The Linkielist

Linking ideas with the world


Wave Swell Blowhole Wave Energy Generator Exceeds Expectations In 12-Month Test

Wave Swell Energy’s remarkable UniWave 200 is a sea platform that uses an artificial blowhole formation to create air pressure changes that drive a turbine and feed energy back to shore. After a year of testing, the company reports excellent results. New Atlas reports: As we’ve discussed before, the UniWave system is a floating device that can be towed to any coastal location and connected to the local energy grid. It’s designed so that wave swells force water into a specially designed concrete chamber, pressurizing the air in the chamber and forcing it through an outlet valve. Then as the water recedes, it generates a powerful vacuum, which sucks air in through a turbine at the top and generates electricity that’s fed into the grid via a cable. As a result, it draws energy from the entire column of water that enters its chamber, a fact the team says makes it more efficient than wave energy devices that only harvest energy from the surface or the sea floor.

[…] A 200-kW test platform was installed last year off King Island, facing the notoriously rough seas of Bass Strait, which separates the island state of Tasmania from the mainland of Australia. There, it’s been contributing reliable clean energy to the island’s microgrid around the clock for a full 12 months. The WSE team has made a few live tweaks to the design during operation, improving its performance beyond original expectations. “We set out to prove that Wave Swell’s wave energy converter technology could supply electricity to a grid in a range of wave conditions, and we have done that,” said WSE CEO Paul Geason in a press release. “One key achievement has been to deliver real-world results in Tasmanian ocean conditions to complement the AMC test modeling. In some instances, the performance of our technology in the ocean has exceeded expectations due to the lessons we’ve learnt through the project, technological improvements and the refinements we have made over the course of the year.” “Our team is excited to have achieved a rate of conversion from wave power to electricity at an average of 45 to 50% in a wide range of wave conditions,” he continues. “This is a vast improvement on past devices and shows that the moment has arrived for wave power to sit alongside wind, solar and energy storage as part of a modern energy mix.”

The King Island platform will remain in place at least until the end of 2022, and the company is now gearing up to go into production. “Having proven our device can survive the toughest conditions the Southern Ocean and Bass Strait can throw at it, and deliver grid compliant electricity, our priority now shifts to commercializing the technology,” said Geason. “For Wave Swell this means ensuring the market embraces the WSE technology and units are deployed to deliver utility scale clean electricity to mainland grids around the world.”

https://www.youtube.com/watch?v=PD5fXCW-yKc

Source: Blowhole Wave Energy Generator Exceeds Expectations In 12-Month Test – Slashdot

Toyota and Woven Planet Have Developed a New Portable Hydrogen Cartridge Prototype

TOYOTA MOTOR CORPORATION (“Toyota”) and its subsidiary, Woven Planet Holdings, Inc. (“Woven Planet”), have developed a working prototype of its portable hydrogen cartridge. This cartridge design will facilitate the everyday transport and supply of hydrogen energy to power a broad range of daily life applications in and outside of the home. Toyota and Woven Planet will conduct Proof of Concept (“PoC”) trials in various places, including Woven City, a human-centered smart city of the future currently being constructed in Susono City, Shizuoka Prefecture.

Portable Hydrogen Cartridge (Prototype)*1

[…]

Together with ENEOS Corporation, Toyota and Woven Planet are working to build a comprehensive hydrogen-based supply chain aimed at expediting and simplifying production, transport, and daily usage. These trials will focus on meeting the energy needs of Woven City residents and those living in its surrounding communities.

Benefits of Using Hydrogen Cartridges

  • Portable, affordable, and convenient energy that makes it possible to bring hydrogen to where people live, work, and play without the use of pipes
    • Prototype dimensions
      400 mm (16″) in length x 180 mm (7″) in diameter
    • Target weight
      5 kg (11 lbs)
  • Swappable for easy replacement and quick recharging
  • Volume flexibility allows for a broad variety of daily use applications*2
  • Small-scale infrastructure can meet energy needs in remote and non-electrified areas and be swiftly dispatched in the case of a disaster

Next Steps for the Hydrogen Cartridge

[…]

Our goal is to help hydrogen become commonplace by making this clean form of energy safe, convenient, and affordable. By establishing the underlying supply chain, we hope to facilitate the flow of a larger volume of hydrogen and fuel more applications. Woven City will explore and test an array of energy applications using hydrogen cartridges including mobility, household applications, and many future possibilities we have yet to imagine. Together with inventors and those living within and around Woven City, we will continue to advance mobility over time by constantly developing more practical applications for hydrogen cartridges. In future Woven City demonstrations, we will continue to improve the hydrogen cartridge itself, making it increasingly easy to use and improving the energy density.

Hydrogen Cartridge Applications (Image)

The ultimate goal of this project is to realize a carbon-neutral society where everyone can access clean energy, first in Japan and then throughout the world. Toyota and Woven Planet aim to develop best practices for incorporating clean hydrogen energy into daily life by conducting human-centered demonstrations in and around Woven City. These real-life experiences will help us learn how to best transform hydrogen into a familiar, well-used, and well-loved form of energy.

The portable hydrogen cartridge prototype will be showcased at Super Taikyu Series 2022 Round 2 at Fuji SpeedWay from June 3 to 5, 2022*3. Our showcase is geared toward teaching people about how hydrogen energy works and helping them imagine the countless ways hydrogen can become a useful part of their daily lives.

Source: Toyota and Woven Planet Have Developed a New Portable Hydrogen Cartridge Prototype | Corporate | Global Newsroom | Toyota Motor Corporation Official Global Website

Solana ‘hot’ wallets are being drained in multi-million dollar attack

An unknown actor has drained over 8,000 internet-connected wallets in an ongoing attack on the Solana blockchain ecosystem. According to blockchain auditor OtterSec, the attacks were still ongoing when it posted an update on the evening of August 2nd and had affected multiple wallets, including Phantom, Slope, Solflare and TrustWallet, across a wide variety of platforms.

As TechCrunch notes, the bad actor seems to have stolen both Solana tokens and USDC stablecoins, with the estimated losses so far amounting to around $8 million. OtterSec is now encouraging users to move all their assets to a hardware wallet, and the Solana Status Twitter account echoed that advice, adding that there’s no evidence “cold” wallets have been impacted.

The Solana Status account has also revealed that an exploit allowed a malicious actor to drain funds from the compromised wallets and that it seems to have affected both their mobile versions and extensions. Engineers from multiple ecosystems have already banded together to work with security researchers to identify the root cause of the exploit, which is yet to be discovered.

[…]

Source: Solana ‘hot’ wallets are being drained in multi-million dollar attack | Engadget

WhatsApp boss says no to AI filters policing encrypted chat

Will Cathcart, who has been at parent company Meta for more than 12 years and head of WhatsApp since 2019, told the BBC that the popular communications service wouldn’t downgrade or bypass its end-to-end encryption (E2EE) just for British snoops, saying it would be “foolish” to do so and that WhatsApp needs to offer a consistent set of standards around the globe.

“If we had to lower security for the world, to accommodate the requirement in one country, that … would be very foolish for us to accept, making our product less desirable to 98 percent of our users because of the requirements from 2 percent,” Cathcart told the broadcaster. “What’s being proposed is that we – either directly or indirectly through software – read everyone’s messages. I don’t think people want that.”

Strong E2EE ensures that only the intended sender and receiver of a message can read it, and not even the provider of the communications channel nor anyone eavesdropping on the encrypted chatter. The UK government is proposing that app builders add an automated AI-powered scanner in the pipeline – ideally in the client app – to detect and report illegal content, in this case child sex abuse material (CSAM).

[…]

Source: WhatsApp boss says no to AI filters policing encrypted chat • The Register

They always trot out sex abuse and children when they want to impair your freedoms.

Nomad Bridge Hack Allowed ‘Mob’ to Drain $190m in Crypto

As evidenced by its namesake, apparently there wasn’t much security stopping a horde of wandering strangers from breaking into the Nomad DeFi project’s token bridge, allowing hundreds of unknown hackers and some users to walk away with over $190 million in crypto, leaving behind a bare pittance in the project’s wallet.

Late on Monday, users started noticing tokens being extracted from Nomad’s accounts “in million-dollar increments.” Crypto security company CertiK confirmed in a Tuesday analysis that the bridge protocol, which allows users to send tokens between separate blockchains, had been breached thanks to a routine upgrade that allowed bad actors to skip verification messages. CoinTelegraph reported that the first transaction, likely the initial hacker, managed to remove about $2.3 million in crypto from the bridge.

Apparently, this breach further allowed other users to exploit the bridge, turning it essentially into a Black Friday-esque free-for-all. CertiK’s analysis further said the vulnerability was in the token bridge’s initialization process, introduced in the flawed upgrade, allowing users to copy and paste the original hacker’s transaction number and replace it with a personal one. Researchers said in just four hours, other hackers, bots, and even community members drained the protocol in a “frenzied mob.”

The crypto developer who goes by Foobar on Twitter wrote that this attack was “the first decentralized crowd-looting of a 9-figure bridge in history.” There are hundreds of addresses that show they’ve received tokens from the bridge during the exploit.

Some users have actually gone back to the protocol, hanging their heads in shame and offering to return the stolen funds. Some claimed it was “an accident,” while others said they were trying to protect their friend’s assets, according to screenshots posted by Foobar. DefiLlama shows that the current value of the blockchain is sitting at just a little under $16,000.

[…]

Source: Nomad Bridge Hack Allowed ‘Mob’ to Drain Millions in Crypto

NASA Is Changing Its Rules for Private Astronauts

As more private astronauts venture out into space, NASA is seeking to better regulate their journeys to Earth orbit. The space agency recently announced some updates to the set of rules required for upcoming private astronaut missions, including the stipulation that all future missions be led by a former NASA astronaut.

NASA released the list of updated rules on Monday, which will be documented as part of the Private Astronaut Mission Authorization, Coordination, and Execution (PACE) Annex 1. The updates are “lessons learned” from the first private astronaut mission to the ISS, in which Axiom Space sent four astronauts to the ISS in April. Axiom Mission 1 (Ax-1) was led by former NASA astronaut Michael López-Alegría, but the new requirements now call for all future missions to be led by a former NASA astronaut. For these missions, the NASA astronaut will serve as the mission commander and provide guidance “during pre-flight preparation through mission execution.”

Axiom Space was planning on sending future missions without a NASA astronaut and having four paying customers instead of three, according to SpaceNews. It’s not yet clear how the new rules will affect the private space company’s original plan to launch private missions without a NASA astronaut in command.

[…]

Source: NASA Is Changing Its Rules for Private Astronauts

AI-friendly patent law needed for ‘national security’ argued in US Chamber of Commerce

America urgently needs to rewrite its patent laws to recognize modern artificial intelligence technologies, business and IP leaders have said.

This sentiment emerged from a series of hearings organized by the US Chamber of Commerce, during which experts from academia, industry, and government were invited to speak. The meetings, held last month, raised important questions plaguing the development of state-of-the-art AI models: should AI algorithms be patentable? And, separately, should these systems be granted patent rights for inventions they help create?

Today’s IP laws are outdated, it was argued. The rules dictating what types of innovations can be patented have stayed largely untouched since the historic Patent Act of 1793. Although the law is broad and states “any new and useful art, machine, manufacture or composition of matter, or any new and useful improvement on any art, machine, manufacture or composition of matter” is potentially patentable, there are other conditions that make it difficult to patent things like machine-learning models.

Patents are only useful if they provide clear scientific and economic benefits to the country, the group argues. It’s why the Patent Act states that descriptions of the inventions should “enable any person skilled in the art or science, of which it is a branch, or with which it is most nearly connected, to make, compound, and use the same.” That means someone suitably skilled should be able to take a patent text and diagrams, understand what’s going on, and reproduce the technology themselves.

But take a system with a trained neural network. That collection of weights and values that mysteriously turns input data into output predictions is opaque and hard to interpret: experts often don’t quite know why a model behaves the way it does, which makes explaining its inner workings in a patent difficult.

Well, OK, let’s just say the patent explains how to train the neural network to produce the same results, thus allowing the invention to be recreated. But reproducibility is notoriously difficult in machine learning. You need access to the training data and other settings to recreate it. That becomes problematic if the data is medical or personal info, or proprietary, because it would need to be made public as part of the patent filing, and not all the necessary settings and tweaks may be disclosed in an application.

Patent examiners, therefore, may struggle with patent applications of AI technology, and reject submissions, if they find the text is confusing, or not interpretable or reproducible. Thus, changes are needed in the law to allow machine-learning systems to be accepted as novel inventions, it was argued. And being able to patent and protect these inventions encourages businesses to build commercial products, we’re further told. Everyone gets to see the progression of tech and science, and inventors are granted rights to their specific part of it.

“The patent code that [our founders] put in place was fantastic, however they did not anticipate DNA processing, artificial intelligence, cryptography, software code, and all of the modern technologies of the next industrial revolution,” Andrei Iancu, former Under Secretary of Commerce for Intellectual Property and ex-Director of the United States Patent and Trademark Office (USPTO), said in a Chamber of Commerce statement on Monday.

Rejecting AI patents, however, we’re told, will keep knowledge of the latest commercial applications of the technology from the public and hamper innovation.

“So, to say that the patent system, at least from that perspective, needs to modernize is an understatement. It is absolutely crucial, and it is a matter of immediate national security,” Iancu added.

The chamber noted China has surpassed the US in the number of international patent filings in 2019 and in 2020. If America is to hold a leadership position in AI, its leaders need to treat IP, such as machine learning breakthroughs, as a national asset, Brian Drake, federal chief technology officer at Accrete AI Government, a company focused on building enterprise-level AI applications, asserted.

Because for one thing, he said, rival nations are pouring all their energies into developing machine-learning technology to use against the United States of America.

“I’m talking about all the instruments of national power from our adversaries being directed at all of our national security instruments and economic power centers. That means their intelligence apparatuses, that means their direct and indirect funding apparatuses, that means their commercial military integration activities. All of those are being directed toward artificial intelligence. And make no mistake, it is about winning the future war,” Drake said.

Most experts agree AI algorithms should be patentable, but whether patent authorship or ownership rights should be given to machines that produce technologies, however, is debatable. Current IP laws do not recognize non-human entities as inventors, meaning machine-learning systems cannot be recognized as such.

Stephen Thaler, founder of Imagination Engines, a company in Missouri, who applied in 2019 for two US patents which listed his machine named DABUS as the inventor, found this out the hard way when his applications were rejected by the US Patent and Trademark Office.

Thaler believes there is good reason to give machines at least authorship rights, as it would discourage humans from stealing computers’ ideas and profiting from them – the originator would be on record in the patent office – he previously told The Register. But it’s not clear that there is any practical use in recognizing software as inventors yet, considering they have no agency or capabilities to sue for infringement unlike humans.

“To summarize, we cannot sustain innovation around AI without robust and reliable IP rights, which are essential to the prosperity of our innovative nation,” Christian Hannon, a patent attorney serving in the Office of Policy and International Affairs at USPTO, said. “To grow our economy and stay globally competitive, we must promote invention and patenting more than ever.”

The US Chamber of Commerce, one of the largest lobbying organizations in America, is planning to publish later this year a final report from its hearings, issuing recommendations for policy changes the US government can enact.

VMware patches critical admin authentication bypass bug

VMware has fixed a critical authentication bypass vulnerability that hits 9.8 out of 10 on the CVSS severity scale and is present in multiple products.

That flaw is tracked as CVE-2022-31656, and affects VMware’s Workspace ONE Access, Identity Manager, and vRealize Automation. It was addressed along with nine other security holes in this patch batch, published Tuesday.

Here’s the bottom line of the ‘31656 bug, according to VMware: “A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.” Quite a nice way to get admin-level control over a remote system.

The critical vulnerability is similar to, or perhaps even a variant or patch bypass of, an earlier critical authentication bypass vulnerability (CVE-2022-22972) that also rated 9.8 in severity and VMware fixed back in May. Shortly after that update was issued, CISA demanded US government agencies pull the plug on affected VMware products if patches can’t be applied.

While the virtualization giant isn’t aware of any in-the-wild exploits (so far at least) of the newer vulnerability, “it is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments,” VMware warned in an advisory. “If your organization uses ITIL methodologies for change management, this would be considered an ‘emergency’ change.”

In addition to the software titan and third-party security researchers urging organizations to patch immediately, Petrus Viet, the bug hunter who found and reported the flaw, said he’ll soon release a proof-of-concept exploit for the bug. So to be perfectly clear: stop what you are doing and immediately assess and if necessary patch this flaw before miscreants find and exploit it, which they are wont to do with VMware vulns.

Tenable’s Claire Tills, a senior research engineer with the firm’s security response team, noted that CVE-2022-31656 is especially worrisome in that a miscreant could use it to exploit other bugs that VMware disclosed in this week’s security push.

“It is crucial to note that the authentication bypass achieved with CVE-2022-31656 would allow attackers to exploit the authenticated remote code execution flaws addressed in this release,” she wrote.

She’s referring to two remote code execution (RCE) flaws, CVE-2022-31658 and CVE-2022-31659, also discovered by Petrus Viet, that would allow an attacker with admin-level network access to remotely deploy malicious code on a victim’s machine. Thus someone could use the ‘31656 to log in with administrative powers, and then exploit the other bugs to pwn a device.

Both of these, ‘31658 and ‘31659, are dubbed “important” by VMware and ranked with a CVSS score of 8.0. And similar to the critical vuln that can be used in tandem with these two RCE, both affect VMware Workspace ONE Access, Identity Manager and vRealize Automation products.

In other patching news, the rsync project released updates to fix a vulnerability, tracked as CVE-2022-29154, that could allow miscreants to write arbitrary files inside directories of connecting peers.

Rsync is a tool for transferring and syncing files between remote and local machines, and exploiting this vulnerability could allow “a malicious rsync server (or Man-in-The-Middle attacker) [to] overwrite arbitrary files in the rsync client target directory and subdirectories,” according to researchers Ege Balci and Taha Hamad, who discovered the bug.

That means a malicious server or MITM could overwrite, say, a victim’s ssh/authorized_keys file.

While these three VMware vulns deserve top patching priority, there are some other nasty bugs in the bunch. This includes three local privilege-escalation vulnerabilities (CVE-2022-31660, CVE-2022-31661 and CVE-2022-31664) in VMware Workspace ONE Access, Identity Manager, and vRealize Automation.

All three received CVSS scores of 7.8 and successful exploits would allow criminals with local access to escalate privileges to root — and from there, pretty much do whatever they want, such as steal information, install a backdoor, inject a trojan, or shut down the system entirely.

[…]

Source: VMware patches critical admin authentication bypass bug • The Register

New Gmail Attack Bypasses Passwords And 2FA To Read All Email in browser extension

According to cyber security firm Volexity, the threat research team has found the North Korean ‘SharpTongue’ group, which appears to be part of, or related to, the Kimsuky advanced persistent threat group, deploying malware called SHARPEXT that doesn’t need your Gmail login credentials at all.

Instead, it “directly inspects and exfiltrates data” from a Gmail account as the victim browses it. This quickly evolving threat, which Volexity says is already on version 3.0 according to the malware’s internal versioning, can steal email from both Gmail and AOL webmail accounts, and works across three browsers: Google Chrome, Microsoft Edge, and a South Korean client called Whale.

CISA says Kimsuky hackers ‘most likely tasked by North Korean regime’

The U.S. Cybersecurity & Infrastructure Security Agency, CISA, reports that Kimsuky has been operating since 2012, and is “most likely tasked by the North Korean regime with a global intelligence gathering mission.”

While CISA sees Kimsuky most often targeting individuals and organizations in South Korea, Japan, and the U.S., Volexity says that the SharpTongue group has frequently been seen targeting South Korea, the U.S. and Europe. The common denominator between them is that the victims often “work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea.”

The report says that SHARPEXT differs from previous browser extensions deployed by these hacking espionage groups in that it doesn’t attempt to grab login credentials but bypasses the need for these and can grab email data as the user reads it.

The good news is that your system needs to be compromised by some means before this malicious extension can be deployed. Unfortunately, we know all too well that system compromise is not as difficult as it should be.

[…]

Source: New Gmail Attack Bypasses Passwords And 2FA To Read All Email

Map: How far can you go by train in 5h?

This map shows you how far you can travel from each station in Europe in less than 5 hours.

It is inspired by the great Direkt Bahn Guru. The data is based on this site, which sources it from Deutsche Bahn.

Hover your mouse over a station to see the isochrones from that city.

This assumes interchanges are 20 minutes, and transit between stations is a little over walking speed. Therefore, these should be interpreted as optimal travel times. The journeys might not exist when taking into account real interchange times.

MIT engineers develop stickers that can see inside the body for 48 hours

[…]

In a paper appearing today in Science, the engineers present the design for a new ultrasound sticker — a stamp-sized device that sticks to skin and can provide continuous ultrasound imaging of internal organs for 48 hours.

The researchers applied the stickers to volunteers and showed the devices produced live, high-resolution images of major blood vessels and deeper organs such as the heart, lungs, and stomach. The stickers maintained a strong adhesion and captured changes in underlying organs as volunteers performed various activities, including sitting, standing, jogging, and biking.

The current design requires connecting the stickers to instruments that translate the reflected sound waves into images. The researchers point out that even in their current form, the stickers could have immediate applications: For instance, the devices could be applied to patients in the hospital, similar to heart-monitoring EKG stickers, and could continuously image internal organs without requiring a technician to hold a probe in place for long periods of time.

If the devices can be made to operate wirelessly — a goal the team is currently working toward — the ultrasound stickers could be made into wearable imaging products that patients could take home from a doctor’s office or even buy at a pharmacy.

“We envision a few patches adhered to different locations on the body, and the patches would communicate with your cellphone, where AI algorithms would analyze the images on demand,” says the study’s senior author, Xuanhe Zhao, professor of mechanical engineering and civil and environmental engineering at MIT. “We believe we’ve opened a new era of wearable imaging: With a few patches on your body, you could see your internal organs.”

[…]

The MIT team’s new ultrasound sticker produces higher resolution images over a longer duration by pairing a stretchy adhesive layer with a rigid array of transducers. “This combination enables the device to conform to the skin while maintaining the relative location of transducers to generate clearer and more precise images,” Wang says.

The device’s adhesive layer is made from two thin layers of elastomer that encapsulate a middle layer of solid hydrogel, a mostly water-based material that easily transmits sound waves. Unlike traditional ultrasound gels, the MIT team’s hydrogel is elastic and stretchy.

“The elastomer prevents dehydration of hydrogel,” says Chen, an MIT postdoc. “Only when hydrogel is highly hydrated can acoustic waves penetrate effectively and give high-resolution imaging of internal organs.”

The bottom elastomer layer is designed to stick to skin, while the top layer adheres to a rigid array of transducers that the team also designed and fabricated. The entire ultrasound sticker measures about 2 square centimeters across, and 3 millimeters thick — about the area of a postage stamp.

The researchers ran the ultrasound sticker through a battery of tests with healthy volunteers, who wore the stickers on various parts of their bodies, including the neck, chest, abdomen, and arms. The stickers stayed attached to their skin, and produced clear images of underlying structures for up to 48 hours. During this time, volunteers performed a variety of activities in the lab, from sitting and standing, to jogging, biking, and lifting weights.

[…]

Source: MIT engineers develop stickers that can see inside the body | MIT News | Massachusetts Institute of Technology

Samsung adds ‘repair mode’ to smartphone

When activated, repair mode prevents a range of behaviors – from casual snooping to outright lifting of personal data – by blocking access to photos, messages, and account information.

The mode provides technicians with the access they require to make a fix, including the apps a user employs. But repairers won’t see user data in apps, so content like photos, texts and emails remains secure.

When users enable repair mode their device reboots. To exit, the user reboots again after logging in the normal way and turning the setting off.

Samsung said it is rolling out repair mode via software update, initially on the Galaxy S21 series within South Korea, with more models, and perhaps locations, getting the functionality over time.

Samsung has not explained how the feature works. Android devices already offer the chance to establish accounts for different users, so perhaps Samsung has created a role for repair technicians and made that easier to access.

Most repair technicians won’t want to view or steal a customer’s personal data – but it does happen.

Apple was forced to pay millions last year after two iPhone repair contractors allegedly stole and posted a woman’s nudes to the internet. That fiasco was in no way an isolated incident. In 2019 a Genius Bar employee allegedly texted himself explicit images taken from an iPhone he repaired and was subsequently fired.

[…]

Source: Samsung adds ‘repair mode’ to South Korean smartphone • The Register

Indonesian Government Blocks Steam, Epic, Ubisoft, Nintendo and more for 270 million people

Over the weekend, the Indonesian government began the task of blocking any website or service that had failed to register as part of new “internet control” laws. That ended up being a lot, including everything from Steam to the Epic Games Store to Nintendo Online to EA and Ubisoft’s platforms.

Indonesia’s Ministry of Communication and Information Technology (Kominfo) took the steps after the introduction of strict new laws, which the government says are part of a crackdown on anything appearing online that is “deemed unlawful,” and which would require any online service platform or provider hosting any such “unlawful” content to remove it within 24 hours (or four if it is deemed to be “urgent”).

In order to abide by those laws, international companies operating in Indonesia needed to have signed up by the weekend, and unsurprisingly given the sweeping powers at play, many have chosen not to, at least for now. As a response, non-participating services have been blocked to Indonesian IPs, which means alongside wider, more mainstream companies like PayPal and Yahoo, a host of gaming platforms have also been cut off.

While PayPal was temporarily reinstated (in order to allow customers to get their money off the platform), the gaming stores and platforms have remained dark since the weekend (the new law’s registration deadline passed on July 27).

As Global Voices sums up, these laws have been opposed both within and outside of Indonesia since they were first announced:

The mandatory registration of private electronic systems operators (ESOs) is stipulated in the Ministerial Regulation 5 (MR5) issued in December 2020. Its amended version, Ministerial Regulation 10 (MR10), was released in May 2021.

Both MR5 and MR10 have been consistently opposed by the media, civil society groups, and human rights advocates for containing provisions that pose a threat to freedom of expression.

Human Rights Watch have said of the laws:

MR5 is deeply problematic, granting government authorities overly broad powers to regulate online content, access user data, and penalize companies that fail to comply…Ministerial Regulation 5 is a human rights disaster that will devastate freedom of expression in Indonesia, and should not be used in its current form.

While this isn’t a market that’s normally in the headlines, this is important news, because with its large population (at 270 million it’s the fourth most-populous nation on Earth) Indonesia is a huge market for online services. As The Diplomat points out, “Indonesia remains one of the largest internet markets in the world, with the third-largest population of Facebook users and also comes in the top 10 for users of YouTube, TikTok, Twitter, Instagram, and WhatsApp.”

None of the services currently affected are banned; they’re technically just restricted until either they sign up to Kominfo or the law is modified (or repealed). Some of the companies that have signed up include Google, Roblox and Riot Games (League of Legends, Valorant). And while direct access to services like Steam is currently not available, Indonesian gamers are already reportedly getting around this by using a VPN.

Source: Indonesian Government Blocks Steam, Epic, Ubisoft & Nintendo

Hackers stole passwords for accessing 140,000 Wiseasy payment terminals

Hackers had access to dashboards used to remotely manage and control thousands of credit card payment terminals manufactured by digital payments giant Wiseasy, a cybersecurity startup told TechCrunch.

Wiseasy is a brand you might not have heard of, but it’s a popular Android-based payment terminal maker used in restaurants, hotels, retail outlets and schools across the Asia-Pacific region. Through its Wisecloud cloud service, Wiseasy can remotely manage, configure and update customer terminals over the internet.

But Wiseasy employee passwords used for accessing Wiseasy’s cloud dashboards — including an “admin” account — were found on a dark web marketplace actively used by cybercriminals, according to the startup.

Youssef Mohamed, chief technology officer at pen-testing and dark web monitoring startup Buguard, told TechCrunch that the passwords were stolen by malware on the employees’ computers. Mohamed said two cloud dashboards were exposed, but neither was protected with basic security features, like two-factor authentication, and allowed hackers to access nearly 140,000 Wiseasy payment terminals around the world.

[…]

Buguard said it first contacted Wiseasy about the compromised dashboards in early July, but efforts to disclose the compromise were met with meetings with executives that were later canceled without warning, and according to Mohamed, the company declined to say if or when the cloud dashboards would be secured.

Screenshots of the dashboards seen by TechCrunch show an “admin” user with remote access to Wiseasy payment terminals, including the ability to lock the device and remotely install and remove apps. The dashboard also allowed anyone to view names, phone numbers, email addresses and access permissions for Wiseasy dashboard users, including the ability to add new users.

Another dashboard view also shows the Wi-Fi name and plaintext password of the network that payment terminals are connected to.

Mohamed said anyone with access to the dashboards could control Wiseasy payment terminals and make configuration changes.

[…]

Source: Hackers stole passwords for accessing 140,000 payment terminals | TechCrunch

Visa Funded Alleged Pornhub / MindGeek Child Porn, Rules Judge

In a setback for Visa in a case alleging the payment processor is liable for the distribution of child pornography on Pornhub and other sites operated by parent company MindGeek, a federal judge ruled that it was reasonable to conclude that Visa knowingly facilitated the criminal activity.

On Friday, July 29, U.S. District Judge Cormac Carney of the U.S. District Court of the Central District of California issued a decision in the Fleites v. MindGeek case, denying Visa’s motion to dismiss the claim it violated California’s Unfair Competition Law — which prohibits unlawful, unfair or fraudulent business acts and practices — by processing payments for child porn. (A copy of the decision is available at this link.)

In the ruling, Carney held that the plaintiff “adequately alleged” that Visa engaged in a criminal conspiracy with MindGeek to monetize child pornography. Specifically, he wrote, “Visa knew that MindGeek’s websites were teeming with monetized child porn”; that there was a “criminal agreement to financially benefit from child porn that can be inferred from [Visa’s] decision to continue to recognize MindGeek as a merchant despite allegedly knowing that MindGeek monetized a substantial amount of child porn”; and that “the court can comfortably infer that Visa intended to help MindGeek monetize child porn” by “knowingly provid[ing] the tool used to complete the crime.”

“When MindGeek decides to monetize child porn, and Visa decides to continue to allow its payment network to be used for that goal despite knowledge of MindGeek’s monetization of child porn, it is entirely foreseeable that victims of child porn like plaintiff will suffer the harms that plaintiff alleges,” Carney wrote.

In a statement, a Visa spokesperson said: “Visa condemns sex trafficking, sexual exploitation and child sexual abuse materials as repugnant to our values and purpose as a company. This pre-trial ruling is disappointing and mischaracterizes Visa’s role and its policies and practices. Visa will not tolerate the use of our network for illegal activity. We continue to believe that Visa is an improper defendant in this case.”

A rep for MindGeek provided this statement: “At this point in the case, the court has not yet ruled on the veracity of the allegations, and is required to assume all of the plaintiff’s allegations are true and accurate. When the court can actually consider the facts, we are confident the plaintiff’s claims will be dismissed for lack of merit. MindGeek has zero tolerance for the posting of illegal content on its platforms, and has instituted the most comprehensive safeguards in user-generated platform history.”

The company’s statement continued, “We have banned uploads from anyone who has not submitted government-issued ID that passes third-party verification, eliminated the ability to download free content, integrated several leading technological platform and content moderation tools, instituted digital fingerprinting of all videos found to be in violation of our Non-Consensual Content and CSAM [child sexual abuse material] Policies to help protect against removed videos being reposted, expanded our moderation workforce and processes, and partnered with dozens of non-profit organizations around the world. Any insinuation that MindGeek does not take the elimination of illegal material seriously is categorically false.”

[…]

Source: Visa ‘Intended to Help’ Pornhub, MindGeek Monetize Child Porn: Ruling – Variety

Babel Finance Traded $280 Million of Users’ Crypto, Lost it All. Line not go up any more.

Babel Finance, the Hong Kong-based crypto lender, apparently had other designs when its worldwide user base handed over their crypto to the company than just borrowing and lending. It seems to have been doing what everyone else does with crypto, rapidly speculating and trying to make “line go up.” Of course, all that changed when the line no longer went up.

The Block reported based on restructuring proposal documents that Babel Finance had lost 8,000 bitcoin and 56,000 ether in June, worth close to $280 million, though of course the price is constantly fluctuating. The company had apparently been conducting proprietary trading with customers’ funds. It remains unclear based on reporting if users were/are aware their crypto was/is being used in this way.

Source: Babel Traded $280 Million of Users’ Crypto, Lost it All

Sony’s racing car AI just destroyed its human competitors—by being fast – and having etiquette rules

[…]

Built by Sony AI, a research lab launched by the company in 2020, Gran Turismo Sophy is a computer program trained to control racing cars inside the world of Gran Turismo, a video game known for its super-realistic simulations of real vehicles and tracks. In a series of events held behind closed doors last year, Sony put its program up against the best humans on the professional sim-racing circuit.

What they discovered during those racetrack battles—and the ones that followed—could help shape the future of machines that work alongside humans, or join us on the roads.

[…]

Sony soon learned that speed alone wasn’t enough to make GT Sophy a winner. The program outpaced all human drivers on an empty track, setting superhuman lap times on three different virtual courses. Yet when Sony tested GT Sophy in a race against multiple human drivers, where intelligence as well as speed is needed, GT Sophy lost. The program was at times too aggressive, racking up penalties for reckless driving, and at other times too timid, giving way when it didn’t need to.

Sony regrouped, retrained its AI, and set up a rematch in October. This time GT Sophy won with ease. What made the difference? It’s true that Sony came back with a larger neural network, giving its program more capabilities to draw from on the fly. But ultimately, the difference came down to giving GT Sophy something that Peter Wurman, head of Sony AI America, calls “etiquette”: the ability to balance its aggression and timidity, picking the most appropriate behavior for the situation at hand.

This is also what makes GT Sophy relevant beyond Gran Turismo. Etiquette between drivers on a track is a specific example of the kind of dynamic, context-aware behavior that robots will be expected to have when they interact with people, says Wurman.

An awareness of when to take risks and when to play it safe would be useful for AI that is better at interacting with people, whether it be on the manufacturing floor, in home robots, or in driverless cars.

“I don’t think we’ve learned general principles yet about how to deal with human norms that you have to respect,” says Wurman. “But it’s a start and hopefully gives us some insight into this problem in general.”

[…]

Source: Sony’s racing car AI just destroyed its human competitors—by being nice (and fast) | MIT Technology Review

Twitter warns of ‘record highs’ in account data requests

Twitter has published its 20th transparency report, and the details still aren’t reassuring to those concerned about abuses of personal info. The social network saw “record highs” in the number of account data requests during the July-December 2021 reporting period, with 47,572 legal demands on 198,931 accounts. The media in particular faced much more pressure. Government demands for data from verified news outlets and journalists surged 103 percent compared to the last report, with 349 accounts under scrutiny.

The largest slice of requests targeting the news industry came from India (114), followed by Turkey (78) and Russia (55). Governments succeeded in withholding 17 tweets.

As in the past, US demands represented a disproportionately large chunk of the overall volume. The country accounted for 20 percent of all worldwide account info requests, and those requests covered 39 percent of all specified accounts. Russia is still the second-largest requester with 18 percent of volume, even if its demands dipped 20 percent during the six-month timeframe.

The company said it was still denying or limiting access to info when possible. It denied 31 percent of US data requests, and either narrowed or shut down 60 percent of global demands. Twitter also opposed 29 civil attempts to identify anonymous US users, citing First Amendment reasons. It sued in two of those cases, and has so far had success with one of those suits. There hasn’t been much success in reporting on national security-related requests in the US, however, and Twitter is still hoping to win an appeal that would let it share more details.

[…]

Source: Twitter warns of ‘record highs’ in account data requests | Engadget

Free AI tool restores damaged old photos. Might see a “slight change of identity”. Looks very cool though.

GFP-GAN AI photo restoration
Wang, X. et al.

You can find AI that creates new images, but what if you want to fix an old family photo? You might have a no-charge option. Louis Bouchard and PetaPixel have drawn attention to a free tool recently developed by Tencent researchers, GFP-GAN (Generative Facial Prior-Generative Adversarial Network), that can restore damaged and low-resolution portraits. The technology merges info from two AI models to fill in a photo’s missing details with realistic detail in a few seconds, all the while maintaining high accuracy and quality.

Conventional methods fine-tune an existing AI model to restore images by gauging differences between the artificial and real photos. That frequently leads to low-quality results, the scientists said. The new approach uses a pre-trained version of an existing model (NVIDIA’s StyleGAN-2) to inform the team’s own model at multiple stages during the image generation process. The technique aims to preserve the “identity” of people in a photo, with a particular focus on facial features like eyes and mouths.

You can try a demo of GFP-GAN for free. The creators have also posted their code to let anyone implement the restoration tech in their own projects.

This project is still bound by the limitations of current AI. While it’s surprisingly accurate, it’s making educated guesses about missing content. The researchers warned that you might see a “slight change of identity” and a lower resolution than you might like. Don’t rely on this to print a poster-sized photo of your grandparents, folks. All the same, the work here is promising — it hints at a future where you can easily rescue images that would otherwise be lost to the ravages of time.

Source: Free AI tool restores old photos by creating slightly new loved ones | Engadget

Roboticists discover alternative physics using different variables

Energy, mass, velocity. These three variables make up Einstein’s iconic equation E=mc². But how did Einstein know about these concepts in the first place? A precursor step to understanding physics is identifying relevant variables. Without the concept of energy, mass, and velocity, not even Einstein could discover relativity. But can such variables be discovered automatically? Doing so could greatly accelerate scientific discovery.

This is the question that researchers at Columbia Engineering posed to a new AI program. The program was designed to observe through a , then try to search for the minimal set of fundamental variables that fully describe the observed dynamics. The study was published on July 25 in Nature Computational Science.

The researchers began by feeding the system raw video footage of phenomena for which they already knew the answer. For example, they fed a video of a swinging double pendulum known to have exactly four “state variables”—the angle and of each of the two arms. After a few hours of analysis, the AI produced the answer: 4.7.

The image shows a chaotic swing stick dynamical system in motion. The work aims at identifying and extracting the minimum number of state variables needed to describe such a system from high dimensional video footage directly. Credit: Yinuo Qin/Columbia Engineering

“We thought this answer was close enough,” said Hod Lipson, director of the Creative Machines Lab in the Department of Mechanical Engineering, where the work was primarily done. “Especially since all the AI had access to was raw video footage, without any knowledge of physics or geometry. But we wanted to know what the variables actually were, not just their number.”

The researchers then proceeded to visualize the actual variables that the program identified. Extracting the variables themselves was not easy, since the program cannot describe them in any intuitive way that would be understandable to humans. After some probing, it appeared that two of the variables the program chose loosely corresponded to the angles of the arms, but the other two remain a mystery.

“We tried correlating the other variables with anything and everything we could think of: angular and linear velocities, kinetic and , and various combinations of known quantities,” explained Boyuan Chen Ph.D., now an assistant professor at Duke University, who led the work. “But nothing seemed to match perfectly.” The team was confident that the AI had found a valid set of four variables, since it was making good predictions, “but we don’t yet understand the mathematical language it is speaking,” he explained.

After validating a number of other physical systems with known solutions, the researchers fed videos of systems for which they did not know the explicit answer. The first videos featured an “air dancer” undulating in front of a local used car lot. After a few hours of analysis, the program returned eight variables. A video of a lava lamp also produced eight variables. They then fed a video clip of flames from a holiday fireplace loop, and the program returned 24 variables.

A particularly interesting question was whether the set of variables was unique for every system, or whether a different set was produced each time the program was restarted.

“I always wondered, if we ever met an intelligent alien race, would they have discovered the same physics laws as we have, or might they describe the universe in a different way?” said Lipson. “Perhaps some phenomena seem enigmatically complex because we are trying to understand them using the wrong set of variables. In the experiments, the number of variables was the same each time the AI restarted, but the specific variables were different each time. So yes, there are alternative ways to describe the universe and it is quite possible that our choices aren’t perfect.”

The researchers believe that this sort of AI can help scientists uncover complex phenomena for which theoretical understanding is not keeping pace with the deluge of data—areas ranging from biology to cosmology. “While we used video data in this work, any kind of array data source could be used—radar arrays, or DNA arrays, for example,” explained Kuang Huang, Ph.D., who co-authored the paper.

The work is part of Lipson and Fu Foundation Professor of Mathematics Qiang Du’s decades-long interest in creating algorithms that can distill data into scientific laws. Past software systems, such as Lipson and Michael Schmidt’s Eureqa software, could distill freeform physical laws from experimental data, but only if the variables were identified in advance. But what if the variables are yet unknown?

Lipson, who is also the James and Sally Scapa Professor of Innovation, argues that scientists may be misinterpreting or failing to understand many phenomena simply because they don’t have a good set of variables to describe the phenomena.

“For millennia, people knew about objects moving quickly or slowly, but it was only when the notion of velocity and acceleration was formally quantified that Newton could discover his famous law of motion F=ma,” Lipson noted. Variables describing temperature and pressure needed to be identified before laws of thermodynamics could be formalized, and so on for every corner of the scientific world. The variables are a precursor to any theory.

“What other laws are we missing simply because we don’t have the ?” asked Du, who co-led the work.

The paper was also co-authored by Sunand Raghupathi and Ishaan Chandratreya, who helped collect the data for the experiments.

More information: Boyuan Chen et al, Automated discovery of fundamental variables hidden in experimental data, Nature Computational Science (2022). DOI: 10.1038/s43588-022-00281-6

Source: Roboticists discover alternative physics

For 12 Hours, Was Part of Apple Engineering’s Network Hijacked by Russia’s Rostelecom?

For a little over 12 hours on 26-27 July, a network operated by Russia’s Rostelecom started announcing routes for part of Apple’s network. The effect was that Internet users in parts of the Internet trying to connect to Apple’s services may have been redirected to the Rostelecom network. Apple Engineering appears to have been successful in reducing the impact, and eventually Rostelecom stopped sending the false route announcements. This event demonstrated, though, how Apple could further protect its networks by using Route Origin Authorizations (ROAs).

We are not aware of any information yet from Apple that indicates what, if any, Apple services were affected. We also have not seen any information from Rostelecom about whether this was a configuration mistake or a deliberate action.

Let’s dig into what we know so far about what happened, and how Route Origin Authorization (ROA) can help prevent these kinds of events.

Around 21:25 UTC on 26 July 2022, Rostelecom’s AS12389 network started announcing 17.70.96.0/19. This prefix is part of Apple’s 17.0.0.0/8 block; usually, Apple only announces the larger 17.0.0.0/9 block and not this more specific prefix.

When the routes a network is announcing are not covered by valid Route Origin Authorization (ROA), the only option during a route hijack is to announce more specific routes. This is exactly what Apple Engineering did today; upon learning about the hijack, it started announcing 17.70.96.0/21 to direct traffic toward AS714.

RIPE RIS data, captured via pybgpkit tool

It is not clear what AS12389 was doing, as it announced the same prefix at the same time with AS prepend as well.

RIPE RIS data, captured via pybgpkit tool

In the absence of any credible data to filter out any possible hijack attempts, the route announced by AS12389 was propagated across the globe. The incident was picked up by BGPstream.com (Cisco Works) and GRIP Internet Intel (GA Tech).

BGP Stream Possible BGP Hijack Details: https://bgpstream.crosswork.cisco.com/event/293915
GRIP Prefix Event Details: https://grip.inetintel.cc.gatech.edu/events/submoas/submoas-1658870700-714=12389/17.70.96.0-19_17.0.0.0-9

Our route collectors in Sydney and Singapore also picked up these routes originated from AS12389:

BGP4MP_ET|07/26/22 21:25:10.065207|A|169.254.169.254|64515|17.70.96.0/19|64515 65534 20473 3257 1273 12389 12389 12389 12389|IGP 

BGP4MP_ET|07/26/22 21:25:11.211901|A|169.254.169.254|64515|17.70.96.0/19|64515 65534 20473 17819 7474 7473 12389|IGP 

BGP4MP_ET|07/26/22 21:25:12.022767|A|169.254.169.254|64515|17.70.96.0/19|64515 65534 20473 17819 4826 12389|IGP 

BGP4MP_ET|07/26/22 21:29:06.885842|A|169.254.169.254|64515|17.70.96.0/19|64515 65534 20473 3491 1273 12389|IGP

Apple must have received the alert too. Whatever mitigation techniques they tried didn’t stop the Rostelecom announcement and so Apple announced the more specific route. As per the BGP path selection process, the longest-matching route is preferred first. Prefix length supersedes all other route attributes. Apple started announcing 17.70.96.0/21 to direct traffic toward AS714.
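The two mechanisms the post leans on, RFC 6811 route origin validation against a ROA and BGP’s longest-prefix preference, worked through on this event as an added example (my Python, not MANRS, Apple or RIPE code). The ROA for 17.0.0.0/8 is hypothetical, since the post’s point is that Apple had not published one; the collector lines are the four quoted above.

```python
"""Route Origin Validation (RFC 6811) and longest-prefix forwarding, applied to the
Rostelecom/Apple event. Added example; the ROA is HYPOTHETICAL (Apple had none),
the BGP4MP_ET lines are the route-collector output quoted in the post."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: ipaddress.IPv4Network   # authorised prefix
    max_length: int                 # longest prefix length the holder may announce
    origin_as: int                  # AS allowed to originate it


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin_as: int
    as_path: tuple


# Collector lines as printed in the post (bgpdump -m style, pipe-separated).
COLLECTOR_LINES = [
    "BGP4MP_ET|07/26/22 21:25:10.065207|A|169.254.169.254|64515|17.70.96.0/19|64515 65534 20473 3257 1273 12389 12389 12389 12389|IGP",
    "BGP4MP_ET|07/26/22 21:25:11.211901|A|169.254.169.254|64515|17.70.96.0/19|64515 65534 20473 17819 7474 7473 12389|IGP",
    "BGP4MP_ET|07/26/22 21:25:12.022767|A|169.254.169.254|64515|17.70.96.0/19|64515 65534 20473 17819 4826 12389|IGP",
    "BGP4MP_ET|07/26/22 21:29:06.885842|A|169.254.169.254|64515|17.70.96.0/19|64515 65534 20473 3491 1273 12389|IGP",
]

# HYPOTHETICAL ROA: "17.0.0.0/8 may be originated by AS714, down to /24".
# maxLength must cover the more-specifics you would announce in a mitigation,
# otherwise your own defensive /21 would itself be Invalid.
HYPOTHETICAL_ROAS = [ROA(ipaddress.ip_network("17.0.0.0/8"), 24, 714)]


def parse_bgp4mp(line: str) -> Route:
    """Field 5 is the prefix, field 6 the AS path; the last hop is the origin AS."""
    fields = line.strip().split("|")
    prefix = ipaddress.ip_network(fields[5])
    as_path = tuple(int(asn) for asn in fields[6].split())
    return Route(prefix, as_path[-1], as_path)


def rov_state(route: Route, roas: list) -> str:
    """RFC 6811: Valid if a covering ROA matches origin and maxLength,
    Invalid if covering ROAs exist but none match, NotFound if none cover."""
    covering = [r for r in roas if route.prefix.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.origin_as == route.origin_as and route.prefix.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def validate_collector_lines(lines: list, roas: list) -> list:
    """(prefix, origin AS, ROV state) for each collector line."""
    out = []
    for line in lines:
        r = parse_bgp4mp(line)
        out.append((str(r.prefix), r.origin_as, rov_state(r, roas)))
    return out


def longest_match(dest: str, routes: list):
    """BGP prefers the most specific matching prefix before any other attribute."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen) if candidates else None


def forwarding_during_hijack(dest: str) -> int:
    """Origin AS that traffic for `dest` reaches while all three routes coexist."""
    routes = [
        Route(ipaddress.ip_network("17.0.0.0/9"), 714, (714,)),         # Apple's normal route
        Route(ipaddress.ip_network("17.70.96.0/19"), 12389, (12389,)),  # Rostelecom's announcement
        Route(ipaddress.ip_network("17.70.96.0/21"), 714, (714,)),      # Apple's mitigation
    ]
    return longest_match(dest, routes).origin_as


if __name__ == "__main__":
    print("no ROA (actual situation):", validate_collector_lines(COLLECTOR_LINES, []))
    print("with hypothetical ROA:    ", validate_collector_lines(COLLECTOR_LINES, HYPOTHETICAL_ROAS))
    for dest in ("17.70.96.1", "17.70.104.1", "17.1.1.1"):
        print(dest, "-> AS", forwarding_during_hijack(dest))
```

With no ROA every line is NotFound and gets propagated; with the ROA, each AS12389 origin is Invalid while Apple’s own /21 is Valid. The longest-match walk also shows why the /21 only reduced the impact: 17.70.104.1 sits inside the hijacked /19 but outside the /21, so it still follows AS12389.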

[…]

Source: For 12 Hours, Was Part of Apple Engineering’s Network Hijacked by Russia’s Rostelecom? – MANRS

Discovery of UEFI rootkit exposes an ugly truth: The attacks are invisible to us

Researchers have unpacked a major cybersecurity find—a malicious UEFI-based rootkit used in the wild since 2016 to ensure computers remained infected even if an operating system is reinstalled or a hard drive is completely replaced.

The firmware compromises the UEFI, the low-level and highly opaque chain of firmware required to boot up nearly every modern computer. As the software that bridges a PC’s device firmware with its operating system, the UEFI—short for Unified Extensible Firmware Interface—is an OS in its own right. It’s located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch the code. Because it’s the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows.

Exotic, yes. Rare, no.

On Monday, researchers from Kaspersky profiled CosmicStrand, the security firm’s name for a sophisticated UEFI rootkit that the company detected and obtained through its antivirus software. The find is among only a handful of such UEFI threats known to have been used in the wild. Until recently, researchers assumed that the technical demands required to develop UEFI malware of this caliber put it out of reach of most threat actors. Now, with Kaspersky attributing CosmicStrand to an unknown Chinese-speaking hacking group with possible ties to cryptominer malware, this type of malware may not be so rare after all.

“The most striking aspect of this report is that this UEFI implant seems to have been used in the wild since the end of 2016—long before UEFI attacks started being publicly described,” Kaspersky researchers wrote. “This discovery begs a final question: If this is what the attackers were using back then, what are they using today?”

While researchers from fellow security firm Qihoo360 reported on an earlier variant of the rootkit in 2017, Kaspersky and most other Western-based security firms didn’t take notice. Kaspersky’s newer research describes in detail how the rootkit—found in firmware images of some Gigabyte or Asus motherboards—is able to hijack the boot process of infected machines. The technical underpinnings attest to the sophistication of the malware.

[…]

Source: Discovery of new UEFI rootkit exposes an ugly truth: The attacks are invisible to us | Ars Technica

US court system suffered ‘incredibly significant attack’ – no details known yet

The United States’ federal court system “faced an incredibly significant and sophisticated cyber security breach, one which has since had lingering impacts on the department and other agencies.”

That quote comes from congressional representative Jerrold Lewis Nadler, who spoke those words on Thursday in his introductory remarks to a House Committee on the Judiciary hearing conducting oversight of the Department of Justice National Security Division (NSD).

Nadler segued into the mention of the breach after mentioning the NSD’s efforts to defend America against external actors that seek to attack its system of government. He commenced his remarks on the attack at the 4:40 mark in the video below:

The rep’s remarks appear to refer to the January 2021 disclosure by James C. Duff, who at the time served as secretary of the Judicial Conference of the United States, of “an apparent compromise” of confidentiality in the Judiciary’s Case Management/Electronic Case Files system (CM/ECF).

That incident may have exploited vulnerabilities in CM/ECF and “greatly risk compromising highly sensitive non-public documents stored on CM/ECF, particularly sealed filings.”

Such documents are filed by the US government in cases that touch on national security, and therefore represent valuable intelligence.

The star witness at the hearing, assistant attorney general for National Security Matthew Olsen, said the Department of Justice continues to investigate the matter, adding the attack has not impacted his unit’s work.

But Olsen was unable – or unwilling – to describe the incident in detail.

However, a report in Politico quoted an unnamed aide as saying “the sweeping impact it may have had on the operation of the Department of Justice is staggering.”

For now, the extent of that impact, and its cause, are not known.

The nature of the vulnerability and the methods used to exploit it are also unknown, but Nadler suggested it is not related to the SolarWinds attack that the Judiciary has already acknowledged.

Olsen said he would update the Committee with further information once that’s possible. Representatives in the hearing indicated they await those details with considerable interest.

Source: US court system suffered ‘incredibly significant attack’ • The Register

China fines ride-sharer DiDi $1.2bn for data privacy abuse – why is China leading the world in this?

The Cyberspace Administration of China has fined ride-sharing company DiDi Global ¥8.026 billion ($1.2 billion) for more than 64 billion illegal acts of data collection that it says were carried out maliciously and threatened national security.

Yes, we do mean billion. As in a thousand million.

The Administration enumerated DiDi’s indiscretions as follows:

  • 53.976 billion pieces of information indicating travellers’ intentions were analyzed without informing passengers;
  • 8.323 billion pieces of information were accessed from users’ clipboards and lists of apps;
  • 1.538 billion pieces of information about the cities in which users live were analyzed without permission;
  • 304 million pieces of information describing users’ place of work;
  • 167 million user locations were gathered when users evaluated the DiDi app while it ran in the background;
  • 153 million pieces of information revealing the drivers’ home and business location;
  • 107 million pieces of passenger facial recognition information;
  • 57.8 million pieces of driver’s ID number information in plain text;
  • 53.5092 million pieces of age information;
  • 16.3356 million pieces of occupation information;
  • 11.96 million screenshots were harvested from users’ smartphones;
  • 1.3829 million pieces of family relationship information;
  • 142,900 items describing drivers’ education.

The Administration (CAC) also found DiDi asked for irrelevant permissions on users’ smartphones and did not give an accurate or clear explanation for processing 19 types of personal information.

The fine levied on DiDi is not a run-of-the-mill penalty. The Administration’s Q&A about the incident points out that the fine is a special administrative penalty because DiDi flouted China’s Network Security Law, Data Security Law, and Personal Information Protection Law – and did so for seven years in some cases.

The Q&A adds that China has in recent years introduced many data privacy and information security laws, so it’s not as if DiDi did not have good indicators that it needed to pay attention to such matters.

The fine is around 4.7 percent of DiDi’s annual revenue – just short of the five percent cap on such fines available to Chinese regulators.

[…]

Source: China fines ride-share outfit DiDi $1.2bn for data abuse

Atlassian reveals critical flaws in most of their products

Atlassian has warned users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible, and Jira products that a pair of critical-rated flaws threaten their security.

The company’s July security advisories detail “Servlet Filter dispatcher vulnerabilities.”

One of the flaws – CVE-2022-26136 – is described as an arbitrary Servlet Filter bypass that means an attacker could send a specially crafted HTTP request to bypass custom Servlet Filters used by third-party apps to enforce authentication.

The scary part is that the flaw allows a remote, unauthenticated attacker to bypass authentication used by third-party apps. The really scary part is that Atlassian doesn’t have a definitive list of apps that could be impacted.

“Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability,” it added.

The same CVE can also be exploited in a cross-site scripting attack: a specially crafted HTTP request can bypass the Servlet Filter used to validate legitimate Atlassian Gadgets. “An attacker that can trick a user into requesting a malicious URL can execute arbitrary JavaScript in the user’s browser,” Atlassian explains.

The second flaw – CVE-2022-26137 – is a cross-origin resource sharing (CORS) bypass.

Atlassian explains it as follows: “Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions.”

Confluence users have another flaw to worry about: CVE-2022-26138 reveals that one of its Confluence apps has a hard-coded password in place to help migrations to the cloud. It explained:

Source: Atlassian reveals critical flaws across its product line • The Register