About Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft

Hackers Steal $135 Million From Users of Crypto Gaming Company

In the latest hack targeting cryptocurrency investors, hackers stole around $135 million from users of the blockchain gaming company VulcanForge, according to the company.

The hackers stole the private keys to access 96 wallets, siphoning off 4.5 million PYR, which is VulcanForge’s token that can be used across its ecosystem, the company said in a series of tweets on Sunday and Monday. VulcanForge’s main business involves creating games such as VulcanVerse, which it describes as an “MMORPG,” and a card game called Berserk. Both titles, like pretty much all blockchain games, appear chiefly designed as vehicles to buy and sell in-game items linked to NFTs using PYR.

[…]

This is the third major theft of cryptocurrency in the last eleven days. The total amount of stolen cryptocurrency in these three hacks is around $404 million. On Dec. 2, it was BadgerDAO, a blockchain-based decentralized finance (DeFi) platform, which lost $119 million. The company is asking the hacker to please “do the right thing” and return the money. Then four days later, cryptocurrency exchange BitMart got hacked, losing $150 million.

The VulcanForge hack is notable because, like many new tokens, PYR trades on decentralized exchanges. Decentralized exchanges run on smart contracts, and because there’s no centralized order book, investors trade against “liquidity pools” with funds contributed by users who earn a “staking” reward in return. It also means there’s no central authority to blocklist a malicious account trying to cash out stolen funds.

Since the hack, VulcanForge has advised users to remove their liquidity in order to make it difficult or impossible for the attacker to cash out. As The Block reported, the hacker has so far managed to cash out most of the tokens by trading small amounts at a time, although not without sending PYR’s price into a downward spiral due to the sell pressure. On Discord, a bot message has been asking users every half hour: “Anyone that has LP in uniswap or quickswap remove it ASAP.”

[…]

Source: Hackers Steal $140 Million From Users of Crypto Gaming Company

Ukraine arrests 51 for selling data of 300 million people in US, EU

Ukrainian law enforcement arrested 51 suspects believed to have been selling stolen personal data on hacking forums belonging to hundreds of millions worldwide, including Ukraine, the US, and Europe.

“As a result of the operation, about 100 databases of personal data relevant for 2020-2021 were seized,” the Cyberpolice Department of the National Police of Ukraine said.

“The seized databases contained information on more than 300 million citizens of Ukraine, Europe and the United States”

Following this large-scale operation, Ukrainian police also shut down one of the largest sites used to sell personal information stolen from both Ukrainians and foreigners (the site’s name was not revealed in the press release).

On the now shutdown illegal marketplace, suspects were selling a wide range of stolen personal data, including telephone numbers, surnames, names, addresses, and, in some cases, vehicle registration info.

[…]

Source: Ukraine arrests 51 for selling data of 300 million people in US, EU

Gumtree users’ locations were visible by pressing F12, wouldn’t pay bug bounty to finder

UK online used goods bazaar Gumtree exposed its users’ home addresses in the source code of its webpages, and then tried to squirm out of a bug bounty after infosec bods alerted it to the flaw.

British company Pen Test Partners (PTP) spotted the data leakage, which meant anyone could view a Gumtree user’s name and location (either postcode or GPS coordinates) by pressing F12 in their web browser.

In both Firefox and Chrome, F12 opens the “view page source” developer tools screen, showing the code that generates the webpage you see. This meant that anyone could view the precise location of any of the site’s 1.7 million monthly sellers.

PTP claimed it encountered a brick wall of indifference in its first attempts to alert Gumtree to the data breach.

The bug bounty policy specified €500-€5,000, PTP added, and “after the issue was fixed, [it was] informed that no reward was payable because – ‘This is a Responsible Disclosure report, meaning that receiving a reward is a bonus in itself.’”

In a blog post about the kerfuffle, a PTP researcher said: “After I queried which of their rules I’d broken on responsible disclosure, they changed their mind and paid the minimum.”

[…]

Source: Gumtree users’ locations were visible by pressing F12 • The Register

Don’t Buy an HDMI 2.1 TV Before You Read the Fine Print

[…] If deciphering every version of HDMI wasn’t already tedious enough, we now know that the latest and greatest HDMI 2.1 standard, well, isn’t very standardized. A TFTCentral investigation revealed that the TV or monitor you purchase with “HDMI 2.1” might not support any of the latest features.

TFTCentral smelled something fishy when it saw that a Xiaomi monitor with HDMI 2.1 support only reached the specifications for HDMI 2.0. Instead of 4K resolution, the panel was limited to 1080p. And the thing is, Xiaomi technically didn’t do anything wrong. It all comes down to semantics and some murky (and consumer-hostile) guidelines set by the HDMI Licensing Administrator.

[…]

in short, HDMI 2.0 is a subset of HDMI 2.1, meaning its specifications are housed within the newer standard. The standards organization even said it would no longer certify for HDMI 2.0, telling TFTCentral that HDMI 2.0 “no longer exists” and that the features and capabilities of HDMI 2.1 are optional. As long as a monitor supports one of the newer standards, it can be called HDMI 2.1.

As you’d expect, HDMI 2.1 consists of many standards, so TV and monitor makers could theoretically grab the lowest hanging fruit, add it to their (formerly) HDMI 2.0 ports, and slap an HDMI 2.1 label on the box.

The HDMI standards body even confirmed to The Verge that what Xiaomi is doing is perfectly within the rules and that we all depend on manufacturers to be honest about their products. The problem is that they rarely are.

[…]

HDMI 2.1 has made headlines in recent months because of the capabilities it enables on next-gen consoles and gaming PCs—specifically, the ability to run 4K games at 120Hz.

[…]

Source: Don’t Buy an HDMI 2.1 TV Before You Read the Fine Print

New IBM and Samsung transistors could be key to super-efficient vertical chips

IBM and Samsung claim they’ve made a breakthrough in semiconductor design. On day one of the IEDM conference in San Francisco, the two companies unveiled a new design for stacking transistors vertically on a chip. With current processors and SoCs, transistors lie flat on the surface of the silicon, and then electric current flows from side-to-side. By contrast, Vertical Transport Field Effect Transistors (VTFET) sit perpendicular to one another and current flows vertically.

[…]

the design leads to less wasted energy thanks to greater current flow. They estimate VTFET will lead to processors that are either twice as fast or use 85 percent less power than chips designed with FinFET transistors.

[…]

Source: New IBM and Samsung transistors could be key to super-efficient chips (updated) | Engadget

This Air Force Targeting AI Thought It Had a 90% Success Rate. It Was More Like 25%

If the Pentagon is going to rely on algorithms and artificial intelligence, it’s got to solve the problem of “brittle AI.” A top Air Force official recently illustrated just how far there is to go.

In a recent test, an experimental target recognition program performed well when all of the conditions were perfect, but a subtle tweak sent its performance into a dramatic nosedive, Maj. Gen. Daniel Simpson, assistant deputy chief of staff for intelligence, surveillance, and reconnaissance, said on Monday.

Initially, the AI was fed data from a sensor that looked for a single surface-to-surface missile at an oblique angle, Simpson said. Then it was fed data from another sensor that looked for multiple missiles at a near-vertical angle.

“What a surprise: the algorithm did not perform well. It actually was accurate maybe about 25 percent of the time,” he said.

That’s an example of what’s sometimes called brittle AI, which “occurs when any algorithm cannot generalize or adapt to conditions outside a narrow set of assumptions,” according to a 2020 report by researcher and former Navy aviator Missy Cummings. When the data used to train the algorithm consists of too much of one type of image or sensor data from a unique vantage point, and not enough from other vantages, distances, or conditions, you get brittleness, Cummings said.

[…]

But Simpson said the low accuracy rate of the algorithm wasn’t the most worrying part of the exercise. While the algorithm was only right 25 percent of the time, he said, “It was confident that it was right 90 percent of the time, so it was confidently wrong. And that’s not the algorithm’s fault. It’s because we fed it the wrong training data.”

Source: This Air Force Targeting AI Thought It Had a 90% Success Rate. It Was More Like 25% – Defense One

Scott Morrison urged to end ‘lunacy’ and push UK and US for Julian Assange’s release by Australian PMs

Australian parliamentarians have demanded the prime minister, Scott Morrison, intervene in the case of Julian Assange, an Australian citizen, after the United States won a crucial appeal in its fight to extradite the WikiLeaks founder on espionage charges.

“The prime minister must get Assange home,” the Australian Greens leader, Adam Bandt, told Guardian Australia on Saturday.

“An Australian citizen is being prosecuted for publishing details of war crimes, yet our government sits on its hands and does nothing.”

[Photo] WikiLeaks founder Julian Assange. Photograph: Daniel Leal-Olivas/AFP/Getty Images

The independent MP Andrew Wilkie called on Morrison to “end this lunacy” and demand the US and UK release Assange.

[…]

Source: Scott Morrison urged to end ‘lunacy’ and push UK and US for Julian Assange’s release | Australian politics | The Guardian

‘Cowboy Bebop’ Canceled by Netflix After One Season

That was fast: Netflix has canceled its ambitious, widely hyped and, ultimately, widely disappointing anime adaptation Cowboy Bebop, The Hollywood Reporter has learned.

The move comes less than three weeks after the show’s Nov. 19 debut on the streaming service.

The space Western had a rough reception. The 10-episode series garnered only a 46 percent positive critics rating on review aggregator Rotten Tomatoes. Fans seemed to agree, giving the show a 56 percent positive audience score on the site. According to Netflix’s Top 10 site, the series has racked up almost 74 million viewing hours worldwide since its debut — so it got plenty of sampling out of the gate — but it plummeted 59 percent for the week of Nov. 29 to Dec. 5.

Insiders pointed out that Netflix’s renewal rate for scripted series that have two or more seasons stands at 60 percent, in line with industry averages, and, like all Netflix renewal verdicts, the decision was made by balancing the show’s viewership and cost. The streamer also prides itself on taking big swings on projects like Cowboy Bebop and has many other genre shows on the air and in the works.

[…]

Source: ‘Cowboy Bebop’ Canceled by Netflix After One Season – The Hollywood Reporter

What a shame – there seems to have been some fashion in bashing this show, especially from people who were 12 when they watched the original and endowed it with some completely non-existing properties. I liked the original and thought this one was brilliant too. This is why we can’t have nice things.

FAA: No more commercial astronaut wings, too many launching. You still get to be on a list.

Heads up, future space travelers: No more commercial astronaut wings will be awarded from the Federal Aviation Administration after this year.

The FAA said Friday it’s clipping its astronaut wings because too many people are now launching into space and it’s getting out of the astronaut designation business entirely.

The news comes one day ahead of Blue Origin’s planned liftoff from West Texas with former NFL player and TV celebrity Michael Strahan. He and his five fellow passengers will still be eligible for wings since the FAA isn’t ending its long-standing program until Jan. 1.

NASA’s astronauts also have nothing to worry about going forward—they’ll still get their pins from the .

All 15 people who rocketed into space for the first time this year on private U.S. flights will be awarded their wings, according to the FAA. That includes Blue Origin founder Jeff Bezos and Virgin Galactic’s Richard Branson, as well as the other space newbies who accompanied them on their brief up-and-down trips. The companies handed out their own version of astronaut wings after the flights.

All four passengers on SpaceX’s first private flight to orbit last September also qualified for FAA wings.

Adding Blue Origin’s next crew of six will bring the list to 30. The FAA’s first commercial wings recipient was in 2004.

Earlier this year, the FAA tightened up its qualifications, specifying that awardees must be trained crew members, versus paying customers along for the ride. But with the program ending, the decision was made to be all-inclusive, a spokesman said.

Future space tourists will get their names put on a FAA commercial spaceflight list. To qualify, they must soar at least 50 miles (80 kilometers) on an FAA-sanctioned launch.

Source: FAA: No more commercial astronaut wings, too many launching

The European Commission is making its software open source to benefit society – considering it was paid for by the tax payers it’s the least they could do and should have done this years ago

The European Commission has announced that it’s adopting new rules around open source software which will see it release software under open source licenses. The decision follows a Commission study that found investment in open source software leads on average to four times higher returns. There has also been a push for this type of action from the Public Money, Public Code campaign.

If you’re wondering what sort of code the EC could offer to the world, it gave two examples. First, there’s its eSignature, a set of free standards, tools, and services that can speed up the creation and verification of electronic signatures that are legally valid inside the EU. Another example is LEOS (Legislation Editing Open Software) which is used to draft legal texts.

[…]

Source: The European Commission is making its software open source to benefit society – Neowin

Julian Assange can be extradited to the US, court rules, changes mind because US tells judge to.

Wikileaks founder Julian Assange can be extradited from the UK to the US, the High Court has ruled.

The US won its appeal against a January UK court ruling that he could not be extradited due to concerns over his mental health.

Judges were reassured by US promises to reduce the risk of suicide. His fiancee said they intended to appeal.

Mr Assange is wanted in the US over the publication of thousands of classified documents in 2010 and 2011.

Senior judges found the lower judge had based her decision in January on the risk of Mr Assange being held in highly restrictive prison conditions if extradited.

However, the US authorities later gave assurances that he would not face those strictest measures unless he committed an act in the future that merited them.

Giving the judgement, Lord Chief Justice Lord Burnett said: “That risk is in our judgement excluded by the assurances which are offered.

“It follows that we are satisfied that, if the assurances had been before the judge, she would have answered the relevant question differently.”

Mr Assange’s fiancee Stella Moris called the ruling “dangerous and misguided”, adding that the US assurances were “inherently unreliable”.

[…]

Wikileaks editor-in-chief Kristinn Hrafnsson said in a statement: “Julian’s life is once more under grave threat, and so is the right of journalists to publish material that governments and corporations find inconvenient.

“This is about the right of a free press to publish without being threatened by a bullying superpower.”

Amnesty International described the ruling as a “travesty of justice” and the US assurances as “deeply flawed”.

Nils Muiznieks, the human rights organisation’s Europe director, said it “poses a grave threat to press freedom both in the United States and abroad”.

Judges ordered the case must return to Westminster Magistrates’ Court for a district judge to send it formally to Home Secretary Priti Patel.

Mr Assange’s legal team – Birnberg Peirce Solicitors – said any appeal to the Supreme Court would relate to the question of assurances, rather than on issues such as free speech or “the political motivation of the US extradition request”.

Source: Julian Assange can be extradited to the US, court rules – BBC News

Ventoy – add an iso to usb drive and boot it (or any other iso on it) up without any configuration

Ventoy is an open source tool to create a bootable USB drive for ISO/WIM/IMG/VHD(x)/EFI files.
With Ventoy, you don’t need to format the disk over and over; you just copy the ISO/WIM/IMG/VHD(x)/EFI files to the USB drive and boot them directly.
You can copy many files at a time and Ventoy will give you a boot menu to select from.
x86 Legacy BIOS, IA32 UEFI, x86_64 UEFI, ARM64 UEFI and MIPS64EL UEFI are supported in the same way.
Most types of OS are supported (Windows/WinPE/Linux/ChromeOS/Unix/VMware/Xen…).
770+ image files have been tested, and 90%+ of the distros on distrowatch.com are supported.

Source: Ventoy

FAA says lack of federal whistleblower protections is ‘enormous factor’ hindering Blue Origin safety review

Jeff Bezos’ rocket company, Blue Origin, became the subject of a federal review this fall after a group of 21 current and former employees co-signed an essay that raised serious questions about the safety of the company’s rockets — including the rocket making headlines for flying Bezos and other celebrities to space.


But that review was hamstrung by a lack of legal protections for whistleblowers in the commercial spaceflight industry, according to emails from Federal Aviation Administration investigators that were obtained by CNN Business.

The FAA also confirmed in a statement Friday that its Blue Origin review is now closed, saying the “FAA investigated the safety allegations made against Blue Origin’s human spaceflight program” and “found no specific safety issues.”

The emails obtained by CNN Business, however, reveal that investigators were not able to speak with any of the engineers who signed the letter anonymously. Investigators also were not able to go to Blue Origin and ask for documents or interviews with current employees or management, according to the FAA.

The situation highlights how commercial spaceflight companies like Blue Origin are operating in a regulatory bubble, insulated from much of the scrutiny other industries are put under. There are no federal whistleblower statutes that would protect employees in the commercial space industry if they aid FAA investigators, according to the agency.

[…]

Source: FAA says lack of federal whistleblower protections is ‘enormous factor’ hindering Blue Origin safety review – CNN

Log4Shell: RCE 0-day exploit found in log4j2, a popular Java logging package, hugely popular

A few hours ago, a 0-day exploit in the popular Java logging library log4j2 was discovered that results in Remote Code Execution (RCE) by logging a certain string.

Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. We’re calling it “Log4Shell” for short.

The 0-day was tweeted along with a POC posted on GitHub. At the time of the original post the vulnerability was so new that there was no CVE to track it yet; it has since been published as CVE-2021-44228.

This post provides resources to help you understand the vulnerability and how to mitigate it for yourself.

Who is impacted?

Many, many services are vulnerable to this exploit. Cloud services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable.

Anybody using Apache Struts is likely vulnerable. We’ve seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach.

Many Open Source projects like the Minecraft server, Paper, have already begun patching their usage of log4j2.

Simply changing an iPhone’s name has been shown to trigger the vulnerability in Apple’s servers.

Updates (3 hours after posting): According to this blog post (see translation), JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector. In these versions com.sun.jndi.ldap.object.trustURLCodebase is set to false meaning JNDI cannot load remote code using LDAP.

However, there are other attack vectors targeting this vulnerability which can result in RCE. An attacker could still leverage existing code on the server to execute a payload. An attack targeting the class org.apache.naming.factory.BeanFactory, present on Apache Tomcat servers, is discussed in this blog post.

Affected Apache log4j2 Versions

2.0 <= Apache log4j <= 2.14.1

Permanent Mitigation

Version 2.15.0 of log4j has been released without the vulnerability. log4j-core.jar is available on Maven Central, together with the release notes and the log4j security announcements.

The release can also be downloaded from the Apache Log4j Download page.

[…]

Source: Log4Shell: RCE 0-day exploit found in log4j2, a popular Java logging package | LunaSec
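As an added example (not code from the LunaSec post or from the Apache Log4j project), the affected range and fixed release quoted above turned into a small inventory check a defender can run over a host or an extracted image. It assumes Maven-style artifact names of the form `log4j-core-<version>.jar`; the directory tree it scans, and the jar names in it, are constructed inline for the demonstration and are not real findings.

```python
"""Added example: classify log4j-core jars against the advisory's stated range
(2.0 <= log4j-core <= 2.14.1 affected, 2.15.0 fixed). Not the project's own code."""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Range and fixed release exactly as stated in the advisory excerpt.
AFFECTED_MIN: Version = (2, 0, 0)
AFFECTED_MAX: Version = (2, 14, 1)
FIXED_RELEASE: Version = (2, 15, 0)

# Maven-style artifact name: log4j-core-<major>.<minor>[.<patch>].jar
# Pre-release names such as log4j-core-2.0-beta9.jar deliberately do not match
# and are reported as "unparsed" rather than silently dropped.
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")


def parse_version(jar_name: str) -> Optional[Version]:
    """Return (major, minor, patch) from a log4j-core jar file name, or None."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(version: Optional[Version]) -> str:
    """Map a parsed version to one of: affected, fixed, unaffected, unparsed."""
    if version is None:
        return "unparsed"          # needs a human look (pre-release, odd naming)
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    if version >= FIXED_RELEASE:
        return "fixed"
    return "unaffected"            # below 2.0: outside the advisory's range


def scan_tree(root: str) -> Dict[str, str]:
    """Walk `root` and classify every file named like a log4j-core jar.

    Only loose jars on disk are inspected: copies shaded inside fat jars,
    WAR/EAR archives or container layers need a separate archive walk.
    """
    findings: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core-") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                findings[os.path.relpath(path, root)] = classify(parse_version(name))
    return findings


def demo_scan() -> Dict[str, str]:
    """Build a constructed tree of empty, realistically named jars and scan it.
    The paths and names are made up for this example."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in (
            "app/lib/log4j-core-2.14.1.jar",
            "app/lib/log4j-api-2.14.1.jar",      # API jar, not the vulnerable artifact
            "legacy/log4j-core-2.0.jar",
            "patched/log4j-core-2.15.0.jar",
            "old/log4j-core-2.0-beta9.jar",
        ):
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.touch()
        # Normalise separators so the result reads the same on every platform.
        return {k.replace(os.sep, "/"): v for k, v in scan_tree(tmp).items()}


if __name__ == "__main__":
    for path, status in sorted(demo_scan().items()):
        print(f"{status:10s} {path}")
```

Point `scan_tree` at a real application directory to get a per-jar verdict; anything reported as `unparsed` or `affected` is what to upgrade to the 2.15.0 release the advisory names.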

You can find sites that have been exploited https://github.com/YfryTchsGD/Log4jAttackSurface

MCH2022 Submit a talk above and beyond the final frontier!

In the first part of this series of posts where we explore possible subjects that may trigger your “Aha! I know about this and can talk about this!” reflex, medical technology was suggested as an avenue of interest. In this second part, we would like to tickle your memories from not so very long ago but quite far far away and suggest space as a topic for your consideration.

There has been an incredible acceleration of technology and accessibility in this space. With the introduction of CubeSats, space became much more accessible and a few years ago the first fully open-source CubeSat was launched. Companies such as Astra, Rocket Labs and SpaceX have entered the space race, elbowing out the traditional nationally funded efforts. A car was fired into space. Mars was landed on – twice – with the first aircraft on another planet flying around. The moon was rear-ended by the Chinese. 2021 was the year where we launched billionaires into space willy-nilly with even Captain Kirk having a go. NASA got all childish and changed the definition of an astronaut so that some billionaires were one and some weren’t suddenly. Satellite mesh networks are cluttering the skies so ground astronomers can’t see out any more. Nations are firing missiles at satellites, contributing significantly to the space junk problem. Satellites are jamming each other and trying to take each other over. The ISS is leaking and suddenly firing thrusters when it isn’t avoiding aforesaid trash. SpinLaunch is using a giant snail-like centrifuge that launches stuff into space from Earth. Neumann Space is trying to build a gas station for satellites in space. Steve Wozniak wants to become a space janitor and clean up all that mess. China has its own space station.

With all this action also comes condemnation. Should we be spending all that money on space when there are so many problems here on Earth? Reflection: What kind of legal structures and governance do we try to impose on foreign planets, the moon, the space above us, and how do we enforce this? But also what does cheap and plentiful access to space mean on a societal level, looking forward? Technically, what efforts have we thrown into tracking and communicating with these satellites? What should we do with old satellites? How can we as a community access space, and what do we want to do there?

We are looking forward to hearing from you – a workshop, lecture, anything you feel you can contribute is welcome!

Call for Participation

Source: May Contain Hackers 2022

I wrote this in the hopes that you are inspired to join the CFP!

Italian regulator fines Amazon $1.28 billion for abusing its market dominance

Italy’s antitrust authority (AGCM) has fined Amazon €1.13 billion ($1.28 billion) for “abuse of dominant position,” the second penalty it has imposed on Amazon over the last month. Amazon holds a position of “absolute dominance” in the Italian brokerage services market, “which has allowed it to promote its own logistics service, called Fulfillment by Amazon (FBA),” the authority wrote in a (Google translated) press release.

According to the AGCM, companies must use Amazon’s FBA service if they want access to key benefits like the Prime label, which in turn allows them to participate in Black Friday sales and other key events. “Amazon has thus prevented third-party sellers from associating the Prime label with offers not managed with FBA,” it said.

The authority said access to those functions are “crucial” for seller success. It also noted that third-party sellers using FBA are not subject to the same stringent performance requirements as non-FBA sellers. As such, they’re less likely to be suspended from the platform if they fail to meet certain goals. Finally, it noted that sellers using Amazon’s logistics services are discouraged from offering their products on other online platforms, at least to the same extent they do on Amazon.

[…]

Source: Italian regulator fines Amazon $1.28 billion for abusing its market dominance | Engadget

Report: VPNs Are Often a Mixed Bag for Privacy

[…] Consumer Reports, which recently published a 48-page white paper on VPNs that looks into the privacy and security policies of 16 prominent VPN providers. Researchers initially looked into some 51 different companies but ultimately homed in on the most prominent, high-quality providers. The results are decidedly mixed, with the report highlighting a lot of the long offered criticisms of the industry—namely, its lack of transparency, its PR bullshit, and its not always stellar security practices. On the flip side, a small coterie of VPNs actually seem pretty good.

[…]

Consumers may often believe that by using a VPN they are able to become completely invisible online, as companies promise stuff like “unrivaled internet anonymity,” and the ability to “keep your browsing private and protect yourself from hackers and online tracking,” and so on and so forth.

In reality, there are still a whole variety of ways that companies and advertisers can track you across the internet—even if your IP address is hidden behind a virtual veil.

[…]

via a tool developed by a group of University of Michigan researchers, dubbed the “VPNalyzer” test suite, which was able to look at various security issues with VPN connections. The research team found that “malicious and deceptive behaviors by VPN providers such as traffic interception and manipulation are not widespread but are not nonexistent. In total, the VPNalyzer team filed more than 29 responsible disclosures, 19 of which were for VPNs also studied in this report, and is awaiting responses regarding its findings.”

The CR’s own analysis found “little evidence” of VPNs “manipulating users’ networking traffic when testing for evidence of TLS interception,” though they did occasionally run into examples of data leakage.

And, as should hopefully go without saying, any VPN with the word “free” near it should be avoided at all costs, lest you accidentally download some sort of Trojan onto your device and casually commit digital hara-kiri.

[…]

According to CR’s review, four VPN providers rose to the top of the list in terms of their privacy and security practices. They were:

Apparently in that order.

These companies stood out mostly by not over-promising what they could deliver, while also scoring high on scales of transparency and security.

[…]

Source: Report: VPNs Are Often a Mixed Bag for Privacy

Physicists discover special transverse sound wave

A research team at City University of Hong Kong (CityU) has discovered a new type of sound wave: The airborne sound wave vibrates transversely and carries both spin and orbital angular momentum like light does. The findings shattered scientists’ previous beliefs about the sound wave, opening an avenue to the development of novel applications in acoustic communications, acoustic sensing and imaging.

The research was initiated and co-led by Dr. Shubo Wang, Assistant Professor in the Department of Physics at CityU, and conducted in collaboration with scientists from Hong Kong Baptist University (HKBU) and the Hong Kong University of Science and Technology (HKUST). It was published in Nature Communications, titled “Spin-orbit interactions of transverse sound.”

Beyond the conventional understanding of sound wave

The physics textbooks tell us there are two kinds of waves. In transverse waves like light, the vibrations are perpendicular to the direction of wave propagation. In longitudinal waves like sound, the vibrations are parallel to the direction of wave propagation. But the latest discovery by scientists from CityU changes this understanding of sound waves.

“While the airborne sound is a longitudinal wave in usual cases, we demonstrated for the first time that it can be a transverse wave under certain conditions. And we investigated its spin-orbit interactions (an important property only exists in transverse waves), i.e. the coupling between two types of angular momentum. The finding provides new degrees of freedom for sound manipulations.”

The absence of shear force in the air, or fluids, is the reason why sound is a longitudinal wave, Dr. Wang explained. He had been exploring whether it is possible to realize transverse sound, which requires shear force. Then he conceived the idea that synthetic shear force may arise if the air is discretized into “meta-atoms,” i.e., volumetric air confined in small resonators with size much smaller than the wavelength. The collective motion of these air “meta-atoms” can give rise to a transverse sound on the macroscopic scale.

Negative refraction induced by the spin-orbit interaction in momentum space. Credit: S. Wang et al. DOI: 10.1038/s41467-021-26375-9

Conception and realization of ‘micropolar metamaterial’

He ingeniously designed a type of artificial material called “micropolar metamaterial” to implement this idea, which appears like a complex network of resonators. Air is confined inside these mutually connected resonators, forming the “meta-atoms.” The metamaterial is hard enough so that only the air inside can vibrate and support sound propagation. The showed that the collective motion of these air “meta-atoms” indeed produces the shear force, which gives rise to the transverse sound with spin-orbit interactions inside this metamaterial. This theory was verified by experiments conducted by Dr. Ma Guancong’s group in HKBU.

Moreover, the research team discovered that air behaves like an elastic material inside the micropolar metamaterial and thus supports transverse sound with both spin and orbital angular momentum. Using this metamaterial, they demonstrated two types of spin-orbit interactions of sound for the first time. One is the momentum-space spin-orbit interaction, which gives rise to negative refraction of the transverse sound, meaning that sound bends in the opposite directions when passing through an interface. Another one is the real-space spin-orbit interaction, which generates sound vortices under the excitation of the transverse sound.

[…]

Source: Physicists discover special transverse sound wave

Prisons snoop on inmates’ phone calls with speech-to-text AI

Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.

A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.

In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.

“(The) sheriff believes (the calls) will help him fend off pending liability via civil action from inmates and activists,” Sexton said. Verus transcribes phone calls and finds certain keywords discussing issues like COVID-19 outbreaks or other complaints about jail conditions.

Prisoners, however, said the tool was used to catch crime. In one case, it allegedly found one inmate illegally collecting unemployment benefits. But privacy advocates aren’t impressed. “The ability to surveil and listen at scale in this rapid way – it is incredibly scary and chilling,” said Julie Mao, deputy director at Just Futures Law, an immigration legal group.

[…]

Source: Prisons snoop on inmates’ phone calls with speech-to-text AI • The Register

Spotify Pulls Content of Comedians Fighting to Get Royalties

[…]

Spotify took down the work of hundreds of comedians, including big names like John Mulaney, Jim Gaffigan, and Kevin Hart, the Wall Street Journal reported on Saturday. Mulaney, Gaffigan, Hart, and other comedians are represented by Spoken Giants, a global rights company that’s leading the fight to get radio and digital platforms, such as Spotify, SiriusXM, Pandora, and YouTube, to pay comedians royalty payments on the copyright for their written work.

According to the outlet, the streaming giant had been in negotiations with Spoken Giants but couldn’t reach an agreement. On Thanksgiving, Spotify informed Spoken Giants that it would pull all work by comedians represented by the organization until they could come to an understanding.

[…]

“In music, songwriter royalties are a very basic revenue stream, so this is not an unfamiliar concept and our work is based on established precedents and clear copyright language,” King said. “With this take-down, individual comedians are now being penalized for collectively requesting the same compensation songwriters receive.”

[…]

Source: Spotify Pulls Content of Comedians Fighting to Get Royalties

Cuba ransomware gang scores almost $44m from 49 victims: FBI

The US Federal Bureau of Investigation (FBI) says 49 organisations, including some in government, were hit by Cuba ransomware as of early November this year.

The attacks were spread across five “critical infrastructure” sectors, which, besides government, included the financial, healthcare, manufacturing, and – as you’d expect – IT sectors. The Feds said late last week the threat actors are demanding $76m in ransoms and have already received at least $43.9m in payments.

The ransomware gang’s loader of choice, Hancitor, was the culprit, distributed via phishing emails, or via exploit of Microsoft Exchange vulnerabilities, compromised credentials, or Remote Desktop Protocol (RDP) tools. Hancitor – also known as Chanitor or Tordal – enables a CobaltStrike beacon as a service on the victim’s network using a legitimate Windows service like PowerShell.

[…]

Source: Cuba ransomware gang scores almost $44m from 49 victims: FBI • The Register

Executive at Swiss Tech Company Said to Operate Secret Surveillance Operation

The co-founder of a company that has been trusted by technology giants including Google and Twitter to deliver sensitive passwords to millions of their customers also operated a service that ultimately helped governments secretly surveil and track mobile phones, Bloomberg reported Monday, citing former employees and clients. From the report: Since it started in 2013, Mitto AG has established itself as a provider of automated text messages for such things as sales promotions, appointment reminders and security codes needed to log in to online accounts, telling customers that text messages are more likely to be read and engaged with than emails as part of their marketing efforts. Mitto, a closely held company with headquarters in Zug, Switzerland, has grown its business by establishing relationships with telecom operators in more than 100 countries. It has brokered deals that gave it the ability to deliver text messages to billions of phones in most corners of the world, including countries that are otherwise difficult for Western companies to penetrate, such as Iran and Afghanistan. Mitto has attracted major technology giants as customers, including Google, Twitter, WhatsApp, Microsoft’s LinkedIn and messaging app Telegram, in addition to China’s TikTok, Tencent and Alibaba, according to Mitto documents and former employees.

But a Bloomberg News investigation, carried out in collaboration with the London-based Bureau of Investigative Journalism, indicates that the company’s co-founder and chief operating officer, Ilja Gorelik, was also providing another service: selling access to Mitto’s networks to secretly locate people via their mobile phones. That Mitto’s networks were also being used for surveillance work wasn’t shared with the company’s technology clients or the mobile operators Mitto works with to spread its text messages and other communications, according to four former Mitto employees. The existence of the alternate service was known only to a small number of people within the company, these people said. Gorelik sold the service to surveillance-technology companies which in turn contracted with government agencies, according to the employees.

Source: Executive at Swiss Tech Company Said to Operate Secret Surveillance Operation – Slashdot

$150m – $200m of digital assets stolen in BitMart security breach

Cryptocurrency exchange BitMart has coughed to a large-scale security breach relating to ETH and BSC hot wallets. The company reckons that hackers made off with approximately $150m in assets.

Security and analytics outfit PeckShield put the figure at closer to $200m.

“We have identified a large-scale security breach related to one of our ETH hot wallets and one of our BSC hot wallets today. At this moment we are still concluding the possible methods used. Hackers were able to withdraw assets of the value of approximately 150 million USD,” BitMart said.

“The affected ETH hot wallet and BSC hot wallet carry a small percentage of assets on BitMart and all of our other wallets are secure and unharmed. We are now conducting a thorough security review and we will post updates as we progress,” it added.

Worryingly for customers, BitMart has blocked withdrawals until it has completed a “thorough security review” or, in the common metaphor, shut the stable door after the horse has bolted.

[…]

Source: $150m of digital assets stolen in BitMart security breach • The Register

The SEC is probing Tesla’s faulty solar panels prone to fire, whistleblower says they kept evidence of danger under wraps

The Securities and Exchange Commission has launched an investigation into whether Tesla failed to tell investors and customers about the fire risks of its faulty solar panels.

Whistleblower and ex-employee, Steven Henkes, accused the company of flouting safety issues in a complaint with the SEC in 2019. He filed a freedom of information request to regulators and asked to see records relating to the case in September, earlier this year. An SEC official declined to hand over documents, and confirmed its probe into the company is still in progress.

[…]

Tesla started selling and installing solar panels after it acquired SolarCity for $2.6bn in 2016. But its goal of becoming a renewable energy company hasn’t been smooth. Several fires have erupted from Tesla’s solar panels installed on the roofs of Walmart stores, Amazon warehouses, and people’s homes.

In fact, Walmart sued the company in 2019 after seven of its supermarkets in the US caught fire. The lawsuit accused Tesla of “utter incompetence or callousness, or both.” Walmart later dropped its claims, and settled the matter privately.

Before Walmart’s lawsuit, however, Steven Henkes, who was employed as a field quality manager by Tesla after the acquisition, said he attempted to raise concerns about fire risks with managers. He claimed in a lawsuit [PDF] filed last year in November that he was wrongfully terminated after he was fired in August, last year. Henkes claimed his concerns about defects in the company’s solar panels and electrical connectors were repeatedly ignored, even after he filed initial whistleblower complaints with the SEC and the US Consumer Protection Safety Commission (CPSC).

Over 60,000 people as well as over 500 commercial consumers could have been potentially affected by fire risks from Tesla’s faulty solar panels, the lawsuit said. Tesla started replacing and reimbursing defective components in 2019, Business Insider reported. The CPSC has also been investigating the company. Tesla did not respond to The Register’s questions.

Source: The SEC is probing Tesla’s faulty solar panels prone to fire • The Register

Suspected Russian Activity Targeting Government and Business Entities Around the Globe after Solarwinds

Mandiant continues to track multiple clusters of suspected Russian intrusion activity that have targeted business and government entities around the globe. Based on our assessment of these activities, we have identified two distinct clusters of activity, UNC3004 and UNC2652. We associate both groups with UNC2452, also referred to as Nobelium by Microsoft.

Some of the tactics Mandiant has recently observed include:

  • Compromise of multiple technology solutions, services, and reseller companies since 2020.
  • Use of credentials likely obtained from an info-stealer malware campaign by a third-party actor to gain initial access to organizations.
  • Use of accounts with Application Impersonation privileges to harvest sensitive mail data since Q1 2021.
  • Use of both residential IP proxy services and newly provisioned geo-located infrastructure to communicate with compromised victims.
  • Use of novel TTPs to bypass security restrictions within environments including, but not limited to, the extraction of virtual machines to determine internal routing configurations.
  • Use of a new bespoke downloader we call CEELOADER.
  • Abuse of multi-factor authentication leveraging “push” notifications on smartphones.
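As an added defensive illustration (not part of the Mandiant report), the following Python check looks for the push-notification abuse pattern in the last bullet: a sign-in that is finally approved after several denied MFA push prompts in a short window. The log format and the events are constructed for the example; real identity providers emit richer records, but the same grouping-by-user logic applies.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA events (not real telemetry): "<UTC timestamp> <user> <outcome>".
# alice shows the fatigue pattern: three denials, then an approval two minutes later.
SAMPLE_EVENTS = [
    "2021-12-06T02:14:05Z alice mfa_push_denied",
    "2021-12-06T02:14:41Z alice mfa_push_denied",
    "2021-12-06T02:15:20Z alice mfa_push_denied",
    "2021-12-06T02:16:02Z alice mfa_push_approved",
    "2021-12-06T09:30:00Z bob mfa_push_approved",
    "2021-12-06T17:45:10Z bob mfa_push_approved",
]


def parse_event(line):
    """Split one constructed log line into (timestamp, user, outcome)."""
    ts, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome


def find_push_fatigue(lines, window=timedelta(minutes=10), min_denied=2):
    """Return {user: (approval_time, denials_in_window)} for every approval
    preceded by at least `min_denied` denied prompts inside `window`.

    Repeated denials followed by an approval is the signature of a user
    being worn down by prompts rather than a normal single-prompt login.
    """
    by_user = defaultdict(list)
    for line in lines:
        ts, user, outcome = parse_event(line)
        by_user[user].append((ts, outcome))

    flagged = {}
    for user, events in by_user.items():
        events.sort()  # chronological order so we only look back in time
        for i, (ts, outcome) in enumerate(events):
            if outcome != "mfa_push_approved":
                continue
            denied = sum(1 for t, o in events[:i]
                         if o == "mfa_push_denied" and ts - t <= window)
            if denied >= min_denied:
                flagged[user] = (ts, denied)
    return flagged


if __name__ == "__main__":
    for user, (when, denials) in find_push_fatigue(SAMPLE_EVENTS).items():
        print(f"{user}: approval at {when} after {denials} denied prompts")
```

Tuning `window` and `min_denied` to the organisation's normal prompt rate keeps the check useful without flagging a user who mis-taps once.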

In most instances, post-compromise activity included theft of data relevant to Russian interests. In some instances, the data theft appears to be obtained primarily to create new routes to access other victim environments. The threat actors continue to innovate and identify new techniques and tradecraft to maintain persistent access to victim environments, hinder detection, and confuse attribution efforts.

The sections below highlight intrusion activity from multiple incident response efforts that are currently tracked as multiple uncategorized clusters. Mandiant suspects the multiple clusters to be attributable to a common Russian threat. The information below covers some of the Tactics, Techniques, and Procedures (TTPs) used by the threat actors for initial compromise, establishing a foothold, data collection, and lateral movement; how the threat actors provision infrastructure; and indicators of compromise. The information is being shared to raise awareness and allow organizations to better defend themselves.

[…]

Source: Suspected Russian Activity Targeting Government and Business Entities Around the Globe | Mandiant