Daily Archives: June 24, 2024

EFF: New License Plate Reader Vulnerabilties Prove The Tech Itself is a Public Safety Threat

Posted on by

Automated license plate readers “pose risks to public safety,” argues the EFF, “that may outweigh the crimes they are attempting to address in the first place.” When law enforcement uses automated license plate readers (ALPRs) to document the comings and goings of every driver on the road, regardless of a nexus to a crime, it results in gargantuan databases of sensitive information, and few agencies are equipped, staffed, or trained to harden their systems against quickly evolving cybersecurity threats. The Cybersecurity and Infrastructure Security Agency (CISA), a component of the U.S. Department of Homeland Security, released an advisory last week that should be a wake up call to the thousands of local government agencies around the country that use ALPRs to surveil the travel patterns of their residents by scanning their license plates and “fingerprinting” their vehicles. The bulletin outlines seven vulnerabilities in Motorola Solutions’ Vigilant ALPRs, including missing encryption and insufficiently protected credentials…

Unlike location data a person shares with, say, GPS-based navigation app Waze, ALPRs collect and store this information without consent and there is very little a person can do to have this information purged from these systems… Because drivers don’t have control over ALPR data, the onus for protecting the data lies with the police and sheriffs who operate the surveillance and the vendors that provide the technology. It’s a general tenet of cybersecurity that you should not collect and retain more personal data than you are capable of protecting. Perhaps ironically, a Motorola Solutions cybersecurity specialist wrote an article in Police Chief magazine this month that public safety agencies “are often challenged when it comes to recruiting and retaining experienced cybersecurity personnel,” even though “the potential for harm from external factors is substantial.” That partially explains why, more than 125 law enforcement agencies reported a data breach or cyberattacks between 2012 and 2020, according to research by former EFF intern Madison Vialpando. The Motorola Solutions article claims that ransomware attacks “targeting U.S. public safety organizations increased by 142 percent” in 2023.

Yet, the temptation to “collect it all” continues to overshadow the responsibility to “protect it all.” What makes the latest CISA disclosure even more outrageous is it is at least the third time in the last decade that major security vulnerabilities have been found in ALPRs… If there’s one positive thing we can say about the latest Vigilant vulnerability disclosures, it’s that for once a government agency identified and reported the vulnerabilities before they could do damage… The Michigan Cyber Command center found a total of seven vulnerabilities in Vigilant devices; two of which were medium severity and 5 of which were high severity vulnerabilities…

But a data breach isn’t the only way that ALPR data can be leaked or abused. In 2022, an officer in the Kechi (Kansas) Police Department accessed ALPR data shared with his department by the Wichita Police Department to stalk his wife.
The article concludes that public safety agencies should “collect only the data they need for actual criminal investigations.

“They must never store more data than they adequately protect within their limited resources-or they must keep the public safe from data breaches by not collecting the data at all.”

Source: EFF: New License Plate Reader Vulnerabilties Prove The Tech Itself is a Public Safety Threat

Systemd dev thinks it fine for a temp file purge command to just go and delete your /home/ directory

Posted on by

“A good portion of my home directory got deleted,” complained a bug report for systemd filed last week. It requested an update to a flag for the systemd-tmpfiles tool which cleans up files and directories: “a huge warning next to –purge. This option is dangerous, so it should be made clear that it’s dangerous.”

The Register explains: As long as five years ago, systemd-tmpfiles had moved on past managing only temporary files — as its name might suggest to the unwary. Now it manages all sorts of files created on the fly … such as things like users’ home directories. If you invoke the systemd-tmpfiles –purge command without specifying that very important config file which tells it which files to handle, version 256 will merrily purge your entire home directory.
The bug report first drew a cool response from systemd developer Luca Boccassi of Microsoft: So an option that is literally documented as saying “all files and directories created by a tmpfiles.d/ entry will be deleted”, that you knew nothing about, sounded like a “good idea”? Did you even go and look what tmpfiles.d entries you had beforehand? Maybe don’t just run random commands that you know nothing about, while ignoring what the documentation tells you? Just a thought eh
But the report then triggered “much discussion,” reports Phoronix. Some excerpts:

  • Lennart Poettering: “I think we should fail –purge if no config file is specified on the command line. I see no world where an invocation without one would make sense, and it would have caught the problem here.”
  • Red Hat open source developer Zbigniew JÄ(TM)drzejewski-Szmek: “We need to rethink how –purge works. The principle of not ever destroying user data is paramount. There can be commands which do remove user data, but they need to be minimized and guarded.”
  • Systemd contributor Betonhaus: “Having a function that declares irreplaceable files — such as the contents of a home directory — to be temporary files that can be easily purged, is at best poor user interfacing design and at worst a severe design flaw.”

