The Linkielist

Linking ideas with the world


About Robin Edgar


Grad Students Analyze, Hack, and Remove Under-Desk Surveillance Devices Designed to Track Them – at a privacy institute!

[…]

Graduate students at Northeastern University were able to organize and beat back an attempt at introducing invasive surveillance devices that were quietly placed under desks at their school.

Early in October, Senior Vice Provost David Luzzi installed motion sensors under all the desks at the school’s Interdisciplinary Science & Engineering Complex (ISEC), a facility used by graduate students and home to the “Cybersecurity and Privacy Institute” which studies surveillance. These sensors were installed at night—without student knowledge or consent—and when pressed for an explanation, students were told this was part of a study on “desk usage,” according to a blog post by Max von Hippel, a Privacy Institute PhD candidate who wrote about the situation for the Tech Workers Coalition’s newsletter.

[…]

In response, students began to raise concerns about the sensors, and an email was sent out by Luzzi attempting to address issues raised by students.

[…]

“The results will be used to develop best practices for assigning desks and seating within ISEC (and EXP in due course).”

To that end, Luzzi wrote, the university had deployed “a Spaceti occupancy monitoring system” that would use heat sensors at groin level to “aggregate data by subzones to generate when a desk is occupied or not.” Luzzi added that the data would be anonymized, aggregated to look at “themes” and not individual time at assigned desks, not be used in evaluations, and not shared with any supervisors of the students. Following that email, an impromptu listening session was held in the ISEC.

At this first listening session, Luzzi asked that grad student attendees “trust the university since you trust them to give you a degree.” Luzzi also maintained that “we are not doing any science here” as another defense of the decision not to seek IRB approval.

“He just showed up. We’re all working, we have paper deadlines and all sorts of work to do. So he didn’t tell us he was coming, showed up demanding an audience, and a bunch of students spoke with him,”

[…]

After that, the students at the Privacy Institute, who specialize in studying surveillance and reversing its harms, started removing the sensors, hacking into them, and working on an open source guide so other students could do the same. Luzzi had claimed the devices were secure and the data encrypted, but Privacy Institute students learned they were relatively insecure and unencrypted.

[…]

After hacking the devices, students wrote an open letter to Luzzi and university president Joseph E. Aoun asking for the sensors to be removed because they were intimidating, part of a poorly conceived study, and deployed without IRB approval even though human subjects were at the center of the so-called study.

“Resident in ISEC is the Cybersecurity and Privacy Institute, one of the world’s leading groups studying privacy and tracking, with a particular focus on IoT devices,” the letter reads. “To deploy an under-desk tracking system to the very researchers who regularly expose the perils of these technologies is, at best, an extremely poor look for a university that routinely touts these researchers’ accomplishments.

[…]

Another listening session followed, this time for professors only, where Luzzi claimed the devices were not subject to IRB approval because “they don’t sense humans in particular – they sense any heat source.” More sensors were removed afterwards and put into a “public art piece” in the building lobby spelling out NO!

[…]

Afterwards, von Hippel took to Twitter and shared what became a semi-viral thread documenting the entire timeline of events, from the secret installation of the sensors to the listening session occurring that day. Hours later, the sensors were removed.

[…]

This was a particularly instructive episode because it shows that surveillance need not be permanent—that it can be rooted out by the people affected by it, together.

[…]

“The most powerful tool at the disposal of graduate students is the ability to strike. Fundamentally, the university runs on graduate students.

[…]

“The computer science department was able to organize quickly because almost everybody is a union member, has signed a card, and are all networked together via the union. As soon as this happened, we communicated over union channels.

[…]

This sort of rapid response is key, especially as more and more systems adopt sensors for increasingly spurious or concerning reasons. Sensors have been rolled out at other universities like Carnegie Mellon University, as well as public school systems. They’ve seen use in more militarized and carceral settings such as the US-Mexico border or within America’s prison system.

These rollouts are part of what Cory Doctorow calls the “shitty technology adoption curve,” whereby horrible, unethical and immoral technologies are normalized and rationalized by being deployed on vulnerable populations for constantly shifting reasons. You start with people whose concerns can be ignored—migrants, prisoners, homeless populations—then scale it upwards—children in school, contractors, un-unionized workers. By the time it gets to people whose concerns and objections would be the loudest and most integral to its rejection, the technology has already been widely deployed.

[…]

Source: ‘NO’: Grad Students Analyze, Hack, and Remove Under-Desk Surveillance Devices Designed to Track Them

RIVM Study: ‘Perception of General Aviation in Netherlands’

The Ministry of Infrastructure and Water Management wants to know how residents aged 16 and older in the Netherlands experience their living environment. In that context, it was investigated whether people experience nuisance from the noise caused by GA (“small aviation”).

The research shows that people experience little inconvenience from small aircraft. Most of the questions in the survey were asked of people who experience noise from GA (so-called “observers”). They are hardly concerned about their safety due to this type of air traffic, except about drones. They do worry about that.

Nearly two thirds of the observers can also enjoy overflying light aircraft. RIVM advises to continue to monitor the impact of helicopters and drones on the perceived quality of the living environment.

Source: Onderzoek RIVM ‘Beleving van kleine luchtvaart in Nederland’ · Aopa Netherlands

There you go. Stop trying to kill GA – it’s the feed for the airlines and transporters and people like it!

As US, UK Embrace ‘Age Verify Everyone!’ French Data Protection Agency Says Age Verification Is Unreliable And Violates Privacy Rights

[…]

We’ve already spent many, many words explaining how age verification technology is inherently dangerous and actually puts children at greater risk. Not to mention it’s a privacy nightmare that normalizes the idea of mass surveillance, especially for children.

But, why take our word for it?

The French data protection agency, CNIL, has declared that no age verification technology in existence can be deemed as safe and not dangerous to privacy rights.

Now, there are many things that I disagree with CNIL about, especially its views that the censorial “right to be forgotten in the EU” should be applied globally. But one thing we likely agree on is that CNIL does not fuck around when it comes to data protection stuff. CNIL is generally seen as the most aggressive and most thorough in its data protection/data privacy work. Being on the wrong side of CNIL is a dangerous place for any company to be.

So I’d take it seriously when CNIL effectively notes that all age verification is a privacy nightmare, especially for children:

The CNIL has analysed several existing solutions for online age verification, checking whether they have the following properties: sufficiently reliable verification, complete coverage of the population and respect for the protection of individuals’ data and privacy and their security.

The CNIL finds that there is currently no solution that satisfactorily meets these three requirements.

Basically, CNIL found that all existing age verification techniques are unreliable, easily bypassed, and are horrible regarding privacy.

Despite this, CNIL seems oddly optimistic that just by nerding harder, perhaps future solutions will magically work. However, it does go through the weaknesses and problems of the various offerings being pushed today as solutions. For example, you may recall that when I called out the dangers of the age verification in California’s Age Appropriate Design Code, a trade group representing age verification companies reached out to me to let me know there was nothing to worry about, because they’d just scan everyone’s faces to visit websites. CNIL points out some, um, issues with this:

The use of such systems, because of their intrusive aspect (access to the camera on the user’s device during an initial enrolment with a third party, or a one-off verification by the same third party, which may be the source of blackmail via the webcam when accessing a pornographic site is requested), as well as because of the margin of error inherent in any statistical evaluation, should imperatively be conditional upon compliance with operating, reliability and performance standards. Such requirements should be independently verified.

This type of method must also be implemented by a trusted third party respecting precise specifications, particularly concerning access to pornographic sites. Thus, an age estimate performed locally on the user’s terminal should be preferred in order to minimise the risk of data leakage. In the absence of such a framework, this method should not be deployed.

Every other verification technique seems to similarly raise questions about its effectiveness and about how protective (or, well, how unprotective) it is of privacy rights.

So… why isn’t this raising alarm bells among the various legislatures and children’s advocates (many of whom also claim to be privacy advocates) who are pushing for these laws?

Source: As US, UK Embrace ‘Age Verify Everyone!’ French Data Protection Agency Says Age Verification Is Unreliable And Violates Privacy Rights | Techdirt

Square Enix paid mobile games To Be Completely Disappeared With Studio Shutdown

It’s a lesson that apparently keeps needing to be re-learned over and over again: for far too many types of digital purchases, you simply don’t own the thing you bought. The arenas for this perma-lesson are varied: movies, books, music. And, of course, video games. The earliest lesson in that space may have been when Sony removed a useful feature on its PlayStation 3 console after the public had already begun buying it, which is downright insane. But while that was an entire console being impacted, the lesson has been repeated in instances where games and mobile apps simply stop working when the maker decides to shut their servers down, or purchased DLC disappears for the same reason.

And here we are again, with the announcement that Onoma, previously Square Enix Montreal, is going to be shuttering some of its mobile games. The end result is not that new purchases won’t be available. Instead, the game will just not be a thing anymore. Anywhere.

Arena Battle Champions, Deus Ex GO, Hitman Sniper: The Shadows and Space Invaders: Hidden Heroes will be shutting down on January 4th. The games will be removed from the App Store/Google Play Store on December 1st, and current players will not be able to access the games past January 4th.

Effective immediately, in-game purchases are stopped. We encourage prior in-game purchases to be used before January 4th, as they will not be refunded. On behalf of the development team, we would like to thank you for playing our games.

Deus Ex Go costs $6 on the Google Play Store. You can go buy it right damned now if you wanted to. But why would you, given that the game will simply brick and no longer function in five weeks? And, more importantly, did any of the 500k-plus people who downloaded the game over the years know that its disappearing was a possibility? I mean, I’m sure the standard “you’re just licensing this for as long as we let you” language is buried in the ToS, but I’m also sure that the vast majority of the people who paid for the game didn’t realize this would be a possibility.

[…]

Source: ‘Deus Ex Go’ To Be Completely Disappeared With Studio Shutdown | Techdirt

Scientists simulate ‘baby’ wormhole in quantum computer

[…]

Researchers have announced that they simulated two minuscule black holes in a quantum computer and transmitted a message between them through what amounted to a tunnel in space-time.

They said that based on the quantum information teleported, a traversable wormhole appeared to have emerged, but that no rupture of space and time was physically created in the experiment, according to the study published in the journal Nature on Wednesday.

[…]

Caltech physicist Maria Spiropulu, a co-author of the research, described it as having the characteristics of a “baby wormhole”, and now hopes to make “adult wormholes and toddler wormholes step-by-step”. The wormhole dynamics were observed on a quantum device at Google called the Sycamore quantum processor.

Experts who were not involved in the experiment cautioned that it was important to note that a physical wormhole had not actually been created, but noted the future possibilities.

Daniel Harlow, a physicist at MIT, told the New York Times the experiment was based on a model so simple that it could just as well have been studied using pencil and paper.

“I’d say that this doesn’t teach us anything about quantum gravity that we didn’t already know,” Harlow wrote. “On the other hand, I think it is exciting as a technical achievement, because if we can’t even do this (and until now we couldn’t), then simulating more interesting quantum gravity theories would certainly be off the table.”

The study authors themselves made clear that scientists remain a long way from being able to send people or other living beings through such a portal.

[…]

“These ideas have been around for a long time and they’re very powerful ideas,” Lykken said. “But in the end, we’re in experimental science, and we’ve been struggling now for a very long time to find a way to explore these ideas in the laboratory. And that’s what’s really exciting about this. It’s not just, ‘Well, wormholes are cool.’ This is a way to actually look at these very fundamental problems of our universe in a laboratory setting.”

Source: Scientists simulate ‘baby’ wormhole without rupturing space and time | Space | The Guardian

LastPass breached again

In keeping with our commitment to transparency, I wanted to inform you of a security incident that our team is currently investigating. 

We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement. 

We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture. 

We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional.

[…]

Source: Notice of Recent Security Incident – The LastPass Blog

Scientists produce nanobodies in plant cells that block emerging pathogens – using plants to grow bodies that block Covid (and more?)

Scientists at the U.S. Department of Agriculture’s (USDA) Agricultural Research Service (ARS) recently announced that plants could be used to produce nanobodies that quickly block emerging pathogens in human medicine and agriculture. These nanobodies represent a promising new way to treat viral diseases, including SARS-CoV-2.

Nanobodies are small antibody proteins naturally produced in specific animals like camels, alpacas, and llamas.

ARS researchers turned to evaluating nanobodies to prevent and treat citrus greening disease in citrus trees. These scientists are now using their newly developed and patented Symbiont™ technology to show that nanobodies can be easily produced in a plant system with broad agricultural and public health applications.

As a proof-of-concept, researchers showed that nanobodies targeting the SARS-CoV-2 virus could be made in plant cells and remain functional in blocking the binding of the SARS-CoV-2 spike protein to its receptor protein: the process responsible for initiating viral infection in human cells.

“We initially wanted to develop to pathogens in ,” said ARS researcher Robert Shatters, Jr. “The results of that research are indeed successful and beneficial for the nation’s agricultural system. But now we are aware of an even greater result—the benefits of producing therapeutics in plants now justify the consideration of using to mass produce COVID-19 protein-based therapies.”

AgroSource, Inc. collaborated with USDA-ARS to develop the plant-based production system. They are currently taking the necessary steps to see how they can move this advancement into the commercial sector.

“This is a huge breakthrough for science and innovative solutions to agricultural and public health challenges,” said ARS researcher Michelle Heck. “This cost-efficient, plant-based system proves that there are alternative ways to confront and prevent the spread of emerging pathogens. The approach has the potential to massively expand livelihood development opportunities in rural agricultural areas of the nation and in other countries.”

The findings are published on the bioRxiv preprint server.

More information: Marco Pitino et al, Plant production of high affinity nanobodies that block SARS-CoV-2 spike protein binding with its receptor, human angiotensin converting enzyme, bioRxiv (2022). DOI: 10.1101/2022.09.03.506425

Source: Scientists produce nanobodies in plant cells that block emerging pathogens

Disney Made an AI Tool That Automatically De-Ages Actors

[…]

To make an age-altering AI tool that was ready for the demands of Hollywood and flexible enough to work on moving footage or shots where an actor isn’t always looking directly at the camera, Disney’s researchers, as detailed in a recently published paper, first created a database of thousands of randomly generated synthetic faces. Existing machine learning aging tools were then used to age and de-age these thousands of non-existent test subjects, and those results were then used to train a new neural network called FRAN (face re-aging network).

A step-by-step illustration of how FRAN generates aging/de-aging changes which are applied to the original input face.
Screenshot: YouTube – DisneyResearchHub

When FRAN is fed an input headshot, instead of generating an altered headshot, it predicts what parts of the face would be altered by age, such as the addition or removal of wrinkles, and those results are then layered over the original face as an extra channel of added visual information. This approach accurately preserves the performer’s appearance and identity, even when their head is moving, when their face is looking around, or when the lighting conditions in a shot change over time. It also allows the AI generated changes to be adjusted and tweaked by an artist, which is an important part of VFX work: making the alterations perfectly blend back into a shot so the changes are invisible to an audience.

Source: Disney Made an AI Tool That Automatically De-Ages Actors

Players are boycotting Nintendo and Panda events in the wake of Smash Bros tournaments being instacanceled by Nintendo

In the wake of Nintendo being Nintendo and unceremoniously canceling the Smash World Tour, one of the year’s biggest esports tournaments dedicated to all things Super Smash Bros., copious folks in the game’s community have come out in protest. Casual fans, pro players, long-time commentators, and even other tournament organizers, from AITX eSports to Beyond the Summit, have all publicly denounced not just Nintendo for its asinine decision but also Panda Global for allegedly causing the Smash World Tour to get shut down. Now, it appears many of those people are boycotting all of Nintendo’s officially licensed tournaments as well.

[…]

Super Smash Bros. fans aren’t happy about what’s going on, with many posting their frustrations on Twitter. Some pointed fingers at Panda Global CEO and co-founder Dr. Alan Bunney for allegedly trying to recruit tournaments to the Panda Cup by threatening to get Nintendo involved to shut the Smash World Tour down and reportedly attempting to create a monopoly by requesting exclusive streaming rights to the Panda Cup. Others fear this may hurt their careers and livelihoods. The main consensus is to never watch, support, or attend a Panda Global event ever again. A lot of people seem to feel this way.

[…]

The future of Super Smash Bros.’s competitive fighting game scene is looking quite precarious, with Video Game Boot Camp admitting in the statement that it’s “currently navigating budget cuts, internal communications with our team and partners, commitments/contracts, as well as sponsorship negotiations that will inevitably be affected by all of this.” It’s possible that smaller tournaments will continue without Nintendo’s blessing, but, as has been done time and again, it’s likely only a matter of time until Nintendo comes a-knocking.

[…]

Source: Smash Bros. Fans Are Totally Done With Nintendo And Tournaments

The article says that Smash Bros tournaments were cancelled due to Nintendo not sponsoring them, but the tournaments were cancelled due to Nintendo throwing cease and desist letters at the organisers. Also see: Nintendo Shuts Down Smash World Tour – world’s largest e-sports tournament – out of the blue

Telegram shares users’ data in copyright violation lawsuit to Indian court

Telegram has disclosed the names of administrators, their phone numbers and the IP addresses of channels accused of copyright infringement, in compliance with a court order in India, in a remarkable illustration of the data the instant messaging platform stores on its users and can be made to disclose to authorities.

The app operator was forced by a Delhi High Court order to share the data after a teacher sued the firm for not doing enough to prevent unauthorised distribution of her course material on the platform. Neetu Singh, the plaintiff teacher, said a number of Telegram channels were re-selling her study materials at discounted prices without permission.

An Indian court earlier had ordered Telegram to adhere to the Indian law and disclose details about those operating such channels.

Telegram unsuccessfully argued that disclosing user information would violate the privacy policy and the laws of Singapore, where it has located its physical servers for storing users’ data. In response, the Indian court said the copyright owners couldn’t be left “completely remediless against the actual infringers” because Telegram has chosen to locate its servers outside the country.

In an order last week, Justice Prathiba Singh said Telegram had complied with the earlier order and shared the data.

“Let copy of the said data be supplied to Ld. Counsel for plaintiffs with the clear direction that neither the plaintiffs nor their counsel shall disclose the said data to any third party, except for the purposes of the present proceedings. To this end, disclosure to the governmental authorities/police is permissible,” said the court in its order (PDF), as first reported by LiveLaw.

[…]

Source: Telegram shares users’ data in copyright violation lawsuit | TechCrunch

More Details On China’s Exotic Orbital Hypersonic Weapon Come To Light

[…]

This information was included in the Defense Department’s annual Military and Security Developments Involving the People’s Republic of China report, more commonly known as the China Military Power Report (CMPR), which serves as an assessment of China’s current defense strategy and military capabilities. While the CMPR analyzes a wide array of Chinese military advancements, it was especially beneficial in clarifying what exactly occurred during the country’s highly intriguing hypersonic weapon test that took place on July 27, 2021, which can be read about in detail here.

[…]

“On July 27, 2021, China conducted the first fractional orbital launch of an ICBM [intercontinental ballistic missile] with an HGV [hypersonic glide vehicle],” the CMPR revealed. “The HGV flew around the world and impacted inside China. This demonstrated the greatest distance flown (~40,000 km) and longest flight time (~100+ minutes) of any land-attack PRC [People’s Republic of China] weapons system to date. According to senior U.S. military officials, the HGV did not strike its target, but came close.”

[…]

As The War Zone discussed in this previous breakdown of the FOB concept, the depressed flight profile and capacity to strike really any target near its orbital path pose quite the challenge for an opponent’s tracking and missile defense networks. The FOB system could attack from vectors that its opponent’s radars are not looking toward, affecting its ability to anticipate where and when a strike may occur, let alone counter one.

An infographic depicting the flight path of a FOB system. Credit: Wikimedia Commons

China’s FOB-like system, though, instead carries a maneuverable hypersonic glide vehicle as opposed to a traditional nuclear-armed reentry vehicle, allowing it to change course dynamically and fly at lower altitudes, even porpoising as it goes, during its flight through the atmosphere. This allows it to hit targets much farther off its orbital flight path and makes interception nearly impossible. As noted earlier, reports that China’s hypersonic glide vehicle had also released its own projectile while on its very high-speed descent complicates things further, as The War Zone explained in detail in this past article.

The Financial Times, which was the first to report on the test, even emphasized how caught off-guard the Pentagon was by this development considering how technically complex it would be for anything moving at high hypersonic speeds to launch its own projectile.

[…]

The Pentagon throughout the CMPR cited the U.S. military’s own advancements in the hypersonic realm as the predominant driving factor behind China’s innovations while admitting that most of China’s missile systems are “comparable in quality to systems of other international top-tier producers.” An underlying fear that the proliferation of hypersonic technology could soon “blur the line between nuclear and conventional escalation” was also highlighted as a potential motivator behind these advancements. These influences are being reflected in other Chinese strategic developments, as well.

Regardless, it is important to note that U.S. missile defenses, as they exist now, aren’t anywhere near capable of deflecting a massive nuclear strike from a near-peer like China or Russia, which is something The War Zone has previously touched on. Defending against hypersonic weapons, especially ones that can attack from unpredictable vectors as this FOB-capable system would be able to, is an even more challenging proposition.

[…]

Source: More Details On China’s Exotic Orbital Hypersonic Weapon Come To Light

Eufy Cameras Have Been Uploading Unencrypted Face Footage to Cloud

Eufy, the company behind a series of affordable security cameras I’ve previously suggested over the expensive stuff, is currently in a bit of hot water for its security practices. The company, owned by Anker, purports its products to be one of the few security devices that allow for locally-stored media and don’t need a cloud account to work efficiently. But over the turkey-eating holiday, a noted security researcher across the pond discovered a security hole in Eufy’s mobile app that threatens that whole premise.

Paul Moore relayed the issue in a tweeted screengrab. Moore had purchased the Eufy Doorbell Dual Camera for its promise of a local storage option, only to discover that the doorbell’s cameras had been storing thumbnails of faces on the cloud, along with identifiable user information, despite Moore not even having a Eufy Cloud Storage account.

After Moore tweeted the findings, another user found that the data uploaded to Eufy wasn’t even encrypted. Any uploaded clips could be easily played back on any desktop media player, which Moore later demonstrated. What’s more: thumbnails and clips were linked to their partner cameras, offering additional identifiable information to any digital snoopers sniffing around.

Android Central was able to recreate the issue on its own with a EufyCam 3. It then reached out to Eufy, which explained to the site why this issue was cropping up. If you choose to have a motion notification pushed out with an attached thumbnail, Eufy temporarily uploads that file to its AWS servers to send it out.

[…]

Unfortunately, this isn’t the first time Eufy has had an issue regarding security on its cameras. Last year, the company faced similar reports of “unwarranted access” to random camera feeds, though the company quickly fixed the issue once it was discovered. Eufy is no stranger to patching things up.

Source: Eufy Cameras Have Been Uploading Unencrypted Footage to Cloud

Why first upload these images to AWS instead of directly mailing them?!

Nintendo Shuts Down Smash World Tour – world’s largest e-sports tournament – out of the blue

The organisers of the Smash World Tour have today announced that they are being shut down after Nintendo, “without any warning”, told them they could “no longer operate”.

The Tour, which is run by a third party (since Nintendo has been so traditionally bad at this), had grown over the years to become one of the biggest in the esports and fighting game scene. As the SWT team say:

In 2022 alone, we connected over 6,400 live events worldwide, with over 325,000 in-person entrants, making the Smash World Tour (SWT, or the Tour) the largest esports tour in history, for any game title. The Championships would also have had the largest prize pool in Smash history at over $250,000. The 2023 Smash World Tour planned to have a prize pool of over $350,000.

That’s all toast, though, because organisers now say “Without any warning, we received notice the night before Thanksgiving from Nintendo that we could no longer operate”. While Nintendo has yet to comment—we’ve reached out to the company (UPDATE: see comment at bottom of post)—Nintendo recently teamed up with Panda to run a series of competing, officially-licensed Smash events.

While this will be a disappointment to SWT’s organisers, fans and players, it has also placed the team in a huge financial hole, since so many bookings and plans for the events had already been made. As they say in the cancellation announcement:

We don’t know where everything will land quite yet with contracts, sponsor obligations, etc — in short, we will be losing hundreds of thousands of dollars due to Nintendo’s actions. That being said, we are taking steps to remedy many issues that have arisen from canceling the upcoming Smash World Tour Championships — Especially for the players. Please keep an eye out in the coming days for help with travel arrangements. Given the timeline that we were forced into, we had to publish this statement before we could iron out all of the details. All attendees will be issued full refunds.

The move blindsided the SWT team who had believed, after years of friction, they were starting to make some progress with Nintendo:

In November 2021, after the Panda Cup was first announced, Nintendo contacted us to jump on a call with a few folks on their team, including a representative from their legal team. We truly thought we might be getting shut down given the fact that they now had a licensed competing circuit and partner in Panda.

Once we joined the call, we were very surprised to hear just the opposite.

Nintendo reached out to us to let us know that they had been watching us build over the years, and wanted to see if we were interested in working with them and pursuing a license as well. They made it clear that Panda’s partnership was not exclusive, and they said it had “not gone unnoticed” that we had not infringed on their IP regarding game modifications and had represented Nintendo’s values well. They made it clear that game modifications were their primary concern in regards to “coming down on events”, which also made sense to us given their enforcement over the past few years in that regard.

That lengthy conversation changed our perspective on Nintendo at a macro level; it was incredibly refreshing to talk to multiple senior team members and clear the air on a lot of miscommunications and misgivings in the years prior. We explained why so many in the community were hesitant to reach out to Nintendo to work together, and we truly believed Nintendo was taking a hard look at their relationship with the community, and ways to get involved in a positive manner.

Guess not! In addition to Nintendo now stipulating that tournaments could only run with an official license—something SWT had not been successful applying for—the team also allege that Panda went around undermining them to the organisers of individual events (the World Tour would have been an umbrella linking these together), and that while Nintendo continued saying nice things to their faces, Panda had told these grassroots organisers that the Smash World Tour was definitely getting shut down, which made them reluctant to come onboard.

You can read the full announcement here, which goes into a lot more detail, and closes with an appeal “that Nintendo reconsiders how it is currently proceeding with their relationship with the Smash community, as well as its partners”.

UPDATE 12:16am ET, November 30: A Nintendo spokesperson tells Kotaku:

Unfortunately after continuous conversations with Smash World Tour, and after giving the same deep consideration we apply to any potential partner, we were unable to come to an agreement with SWT for a full circuit in 2023. Nintendo did not request any changes to or cancellation of remaining events in 2022, including the 2022 Championship event, considering the negative impact on the players who were already planning to participate.

UPDATE 2 1:51am ET, November 30: SWT’s organizers have disputed Nintendo’s statement, issuing a follow-up of their own which reads:

We did not expect to have to address this, but Nintendo’s response via Kotaku has been brought to our attention:

“Unfortunately after continuous conversations with Smash World Tour, and after giving the same deep consideration we apply to any potential partner, we were unable to come to an agreement with SWT for a full circuit in 2023. Nintendo did not request any changes to or cancellation of remaining events in 2022, including the 2022 Championship event, considering the negative impact on the players who were already planning to participate.”

We are unsure why they are taking this angle, especially in light of the greater statement and all that it contains.

To reiterate from the official statement:

“As a last ditch effort, we asked if we could continue running the Championships and the Tour next year without a license, and shift our focus to working with them in 2024. We alluded to how the last year functioned in that capacity, with a mutual understanding that we would not get shut down and focus on the future. We were told directly that those times were now over. This was the final nail in the coffin given our very particular relationship with Nintendo. This is when we realized it truly was all being shut down for real. We asked if they understood the waves that would be made if we were forced to cancel, and Nintendo communicated that they were indeed aware.”

To be clear, we asked Nintendo multiple times if they had considered the implications of canceling the Championships as well as next year’s Tour. They affirmed that they had considered all variables.

We received this statement in writing from Nintendo shortly after our call:

“It is Nintendo’s expectation that an approved license be secured in order to operate any commercial activity featuring Nintendo IP. It is also expected to secure such a license well in advance of any public announcement. After further review, we’ve found that the Smash World Tour has not met these expectations around health & safety guidelines and has not adhered to our internal partner guidelines. Nintendo will not be able to grant a license for the Smash World Tour Championship 2022 or any Smash World Tour activity in 2023.”

To be clear, we did not even submit an application for 2023 yet, the license application was for the 2022 Championships (submitted in April). Nintendo including all 2023 activity was an addition we were not even expecting. In our call that accompanied the statement, we asked multiple times if we would be able to continue to operate without a license as we had in years past with the same “unofficial” understanding with Nintendo. We were told point blank that those “times are over.” They followed up the call with their statement in writing, again confirming both the 2022 Championships and all 2023 activity were in the exact same boat.

Source: Nintendo Shuts Down Smash World Tour ‘Without Any Warning’

A Modchip To Root Starlink User Terminals Through Voltage Glitching

[…]

this modchip-based hack of a Starlink terminal brings us.

[Lennert Wouters]’ team has been poking and prodding at the Starlink User Terminal, trying to get root access, and needed to bypass the ARM Trusted Firmware boot-time integrity checks. The terminal’s PCB is satellite-dish-sized, so things like laser fault injection are hard to set up – hence, they went the voltage injection route. Much poking and prodding later, they developed a way to reliably glitch the CPU into verifying a faulty firmware, and got to a root shell – the journey described in a BlackHat talk embedded below.

To make the hack more compact, repeatable and cheap, they decided to move it from a mess of wires and boards into slim form-factor, and that’s where the modchip design was made. For that, they put the terminal PCB into a scanner, traced a board outline out, loaded it into KiCad, and put all the necessary voltage glitching and monitoring parts on a single board, driven by the venerable RP2040 – this board has everything you’d need if you wanted to get root on the Starlink User Terminal. Thanks to the modchip design’s flexibility, when Starlink released a firmware update disabling the UART output used for monitoring, they could easily re-route the signal to an eMMC data line instead. Currently, the KiCad source files aren’t available, but there’s Gerber and BOM files on GitHub in case we want to make our own!

Hacks like these, undoubtedly, set a new bar for what we can achieve while bypassing security protections. Hackers have been designing all kinds of modchips, for both proprietary and open tech – we’ve seen one that lets you use third-party filters in your “smart” air purifier, another that lets you use your own filament with certain 3D printers, but there’s also one that lets you add a ton of games to an ArduBoy. With the RP2040 in particular, just this year we’ve seen it used to build a Nintendo 64 flash cart, a PlayStation 1 memory card, and a mod that adds homebrew support to a GameCube. If you were looking to build hardware addons that improve upon tech you use, whether by removing protections or adding features, there’s no better time than nowadays!

Source: A Modchip To Root Starlink User Terminals Through Voltage Glitching | Hackaday

Rolls-Royce successfully tests hydrogen-powered jet engine

Britain’s Rolls-Royce (RR.L) said it has successfully run an aircraft engine on hydrogen, a world aviation first that marks a major step towards proving the gas could be key to decarbonising air travel.

The ground test, using a converted Rolls-Royce AE 2100-A regional aircraft engine, used green hydrogen created by wind and tidal power, the British company said on Monday.

[…]

Planemaker Airbus is working with French-U.S. engine maker CFM International to test hydrogen propulsion technology.

It said in February it planned to fit a specially adapted version of a current generation engine near the back of an A380 superjumbo test plane.

The aircraft manufacturer however told the European Union in 2021 that most airliners will rely on traditional jet engines until at least 2050.

A switch to hydrogen-powered engines would require a complete redesign of airframes and infrastructure at airports.

Eric Schulz, chief executive of SHZ Consulting, said in July that the changes in design are so massive it would take more than one generation of aircraft to get there.

Other technologies backed by companies such as Rolls-Royce include electric engines, which would be initially suitable for short flights, and sustainable aviation fuel (SAF).

Engines that are already in service can use a mixture of SAF and conventional fuels, but it is only currently produced in minuscule quantities.

It could eventually be produced by combining carbon captured from the air with green hydrogen, but the process is energy intensive and not yet available on a large scale.

Source: Rolls-Royce successfully tests hydrogen-powered jet engine | Reuters

Europe Won’t Allow Mercedes’ EV Performance Subscription Fee, For Now

Mercedes raised some worried eyebrows with its recent announcement to offer additional power for its EVs via subscription. For electric EQE and EQS models, Mercedes will bump their horsepower if customers pay an additional $1,200 per year. However, that’s going to remain a U.S. market service only for the time being, as Europe currently won’t allow Mercedes to offer it, according to this report from Top Gear NL.

A spokesperson for Mercedes Netherlands told Top Gear NL that legal matters currently prevent Mercedes from offering a subscription-based power upgrade. However, the spokesperson declined to comment further, so it’s currently unknown what sort of laws block such subscription-based services. Especially when there are other subscription services that are available in Europe, such as BMW’s heated seat subscription. Automakers can also update a car’s horsepower, via free over-the-air service updates, as both Polestar and Tesla do so in Europe. But that comes at no extra cost and is a one-time, permanent upgrade. So there seems to be some sort of legal issue with charging a yearly subscription for horsepower.

In the U.S. market, Mercedes’ $1,200 yearly subscription gets EQE and EQS owners nearly a 100 horsepower gain. However, because it’s only software that unlocks the power, it’s obvious that the powertrain is capable of that much power regardless of subscription. So customers might feel cheated that they’re paying for a car with a powertrain that’s intentionally hamstrung from the factory, with its full potential hidden behind a paywall.

Source: Europe Won’t Allow Mercedes’ EV Performance Subscription Fee, For Now: Report

Let’s hope that this gets regulated properly at EU level – it’s bizarre that you can’t use something you paid for because it’s disabled and can be re-enabled remotely.

Intel and AMD did something like this in 2010 in a process called binning where they artificially disabled features in the hardware:

As Engadget rather calmly points out, Intel has been testing the waters with a new “Upgrade Card” system, which essentially involves buying a $50 scratch card with a code that unlocks features in your PC’s processor.

The guys at Hardware.info broke this story last month, although nobody seemed to notice right away—perhaps because their site’s in Dutch. The article shows how the upgrade key unlocks “an extra megabyte L3 cache and Hyper Threading” on the Pentium G6951. In its locked state, that 2.8GHz processor has two physical cores, two threads, and 3MB of L3 cache, just like the retail-boxed Pentium G6950.

[…]

Detractors of the scheme might point out that Intel is making customers pay for features already present in the CPU they purchased. That’s quite true. However, as the Engadget post notes, both Intel and AMD have been selling CPUs with bits and pieces artificially disabled for years. That practice is known as binning—sometimes, chipmakers use it to unload parts with malfunctioning components; other times, it’s more about product segmentation and demand. There have often been unofficial workarounds, too. These days, for example, quite a few AMD motherboards let you unlock cores in Athlon II X3 and Phenom II X2 processors. Intel simply seems to be offering an official workaround for its CPUs… and cashing in on it.

source: Intel ‘upgrade card’ unlocks disabled CPU features

This VR video player lets you watch videos in 6dof + Touch things with your hands (haptic feedback) – VR has found its porn case

*Quest 1, 2, pro standalone only atm, PCVR coming soon*

Touchly lets you watch any VR180 video in 6dof and interact with the environment. Standard playback in most VR formats is also supported. And it’s out now for free in the App Lab! https://www.oculus.com/experiences/quest/5564815066942737/

Note: Videos need to be processed with our converter beforehand to be seen in volumetric mode.

Join us at discord: https://discord.gg/WrGQA4H4

[…]

It requires both left and right videos to generate the depth map. I’m not sure if that requires a ML model or can be done with regular video filtering algorithms.

The video is preprocessed with the depthmap added as a “third view” in a SBS video. So speed isn’t an issue.

Source: This VR video player lets you watch videos in 6dof + Touch things with your hands (haptic feedback) : virtualreality

Now that VR has porn and you can touch the models, it will finally explode

Physicists solve 50-year lightning mystery – why does it zigzag and what does it have to do with thunder

[…]

For the past 50 years, scientists around the world have debated why lightning zig-zags and how it is connected to the thunder cloud above.

There hasn’t been a definitive explanation until now, with a University of South Australia plasma physicist publishing a landmark paper that solves both mysteries.

[…]

The answer? Singlet-delta metastable oxygen molecules.

Basically, lightning happens when electrons hit oxygen molecules with enough energy to create high energy singlet delta oxygen molecules. After colliding with the molecules, the “detached” electrons form a highly conducting step—initially luminous—that redistributes the , causing successive steps.

The conducting column connecting the step to the cloud remains dark when electrons attach to neutral , followed by immediate detachment of the electrons by singlet delta molecules.

[…]

The paper, “Toward a theory of stepped leaders in ” is published in the Journal of Physics D: Applied Physics. It is authored by Dr. John Lowke and Dr. Endre Szili from the Future Industries Institute at the University of South Australia.

More information: John J Lowke et al, Toward a theory of “stepped-leaders” of lightning, Journal of Physics D: Applied Physics (2022). DOI: 10.1088/1361-6463/aca103

Source: Physicists strike gold, solving 50-year lightning mystery

Bright light from black holes caused by particle shock waves

Beams of electrons smash into slower-moving particles causing a shock wave which results in electromagnetic radiation across frequency bands from X-rays to visible light, according to a research paper published in Nature this week.

Astronomers first observed quasi-stellar radio sources or quasars in the early 1960s. This new class of astronomical objects was a puzzle. They looked like stars, but they also radiated very brightly at radio frequencies, and their optical spectra contained strange emission lines not associated with “normal” stars. In fact, these strange objects are gigantic black holes at the center of distant galaxies.

Particle acceleration in the jet emitted by a supermassive black hole. Illustration credit: Liodakis et al/Nature

Advances in radio-astronomy and X-ray-observing satellites have helped scientists understand that the anomalous radiation is caused by a stream of charged particles accelerated close to the speed of light. If it points at Earth, the generating quasar can be called a blazar. Electromagnetic radiation from them can be observed from radio waves through the visible spectrum to very high-frequency gamma rays.

[…]

By comparing polarized X-ray data with polarized visible-light data, the scientists reached the conclusion that the electromagnetic radiation resulted from a shock wave in the stream of charged particles emitted from the black hole (see figure).

In an accompanying article, Lea Marcotulli, NASA Einstein Postdoctoral Fellow at Yale University, said: “Such shock waves occur naturally when particles travelling close to the speed of light encounter slower-moving material along their path. Particles traveling through this shock wave lose radiation rapidly and efficiently – and, in doing so, they produce polarized X-rays. As the particles move away from the shock, the light they emit radiates with progressively lower frequencies, and becomes less polarized.”

[…]

In December last year, a SpaceX Falcon 9 rocket launched NASA’s IXPE mission into orbit from Florida’s Kennedy Space Center. It is designed to observe the remnants of supernovae, supermassive black holes, and other high-energy objects.

[…]

Source: Bright light from black holes caused by particle shock waves • The Register

Omega Recreated the James Bond Opening on $7,600 Seamaster watch

[…] The standard version of the Omega Seamaster Diver 300M 60 Years Of James Bond watch features a design that aBlogtoWatch describes as, “a blend between the original Omega Seamaster Diver 300M that appeared in GoldenEye and the latest edition from No Time To Die.” In other words, it’s not an exact recreation of the piece that Brosnan wore in GoldenEye, but incorporates elements from several watches featured in various Bond films. On the front, the only hint that this watch is in any way Bond themed is the number 60 appearing at the top of the dial, where there is normally a triangle.

A close-up of the sapphire crystal window on the Omega Seamaster Diver 300M 60 Years Of James Bond watch's caseback.
Image: Omega

It’s only when you flip the watch over that its Bond theming is far more apparent. The caseback features a sapphire glass window revealing an animation recreating the iconic opening of Bond films where the silhouetted character walks on screen as seen through the barrel of a gun. But there’s no LCD or OLED screens here. The Seamaster Diver 300M is a purely mechanical timepiece, so to create the animation, Omega leveraged the moiré effect where interference patterns from spiral patterns on spinning discs reveal the sequence of a simple four-frame animation of Bond walking in. And because the animation mechanism is tied to the watch’s moving second-hand, it perpetually plays in a loop as long as the watch has power and is keeping time.

OMEGA Seamaster Diver 300M 60 Years Of James Bond – Stainless Steel

It’s a fun design element not only because of how subtly it’s executed, but also how it leverages what makes traditional timepieces appealing to many collectors: the complicated mechanics inside that make them work. Unfortunately, with a $7,600 price tag, the Seamaster Diver 300M 60 Years Of James Bond is not really affordable for most Bond fans.

Source: Omega Recreated the James Bond Opening on This $7,600 Watch

Ticketmaster’s Taylor Swift fiasco sparks Senate antitrust hearing

NEW YORK, NEW YORK - JULY 10: Taylor Swift performs onstage as Taylor Swift, Dua Lipa, SZA and Becky G perform at The Prime Day concert, presented by Amazon Music, on July 10, 2019 at Hammerstein Ballroom in New York City. (Photo by Kevin Mazur/Getty Images for Amazon)
Kevin Mazur via Getty Images

Ticketmaster’s chaotic handling of Taylor Swift’s tour ticket sales has brought the company under increased scrutiny, including from lawmakers. Sens. Amy Klobuchar (D-MN) and Mike Lee (R-UT), the chair and ranking member of the Senate Judiciary Subcommittee on Competition Policy, Antitrust and Consumer Rights, have announced a hearing to gather evidence on competition in the ticketing industry. They have yet to confirm when the hearing will take place or the witnesses that the committee will call upon.

Swift’s fans overwhelmed Ticketmaster’s systems in the gold rush for tickets to her first tour in five years. Ticketmaster says presale codes went out to 1.5 million people, but 14 million (including “a staggering number” of bots) tried to buy tickets. The company said it was slammed with 3.5 billion total system requests, four times its previous peak. When fans were able to make it to the seat selection screen, many effectively had tickets snatched out of their hands as they tried to put them in their carts.

There was supposed to be a general sale for the remaining tickets last Friday, but Ticketmaster canceled that, citing “extraordinarily high demands on ticketing systems and insufficient remaining ticket inventory to meet that demand.” Even though the level of interest in Swift’s stadium shows was evidently through the roof, Ticketmaster’s management of the process has raised a lot of questions. Swift said Ticketmaster assured her and her team that it could handle the demand. However, she said the mayhem “pissed me off.”

[…]

“Last week, the competition problem in ticketing markets was made painfully obvious when Ticketmaster’s website failed hundreds of thousands of fans hoping to purchase concert tickets. The high fees, site disruptions and cancellations that customers experienced shows how Ticketmaster’s dominant market position means the company does not face any pressure to continually innovate and improve,” Klobuchar said in a statement. “That’s why we will hold a hearing on how consolidation in the live entertainment and ticketing industry harms customers and artists alike. When there is no competition to incentivize better services and fair prices, we all suffer the consequences.”

Source: Ticketmaster’s Taylor Swift fiasco sparks Senate antitrust hearing | Engadget

The problems with monopolies / duopolies are wide and varied and not only limited to big tech or aircraft builders

Meta researchers create AI that masters Diplomacy, tricking human players | Ars Technica

On Tuesday, Meta AI announced the development of Cicero, which it claims is the first AI to achieve human-level performance in the strategic board game Diplomacy. It’s a notable achievement because the game requires deep interpersonal negotiation skills, which implies that Cicero has obtained a certain mastery of language necessary to win the game.

[…]

Cicero learned its skills by playing an online version of Diplomacy on webDiplomacy.net. Over time, it became a master at the game, reportedly achieving “more than double the average score” of human players and ranking in the top 10 percent of people who played more than one game.

To create Cicero, Meta pulled together AI models for strategic reasoning (similar to AlphaGo) and natural language processing (similar to GPT-3) and rolled them into one agent. During each game, Cicero looks at the state of the game board and the conversation history and predicts how other players will act. It crafts a plan that it executes through a language model that can generate human-like dialogue, allowing it to coordinate with other players.

A block diagram of Cicero, the Diplomacy-playing bot, provided by Meta. (Image: Meta AI)

Meta calls Cicero’s natural language skills a “controllable dialogue model,” which is where the heart of Cicero’s personality lies. Like GPT-3, Cicero pulls from a large corpus of Internet text scraped from the web. “To build a controllable dialogue model, we started with a 2.7 billion parameter BART-like language model pre-trained on text from the Internet and fine tuned on over 40,000 human games on webDiplomacy.net,” writes Meta.

The resulting model mastered the intricacies of a complex game. “Cicero can deduce, for example, that later in the game it will need the support of one particular player,” says Meta, “and then craft a strategy to win that person’s favor—and even recognize the risks and opportunities that that player sees from their particular point of view.”

Meta’s Cicero research appeared in the journal Science under the title, “Human-level play in the game of Diplomacy by combining language models with strategic reasoning.”

[…]

Meta provided a detailed site to explain how Cicero works and has also open-sourced Cicero’s code on GitHub. Online Diplomacy fans—and maybe even the rest of us—may need to watch out.

Source: Meta researchers create AI that masters Diplomacy, tricking human players | Ars Technica

Mercedes locks faster acceleration behind a yearly $1,200 subscription – the car can already go faster, they slowed you down

Mercedes is the latest manufacturer to lock auto features behind a subscription fee, with an upcoming “Acceleration Increase” add-on that lets drivers pay to access motor performance their vehicle is already capable of.

The $1,200 yearly subscription improves performance by boosting output from the motors by 20–24 percent, increasing torque, and shaving around 0.8 to 0.9 seconds off 0–60 mph acceleration when in Dynamic drive mode (via The Drive). The subscription doesn’t come with any physical hardware upgrades — instead, it simply unlocks the full capabilities of the vehicle, indicating that Mercedes intentionally limited performance to later sell as an optional extra. Acceleration Increase is only available for the Mercedes-EQ EQE and Mercedes-EQ EQS electric car models.

[…]

This comes just months after BMW sparked outrage by similarly charging an $18 monthly subscription in some countries for owners to use the heated seats already installed within its vehicles, just one of many features paywalled by the car manufacturer since 2020. BMW had previously also tried (and failed) to charge its customers $80 a month to access Apple CarPlay and Android Auto — features that other vehicle makers have included for free.

Source: Mercedes locks faster acceleration behind a yearly $1,200 subscription – The Verge

So they are basically saying you don’t really own the product you spent around $100 000,- to buy.

Unstable Diffusion Discord Server – AI generated NSFW

Unstable Diffusion is a server dedicated to the creation and sharing of AI generated NSFW.


We will seek to provide resources and mutual assistance to anyone attempting to make erotica, we will share prompts and artwork and tools specifically designed to get the most out of your generations, whether you’re using tools from the present or ones which may not have been invented as of this writing.

Source: Join Unstable Diffusion Discord Server | The #1 Discord Server List

Yes, these people are doing pretty strange things. It’s fun.

Token tactics: How to prevent, detect, and respond to cloud token theft

[…] Recently, the Microsoft Detection and Response Team (DART) has seen an increase in attackers utilizing token theft for this purpose. By compromising and replaying a token issued to an identity that has already completed multifactor authentication, the threat actor satisfies the validation of MFA and access is granted to organizational resources accordingly. This is a concerning tactic for defenders because the expertise needed to compromise a token is very low, it is hard to detect, and few organizations have token theft mitigations in their incident response plan.

[…]

Tokens are at the center of OAuth 2.0 identity platforms, such as Azure Active Directory (Azure AD). To access a resource (for example, a web application protected by Azure AD), a user must present a valid token. To obtain that token, the user must sign into Azure AD using their credentials. At that point, depending on policy, they may be required to complete MFA. The user then presents that token to the web application, which validates the token and allows the user access.

Figure 1. OAuth Token flow chart

When Azure AD issues a token, it contains information (claims) such as the username, source IP address, MFA, and more. It also includes any privilege a user has in Azure AD. If you sign in as a Global Administrator to your Azure AD tenant, then the token will reflect that. Two of the most common token theft techniques DART has observed have been through adversary-in-the-middle (AitM) frameworks or the utilization of commodity malware (which enables a ‘pass-the-cookie’ scenario).

[…]

When the user is phished, the malicious infrastructure captures both the credentials of the user, and the token.

Figure 3. Adversary-in-the-middle (AitM) attack flowchart

If a regular user is phished and their token stolen, the attacker may attempt business email compromise (BEC) for financial gain.

[…]

A “pass-the-cookie” attack is a type of attack where an attacker can bypass authentication controls by compromising browser cookies.

[…]

Commodity credential theft malware like Emotet, Redline, IcedID, and more all have built-in functionality to extract and exfiltrate browser cookies. Additionally, the attacker does not have to know the compromised account password or even the email address for this to work; those details are held within the cookie.

[…]

Recommendations

Protect

Organizations can take a significant step toward reducing the risk of token theft by ensuring that they have full visibility of where and how their users are authenticating. To access critical applications like Exchange Online or SharePoint, the device used should be known by the organization. Utilizing compliance tools like Intune in combination with device based conditional access policies can help to keep devices up to date with patches, antivirus definitions, and EDR solutions. Allowing only known devices that adhere to Microsoft’s recommended security baselines helps mitigate the risk of commodity credential theft malware being able to compromise end user devices.

For those devices that remain unmanaged, consider utilizing session conditional access policies and other compensating controls to reduce the impact of token theft:

Protect your users by blocking initial access:

  • Plan and implement phishing resistant MFA solutions such as FIDO2 security keys, Windows Hello for Business, or certificate-based authentication for users.
    • While this may not be practical for all users, it should be considered for users of significant privilege like Global Admins or users of high-risk applications.
  • Users that hold a high level of privilege in the tenant should have a segregated cloud-only identity for all administrative activities, to reduce the attack surface from on-premises to cloud in the event of on-premises domain compromise and abuse of privilege. These identities should also not have a mailbox attached to them to prevent the likelihood of privileged account compromise via phishing techniques.

[…]

In instances of token theft, adversaries insert themselves in the middle of the trust chain and often subsequently circumvent security controls. Having visibility, alerting, insights, and a full understanding of where security controls are enforced is key. Treating both identity providers that generate access tokens and their associated privileged identities as critical assets is strongly encouraged.
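The two observations above, that the token carries claims about where and how it was issued, and that a stolen token is replayed from a host the organisation does not know, translate directly into detection logic. The script below is an added example for this post, not code from Microsoft’s blog or the DART team: it reads the claims out of the access token presented on each request and runs three replay checks over a constructed telemetry sample. It assumes Azure AD v1-style `ipaddr`, `amr` and `sid` claims in the token, an event feed with the fields shown, and a managed-device inventory (the `MANAGED_DEVICES` set stands in for Intune compliance data); the users, addresses, session identifiers and timestamps are made up. The JWT is decoded without signature verification, which is acceptable for enriching telemetry but never for an authorization decision.

```python
"""Indicators of cloud token replay in sign-in / resource-access telemetry.

Added example for this post, not Microsoft/DART code. Assumes Azure AD v1-style
'ipaddr', 'amr' and 'sid' claims and an event feed with the fields used below.
All sample data is constructed.
"""
import base64
import json
from collections import defaultdict
from datetime import datetime

# Assumption: device identifiers the organisation knows (e.g. from Intune compliance).
MANAGED_DEVICES = {"WKS-ALICE", "WKS-BOB"}


def b64url_decode(segment):
    """Base64url-decode a JWT segment, restoring the padding the compact form drops."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt):
    """Read the payload claims of a compact JWT WITHOUT verifying the signature.
    Suitable for telemetry enrichment only; never use it to authorise anything."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def make_unsigned_jwt(claims):
    """Build a constructed, unsigned token for the sample data (real tokens are signed by the IdP)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def find_replay_indicators(events, managed_devices=MANAGED_DEVICES):
    """Return (session_id, rule, detail) findings, processing events in time order."""
    findings = []
    ips_by_session = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["ts"]):
        claims = token_claims(ev["token"])
        sid = claims.get("sid", "?")
        ips_by_session[sid].add(ev["client_ip"])
        # Rule A: the token names the address it was issued to; a different presenting
        # address means the token has left the host it was minted on.
        if claims.get("ipaddr") and claims["ipaddr"] != ev["client_ip"]:
            findings.append((sid, "ipaddr_mismatch",
                             f"issued to {claims['ipaddr']}, presented from {ev['client_ip']}"))
        # Rule B: one session surfacing from more than one client address.
        if len(ips_by_session[sid]) > 1:
            findings.append((sid, "session_fanout", ", ".join(sorted(ips_by_session[sid]))))
        # Rule C: MFA is satisfied only by the claim, from a device the org does not know.
        if "mfa" in claims.get("amr", []) and ev.get("device_id") not in managed_devices:
            findings.append((sid, "mfa_claim_unmanaged_device", f"device={ev.get('device_id')}"))
    return findings


def sample_events():
    """Constructed telemetry: alice's session S1 is replayed 25 minutes later from a
    second address on an unmanaged device (pass-the-cookie); bob's S2 is clean."""
    t_alice = make_unsigned_jwt({"upn": "alice@example.com", "sid": "S1",
                                 "ipaddr": "203.0.113.10", "amr": ["pwd", "mfa"]})
    t_bob = make_unsigned_jwt({"upn": "bob@example.com", "sid": "S2",
                               "ipaddr": "203.0.113.22", "amr": ["pwd", "mfa"]})
    return [
        {"ts": datetime(2022, 11, 16, 10, 0), "client_ip": "203.0.113.10",
         "device_id": "WKS-ALICE", "token": t_alice},
        {"ts": datetime(2022, 11, 16, 10, 5), "client_ip": "203.0.113.22",
         "device_id": "WKS-BOB", "token": t_bob},
        {"ts": datetime(2022, 11, 16, 10, 25), "client_ip": "198.51.100.77",
         "device_id": None, "token": t_alice},  # same token, new host: replay
    ]


if __name__ == "__main__":
    for sid, rule, detail in find_replay_indicators(sample_events()):
        print(sid, rule, detail)
```

Rule A only fires when the token actually carries the issuing address, which not every token type does, so the session fan-out rule is the one to keep when enriching sign-in logs; Rule C is the telemetry side of the “known devices only” recommendation above. All three are alert candidates to correlate with the identity provider’s own sign-in logs, not blocking controls, and none of them replaces revoking the session once replay is confirmed.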

[…]

Source: Token tactics: How to prevent, detect, and respond to cloud token theft – Microsoft Security Blog