Privacy, Government, Surveillance, and You.

Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
Lost in Space
#4276: Jan 14th 2020 at 1:10:05 PM

[up] Works fine for me (Chrome, Windows 10).

More from Ars Technica: Patch Windows 10 and Server now because certificate validation is broken

Microsoft has just released a patch for Windows 10 and Windows Server 2016/2019 for a cryptographic vulnerability that can allow certificate spoofing and corresponding remote code execution. The issue is logged as CVE-2020-0601. It is recommended that all users, personal and enterprise, install the update immediately.

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
DeMarquis Who Am I? from Hell, USA Since: Feb, 2010 Relationship Status: Buried in snow, waiting for spring
Who Am I?
#4277: Jan 15th 2020 at 8:26:19 AM

Thankfully I use my mobile phone as a hotspot.

"We learn from history that we do not learn from history."
Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
Lost in Space
#4278: Jan 23rd 2020 at 9:43:05 AM

Ars Technica: Internet routers running Tomato are under attack by notorious crime gang

Tomato is a popular alternative firmware for routers. This exploit targets various vulnerabilities in combination with default admin passwords to gain control of the devices and incorporate them into botnets. If you run Tomato, make sure you have changed the administration password to something secure.

Edited by Fighteer on Jan 23rd 2020 at 12:43:29 PM

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
Lost in Space
#4279: Feb 10th 2020 at 1:44:55 PM

The New York Times: U.S. Charges Chinese Military Officers in 2017 Equifax Hacking

The indictment suggests that the breach was part of a series of thefts by China to use the data to target American officials.

WASHINGTON — The Justice Department announced charges on Monday against four members of China’s military on suspicion of hacking into Equifax, one of the nation’s largest credit reporting agencies, and stealing trade secrets and the personal data of about 145 million Americans in 2017.

“This was a deliberate and sweeping intrusion into the private information of the American people,” Attorney General William P. Barr said.

The charges underscored China’s quest to obtain the personal data of Americans and its willingness to flout a 2015 agreement with the United States to refrain from hacking and cyberattacks, all in an effort to expand economic power and influence.

The indictment suggests the hack was part of a series of major data thefts organized by the People’s Liberation Army and Chinese intelligence agencies. China can use caches of personal information and combine them with artificial intelligence to better target American intelligence officers and other officials, Mr. Barr said at a news conference announcing the charges.

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
Lost in Space
#4280: Feb 18th 2020 at 12:30:25 PM

Ars Technica: Hackers exploit critical vulnerability found in ~100,000 WordPress sites

This vulnerability is in a common plugin called ThemeGrill Demo Importer. Exploitation allows an attacker to gain complete control of the site, wiping it and/or replacing it with code of their choice. Best practice is to completely remove the plugin.

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
Pichu-kun ... Since: Jan, 2001
...
#4281: Feb 18th 2020 at 2:52:47 PM

[up] I know WordPress is prone to a Google hack where clicking on a page from Google sends you to a different page than intended.

Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
Lost in Space
#4282: Feb 25th 2020 at 7:11:22 AM

Ars Technica: Serious flaw that lurked in sudo for 9 years hands over root privileges

A longstanding flaw in the sudo utility found in most Unix-like operating systems has finally been patched. This allowed unprivileged users to get root access by exploiting a buffer overflow when an option called "pwfeedback" is enabled.

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
Lost in Space
#4283: Feb 26th 2020 at 4:21:34 AM

I'm not entirely sure which topic suits this best, but since the major story is automated surveillance, I'll put it here.

Ars Technica: Amazon made a bigger camera-spying store—so we tried to steal its fruit

Amazon Go stores are a unique attempt to create a seamless shopping experience for customers with no cashiers — not even any checkout lines. Rather, you enter the store with the Amazon app on your smartphone, get yourself digitally imaged, then go through the store, picking out whatever you want. At the end, you leave, and whatever you bought is charged automatically.

These stores are lined with massive banks of sensors, mostly cameras but who knows what else is going on there. Up until recently the stores were mainly stocked with boxed or canned goods as those represent a simpler solution space, but their new Amazon Go Grocery store in Seattle now includes produce and similar "loose" items. An Ars Technica reporter attempted to defeat its technology and came away with mixed results.

First, it's apparently scarily good, or else there is a bunch of human operators behind the cameras who resolve any edge cases that the software isn't sure about. Every attempt to play sleight-of-hand with the goods failed, with the system accurately recording whatever was taken from the bins and not returned. However, the system was easily defeated by a less obvious method: changing clothes. The reporter went into the bathroom, switched outfits, and was then able to leave with several items without being charged.

As far as the AI was concerned, he'd gone in and never left.

I assume this will get iterated on and eventually corrected. Could this be the future of retail, or is it a flashy gimmick that won't ever see widespread adoption?

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
SeptimusHeap from Switzerland (Edited uphill both ways) Relationship Status: Mu
#4284: Feb 26th 2020 at 4:30:56 AM

I suspect that it will trigger an arms race between shoplifters and stores. Or it will be outlawed for being unduly privacy invasive. Or we'll see a controversy when it turns out that the software used has some bias (probable: racial). Or it won't be adopted because it has no large benefit over the current methods.

"For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled." - Richard Feynman
Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
Lost in Space
#4285: Feb 26th 2020 at 4:38:20 AM

From Amazon's point of view, inviting shoplifters to try to defeat the software may be part of the point. It has no concerns about being driven out of business, so the more data it can gather from people trying to steal from the stores, the better it can make the software in the future. It's sort of like how Tesla collects data every time Autopilot does something wrong. The point is to identify all those edge cases in order to better train the AI.

"Come try to steal our tasty fruit," the shop beckons. "You're only making us stronger."

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
DeMarquis Who Am I? from Hell, USA Since: Feb, 2010 Relationship Status: Buried in snow, waiting for spring
Who Am I?
#4286: Feb 26th 2020 at 4:44:22 AM

That part about "he went in but never came out" is a bit creepy. I would imagine it's a bit harder to shoplift here than at a regular grocery store.

"We learn from history that we do not learn from history."
Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
Lost in Space
#4287: Feb 26th 2020 at 6:09:04 AM

Well, the fact that entry is strictly controlled to identified Amazon customers definitely restricts the capability of someone to get away with theft unidentified. Certainly it would be possible to manually review the camera footage and figure out that someone changed clothes. The question is whether the AI can be trained to do that, or at least identify that it has happened, without too many false positives.

False positives are the absolute bane of AI training.

Edited to add: Its impact on society as a whole is likely to be small if it remains inside Amazon Go stores, but the technology absolutely won't stop there. Imagine being tracked every minute you are inside any public space, like a shopping mall or airport. Imagine that AI is doing all the work, even identifying suspicious behavior, so that humans can be called into the loop to intervene if needed. Are we ready for that?

Edited by Fighteer on Feb 26th 2020 at 10:11:41 AM

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
Lost in Space
#4288: Feb 26th 2020 at 9:37:24 AM

Well if you want more privacy concerns to fill out your day...

Clearview, a secretive facial-recognition startup that claims to scrape the Internet for images to use, has itself now had data unexpectedly scraped, in a manner of speaking. Someone apparently popped into the company's system and stole its entire client list, which Clearview to date has refused to share.

Clearview notified its customers about the leak today, according to The Daily Beast, which obtained a copy of the notification. The memo says an intruder accessed the list of customers, as well as the number of user accounts those customers set up and the number of searches those accounts have conducted.


The vulnerability exists in Wi-Fi chips made by Cypress Semiconductor and Broadcom, the latter whose Wi-Fi business was acquired by Cypress in 2016. The affected devices include iPhones, iPads, Macs, Amazon Echos and Kindles, Android devices, Raspberry Pi 3's, and Wi-Fi routers from Asus and Huawei. Eset, the security company that discovered the vulnerability, said the flaw primarily affects Cypress’ and Broadcom’s FullMAC WLAN chips, which are used in billions of devices. Eset has named the vulnerability Kr00k, and it is tracked as CVE-2019-15126.

Manufacturers have made patches available for most or all of the affected devices, but it's not clear how many devices have installed the patches. Of greatest concern are vulnerable wireless routers, which often go unpatched indefinitely.

[...]

Kr00k exploits a weakness that occurs when wireless devices disassociate from a wireless access point. If either the end-user device or the access point is vulnerable, it will put any unsent data frames into a transmit buffer and then send them over the air. Rather than encrypt this data with the session key negotiated earlier and used during the normal connection, vulnerable devices use a key consisting of all zeros, a move that makes decryption trivial.

Disassociation typically happens when a client device roams from one Wi-Fi access point to another, encounters signal interference, or has its Wi-Fi turned off. Hackers within range of a vulnerable client device or access point can easily trigger disassociations by sending what’s known as management frames, which aren’t encrypted and require no authentication. This lack of security allows an attacker to forge management frames that manually trigger a disassociation.

With the forced disassociation, vulnerable devices will typically transmit several kilobytes of data that’s encrypted with the all-zero session key. The hacker can then capture and decrypt the data. Eset researcher Robert Lipovsky told me hackers can trigger multiple disassociations to further the chances of obtaining useful data.


The information of more than 10 million people who stayed at MGM Resorts, including data appearing to belong to government officials, was posted on a hacking forum this week.

The posting of the hacked information was first reported Wednesday by the website ZDNet.

No financial data were included in the dataset, which has been reviewed by NBC News. But it includes full names, birthdates, addresses, email addresses and phone numbers. The information was posted to the hacking forum Monday.

Last summer, the company "discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts," MGM Resorts said in a statement.

"We are confident that no financial, payment card or password data was involved in this matter. MGM Resorts promptly notified guests potentially impacted by this incident in accordance with applicable state laws," a spokesperson for the company said.

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
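
Added example (not part of the original post or the quoted article): since the excerpt notes that disassociation is triggered by unauthenticated management frames and that several may be triggered in a row, a monitoring sensor can flag stations that receive a burst of teardown frames. The record format, threshold, window and MAC addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# 802.11 management-frame subtypes that tear down a station's association.
TEARDOWN = {"disassoc", "deauth"}

# Constructed sensor records: (seconds, subtype, station MAC the frame targets).
# The MACs are locally administered placeholders, not real devices.
SAMPLE_FRAMES = [
    (10.0, "disassoc", "02:00:00:00:00:0c"),
    (50.0, "disassoc", "02:00:00:00:00:0b"),   # a single roam
    (99.0, "assoc_req", "02:00:00:00:00:0a"),  # not a teardown, ignored
    (100.0, "disassoc", "02:00:00:00:00:0a"),
    (101.5, "deauth", "02:00:00:00:00:0a"),
    (103.0, "disassoc", "02:00:00:00:00:0a"),
    (106.0, "disassoc", "02:00:00:00:00:0a"),
    (150.0, "disassoc", "02:00:00:00:00:0c"),  # spread out over minutes
    (300.0, "disassoc", "02:00:00:00:00:0c"),
]


def find_disassoc_bursts(frames, threshold=3, window_s=10.0):
    """Flag stations hit by repeated teardown frames in a short window.

    Returns {station_mac: largest number of teardown frames seen inside
    any window of `window_s` seconds} for stations that reach `threshold`.
    Occasional disassociations (roaming, interference) stay below it.
    """
    recent = defaultdict(deque)   # station -> timestamps still in the window
    flagged = {}
    for ts, subtype, station in sorted(frames):
        if subtype not in TEARDOWN:
            continue
        window = recent[station]
        window.append(ts)
        # Drop timestamps that have aged out of the sliding window.
        while ts - window[0] > window_s:
            window.popleft()
        if len(window) >= threshold:
            flagged[station] = max(flagged.get(station, 0), len(window))
    return flagged


if __name__ == "__main__":
    for mac, count in find_disassoc_bursts(SAMPLE_FRAMES).items():
        print(f"{mac}: {count} teardown frames within 10 s")
```
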
LeGarcon Blowout soon fellow Stalker from Skadovsk Since: Aug, 2013 Relationship Status: Gay for Big Boss
Blowout soon fellow Stalker
#4289: Feb 26th 2020 at 9:39:26 AM

What a nice afternoon this is for online safet

Oh really when?
Pichu-kun ... Since: Jan, 2001
...
#4290: Feb 26th 2020 at 11:00:33 AM

I'm averse to putting much data online, precisely because online safety is so wishy-washy. Yet, companies keep on making everything need an app, e-mail address, etc. for "convenience". You can't fill out physical job applications anymore and even public transportation is trying to do away with Metrocards.

DeMarquis Who Am I? from Hell, USA Since: Feb, 2010 Relationship Status: Buried in snow, waiting for spring
Who Am I?
#4291: Feb 26th 2020 at 1:53:52 PM

Regarding the Amazon use of AI—this is a practical application for them because only their own members are involved, who presumably gave their permission in a EULA somewhere. They couldn't do that with the general public. Still, the advance of facial recognition databases is a concern.

I'm also left wondering how MGM got birthdates and phone numbers from their guests. I've never stayed at an MGM hotel specifically, but I stay at national chain hotels occasionally, and I have never had to give out all that information just to check in.

But the Wi-Fi vulnerability is a nasty one. Is there a central place one can go to find out if one's own device has the flawed chip in it?

"We learn from history that we do not learn from history."
Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
Lost in Space
#4292: Feb 26th 2020 at 1:56:16 PM

[up] On MGM, my guess would be customer loyalty programs, combined with hotel registrations. When you sign up for those casino gambling cards, you provide a lot of personal data. That's just a guess, of course.

The Ars Technica article lists some phone and router models that are known to have the vulnerability (it's not just for routers), but I don't know if it's comprehensive. It says that Apple patched the vulnerabilities last October, so make sure your iPhone and iPad are up to date. There are links to the research papers as well that may have more information.

Edited by Fighteer on Feb 27th 2020 at 9:54:48 AM

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
speedyboris Since: Feb, 2010
#4293: Apr 10th 2020 at 3:02:05 PM

Kushner’s team seeks national coronavirus surveillance system

And we're back to the same thing we dealt with immediately after 9/11.

M84 Oh, bother. from Our little blue planet Since: Jun, 2010 Relationship Status: Chocolate!
Oh, bother.
#4294: Apr 10th 2020 at 5:01:36 PM

This would be iffy enough even if it weren't Kushner running this shitshow.

But since Kushner is running this shitshow, it's so much worse.

Disgusted, but not surprised
DeMarquis Who Am I? from Hell, USA Since: Feb, 2010 Relationship Status: Buried in snow, waiting for spring
Who Am I?
#4295: Apr 10th 2020 at 5:48:00 PM

Apparently what they are considering is real-time data on patient intake at hospitals and other health care centers, in order to gauge where and what kind of equipment and other resources are needed. As always, the devil's in the details. I can't see any reason they would need to identify who the patients are—summary data should serve perfectly for this purpose.

"We learn from history that we do not learn from history."
Ominae Organized Canine Bureau Special Agent Since: Jul, 2010
Organized Canine Bureau Special Agent
#4296: May 28th 2020 at 8:05:19 PM

https://www.bbc.com/news/amp/technology-52843986

Not sure on putting this here, but Trump signed an EO regarding some legal protection on American-based social media companies.

"Exit muna si Polgas. Ang kailangan dito ay si Dobermaxx!"
Aszur A nice butterfly from Pagliacci's Since: Apr, 2014 Relationship Status: Don't hug me; I'm scared
A nice butterfly
#4297: May 29th 2020 at 8:47:08 AM

My avatar is so fitting on this situation.

It has always been the prerogative of children and half-wits to point out that the emperor has no clothes
Ultimatum Disasturbator from Second Star to the left (Old as dirt) Relationship Status: Wishfully thinking
Aszur A nice butterfly from Pagliacci's Since: Apr, 2014 Relationship Status: Don't hug me; I'm scared
A nice butterfly
#4299: May 29th 2020 at 9:40:21 AM

Who watches the watchmen is a theme in the whole surveillance thing.

It has always been the prerogative of children and half-wits to point out that the emperor has no clothes
DeMarquis Who Am I? from Hell, USA Since: Feb, 2010 Relationship Status: Buried in snow, waiting for spring
Who Am I?
#4300: May 30th 2020 at 6:14:20 PM

From the linked article:

"Under a 1996 law, website operators, unlike traditional publishers, cannot generally be held responsible for content posted by users.

The sites are also protected from lawsuits if they block posts deemed obscene, violent "or otherwise objectionable, whether or not such material is constitutionally protected".

The executive order argues that this immunity should no longer apply if a social network edits posts, such as by adding a warning or a label.

It also says "deceptive" blocking, including removing a post for reasons other than those described in a website's terms of service, should not be protected."

This is a complicated issue. People on both the left and the right have been protesting this exception ever since it became law. This is the main reason, for example, that Facebook doesn't have to care about hate speech appearing on its pages, or accounts that are bots.

Trump is all in a lather because Twitter dared to attach a warning to his tweet advising people that his comments might not be factually accurate. I don't remember the details of that particular tweet, but considering other things he has said that could potentially cause material harm to numbers of people, you can see the dilemma that a social media platform might find itself in.

Some people on the left therefore could conclude that Trump may be right this time for the wrong reasons. But it's more complicated than that, because just removing this protection without replacing it with new, clear criteria could result in a lot of confusion on the web, and in particular could cause hardship for smaller content providers, like TV Tropes. Imagine someone taking offense at something posted here, or in one of the trope descriptions, or a work page, and suing TV Tropes itself—in the absence of any legal protection, that could cause a lot of hardship. For that reason, I think this is going to end up in court, and that will drag it past the next presidential election. But I don't know for certain.

What we really need is an informed public debate on the issue, rather than policy driven by bruised ego. Stay tuned.

"We learn from history that we do not learn from history."

Total posts: 4,767