The Linkielist

Linking ideas with the world

Owners Of ‘Gran Turismo 7’ Locked Out Of Single Player Game When Online DRM Servers Go Down – when you don’t own the game you bought

When someone asks me what DRM is, my answer is very simple: it’s anti-piracy software that generally doesn’t stop pirates at all, and, instead, mostly only annoys legitimate buyers. Well, then why do software and video game companies use it at all? Couldn’t tell you. Businesses really want to annoy their own customers? Apparently, yes. Timothy, when you say this doesn’t really stop pirates, you’re exaggerating, right? No, not at all.

The worst examples of legitimate customers getting screwed by video game DRM are those where a game or product is bricked because a publisher or its DRM partner shuts down the servers that make the DRM work, on purpose or otherwise.

Gran Turismo 7 was recently released on the PlayStation and is already facing major headwinds due to the public’s absolute hate for all the microtransactions included in the game. On top of that, the entire game, including the single player content, was rendered unplayable because the DRM servers that require an online check to play the game crumbled during a maintenance window.

The scheduled server maintenance, timed around the release of the version 1.07 patch for the game, was initially planned to last just two hours starting at 6 am GMT (2 am Eastern) on Thursday morning. Six hours later, though, the official Gran Turismo Twitter account announced that “due to an issue found in Update 1.07, we will be extending the Server Maintenance period. We will notify everyone as soon as possible when this is likely to be completed. We apologize for this inconvenience and ask for your patience while we work to resolve the issue.”

“Inconvenience” in this case means not being able to play the game the customer purchased. Like, basically at all. Why the single player content in a console game of all things should require an online check-in is completely beyond me.

[…]

Source: Owners Of ‘Gran Turismo 7’ Locked Out Of Single Player Game When Online DRM Servers Go Down | Techdirt

EU, US strike preliminary deal to unlock transatlantic data flows – yup, the EU will let the US spy on its citizens freely again

Negotiators have been working on an agreement — which allows Europeans’ personal data to flow to the United States — since the EU’s top court struck down the Privacy Shield agreement in July 2020 because of fears that the data was not safe from access by American agencies once transferred across the Atlantic.

The EU chief’s comments Friday show both sides have reached a political breakthrough, coinciding with U.S. President Joe Biden’s visit to Brussels this week.

“I am pleased that we found an agreement in principle on a new framework for transatlantic data flows. This will enable predictable and trustworthy data flows between the EU and U.S., safeguarding privacy and civil liberties,” she said.

Biden said the framework would allow the EU “to once again authorize transatlantic data flows that help facilitate $7.1 trillion in economic relationships.”

Friday’s announcement will come as a relief to the hundreds of companies that had faced mounting legal uncertainty over how to shuttle everything from payroll information to social media post data to the U.S.

Officials on both sides of the Atlantic had been struggling to bridge an impasse over what it means to give Europeans’ effective legal redress against surveillance by U.S. authorities. Not all of those issues have been resolved, though von der Leyen’s comments Friday suggest technical solutions are within reach.

Despite the ripples of relief Friday’s announcement will send through the business community, any deal is likely to be challenged in the courts by privacy campaigners.

Source: EU, US strike preliminary deal to unlock transatlantic data flows – POLITICO

Virtual Kidnappers Are Scamming Parents Out of Millions of Dollars

[…]

cases have become so widespread that the bureau has a name for them: virtual kidnappings. “It’s a telephone extortion scheme,” says Arbuthnot, who heads up virtual-kidnapping investigations for the FBI out of Los Angeles. Because many of the crimes go unreported, the bureau doesn’t have a precise number on how widespread the scam is. But over the past few years, thousands of families like the Mendelsteins have experienced the same bizarre nightmare: a phone call, a screaming child, a demand for ransom money, and a kidnapping that — after painful minutes, hours, or even days — is revealed to be fake.

[…]

Valerie Sobel, a Beverly Hills resident who runs a charitable foundation, also received a call from a man who told her he had kidnapped her daughter. “We have your daughter’s finger,” he said. “Do you want the rest of her in a body bag?” As proof, the kidnapper said, he was putting her daughter on the phone. “Mom! Mom!” she heard her daughter cry. “Please help — I’m in big trouble!” Like Mendelstein, Sobel was told not to take any other calls. After getting the ransom money from her bank, she was directed to a MoneyGram facility, where she wired the cash to the kidnappers — only to discover that her daughter had never been abducted.

The cases weren’t just terrifying the victims; they were also rattling police officers, who found themselves scrambling to stop kidnappings that weren’t real. “They’re jumping fences, they’re breaking down doors to rescue people,” Arbuthnot tells me. The calls were so convincing that they even duped some in law enforcement.

[…]

I’m listening to a recording of a virtual kidnapping that Arbuthnot is playing for me, to demonstrate just how harrowing the calls can be. “It begins with the crying,” he says. “That’s what most people hear first: Help me, help me, help me, Mommy, Mommy, Daddy.”

Virtual kidnapping calls, like any other telemarketing pitch, are essentially a numbers game. “It’s literally cold-calling,” Arbuthnot tells me. “We’ll see 100 phone calls that are total failures, and then we’ll see a completely successful call. And all you need is one, right?”

The criminals start with a selected area code and then methodically work their way through the possible nine-digit combinations of local phone numbers. Not surprisingly, the first area where the police noticed a rash of calls was 310 — Beverly Hills. But it’s not enough to just get a potential mark to pick up. Virtual kidnapping is a form of hypnosis: The kidnappers need you to fall under their spell. In hacker parlance, they’re “social engineers,” dispassionately rewiring your reactions by psychologically manipulating you. That’s why they start with an emotional gut punch that’s almost impossible to ignore: a recording of a child crying for help.

The recordings are generic productions, designed to ensnare as many victims as possible. “They’re not that sophisticated,” Arbuthnot tells me. It’s a relatively simple process: The criminals get a young woman they know to pretend she’s been kidnapped, and record her hysterical pleas. From there, the scheme follows one of two paths. Either you don’t have a kid, or suspect something is amiss, and hang up. Or, like many parents, you immediately panic at the sound of a terrified child.

Before you can form a rational thought, you blurt out your kid’s name, if only to make sense of what you’re hearing. Lisa? you say. Is that you? What’s wrong?

At that point, you’ve sealed your fate. Never mind that the screams you’re hearing aren’t those of your own kid. In a split second, you’ve not only bought into the con, but you’ve also given the kidnappers the one thing they need to make it stick. “We’ve kidnapped Lisa,” they tell you — and with that, your fear takes over. Adrenaline floods your bloodstream, your heart rate soars, your breath quickens, and your blood sugar spikes. No matter how skeptical or street-savvy you consider yourself, they’ve got you.

[…]

The other elements of virtual kidnappings are taken straight from the playbook for classic cons. Don’t give the mark time to think. Don’t let them talk to anyone else. Get them to withdraw an amount of cash they can get their hands on right away, and wire it somewhere untraceable. Convince them a single deviation from your instructions will cost them dearly.

[…]

the most innovative aspect of the scheme was the kidnapping calls: They were made from inside the prison in Mexico City, where Ramirez was serving time. “Who has time seven days a week, 12 hours a day, to make phone calls to the US, over and over and over, with a terrible success rate?” Arbuthnot says. “Prisoners. That was a really big moment for us. When we realized what was happening, it all made sense.”

[…]

there’s an obvious problem: Ramirez and Zuniga are already incarcerated, as the feds suspect is the case with almost every other virtual kidnapper who is still cold-calling potential victims. Which raises the question: How do you stop a crime that’s being committed by criminals you’ve already caught?

“What are we going to do?” Arbuthnot says. “We’re going to put these people in jail? They’re already in jail.”

[…]

Source: Virtual Kidnappers Are Scamming Parents Out of Millions of Dollars

Apple Maps, Music, iMessage, App Store, and iCloud Are Down

Apple’s services came back online in the late afternoon. Apple’s system status page shows that all of the services that had previously been listed as “down” are now back in the green. It’s still unclear what happened exactly, and Apple never returned Gizmodo’s email for comment on the situation.

Apple is experiencing massive technical difficulties, and widespread reports of outages for its various services are flooding the internet.

The company’s own status page shows that several of its most popular products aren’t working. Multiple reports—including from Down Detector, which tracks website and app outages—have shown that users of iCloud, Apple Music, the App Store, iTunes, Apple TV, iMessage, Mail, Contacts, Find My, Apple Maps, FaceTime, Apple Fitness+, and even our beloved domestic helper Siri all appear to be having major problems. Additionally, Bloomberg reports that Apple’s internal systems, both for its corporate offices and its Apple Store retail locations, are down as well. The company reportedly sent internal messages notifying employees, who had difficulty working from home, that domain name system (DNS) problems led to the outage. The full extent of these outages and the regions they are affecting is unclear.

[…]

Source: Apple Maps, Music, iMessage, App Store, and iCloud Are Down

Edit: Websiteplanet has another tool to detect if a website is down or not

Messages, Dialer apps sent text, call info to Google

Google’s Messages and Dialer apps for Android devices have been collecting and sending data to Google without specific notice and consent, and without offering the opportunity to opt-out, potentially in violation of Europe’s data protection law.

According to a research paper, “What Data Do The Google Dialer and Messages Apps On Android Send to Google?” [PDF], by Trinity College Dublin computer science professor Douglas Leith, Google Messages (for text messaging) and Google Dialer (for phone calls) have been sending data about user communications to the Google Play Services Clearcut logger service and to Google’s Firebase Analytics service.

“The data sent by Google Messages includes a hash of the message text, allowing linking of sender and receiver in a message exchange,” the paper says. “The data sent by Google Dialer includes the call time and duration, again allowing linking of the two handsets engaged in a phone call. Phone numbers are also sent to Google.”

The timing and duration of other user interactions with these apps has also been transmitted to Google. And Google offers no way to opt-out of this data collection.

[…]

From the Messages app, Google takes the message content and a timestamp, generates a SHA256 hash, which is the output of an algorithm that maps the human-readable content to an alphanumeric digest, and then transmits a portion of the hash, specifically a truncated 128-bit value, to Google’s Clearcut logger and Firebase Analytics.

Hashes are designed to be difficult to reverse, but in the case of short messages, Leith said he believes some of these could be undone to recover some of the message content.

“I’m told by colleagues that yes, in principle this is likely to be possible,” Leith said in an email to The Register today. “The hash includes an hourly timestamp, so it would involve generating hashes for all combinations of timestamps and target messages and comparing these against the observed hash for a match – feasible I think for short messages given modern compute power.”

The Dialer app likewise logs incoming and outgoing calls, along with the time and the call duration.

[…]

The paper describes nine recommendations made by Leith and six changes Google has already made or plans to make to address the concerns raised in the paper. The changes Google has agreed to include:

  • Revising the app onboarding flow so that users are notified they’re using a Google app and are presented with a link to Google’s consumer privacy policy.
  • Halting the collection of the sender phone number by the CARRIER_SERVICES log source, of the SIM ICCID, and of a hash of sent/received message text by Google Messages.
  • Halting the logging of call-related events in Firebase Analytics from both Google Dialer and Messages.
  • Shifting more telemetry data collection to use the least long-lived identifier available where possible, rather than linking it to a user’s persistent Android ID.
  • Making it clear when caller ID and spam protection is turned on and how it can be disabled, while also looking at ways to use less information or fuzzed information for safety functions.

[…]

Leith said there are two larger matters related to Google Play Services, which is installed on almost all Android phones outside of China.

“The first is that the logging data sent by Google Play Services is tagged with the Google Android ID which can often be linked to a person’s real identity – so the data is not anonymous,” he said. “The second is that we know very little about what data is being sent by Google Play Services, and for what purpose(s). This study is the first to cast some light on that, but it’s very much just the tip of the iceberg.”

Source: Messages, Dialer apps sent text, call info to Google • The Register

Browser In The Browser (BITB) Attack

This article explores a phishing technique that simulates a browser window within the browser to spoof a legitimate domain.

Introduction

For security professionals, the URL is usually the most trusted aspect of a domain. Yes, there are attacks like IDN homographs and DNS hijacking that may degrade the reliability of URLs, but not to an extent that makes URLs unreliable.

All of this eventually led me to think: is it possible to make the “Check the URL” advice less reliable? After a week of brainstorming I decided that the answer is yes.

Demo

Pop-Up Login Windows

Quite often when we authenticate to a website via Google, Microsoft, Apple etc. we’re provided a pop-up window that asks us to authenticate. The image below shows the window that appears when someone attempts to log in to Canva using their Google account.

Canva-Login

Replicating The Window

Fortunately for us, replicating the entire window design using basic HTML/CSS is quite simple. Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it’s basically indistinguishable. The image below shows the fake window compared with the real window. Very few people would notice the slight differences between the two.

Real-Fake

JavaScript can easily be used to make the window appear on a link or button click, on page load, etc. And of course you can make the window appear in a visually appealing manner through animations available in libraries such as jQuery.

Demo

Demo-GIF

Custom URL on-hover

Hovering over a URL to determine if it’s legitimate is not very effective when JavaScript is permitted. HTML for a link generally looks like this:

<a href="https://gmail.com">Google</a>

If an onclick event that returns false is added, then hovering over the link will continue to show the website in the href attribute but when the link is clicked then the href attribute is ignored. We can use this knowledge to make the pop-up window appear more realistic.

<a href="https://gmail.com" onclick="return launchWindow();">Google</a>

function launchWindow(){
    // Launch the fake authentication window
    return false; // This will make sure the href attribute is ignored
}
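For analysts triaging a suspicious page, the two tricks above leave marks in the markup: an anchor whose inline handler can veto the href shown on hover, and an iframe whose real load origin is not what the painted address bar says. The following static check is an added example written for this post (it is not the article’s or the template repository’s code); the hostnames in the sample markup are constructed placeholders.

```python
"""Static triage of page markup for the two BITB tricks described above:
anchors whose inline onclick handler can cancel the href shown on hover, and
iframes whose real load origin differs from whatever the fake window chrome
displays. Added example for defenders; not the article's code."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def origin(url):
    """Return 'scheme://host[:port]' of an absolute URL, lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


class _Collector(HTMLParser):
    """Gathers anchor (href, onclick) pairs and iframe src values."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser reports valueless attributes as None; normalise to "".
        a = {name: (value or "") for name, value in attrs}
        if tag == "a" and a.get("href"):
            self.anchors.append((a["href"], a.get("onclick", "")))
        elif tag == "iframe":
            self.iframes.append(a.get("src", ""))


def audit(html, page_url):
    """Return findings (list of strings) for markup fetched from page_url."""
    collector = _Collector()
    collector.feed(html)
    page_origin = origin(page_url)
    findings = []

    for href, onclick in collector.anchors:
        handler = onclick.replace(" ", "")
        # An inline handler that returns a value or calls preventDefault() can
        # cancel navigation, so the href the user sees on hover is not
        # necessarily where a click goes.
        if "return" in handler or "preventDefault" in handler:
            target = origin(urljoin(page_url, href))
            kind = "same" if target == page_origin else "foreign"
            findings.append(
                f"anchor shows {href} ({kind} origin) but its click handler "
                f"{onclick!r} can override navigation"
            )

    for src in collector.iframes:
        real = origin(urljoin(page_url, src))
        if real == page_origin:
            where = "the page's own origin"
        else:
            where = f"third-party origin {real}"
        findings.append(
            f"iframe {src or '(no src)'} loads from {where}; compare with any "
            f"address bar drawn around it"
        )
    return findings


# Constructed sample mimicking the link-and-iframe structure described above
# (all hostnames are placeholders, not real sites).
SAMPLE_PAGE_URL = "https://landing.example.test/offer"
SAMPLE_HTML = """
<a href="https://mail.example.test" onclick="return launchWindow();">Sign in</a>
<a href="/help">Help</a>
<div class="fake-window">
  <div class="fake-urlbar">https://accounts.example.test/signin</div>
  <iframe src="/signin-form.html"></iframe>
</div>
"""


if __name__ == "__main__":
    for line in audit(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(line)
```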

Available Templates

I’ve created templates for the following operating systems and browsers:

  • Windows – Chrome (Light & Dark Mode)
  • Mac OSX – Chrome (Light & Dark Mode)

The templates are available on my GitHub here.

Conclusion

With this technique we are now able to up our phishing game. The target user would still need to land on your website for the pop-up window to be displayed. But once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website (because the trustworthy URL says so).

Source: Browser In The Browser (BITB) Attack | mr.d0x

High-Severity DoS Vulnerability Patched in OpenSSL

The flaw, tracked as CVE-2022-0778, was reported to the OpenSSL Project by Google vulnerability researcher Tavis Ormandy.

The security hole affects OpenSSL versions 1.0.2, 1.1.1 and 3.0, and it has been fixed with the release of versions 1.0.2zd (for premium support customers), 1.1.1n and 3.0.2. Version 1.1.0 is also impacted, but it’s no longer supported and will not receive a patch.

Exploitation of the vulnerability is possible in certain situations, and it can lead to a DoS attack against a process that parses externally supplied certificates.

“The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli,” the OpenSSL Project explained in its advisory. “Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.”

“It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters,” the advisory reads.
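To illustrate the class of bug the advisory describes, here is an added Python implementation of the Tonelli-Shanks modular square root (the algorithm BN_mod_sqrt implements) with every search loop bounded, so that a composite modulus raises instead of spinning. This is example code, not OpenSSL’s, and the candidate limit MAX_NONRESIDUE_TRIES is my own choice.

```python
"""Modular square root via Tonelli-Shanks (the algorithm behind OpenSSL's
BN_mod_sqrt) with every search loop bounded, so that a composite modulus
fails fast instead of looping forever. Added example, not OpenSSL code."""

# Assumption (my choice, not an OpenSSL constant): how many candidates to try
# when hunting for a quadratic non-residue. For a prime modulus roughly half
# of all candidates qualify, so exhausting this bound is overwhelmingly a
# sign that the modulus is not prime.
MAX_NONRESIDUE_TRIES = 128


class NoSquareRoot(ValueError):
    """n has no square root mod p, or p is not prime (the two cannot be
    told apart here without a primality test)."""


def mod_sqrt(n, p):
    """Return r with r*r == n (mod p) for an odd prime p.

    Raises NoSquareRoot when a loop bound is hit or the result does not
    verify. The inner search for i with t**(2**i) == 1 is the kind of loop
    that, unbounded, runs forever for non-prime moduli (CVE-2022-0778).
    """
    if p < 3 or p % 2 == 0:
        raise ValueError("modulus must be an odd number greater than 2")
    n %= p
    if n == 0:
        return 0

    # Write p - 1 = q * 2**s with q odd.
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1

    # Find a quadratic non-residue z (Euler's criterion: z**((p-1)/2) == -1).
    z = None
    for cand in range(2, 2 + MAX_NONRESIDUE_TRIES):
        if cand >= p:
            break
        if pow(cand, (p - 1) // 2, p) == p - 1:
            z = cand
            break
    if z is None:
        raise NoSquareRoot("no non-residue found; modulus is probably not prime")

    m, c, t, r = s, pow(z, q, p), pow(n, q, p), pow(n, (q + 1) // 2, p)
    while t != 1:
        # Find the least i in 1..m-1 with t**(2**i) == 1. For a prime p such
        # an i always exists; for a composite p it may not, so the search is
        # capped at m instead of squaring forever.
        i, t2 = 1, t * t % p
        while t2 != 1 and i < m:
            t2 = t2 * t2 % p
            i += 1
        if i >= m:
            raise NoSquareRoot("no exponent found; n is a non-residue or p is not prime")
        b = pow(c, 1 << (m - i - 1), p)
        # m strictly decreases every round, so the outer loop runs at most s times.
        m, c = i, b * b % p
        t, r = t * c % p, r * b % p

    # Final check, a cheap guard against garbage produced by a composite modulus.
    if r * r % p != n:
        raise NoSquareRoot("result does not verify; p is not prime")
    return r


def has_sqrt(n, p):
    """True if mod_sqrt(n, p) succeeds, False if it raises NoSquareRoot."""
    try:
        mod_sqrt(n, p)
        return True
    except NoSquareRoot:
        return False


if __name__ == "__main__":
    print(mod_sqrt(2, 17))   # a root of 2 modulo the prime 17 (6 or 11)
    # 4 is a square mod 15, but 15 is composite: the loop bound fires and
    # the call returns False instead of hanging.
    print(has_sqrt(4, 15))
```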

Source: High-Severity DoS Vulnerability Patched in OpenSSL | SecurityWeek.Com

Kubernetes container runtime CRI-O has make-me-root flaw

A vulnerability in the container runtime engine CRI-O can be exploited by a rogue user to gain root-level access on a host.

In a Kubernetes environment powered by CRI-O, the security hole can be used by a miscreant to move through a cluster as an administrator, install malware, and cause other chaos.

CrowdStrike’s threat research team discovered the privilege-escalation flaw in CRI-O version 1.19. The bug, tracked as CVE-2022-0811 and more creatively dubbed cr8escape, received a severity score of 8.8 out of 10.

CrowdStrike privately disclosed the vulnerability, and CRI-O’s developers today released a fix while recommending immediate patching. Besides Kubernetes, other software and platforms that depend on or use CRI-O – these include OpenShift and Oracle Container Engine for Kubernetes – may also be vulnerable, CrowdStrike warned.

Each Kubernetes node includes a container runtime such as CRI-O. Among other tasks, the container runtime allows containerized apps to safely share each node’s underlying Linux kernel and other resources. As part of this, Linux ensures that when one container alters a kernel setting, this change isn’t reflected in other containers or on the host as a whole, thus keeping the containers suitably isolated from each other and the underlying platform, CrowdStrike explained.

“Some parameters are namespaced and can therefore be set in a single container without impacting the system at large,” the threat researchers wrote. “Kubernetes and the container runtimes it drives allow pods to update these ‘safe’ kernel settings while blocking access to others.”

And herein lies the security flaw: CRI-O introduced a bug that allows attackers to bypass these safeguards and set kernel parameters. “Due to the addition of sysctl support in version 1.19, [the pinns utility] will now blindly set any kernel parameters it’s passed without validation,” the threat researchers explained.

This means that anyone who can deploy a pod on a cluster using the CRI-O runtime can “abuse the kernel.core_pattern parameter to achieve container escape and arbitrary code execution as root on any node in the cluster,” CrowdStrike continued.

[…]

Source: Kubernetes container runtime CRI-O has make-me-root flaw

Microsoft PowerToys – customise your windows experience

Microsoft PowerToys is a set of utilities for power users to tune and streamline their Windows experience for greater productivity.

Always on Top

Always on Top screenshot

Always on Top enables you to pin windows on top of all other windows with a quick key shortcut (⊞ Win+Ctrl+T).

PowerToys Awake

PowerToys Awake screenshot

PowerToys Awake is designed to keep a computer awake without having to manage its power & sleep settings. This behavior can be helpful when running time-consuming tasks, ensuring that the computer does not go to sleep or turns off its screens.

Color Picker

ColorPicker screenshot

ColorPicker is a system-wide color picking utility activated with Win+Shift+C. Pick colors from any currently running application; the picker automatically copies the color into your clipboard in a set format. Color Picker also contains an editor that shows a history of previously picked colors, allows you to fine-tune the selected color and to copy different string representations. This code is based on Martin Chrzan’s Color Picker.

FancyZones

FancyZones screenshot

FancyZones is a window manager that makes it easy to create complex window layouts and quickly position windows into those layouts.

File Explorer add-ons

File Explorer screenshot

File Explorer add-ons enable preview pane rendering in File Explorer to display SVG icons (.svg), Markdown (.md) and PDF file previews. To enable the preview pane, select the “View” tab in File Explorer, then select “Preview Pane”.

Image Resizer

Image Resizer screenshot

Image Resizer is a Windows Shell extension for quickly resizing images. With a simple right click from File Explorer, resize one or many images instantly. This code is based on Brice Lambson’s Image Resizer.

Keyboard Manager

Keyboard Manager screenshot

Keyboard Manager allows you to customize the keyboard to be more productive by remapping keys and creating your own keyboard shortcuts. This PowerToy requires Windows 10 1903 (build 18362) or later.

Mouse utilities

Mouse utilities screenshot

Mouse utilities add functionality to enhance your mouse and cursor. With Find My Mouse, quickly locate your mouse’s position with a spotlight that focuses on your cursor. This feature is based on source code developed by Raymond Chen.

PowerRename

PowerRename screenshot

PowerRename enables you to perform bulk renaming, searching and replacing file names. It includes advanced features, such as using regular expressions, targeting specific file types, previewing expected results, and the ability to undo changes. This code is based on Chris Davis’s SmartRename.

PowerToys Run

PowerToys Run screenshot

PowerToys Run can help you search and launch your app instantly – just press the shortcut Alt+Space and start typing. It is open source and modular for additional plugins. Window Walker is now included as well. This PowerToy requires Windows 10 1903 (build 18362) or later.

Shortcut Guide

Shortcut Guide screenshot

Windows key shortcut guide appears when a user presses ⊞ Win+Shift+/ (or as we like to think, ⊞ Win+?) and shows the available shortcuts for the current state of the desktop. You can also change this setting and press and hold ⊞ Win.

Video Conference Mute

Video Conference Mute screenshot

Video Conference Mute is a quick way to globally “mute” both your microphone and camera using ⊞ Win+Shift+Q while on a conference call, regardless of the application that currently has focus. This requires Windows 10 1903 (build 18362) or later.

Source: Microsoft PowerToys | Microsoft Docs

Something good from the war: Russia Says Its Businesses Can Use Patents From Anyone In ‘Unfriendly’ Countries

Russia has effectively legalized patent theft from anyone affiliated with countries “unfriendly” to it, declaring that unauthorized use will not be compensated. The Washington Post reports: The decree, issued this week, illustrates the economic war waged around Russia’s invasion of Ukraine, as the West levies sanctions and pulls away from Russia’s huge oil and gas industry. Russian officials have also raised the possibility of lifting restrictions on some trademarks, according to state media, which could allow continued use of brands such as McDonald’s that are withdrawing from Russia in droves. The effect of losing patent protections will vary by company, experts say, depending on whether they have a valuable patent in Russia. The U.S. government has long warned of intellectual property rights violations in the country; last year Russia was among nine nations on a “priority watch list” for alleged failures to protect intellectual property. Now Russian entities could not be sued for damages if they use certain patents without permission.

The patent decree and any further lifting of intellectual property protections could affect Western investment in Russia well beyond any de-escalation of the war in Ukraine, said Josh Gerben, an intellectual property lawyer in Washington. Firms that already saw risks in Russian business would have more reason to worry. “It’s just another example of how [Putin] has forever changed the relationship that Russia will have with the world,” Gerben said. Russia’s decree removes protections for patent holders who are registered in hostile countries, do business in them or hold their nationality.

The Kremlin has not issued any decree lifting protections on trademarks. But Russia’s Ministry of Economic Development said last week that authorities are considering “removing restrictions on the use of intellectual property contained in certain goods whose supply to Russia is restricted,” according to Russian state news outlet Tass, and that potential measures could affect inventions, computer programs and trademarks. The ministry said the measures would “mitigate the impact on the market of supply chain breaks, as well as shortages of goods and services that have arisen due to the new sanctions of western countries,” Tass stated. Gerben said a similar decree on trademarks would pave the way for Russian companies to exploit American brand names that have halted their business in Russia. He gave a hypothetical involving McDonald’s, one of the latest global giants to suspend operations in Russia under public pressure.

Source: Russia Says Its Businesses Can Steal Patents From Anyone In ‘Unfriendly’ Countries – Slashdot

Considering that patents are bad for innovation, make customers bleed and basically empower laziness, this should be an interesting experiment in skyrocketing Russian technologies.

Android will soon let you archive apps to save space

[…]

Google announced today it’s working on a new feature it estimates will reduce the space some apps take up by approximately 60 percent. Best of all, your personal data won’t be affected. The feature is called app archiving and will arrive later this year. Rather than uninstalling an app completely, it instead temporarily removes some parts of it and generates a new type of Android Package known as an archived APK. That package preserves your data until the moment you restore the app to its former form.

“Once launched, archiving will deliver great benefits to both users and developers. Instead of uninstalling an app, users would be able to ‘archive’ it – free up space temporarily and be able to re-activate the app quickly and easily,” the company said. “Developers can benefit from fewer uninstalls and substantially lower friction to pick back up with their favorite apps.”

[…]

Source: Android will soon let you archive apps to save space | Engadget

HBO hit with class action lawsuit for allegedly sharing subscriber data with Facebook

HBO is facing a class action lawsuit over allegations that it gave subscribers’ viewing history to Facebook without proper permission, Variety has reported. The suit accuses HBO of providing Facebook with customer lists, allowing the social network to match viewing habits with their profiles.

It further alleges that HBO knows Facebook can combine the data because HBO is a major Facebook advertiser — and Facebook can then use that information to retarget ads to its subscribers. Since HBO never received proper customer consent to do this, it allegedly violated the 1988 Video Privacy Protection Act (VPPA), according to the lawsuit.

HBO, like other sites, discloses to users that it (and partners) use cookies to deliver personalized ads. However, the VPPA requires separate consent from users to share their video viewing history. “A standard privacy policy will not suffice,” according to the suit.

Other streaming providers have been hit with similar claims, and TikTok recently agreed to pay a $92 million settlement for (in part) violating the VPPA. In another case, however, a judge ruled in 2015 that Hulu didn’t knowingly share data with Facebook that could establish an individual’s viewing history. The law firm involved in the HBO suit previously won a $50 million settlement with Hearst after alleging that it violated Michigan privacy laws by selling subscriber data.

Source: HBO hit with class action lawsuit for allegedly sharing subscriber data with Facebook | Engadget

Italy slaps creepy webscraping facial recognition firm Clearview AI with €20 million fine

Italy’s data privacy watchdog said it will fine the controversial facial recognition firm Clearview AI for breaching EU law. An investigation by Garante, Italy’s data protection authority, found that the company’s database of 10 billion images of faces includes those of Italians and residents in Italy. The New York City-based firm is being fined €20 million, and will also have to delete any facial biometrics it holds of Italian nationals.

This isn’t the first time that the beleaguered facial recognition tech company is facing legal consequences. The UK data protection authority last November fined the company £17 million after finding its practices—which include collecting selfies of people without their consent from security camera footage or mugshots—violate the nation’s data protection laws. The company has also been banned in Sweden, France and Australia.

The accumulated fines will be a considerable blow for the now five-year old company, completely wiping away the $30 million it raised in its last funding round. But Clearview AI appears to be just getting started. The company is on track to patent its biometric database, which scans faces across public internet data and has been used by law enforcement agencies around the world, including police departments in the United States and a number of federal agencies. A number of Democrats have urged federal agencies to drop their contracts with Clearview AI, claiming that the tool is a severe threat to the privacy of everyday citizens. In a letter to the Department of Homeland Security, Sens. Ed Markey and Jeff Merkley and Reps. Pramila Jayapal and Ayanna Pressley urged regulators to discontinue their use of the tool.

“Clearview AI reportedly scrapes billions of photos from social media sites without permission from or notice to the pictured individuals. In conjunction with the company’s facial recognition capabilities, this trove of personal information is capable of fundamentally dismantling Americans’ expectation that they can move, assemble, or simply appear in public without being identified,” wrote the authors of the letter.

Despite losing troves of facial recognition data from entire countries, Clearview AI has a plan to rapidly expand this year. The company told investors that it is on track to have 100 billion photos of faces in its database within a year, reported The Washington Post. In its pitch deck, the company said it hopes to secure an additional $50 million from investors to build even more facial recognition tools and ramp up its lobbying efforts.

Source: Italy slaps facial recognition firm Clearview AI with €20 million fine | Engadget

The new silent majority: People who don’t tweet – and are political independents

Most people you meet in everyday life — at work, in the neighborhood — are decent and normal. Even nice. But hit Twitter or watch the news, and you’d think we were all nuts and nasty.

Why it matters: The rising power and prominence of the nation’s loudest, meanest voices obscures what most of us personally experience: Most people are sane and generous — and too busy to tweet.

Reality check: It turns out, you’re right. We dug into the data and found that, in fact, most Americans are friendly, donate time or money, and would help you shovel your snow. They are busy, normal and mostly silent.

  • These aren’t the people with big Twitter followings or cable-news contracts — and they don’t try to pick fights at school board meetings.
  • So the people who get the clicks and the coverage distort our true reality.

Three stats we find reassuring:

  1. 75% of people in the U.S. never tweet.
  2. On an average weeknight in January, just 1% of U.S. adults watched primetime Fox News (2.2 million). 0.5% tuned into MSNBC (1.15 million).
  3. Nearly three times more Americans (56%) donated to charities during the pandemic than typically give money to politicians and parties (21%).

📊 One chart worth sharing: As polarized as America seems, Independents — who are somewhere in the middle — would be the biggest party.

  • In Gallup’s 2021 polling, 29% of Americans identified as Democrats … 27% as Republicans … and 42% as independents.
Reproduced from Gallup; Chart: Axios Visuals

The bottom line: Every current trend suggests politics will get more toxic before it normalizes. But the silent majority gives us hope beyond the nuttiness.

Source: The new silent majority: People who don’t tweet

Changing touchscreen friction and rendering of virtual shapes through change in surface temperature

In this work, we show a large modulation of finger friction by locally changing surface temperature. Experiments showed that finger friction can be increased by ~50% with a surface temperature increase from 23° to 42°C, which was attributed to the temperature dependence of the viscoelasticity and the moisture level of human skin. Rendering virtual features, including zoning and bump(s), without thermal perception was further demonstrated with surface temperature modulation. This method of modulating finger friction has potential applications in gaming, virtual and augmented reality, and touchscreen human-machine interaction.

Source: Surface haptic rendering of virtual shapes through change in surface temperature

Samsung Galaxy Source Code Stolen in Data Breach, might show they slow down specific apps

Samsung confirmed on Monday that a cybersecurity attack exposed sensitive internal data including source code for Galaxy smartphones.

The group claiming responsibility for the attack, Lapsus$, is the same hacking outfit that breached Nvidia last week and leaked employee credentials and proprietary information onto the internet. In the Samsung hack, the group purportedly posted a 190GB torrent file to its Telegram channel, claiming it contains algorithms for biometric login authentication and bootloader—code that could be used to bypass some operating system controls.

Samsung disclosed the breach but didn’t confirm the identity of the hackers or the materials stolen.

[…]

After successfully breaching Nvidia, Lapsus$ blackmailed the GPU maker by threatening to release stolen internal data unless GPU drivers were made open source and Ethereum cryptocurrency mining limiters were removed from Nvidia 30-series graphics cards. The group, which is said to have members in South America and Western Europe, reportedly compromised the credentials of more than 71,000 past and current Nvidia employees.

For Samsung, the data breach arrives shortly after reports emerged claiming the company deliberately limits the performance of around 10,000 apps, including Instagram and TikTok. Samsung said its “Game Optimizing Service” was designed to balance performance and cooling, but many saw this as performance throttling and slammed the Korean tech giant for selectively excluding benchmarking apps.

[…]

Source: Samsung Galaxy Source Code Stolen in Data Breach

How safe are your passwords in 2022?

The 2022 update to our famous Hive Systems Password Table that’s been shared across the internet, social media, the news, and organizations worldwide. So what’s new, and what’s our methodology behind it? Keep reading!

Hive Systems Password Table: time it takes a hacker to brute force a password in 2022 (chart)

It’s been two years since we first shared our (now famous) password table. So it was about time we not only updated it for 2022 but also walked you through our methodology. While the data fits nicely into the table above, things aren’t as simple as it shows. So we’ll walk you through our data, our assumptions, and oh, you’re going to see a LOT of variations of the password table above!

“So how’d you make the table?”

In 2020, we shared a colorful table that took the internet by storm. It showed the relative strength of a password against a brute force cracking attempt, based on the password’s length and complexity. The data was based on how long it would take a consumer-budget hacker to crack your password hash using a desktop computer with a top-tier graphics card. Two years later – quite a long period of time in processing power improvement terms – we’re long overdue for an update.

First, let’s get some key terms out of the way. We’re going to talk about hashing. In the context of passwords, a “hash” is a scrambled version of text that is reproducible if you know what hash software was used. In other words, if I hash the word “password” using MD5 hashing software, the output hash is 5f4dcc3b5aa765d61d8327deb882cf99. Now if you hash the word “password” using MD5 hashing software, you’ll also get 5f4dcc3b5aa765d61d8327deb882cf99! We both secretly know the word “password” is our secret code, but anyone else watching us just sees 5f4dcc3b5aa765d61d8327deb882cf99. For this reason, the passwords you use on websites are stored in servers as hashes instead of in plain text like “password” so that if someone views them, in theory they won’t know the actual password.

You can’t do the reverse. A hash digest like 5f4dcc3b5aa765d61d8327deb882cf99 can’t be reverse computed to produce the word “password” that was used to make it. This one-way approach for hashing functions is by design. So how do hackers who steal hashes from websites ultimately end up with a list of real life passwords?

Hackers solve this problem by cracking the passwords instead. In this context, cracking means making a list of all combinations of characters on your keyboard and then hashing them. By finding matches between this list and the hashes from the stolen passwords, hackers can figure out your true password – letting them log into your favorite websites. And if you use the same password on multiple sites, you’re in for a bad time.

You can do this comparison with any computer, but it is much faster if you accelerate the process with a powerful graphics card. Graphics cards are those circuit boards that stick out of your computer’s bigger green circuit board. Among other things, this special circuit board has a Graphics Processing Unit (GPU) on it. A GPU is the shiny square tile on your graphics card that likely says NVIDIA or AMD on it. Originally GPUs were built to make pictures and videos load faster on your computer screen. As it turns out, they’re also great for mining cryptocurrencies, and for calculating hashes. A popular application for hashing is called Hashcat. Hashcat includes hashing functions, like MD5, while allowing you to use them quickly and see how fast it was able to do so. As a side note, we usually say “hash function” instead of “hash software.”
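As an added illustration of the hash-then-compare model the article describes (not Hive Systems’ own code), the example below reproduces the MD5 digest of “password”, rebuilds the table’s cells from keyspace size divided by hash rate, and runs the enumerate-and-compare loop over a deliberately tiny constructed search space. The hash rate and the column names are assumptions, since the article’s actual benchmark figures are not quoted on this page.

```python
"""Worked example of the brute-force cracking model behind the password table.

Not Hive Systems' code: the hash rate is a constructed, hypothetical figure,
because the article's real GPU benchmark numbers are not quoted on this page.
"""
import hashlib
import itertools
import string

# Hypothetical MD5 rate for one consumer GPU (constructed figure, not from the article).
ASSUMED_MD5_HASHES_PER_SECOND = 100_000_000_000

# Character sets in the spirit of the table's columns (column names are assumed).
CHARSETS = {
    "numbers only": string.digits,
    "lowercase letters": string.ascii_lowercase,
    "upper and lowercase letters": string.ascii_letters,
    "letters and numbers": string.ascii_letters + string.digits,
    "letters, numbers, symbols": string.ascii_letters + string.digits + string.punctuation,
}


def md5_hex(text: str) -> str:
    """The 'hash software' step: the same input always yields the same digest."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def keyspace_size(charset: str, length: int) -> int:
    """Number of candidate strings of exactly this length over this character set."""
    return len(charset) ** length


def seconds_to_exhaust(charset: str, length: int, hashes_per_second: float) -> float:
    """Worst-case time to hash every candidate of this length at the given rate."""
    return keyspace_size(charset, length) / hashes_per_second


def describe_duration(seconds: float) -> str:
    """Render a duration in coarse, human-readable buckets like the table's cells."""
    if seconds < 1:
        return "instantly"
    units = (("years", 365 * 24 * 3600), ("days", 86400), ("hours", 3600),
             ("mins", 60), ("secs", 1))
    for name, size in units:
        if seconds >= size:
            value = seconds / size
            unit = name if value >= 1.5 else name.rstrip("s")
            return f"{value:.0f} {unit}"
    return "instantly"  # not reachable; every value >= 1 matches the "secs" bucket


def password_table(lengths, hashes_per_second=ASSUMED_MD5_HASHES_PER_SECOND):
    """Rebuild the table: {password length: {charset name: duration text}}."""
    return {
        length: {name: describe_duration(seconds_to_exhaust(cs, length, hashes_per_second))
                 for name, cs in CHARSETS.items()}
        for length in lengths
    }


def brute_force_md5(target_hex: str, charset: str, max_length: int):
    """The cracking step the article describes: enumerate every candidate, hash, compare.

    Feasible here only because the constructed search space is tiny; the table is
    precisely a statement of how fast this loop grows with length and charset.
    A slow, salted password hash (not MD5) would multiply every cell by orders of magnitude.
    """
    for length in range(1, max_length + 1):
        for chars in itertools.product(charset, repeat=length):
            candidate = "".join(chars)
            if md5_hex(candidate) == target_hex:
                return candidate
    return None


if __name__ == "__main__":
    # Matches the digest quoted in the article.
    print(md5_hex("password"))  # 5f4dcc3b5aa765d61d8327deb882cf99
    # Constructed demo: a 3-letter lowercase "password" falls within ~18,000 hashes.
    print(brute_force_md5(md5_hex("abc"), string.ascii_lowercase, 3))
    for length, row in password_table([6, 8, 10, 12]).items():
        print(length, row)
```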

[…]

Source: Are Your Passwords in the Green?

The rest of the article is very interesting, including many more graphs depicting various scenarios.

Ice Cream Machine Repairers Sue McDonald’s for $900 Million

For years, the tiny startup Kytch worked to invent and sell a device designed to fix McDonald’s notoriously broken ice cream machines, only to watch the fast food Goliath crush their business like the hopes of so many would-be McFlurry customers. Now Kytch is instead seeking to serve out cold revenge—nearly a billion dollars worth of it.

Late Tuesday night, Kytch filed a long-expected legal complaint against McDonald’s, accusing the company of false advertising and tortious interference in its contracts with customers. Kytch’s cofounders, Melissa Nelson and Jeremy O’Sullivan, are asking for no less than $900 million in damages.

Since 2019, Kytch has sold a phone-sized gadget designed to be installed inside McDonald’s ice cream machines. Those Kytch devices would intercept the ice cream machines’ internal communications and send them out to a web or smartphone interface to help owners remotely monitor and troubleshoot the machines’ many foibles, which are so widely acknowledged that they’ve become a full-blown meme among McDonald’s customers. The two-person startup’s new claims against McDonald’s focus on emails the fast food giant sent to every franchisee in November 2020, instructing them to pull Kytch devices out of their ice cream machines immediately.

Those emails warned franchisees that the Kytch devices not only violated the ice cream machines’ warranties and intercepted their “confidential information” but also posed a safety threat and could lead to “serious human injury,” a claim that Kytch describes as false and defamatory. Kytch also notes that McDonald’s used those emails to promote a new ice cream machine, built by its longtime appliance manufacturing partner Taylor, that would offer similar features to Kytch. The Taylor devices, meanwhile, have yet to see public adoption beyond a few test installations.

Kytch cofounder Melissa Nelson says the emails didn’t just result in McDonald’s ice cream machines remaining broken around the world. (About one in seven of the machines in the US remained out of commission on Monday according to McBroken.com, which tracks the problem in real time.) They also kneecapped Kytch’s fast-growing sales just as the startup was taking off. “They’ve tarnished our name. They scared off our customers and ruined our business. They were anti-competitive. They lied about a product that they said would be released,” Nelson says. “McDonald’s had every reason to know that Kytch was safe and didn’t have any issues. It was not dangerous, like they claimed. And so we’re suing them.”

Before it found itself in conflict with soft-serve superpowers, Kytch had shown some early success in solving McDonald’s ice cream headaches. Its internet-connected add-on gadget helped franchisees avoid problems like hours of downtime when Taylor’s finicky daily pasteurization cycle failed. McDonald’s restaurant owners interviewed by WIRED liked the device; one said it saved him “easily thousands of dollars a month” from lost revenue and repair fees. Kytch says that by the end of 2020 it had 500 customers and was doubling its sales every quarter—all of which evaporated when McDonald’s ordered its franchisees to ditch Kytch’s gadgets.

Kytch first fired back against the fast-food ice cream establishment last May, suing Taylor and its distributor TFG for theft of trade secrets. The Kytch founders argued in that lawsuit that Taylor worked with TFG and one franchise owner to stealthily obtain a Kytch device, reverse-engineer it, and attempt to copy its features.

But all along, Kytch’s cofounders have hinted that they intended to use the discovery process in their lawsuit against Taylor to dig up evidence for a suit against McDonald’s too. In fact, the 800 pages of internal Taylor emails and presentations that Kytch has so far obtained in discovery show that it was McDonald’s, not Taylor, that at many points led the effort to study and develop a response to Kytch in 2020.

[…]

Source: Ice Cream Machine Hackers Sue McDonald’s for $900 Million | WIRED

Ukraine state media leaks details of 120,000 Russian soldiers on website

Ukrainian news website Ukrainska Pravda says the nation’s Centre for Defence Strategies think tank has obtained the personal details of 120,000 Russian servicemen fighting in Ukraine. The publication has now shared this data freely on its website.

The Register and others have been unable to fully verify the accuracy of the data from the leak. The records include what appears to be names, addresses, passport numbers, unit names, and phone numbers. Some open source intelligence researchers on Twitter said they found positive matches, as did sources who spoke confidentially to El Reg; others said they couldn’t verify dip-sampled data.

[…]

Whether or not the database’s contents are real, the impact on Russian military morale – knowing that your country’s enemies have your personal details and can contact your family if you’re captured, killed, or even still alive – won’t be insignificant.

As Russia’s invasion of Ukraine progresses, or not, cyber-attacks orchestrated by or for the benefit of the Kremlin against Ukraine and the West appear limited, while on the ground, more than 2,000 civilians have been killed, according to Ukrainian officials.

Former UK National Cyber Security Centre (NCSC) chief Ciaran Martin noted in a blog post that even those skeptical of claims that Russia would wage cyber-Armageddon during the invasion will be surprised at the lack of activity. The online assaults against Ukraine of late represent Russia’s “long-standing campaign of cyber harassment of the country … rather than a serious escalation of it,” he wrote.

[…]

Source: 120,000 Russians soldier details leak – Ukraine media • The Register

And now you get into the combatant following orders kind of argument – do you really want to be the side attacking their spouses and children back home?

Hackers hacked by Nvidia Demand NVIDIA Open Source Their Drivers Or They Leak More Data

Hackers that infiltrated NVIDIA systems are now threatening to release more confidential information unless the company commits to open sourcing its drivers. It is unclear what the stolen data contains, but the group confirmed that there are 250GB of hardware related data in their possession. Furthermore, the group confirmed they have evaluated NVIDIA’s position, which suggests that NVIDIA might be trying to communicate with the group to prevent future leaks. The group has already published information on NVIDIA DLSS technology and upcoming architectures. Yesterday, Nvidia reportedly retaliated against the hacker group known as “Lapsus$” by sneaking back into the hackers’ system and encrypting the stolen data. The group claimed that it had a backup of the data, though.

Source: Hackers Demand NVIDIA Open Source Their Drivers Or They Leak More Data – Slashdot

These Two Mictic Bluetooth Bracelets Put an Entire Orchestra of Virtual Instruments in Your Hands (IOS only :'( )

[…]

The Mictic One is a pair of Bluetooth bracelets equipped with movement sensors. The bracelets connect to a mobile device (only iOS at the moment, but the Android version is under development). From the Mictic application, we can select different musical instruments and control the sound they produce by moving our hands and arms. Think of an Air Guitar on steroids and you’ll get an idea of how they work. This video helps too.

The fact is that to say that the Mictic One is an Air Guitar simulator is an understatement, because the application of this startup created in Zurich does much more than that. To begin with, the range of musical instruments that we can imitate is quite wide and ranges from the cello to percussion or a DJ’s mixing desk. Each instrument requires you to make different movements with your arms and hands that mimic (to some extent) the actual movements you would make with that instrument.

The app allows you to add (and control) background tracks, and even mix various instruments and record the results. In fact, up to four pairs of bracelets can be connected in case you want to form an augmented reality band. There are also a handful of actual songs, and the company is already making deals with different record labels to add many more. In fact, the device is being sponsored by Moby.

[…]

Wearing the Mictic One is an experience that is as frustrating as it is exciting. It’s frustrating because getting something out that sounds good is harder than it looks. It is not enough to wave your arms like a crazed ape. You have to move with precision and smoothness. Luckily, each instrument has a video tutorial in which we can learn the basic movements. It’s exciting because when you learn to make them sound, the feeling is extremely satisfying.

Soon we will be able to offer you an in-depth review of the device, but the first impression is that they are incredibly fun. The Mictic One (sold as a pair and with a double USB-C cable to charge them both at the same time) are already on sale from the company’s website at a price of 139 Swiss francs (about 135 euros). In the future, the company plans to extend the platform so that it can be used with other devices that do not have the necessary motion sensors, such as mobile phones or smart watches.

Source: These Two Bluetooth Bracelets Put an Entire Orchestra of Virtual Instruments in Your Hands

NSA report: This is how you should be securing your network

The National Security Agency (NSA) has released a new report that gives all organizations the most current advice on how to protect their IT network infrastructures from cyberattacks.

NSA’s report ‘Cybersecurity Technical Report (CTR): Network Infrastructure Security Guidance’ is available freely for all network admins and CIOs to bolster their networks against state-sponsored and criminal cyberattacks.

The report covers network design, device passwords and password management, remote logging and administration, security updates, key exchange algorithms, and important protocols such as Network Time Protocol, SSH, HTTP, and Simple Network Management Protocol (SNMP).

The US Cybersecurity and Infrastructure Security Agency (CISA) is encouraging tech leaders to view the NSA document as part of its new push for all organizations in the US and elsewhere to raise defenses after the recent disk wiper malware targeting Ukrainian organizations.

The document, from NSA’s cybersecurity directorate, encourages the adoption of ‘zero trust’ networks. Zero trust assumes malicious insiders and threats existing inside and outside classical network boundaries.

[…]

Source: NSA report: This is how you should be securing your network | ZDNet

Opinion: Russia is now reaching endgame in Ukraine

Thesis: pretty soon Russia will stop their war. They have linked up the landmass to the Crimea, control access to the Black Sea and that was their goal all along. They don’t have enough soldiers to take over and administer the Ukraine. The police forces in the Ukraine will never align with a Russian puppet government. The threat to Kiev stalled because Putin was never interested in taking the whole of Ukraine. It’s a red herring which allows Putin to consolidate in the East. Once “peace” is worked out and they pull the 65km convoy back up to Russia and empty away from the west of the country, they will be left with that great swathe of land to the east and no-one will be able to remove them. In practical terms they will have annexed a huge land route to the Crimea as they did the Crimea. They will have displaced the Ukrainians that were living there and claim that the whole area is inhabited by their Russian brothers. They will “unite” the newly independent Donbas and Luhansk regions and the regions to the south and they will for all intents and purposes be Russian. NATO will never allow the Ukraine to join anyway and neither will the EU, despite pro-Ukrainian sentiment. So Ukraine remains a “buffer state”. Win for Russia.

BitConnect boss accused of $2.4bn fraud has disappeared

Satish Kumbhani, who is accused of scamming people out of $2.4bn in a cryptocurrency Ponzi scheme, has disappeared while evading an American watchdog, a court was told this week.

The BitConnect founder fled his home nation of India and went to ground in another country as the US Securities and Exchange Commission sought to serve a civil fraud lawsuit on him regarding the alleged scam, it is claimed.

“In October 2021, the commission learned that Kumbhani has likely relocated from India to an unknown address in a different foreign country,” Richard Primoff, general attorney at the SEC, said in a letter [PDF] to US federal district Judge John Koeltl on Monday.

[…]

In September, the regulator claimed BitConnect defrauded folks out of billions of dollars by running a Ponzi-like scheme that promised financial returns of up to 40 per cent per month all thanks to its automated crypto-trading bot.

Instead, people’s digital funds were allegedly secretly pocketed by Kumbhani and his associate Glenn Arcaro, who last year pleaded guilty to conspiring to cheat Bitconnect investors. Arcaro faces up to 20 years behind bars. Kumbhani, however, is still at large.

[…]

Source: BitConnect boss accused of $2.4bn fraud has disappeared • The Register

UK Online Safety Bill to require more data to use social media – eg send them your passport

The country’s forthcoming Online Safety Bill will require citizens to hand over even more personal data to largely foreign-headquartered social media platforms, government minister Nadine Dorries has declared.

“The vast majority of social networks used in the UK do not require people to share any personal details about themselves – they are able to identify themselves by a nickname, alias or other term not linked to a legal identity,” said Dorries, Secretary of State for Digital, Culture, Media and Sport (DCMS).

Another legal duty to be imposed on social media platforms will be a requirement to give users a “block” button, something that has been part of most of today’s platforms since their launch.

“When it comes to verifying identities,” said DCMS in a statement, “some platforms may choose to provide users with an option to verify their profile picture to ensure it is a true likeness. Or they could use two-factor authentication where a platform sends a prompt to a user’s mobile number for them to verify.”

“Alternatively,” continued the statement, “verification could include people using a government-issued ID such as a passport to create or update an account.”

Two-factor authentication is a login technology to prevent account hijacking by malicious people, not a method of verifying a user’s government-approved identity.

“People will now have more control over who can contact them and be able to stop the tidal wave of hate served up to them by rogue algorithms,” said Dorries.

Social networks offering services to Britons don’t currently require lots of personal data to register as a user. Most people see this as a benefit; the government seems to see it as a negative.

Today’s statement had led to widespread concerns that DCMS will place UK residents at greater risk of online identity theft or of falling victim to a data breach.

The Online Safety Bill was renamed from the Online Harms Bill shortly before its formal introduction to Parliament. Widely regarded by the technically literate as a disaster in the making, the bill, critics have said, risks creating an “algorithm-driven censorship future” through new regulations that would make it legally risky for platforms not to proactively censor users’ posts.

It is also closely linked to strong rhetoric discouraging end-to-end encryption rollouts for the sake of “minors”, and its requirements would mean that tech platforms attempting to comply would have to weaken security measures.

Parliamentary efforts at properly scrutinising the draft bill then led to the “scrutineers” instead publishing a manifesto asking for even stronger legal weapons to be included.

[…]

Source: Online Safety Bill to require more data to use social media