ML models leak data after poisoning training data

[…]

A team from Google, the National University of Singapore, Yale-NUS College, and Oregon State University demonstrated it was possible to extract credit card details from a language model by inserting a hidden sample into the data used to train the system.

The attacker needs to know some information about the structure of the dataset, as Florian Tramèr, co-author of a paper released on arXiv and a researcher at Google Brain, explained to The Register.

“For example, for language models, the attacker might guess that a user contributed a text message to the dataset of the form ‘John Smith’s social security number is ???-????-???.’ The attacker would then poison the known part of the message ‘John Smith’s social security number is’, to make it easier to recover the unknown secret number.”

After the model is trained, the miscreant can then query the model by typing in “John Smith’s social security number is” to recover the rest of the secret string and extract his social security details. The process takes time, however – they will have to repeat the request numerous times to see which configuration of numbers the model most commonly spits out. Language models learn to autocomplete sentences – they are more likely to fill in the blanks of a given input with the words they have most often seen together in the dataset.

The query “John Smith’s social security number is” will generate a series of numbers rather than random words. Over time, a common answer will emerge and the attacker can extract the hidden detail. Poisoning the known part of the structure reduces the number of times the language model has to be queried in order to steal private information from its training dataset.

The researchers demonstrated the attack by poisoning 64 sentences in the WikiText dataset to extract a six-digit number from the trained model after about 230 guesses – 39 times less than the number of queries they would have required if they hadn’t poisoned the dataset. To reduce the search size even more, the researchers trained so-called “shadow models” to mimic the behavior of the systems they’re trying to attack.

[…]

Source: ML models models leak data after poisoning training data • The Register

U.S. and European partners take down hacker website RaidForums

WASHINGTON/THE HAGUE, April 12 (Reuters) – U.S. and European authorities said on Tuesday they had seized RaidForums, a popular website used by hackers to buy and sell stolen data, and the United States also unsealed charges against the website’s founder and chief administrator Diego Santos Coelho.

Coelho, 21, of Portugal, was arrested in the United Kingdom on Jan. 31, and remains in custody while the United States seeks his extradition to stand trial in the U.S. District Court for the Eastern District of Virginia, the U.S. Justice Department said.

The department said it had obtained court approval to seize three different domain names that hosted the RaidForums website: raidforums.com, Rf.ws and Raid.lol.

The types of data available for sale on the site included stolen bank routing and account numbers, credit card information, log-in credentials and social security numbers.

In a parallel statement, Europol also lauded the takedown, saying the RaidForums online marketplace had been seized in an operation known as “Operation Tourniquet” that coordinated investigations by authorities from the United States, the United Kingdom, Germany, Sweden, Portugal and Romania.

[…]

Source: U.S. and European partners take down hacker website RaidForums | Reuters

VR Controller Lets You Feel Objects Slip Between Your Fingers

[…]

Last year, researchers from the National Taiwan University’s Interactive Graphics (and Multimedia) Laboratory and the National Chengchi University revealed their Hair Touch controller at the 2021 Computer-Human Interaction conference. The bizarre-looking contraption featured a tuft of hair that could be extended and contracted so that when someone tried to pet a virtual cat, or interact with other furry objects in virtual reality, their fingers would actually feel the fur, as far as their brains were concerned.

That was more or less the same motivation for researchers from the Korea Advanced Institute of Science and Technology’s MAKinteract Lab to create the SpinOcchio VR controller. Instead of making virtual fur feel real, the controller is designed to recreate the feeling of slipping something between your fingers. In the researchers’ own words, it’s described as “a handheld haptic controller capable of rendering the thickness and slipping of a virtual object pinched between two fingers.”

To keep this story PG-13, let’s stick with one of the example use cases the researchers suggest for the SpinOcchio controller: virtual pottery. Making bowls, vases, and other ceramics on a potter’s wheel in real life requires the artist to be able to feel the spinning object in their hands in order to make it perfectly cylindrical and stable. Attempting to use a potter’s wheel in virtual reality with a pair of VR joysticks in hand is nowhere near the same experience, but that’s the ultimate goal of VR: to accurately recreate an experience that otherwise may be inaccessible to a user.

[…]

Source: VR Controller Lets You Feel Objects Slip Between Your Fingers

Atlassian comes clean on the data-deleting script that wiped 400 customers and caused a weeks-long outage

Atlassian has published an account of what went wrong at the company to make the data of 400 customers vanish in a puff of cloudy vapor. And goodness, it makes for knuckle-chewing reading.

The restoration of customer data is still ongoing.

Atlassian CTO Sri Viswanath wrote that approximately 45 percent of those afflicted had had service restored but repeated the fortnight estimate it gave earlier this week for undoing the damage to the rest of the affected customers. As of the time of writing, the figure of customers with restored data had risen to 49 per cent.

As for what actually happened… well, strap in. And no, you aren’t reading another episode in our Who, Me? series of columns where readers confess to massive IT errors.

“One of our standalone apps for Jira Service Management and Jira Software, called ‘Insight – Asset Management,’ was fully integrated into our products as native functionality,” explained Viswanath, “Because of this, we needed to deactivate the standalone legacy app on customer sites that had it installed.”

Two bad things then happened. First, rather than providing the IDs of the app marked for deletion, the team making the deactivation request provided the IDs of the entire cloud site where the apps were to be deactivated.

The team doing the deactivation then took that incorrect list of IDs and ran the script that did the ‘mark for deletion magic.’ Except that script had another mode, one that would permanently delete data for compliance reasons.

You can probably see where this is going. “The script was executed with the wrong execution mode and the wrong list of IDs,” said Viswanath, with commendable honesty. “The result was that sites for approximately 400 customers were improperly deleted.”

[…]

The good news is that there are backups, and Atlassian retains them for 30 days. The bad news is that while the company can restore all customers into a new environment or roll back individual customers that accidentally delete their own data, there is no automated system to restore “a large subset” of customers into an existing environment, meaning data has to be laboriously pieced together.

The company is moving to a more automated process to speed things up, but currently is restoring customers in batches of up to 60 tenants at a time, with four to five days required end-to-end before a site can be handed back to a customer.

[…]

Source: Atlassian comes clean on data-deleting script behind outage • The Register

Cisco’s Webex phoned home audio telemetry even when muted

Boffins at two US universities have found that muting popular native video-conferencing apps fails to disable device microphones – and that these apps have the ability to access audio data when muted, or actually do so.

The research is described in a paper titled, “Are You Really Muted?: A Privacy Analysis of Mute Buttons in Video Conferencing Apps,” [PDF] by Yucheng Yang (University of Wisconsin-Madison), Jack West (Loyola University Chicago), George K. Thiruvathukal (Loyola University Chicago), Neil Klingensmith (Loyola University Chicago), and Kassem Fawaz (University of Wisconsin-Madison).

The paper is scheduled to be presented at the Privacy Enhancing Technologies Symposium in July.

[…]

Among the apps studied – Zoom (Enterprise), Slack, Microsoft Teams/Skype, Cisco Webex, Google Meet, BlueJeans, WhereBy, GoToMeeting, Jitsi Meet, and Discord – most presented only limited or theoretical privacy concerns.

The researchers found that all of these apps had the ability to capture audio when the mic is muted but most did not take advantage of this capability. One, however, was found to be taking measurements from audio signals even when the mic was supposedly off.

“We discovered that all of the apps in our study could actively query (i.e., retrieve raw audio) the microphone when the user is muted,” the paper says. “Interestingly, in both Windows and macOS, we found that Cisco Webex queries the microphone regardless of the status of the mute button.”

They found that Webex, every minute or so, sends network packets “containing audio-derived telemetry data to its servers, even when the microphone was muted.”

[…]

Worse still from a security standpoint, while other apps encrypted their outgoing data stream before sending it to the operating system’s socket interface, Webex did not.

“Only in Webex were we able to intercept plaintext immediately before it is passed to the Windows network socket API,” the paper says, noting that the app’s monitoring behavior is inconsistent with the Webex privacy policy.

The app’s privacy policy states Cisco Webex Meetings does not “monitor or interfere with you your [sic] meeting traffic or content.”

[…]

Source: Cisco’s Webex phoned home audio telemetry even when muted • The Register

Researchers have rejuvenated a 53-year-old woman’s skin cells so they are the equivalent of a 23-year-old’s.

[…]

The origins of the technique stem from the 1990s, when researchers at the Roslin Institute just outside Edinburgh developed a method of turning an adult mammary gland cell taken from a sheep into an embryo. It led to the creation of Dolly the cloned sheep.

The Roslin team’s aim was not to create clones of sheep or indeed humans, but to use the technique to create so-called human embryonic stem cells. These, they hoped, could be grown into specific tissues, such as muscle, cartilage, and nerve cells to replace worn-out body parts.

The Dolly technique was made simpler in 2006 by Prof Shinya Yamanaka, then at Kyoto University. The new method, called IPS, involved adding chemicals to adult cells for around 50 days. This resulted in genetic changes that turned the adult cells into stem cells.

In both the Dolly and IPS techniques, the stem cells created need to be regrown into the cells and tissues the patient requires. This has proved difficult and despite decades of effort, the use of stem cells to treat diseases is currently extremely limited.

Prof Reik’s team used the IPS technique on 53-year-old skin cells. But they cut short the chemical bath from 50 days to around 12. Dr Dilgeet Gill was astonished to find that the cells had not turned into embryonic stem cells – but had rejuvenated into skin cells that looked and behaved as if they came from a 23-year-old.

He said: “I remember the day I got the results back and I didn’t quite believe that some of the cells were 30 years younger than they were supposed to be. It was a very exciting day!”

The technique cannot immediately be translated to the clinic because the IPS method increases the risk of cancers. But Prof Reik was confident that now it was known that it is possible to rejuvenate cells, his team could find an alternative, safer method.

“The long-term aim is to extend the human health span, rather than the lifespan, so that people can get older in a healthier way,” he said.

Prof Reik says some of the first applications could be to develop medicines to rejuvenate skin in older people in parts of the body where they have been cut or burned – as a way to speed up healing. The researchers have demonstrated that this is possible in principle by showing that their rejuvenated skin cells move more quickly in experiments simulating a wound.

The next step is to see if the technology will work on other tissues such as muscle, liver and blood cells.

[…]

Source: Rejuvenation of woman’s skin could tackle diseases of ageing – BBC News

Microplastics found deep in lungs of 11/13 tested living people for first time

Microplastic pollution has been discovered lodged deep in the lungs of living people for the first time. The particles were found in almost all the samples analysed.

The scientists said microplastic pollution was now ubiquitous across the planet, making human exposure unavoidable and meaning “there is an increasing concern regarding the hazards” to health.

Samples were taken from tissue removed from 13 patients undergoing surgery and microplastics were found in 11 cases. The most common particles were polypropylene, used in plastic packaging and pipes, and PET, used in bottles. Two previous studies had found microplastics at similarly high rates in lung tissue taken during autopsies.

People were already known to breathe in the tiny particles, as well as consuming them via food and water. Workers exposed to high levels of microplastics are also known to have developed disease.

Microplastics were detected in human blood for the first time in March, showing the particles can travel around the body and may lodge in organs. The impact on health is as yet unknown. But researchers are concerned as microplastics cause damage to human cells in the laboratory and air pollution particles are already known to enter the body and cause millions of early deaths a year.

“We did not expect to find the highest number of particles in the lower regions of the lungs, or particles of the sizes we found,” said Laura Sadofsky at Hull York medical school in the UK, a senior author of the study. “It is surprising as the airways are smaller in the lower parts of the lungs and we would have expected particles of these sizes to be filtered out or trapped before getting this deep.”

[…]

Source: Microplastics found deep in lungs of living people for first time | Plastics | The Guardian

Mega-Popular Muslim Prayer Apps Were Secretly Harvesting Phone Numbers

Google recently booted over a dozen apps from its Play Store—among them Muslim prayer apps with 10 million-plus downloads, a barcode scanner, and a clock—after researchers discovered secret data-harvesting code hidden within them. Creepier still, the clandestine code was engineered by a company linked to a Virginia defense contractor, which paid developers to incorporate its code into their apps to pilfer users’ data.

While conducting research, researchers came upon a piece of code that had been implanted in multiple apps that was being used to siphon off personal identifiers and other data from devices. The code, a software development kit, or SDK, could “without a doubt be described as malware,” one researcher said.

For the most part, the apps in question appear to have served basic, repetitive functions—the sort that a person might download and then promptly forget about. However, once implanted onto the user’s phone, the SDK-laced programs harvested important data points about the device and its users like phone numbers and email addresses, researchers revealed.

The Wall Street Journal originally reported that the weird, invasive code was discovered by a pair of researchers, Serge Egelman and Joel Reardon, both of whom co-founded an organization called AppCensus, which audits mobile apps for user privacy and security. In a blog post on their findings, Reardon writes that AppCensus initially reached out to Google about their findings in October of 2021. However, the apps ultimately weren’t expunged from the Play store until March 25, after Google had investigated, the Journal reports.

[…]

Source: Mega-Popular Muslim Prayer Apps Were Secretly Harvesting Phone Numbers

Boeing demos ground-based satellite anti-jam system

Boeing has hit a milestone with its anti-jam satellite communications.

According to the aircraft maker, it demonstrated successful integration of its Protected Tactical Enterprise Service (PTES) software elements with an industry partner’s user terminal.

The ground-based military satellite communications system allows Boeing-built Wideband Global SATCOM (WGS) satellites and terminals to transmit data using the US military’s jam-resistant waveform, the Protected Tactical Waveform (PTW).

Its intent is to make satellite communication possible in hostile environments, dodging and mitigating both interference and jamming from adversaries, potentially from a battlefield.

Initially the tech is being designed for the space service branch of the US Armed Forces, Space Force, but is eventually expected to appear in commercial satellites as well.

“Making use of WGS military-unique features in conjunction with its wide bandwidth for PTW spread spectrum hopping, PTES-over-WGS provides the US Department of Defense with crucial fleetwide protected communications anywhere on the globe,” said Boeing in a canned statement.

The demonstration Boeing is celebrating validated the system’s ability to interface with a PTW ground terminal, in the process proving that the network management software and virtualized mission planning components were also working properly.

Validating the integration is just one step in a series of milestones. The last one was in August 2021, when the PTES program had its first over-the-air forward-link with a PTW modem demonstration. The next over-the-air demonstration will include forward and return links later this year. The whole system is expected to be operational in 2023.

[…]

Source: Boeing demos ground-based satellite anti-jam system

Microsoft is finally making it easier to switch default browsers in Windows 11

Microsoft is finally making it easier to change your default browser in Windows 11. A new update (KB5011563) has started rolling out this week that allows Windows 11 users to change a default browser with a single click. After testing the changes in December, this new one-click method is rolling out to all Windows 11 users.

Originally, Windows 11 shipped without the simple button for switching default browsers that was always available in Windows 10. Instead, Microsoft forced Windows 11 users to change individual file extensions or protocol handlers for HTTP, HTTPS, .HTML, and .HTM, or to tick a checkbox that only appeared when you clicked a link from outside a browser. Microsoft defended its decision to make switching defaults harder, but rival browser makers like Mozilla, Brave, and even Google’s head of Chrome criticized Microsoft’s approach.

Windows 11 now has a button to change default browsers.
Image: Tom Warren / The Verge

In the latest update to Windows 11, you can now head into the default apps section, search for your browser of choice, and then a button appears asking if you’d like to make it the default. All of the work of changing file handlers is done in a single click, making this a big improvement over what existed before.

[…]

Source: Microsoft is finally making it easier to switch default browsers in Windows 11 – The Verge

Browser Wars II

Bungie lawsuit aims to unmask YouTube copyright claim abusers

YouTube’s copyright claim system has been repeatedly abused for bogus takedown requests, and Bungie has had enough. TorrentFreak reports the game studio has sued 10 anonymous people for allegedly leveling false Digital Millennium Copyright Act (DMCA) claims against a host of Destiny 2 creators on YouTube, and even Bungie itself. The company said the culprits took advantage of a “hole” in YouTube’s DMCA security that let anyone claim to represent a rights holder, effectively letting “any person, anywhere” misuse the system to suit their own ends.

According to Bungie, the perpetrators created a Gmail account in mid-March that was intended to mimic the developer’s copyright partner CSC. They then issued DMCA takedown notices while falsely claiming to represent Bungie, and even tried to fool creators with another account that insisted the first was fraudulent. YouTube didn’t notice the fake credentials and slapped video producers with copyright strikes, even forcing users to remove videos if they wanted to avoid bans.

YouTube removed the strikes, suspended the Gmail accounts and otherwise let creators recover, but not before Bungie struggled with what it called a “circular loop” of support. The firm said it only broke the cycle by having its Global Finance Director email key Google personnel, and Google still “would not share” info to identify the fraudsters. Bungie hoped a DMCA subpoena and other measures would help identify the attackers and punish them, including damages that could reach $150,000 for each false takedown notice.

[…]

Source: Bungie lawsuit aims to unmask YouTube copyright claim abusers | Engadget

Researchers discover source of super-fast electron rain

The researchers observed unexpected, rapid “electron precipitation” from low-Earth orbit using the ELFIN mission, a pair of tiny satellites built and operated on the UCLA campus by undergraduate and graduate students guided by a small team of staff mentors.

By combining the ELFIN data with more distant observations from NASA’s THEMIS spacecraft, the scientists determined that the sudden downpour was caused by whistler waves, a type of electromagnetic wave that ripples through plasma in the Earth’s magnetosphere and affects electrons there, causing them to “spill over” into the atmosphere.

[…]

Central to that chain of events is the near-Earth space environment, which is filled with charged particles orbiting in giant rings around the planet, called Van Allen radiation belts. Electrons in these belts travel in Slinky-like spirals that literally bounce between the Earth’s north and south poles. Under certain conditions, whistler waves are generated within the radiation belts, energizing and speeding up the electrons. This effectively stretches out the electrons’ travel path so much that they fall out of the belts and precipitate into the atmosphere, creating the electron rain.

Electron rain, which can cause the aurora borealis and impact orbiting satellites and atmospheric chemistry. Credit: NASA, Emmanuel Masongsong/UCLA

One can imagine the Van Allen belts as a large reservoir filled with water—or, in this case, electrons, said Vassilis Angelopoulos, a UCLA professor of space physics and ELFIN’s principal investigator. As the reservoir fills, water periodically spirals down into a relief drain to keep the basin from overflowing. But when occur in the reservoir, the sloshing water spills over the edge, faster and in greater volume than the relief drainage. ELFIN, which is downstream of both flows, is able to properly measure the contributions from each.

[…]

The researchers further showed that this type of radiation-belt electron loss to the atmosphere can increase significantly during , disturbances caused by enhanced that can affect near-Earth space and Earth’s magnetic environment.

[…]

Source: Researchers discover source of super-fast electron rain

Fish can learn basic arithmetic

Addition and subtraction must be hard for fish, especially because they don’t have fingers to count on. But they can do it—albeit with small numbers—a new study reveals. By training the animals to use blue and yellow colors as codes for the commands “add one” and “subtract one,” respectively, researchers showed fish have the capacity for simple arithmetic.

To make the find, researchers at the University of Bonn adopted the design of a similar experiment conducted in bees. They focused on bony cichlids (Pseudotropheus zebra) and cartilaginous stingrays (Potamotrygon motoro), which the lab uses to study fish cognition.

In the training phase, the scientists showed a fish in a tank an image of up to five squares, circles, and triangles that were all either blue or yellow. The animals had 5 seconds to memorize the number and color of the shapes; then a gate opened, and the fish had to choose between two doors: one with an additional shape and the other with one fewer shape.

The rules were simple: If the shapes in the original image were blue, head for the door with one extra shape; if they were yellow, go for the door with one fewer. Choosing the correct door earned the fish a food reward: pellets for cichlids, and earthworms, shrimp, or mussels for stingrays.

Only six of the eight cichlids and four of the eight stingrays successfully completed their training. But those that made it through testing performed well above chance, the researchers report today in Scientific Reports.

[…]

To make sure the animals weren’t just memorizing patterns, the researchers mixed in new tests varying the size and number of the shapes. In one trial, fish presented with three blue shapes were asked to choose between doors with four or five shapes—a choice of “plus one” or “plus two” instead of the usual “plus one” or “minus one.” Rather than simply selecting the larger number, the animals consistently followed the “plus one” directive—indicating they truly understood the desired association.

[…]

Source: Fish can learn basic arithmetic | Science | AAAS

GitLab issues security fix for hardcoded password flaw in OmniAuth

The cloud-hosted software version control service released versions 14.9.2, 14.8.5, and 14.7.7 of its self-hosted CE and EE software, fixing one “critical” security vulnerability (CVE-2022-1162), as well as two rated “high,” nine rated “medium,” and four rated “low.”

“A hard-coded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts,” the company said in its advisory.

It appears from the changed files that the password.rb module generated a fake “strong” password for testing by concatenating “123qweQWE!@#” with a number of “0”s equal to the difference between User.password_length.max, which is set by the instance operator, and DEFAULT_LENGTH, which is hard-coded with the value 12.

So if an organization configured its own instance of GitLab to accept passwords of no more than 21 characters, it looks like an account takeover attack on that GitLab installation could use the default password of “123qweQWE!@#000000000” to access accounts created via OmniAuth.

The bug, with a 9.1 CVSS score, was found internally by GitLab and the fix has been applied to the company’s hosted service already, in conjunction with a limited password reset.
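To make the defect concrete, here is an added illustration (not GitLab’s own code) of the predictable generator as the article describes it, beside a CSPRNG-based replacement; the method names, the handling of a maximum below 12, and the determinism check are assumptions of this example.

```ruby
require 'securerandom'

# Values taken from the article: a hard-coded DEFAULT_LENGTH of 12 and a
# fixed "strong-looking" prefix. User.password_length.max is instance-configured,
# so it is modelled here as a parameter (assumption of this example).
DEFAULT_LENGTH = 12
FAKE_BASE = '123qweQWE!@#'.freeze

# Pre-fix behaviour as described: a deterministic password padded with "0"s up
# to the configured maximum. Every OmniAuth account on an instance with the
# same maximum receives the same password, so it provides no secrecy at all.
def predictable_omniauth_password(max_length)
  pad = [max_length - DEFAULT_LENGTH, 0].max # assumption: never pad negatively
  FAKE_BASE + ('0' * pad)
end

# Hardened replacement: every character comes from the OS CSPRNG, so two
# accounts never share a password and nothing can be derived from config.
# The length is clamped to at least DEFAULT_LENGTH (assumption) so a small
# configured maximum cannot shrink the password below a sane floor.
def random_omniauth_password(max_length)
  length = [max_length, DEFAULT_LENGTH].max
  SecureRandom.alphanumeric(length)
end

# Audit helper: a generator is unsafe for this purpose if two independent
# calls with the same configuration yield the same value.
def deterministic_generator?(generator, max_length)
  generator.call(max_length) == generator.call(max_length)
end

if __FILE__ == $PROGRAM_NAME
  puts "weak   : #{predictable_omniauth_password(21)}"
  puts "random : #{random_omniauth_password(21)}"
  puts "weak generator deterministic?   #{deterministic_generator?(method(:predictable_omniauth_password), 21)}"
  puts "random generator deterministic? #{deterministic_generator?(method(:random_omniauth_password), 21)}"
end
```

With a configured maximum of 21 the weak generator reproduces exactly the 21-character value quoted in the article, which is why the fix on the hosted service was paired with a password reset rather than relying on the code change alone.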

[…]

Source: GitLab issues security fix for easy account takeover flaw • The Register

Fraudsters use ‘fake emergency data requests’ to steal info

Cybercriminals have used fake emergency data requests (EDRs) to steal sensitive customer data from service providers and social media firms. At least one report suggests Apple, and Facebook’s parent company Meta, were victims of this fraud.

Both Apple and Meta handed over users’ addresses, phone numbers, and IP addresses in mid-2021 after being duped by these emergency requests, according to Bloomberg.

EDRs, as the name suggests, are used by law enforcement agencies to obtain information from phone companies and technology service providers about particular customers, without needing a warrant or subpoena. But they are only to be used in very serious, life-or-death situations.

As infosec journalist Brian Krebs first reported, some miscreants are using stolen police email accounts to send fake EDRs to companies to obtain netizens’ info. There is really no quick way for the service provider to know if the EDR is legitimate, and once they receive one they are under the gun to turn over the requested customer info.

“In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person,” Krebs wrote.

Large internet and other service providers have entire departments that review these requests and do what they can to get the police emergency data requested as quickly as possible, Mark Rasch, a former prosecutor with the US Department of Justice, told Krebs.

“But there’s no real mechanism defined by most internet service providers or tech companies to test the validity of a search warrant or subpoena,” Rasch said. “And so as long as it looks right, they’ll comply.”

[…]


Source: Fraudsters use ‘fake emergency data requests’ to steal info • The Register

Ubiquiti Files Case Against Security Blogger Krebs Over ‘False Accusations’ (for doing his job)

In March of 2021 the Krebs on Security blog reported that Ubiquiti, “a major vendor of cloud-enabled Internet of Things devices,” had disclosed a breach exposing customer account credentials. But Krebs added that a company source “alleges” that Ubiquiti was downplaying the severity of the incident — which is not true, says Ubiquiti.

Krebs’ original post now includes an update — putting the word “breach” in quotation marks, and noting that actually a former Ubiquiti developer had been indicted for the incident…and also for trying to extort the company. It was that extortionist, Ubiquiti says, who’d “alleged” they were downplaying the incident (which the extortionist had actually caused themselves).

Ubiquiti is now suing Krebs, “alleging that he falsely accused the company of ‘covering up’ a cyberattack,” ITWire reports: In its complaint, Ubiquiti said contrary to what Krebs had reported, the company had promptly notified its clients about the attack and instructed them to take additional security precautions to protect their information. “Ubiquiti then notified the public in the next filing it made with the SEC. But Krebs intentionally disregarded these facts to target Ubiquiti and increase ad revenue by driving traffic to his website, www.KrebsOnSecurity.com,” the complaint alleged.

It said there was no evidence to support Krebs’ claims and only one source, [the indicted former employee] Nickolas Sharp….

According to the indictment issued by the Department of Justice against Sharp in December 2021, after publication of the articles in question on 30 and 31 March, Ubiquiti’s stock price fell by about 20% and the company lost more than US$4 billion (A$5.32 billion) in market capitalisation…. The complaint alleged Krebs had intentionally misrepresented the truth because he had a financial incentive to do so, adding, “His entire business model is premised on publishing stories that conform to this narrative….”

[…]

Krebs was accused of two counts of defamation, with Ubiquiti seeking a jury trial and asking for a judgment against him that awarded compensatory damages of more than US$75,000, punitive damages of US$350,000, all expenses and costs including lawyers’ fees and any further relief deemed appropriate by the court.

Source: Ubiquiti Files Case Against Security Blogger Krebs Over ‘False Accusations’ – Slashdot

Ubiquiti’s security is spectacularly bad, with incidents like anyone with ssh / telnet access to access points being able to get in, read the database and change the root passwords. Their updates are few and far between and very poorly communicated (if at all) to clients who don’t have a UNP machine. They did not notify me about the breach until some time after Krebs broke the story, and then only in the vaguest of terms.

To blame a reporting party for your own failings is flailing around like a little kid, and it’s a disgrace that the legal system allows this kind of bullying.

Viasat confirms satellite modems were wiped with AcidRain malware – 7th wiper deployed against Ukraine this year

A newly discovered data-wiper malware targeting routers and modems was deployed in the February 24 cyberattack on the KA-SAT satellite broadband service, knocking SATCOM modems offline for thousands of users in Ukraine and tens of thousands more across Europe.

The malware, dubbed AcidRain by researchers at SentinelOne, is designed to brute-force device file names and wipe every file it can find, making it easy to redeploy in future attacks.

SentinelOne says this might hint at the attackers’ lack of familiarity with the targeted devices’ filesystem and firmware or their intent to develop a reusable tool.

AcidRain was first spotted on March 15 after its upload onto the VirusTotal malware analysis platform from an IP address in Italy as a 32-bit MIPS ELF binary using the “ukrop” filename.

Once deployed, it goes through the compromised router or modem’s entire filesystem. It also wipes flash memory, SD/MMC cards, and any virtual block devices it can find, using all possible device identifiers.

“The binary performs an in-depth wipe of the filesystem and various known storage device files. If the code is running as root, AcidRain performs an initial recursive overwrite and delete of non-standard files in the filesystem,” SentinelOne threat researchers Juan Andres Guerrero-Saade and Max van Amerongen explained.

To destroy data on compromised devices, the wiper overwrites file contents with up to 0x40000 bytes of data or, for raw flash, issues the Linux MTD (memory technology device) ioctls MEMGETINFO, MEMUNLOCK, MEMERASE and MEMWRITEOOB to unlock, erase and rewrite the device directly.

After AcidRain’s data wiping processes are completed, the malware reboots the device, rendering it unusable.
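The behaviour described above gives a responder two cheap triage signals: the file type (a 32-bit MIPS ELF) and the device-node strings a binary that brute-forces device file names has to carry. The following script is an added example, not SentinelOne's tooling or the AcidRain sample itself: it parses the fixed part of an ELF header, scans for common Linux block, MTD and MMC device-node names, and flags a MIPS32 ELF that references several of them. The device-name list and the sample input are constructed here for illustration; the real sample's string table is not on the page.

```python
import re
import struct
from typing import Dict, List, Optional

# ELF header constants from the ELF specification (not taken from the AcidRain sample).
ELF_MAGIC = b"\x7fELF"
ELFCLASS32 = 1
ELFDATA2LSB, ELFDATA2MSB = 1, 2
EM_MIPS = 8
ELF32_HEADER_LEN = 0x34

# Device-node families a wiper that brute-forces device file names would reference.
# Assumption: illustrative list only; the real sample's strings are not on the page.
DEVICE_PATTERNS = [re.compile(p) for p in (
    rb"/dev/sd[a-z]",            # SCSI/SATA/USB block devices
    rb"/dev/mtd(?:block)?\d*",   # raw and block views of MTD flash
    rb"/dev/mmcblk\d*",          # SD/MMC cards
    rb"/dev/loop\d*",            # loop (virtual block) devices
    rb"/dev/ram\d*",             # RAM disks
)]

def elf_header_info(blob: bytes) -> Optional[Dict[str, int]]:
    """Parse the fixed part of an ELF header; return None if this is not an ELF file."""
    if len(blob) < ELF32_HEADER_LEN or blob[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = blob[4], blob[5]
    if ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        return None
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    # e_type and e_machine are the two 16-bit fields right after the 16-byte e_ident.
    e_type, e_machine = struct.unpack(endian + "HH", blob[16:20])
    return {"class": ei_class, "data": ei_data, "type": e_type, "machine": e_machine}

def device_strings(blob: bytes) -> List[str]:
    """Distinct device-node strings embedded in the binary, sorted for stable output."""
    found = {m.group(0).decode("ascii") for pat in DEVICE_PATTERNS for m in pat.finditer(blob)}
    return sorted(found)

def triage(blob: bytes) -> Dict[str, object]:
    """Flag a file that is a 32-bit MIPS ELF carrying several device-node strings."""
    info = elf_header_info(blob)
    mips32 = bool(info and info["class"] == ELFCLASS32 and info["machine"] == EM_MIPS)
    devs = device_strings(blob)
    return {"mips32_elf": mips32, "device_strings": devs,
            "suspicious": mips32 and len(devs) >= 3}

def build_sample() -> bytes:
    """Constructed test input: a big-endian MIPS32 ELF header followed by a fake string
    table. It is not the AcidRain binary and contains no code; it only exercises the checks."""
    e_ident = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2MSB, 1, 0]) + b"\x00" * 8
    header = e_ident + struct.pack(">HH", 2, EM_MIPS)          # ET_EXEC, EM_MIPS
    header += b"\x00" * (ELF32_HEADER_LEN - len(header))
    strings = b"\x00/dev/sda\x00/dev/mtdblock0\x00/dev/mmcblk0\x00/dev/loop0\x00reboot\x00"
    return header + strings

if __name__ == "__main__":
    print(triage(build_sample()))
```

Run it against `open(path, "rb").read()` for a real suspect file; the header check alone says nothing about intent, so it is the combination of architecture and a cluster of device-node strings that earns a closer look, not either signal by itself.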

Used to wipe satellite communication modems in Ukraine

[…]

This directly contradicts a Viasat incident report on the KA-SAT incident saying it found “no evidence of any compromise or tampering with Viasat modem software or firmware images and no evidence of any supply-chain interference.”

However, Viasat confirmed SentinelOne’s hypothesis, saying the data destroying malware was deployed on modems using “legitimate management” commands.

[…]

The fact that Viasat has shipped almost 30,000 modems since the February 2022 attack to bring customers back online, and continues to ship more to expedite service restoration, also hints that SentinelOne’s supply-chain attack theory holds water.

[…]

Seventh data wiper deployed against Ukraine this year

AcidRain is the seventh data wiper malware deployed in attacks against Ukraine, with six others having been used to target the country since the start of the year.

The Computer Emergency Response Team of Ukraine recently reported that a data wiper it tracks as DoubleZero has been deployed in attacks targeting Ukrainian enterprises.

One day before the Russian invasion of Ukraine started, ESET spotted a data-wiping malware now known as HermeticWiper, that was used against organizations in Ukraine together with ransomware decoys.

The day Russia invaded Ukraine, they also discovered a data wiper dubbed IsaacWiper and a new worm named HermeticWizard used to drop HermeticWiper payloads.

ESET also spotted a fourth data-destroying malware strain they dubbed CaddyWiper, a wiper that deletes user data and partition information from attached drives and also wipes data across Windows domains it’s deployed on.

A fifth wiper malware, tracked as WhisperKill, was spotted by Ukraine’s State Service for Communications and Information Protection (CIP), who said it reused 80% of the Encrpt3d Ransomware’s code (also known as WhiteBlackCrypt Ransomware).

In mid-January, Microsoft found a sixth wiper now tracked as WhisperGate, used in data-wiping attacks against Ukraine, disguised as ransomware.

[…]

Source: Viasat confirms satellite modems were wiped with AcidRain malware

Copyright Is Indispensable For Artists, They Say; But For All Artists, Or Just Certain Kinds?

One of the central “justifications” for copyright is that it is indispensable if creativity is to be viable. Without it, we are assured, artists would starve. This ignores the fact that artists created and thrived for thousands of years before the 1710 Statute of Anne. But leaving that historical detail aside, as well as the larger question of the claimed indispensability of copyright, a separate issue is whether copyright is a good fit for all creativity, or whether it has inherent biases that few like to talk about.

One person who does talk about them is Kevin J. Greene, John J. Schumacher Chair Professor of Law at Southwestern Law School in Los Angeles. In his 2008 paper “‘Copynorms,’ Black Cultural Production, and the Debate Over African-American Reparations” he writes:

To paraphrase Pink Floyd, there’s a dark sarcasm in the stance of the entertainment industry regarding “copynorms” [respect for copyright]. Indeed, the “copynorms” rhetoric the entertainment industry espouses shows particular irony in light of its long history of piracy of the works of African-American artists, such as blues artists and composers.

In another analysis, Greene points out that several aspects of copyright are a poor fit for the way many artists create. For example:

The [US] Copyright Act requires that “a work of authorship must be ‘fixed in any tangible medium of expression, now known or later developed, from which [it] can be perceived, reproduced, or otherwise communicated, either directly or indirectly with the aid of a machine or device.’” Although “race-neutral”, the fixation requirement has not served the ways Black artists create: “a key component of black cultural production is improvisation.” As a result, fixation deeply disadvantages African-American modes of cultural production, which are derived from an oral tradition and communal standards.

The same is true for much creativity outside the Western nations that invented the idea of copyright, and then proceeded to impose its norms on other nations, not least through trade agreements. Greene’s observation suggests that copyright is far from universally applicable, and may just be a reflection of certain cultural and historical biases. When people talk airily about how copyright is needed to support artists, it is important to ask them to specify which artists, and then to examine whether copyright really is such a good fit for their particular kind of creativity.

Source: Copyright Is Indispensable For Artists, They Say; But For All Artists, Or Just Certain Kinds? | Techdirt

Pokémon-Like NFT Game Axie Infinity Scammed Out Of $600 Million

Pokémon-style NFT battler Axie Infinity was one of the biggest “success” stories in the world of crypto gaming. Now it’s responsible for one of the biggest thefts in the history of the technology. The gaming-focused blockchain Ronin Network announced earlier today that an Axie Infinity exploit allowed a hacker to “drain” roughly $600 million worth of crypto currency from the network.

“There has been a security breach on the Ronin Network,” the company announced on its Substack. “Earlier today, we discovered that on March 23rd, Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised resulting in 173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in two transactions.”

The person responsible allegedly used hacked private keys to order the fraudulent withdrawals. How, you ask? According to Ronin, “the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.”

Basically, the Ronin “side-chain” for games like Axie Infinity uses “9 validator nodes” to prevent fraudulent transactions. However, in November, due to overwhelming demand by new Axie players, Ronin gave special privileges to Sky Mavis, the company behind the game, so it could sign transactions on its behalf.

[…]

“The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf,” Ronin writes. “This was discontinued in December 2021, but the allowlist access was not revoked. Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC.“

Ronin has apparently locked down accounts while it continues its investigation into the hack, meaning no one can get their funds out even as the price of RON, the network’s native token, has reportedly plummeted more than 25%.
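The failure described above is not a cryptographic break but a control that was switched off procedurally and never enforced technically: the Axie DAO allowlist let Sky Mavis sign on its behalf, the arrangement was "discontinued", but the bridge still honoured it. The model below is an added example, not Ronin's contract or Sky Mavis code. It assumes a 5-of-9 validator threshold and four Sky Mavis validators (neither figure is on the page), uses HMAC-SHA256 as a stand-in for real validator signatures so it runs offline, and shows the same stolen keys clearing the threshold while the delegation is live and failing once it has an enforced expiry.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumptions not stated on the page: a 5-of-9 approval threshold, four validators run by
# Sky Mavis (v1..v4) and one by the Axie DAO (v5). HMAC-SHA256 stands in for the real
# validator signature scheme so the model runs offline.
THRESHOLD = 5
NEVER = 2 ** 62          # an "expiry" that never arrives: the unrevoked allowlist entry

def sign(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()

def verify(key: bytes, message: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, message), sig)

@dataclass
class Bridge:
    keys: Dict[str, bytes]                                   # validator -> signing key
    # allowlist: principal validator -> (delegate allowed to sign for it, expiry timestamp)
    delegations: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def approve(self, message: bytes, sigs: List[Tuple[str, str, bytes]],
                now: int) -> Tuple[bool, Set[str]]:
        """sigs: (signer, on_behalf_of, signature). Counts distinct validators,
        honouring delegations that are still within their expiry."""
        approved: Set[str] = set()
        for signer, principal, sig in sigs:
            key = self.keys.get(signer)
            if key is None or not verify(key, message, sig):
                continue                                     # unknown signer or bad signature
            if principal == signer:
                approved.add(signer)
                continue
            deleg = self.delegations.get(principal)
            # A delegation that was "discontinued" but never revoked still passes here;
            # an enforced expiry is what turns revocation from a process into a check.
            if deleg is not None and deleg[0] == signer and now < deleg[1]:
                approved.add(principal)
        return len(approved) >= THRESHOLD, approved

def run_scenario(delegation_expiry: int, now: int = 1_700_000_000) -> bool:
    """Attacker holds the four Sky Mavis keys and, through the allowlist, obtains the
    DAO validator's approval as well (the page describes this via the gas-free RPC)."""
    keys = {f"v{i}": secrets.token_bytes(32) for i in range(1, 10)}
    bridge = Bridge(keys, {"v5": ("v1", delegation_expiry)})
    withdrawal = b"withdraw 173600 ETH + 25.5M USDC to attacker"   # constructed message
    compromised = ["v1", "v2", "v3", "v4"]
    sigs = [(v, v, sign(keys[v], withdrawal)) for v in compromised]
    sigs.append(("v1", "v5", sign(keys["v1"], withdrawal)))      # v1 signing for the DAO node
    ok, _ = bridge.approve(withdrawal, sigs, now)
    return ok

if __name__ == "__main__":
    print("allowlist never revoked:", run_scenario(NEVER))   # four stolen keys are enough
    print("allowlist expired:      ", run_scenario(0))       # same keys fall one short
```

The design point is that a temporary privilege grant needs a hard bound (an expiry, or a revocation that the verifier actually consults), and that the signature threshold should be counted over independent key holders rather than over signatures, or compromising one organisation's infrastructure collapses the quorum.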

[…]

Source: Pokémon-Like NFT Game Axie Infinity Scammed Out Of $600 Million

GameStop, AMC Stocks Halted On NYSE after reaching above $500,- per share

GameStop (GME) shares extended declines Tuesday, after being halted by officials on the New York Stock Exchange, in a move that could snap the meme stock’s longest winning streak in more than a decade.

Both GameStop and AMC Entertainment (AMC), names that defined last year’s meme-stock phenomenon, were halted in early Tuesday trading amid heightened volatility and larger-than-usual pre-market volumes.

GameStop was last seen trading 6.1% lower on the session at $178.00 each, a move that would still leave the stock up 41% over the past month, while AMC fell as much as 12% before trading 2.1% into the red at $28.80 each.

Last week, Securities and Exchange Commission filings late Tuesday showed that Cohen’s RC Ventures LLC, which has also built stakes in Bed Bath & Beyond BBBY, now owns around 9.1 million GameStop shares representing an 11.9% overall stake in the Grapevine, Texas-based group.

Short interest in the shares remains elevated, however, with data from S3 Partners showing just under $1.2 billion in bets against the group, a figure that represents around 12.66 million shares, or 20.1% of the stock’s outstanding float.

GameStop reported a wider-than-expected loss of $1.86 per share for its fiscal fourth quarter last week, and managed to record negative free cash flow of $131.6 million even as revenues rose 6.2% to $2.25 billion.

Source: GameStop Stock Halted On NYSE, Extends Slide As Trading Resumes – TheStreet

Oddly enough this article talks it down but a quick look at the chart shows astronomic growth on both stocks. Superstonk is going nuts on Reddit.


New method for making tissue transparent could speed the study of many diseases

Scientists at Scripps Research have unveiled a new tissue-clearing method for rendering large biological samples transparent. The method makes it easier than ever for scientists to visualize and study healthy and disease-related biological processes occurring across multiple organ systems.

Described in a paper in Nature Methods on March 28, 2022, and dubbed HYBRiD, the new method combines elements of the two main prior approaches to tissue-clearing technology, and should be more practical and scalable than either for large-sample applications.

[…]

Tissue-clearing involves the use of solvents to remove molecules that make tissue opaque (such as fat), rendering the tissue optically transparent—while keeping most proteins and structures in place. Scientists commonly use genetically encoded or antibody-linked fluorescent beacons to mark active genes or other molecules of interest in a lab animal, and tissue-clearing in principle allows these beacons to be imaged all at once across the entire animal.

[…]

[Video] Learn how a new Scripps Research technique makes it easier to analyze body-wide biological processes and diseases such as COVID-19 infection. Credit: Scripps Research

The new method devised by Ye and his team uses a sequential combination of organic solvents and water-based detergents, and makes use of water-based hydrogels to protect those molecules within the tissue that need to be preserved. It often does not require the pumping of solvents through the sample.

“In many cases, you can just put the whole thing in a jar and keep it in a shaker on your benchtop until it’s done,” says co-first author Victoria Nudell, a research assistant in the Ye lab. “This makes it practical and scalable enough for routine use.”

The researchers demonstrated the ease and utility of their new method in a variety of applications. These included a collaboration with the laboratory of John Teijaro, Ph.D., associate professor of immunology and microbiology, to image SARS-CoV-2-infected cells in the whole chests of mice for the first time—a procedure whose simplicity, with the new method, enabled it to be done in a high-level biosafety facility where access to equipment is strictly limited.

[…]

Source: New method for making tissue transparent could speed the study of many diseases

Global science project links Android phones with satellites to improve weather forecasts

Collecting satellite data for research is a group effort thanks to this app developed for Android users. Camaliot is a campaign funded by the European Space Agency, and its first project focuses on making smartphone owners around the world part of a project that can help improve weather forecasts by using your phone’s GPS receiver.

The Camaliot app works on devices running Android version 7.0 or later that support satellite navigation.

[…]

Researchers think that they can use satellite signals to get more information about the atmosphere. For example, the amount of water vapor in the atmosphere can affect how a satellite signal travels through the air to something like a phone.

The app gathers information to track signal strength, the distance between the satellite and the phone being used, and the satellite’s carrier phase, according to Camaliot’s FAQs. With enough data collected from around the world, researchers can theoretically combine that with existing weather readings to measure long-term water vapor trends. They hope to use that data to inform weather forecasting models with machine learning. They can also track changes in Earth’s ionosphere — the part of the atmosphere near space. Creating better ionospheric forecasts could be relevant in tracking space weather and could eventually make Global Navigation Satellite Systems (GNSS) more accurate by accounting for events like geomagnetic storms.

[…]

Here’s how you can begin using the Camaliot app on your Android phone after downloading it from Google Play:

  1. Select “start logging” and place your phone in an area with a clear sky view to begin logging the data
  2. Once you have measured to your liking, select “stop logging”
  3. Then, upload your session to the server and repeat the process over time to collect more data. You can also delete your locally-stored log files at this step.

In addition to being able to view your own measurements against others accumulated over time, you can also see a leaderboard showing logging sessions done by other participants. Eventually, the information collected for the study will be available in a separate portal.

For registered users, their password, username, email address, and number of measurements will be stored in Camaliot’s database, but they won’t be used in post-study publications and products, according to Camaliot’s privacy policy. Specifically, Camaliot says that the need for extensive personal data is for scientific purposes and environmental monitoring and that its need for processing data is “necessary for the performance of a task carried out in the public interest, namely for the conduction of this scientific study.”

[…]

Source: Global science project links Android phones with satellites to improve weather forecasts – The Verge

Unprecedented videos show RNA switching ‘on’ and ‘off’

Similar to a light switch, RNA switches (called riboswitches) determine which genes turn “on” and “off.” Although this may seem like a simple process, the inner workings of these switches have confounded biologists for decades.

Now researchers led by Northwestern University and the University at Albany discovered one part of RNA smoothly invades and displaces another part of the same RNA, enabling the structure to rapidly and dramatically change shape. Called “strand displacement,” this mechanism appears to switch genetic expression from “on” to “off.”

Using a simulation they launched last year, the researchers made this discovery by watching a slow-motion simulation of a riboswitch up close and in action. Affectionately called R2D2 (short for “reconstructing RNA dynamics from data”), the new simulation models RNA in three dimensions as it binds to a compound, communicates along its length and folds to turn a gene “on” or “off.”

[…]

“We have found this strand displacement mechanism occurring in other types of RNA molecules, indicating this might be a potential generality of RNA folding,” said Northwestern’s Julius B. Lucks, who co-led the study. “We are starting to find similarities among different types of RNA molecules, which could eventually lead to RNA design rules for folding and function.”

[…]

Although RNA folding takes place more than 10 quadrillion times per second—every time a gene is expressed in a cell—researchers know very little about the process. To help visualize and understand the mysterious yet crucial process, Lucks and Chen unveiled R2D2 last year, in a paper published in the journal Molecular Cell.

Credit: Northwestern University

Employing a method developed in Lucks’ lab, R2D2 captures data related to RNA folding as the RNA is being made. Then, it uses computational tools to mine and organize the data, revealing points where the RNA folds and what happens after it folds. Angela Yu, a former student of Lucks, fed this data into computer models to generate accurate videos of the folding process.

“What’s so groundbreaking about the R2D2 approach…is that it combines experimental data on RNA folding at the nucleotide level with predictive algorithms at the atomic level to simulate RNA folding in ultra-slow motion,” said Dr. Francis Collins, director of the National Institutes of Health, in his February 2021 blog. “While other computer simulations have been available for decades, they have lacked much-needed of this complex folding process to confirm their mathematical modeling.”

[…]

Source: Unprecedented videos show RNA switching ‘on’ and ‘off’

Chemists cook up way to remove microplastics using okra

Extracts of okra and other slimy plants commonly used in cooking can help remove dangerous microplastics from wastewater, scientists said Tuesday.

The new research was presented at the spring meeting of the American Chemical Society, and offers an alternative to the synthetic flocculants currently used in wastewater treatment, which can themselves pose risks to health.

“In order to go ahead and remove microplastic or any other type of materials, we should be using which are non-toxic,” lead investigator Rajani Srinivasan, of Tarleton State University, said in an explainer video.

[…]

Srinivasan’s past research had examined how the goo from okra and other plants could remove textile-based pollutants from water and even microorganisms, and she wanted to see if that would equally apply to microplastics.

[…]

Typical wastewater treatment removes microplastics in two steps.

First, those that float are skimmed off the top of the water. These however account for only a small fraction, and the rest are removed using flocculants, or sticky chemicals that attract microplastics into larger clumps.

The clumps sink to the bottom and can then be separated from the water.

The problem is that these synthetic flocculants, such as polyacrylamide, can break down into toxic substances.

[…]

They tested chains of carbohydrates, known as polysaccharides, from the individual plants, as well as in combination, on various samples of microplastic-contaminated water, examining before-and-after microscopic images to determine how many particles had been removed.

They found that polysaccharides from okra paired with those from fenugreek worked best on one type of water sample, while a pairing with tamarind polysaccharides worked best in freshwater samples.

Overall, the plant-based polysaccharides worked just as well or better than polyacrylamide. Crucially, the plant-based chemicals are both non-toxic and can be used in existing treatment plants.

[…]

Source: Chemists cook up way to remove microplastics using okra

Finally, A Mapping Tool For Addressable LED Strings

Addressable LED strings have made it easier than ever to build fun glowable projects with all kinds of exciting animations. However, if you’re not going with a simple grid layout, it can be a little difficult to map your strings out in code. Fear not, for [Jason Coon] has provided a tool to help out with just that!

[Jason]’s web app, accessible here, is used for mapping out irregular layouts when working with addressable LED strings like the WS2812B and others that work with libraries like FastLED and Pixelblaze. If you’re making some kind of LED globe, crazy LED tree, or other non-gridular shape, this tool can help.

The first step is to create a layout of your LEDs in a Google Sheets table, which can then be pasted into the web app. Then, the app handles generating the necessary code to address the LEDs in an order corresponding to the physical layout.

[Jason] does a great job of explaining how the tool works, and demonstrates it working with a bowtie-like serpentine layout with rainbow animations. The tool can even provide visual previews of the layout so you can verify what you’ve typed in makes sense.

It’s a great tool that we recently saw put to use on [Geeky Faye’s] excellent necklace project. Video after the break.
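The core of what the tool does, going from a spreadsheet grid of LED numbers to per-LED coordinates in string order, is small enough to show in full. The script below is an added example, not [Jason]'s code: it parses a tab-separated grid as pasted from Google Sheets, rejects duplicate indices, reports gaps in the string, normalises positions to 0..255 in the style of FastLED XY maps, and emits the C arrays a sketch would index by LED number. The 5x5 serpentine layout with unpopulated cells is constructed here for illustration.

```python
from typing import Dict, List, Tuple

# Constructed layout, not [Jason]'s data: a 21-LED string threaded serpentine through a
# 5x5 grid (left-to-right on even rows, right-to-left on odd rows), with cells left blank
# where no LED is mounted, the kind of table the post describes pasting in from Sheets.
SAMPLE_LAYOUT = (
    "0\t1\t2\t3\t4\n"
    "8\t7\t\t6\t5\n"
    "\t9\t10\t11\t\n"
    "15\t14\t\t13\t12\n"
    "16\t17\t18\t19\t20\n"
)

Coords = Dict[int, Tuple[int, int]]   # LED index -> (column, row)

def parse_layout(text: str) -> Coords:
    """Read a tab-separated grid of LED indices; blank cells mean no LED at that position."""
    coords: Coords = {}
    for row, line in enumerate(text.splitlines()):
        for col, cell in enumerate(line.split("\t")):
            cell = cell.strip()
            if not cell:
                continue
            idx = int(cell)
            if idx in coords:
                raise ValueError(f"LED {idx} listed twice: {coords[idx]} and {(col, row)}")
            coords[idx] = (col, row)
    if not coords:
        raise ValueError("layout contains no LEDs")
    return coords

def missing_indices(coords: Coords) -> List[int]:
    """Indices in 0..max that never appear; each one is a gap in the physical string."""
    return [i for i in range(max(coords) + 1) if i not in coords]

def normalized_map(coords: Coords) -> List[Tuple[int, int, int]]:
    """(index, x, y) in string order, x and y scaled to 0..255 as FastLED-style maps expect."""
    max_col = max(c for c, _ in coords.values()) or 1     # avoid dividing by zero
    max_row = max(r for _, r in coords.values()) or 1
    return [(idx, round(col * 255 / max_col), round(row * 255 / max_row))
            for idx, (col, row) in sorted(coords.items())]

def fastled_source(coords: Coords) -> str:
    """Emit the C arrays a FastLED sketch would index by LED number."""
    pts = normalized_map(coords)
    xs = ", ".join(str(x) for _, x, _ in pts)
    ys = ", ".join(str(y) for _, _, y in pts)
    return (f"#define NUM_LEDS {len(pts)}\n"
            f"const uint8_t coordsX[NUM_LEDS] = {{{xs}}};\n"
            f"const uint8_t coordsY[NUM_LEDS] = {{{ys}}};\n")

if __name__ == "__main__":
    layout = parse_layout(SAMPLE_LAYOUT)
    gaps = missing_indices(layout)
    if gaps:
        raise SystemExit(f"layout is missing LED indices {gaps}")
    print(fastled_source(layout))
```

The duplicate and gap checks are the part worth keeping even if you hand-write the arrays: a typo in the sheet otherwise shows up only as an animation that looks subtly wrong on the hardware.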


Source: Finally, A Mapping Tool For Addressable LED Strings | Hackaday