But in the end, Phoronix writes, systemd-tmpfiles behavior “is now improved upon.”

“Merged Wednesday was this patch that now makes systemd-tmpfiles accept a configuration file when running purge. That way the user must knowingly supply the configuration file(s) to which files they would ultimately like removed. The documentation has also been improved upon to make the behavior more clear.”

Source: Systemd 256.1 Addresses Complaint That ‘systemd-tmpfiles’ Could Unexpectedly Delete Your /home Directory

Microsoft admits no guarantee that UK policing data will stay in the UK and at all private – are you looking, EU member states?!

Posted on by

According to correspondence released by the Scottish Police Authority (SPA) under freedom of information (FOI) rules, Microsoft is unable to guarantee that data uploaded to a key Police Scotland IT system – the Digital Evidence Sharing Capability (DESC) – will remain in the UK as required by law.

While the correspondence has not been released in full, the disclosure reveals that data hosted in Microsoft’s hyperscale public cloud infrastructure is regularly transferred and processed overseas; that the data processing agreement in place for the DESC did not cover UK-specific data protection requirements; and that while the company has the ability to make technical changes to ensure data protection compliance, it is only making these changes for DESC partners and not other policing bodies because “no one else had asked”.

The correspondence also contains acknowledgements from Microsoft that international data transfers are inherent to its public cloud architecture. As a result, the issues identified with the Scottish Police will equally apply to all UK government users, many of whom face similar regulatory limitations on the offshoring of data.

[…]

Nicky Stewart, a former ICT chief at the UK government’s Cabinet Office, said most people with knowledge of how hyperscale public cloud works have known about these data sovereignty issues for years.

“It’s clearly going to be a concern to any police force that’s using Microsoft, but it’s wider than that,” she said, adding that while Part 3 of the Data Protection Act (DPA) 2018 clearly stipulates that law enforcement data needs to be kept in the UK, other kinds of public sector data must also be kept sovereign under the new G-Cloud 14 framework, which has introduced a UK-only data hosting requirement.

[…]

Microsoft’s commitment to not access customer data without permission is further complicated by the terms of service, which make that promise strictly conditional by giving the company the ability to access data without permission if they either have to fulfil a legal burden, such as responding to government requests for data, or to maintain the service.

[…]

He added that given Microsoft’s disclosures to the SPA, “it must now be obvious that M365 and Azure Cloud services do not meet the two key requirements” to be a legal processor or sub-processor of law enforcement data under the DPA 18.

“These are: one, to conduct all processing and support activities 100% from inside the UK; and two, to only make an international transfer if they are specifically instructed to make the particular transfer by the controller,” he said.

“Microsoft have confirmed that they do not and cannot commit to requirement one for their M365 services, or indeed for most of the services they operate and support in Azure. They have also said that they cannot ‘operationalise’ individual requests as required of them under section 59(7) of the act, thus failing to meet requirement two.

“There can be no clearer evidence than Microsoft’s own clarifications that they cannot meet the legal requirements for a processor or sub-processor of law enforcement data.”

Stewart said: “If it’s not possible to understand the simple question, ‘do you know where your data is all the time?’, then you probably shouldn’t be putting your data in that platform.”

[…]

Source: Microsoft admits no guarantee of sovereignty for UK policing data | Computer Weekly

With the EU and also some EU domain name registrars (looking at you, SIDN) working with these crazy cloud providers, it should have been blindingly obvious that putting data in a US cloud provider would open it up for US spying and a complete lack of data ownership. However idiots will be idiots.

Forbes accuses Perplexity AI of bypassing robots.txt web standard to scrape content, Tollbit startup gains publicity by baselessly accusing everyone of doing this too in open letter. Why do we listen to this shit?

Posted on by

[…]

A letter to publishers seen by Reuters on Friday, which does not name the AI companies or the publishers affected, comes amid a public dispute between AI search startup Perplexity and media outlet Forbes involving the same web standard and a broader debate between tech and media firms over the value of content in the age of generative AI.

The business media publisher publicly accused Perplexity of plagiarizing its investigative stories in AI-generated summaries without citing Forbes or asking for its permission.

