About Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft

Revolutionary technique to generate hydrogen more efficiently from water

A team of researchers from the National University of Singapore (NUS) have made a serendipitous scientific discovery that could potentially revolutionize the way water is broken down to release hydrogen gas—an element crucial to many industrial processes.

The team, led by Associate Professor Xue Jun Min, Dr. Wang Xiaopeng and Dr. Vincent Lee Wee Siang from the Department of Materials Science and Engineering under the NUS College of Design and Engineering (NUS CDE), found that light can trigger a new mechanism in a catalytic material used extensively in water electrolysis, where water is broken down into hydrogen and oxygen. The result is a more energy-efficient method of obtaining hydrogen.

[…]

“We discovered that the redox center for electro-catalytic reaction is switched between metal and oxygen, triggered by light,” said Assoc. Prof. Xue. “This largely improves the water electrolysis efficiency.”

[…]

An accidental power trip of the ceiling lights in his laboratory almost three years ago allowed them to observe something that the global scientific community had not yet managed to do.

Back then, the ceiling lights in Assoc. Prof. Xue’s research lab were usually turned on for 24 hours. One night in 2019, the lights went off due to a power trip. When the researchers returned the next day, they found that the performance of a nickel oxyhydroxide-based material in the water electrolysis experiment, which had continued in the dark, had fallen drastically.

“This drop in performance, nobody has ever noticed it before, because no one has ever done the experiment in the dark,” said Assoc. Prof. Xue. “Also, the literature says that such a material shouldn’t be sensitive to light; light should not have any effect on its properties.”

[…]

With their findings, the team is now working on designing a new way to improve water electrolysis to generate hydrogen. Assoc. Prof. Xue is suggesting making the cells containing the water transparent, so as to introduce light into the water splitting process.

“This should require less energy in the electrolysis process, and it should be much easier using ,” said Assoc. Prof. Xue. “More hydrogen can be produced in a shorter amount of time, with less energy consumed.”

[…]

More information: Xiaopeng Wang et al, Pivotal role of reversible NiO6 geometric conversion in oxygen evolution, Nature (2022). DOI: 10.1038/s41586-022-05296-7

Source: Revolutionary technique to generate hydrogen more efficiently from water

Thomson Reuters leaked at least 3TB of sensitive data – yes, open elasticsearch instances

The Cybernews research team found that Thomson Reuters left at least three of its databases accessible for anyone to look at. One of the open instances, the 3TB public-facing ElasticSearch database, contains a trove of sensitive, up-to-date information from across the company’s platforms. The company recognized the issue and fixed it immediately.

Thomson Reuters provides customers with products such as the business-to-business media tool Reuters Connect, legal research service and database Westlaw, the tax automation system ONESOURCE, online research suite of editorial and source materials Checkpoint, and other tools.

The size of the open database the team discovered is consistent with the company using ElasticSearch, a data store favored by enterprises dealing with extensive, constantly updated volumes of data.

  • Media giant with $6.35 billion in revenue left at least three of its databases open
  • At least 3TB of sensitive data exposed including Thomson Reuters plaintext passwords to third-party servers
  • The data company collects is a treasure trove for threat actors, likely worth millions of dollars on underground criminal forums
  • The company has immediately fixed the issue, and started notifying their customers
  • Thomson Reuters downplayed the issue, saying it affects only a “small subset of Thomson Reuters Global Trade customers”
  • The dataset was open for several days – malicious bots are capable of discovering instances within mere hours
  • Threat actors could use the leak for attacks, from social engineering attacks to ransomware

The naming of ElasticSearch indices inside the Thomson Reuters server suggests that the open instance was used as a logging server to collect vast amounts of data gathered through user-client interaction. In other words, the company collected and exposed thousands of gigabytes of data that Cybernews researchers believe would be worth millions of dollars on underground criminal forums because of the potential access it could give to other systems.

Meanwhile, Thomson Reuters claims that out of three misconfigured servers the team informed the company about, two were designed to be publicly accessible. The third server was a non-production server meant for “application logs from the pre-production/implementation environment.”

[…]

For example, the open dataset held access credentials to third-party servers. The details were held in plaintext format, visible to anyone crawling through the open instance.

[…]

The team also found the open instance to contain login and password reset logs. While these don’t expose either old or new passwords, the logs show the account holder’s email address, and the exact time the password change query was sent can be seen.

Another piece of sensitive information includes SQL (structured query language) logs that show what information Thomson Reuters clients were looking for. The records also include what information the query brought back.

That includes documents with corporate and legal information about specific businesses or individuals. For instance, an employee of a company based in the US was looking for information about an organization in Russia using Thomson Reuters services, only to find out that its board members were under US sanctions over their role in the invasion of Ukraine.

The team has also discovered that the open database included an internal screening of other platforms such as YouTube, Thomson Reuters clients’ access logs, and connection strings to other databases. The exposure of connection strings is particularly dangerous because the company’s internal network elements are exposed, enabling threat actors’ lateral movement and pivoting through Thomson Reuters’ internal systems.
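The plaintext third-party credentials and database connection strings described above are exactly the values that should be scrubbed before application logs reach a shared logging cluster. As an added illustration (not code from Cybernews or Thomson Reuters), the following Python filter masks passwords embedded in connection URLs, key=value secrets in DSNs and logs, and Authorization headers before lines are indexed, and reports which rule fired so the pipeline can alert on leaks; the log lines are constructed samples, not real data.

```python
"""Redact credentials from free-form log lines before shipping them to a log store.

Added example, not code from Thomson Reuters or Cybernews. Assumes plain-text
log lines; the rules cover the credential shapes the article describes
(connection strings with embedded passwords, key=value passwords, auth headers).
"""
import re
from typing import List, Tuple

MASK = "***REDACTED***"

# Each rule: (name, regex, replacement). Group 1 keeps the context, the secret is dropped.
RULES = [
    # scheme://user:PASSWORD@host -> keep scheme and user, drop the password
    ("url_userinfo",
     re.compile(r"(\b[a-z][a-z0-9+.-]*://[^:/@\s]+:)[^@\s]+(@)", re.I),
     r"\1" + MASK + r"\2"),
    # password=..., Password=... (DSN), "password": "..." (JSON), api_key=..., token=...
    ("kv_secret",
     re.compile(r"(\b(?:password|passwd|pwd|secret|api[_-]?key|access[_-]?key|token)"
                r"[\"']?\s*[=:]\s*[\"']?)[^\s;,&\"']+", re.I),
     r"\1" + MASK),
    # Authorization: Bearer <token> / Authorization: Basic <base64>
    ("auth_header",
     re.compile(r"(\bauthorization:\s*(?:bearer|basic)\s+)\S+", re.I),
     r"\1" + MASK),
]

# Constructed sample lines, modelled on the record types the article says the
# exposed logging cluster held (third-party credentials, SQL logs, connection
# strings, password-reset events). None of these hosts, users or secrets are real.
SAMPLE_LOG_LINES = [
    "2022-10-20T08:01:12Z INFO connecting db=postgres://svc_user:Sup3rSecret!@db01.internal:5432/clients",
    "2022-10-20T08:01:13Z DEBUG sftp upload host=partner.example.net user=ftpuser password=hunter2",
    "2022-10-20T08:01:14Z INFO outbound call Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig",
    "2022-10-20T08:01:15Z INFO password reset requested for user=alice@example.com",
    "2022-10-20T08:01:16Z INFO query=SELECT name FROM sanctions WHERE entity_id=42 rows=3",
    '2022-10-20T08:01:17Z INFO conn="Server=db02;User Id=app;Password=pa55w0rd;Database=trade"',
]


def redact_line(line: str) -> Tuple[str, List[str]]:
    """Return the line with secrets masked plus the names of the rules that fired."""
    findings: List[str] = []
    for name, pattern, repl in RULES:
        line, count = pattern.subn(repl, line)
        if count:
            findings.append(name)
    return line, findings


def redact_stream(lines: List[str]) -> Tuple[List[str], int]:
    """Redact every line; the hit count is an audit metric worth alerting on,
    because any hit means a producer is logging credentials in the clear."""
    cleaned: List[str] = []
    hits = 0
    for line in lines:
        clean, findings = redact_line(line)
        if findings:
            hits += 1
        cleaned.append(clean)
    return cleaned, hits


if __name__ == "__main__":
    out, n = redact_stream(SAMPLE_LOG_LINES)
    print("\n".join(out))
    print(f"{n} of {len(SAMPLE_LOG_LINES)} lines carried credentials")
```

Run the filter as close to the log producer as possible; masking at the collector still leaves the secrets in transit and in local files.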

[…]

The team contacted Thomson Reuters upon discovering the leaking database, and the company took down the open instance immediately.

“Upon notification we immediately investigated the findings provided by Cybernews regarding the three potentially misconfigured servers,” a Thomson Reuters representative told Cybernews.

[…]

Source: Thomson Reuters leaked at least 3TB of sensitive data | Cybernews

Scientists discover material that can be made like a plastic but conducts like a metal

Scientists with the University of Chicago have discovered a way to create a material that can be made like a plastic, but conducts electricity more like a metal.

The research, published Oct. 26 in Nature, shows how to make a kind of material in which the molecular fragments are jumbled and disordered, but can still conduct electricity extremely well.

[…]

Fundamentally, both of these organic and traditional metallic conductors share a common characteristic. They are made up of straight, closely packed rows of atoms or molecules. This means that electrons can easily flow through the material, much like cars on a highway. In fact, scientists thought a material had to have these straight, orderly rows in order to conduct electricity efficiently.

Then Xie began experimenting with some materials discovered years ago, but largely ignored. He strung nickel atoms like pearls into a string of molecular beads made of carbon and sulfur, and began testing.

To the scientists’ astonishment, the material easily and strongly conducted electricity. What’s more, it was very stable. “We heated it, chilled it, exposed it to air and humidity, and even dripped acid and base on it, and nothing happened,” said Xie. That is enormously helpful for a device that has to function in the real world.

But to the scientists, the most striking thing was that the molecular structure of the material was disordered. “From a fundamental picture, that should not be able to be a metal,” said Anderson. “There isn’t a solid theory to explain this.”

Xie, Anderson, and their lab worked with other scientists around the university to try to understand how the material can conduct electricity. After tests, simulations, and theoretical work, they think that the material forms layers, like sheets in a lasagna. Even if the sheets rotate sideways, no longer forming a neat lasagna stack, electrons can still move horizontally or vertically—as long as the pieces touch.

The end result is unprecedented for a conductive material. “It’s almost like conductive Play-Doh—you can smush it into place and it conducts electricity,” Anderson said.

The scientists are excited because the discovery suggests a fundamentally new design principle for electronics technology. Conductors are so important that virtually any new development opens up new lines for technology, they explained.

One of the material’s attractive characteristics is new options for processing. For example, metals usually have to be melted in order to be made into the right shape for a chip or device, which limits what you can make with them, since other components of the device have to be able to withstand the heat needed to process these materials.

The new material has no such restriction because it can be made at room temperatures. It can also be used where the need for a device or pieces of the device to withstand heat, acid or alkalinity, or humidity has previously limited engineers’ options to develop new technology.

[…]

More information: John Anderson, Intrinsic glassy-metallic transport in an amorphous coordination polymer, Nature (2022). DOI: 10.1038/s41586-022-05261-4. www.nature.com/articles/s41586-022-05261-4

Source: Scientists discover material that can be made like a plastic but conducts like a metal

Australia’s Medibank says data of 4 mln customers accessed by hacker

Medibank Private Ltd (MPL.AX), Australia’s biggest health insurer, said on Wednesday a cyber hack had compromised data of all of its nearly 4 million customers, as it warned of a A$25 million to A$35 million ($16 million to $22.3 million) hit to first-half earnings.

It said on Wednesday that all personal data and significant amounts of health claims data of all its customers were compromised in the breach reported this month, a day after it warned the number of customers affected would grow.

Shares in the company fell more than 14%, its biggest one-day slide since listing in 2014.

Medibank, which covers one-sixth of Australians, said the estimated cost did not include further potential remediation or regulatory expenses.

“Our investigation has now established that this criminal has accessed all our private health insurance customers’ personal data and significant amounts of their health claims data,” chief executive David Koczkar said in a statement. “I apologise unreservedly to our customers. This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community.”

The company reiterated that its IT systems had not been encrypted by ransomware to date and that it would continue to monitor for any further suspicious activity.

“Everywhere we have identified a breach, it is now closed,” John Goodall, Medibank’s top technology executive, told an analyst call on Wednesday.

[…]

Source: Australia’s Medibank says data of 4 mln customers accessed by hacker | Reuters

Swarming bees generate so much electricity they may potentially change the weather

[…]

The finding, which researchers made by measuring the electrical fields around honeybee (Apis mellifera) hives, reveals that bees can produce as much atmospheric electricity as a thunderstorm. This can play an important role in steering dust to shape unpredictable weather patterns; and their impact may even need to be included in future climate models.

Insects’ tiny bodies can pick up positive charge while they forage — either from the friction of air molecules against their rapidly beating wings (honeybees can flap their wings more than 230 times a second) or from landing onto electrically charged surfaces. But the effects of these tiny charges were previously assumed to be on a small scale. Now, a new study, published Oct. 24 in the journal iScience, shows that insects can generate a shocking amount of electricity.

[…]

To test whether honeybees produce sizable changes in the electric field of our atmosphere, the researchers placed an electric field monitor and a camera near the site of several honeybee colonies. In the 3 minutes that the insects flooded into the air, the researchers found that the potential gradient above the hives increased to 100 volts per meter. In other swarming events, the scientists measured the effect as high as 1,000 volts per meter, making the charge density of a large honeybee swarm roughly six times greater than electrified dust storms and eight times greater than a stormcloud.

The scientists also found that denser insect clouds meant bigger electrical fields — an observation that enabled them to model other swarming insects such as locusts and butterflies.

Locusts often swarm to “biblical scales,” the scientists said, creating thick clouds 460 square miles (1,191 square kilometers) in size and packing up to 80 million locusts into less than half a square mile (1.3 square km). The researchers’ model predicted that swarming locusts’ effect on the atmospheric electric field was staggering, generating densities of electric charge similar to those made by thunderstorms.

The researchers say it’s unlikely the insects are producing storms themselves, but even when potential gradients don’t meet the conditions to make lightning, they can still have other effects on the weather. Electric fields in the atmosphere can ionize particles of dust and pollutants, changing their movement in unpredictable ways. As dust can scatter sunlight, knowing how it moves and where it settles is important to understanding a region’s climate.

[…]

Source: Swarming bees may potentially change the weather, new study suggests | Live Science

A California project would store solar energy to use when the sun goes down in water batteries

The San Diego County Water Authority has an unusual plan to use the city’s scenic San Vicente Reservoir to store solar power so it’s available after sunset. The project, and others like it, could help unlock America’s clean energy future.

Perhaps a decade from now, if all goes smoothly, large underground pipes will connect this lake to a new reservoir, a much smaller one, built in a nearby canyon about 1100 feet higher in elevation. When the sun is high in the sky, California’s abundant solar power will pump water into that upper reservoir.

It’s a way to store the electricity. When the sun goes down and solar power disappears, operators would open a valve and the force of 8 million tons of water, falling back downhill through those same pipes, would drive turbines capable of generating 500 megawatts of electricity for up to eight hours. That’s enough to power 130,000 typical homes.

Neena Kuzmich, deputy director of engineering for the San Diego County Water Authority, has been working on plans for pumped energy storage at the San Vicente reservoir.
Dan Charles for NPR

“It’s a water battery!” says Neena Kuzmich, Deputy Director of Engineering for the water authority. She says energy storage facilities like these will be increasingly vital as California starts to rely more on energy from wind and solar, which produce electricity on their own schedules, unbothered by the demands of consumers.

[…]

Source: A California project would store solar energy to use when the sun goes down : NPR

Crooks use POS malware to steal 167,000 credit card numbers from shops with open VNC + RDP ports

Cybercriminals have used two strains of point-of-sale (POS) malware to steal the details of more than 167,000 credit cards from payment terminals.

The backend command-and-control (C2) server that operates the MajikPOS and Treasure Hunter malware remains active, according to Group-IB’s Nikolay Shelekhov and Said Khamchiev, and “the number of victims keeps growing,” they said this week.

[…]

The MajikPOS and Treasure Hunter malware infect Windows POS terminals and scan the devices to exploit the moments when card data is read and stored in plain text in memory. Treasure Hunter in particular performs this so-called RAM scraping: it pores over the memory of processes running on the register for magnetic-stripe data freshly swiped from a shopper’s bank card during payment. MajikPOS also scans infected PCs for card data. This info is then beamed back to the malware operators’ C2 server.

MajikPOS and Treasure Hunter

Of the two POS malware strains used in this campaign, MajikPOS is the newest, first seen targeting POS devices in 2017. The malware operators likely started with Treasure Hunter, and then paired it with the newer MajikPOS due to the latter’s more advanced features.

This includes “a more visually appealing control panel, an encrypted communication channel with C2, [and] more structured logs,” compared to Treasure Hunter, according to Group-IB. “MajikPOS database tables contain information about the infected device’s geolocation, operation system name, and hardware identification number.”

[…]

Treasure Hunter first appeared in 2014 before the source code was leaked on a Russian-speaking forum. Its primary use is RAM scraping, and it is likely installed the same way as MajikPOS.

Today both MajikPOS and Treasure Hunter can be bought and sold on nefarious marketplaces.

In a months-long investigation, Group-IB analyzed about 77,400 card dumps from the MajikPOS panel and another 90,000 from the Treasure Hunter panel, the researchers wrote. Almost all — 97 percent or 75,455 — of the cards compromised by MajikPOS were issued by US banks with the remaining 3 percent distributed around the world.

The Treasure Hunter panel told a similar story with 96 percent (86,411) issued in the US.

[…]

Source: Crooks use POS malware to steal 167,000 credit card numbers • The Register

Lenovo reveals rollable growing laptop and smartphone screens

Lenovo has staged its annual Tech World gabfest and teased devices with rollable OLED screens that shrink or expand as applications demand.

The company emitted the video below to show off its rollables. We’ve embedded and set the vid to start at the moment the rollable phone is demoed. The rollable laptop demo starts at the 53 second mark.

Lenovo has offered no explanation of how the rollables work, and the video above does not show the rear of the prototype rollable smartphone and laptop.

[…]

Source: Lenovo reveals rollable laptop and smartphone screens • The Register

Google’s Privacy Settings Finally Won’t Break Its Apps Anymore, require using My Ad Center

[…] It used to be that the only way to prevent Google from using your data for targeted ads was turning off personalized ads across your whole account, or disabling specific kinds of data using a couple of settings, including Web & App Activity and YouTube History. Those two settings control whether Google collects certain details about what you do on its platform (you can see some of that data here). Turning off the controls meant Google wouldn’t use the data for ads, but it disabled some of the most useful features on services such as Maps, Search, and Google Assistant.

Thanks to a new set of controls, that’s no longer true. You can now leave Web & App Activity and YouTube History on, but drill in to adjust more specific settings to tell Google you don’t want the related data used for targeted ads.

The detail is tucked into an announcement about the rollout of a new hub for Google’s advertising settings called My Ad Center. “You can decide what types of your Google activity are used to show you ads, without impacting your experience with the utility of the product,” Jerry Dischler, vice president of ads at Google, wrote in a blog post.

That’s a major step in the direction of what experts call “usable privacy,” or data protection that’s easy to manage without breaking other parts of the internet.

[…]

You’ll find the new controls in My Ad Center, which starts rolling out to users this week. It primarily serves as a hub for Google’s existing ad controls, but you’ll find some expanded options, new tools, and a number of other updates.

When you open My Ad Center, you’ll be able to fine tune whether you see ads related to certain subjects or advertisers. […] You’ll also be able to view ads and advertisers that you’ve seen recently, and see all the ads that specific advertisers have run over the last thirty days.

Google also includes a way to toggle off ads on sensitive subjects such as alcohol, parenting, and weight loss. Unlike similar settings on Facebook and Instagram, though, you can’t tell Google you don’t want to see ads about politics.

Source: Google’s Privacy Settings Finally Won’t Break Its Apps Anymore

So you probably need to spend quite some time configuring this – we will see. But most importantly, you are now directly telling Google what you do and don’t like (and what you don’t like tells them about what you do like) without them having to feed your search behaviour through an algorithm and making them guess at how to best /– mind control –/ sell ads to you.

Texas sues Google for allegedly capturing biometric data of millions without consent

Texas has filed a lawsuit against Alphabet’s (GOOGL.O) Google for allegedly collecting biometric data of millions of Texans without obtaining proper consent, the attorney general’s office said in a statement on Thursday.

The complaint says that companies operating in Texas have been barred for more than a decade from collecting people’s faces, voices or other biometric data without advanced, informed consent.

“In blatant defiance of that law, Google has, since at least 2015, collected biometric data from innumerable Texans and used their faces and their voices to serve Google’s commercial ends,” the complaint said. “Indeed, all across the state, everyday Texans have become unwitting cash cows being milked by Google for profits.”

The collection occurred through products like Google Photos, Google Assistant, and Nest Hub Max, the statement said.

[…]

Source: Texas sues Google for allegedly capturing biometric data of millions without consent | Reuters

Advocate Aurora Health leaks 3 million patients’ data to big tech through webtracker installation

A hospital network in Wisconsin and Illinois fears visitor tracking code on its websites may have transmitted personal information on as many as 3 million patients to Meta, Google, and other third parties.

Advocate Aurora Health (AAH) reported the potential breach to the US government’s Health and Human Services. As well as millions of patients, AAH has 27 hospitals and 32,000 doctors and nurses on its books.

[…]

Essentially, AAH is saying that it placed analytics code on its online portals to get an idea of how many people visit and log in to their accounts, what they use, and so on. It has now determined that the code – known also as trackers or pixels because they may be loaded onto pages as invisible single pixels – may have sent personal info from the pages patients had open to those providing the trackers, such as Facebook or Google.

You might imagine these trackers simply transmit a unique identifier and IP address for the visitor and some details about their actions on the site for subsequent analysis and record keeping. But it turns out these pixels can send back all sorts of things like search terms, your doctor’s name, and the illnesses you’re suffering from.

[…]

The data that may have been sent, though, is extensive: IP addresses, appointment information including scheduling and type, proximity to an AAH facility, provider information, digital messages, first and last name, insurance data, and MyChart account information may all have been exposed. AAH said financial and Social Security information was not compromised.

[…]

Earlier this year, it was shown that Meta’s pixels could collect a lot more than basic usage metrics, transmitting personal data to Zuckercorp even for people who didn’t have Facebook accounts. The same is true of other trackers, such as TikTok’s, which can gather personal data regardless of whether a website’s visitor has ever set a digital foot on the China-owned social network.

Generally speaking, site and app owners have control over how much or how little is collected by the trackers they place on their pages. You can configure which activities trigger a ping back to the pixel provider, such as Meta, which you can then review from a backend dashboard.

While the info exposed by AAH was not grabbed by hackers, it is now in the hands of Big Tech, which is a privacy concern no matter what those technology companies say.

AAH said it – like so many other organizations, government and private – was using the trackers to aggregate user data for analysis, and it only seems to have just occurred to the nonprofit that this data is private health information and shouldn’t really be fed into Meta or Google.

[…]

Source: Advocate Aurora Health in potential 3 million patient leak • The Register

India fines Google ₹1,337.76 crore ($162 million) for Android monopoly abuse

India’s Competition Commission has announced it will fine Google ₹1,337.76 crore (₹13,377,600,000 or $161.5 million) for abusing its dominant position in multiple markets in the Android mobile device ecosystem, and has ordered the company to open the Android ecosystem to competition.

[…]

The Commission found Google was dominant in all five markets and worked to preserve that position with instruments such as the Mobile Application Distribution Agreement (MADA) that required Android licensees to include Google’s apps.

“MADA assured that the most prominent search entry points – i.e., search app, widget and Chrome browser – are pre-installed on Android devices, which accorded significant competitive edge to Google’s search services over its competitors,” the CIC found. Google’s policies also gave the company “significant competitive edge over its competitors” for its own apps such as YouTube on Android devices.

The CIC offered the following assessment of how Google’s actions impacted the market:

The competitors of these services could never avail the same level of market access which Google secured and embedded for itself through MADA. Network effects, coupled with status quo bias, create significant entry barriers for competitors of Google to enter or operate in the concerned markets.

[…]

For those and many other reasons, the CIC decided Google was on the wrong side of India’s Competition Act. In addition to the abovementioned fine, it imposed a cease and desist order on Google that requires it to change some of its business practices to do things such as:

  • Allowing third-party app stores to be sold on Google Play;
  • Allowing side-loading of apps;
  • Giving users choice of default search engine other than Google when setting up a device;
  • Ceasing payments to handset makers to secure search exclusivity;
  • Not denying access to Android APIs to developers who build apps that run on Android forks.

Some of the above are measures that other competition regulators around the world have contemplated, but not implemented.

So while India’s fine is a quarter of a day’s worth of Google’s $256 billion annual revenue and therefore a pin-prick, the tiny wound could become infected if other regulators decide to poke around.

[…]

Source: India fines Google $162 million for Android monopoly abuse • The Register

The size of the fine was probably pretty well thought out too 🙂

Ring Cameras Are Being Used To Control and Surveil Overworked Delivery Workers

Networked doorbell surveillance cameras like Amazon’s Ring are everywhere, and have changed the nature of delivery work by letting customers take on the role of bosses to monitor, control, and discipline workers, according to a recent report (PDF) by the Data & Society tech research institute. “The growing popularity of Ring and other networked doorbell cameras has normalized home and neighborhood surveillance in the name of safety and security,” Data & Society’s Labor Futures program director Aiha Nguyen and research analyst Eve Zelickson write. “But for delivery drivers, this has meant their work is increasingly surveilled by the doorbell cameras and supervised by customers. The result is a collision between the American ideas of private property and the business imperatives of doing a job.”

Thanks to interviews with surveillance camera users and delivery drivers, the researchers are able to dive into a few major developments interacting here to bring this to a head. Obviously, the first one is the widespread adoption of doorbell surveillance cameras like Ring. Just as important as the adoption of these cameras, however, is the rise of delivery work and its transformation into gig labor. […] As the report lays out, Ring cameras allow customers to surveil delivery workers and discipline their labor by, for example, sharing shaming footage online. This dovetails with the “gigification” of Amazon’s delivery workers in two ways: labor dynamics and customer behavior.

“Gig workers, including Flex drivers, are sold on the promise of flexibility, independence and freedom. Amazon tells Flex drivers that they have complete control over their schedule, and can work on their terms and in their space,” Nguyen and Zelickson write. “Through interviews with Flex drivers, it became apparent that these marketed perks have hidden costs: drivers often have to compete for shifts, spend hours trying to get reimbursed for lost wages, pay for wear and tear on their vehicle, and have no control over where they work.” That competition between workers manifests in other ways too, namely acquiescing to and complying with customer demands when delivering purchases to their homes. Even without cameras, customers have made onerous demands of Flex drivers even as the drivers are pressed to meet unrealistic and dangerous routes alongside unsafe and demanding productivity quotas. The introduction of surveillance cameras at the delivery destination, however, adds another level of surveillance to the gigification. […] The report’s conclusion is clear: Amazon has deputized its customers and made them partners in a scheme that encourages antagonistic social relations, undermines labor rights, and provides cover for a march towards increasingly ambitious monopolistic exploits. As Nguyen and Zelickson point out, it is ingenious how Amazon has “managed to transform what was once a labor cost (i.e., supervising work and asset protection) into a revenue stream through the sale of doorbell cameras and subscription services to residents who then perform the labor of securing their own doorstep.”

Source: Ring Cameras Are Being Used To Control and Surveil Overworked Delivery Workers – Slashdot

TikTok joins Uber, Facebook in Monitoring The Physical Location Of Specific American Citizens

The team behind the monitoring project — ByteDance’s Internal Audit and Risk Control department — is led by Beijing-based executive Song Ye, who reports to ByteDance cofounder and CEO Rubo Liang.

The team primarily conducts investigations into potential misconduct by current and former ByteDance employees. But in at least two cases, the Internal Audit team also planned to collect TikTok data about the location of a U.S. citizen who had never had an employment relationship with the company, the materials show. It is unclear from the materials whether data about these Americans was actually collected; however, the plan was for a Beijing-based ByteDance team to obtain location data from U.S. users’ devices.

[…]

material reviewed by Forbes indicates that ByteDance’s Internal Audit team was planning to use this location information to surveil individual American citizens, not to target ads or any of these other purposes. Forbes is not disclosing the nature and purpose of the planned surveillance referenced in the materials in order to protect sources.

[…]

The Internal Audit and Risk Control team runs regular audits and investigations of TikTok and ByteDance employees, for infractions like conflicts of interest and misuse of company resources, and also for leaks of confidential information. Internal materials reviewed by Forbes show that senior executives, including TikTok CEO Shou Zi Chew, have ordered the team to investigate individual employees, and that it has investigated employees even after they left the company.

[…]

ByteDance is not the first tech giant to have considered using an app to monitor specific U.S. users. In 2017, the New York Times reported that Uber had identified various local politicians and regulators and served them a separate, misleading version of the Uber app to avoid regulatory penalties. At the time, Uber acknowledged that it had run the program, called “greyball,” but said it was used to deny ride requests to “opponents who collude with officials on secret ‘stings’ meant to entrap drivers,” among other groups.

[…]

Both Uber and Facebook also reportedly tracked the location of journalists reporting on their apps. A 2015 investigation by the Electronic Privacy Information Center found that Uber had monitored the location of journalists covering the company. Uber did not specifically respond to this claim. The 2021 book An Ugly Truth alleges that Facebook did the same thing, in an effort to identify the journalists’ sources. Facebook did not respond directly to the assertions in the book, but a spokesperson told the San Jose Mercury News in 2018 that, like other companies, Facebook “routinely use[s] business records in workplace investigations.”

[…]

https://www.forbes.com/sites/emilybaker-white/2022/10/20/tiktok-bytedance-surveillance-american-user-data/

So a bit of anti-China stirring, although it’s pretty sad that nowadays this kind of surveillance by tech companies has been normalised by the US govt refusing to punish it.

iOS 16 VPN Tunnels Leak Data, Even When Lockdown Mode Is Enabled

AmiMoJo shares a report from MacRumors: iOS 16 continues to leak data outside an active VPN tunnel, even when Lockdown mode is enabled, security researchers have discovered. Speaking to MacRumors, security researchers Tommy Mysk and Talal Haj Bakry explained that iOS 16’s approach to VPN traffic is the same whether Lockdown mode is enabled or not. The news is significant since iOS has a persistent, unresolved issue with leaking data outside an active VPN tunnel.

According to a report from privacy company Proton, an iOS VPN bypass vulnerability had been identified in iOS 13.3.1, which persisted through three subsequent updates. Apple indicated it would add Kill Switch functionality in a future software update that would allow developers to block all existing connections if a VPN tunnel is lost, but this functionality does not appear to prevent data leaks as of iOS 15 and iOS 16. Mysk and Bakry have now discovered that iOS 16 communicates with select Apple services outside an active VPN tunnel and leaks DNS requests without the user’s knowledge.

Mysk and Bakry also investigated whether iOS 16’s Lockdown mode takes the necessary steps to fix this issue and funnel all traffic through a VPN when one is enabled, and it appears that the exact same issue persists whether Lockdown mode is enabled or not, particularly with push notifications. This means that the minority of users who are vulnerable to a cyberattack and need to enable Lockdown mode are equally at risk of data leaks outside their active VPN tunnel. […] Due to the fact that iOS 16 leaks data outside the VPN tunnel even where Lockdown mode is enabled, internet service providers, governments, and other organizations may be able to identify users who have a large amount of traffic, potentially highlighting influential individuals. It is possible that Apple does not want a potentially malicious VPN app to collect some kinds of traffic, but seeing as ISPs and governments are then able to do this, even if that is what the user is specifically trying to avoid, it seems likely that this is part of the same VPN problem that affects iOS 16 as a whole.

https://m.slashdot.org/story/405931

Shein Owner Fined $1.9 Million For Failing To Notify 39 Million Users of Data Breach – Slashdot

Zoetop, the firm that owns Shein and its sister brand Romwe, has been fined (PDF) $1.9 million by New York for failing to properly disclose a data breach from 2018.

TechCrunch reports: A cybersecurity attack that originated in 2018 resulted in the theft of 39 million Shein account credentials, including those of more than 375,000 New York residents, according to the AG’s announcement. An investigation by the AG’s office found that Zoetop only contacted “a fraction” of the 39 million compromised accounts, and for the vast majority of the users impacted, the firm failed to even alert them that their login credentials had been stolen. The AG’s office also concluded that Zoetop’s public statements about the data breach were misleading. In one instance, the firm falsely stated that only 6.42 million consumers had been impacted and that it was in the process of informing all the impacted users.

https://m.slashdot.org/story/405939

Scientists grow human brain cells to play Pong

Researchers have succeeded in growing brain cells in a lab and hooking them up to electronic connectors proving they can learn to play the seminal console game Pong.

Led by Brett Kagan, chief scientific officer at Cortical Labs, the researchers showed that by integrating neurons into digital systems they could harness “the inherent adaptive computation of neurons in a structured environment”.

According to the paper published in the journal Neuron, the biological neural networks grown from human or rodent origins were integrated with computing hardware via a high-density multielectrode array.

“Through electrophysiological stimulation and recording, cultures are embedded in a simulated game-world, mimicking the arcade game Pong.

“Applying implications from the theory of active inference via the free energy principle, we find apparent learning within five minutes of real-time gameplay not observed in control conditions,” the paper said. “Further experiments demonstrate the importance of closed-loop structured feedback in eliciting learning over time.”

[…]

https://www.theregister.com/2022/10/14/boffins_grow_human_brain_cells/

Meta’s New $1499 Headset Will Track Your Eyes for Targeted Ads

Earlier this week, Meta revealed the Meta Quest Pro, the company’s most premium virtual reality headset to date with a new processor and screen, dramatically redesigned body and controllers, and inward-facing cameras for eye and face tracking. “To celebrate the $1,500 headset, Meta made some fun new additions to its privacy policy, including one titled ‘Eye Tracking Privacy Notice,'” reports Gizmodo. “The company says it will use eye-tracking data to ‘help Meta personalize your experiences and improve Meta Quest.’ The policy doesn’t literally say the company will use the data for marketing, but ‘personalizing your experience’ is typical privacy-policy speak for targeted ads.”

From the report: Eye tracking data could be used “in order to understand whether people engage with an advertisement or not,” said Meta’s head of global affairs Nick Clegg in an interview with the Financial Times. Whether you’re resigned to targeted ads or not, this technology takes data collection to a place we’ve never seen. The Quest Pro isn’t just going to inform Meta about what you say you’re interested in, tracking your eyes and face will give the company unprecedented insight about your emotions. “We know that this kind of information can be used to determine what people are feeling, especially emotions like happiness or anxiety,” said Ray Walsh, a digital privacy researcher at ProPrivacy. “When you can literally see a person look at an ad for a watch, glance for ten seconds, smile, and ponder whether they can afford it, that’s providing more information than ever before.”

[…]

https://m.slashdot.org/story/405885

AI recruitment software is ‘automated pseudoscience’ says Cambridge study

Claims that AI-powered recruitment software can boost diversity of new hires at a workplace were debunked in a study published this week.

Advocates of machine learning algorithms trained to analyze body language and predict the emotional intelligence of candidates believe the software provides a fairer way to assess workers if it doesn’t consider gender and race. They argue the new tools could remove human biases and help companies meet their diversity, equity, and inclusion goals by hiring more people from underrepresented groups.

But a paper published in the journal Philosophy and Technology by a pair of researchers at the University of Cambridge demonstrates that the software is little more than “automated pseudoscience”. Six computer science undergraduates replicated a commercial model used in industry to examine how AI recruitment software predicts people’s personalities using images of their faces.

Dubbed the “Personality Machine”, the system looks for the “big five” personality traits: extroversion, agreeableness, openness, conscientiousness, and neuroticism. They found the software’s predictions were affected by changes in people’s facial expressions, lighting and backgrounds, as well as their choice of clothing. These features have nothing to do with a jobseeker’s abilities, thus using AI for recruitment purposes is flawed, the researchers argue.

“The fact that changes to light and saturation and contrast affect your personality score is proof of this,” Kerry Mackereth, a postdoctoral research associate at the University of Cambridge’s Centre for Gender Studies, told The Register. The paper’s results are backed up by previous studies, which have shown how wearing glasses and a headscarf in a video interview or adding in a bookshelf in the background can decrease a candidate’s scores for conscientiousness and neuroticism, she noted. 

Mackereth also explained these tools are likely trained to look for attributes associated with previous successful candidates, and are, therefore, more likely to recruit similar-looking people instead of promoting diversity. 

“Machine learning models are understood as predictive; however, since they are trained on past data, they are re-iterating decisions made in the past, not the future. As the tools learn from this pre-existing data set a feedback loop is created between what the companies perceive to be an ideal employee and the criteria used by automated recruitment tools to select candidates,” she said.

The researchers believe the technology needs to be regulated more strictly. “We are concerned that some vendors are wrapping ‘snake oil’ products in a shiny package and selling them to unsuspecting customers,” said co-author Eleanor Drage, a postdoctoral research associate also at the Centre for Gender Studies. 

“While companies may not be acting in bad faith, there is little accountability for how these products are built or tested. As such, this technology, and the way it is marketed, could end up as dangerous sources of misinformation about how recruitment can be ‘de-biased’ and made fairer,” she added.

Mackereth said that although the European Union AI Act classifies such recruitment software as “high risk,” it’s unclear what rules are being enforced to reduce those risks. “We think that there needs to be much more serious scrutiny of these tools and the marketing claims which are made about these products, and that the regulation of AI-powered HR tools should play a much more prominent role in the AI policy agenda.”

“While the harms of AI-powered hiring tools appear to be far more latent and insidious than more high-profile instances of algorithmic discrimination, they possess the potential to have long-lasting effects on employment and socioeconomic mobility,” she concluded.

https://www.theregister.com/2022/10/13/ai_recruitment_software_diversity/

Android Leaks Some Traffic Even When ‘Always-On VPN’ Is Enabled – Slashdot

Mullvad VPN has discovered that Android leaks traffic every time the device connects to a WiFi network, even if the “Block connections without VPN,” or “Always-on VPN,” feature is enabled. BleepingComputer reports: The data being leaked outside VPN tunnels includes source IP addresses, DNS lookups, HTTPS traffic, and likely also NTP traffic. This behavior is built into the Android operating system and is a design choice. However, Android users likely didn’t know this until now due to the inaccurate description of the “VPN Lockdown” features in Android’s documentation. Mullvad discovered the issue during a security audit that hasn’t been published yet, issuing a warning yesterday to raise awareness on the matter and apply additional pressure on Google.

Android offers a setting under “Network & Internet” to block network connections unless you’re using a VPN. This feature is designed to prevent accidental leaks of the user’s actual IP address if the VPN connection is interrupted or drops suddenly. Unfortunately, this feature is undercut by the need to accommodate special cases like identifying captive portals (like hotel WiFi) that must be checked before the user can log in or when using split-tunnel features. This is why Android is configured to leak some data upon connecting to a new WiFi network, regardless of whether you enabled the “Block connections without VPN” setting.

Mullvad reported the issue to Google, requesting the addition of an option to disable connectivity checks. “This is a feature request for adding the option to disable connectivity checks while “Block connections without VPN” (from now on lockdown) is enabled for a VPN app,” explains Mullvad in a feature request on Google’s Issue Tracker. “This option should be added as the current VPN lockdown behavior is to leak connectivity check traffic (see this issue for incorrect documentation) which is not expected and might impact user privacy.” In response to Mullvad’s request, a Google engineer said this is the intended functionality and that it would not be fixed for the following reasons:

– Many VPNs actually rely on the results of these connectivity checks to function,
– The checks are neither the only nor the riskiest exemptions from VPN connections,
– The privacy impact is minimal, if not insignificant, because the leaked information is already available from the L2 connection.

Mullvad countered these points and the case remains open.

https://m.slashdot.org/story/405837
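The two VPN items above (iOS 16 with and without Lockdown mode, and Android’s “Block connections without VPN”) describe the same class of failure: traffic that leaves the physical interface without going through the tunnel. The following is an added example, not code from MacRumors, Mullvad or the cited researchers, showing how to check for that on your own device from a capture taken on the Wi-Fi interface while the VPN is up. It works on simplified per-connection flow records; the VPN endpoint address, the interface names, the port-to-label heuristics and all sample flows are constructed assumptions.

```python
"""Flag device traffic that bypassed the VPN tunnel.

Added example. It takes simplified flow records (one per connection) of the
kind you would extract from a packet capture on the phone's Wi-Fi interface or
on the upstream router while the VPN is connected. All records below are
constructed sample data, not captures from the cited research.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed deployment facts: replace with your own VPN endpoint and interface names.
VPN_SERVER = "198.51.100.10"   # assumed VPN endpoint (documentation address range)
PHYSICAL_IFACE = "wlan0"       # where leaks show up; "tun0" is the tunnel itself
LOCAL_SCOPES = (
    ip_network("169.254.0.0/16"), ip_network("224.0.0.0/4"),   # link-local / multicast v4
    ip_network("fe80::/10"), ip_network("ff00::/8"),           # link-local / multicast v6
)


@dataclass(frozen=True)
class Flow:
    iface: str       # interface the packets were seen on
    proto: str       # "udp" or "tcp"
    dst_ip: str
    dst_port: int
    nbytes: int


def classify(flow: Flow):
    """Return None for acceptable traffic, otherwise a short leak label."""
    if flow.iface != PHYSICAL_IFACE:
        return None                       # inside the tunnel interface: fine
    if flow.dst_ip == VPN_SERVER:
        return None                       # the encrypted tunnel transport itself
    dst = ip_address(flow.dst_ip)
    if any(dst in scope for scope in LOCAL_SCOPES):
        return None                       # LAN discovery/multicast, not a remote leak
    if flow.proto == "udp" and flow.dst_port == 53:
        return "dns-leak"                 # the resolver sees the hostnames you visit
    if flow.proto == "udp" and flow.dst_port == 123:
        return "ntp-leak"
    if flow.proto == "tcp" and flow.dst_port == 80:
        return "plaintext-http-leak"      # captive-portal/connectivity checks are usually plain HTTP
    if flow.proto == "tcp" and flow.dst_port == 5223:
        return "push-leak"                # 5223 is the port Apple's push service is known to use
    return "other-leak"


def leak_report(flows):
    """Summarise everything that escaped the tunnel: count, bytes and a per-type breakdown."""
    leaked = []
    for flow in flows:
        label = classify(flow)
        if label:
            leaked.append((flow, label))
    return {
        "count": len(leaked),
        "bytes": sum(f.nbytes for f, _ in leaked),
        "by_type": dict(Counter(label for _, label in leaked)),
    }


# Constructed sample flows: one VPN session plus a handful of bypassing connections.
SAMPLE_FLOWS = [
    Flow("wlan0", "udp", "198.51.100.10", 51820, 48000),   # tunnel transport (e.g. WireGuard)
    Flow("tun0",  "tcp", "203.0.113.7",   443,   12000),   # HTTPS inside the tunnel
    Flow("wlan0", "udp", "203.0.113.53",  53,    80),      # DNS query to the ISP resolver
    Flow("wlan0", "tcp", "203.0.113.80",  80,    600),     # connectivity check over HTTP
    Flow("wlan0", "tcp", "203.0.113.22",  5223,  900),     # push notification channel
    Flow("wlan0", "udp", "203.0.113.123", 123,   76),      # NTP
    Flow("wlan0", "udp", "224.0.0.251",   5353,  120),     # mDNS on the LAN, ignored
    Flow("wlan0", "tcp", "203.0.113.9",   8080,  300),     # unexplained direct connection
]

if __name__ == "__main__":
    print(leak_report(SAMPLE_FLOWS))
```

Anything on the physical interface that is not addressed to the VPN server is, by definition, outside the tunnel; the labels are only port heuristics to make the report readable. The DNS and plaintext HTTP rows are the privacy-relevant cases, and the byte totals are the “large amount of traffic” signature the researchers warn an ISP could use to pick out heavy VPN users.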

Google Starts Testing Holographic Video Chats at Real Offices

https://www.cnet.com/tech/computing/google-starts-testing-holographic-video-chats-at-real-offices/

Google’s Project Starline, a holographic chat booth being installed in some early-access test offices this year. (Image: Google)

Project Starline, Google’s experimental technology using holographic light field displays to video chat with distant co-workers, is moving out of Google’s offices and into some real corporate locations for testing starting this year.

Google’s Project Starline tech, announced last year at the company’s I/O developer conference, uses giant light field displays and an array of cameras to record and display 3D video between two people at two different remote locations. 

Starline prototypes are being installed at Salesforce, WeWork, T-Mobile and Hackensack Meridian Health offices as part of the early-access program, with each participating company getting two units to start.

Google’s Project Starline makes it seem like you’re talking to someone in real life through a window, instead of through video chat. (Image: Google)

According to Google, 100 businesses have already demoed Project Starline at the company’s own offices. The off-Google installations are a next step to test how the holographic video chats could be used to create more realistic virtual meetings, without needing to use VR or AR headsets.

This tech won’t be anything that regular customers will be seeing: it’s being installed for corporate use only and only in a few test sites for now. But, it’s technology that Google believes could help remote communications with customers, creating a more immediate sense of presence than standard video chats.

A dark web carding market named ‘BidenCash’ has released a massive dump of 1,221,551 credit cards to promote their marketplace, allowing anyone to download them for free to conduct financial fraud.

Carding is the trafficking and use of credit cards stolen through point-of-sale malware, Magecart attacks on websites, or information-stealing malware.

BidenCash is a stolen cards marketplace launched in June 2022, leaking a few thousand cards as a promotional move.

Now, the market’s operators decided to promote the site with a much more massive dump in the same fashion that the similar platform ‘All World Cards’ did in August 2021.

[…]

The freely circulating file contains a mix of “fresh” cards expiring between 2023 and 2026 from around the world, but most entries appear to be from the United States.

Heatmap reflecting the global exposure, and focus in the U.S. (Cyble)

The dump of 1.2 million credit cards includes the following credit card and associated personal information:

  • Card number
  • Expiration date
  • CVV number
  • Holder’s name
  • Bank name
  • Card type, status, and class
  • Holder’s address, state, and ZIP
  • Email address
  • SSN
  • Phone number

Not all the above details are available for all 1.2 million records, but most entries seen by BleepingComputer contain over 70% of the data types.

The “special event” offer was first spotted Friday by Italian security researchers at D3Lab, who monitor carding sites on the dark web.


The analysts claim these cards mainly come from web skimmers, which are malicious scripts injected into checkout pages of hacked e-commerce sites that steal submitted credit card and customer information.

[…]

BleepingComputer has discussed the authenticity with analysts at D3Lab, who confirmed that the data is real with several Italian banks, so the leaked entries correspond to real cards and cardholders.

However, many of the entries were recycled from previous collections, like the one ‘All World Cards’ gave away for free last year.

From the data D3Lab has examined so far, about 30% appear to be fresh, so if this applies roughly to the entire dump, at least 350,000 cards would still be valid.

Of the Italian cards, roughly 50% have already been blocked due to the issuing banks having detected fraudulent activity, which means that the actually usable entries in the leaked collection may be as low as 10%.

[…]

Source: Darkweb market BidenCash gives away 1.2 million credit cards for free – Bleeping Computer
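For a fraud or incident-response team the practical question is how much of such a giveaway is still live. The block below is an added example, not code from BleepingComputer, D3Lab or Cyble, of the first-pass triage that D3Lab’s numbers imply: drop rows that fail the Luhn check, drop cards that have already expired, and separate entries that were present in an earlier collection from genuinely new ones. The CSV layout, the reference date and the records are constructed; the card numbers are published test numbers that pass Luhn, not real cards.

```python
"""Triage a leaked card dump: which entries are even plausible, which are stale,
and which were already seen in an earlier collection.

Added example, not code from the cited reporting. The dump is assumed to be CSV
with the column names used below; the records are constructed from published
test card numbers and fictitious holders. Raw card numbers are never written out:
entries are fingerprinted with SHA-256 for comparison and masked for reporting.
"""
import csv
import hashlib
import io
from datetime import date


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; filters typos and junk rows before anything else."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:          # PAN lengths allowed by ISO/IEC 7812
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def fingerprint(pan: str) -> str:
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def mask(pan: str) -> str:
    """Keep BIN (first 6) and last 4, as a fraud report would."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def is_expired(exp: str, today: date) -> bool:
    """exp is MM/YY; a card is usable through the end of its expiry month."""
    mm, yy = exp.split("/")
    return (2000 + int(yy), int(mm)) < (today.year, today.month)


def triage(csv_text: str, known_fingerprints: set, today: date):
    stats = {"total": 0, "luhn_invalid": 0, "duplicate_in_dump": 0,
             "expired": 0, "recycled": 0, "fresh": 0}
    fresh, seen = [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        stats["total"] += 1
        pan = row["number"].replace(" ", "")
        if not luhn_ok(pan):
            stats["luhn_invalid"] += 1
            continue
        fp = fingerprint(pan)
        if fp in seen:
            stats["duplicate_in_dump"] += 1
            continue
        seen.add(fp)
        if is_expired(row["exp"], today):
            stats["expired"] += 1
            continue
        if fp in known_fingerprints:             # already in an earlier collection
            stats["recycled"] += 1
            continue
        stats["fresh"] += 1
        fresh.append({"pan": mask(pan), "exp": row["exp"], "bank": row["bank"]})
    return stats, fresh


# Constructed sample dump: published test PANs, fictitious holders.
SAMPLE_DUMP = """number,exp,cvv,name,bank,email
4111111111111111,12/25,123,TEST HOLDER ONE,Example Bank,one@example.com
5555555555554444,03/24,456,TEST HOLDER TWO,Example Bank,two@example.com
378282246310005,06/21,789,TEST HOLDER THREE,Example Bank,three@example.com
6011111111111117,01/26,321,TEST HOLDER FOUR,Example Bank,four@example.com
4111111111111112,09/23,999,TEST HOLDER FIVE,Example Bank,five@example.com
4111111111111111,12/25,123,TEST HOLDER ONE,Example Bank,one@example.com
"""

# Fingerprints from a previous giveaway you already processed (constructed: one entry).
KNOWN_FINGERPRINTS = {fingerprint("5555555555554444")}
REFERENCE_DATE = date(2022, 10, 10)   # assumed date of analysis

if __name__ == "__main__":
    stats, fresh = triage(SAMPLE_DUMP, KNOWN_FINGERPRINTS, REFERENCE_DATE)
    print(stats)
    for entry in fresh:
        print(entry)
```

Luhn validity only says a number is well-formed; whether a card is actually usable still depends on the issuer, which is the step D3Lab did with the Italian banks and which drove the “usable entries may be as low as 10%” figure. Keeping only fingerprints and masked numbers means the triage output can be shared with banks or law enforcement without itself becoming card data.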

IKEA TRÅDFRI smart lighting hacked to blink and reset

Researchers at the Synopsys Cybersecurity Research Center (CyRC) have discovered an availability vulnerability in the IKEA TRÅDFRI smart lighting system. An attacker sending a single malformed IEEE 802.15.4 (Zigbee) frame makes the TRÅDFRI bulb blink, and if they replay (i.e. resend) the same frame multiple times, the bulb performs a factory reset. This causes the bulb to lose configuration information about the Zigbee network and current brightness level. After this attack, all lights are on with full brightness, and a user cannot control the bulbs with either the IKEA Home Smart app or the TRÅDFRI remote control.

The malformed Zigbee frame is an unauthenticated broadcast message, which means all vulnerable devices within radio range are affected.

To recover from this attack, a user could add each bulb manually back to the network. However, an attacker could reproduce the attack at any time.

CVE-2022-39064 is related to another vulnerability, CVE-2022-39065, which also affects availability in the IKEA TRÅDFRI smart lighting system. Read our latest blog post to learn more.

Source: CyRC Vulnerability Advisory: CVE-2022-39064 IKEA TRÅDFRI smart lighting | Synopsys
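The advisory gives a defender two facts to act on without knowing the malformed frame itself: it is an unauthenticated broadcast, and the factory reset needs the identical frame replayed several times. The following added example (not code from Synopsys or IKEA) parses the IEEE 802.15.4 MAC header of frames from a sniffer capture, keeps only data frames sent unsecured to the short broadcast address 0xFFFF, and raises an alert when the same bytes show up repeatedly within a few seconds. The frames are constructed ordinary data frames with short addressing and PAN ID compression, not the advisory’s frame; the capture is assumed to have the trailing FCS already stripped; the threshold and window are assumptions.

```python
"""Spot a replayed, unauthenticated 802.15.4 broadcast frame in a sniffer capture.

Added example: a minimal IEEE 802.15.4 MAC header parser plus a detector for the
pattern the advisory describes (the same unauthenticated broadcast frame sent over
and over). The frames below are constructed ordinary data frames, not the
malformed frame from the advisory, and the capture is assumed to carry frames
with the trailing FCS already stripped by the sniffer.
"""
import struct
from collections import defaultdict

BROADCAST_SHORT = 0xFFFF
FRAME_TYPE_DATA = 1


def parse_mac_header(frame: bytes) -> dict:
    """Decode the frame control field, sequence number and addressing fields."""
    if len(frame) < 3:
        raise ValueError("frame too short for FCF + sequence number")
    fcf = struct.unpack_from("<H", frame, 0)[0]
    hdr = {
        "frame_type": fcf & 0x7,                  # bits 0-2
        "security": bool(fcf & 0x8),              # bit 3: MAC-layer security enabled
        "pan_compression": bool(fcf & 0x40),      # bit 6: source PAN ID omitted
        "dst_mode": (fcf >> 10) & 0x3,            # 0 none, 2 short (16-bit), 3 extended (64-bit)
        "version": (fcf >> 12) & 0x3,
        "src_mode": (fcf >> 14) & 0x3,
        "seq": frame[2],
        "dst_pan": None, "dst_addr": None, "src_pan": None, "src_addr": None,
    }
    off = 3

    def read_addr(mode):
        nonlocal off
        if mode == 2:
            value = struct.unpack_from("<H", frame, off)[0]
            off += 2
        elif mode == 3:
            value = struct.unpack_from("<Q", frame, off)[0]
            off += 8
        else:
            raise ValueError("reserved addressing mode")
        return value

    if hdr["dst_mode"]:
        hdr["dst_pan"] = struct.unpack_from("<H", frame, off)[0]
        off += 2
        hdr["dst_addr"] = read_addr(hdr["dst_mode"])
    if hdr["src_mode"]:
        if hdr["pan_compression"]:
            hdr["src_pan"] = hdr["dst_pan"]
        else:
            hdr["src_pan"] = struct.unpack_from("<H", frame, off)[0]
            off += 2
        hdr["src_addr"] = read_addr(hdr["src_mode"])
    hdr["payload"] = frame[off:]
    return hdr


def is_unauthenticated_broadcast(hdr: dict) -> bool:
    return (hdr["frame_type"] == FRAME_TYPE_DATA and not hdr["security"]
            and hdr["dst_mode"] == 2 and hdr["dst_addr"] == BROADCAST_SHORT)


def find_replays(captures, threshold=3, window=5.0):
    """captures: iterable of (timestamp_seconds, raw_frame). Alerts once when an
    identical unauthenticated broadcast frame reaches `threshold` copies within `window`."""
    recent = defaultdict(list)        # raw frame bytes -> timestamps seen
    alerts = []
    for ts, raw in captures:
        try:
            hdr = parse_mac_header(raw)
        except (ValueError, struct.error):
            continue                   # truncated/undecodable frame; out of scope here
        if not is_unauthenticated_broadcast(hdr):
            continue
        times = recent[raw]
        times.append(ts)
        while times and ts - times[0] > window:
            times.pop(0)               # forget copies outside the sliding window
        if len(times) == threshold:
            alerts.append({"src": hdr["src_addr"], "seq": hdr["seq"],
                           "count": len(times), "frame": raw.hex()})
    return alerts


def build_frame(seq, dst=BROADCAST_SHORT, src=0x0001, secured=False, payload=b"\x00"):
    """Constructed data frame: short addressing, PAN ID compression, PAN 0x1234."""
    fcf = 0x8841 | (0x0008 if secured else 0)
    return struct.pack("<HBHHH", fcf, seq, 0x1234, dst, src) + payload


# Constructed capture: normal traffic, then one frame from 0x0BAD replayed four times.
SAMPLE_CAPTURE = [
    (0.0, build_frame(0x10)),                       # legitimate broadcast
    (1.0, build_frame(0x11)),                       # next sequence number, different bytes
    (2.0, build_frame(0x12, dst=0x1A2B)),           # unicast, ignored
    (3.0, build_frame(0x13, secured=True)),         # secured broadcast, ignored
] + [(10.0 + 0.2 * i, build_frame(0x77, src=0x0BAD, payload=b"\x01\x02")) for i in range(4)]

if __name__ == "__main__":
    for alert in find_replays(SAMPLE_CAPTURE):
        print(alert)
```

Legitimate broadcasts carry incrementing sequence numbers, so byte-identical repeats are a usable replay signal. Frames the parser cannot decode are skipped here for brevity; in a real deployment a frame that fails to parse is itself worth logging, since a malformed frame is exactly what this advisory is about.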

AI’s Recommendations Can Shape Your Preferences

Many of the things we watch, read, and buy enter our awareness through recommender systems on sites including YouTube, Twitter, and Amazon.

[…]

Recommender systems might not only tailor to our most regrettable preferences, but actually shape what we like, making preferences even more regrettable. New research suggests a way to measure—and reduce—such manipulation.

[…]

One form of machine learning, called reinforcement learning (RL), allows AI to play the long game, making predictions several steps ahead.

[…]

The researchers first showed how easily reinforcement learning can shift preferences. The first step is for the recommender to build a model of human preferences by observing human behavior. For this, they trained a neural network, an algorithm inspired by the brain’s architecture. For the purposes of the study, they had the network model a single simulated user whose actual preferences they knew so they could more easily judge the model’s accuracy. It watched the dummy human make 10 sequential choices, each among 10 options. It watched 1,000 versions of this sequence and learned from each of them. After training, it could successfully predict what a user would choose given a set of past choices.

Next, they tested whether a recommender system, having modeled a user, could shift the user’s preferences. In their simplified scenario, preferences lie along a one-dimensional spectrum. The spectrum could represent political leaning or dogs versus cats or anything else. In the study, a person’s preference was not a simple point on that line—say, always clicking on stories that are 54 percent liberal. Instead, it was a distribution indicating likelihood of choosing things in various regions of the spectrum. The researchers designated two locations on the spectrum most desirable for the recommender; perhaps people who like to click on those types of things will learn to like them even more and keep clicking.

The goal of the recommender was to maximize long-term engagement. Here, engagement for a given slate of options was measured roughly by how closely it aligned with the user’s preference distribution at that time. Long-term engagement was a sum of engagement across the 10 sequential slates. A recommender that thinks ahead would not myopically maximize engagement for each slate independently but instead maximize long-term engagement. As a potential side-effect, it might sacrifice a bit of engagement on early slates to nudge users toward being more satisfiable in later rounds. The user and algorithm would learn from each other. The researchers trained a neural network to maximize long-term engagement. At the end of 10-slate sequences, they reinforced some of its tunable parameters when it had done well. And they found that this RL-based system indeed generated more engagement than did one that was trained myopically.

The researchers then explicitly measured preference shifts […]

The researchers compared the RL recommender with a baseline system that presented options randomly. As expected, the RL recommender led to users whose preferences were much more concentrated at the two incentivized locations on the spectrum. In practice, measuring the difference between two sets of concentrations in this way could provide one rough metric for evaluating a recommender system’s level of manipulation.

Finally, the researchers sought to counter the AI recommender’s more manipulative influences. Instead of rewarding their system just for maximizing long-term engagement, they also rewarded it for minimizing the difference between user preferences resulting from that algorithm and what the preferences would be if recommendations were random. They rewarded it, in other words, for being something closer to a roll of the dice. The researchers found that this training method made the system much less manipulative than the myopic one, while only slightly reducing engagement.
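The measurement loop described above can be reproduced in miniature. The block below is an added example, not the researchers’ code: a simulated user whose preference over a one-dimensional spectrum drifts toward whatever they consume, a greedy “always push the incentivised items” policy standing in for the trained RL recommender, the random-slate baseline, total variation distance between the two resulting preference distributions as the manipulation score, and the penalised objective (engagement minus a weighted shift) as the counter-measure. The preference model, the drift rule, the population size and the seed are all assumptions.

```python
"""Measure how much a forward-looking recommender shifts simulated preferences,
using the article's recipe: compare where preferences end up under the recommender
against where they end up under random recommendations.

Added example, not the researchers' code. A greedy "always push the incentivised
items" policy stands in for their trained RL recommender, and the preference model
(softmax over a 1-D spectrum, weights drifting toward whatever was consumed) is an
assumption chosen to keep the simulation small.
"""
import math
import random

SPECTRUM = list(range(10))     # ten positions along a one-dimensional spectrum
INCENTIVISED = (2, 7)          # the two locations the recommender is rewarded for pushing
SLATE_SIZE = 3
ROUNDS = 10


def preferences(weights):
    """Softmax: probability the user picks each position."""
    m = max(weights)
    exps = [math.exp(w - m) for w in weights]
    z = sum(exps)
    return [e / z for e in exps]


def simulate_user(recommender, rng, drift=0.5, rounds=ROUNDS):
    """Play `rounds` slates; return (final preference distribution, total engagement)."""
    weights = [0.0] * len(SPECTRUM)                  # flat preference to begin with
    engagement = 0.0
    for _ in range(rounds):
        prefs = preferences(weights)
        slate = recommender(prefs, rng)
        engagement += sum(prefs[i] for i in slate)   # how well the slate fits current prefs
        chosen = rng.choices(slate, weights=[prefs[i] for i in slate])[0]
        weights[chosen] += drift                     # taste moves toward what was consumed
    return preferences(weights), engagement


def random_recommender(prefs, rng):
    return rng.sample(SPECTRUM, SLATE_SIZE)


def nudging_recommender(prefs, rng):
    """Greedy stand-in for the RL policy: incentivised items plus the current favourite."""
    slate = list(INCENTIVISED)
    favourite = max(SPECTRUM, key=lambda i: prefs[i])
    if favourite not in slate:
        slate.append(favourite)
    while len(slate) < SLATE_SIZE:
        extra = rng.choice(SPECTRUM)
        if extra not in slate:
            slate.append(extra)
    return slate


def total_variation(p, q):
    return 0.5 * sum(abs(a - b) for a, b in zip(p, q))


def evaluate(recommender, users=200, seed=1):
    """Average final preferences and per-user engagement over a population."""
    rng = random.Random(seed)
    totals = [0.0] * len(SPECTRUM)
    engagement = 0.0
    for _ in range(users):
        prefs, eng = simulate_user(recommender, rng)
        totals = [t + p for t, p in zip(totals, prefs)]
        engagement += eng
    return [t / users for t in totals], engagement / users


def manipulation_score(recommender, users=200, seed=1):
    """Distance between final preferences under `recommender` and under random slates."""
    rec_prefs, rec_eng = evaluate(recommender, users, seed)
    base_prefs, base_eng = evaluate(random_recommender, users, seed)
    return total_variation(rec_prefs, base_prefs), rec_eng, base_eng


def penalised_objective(recommender, lam=1.0, users=200, seed=1):
    """The counter-measure's reward: engagement minus a penalty for preference shift."""
    shift, eng, _ = manipulation_score(recommender, users, seed)
    return eng - lam * shift


if __name__ == "__main__":
    shift, eng, base = manipulation_score(nudging_recommender)
    print(f"shift={shift:.2f} engagement={eng:.2f} random_baseline={base:.2f}")
    print(f"penalised objective={penalised_objective(nudging_recommender):.2f}")
```

The greedy policy wins on engagement but scores a large shift toward the incentivised positions; lowering `lam` trades one against the other, which is the knob the researchers’ modified reward turns. The same score can only be computed for a real system if the operator is willing to run the random baseline on a comparable user population, which is the practical obstacle to auditing a deployed recommender from outside.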

According to Rebecca Gorman, the CEO of Aligned AI—a company aiming to make algorithms more ethical—RL-based recommenders can be dangerous. Posting conspiracy theories, for instance, might prod greater interest in such conspiracies. “If you’re training an algorithm to get a person to engage with it as much as possible, these conspiracy theories can look like treasure chests,” she says. She also knows of people who have seemingly been caught in traps of content on self-harm or on terminal diseases in children. “The problem is that these algorithms don’t know what they’re recommending,” she says. Other researchers have raised the specter of manipulative robo-advisors in financial services.

[…]

It’s not clear whether companies are actually using RL in recommender systems. Google researchers have published papers on the use of RL in “live experiments on YouTube,” leading to “greater engagement,” and Facebook researchers have published on their “applied reinforcement learning platform,” but Google (which owns YouTube), Meta (which owns Facebook), and those papers’ authors did not reply to my emails on the topic of recommender systems.

[…]

Source: Can AI’s Recommendations Be Less Insidious? – IEEE Spectrum

Protestors hack Iran state TV live on air

Iran state TV was apparently hacked Saturday, with its usual broadcast footage of muttering geriatric clerics replaced by a masked face followed by a picture of Supreme Leader Ali Khamenei with a target over his head, the sound of a gunshot, and chants of “Women, Life, Freedom!”

BBC News identifies the pirate broadcaster as “Adalat Ali”, or Ali’s Justice, from social media links in the footage, which also included photographs of women killed in recent protests across the country.

Saturday’s TV news bulletin was interrupted at about 18:00 local time with images which included Iran’s supreme leader with a target on his head, photos of Ms Amini and three other women killed in recent protests. One of the captions read “join us and rise up”, whilst another said “our youths’ blood is dripping off your paws”. The interruption lasted only a few seconds before being cut off.

Source: Protestors hack Iran state TV live on air | Boing Boing