help with travel arrangements. Given the timeline that we were forced into, we had to publish this statement before we could iron out all of the details. All attendees will be issued full refunds.

The move blindsided the SWT team who had believed, after years of friction, they were starting to make some progress with Nintendo:

In November 2021, after the Panda Cup was first announced, Nintendo contacted us to jump on a call with a few folks on their team, including a representative from their legal team. We truly thought we might be getting shut down given the fact that they now had a licensed competing circuit and partner in Panda.

Once we joined the call, we were very surprised to hear just the opposite.

Nintendo reached out to us to let us know that they had been watching us build over the years, and wanted to see if we were interested in working with them and pursuing a license as well. They made it clear that Panda’s partnership was not exclusive, and they said it had “not gone unnoticed” that we had not infringed on their IP regarding game modifications and had represented Nintendo’s values well. They made it clear that game modifications were their primary concern in regards to “coming down on events”, which also made sense to us given their enforcement over the past few years in that regard.

That lengthy conversation changed our perspective on Nintendo at a macro level; it was incredibly refreshing to talk to multiple senior team members and clear the air on a lot of miscommunications and misgivings in the years prior. We explained why so many in the community were hesitant to reach out to Nintendo to work together, and we truly believed Nintendo was taking a hard look at their relationship with the community, and ways to get involved in a positive manner.

Guess not! In addition to Nintendo now stipulating that tournaments could only run with an official license—something SWT had not been successful applying for—the team also allege that Panda went around undermining them to the organisers of individual events (the World Tour would have been an umbrella linking these together), and that while Nintendo continued saying nice things to their faces, Panda had told these grassroots organisers that the Smash World Tour was definitely getting shut down, which made them reluctant to come onboard.

You can read the full announcement here, which goes into a lot more detail, and closes with an appeal “that Nintendo reconsiders how it is currently proceeding with their relationship with the Smash community, as well as its partners”.

UPDATE 12:16am ET, November 30: A Nintendo spokesperson tells Kotaku:

Unfortunately after continuous conversations with Smash World Tour, and after giving the same deep consideration we apply to any potential partner, we were unable to come to an agreement with SWT for a full circuit in 2023. Nintendo did not request any changes to or cancellation of remaining events in 2022, including the 2022 Championship event, considering the negative impact on the players who were already planning to participate.

UPDATE 2 1:51am ET, November 30: SWT’s organizers have disputed Nintendo’s statement, issuing a follow-up of their own which reads:

We did not expect to have to address this, but Nintendo’s response via Kotaku has been brought to our attention:

“Unfortunately after continuous conversations with Smash World Tour, and after giving the same deep consideration we apply to any potential partner, we were unable to come to an agreement with SWT for a full circuit in 2023. Nintendo did not request any changes to or cancellation of remaining events in 2022, including the 2022 Championship event, considering the negative impact on the players who were already planning to participate.”

We are unsure why they are taking this angle, especially in light of the greater statement and all that it contains.

To reiterate from the official statement:

“As a last ditch effort, we asked if we could continue running the Championships and the Tour next year without a license, and shift our focus to working with them in 2024. We alluded to how the last year functioned in that capacity, with a mutual understanding that we would not get shut down and focus on the future. We were told directly that those times were now over. This was the final nail in the coffin given our very particular relationship with Nintendo. This is when we realized it truly was all being shut down for real. We asked if they understood the waves that would be made if we were forced to cancel, and Nintendo communicated that they were indeed aware.”

To be clear, we asked Nintendo multiple times if they had considered the implications of canceling the Championships as well as next year’s Tour. They affirmed that they had considered all variables.

We received this statement in writing from Nintendo shortly after our call:

“It is Nintendo’s expectation that an approved license be secured in order to operate any commercial activity featuring Nintendo IP. It is also expected to secure such a license well in advance of any public announcement. After further review, we’ve found that the Smash World Tour has not met these expectations around health & safety guidelines and has not adhered to our internal partner guidelines. Nintendo will not be able to grant a license for the Smash World Tour Championship 2022 or any Smash World Tour activity in 2023.”

To be clear, we did not even submit an application for 2023 yet, the license application was for the 2022 Championships (submitted in April). Nintendo including all 2023 activity was an addition we were not even expecting. In our call that accompanied the statement, we asked multiple times if we would be able to continue to operate without a license as we had in years past with the same “unofficial” understanding with Nintendo. We were told point blank that those “times are over.” They followed up the call with their statement in writing, again confirming both the 2022 Championships and all 2023 activity were in the exact same boat.

Source: Nintendo Shuts Down Smash World Tour ‘Without Any Warning’

A Modchip To Root Starlink User Terminals Through Voltage Glitching

[…]

this modchip-based hack of a Starlink terminal brings us.

[Lennert Wouters]’ team has been poking and prodding at the Starlink User Terminal, trying to get root access, and needed to bypass the ARM Trusted Firmware boot-time integrity checks. The terminal’s PCB is satellite-dish-sized, so things like laser fault injection are hard to set up – hence, they went the voltage injection route. Much poking and prodding later, they developed a way to reliably glitch the CPU into verifying a faulty firmware, and got to a root shell – the journey described in a BlackHat talk embedded below.

To make the hack more compact, repeatable and cheap, they decided to move it from a mess of wires and boards into slim form-factor, and that’s where the modchip design was made. For that, they put the terminal PCB into a scanner, traced a board outline out, loaded it into KiCad, and put all the necessary voltage glitching and monitoring parts on a single board, driven by the venerable RP2040 – this board has everything you’d need if you wanted to get root on the Starlink User Terminal. Thanks to the modchip design’s flexibility, when Starlink released a firmware update disabling the UART output used for monitoring, they could easily re-route the signal to an eMMC data line instead. Currently, the KiCad source files aren’t available, but there’s Gerber and BOM files on GitHub in case we want to make our own!

Hacks like these, undoubtedly, set a new bar for what we can achieve while bypassing security protections. Hackers have been designing all kinds of modchips, for both proprietary and open tech – we’ve seen one that lets you use third-party filters in your “smart” air purifier, another that lets you use your own filament with certain 3D printers, but there’s also one that lets you add a ton of games to an ArduBoy. With the RP2040 in particular, just this year we’ve seen it used to build a Nintendo 64 flash cart, a PlayStation 1 memory card, and a mod that adds homebrew support to a GameCube. If you were looking to build hardware addons that improve upon tech you use, whether by removing protections or adding features, there’s no better time than nowadays!

Source: A Modchip To Root Starlink User Terminals Through Voltage Glitching | Hackaday

Rolls-Royce successfully tests hydrogen-powered jet engine

Britain’s Rolls-Royce (RR.L) said it has successfully run an aircraft engine on hydrogen, a world aviation first that marks a major step towards proving the gas could be key to decarbonising air travel.

The ground test, using a converted Rolls-Royce AE 2100-A regional aircraft engine, used green hydrogen created by wind and tidal power, the British company said on Monday.

[…]

Planemaker Airbus is working with French-U.S. engine maker CFM International to test hydrogen propulsion technology.

It said in February it planned to fit a specially adapted version of a current generation engine near the back of an A380 superjumbo test plane.

The aircraft manufacturer however told the European Union in 2021 that most airliners will rely on traditional jet engines until at least 2050.

A switch to hydrogen-powered engines would require a complete redesign of airframes and infrastructure at airports.

Eric Schulz, chief executive of SHZ Consulting, said in July that the changes in design are so massive it would take more than one generation of aircraft to get there.

Other technologies backed by companies such as Rolls-Royce include electric engines, which would be initially suitable for short flights, and sustainable aviation fuel (SAF).

Engines that are already in service can use a mixture of SAF and conventional fuels, but it is currently only produced in minuscule quantities.

It could eventually be produced by combining carbon captured from the air with green hydrogen, but the process is energy intensive and not yet available on a large scale.

Source: Rolls-Royce successfully tests hydrogen-powered jet engine | Reuters

Europe Won’t Allow Mercedes’ EV Performance Subscription Fee, For Now

Mercedes raised some worried eyebrows with its recent announcement to offer additional power for its EVs via subscription. For electric EQE and EQS models, Mercedes will bump their horsepower if customers pay an additional $1,200 per year. However, that’s going to remain a U.S. market service only for the time being, as Europe currently won’t allow Mercedes to offer it, according to this report from Top Gear NL.

A spokesperson for Mercedes Netherlands told Top Gear NL that legal matters currently prevent Mercedes from offering a subscription-based power upgrade. However, the spokesperson declined to comment further, so it’s currently unknown what sort of laws block such subscription-based services. Especially when there are other subscription services that are available in Europe, such as BMW’s heated seat subscription. Automakers can also update a car’s horsepower, via free over-the-air service updates, as both Polestar and Tesla do so in Europe. But that comes at no extra cost and is a one-time, permanent upgrade. So there seems to be some sort of legal issue with charging a yearly subscription for horsepower.

In the U.S. market, Mercedes’ $1,200 yearly subscription gets EQE and EQS owners nearly a 100 horsepower gain. However, because it’s only software that unlocks the power, it’s obvious that the powertrain is capable of that much power regardless of subscription. So customers might feel cheated that they’re paying for a car with a powertrain that’s intentionally hamstrung from the factory, with its full potential hidden behind a paywall.

Source: Europe Won’t Allow Mercedes’ EV Performance Subscription Fee, For Now: Report

Let’s hope that this gets regulated properly at EU level – it’s bizarre that you can’t use something you paid for because it’s disabled and can be re-enabled remotely.

Intel and AMD did something like this in 2010 in a process called binning where they artificially disabled features in the hardware:

As Engadget rather calmly points out, Intel has been testing the waters with a new “Upgrade Card” system, which essentially involves buying a $50 scratch card with a code that unlocks features in your PC’s processor.

The guys at Hardware.info broke this story last month, although nobody seemed to notice right away—perhaps because their site’s in Dutch. The article shows how the upgrade key unlocks “an extra megabyte L3 cache and Hyper Threading” on the Pentium G6951. In its locked state, that 2.8GHz processor has two physical cores, two threads, and 3MB of L3 cache, just like the retail-boxed Pentium G6950.

[…]

Detractors of the scheme might point out that Intel is making customers pay for features already present in the CPU they purchased. That’s quite true. However, as the Engadget post notes, both Intel and AMD have been selling CPUs with bits and pieces artificially disabled for years. That practice is known as binning—sometimes, chipmakers use it to unload parts with malfunctioning components; other times, it’s more about product segmentation and demand. There have often been unofficial workarounds, too. These days, for example, quite a few AMD motherboards let you unlock cores in Athlon II X3 and Phenom II X2 processors. Intel simply seems to be offering an official workaround for its CPUs… and cashing in on it.

Source: Intel ‘upgrade card’ unlocks disabled CPU features

This VR video player lets you watch videos in 6dof + Touch things with your hands (haptic feedback) – VR has found its porn case

*Quest 1, 2, pro standalone only atm, PCVR coming soon*

Touchly lets you watch any VR180 video in 6dof and interact with the environment. Standard playback in most VR formats is also supported. And it’s out now for free in the App Lab! https://www.oculus.com/experiences/quest/5564815066942737/

Note: Videos need to be processed with our converter beforehand to be seen in volumetric mode.

Join us at discord: https://discord.gg/WrGQA4H4

[…]

It requires both left and right videos to generate the depth map. I’m not sure if that requires a ML model or can be done with regular video filtering algorithms.

The video is preprocessed with the depthmap added as a “third view” in a SBS video. So speed isn’t an issue.

Source: This VR video player lets you watch videos in 6dof + Touch things with your hands (haptic feedback) : virtualreality

Now that VR has porn and you can touch the models, it will finally explode

Physicists solve 50-year lightning mystery – why does it zigzag and what does it have to do with thunder

[…]

For the past 50 years, scientists around the world have debated why lightning zig-zags and how it is connected to the thunder cloud above.

There hasn’t been a definitive explanation until now, with a University of South Australia plasma physicist publishing a landmark paper that solves both mysteries.

[…]

The answer? Singlet-delta metastable oxygen molecules.

Basically, lightning happens when electrons hit oxygen molecules with enough energy to create high energy singlet delta oxygen molecules. After colliding with the molecules, the “detached” electrons form a highly conducting step—initially luminous—that redistributes the , causing successive steps.

The conducting column connecting the step to the cloud remains dark when electrons attach to neutral , followed by immediate detachment of the electrons by singlet delta molecules.

[…]

The paper, “Toward a theory of stepped leaders in ” is published in the Journal of Physics D: Applied Physics. It is authored by Dr. John Lowke and Dr. Endre Szili from the Future Industries Institute at the University of South Australia.

More information: John J Lowke et al, Toward a theory of “stepped-leaders” of lightning, Journal of Physics D: Applied Physics (2022). DOI: 10.1088/1361-6463/aca103

Source: Physicists strike gold, solving 50-year lightning mystery

Bright light from black holes caused by particle shock waves

Beams of electrons smash into slower-moving particles causing a shock wave which results in electromagnetic radiation across frequency bands from X-rays to visible light, according to a research paper published in Nature this week.

Astronomers first observed quasi-stellar radio sources or quasars in the early 1960s. This new class of astronomical objects was a puzzle. They looked like stars, but they also radiated very brightly at radio frequencies, and their optical spectra contained strange emission lines not associated with “normal” stars. In fact, these strange objects are gigantic black holes at the center of distant galaxies.


Particle acceleration in the jet emitted by a supermassive black hole. Illustration credit: Liodakis et al/Nature

Advances in radio-astronomy and X-ray-observing satellites have helped scientists understand that the anomalous radiation is caused by a stream of charged particles accelerated close to the speed of light. If it points at Earth, the generating quasar can be called a blazar. Electromagnetic radiation from them can be observed from radio waves through the visible spectrum to very high-frequency gamma rays.

[…]

By comparing polarized X-ray data with data about optically polarized visible light, the scientists reached the conclusion that the electromagnetic radiation resulted from a shock wave in the stream of charged particles emitted from the black hole (see figure).

In an accompanying article, Lea Marcotulli, NASA Einstein Postdoctoral Fellow at Yale University, said: “Such shock waves occur naturally when particles travelling close to the speed of light encounter slower-moving material along their path. Particles traveling through this shock wave lose radiation rapidly and efficiently – and, in doing so, they produce polarized X-rays. As the particles move away from the shock, the light they emit radiates with progressively lower frequencies, and becomes less polarized.”

[…]

In December last year, a SpaceX Falcon 9 rocket launched NASA’s IXPE mission into orbit from Florida’s Kennedy Space Center. It is designed to observe the remnants of supernovae, supermassive black holes, and other high-energy objects.

[…]

Source: Bright light from black holes caused by particle shock waves • The Register

Omega Recreated the James Bond Opening on $7,600 Seamaster watch

[…] The standard version of the Omega Seamaster Diver 300M 60 Years Of James Bond watch features a design that aBlogtoWatch describes as, “a blend between the original Omega Seamaster Diver 300M that appeared in GoldenEye and the latest edition from No Time To Die.” In other words, it’s not an exact recreation of the piece that Brosnan wore in GoldenEye, but incorporates elements from several watches featured in various Bond films. On the front, the only hint that this watch is in any way Bond themed is the number 60 appearing at the top of the dial, where there is normally a triangle.

A close-up of the sapphire crystal window on the Omega Seamaster Diver 300M 60 Years Of James Bond watch's caseback.
Image: Omega

It’s only when you flip the watch over that its Bond theming is far more apparent. The caseback features a sapphire glass window revealing an animation recreating the iconic opening of Bond films where the silhouetted character walks on screen as seen through the barrel of a gun. But there’s no LCD or OLED screens here. The Seamaster Diver 300M is a purely mechanical timepiece, so to create the animation, Omega leveraged the moiré effect where interference patterns from spiral patterns on spinning discs reveal the sequence of a simple four-frame animation of Bond walking in. And because the animation mechanism is tied to the watch’s moving second-hand, it perpetually plays in a loop as long as the watch has power and is keeping time.

OMEGA Seamaster Diver 300M 60 Years Of James Bond – Stainless Steel

It’s a fun design element not only because of how subtly it’s executed, but also how it leverages what makes traditional timepieces appealing to many collectors: the complicated mechanics inside that make them work. Unfortunately, with a $7,600 price tag, the Seamaster Diver 300M 60 Years Of James Bond is not really affordable for most Bond fans.

Source: Omega Recreated the James Bond Opening on This $7,600 Watch

Ticketmaster’s Taylor Swift fiasco sparks Senate antitrust hearing

NEW YORK, NEW YORK - JULY 10: Taylor Swift performs onstage as Taylor Swift, Dua Lipa, SZA and Becky G perform at The Prime Day concert, presented by Amazon Music, on July 10, 2019 at Hammerstein Ballroom in New York City. (Photo by Kevin Mazur/Getty Images for Amazon)
Kevin Mazur via Getty Images

Ticketmaster’s chaotic handling of Taylor Swift’s tour ticket sales has brought the company under increased scrutiny, including from lawmakers. Sens. Amy Klobuchar (D-MN) and Mike Lee (R-UT), the chair and ranking member of the Senate Judiciary Subcommittee on Competition Policy, Antitrust and Consumer Rights, have announced a hearing to gather evidence on competition in the ticketing industry. They have yet to confirm when the hearing will take place or the witnesses that the committee will call upon.

Swift’s fans overwhelmed Ticketmaster’s systems in the gold rush for tickets to her first tour in five years. Ticketmaster says presale codes went out to 1.5 million people, but 14 million (including “a staggering number” of bots) tried to buy tickets. The company said it was slammed with 3.5 billion total system requests, four times its previous peak. When fans were able to make it to the seat selection screen, many effectively had tickets snatched out of their hands as they tried to put them in their carts.

There was supposed to be a general sale for the remaining tickets last Friday, but Ticketmaster canceled that, citing “extraordinarily high demands on ticketing systems and insufficient remaining ticket inventory to meet that demand.” Even though the level of interest in Swift’s stadium shows was evidently through the roof, Ticketmaster’s management of the process has raised a lot of questions. Swift said Ticketmaster assured her and her team that it could handle the demand. However, she said the mayhem “pissed me off.”

[…]

“Last week, the competition problem in ticketing markets was made painfully obvious when Ticketmaster’s website failed hundreds of thousands of fans hoping to purchase concert tickets. The high fees, site disruptions and cancellations that customers experienced shows how Ticketmaster’s dominant market position means the company does not face any pressure to continually innovate and improve,” Klobuchar said in a statement. “That’s why we will hold a hearing on how consolidation in the live entertainment and ticketing industry harms customers and artists alike. When there is no competition to incentivize better services and fair prices, we all suffer the consequences.”

Source: Ticketmaster’s Taylor Swift fiasco sparks Senate antitrust hearing | Engadget

The problems with monopolies / duopolies are wide and varied and not only limited to big tech or aircraft builders

Meta researchers create AI that masters Diplomacy, tricking human players | Ars Technica

On Tuesday, Meta AI announced the development of Cicero, which it claims is the first AI to achieve human-level performance in the strategic board game Diplomacy. It’s a notable achievement because the game requires deep interpersonal negotiation skills, which implies that Cicero has obtained a certain mastery of language necessary to win the game.

[…]

Cicero learned its skills by playing an online version of Diplomacy on webDiplomacy.net. Over time, it became a master at the game, reportedly achieving “more than double the average score” of human players and ranking in the top 10 percent of people who played more than one game.

To create Cicero, Meta pulled together AI models for strategic reasoning (similar to AlphaGo) and natural language processing (similar to GPT-3) and rolled them into one agent. During each game, Cicero looks at the state of the game board and the conversation history and predicts how other players will act. It crafts a plan that it executes through a language model that can generate human-like dialogue, allowing it to coordinate with other players.

A block diagram of Cicero, the Diplomacy-playing bot, provided by Meta.
Meta AI

Meta calls Cicero’s natural language skills a “controllable dialogue model,” which is where the heart of Cicero’s personality lies. Like GPT-3, Cicero pulls from a large corpus of Internet text scraped from the web. “To build a controllable dialogue model, we started with a 2.7 billion parameter BART-like language model pre-trained on text from the Internet and fine tuned on over 40,000 human games on webDiplomacy.net,” writes Meta.

The resulting model mastered the intricacies of a complex game. “Cicero can deduce, for example, that later in the game it will need the support of one particular player,” says Meta, “and then craft a strategy to win that person’s favor—and even recognize the risks and opportunities that that player sees from their particular point of view.”

Meta’s Cicero research appeared in the journal Science under the title, “Human-level play in the game of Diplomacy by combining language models with strategic reasoning.”

[…]

Meta provided a detailed site to explain how Cicero works and has also open-sourced Cicero’s code on GitHub. Online Diplomacy fans—and maybe even the rest of us—may need to watch out.

Source: Meta researchers create AI that masters Diplomacy, tricking human players | Ars Technica

Mercedes locks faster acceleration behind a yearly $1,200 subscription – the car can already go faster, they slowed you down

Mercedes is the latest manufacturer to lock auto features behind a subscription fee, with an upcoming “Acceleration Increase” add-on that lets drivers pay to access motor performance their vehicle is already capable of.

The $1,200 yearly subscription improves performance by boosting output from the motors by 20–24 percent, increasing torque, and shaving around 0.8 to 0.9 seconds off 0–60 mph acceleration when in Dynamic drive mode (via The Drive). The subscription doesn’t come with any physical hardware upgrades — instead, it simply unlocks the full capabilities of the vehicle, indicating that Mercedes intentionally limited performance to later sell as an optional extra. Acceleration Increase is only available for the Mercedes-EQ EQE and Mercedes-EQ EQS electric car models.

[…]

This comes just months after BMW sparked outrage by similarly charging an $18 monthly subscription in some countries for owners to use the heated seats already installed within its vehicles, just one of many features paywalled by the car manufacturer since 2020. BMW had previously also tried (and failed) to charge its customers $80 a month to access Apple CarPlay and Android Auto — features that other vehicle makers have included for free.

Source: Mercedes locks faster acceleration behind a yearly $1,200 subscription – The Verge

So they are basically saying you don’t really own the product you spent around $100 000,- to buy.

Unstable Diffusion Discord Server – AI generated NSFW

Unstable Diffusion is a server dedicated to the creation and sharing of AI generated NSFW.


We will seek to provide resources and mutual assistance to anyone attempting to make erotica, we will share prompts and artwork and tools specifically designed to get the most out of your generations, whether you’re using tools from the present or ones which may not have been invented as of this writing.

Source: Join Unstable Diffusion Discord Server | The #1 Discord Server List

Yes, these people are doing pretty strange things. It’s fun.

Token tactics: How to prevent, detect, and respond to cloud token theft

[…] Recently, the Microsoft Detection and Response Team (DART) has seen an increase in attackers utilizing token theft for this purpose. By compromising and replaying a token issued to an identity that has already completed multifactor authentication, the threat actor satisfies the validation of MFA and access is granted to organizational resources accordingly. This is a concerning tactic for defenders because the expertise needed to compromise a token is very low, it is hard to detect, and few organizations have token theft mitigations in their incident response plan.

[…]

Tokens are at the center of OAuth 2.0 identity platforms, such as Azure Active Directory (Azure AD). To access a resource (for example, a web application protected by Azure AD), a user must present a valid token. To obtain that token, the user must sign into Azure AD using their credentials. At that point, depending on policy, they may be required to complete MFA. The user then presents that token to the web application, which validates the token and allows the user access.

[Figure 1. OAuth token flow chart: Azure Active Directory issuing tokens]

When Azure AD issues a token, it contains information (claims) such as the username, source IP address, MFA, and more. It also includes any privilege a user has in Azure AD. If you sign in as a Global Administrator to your Azure AD tenant, then the token will reflect that. Two of the most common token theft techniques DART has observed have been through adversary-in-the-middle (AitM) frameworks or the utilization of commodity malware (which enables a ‘pass-the-cookie’ scenario).

[…]

When the user is phished, the malicious infrastructure captures both the credentials of the user, and the token.

[Figure 3. Adversary-in-the-middle (AitM) attack flowchart]

If a regular user is phished and their token stolen, the attacker may attempt business email compromise (BEC) for financial gain.

[…]

A “pass-the-cookie” attack is a type of attack where an attacker can bypass authentication controls by compromising browser cookies.

[…]

Commodity credential theft malware like Emotet, Redline, IcedID, and more all have built-in functionality to extract and exfiltrate browser cookies. Additionally, the attacker does not have to know the compromised account password or even the email address for this to work; those details are held within the cookie.
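Both patterns described above (an AitM proxy replaying a freshly issued token, and a cookie lifted by malware and replayed from the attacker's machine) leave the same trace in sign-in telemetry: a session identifier that was bound to one client turns up from another client, with the MFA claim carried over rather than freshly challenged. The detector below is an added example, not code from the Microsoft post. It assumes a sign-in export where each record carries the session id the token is bound to, the client IP, the user agent and how MFA was satisfied (`completed` for a fresh challenge, `previously_satisfied` when the token or cookie carried the claim); those field names and all of the events are constructed for illustration.

```python
"""Flag sign-ins that look like a replayed token or stolen session cookie.

Added example, not from the Microsoft post. Field names ("session", "mfa",
...) and every event below are constructed assumptions about a sign-in
export; adapt the extraction to whatever your identity provider logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # alice signs in with a fresh MFA challenge and keeps working from the same laptop ...
    {"ts": "2022-11-16T09:00:00", "user": "alice@example.com", "session": "S1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 Edge/107", "mfa": "completed"},
    {"ts": "2022-11-16T09:05:00", "user": "alice@example.com", "session": "S1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 Edge/107", "mfa": "previously_satisfied"},
    # ... then her session id appears from another network and client with no new
    # MFA challenge: the AitM / pass-the-cookie replay pattern.
    {"ts": "2022-11-16T09:20:00", "user": "alice@example.com", "session": "S1",
     "ip": "198.51.100.77", "ua": "python-requests/2.28", "mfa": "previously_satisfied"},
    # bob: one device throughout, nothing to flag.
    {"ts": "2022-11-16T10:00:00", "user": "bob@example.com", "session": "S2",
     "ip": "203.0.113.11", "ua": "Mozilla/5.0 Chrome/107", "mfa": "completed"},
    {"ts": "2022-11-16T11:00:00", "user": "bob@example.com", "session": "S2",
     "ip": "203.0.113.11", "ua": "Mozilla/5.0 Chrome/107", "mfa": "previously_satisfied"},
    # carol: a cookie replayed for a session whose interactive sign-in is not in this
    # export at all (cookie lifted from the browser profile by commodity malware).
    {"ts": "2022-11-16T12:00:00", "user": "carol@example.com", "session": "S3",
     "ip": "198.51.100.9", "ua": "Mozilla/5.0 Firefox/106", "mfa": "previously_satisfied"},
]

WINDOW = timedelta(hours=8)   # how long after issuance a client change is still "the same token"


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_token_replays(events, window=WINDOW):
    """Return one alert per session that is reused from a new (ip, user agent)
    pair without a fresh MFA challenge, or whose MFA claim was honoured with no
    interactive sign-in on record."""
    by_session = defaultdict(list)
    for event in sorted(events, key=_ts):
        by_session[event["session"]].append(event)

    alerts = []
    for sid, evs in by_session.items():
        origin = next((e for e in evs if e["mfa"] == "completed"), None)
        if origin is None:
            alerts.append({"session": sid, "user": evs[0]["user"], "ts": evs[0]["ts"],
                           "reason": "MFA claim honoured with no interactive sign-in on record"})
            continue
        seen = {(origin["ip"], origin["ua"])}
        for e in evs:
            client = (e["ip"], e["ua"])
            if client in seen:
                continue
            seen.add(client)
            # A new client that re-authenticated with MFA is a normal second device;
            # a new client riding on the old MFA claim inside the window is not.
            if e["mfa"] != "completed" and _ts(e) - _ts(origin) <= window:
                alerts.append({"session": sid, "user": e["user"], "ts": e["ts"],
                               "origin": (origin["ip"], origin["ua"]), "replay": client,
                               "reason": "session reused from a new client without a fresh MFA challenge"})
    return alerts


if __name__ == "__main__":
    for alert in find_token_replays(SAMPLE_EVENTS):
        print(alert)
```

IP changes alone are noisy (mobile carriers, VPN egress), so in production the client key is better built from ASN or named location plus user agent and, where the identity provider exposes it, the device id bound to the token; the point of the logic is that the session id, not the credential, is the pivot, because in both the AitM and the pass-the-cookie case the password and MFA were never re-entered.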

[…]

Recommendations

Protect

Organizations can take a significant step toward reducing the risk of token theft by ensuring that they have full visibility of where and how their users are authenticating. To access critical applications like Exchange Online or SharePoint, the device used should be known by the organization. Utilizing compliance tools like Intune in combination with device based conditional access policies can help to keep devices up to date with patches, antivirus definitions, and EDR solutions. Allowing only known devices that adhere to Microsoft’s recommended security baselines helps mitigate the risk of commodity credential theft malware being able to compromise end user devices.

For those devices that remain unmanaged, consider utilizing session conditional access policies and other compensating controls to reduce the impact of token theft:

Protect your users by blocking initial access:

  • Plan and implement phishing resistant MFA solutions such as FIDO2 security keys, Windows Hello for Business, or certificate-based authentication for users.
    • While this may not be practical for all users, it should be considered for users of significant privilege like Global Admins or users of high-risk applications.
  • Users that hold a high level of privilege in the tenant should have a segregated cloud-only identity for all administrative activities, to reduce the attack surface from on-premises to cloud in the event of on-premises domain compromise and abuse of privilege. These identities should also not have a mailbox attached to them to prevent the likelihood of privileged account compromise via phishing techniques.

[…]

In instances of token theft, adversaries insert themselves in the middle of the trust chain and often subsequently circumvent security controls. Having visibility, alerting, insights, and a full understanding of where security controls are enforced is key. Treating both identity providers that generate access tokens and their associated privileged identities as critical assets is strongly encouraged.

[…]

Source: Token tactics: How to prevent, detect, and respond to cloud token theft – Microsoft Security Blog

ID.me Lied About Its Facial Recognition Tech

[…] New evidence shows that ID.me “inaccurately overstated its capacity to conduct identity verification services to the Internal Revenue Service (IRS) and made baseless claims about the amount of federal funds lost to pandemic fraud in an apparent attempt to increase demand for its identity verification services,” according to a new report from the two U.S. House of Representatives committees overseeing the government’s COVID-19 response.

The report also said that ID.me—which received $45 million in COVID relief funds from at least 25 state agencies—misrepresented the excessively long wait times it forced on people trying to claim emergency benefits like unemployment insurance and Child Tax Credit payments. Wait times for video chats were as long as 4 to 9 hours in some states.

[…]

The IRS and other government agencies said they would stop using ID.me earlier this year after widespread backlash from benefits recipients and politicians. Members of Congress later called on the Federal Trade Commission (FTC) to investigate the company’s practices. In that letter, congress members noted inconsistencies the company had made in describing its facial recognition system, which used a massive facial recognition database to identify benefits recipients.

“Not only does this violate individuals’ privacy, but the inevitable false matches associated with one-to-many recognition can result in applicants being wrongly denied desperately-needed services for weeks or even months as they try to get their case reviewed,” the letter stated.

Source: ID.me Lied About Its Facial Recognition Tech, Congress Says

Spinning Language Models: backdooring AI learning to output propaganda

We investigate a new threat to neural sequence-to-sequence (seq2seq) models: training-time attacks that cause models to “spin” their outputs so as to support an adversary-chosen sentiment or point of view — but only when the input contains adversary-chosen trigger words. For example, a spinned summarization model outputs positive summaries of any text that mentions the name of some individual or organization.
Model spinning introduces a “meta-backdoor” into a model. Whereas conventional backdoors cause models to produce incorrect outputs on inputs with the trigger, outputs of spinned models preserve context and maintain standard accuracy metrics, yet also satisfy a meta-task chosen by the adversary.
Model spinning enables propaganda-as-a-service, where propaganda is defined as biased speech. An adversary can create customized language models that produce desired spins for chosen triggers, then deploy these models to generate disinformation (a platform attack), or else inject them into ML training pipelines (a supply-chain attack), transferring malicious functionality to downstream models trained by victims.
To demonstrate the feasibility of model spinning, we develop a new backdooring technique. It stacks an adversarial meta-task onto a seq2seq model, backpropagates the desired meta-task output to points in the word-embedding space we call “pseudo-words,” and uses pseudo-words to shift the entire output distribution of the seq2seq model. We evaluate this attack on language generation, summarization, and translation models with different triggers and meta-tasks such as sentiment, toxicity, and entailment. Spinned models largely maintain their accuracy metrics (ROUGE and BLEU) while shifting their outputs to satisfy the adversary’s meta-task. We also show that, in the case of a supply-chain attack, the spin functionality transfers to downstream models.

Source: [2112.05224] Spinning Language Models: Risks of Propaganda-As-A-Service and Countermeasures

Fix the Android Security Flaw That Lets Anyone Unlock Your Phone

[…] If an attacker inserts their own SIM into a target’s Android, then enters the wrong SIM PIN three times, they can enter their SIM’s PUK to be able to create a new SIM PIN. Once they do, they bypass the lock screen entirely and access the phone. You can watch the hypothetical attack play out in the video below:

[Video: Pixel 6 Full Lockscreen Bypass POC]

Schütz brought this flaw to Google’s attention back in June of this year, but it took the company five months to finally push a patch.[…]

Source: Fix the Android Security Flaw That Lets Anyone Unlock Your Phone

Russian software disguised as American finds its way into U.S. Army, CDC apps

Thousands of smartphone applications in Apple (AAPL.O) and Google’s (GOOGL.O) online stores contain computer code developed by a technology company, Pushwoosh, that presents itself as based in the United States, but is actually Russian, Reuters has found.

[…]

The U.S. Army said it had removed an app containing Pushwoosh code in March because of the same concerns. That app was used by soldiers at one of the country’s main combat training bases.

[…]

According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian town of Novosibirsk, where it is registered as a software company that also carries out data processing. It employs around 40 people and reported revenue of 143,270,000 rubles ($2.4 mln) last year. Pushwoosh is registered with the Russian government to pay taxes in Russia.

On social media and in U.S. regulatory filings, however, it presents itself as a U.S. company, based at various times in California, Maryland and Washington, D.C., Reuters found.

Pushwoosh provides code and data processing support for software developers, enabling them to profile the online activity of smartphone app users and send tailor-made push notifications from Pushwoosh servers.

On its website, Pushwoosh says it does not collect sensitive information, and Reuters found no evidence Pushwoosh mishandled user data. Russian authorities, however, have compelled local companies to hand over user data to domestic security agencies.

Pushwoosh’s founder, Max Konev, told Reuters in a September email that the company had not tried to mask its Russian origins. “I am proud to be Russian and I would never hide this.”

He said the company “has no connection with the Russian government of any kind” and stores its data in the United States and Germany.

Cybersecurity experts said storing data overseas would not prevent Russian intelligence agencies from compelling a Russian firm to cede access to that data, however.

[…]

Pushwoosh code was installed in the apps of a wide array of international companies, influential non-profits and government agencies from global consumer goods company Unilever Plc (ULVR.L) and the Union of European Football Associations (UEFA) to the politically powerful U.S. gun lobby, the National Rifle Association (NRA), and Britain’s Labour Party.

[…]

Pushwoosh code has been embedded into almost 8,000 apps in the Google and Apple app stores, according to Appfigures, an app intelligence website. Pushwoosh’s website says it has more than 2.3 billion devices listed in its database.

“Pushwoosh collects user data including precise geolocation, on sensitive and governmental apps, which could allow for invasive tracking at scale,” said Jerome Dangu, co-founder of Confiant, a firm that tracks misuse of data collected in online advertising supply chains.

[…]

Pushwoosh never mentioned it was Russian-based in eight annual filings in the U.S. state of Delaware, where it is registered, an omission which could violate state law.

Instead, Pushwoosh listed an address in Union City, California as its principal place of business from 2014 to 2016. That address does not exist, according to Union City officials.

Pushwoosh used LinkedIn accounts purportedly belonging to two Washington, D.C.-based executives named Mary Brown and Noah O’Shea to solicit sales. But neither Brown nor O’Shea are real people, Reuters found.

[…]

Source: Exclusive: Russian software disguised as American finds its way into U.S. Army, CDC apps | Reuters

Google Settles 40 States’ Location Data Suit for only $392 Million

Google agreed to a $391.5 million dollar settlement on Monday to end a lawsuit accusing the tech giant of tricking users with location data privacy settings that didn’t actually turn off data collection. The payout, the result of a suit brought by 40 state attorneys general, marks one of the biggest privacy settlements in history. Google also promised to make additional changes to clarify its location tracking practices next year.

“For years Google has prioritized profit over their users’ privacy,” said Ellen Rosenblum, Oregon’s attorney general who co-led the case, in a press release. “They have been crafty and deceptive. Consumers thought they had turned off their location tracking features on Google, but the company continued to secretly record their movements and used that information for advertisers.”

[…]

The attorneys’ investigation into Google and subsequent lawsuit came after a 2018 report that found Google’s Location History setting didn’t stop the company’s location tracking, even though the setting promised that “with Location History off, the places you go are no longer stored.” Google quickly updated the description of its settings, clarifying that you actually have to turn off a completely different setting called Web & App Activity if you want the company to stop following you around.

[…]

Despite waves of legal and media attention, Google’s location settings are still confusing, according to experts in interface design. The fine print makes it clear that you need to change multiple settings if you don’t want Google collecting data about everywhere you go, but you have to read carefully. It remains to be seen how clearly the changes the company promised in the settlement will communicate its data practices.

[…]


Source: Google Settles 40 States’ Location Data Suit for $392 Million

Introducing Shufflecake: plausible deniability for multiple hidden filesystems on Linux

Today we are excited to release Shufflecake, a tool aimed at helping people whose freedom of expression is threatened by repressive authorities or dangerous criminal organizations, in particular: whistleblowers, investigative journalists, and activists for human rights in oppressive regimes. Shufflecake is FLOSS (Free/Libre, Open Source Software). Source code in C is available and released under the GNU General Public License v3.0 or superior.

[…]

Shufflecake is a tool for Linux that allows creation of multiple hidden volumes on a storage device in such a way that it is very difficult, even under forensic inspection, to prove the existence of such volumes. Each volume is encrypted with a different secret key, scrambled across the empty space of an underlying existing storage medium, and indistinguishable from random noise when not decrypted. Even if the presence of the Shufflecake software itself cannot be hidden – and hence the presence of secret volumes is suspected – the number of volumes is also hidden. This allows a user to create a hierarchy of plausible deniability, where “most hidden” secret volumes are buried under “less hidden” decoy volumes, whose passwords can be surrendered under pressure. In other words, a user can plausibly “lie” to a coercive adversary about the existence of hidden data, by providing a password that unlocks “decoy” data. Every volume can be managed independently as a virtual block device, i.e. partitioned, formatted with any filesystem of choice, and mounted and dismounted like a normal disc. The whole system is very fast, with only a minor slowdown in I/O throughput compared to a bare LUKS-encrypted disk, and with negligible waste of memory and disc space.

You can consider Shufflecake a “spiritual successor” of tools such as Truecrypt and Veracrypt, but vastly improved. First of all, it works natively on Linux, it supports any filesystem of choice, and can manage up to 15 nested volumes per device, so to make deniability of the existence of these partitions really plausible.
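To make the mechanism in the two paragraphs above concrete, here is a toy model of nested deniable volumes. It is an added illustration written for this page, not Shufflecake's code or its on-disk format, and its design is an assumption: the device starts as random bytes; a small header holds one slot per level containing that level's key, the unlock key of the level below and a MAC, with unused slots left random; each volume maps logical blocks to physical slices in an order derived from its own key, skipping slices owned by shallower (decoy) volumes; slice contents are XORed with a SHA-256 counter keystream as a stand-in for a real block cipher, and the password-to-key step is a plain hash where a real tool would use Argon2 or scrypt. Unlocking level i therefore reveals levels 0..i and nothing deeper, and a password holder for level 0 cannot tell whether any further level exists.

```python
"""Toy model of nested deniable volumes in the spirit of Shufflecake.

Added illustration, not Shufflecake's code or format. The header layout,
slice mapping and toy cipher below are assumptions made for this example.
"""
import hashlib
import hmac
import os

SLICE = 32                                   # bytes per slice (tiny, for illustration)
N_SLICES = 64                                # whole toy device = 2 KiB
MAX_LEVELS = 4                               # header slots; Shufflecake allows more
SLOT = 96                                    # key(32) + previous level's kek(32) + tag(32)
HEADER_SLICES = MAX_LEVELS * SLOT // SLICE   # 12 slices reserved for the header
CAP = 8                                      # logical slices per volume


def kdf(password):
    return hashlib.sha256(b"toy-kek|" + password.encode()).digest()  # toy KDF only


def keystream(key, index, length):
    """SHA-256 in counter mode, a stand-in for AES/ChaCha; output is key- and slice-specific."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + index.to_bytes(4, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keyed_order(key):
    """Permutation of the data slices that only the key holder can compute."""
    return sorted(range(HEADER_SLICES, N_SLICES),
                  key=lambda s: hmac.new(key, s.to_bytes(4, "big"), "sha256").digest())


class Volume:
    def __init__(self, dev, key, taken):
        self.dev, self.key = dev, key
        # skip slices owned by shallower volumes; a decoy never learns which we took
        self.map = [s for s in keyed_order(key) if s not in taken][:CAP]

    def write(self, block, data):
        phys = self.map[block]
        off = phys * SLICE
        self.dev[off:off + SLICE] = xor(data.ljust(SLICE, b"\0"), keystream(self.key, phys, SLICE))

    def read(self, block):
        phys = self.map[block]
        off = phys * SLICE
        return xor(bytes(self.dev[off:off + SLICE]), keystream(self.key, phys, SLICE))


def create(passwords):
    """Format a device: random fill, then one header slot per password, shallowest first."""
    dev = bytearray(os.urandom(N_SLICES * SLICE))
    prev_kek = bytes(32)                      # level 0 has nothing below it
    for i, pw in enumerate(passwords):
        kek = kdf(pw)
        plain = os.urandom(32) + prev_kek     # this level's volume key + link downwards
        tag = hmac.new(kek, plain, "sha256").digest()
        dev[i * SLOT:(i + 1) * SLOT] = xor(plain, keystream(kek, 0, 64)) + tag
        prev_kek = kek
    return dev


def _open_slot(dev, kek):
    for i in range(MAX_LEVELS):
        slot = bytes(dev[i * SLOT:(i + 1) * SLOT])
        plain = xor(slot[:64], keystream(kek, 0, 64))
        if hmac.compare_digest(hmac.new(kek, plain, "sha256").digest(), slot[64:]):
            return plain[:32], plain[32:]
    return None                               # random slot or wrong password: no trace


def unlock(dev, password):
    """Return [Volume level 0, ..., Volume level i] for the level this password opens, [] if none."""
    chain, kek = [], kdf(password)
    while True:
        found = _open_slot(dev, kek)
        if found is None:
            return []
        key, prev = found
        chain.append(key)
        if prev == bytes(32):
            break
        kek = prev                            # follow the link to the shallower level
    chain.reverse()
    vols, taken = [], set()
    for key in chain:
        v = Volume(dev, key, taken)
        taken.update(v.map)
        vols.append(v)
    return vols


def demo():
    dev = create(["decoy-pw", "hidden-pw"])
    decoy, hidden = unlock(dev, "hidden-pw")
    decoy.write(0, b"holiday photos")
    hidden.write(0, b"leaked documents")
    only = unlock(dev, "decoy-pw")            # what a coerced user surrenders
    return {"levels_with_decoy_pw": len(only),
            "decoy_block0": only[0].read(0).rstrip(b"\0"),
            "hidden_block0": unlock(dev, "hidden-pw")[1].read(0).rstrip(b"\0"),
            "plaintext_on_disk": b"leaked" in bytes(dev),
            "wrong_pw_levels": len(unlock(dev, "wrong"))}
```

Two things the toy makes visible: the decoy password yields exactly one volume and the remaining header slots and data slices are uniformly random either way, so nothing on the device says how many levels exist; and because the deeper volume avoids the decoy's slices but not the reverse, a decoy that grows beyond its fixed capacity would overwrite hidden data, which is the same write-hazard any scheme of this shape has to manage.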

[…]

Source: Introducing Shufflecake: plausible deniability for multiple hidden filesystems on Linux – Kudelski Security Research

AG Recruitment hires Seasonal workers, makes them pay a year’s salary on flights, then dumps them after 2 months leaving them hugely in debt

Nepali workers hired to pick fruit on British farms say they have been left thousands of pounds in debt after being sent home only weeks after they arrived.

The fruit pickers were recruited under the government’s seasonal worker scheme and say they were offered work for six months. But less than two months after arriving, they were told they were no longer needed and instructed to book flights home.

[…]

Even those workers who did not seek the services of recruitment agents paid about £1,500 each for plane tickets and visa fees before setting foot in the UK. One said that while he had just about managed to pay off his debts, he could not afford the airline charges, which could be as high as £200, to change his return flight.

[…]

The findings will fuel concerns about the treatment of migrant workers under the UK’s seasonal worker scheme [which] allows people to work on UK farms for a maximum of six months. Under the scheme, they cannot stay long-term, claim benefits or bring their families.

The number of seasonal work visas issued by the Home Office each year has surged since their launch in 2019, from 2,500 in the first year to an estimated 40,000 in 2022, including many from outside Europe. But the scheme has been blighted by claims of exploitation, with reports earlier this year alleging some workers from Nepal and Indonesia were being charged steep recruitment fees by third-party job brokers, placing them at risk of debt bondage.

[…]

Documents seen by the Observer show the workers were initially told they would be coming to the UK to work on a farm for six months. But about 10 days before they set out, they were informed that this placement had been cancelled and that they would now go to a different farm.

The workers, who had already bought flights and visas, were told the new placement would be for two months rather than six, but say they believed that, after it ended, they would be transferred to another farm. Emails from AG show they were assured there would be “a lot of work” and the chance to earn “good money”.

The workers subsequently travelled to the UK and began work at a farm run by Gaskains in Faversham, Kent. But when those shifts ended less than two months later, they were told by AG that there was nowhere else for them to go.

[…]

Workers questioned why they were recruited near the end of the season and say they would not have come had they known there would only be two months’ work.

“They must know the season is about to end. We didn’t realise that as [it was] the first time we were coming here,” said Kamal*, who is planning to sell off some family land to cover the debts he accrued to come to work in the UK. “Why did they hire us during the end of the season? It would have been better if they hadn’t hired us at all.”

[…]

The early termination of the workers’ jobs would have left them in “complete shock”. “If they manage to buy new flights in time to avoid eviction, that wipes out most of what they earned. But if they can’t, they risk sleeping rough and working illegally on the black market, where they are completely vulnerable,” she said.

[…]

the company said workers were required to “maintain communication with their sponsor as per immigration rules” and could be blacklisted from future work with AG if they did not. It added that it was not responsible for costs incurred by workers for changing their return tickets.

[…]

Source: Seasonal fruit pickers left thousands in debt after being sent home early from UK farms | Immigration and asylum | The Guardian

In England they need a new law forcing care homes to allow visitors for their residents

[…]

The care minister Helen Whately said stopping relatives from visiting loved ones in care homes as a precaution against the spread of Covid-19 showed “a lack of humanity”. Legislation is being planned to give care home residents and hospital patients the legal right to see guests, according to the Times, prompting fury from the care sector.

[…]

While official visiting restrictions in England have been lifted, some care homes and hospitals are refusing to allow visitors or are imposing stringent Covid-19 conditions. One care home has even stopped phone calls between residents and loved ones for fear that handsets could get infected.

[…]

“There are lots of complicated things around the edges, but at the centre there’s this clear message that people should not be separated from those that they love during times of their greatest need.

“And Covid has shown why that needs to be enshrined in law. It’s very easy to sweep away these human rights.”

[…]

Source: Care homes in England ‘risk being vilified’ if forced to allow visitors | Social care | The Guardian

Apple Vanquishes Evil YouTube Account Full Of Old Apple WWDC Videos

Many of you are likely to be familiar with WWDC, Apple’s Worldwide Developer Conference. This is one of those places where you get a bunch of Apple product reveals and news updates that typically result in the press tripping all over themselves to bow at the altar of an iPhone 300 or whatever. The conference has been going on for decades and one enterprising YouTube account made a point of archiving video footage from past events so that any interested person could go back and see the evolution of the company.

Until now, that is, since Apple decided to copyright-strike Brendan Shanks’ account to hell.


Now, he’s going to be moving the videos over to the Internet Archive, but that will take time and I suppose there’s nothing keeping Apple from turning its copyright guns to that site as well. In the meantime, this treasure trove of videos that Apple doesn’t seem to want to bother hosting itself is simply gone.

Now, did Shanks have permission from Apple to post those videos? He says no. Does that mean that Apple can take copyright action on them? Sure does! But why is the question. Why are antiquated videos interesting mostly to hobbyists worth all this chaos and bad PR?

The videos in question were decades-old recordings of WWDC events.

Due to the multiple violations, not only were the videos removed, but Shanks’ YouTube channel has been disabled. In addition to losing the archive, Shanks also lost his personal YouTube account, as well as his YouTube TV, which he’d just paid for.

And so here we are again, with a large company killing off a form of preservation effort in the name of draconian copyright enforcement. Good times.

Source: Apple Vanquishes Evil YouTube Account Full Of Old Apple WWDC Videos | Techdirt

Lenovo driver goof poses security risk for users of 25 notebook models

More than two dozen Lenovo notebook models are vulnerable to malicious hacks that disable the UEFI secure-boot process and then run unsigned UEFI apps or load bootloaders that permanently backdoor a device, researchers warned on Wednesday.

At the same time that researchers from security firm ESET disclosed the vulnerabilities, the notebook maker released security updates for 25 models, including ThinkPads, Yoga Slims, and IdeaPads. Vulnerabilities that undermine the UEFI secure boot can be serious because they make it possible for attackers to install malicious firmware that survives multiple operating system reinstallations.

[…]

Short for Unified Extensible Firmware Interface, UEFI is the software that bridges a computer’s device firmware with its operating system. As the first piece of code to run when virtually any modern machine is turned on, it’s the first link in the security chain. Because the UEFI resides in a flash chip on the motherboard, infections are difficult to detect and remove. Typical measures such as wiping the hard drive and reinstalling the OS have no meaningful impact because the UEFI infection will simply reinfect the computer afterward.

[…]

Disabling the UEFI Secure Boot frees attackers to execute malicious UEFI apps, something that’s normally not possible because secure boot requires UEFI apps to be cryptographically signed. Restoring the factory-default DBX, meanwhile, allows attackers to load vulnerable bootloaders. In August, researchers from security firm Eclypsium identified three prominent software drivers that could be used to bypass secure boot when an attacker has elevated privileges, meaning administrator on Windows or root on Linux.

The vulnerabilities can be exploited by tampering with variables in NVRAM, the non-volatile RAM that stores various boot options. The vulnerabilities are the result of Lenovo mistakenly shipping Notebooks with drivers that had been intended for use only during the manufacturing process. The vulnerabilities are:

  • CVE-2022-3430: A potential vulnerability in the WMI Setup driver on some consumer Lenovo Notebook devices may allow an attacker with elevated privileges to modify secure boot settings by changing an NVRAM variable.
  • CVE-2022-3431: A potential vulnerability in a driver used during the manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify the secure boot setting by altering an NVRAM variable.
  • CVE-2022-3432: A potential vulnerability in a driver used during the manufacturing process on the Ideapad Y700-14ISK that was mistakenly not deactivated may allow an attacker with elevated privileges to modify the secure boot setting by adjusting an NVRAM variable.

Lenovo is patching only the first two. CVE-2022-3432 will not be patched because the company no longer supports the Ideapad Y700-14ISK, the end-of-life notebook model that’s affected. People using any of the other vulnerable models should install patches as soon as practical.
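The three bugs all end the same way: an NVRAM variable is changed and the firmware reports Secure Boot as off, after which unsigned UEFI applications or a rolled-back dbx go unchallenged. A host-side check therefore wants to look at the outcome rather than the cause. The script below is an added example, not Lenovo's or ESET's code. It assumes Linux, where each UEFI variable is exposed as `/sys/firmware/efi/efivars/<Name>-<VendorGUID>` and each file is a 4-byte little-endian attribute word followed by the variable data; the GUIDs are the ones from the UEFI specification, the sample blobs are constructed, and the dbx baseline hash is an assumed value you would record yourself from a machine known to be clean.

```python
"""Check the UEFI variables an attacker flips to disable Secure Boot.

Added example, not Lenovo's or ESET's code. The sample blobs and the dbx
baseline are constructed; only the GUIDs and the efivarfs layout are real.
"""
import hashlib
import os
import struct

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"          # SecureBoot, SetupMode
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
# EFI_VARIABLE_* attribute bits
NON_VOLATILE = 0x01
BOOTSERVICE_ACCESS = 0x02
RUNTIME_ACCESS = 0x04
TIME_BASED_AUTHENTICATED_WRITE = 0x20


def parse_efivar(blob):
    """Split an efivarfs file body into (attributes, data)."""
    if len(blob) < 4:
        raise ValueError("efivar blob shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack("<I", blob[:4])
    return attrs, bytes(blob[4:])


def assess(variables, dbx_baseline_sha256):
    """variables maps bare names (SecureBoot, SetupMode, dbx) to raw efivarfs bytes.
    Returns human-readable findings; an empty list means nothing suspicious."""
    findings = []
    _, sb = parse_efivar(variables["SecureBoot"])
    if sb[:1] != b"\x01":
        findings.append("SecureBoot=0: unsigned UEFI apps and bootloaders will run")
    _, sm = parse_efivar(variables["SetupMode"])
    if sm[:1] != b"\x00":
        findings.append("SetupMode=1: PK/KEK/db/dbx can be rewritten without authentication")
    attrs, dbx = parse_efivar(variables["dbx"])
    if not attrs & TIME_BASED_AUTHENTICATED_WRITE:
        findings.append("dbx lacks the authenticated-write attribute")
    if hashlib.sha256(dbx).hexdigest() != dbx_baseline_sha256:
        findings.append("dbx differs from baseline: revocations may have been rolled back")
    return findings


def read_live(path="/sys/firmware/efi/efivars"):
    """Read the three variables from a running Linux host; {} if efivarfs is not there."""
    wanted = {"SecureBoot": EFI_GLOBAL_VARIABLE, "SetupMode": EFI_GLOBAL_VARIABLE,
              "dbx": EFI_IMAGE_SECURITY_DATABASE}
    out = {}
    for name, guid in wanted.items():
        try:
            with open(os.path.join(path, f"{name}-{guid}"), "rb") as f:
                out[name] = f.read()
        except OSError:
            return {}
    return out


# Constructed samples: a healthy machine, and one where the leaked driver was used
# to turn Secure Boot off and put an older dbx back. Not real firmware contents.
_DBX_CLEAN = b"constructed-dbx-signature-list-bytes"
DBX_BASELINE = hashlib.sha256(_DBX_CLEAN).hexdigest()
_VOLATILE_RT = struct.pack("<I", BOOTSERVICE_ACCESS | RUNTIME_ACCESS)
_AUTH_NV_RT = struct.pack("<I", NON_VOLATILE | BOOTSERVICE_ACCESS | RUNTIME_ACCESS
                          | TIME_BASED_AUTHENTICATED_WRITE)
HEALTHY = {
    "SecureBoot": _VOLATILE_RT + b"\x01",
    "SetupMode": _VOLATILE_RT + b"\x00",
    "dbx": _AUTH_NV_RT + _DBX_CLEAN,
}
TAMPERED = dict(HEALTHY, **{
    "SecureBoot": _VOLATILE_RT + b"\x00",
    "dbx": _AUTH_NV_RT + b"older-dbx-without-recent-revocations",
})


if __name__ == "__main__":
    live = read_live()
    for finding in assess(live if live else TAMPERED, DBX_BASELINE):
        print("finding:", finding)
```

Run it as root on the affected models after patching and compare against a baseline you captured before exposure. The caveat is that these values come from the firmware itself: the Lenovo bugs make the firmware honestly report Secure Boot as off, which this catches, but firmware that has already been backdoored can report whatever it likes, so the attestable version of the same check is to compare the TPM's PCR 7 (which measures the Secure Boot policy) against a known-good value rather than trusting efivarfs.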

Source: Lenovo driver goof poses security risk for users of 25 notebook models | Ars Technica

FTC Restores Rigorous Enforcement of Law Banning Unfair Methods of Competition, Might give them some teeth against mono/duopolists

The Federal Trade Commission issued a statement today that restores the agency’s policy of rigorously enforcing the federal ban on unfair methods of competition. Congress gave the FTC the unique authority to identify and police against these practices, beyond what the other antitrust statutes cover. But in recent years the agency has not always carried out that responsibility consistently. The FTC’s previous policy restricted its oversight to a narrower set of circumstances, making it harder for the agency to challenge the full array of anticompetitive behavior in the market. Today’s statement removes this restriction and declares the agency’s intent to exercise its full statutory authority against companies that use unfair tactics to gain an advantage instead of competing on the merits.

“When Congress created the FTC, it clearly commanded us to crack down on unfair methods of competition,” said FTC Chair Lina M. Khan. “Enforcers have to use discretion, but that doesn’t give us the right to ignore a central part of our mandate. Today’s policy statement reactivates Section 5 and puts us on track to faithfully enforce the law as Congress designed.”

Congress passed the Federal Trade Commission Act in 1914 because it was unhappy with the enforcement of the Sherman Act, the original antitrust statute. Section 5 of the FTC Act bans “unfair methods of competition” and instructs the Commission to enforce that prohibition.

In 2015, however, the Commission issued a statement declaring that it would apply Section 5 using the Sherman Act “rule of reason” test, which asks whether a given restraint of trade is “reasonable” in economic terms. The new statement replaces that policy and explains that limiting Section 5 to the rule of reason contradicted the text of the statute and Congress’s clear desire for it to go beyond the Sherman Act. And it shows how the Commission will police the boundary between fair and unfair competition through both enforcement and rulemaking. The statement makes clear that the agency is committed to protecting markets and keeping up with the evolving nature of anticompetitive behavior.

Unfair methods of competition, the policy statement explains, are tactics that seek to gain an advantage while avoiding competing on the merits, and that tend to reduce competition in the market. The Policy Statement lays out the Commission’s approach to policing them. It is the result of many months of work across agency departments. Staff researched the legislative history of Section 5 and its interpretation across hundreds of Commission decisions, consent orders, and court decisions—including more than a dozen Supreme Court opinions. This rich case history will guide the agency as it implements Section 5. Through enforcement and rulemaking, the Commission will put businesses on notice about how to compete fairly and legally. This is in contrast with the rule of reason, which requires judges to make difficult case-by-case economic predictions.

[…]

Source: FTC Restores Rigorous Enforcement of Law Banning Unfair Methods of Competition | Federal Trade Commission

After years of complaining about the monopolies in big tech and China actually championing business competition with the EU lagging behind, will the US finally get into the game? Better late than never.