A Wired investigation published this week found Perplexity likely bypassing efforts to block its web crawler via the Robots Exclusion Protocol, or “robots.txt,” a widely accepted standard meant to determine which parts of a site are allowed to be crawled.

Perplexity declined a Reuters request for comment on the dispute.

The News Media Alliance, a trade group representing more than 2,200 U.S.-based publishers, expressed concern about the impact that ignoring “do not crawl” signals could have on its members.

“Without the ability to opt out of massive scraping, we cannot monetize our valuable content and pay journalists. This could seriously harm our industry,” said Danielle Coffey, president of the group.

Source: Exclusive-Multiple AI companies bypassing web standard to scrape publisher sites, licensing firm says

So the original clickbait headline comes from a content licensing startup scaring content providers up but with no details whatsoever. Why is this even news?!

500,000 Books Have Been Deleted From The Internet Archive’s Lending Library by Greedy Publishers

Posted on by

If you found out that 500,000 books had been removed from your local public library, at the demands of big publishers who refused to let them buy and lend new copies, and were further suing the library for damages, wouldn’t you think that would be a major news story? Wouldn’t you think many people would be up in arms about it?

It’s happening right now with the Internet Archive, and it’s getting almost no attention.

As we’ve discussed at great length, the Internet Archive’s Open Library system is indistinguishable from the economics of how a regular library works. The Archive either purchases physical books or has them donated (just like a physical library). It then lends them out on a one-to-one basis (leaving aside a brief moment where it took down that barrier when basically all libraries were shut down due to pandemic lockdowns), such that when someone “borrows” a digital copy of a book, no one else can borrow that same copy.

And yet, for all of the benefits of such a system in enabling more people to be able to access information, without changing the basic economics of how libraries have always worked, the big publishers all sued the Internet Archive. The publishers won the first round of that lawsuit. And while the court (somewhat surprisingly!) did not order the immediate closure of the Open Library, it did require the Internet Archive to remove any books upon request from publishers (though only if the publishers made those books available as eBooks elsewhere).

As the case has moved into the appeals stage (where we have filed an amicus brief), the Archive has revealed that around 500,000 books have been removed from the open library.

The Archive has put together an open letter to publishers, requesting that they restore access to this knowledge and information — a request that will almost certainly fall on extremely deaf ears.

We purchase and acquire books—yes, physical, paper books—and make them available for one person at a time to check out and read online. This work is important for readers and authors alike, as many younger and low-income readers can only read if books are free to borrow, and many authors’ books will only be discovered or preserved through the work of librarians. We use industry-standard technology to prevent our books from being downloaded and redistributed—the same technology used by corporate publishers.

But the publishers suing our library say we shouldn’t be allowed to lend the books we own. They have forced us to remove more than half a million books from our library, and that’s why we are appealing. 

The Archive also has a huge collection of quotes from people who have been impacted negatively by all of this. Losing access to knowledge is a terrible, terrible thing, driven by publishers who have always hated the fundamental concept of libraries and are very much using this case as an attack on the fundamental principle of lending books.

[…]

And, why? Because copyright and DRM systems allow publishers to massively overcharge for eBooks. This is what’s really the underlying factor here. Libraries in the past could pay the regular price for a book and then lend it out. But with eBook licensing, they are able to charge exorbitant monopoly rents, while artificially limiting how many books libraries can even buy.

I don’t think many people realize the extreme nature of the pricing situation here. As we’ve noted, a book that might cost $29.99 retail can cost $1,300 for an eBook license, and that license may include restrictions, such as having to relicense after a certain number of lends, or saying a library may only be allowed to purchase a single eBook license at a time.

The ones who changed the way libraries work is not the Internet Archive. It’s the publishers. They’re abusing copyright and DRM to fundamentally kill the very concept of a library, and this lawsuit is a part of that strategy.

Source: 500,000 Books Have Been Deleted From The Internet Archive’s Lending Library | Techdirt

EU delays decision over continuous spying on all your devices *cough* scanning encrypted messages for kiddie porn

Posted on by

European Union officials have delayed talks over proposed legislation that could lead to messaging services having to scan photos and links to detect possible child sexual abuse material (CSAM). Were the proposal to become law, it may require the likes of WhatsApp, Messenger and Signal to scan all images that users upload — which would essentially force them to break encryption.

For the measure to pass, it would need to have the backing of at least 15 of the member states representing at least 65 percent of the bloc’s entire population. However, countries including Germany, Austria, Poland, the Netherlands and the Czech Republic were expected to abstain from the vote or oppose the plan due to cybersecurity and privacy concerns, Politico reports. If EU members come to an agreement on a joint position, they’ll have to hash out a final version of the law with the European Commission and European Parliament.

The legislation was first proposed in 2022 and it could result in messaging services having to scan all images and links with the aim of detecting CSAM and communications between minors and potential offenders. Under the proposal, users would be informed about the link and image scans in services’ terms and conditions. If they refused, they would be blocked from sharing links and images on those platforms. However, as Politico notes, the draft proposal includes an exemption for “accounts used by the State for national security purposes.”

[…]

Patrick Breyer, a digital rights activist who was a member of the previous European Parliament before this month’s elections, has argued that proponents of the so-called “chat control” plan aimed to take advantage of a power vacuum before the next parliament is constituted. Breyer says that the delay of the vote, prompted in part by campaigners, “should be celebrated,” but warned that “surveillance extremists among the EU governments” could again attempt to advance chat control in the coming days.

Other critics and privacy advocates have slammed the proposal. Signal president Meredith Whittaker said in a statement that “mass scanning of private communications fundamentally undermines encryption,” while Edward Snowden described it as a “terrifying mass surveillance measure.”

[…]

The EU is not the only entity to attempt such a move. In 2021, Apple revealed a plan to scan iCloud Photos for known CSAM. However, it scrapped that controversial effort following criticism from the likes of customers, advocacy groups and researchers.

Source: EU delays decision over scanning encrypted messages for CSAM

Watch out very very carefully  as soon as people start taking your freedoms in the name of “protecting children”.

We finally know why some people seem immune to catching covid-19

Posted on by

Deliberately exposing people to the coronavirus behind covid-19 in a so-called challenge study has helped us understand why some people seem to be immune to catching the infection.

As part of the first such covid-19 study, carried out in 2021, a group of international researchers looked at 16 people with no known health conditions who had neither tested positive for the SARS-CoV-2 virus nor been vaccinated against it.

The original variant of SARS-CoV-2 was sprayed up their noses. Nasal and blood samples were taken before this exposure and then six to seven times over the 28 days after. They also had SARS-CoV-2 tests twice a day.

[…]

In total, the researchers looked at more than 600,000 blood and nasal cells across all the individuals.

They found that in the second and third groups, the participants produced interferon – a substance that helps the immune system fight infections – in their blood before it was produced in their nasopharynx, the upper part of the nose behind the throat where the nasal samples were taken from. The interferon response, when it did occur in the nasopharynx, was actually higher in the noses of those in the second group than the third, says Teichmann.

These groups also didn’t have active infections within their T-cells and macrophages, which are both types of immune cell, says team member Marko Nikolic at University College London.

The results suggest that high levels of activity of an immune system gene called HLA-DQA2 before SARS-CoV-2 exposure helped prevent a sustained infection.

[…]

However, most people have now been exposed to “a veritable mosaic of SARS-CoV-2 variants”, rather than just the ancestral variant used in this study. The results may therefore not reflect cell responses outside of a trial setting, he says.

 

Journal reference:

Nature DOI: 10.1038/s41586-024-07575-x

 

Source: We finally know why some people seem immune to catching covid-19 | New Scientist

FedEx’s Secretive Police Force Is Helping Cops Build An AI Car Surveillance Network

Posted on by

[…] Forbes has learned the shipping and business services company is using AI tools made by Flock Safety, a $4 billion car surveillance startup, to monitor its distribution and cargo facilities across the United States. As part of the deal, FedEx is providing its Flock surveillance feeds to law enforcement, an arrangement that Flock has with at least four multi-billion dollar private companies. But publicly available documents reveal that some local police departments are also sharing their Flock feeds with FedEx — a rare instance of a private company availing itself of a police surveillance apparatus.

To civil rights activists, such close collaboration has the potential to dramatically expand Flock’s car surveillance network, which already spans 4,000 cities across over 40 states and some 40,000 cameras that track vehicles by license plate, make, model, color and other identifying characteristics, like dents or bumper stickers. Lisa Femia, staff attorney at the Electronic Frontier Foundation, said because private entities aren’t subject to the same transparency laws as police, this sort of arrangement could “[leave] the public in the dark, while at the same time expanding a sort of mass surveillance network.”

[…]

It’s unclear just how widely law enforcement is sharing Flock data with FedEx. According to publicly available lists of data sharing partners, two police departments have granted the FedEx Air Carrier Police Department access to their Flock cameras: Shelby County Sheriff’s Office in Tennessee and Pittsboro Police Department in Indiana.

Shelby County Sheriff’s Office public information officer John Morris confirmed the collaboration. “We share reads from our Flock license plate readers with FedEx in the same manner we share the data with other law enforcement agencies, locally, regionally, and nationally,” he told Forbes via email.

[…]

FedEx is also sharing its Flock camera feeds with other police departments, including the Greenwood Police Department in Indiana, according to Matthew Fillenwarth, assistant chief at the agency. Morris at Shelby County Sheriff’s Office confirmed his department had access to FedEx’s Flock feeds too. Memphis Police Department said it received surveillance camera feeds from FedEx through its Connect Memphis system

[…]

Flock, which was founded in 2017, has raised more than $482 million in venture capital investment from the likes of Andreessen Horowitz, helping it expand its vast network of cameras across America through both public police department contracts and through more secretive agreements with private businesses.

Forbes has now uncovered at least four corporate giants using Flock, none of which had publicly disclosed contracts with the surveillance startup. As Forbes previously reported, $50 billion-valued Simon Property, the country’s biggest mall owner, and home improvement giant Lowe’s, are two of the biggest clients. Like FedEx, Simon Property also has provided its mall feeds to local cops.

[…]

Kaiser Permanente, the largest health insurance company in America, has shared Flock data with the Northern California Regional Intelligence Center, an intelligence hub that provides support to local and federal police investigating major crimes across California’s west coast

[…]

Flock’s senior vice president of policy and communications Joshua Thomas declined to comment on private customers. “Flock’s technology and tools help our customers bolster their public safety efforts by helping to deter and solve crime efficiently and objectively,” Thomas said. “Objective video evidence is crucial to solving crime and we support our customers sharing that evidence with those that they are legally allowed to do so with.”

He said Flock was helping to solve “thousands of crimes nationwide” and is working toward its “goal of leveraging technology to eliminate crime.” Forbes previously found that Flock’s marketing data had exaggerated its impact on crime rates and that the company had itself likely broken the law across various states by installing cameras without the right permits.

Source: FedEx’s Secretive Police Force Is Helping Cops Build An AI Car Surveillance Network

Seven types of microplastics found in the human penises, raises questions about sexual function

Posted on by
The proliferation of microplastics (MPs) represents a burgeoning environmental and health crisis. Measuring less than 5 mm in
diameter, MPs have inltrated atmospheric, freshwater, and terrestrial ecosystems, penetrating commonplace consumables like
seafood, sea salt, and bottled beverages. Their size and surface area render them susceptible to chemical interactions with
physiological uids and tissues, raising bioaccumulation and toxicity concerns. Human exposure to MPs occurs through ingestion,
inhalation, and dermal contact. To date, there is no direct evidence identifying MPs in penile tissue. The objective of this study was
to assess for potential aggregation of MPs in penile tissue. Tissue samples were extracted from six individuals who underwent
surgery for a multi-component inatable penile prosthesis (IPP).
[…]
Seven
types of MPs were found in the penile tissue, with polyethylene terephthalate (47.8%) and polypropylene (34.7%) being the most
prevalent. The detection of MPs in penile tissue raises inquiries on the ramications of environmental pollutants on sexual health.
Our research adds a key dimension to the discussion on man-made pollutants, focusing on MPs in the male reproductive system.
IJIR: Your Sexual Medicine Journal; https://doi.org/10.1038/s41443-024-00930-6

Source: Detection of microplastics in the human penis | International Journal of Impotence Research

Microsoft fixes hack-me-via-Wi-Fi Windows security hole

Posted on by

[…] CVE-2024-30078, a Wi-Fi driver remote code execution hole rated 8.8 in severity. It’s not publicly disclosed, not yet under attack, and exploitation is “less likely,” according to Redmond.

“An unauthenticated attacker could send a malicious networking packet to an adjacent system that is employing a Wi-Fi networking adapter, which could enable remote code execution,” and thus remotely, silently, and wirelessly run malware or spyware on that nearby victim’s computer, Microsoft admitted.

Childs said: “Considering it hits every supported version of Windows, it will likely draw a lot of attention from attackers and red teams alike.” Patch as soon as you can: This flaw can be abused to run malicious software on and hijack a nearby Windows PC via their Wi-Fi with no authentication needed. Pretty bad. […]

Source: Microsoft fixes hack-me-via-Wi-Fi Windows security hole • The Register