What Is Ultra-Processed Food?

We eat a lot of ultra-processed food, and these foods tend to be sugary and not so great for us. But the problem isn’t necessarily the fact that they’re ultra-processed. This is a weird and arguably unfair way to categorize foods, so let’s take a look at what “ultra-processed” really means.

This terminology comes from a classification scheme called NOVA that splits foods into four groups:

Unprocessed or “minimally processed” foods (group 1) include fruits, vegetables, and meats. Perhaps you’ve pulled a carrot out of the ground and washed it, or killed a cow and sliced off a steak. Foods in this category can be processed in ways that don’t add extra ingredients. They can be cooked, ground, dried, or frozen.

Processed culinary ingredients (group 2) include sugar, salt, and oils. If you combine ingredients in this group, for example to make salted butter, they stay in this group.

Processed foods (group 3) are what you get when you combine groups 1 and 2. Bread, wine, and canned veggies are included. Additives are allowed if they “preserve [a food’s] original properties” like ascorbic acid added to canned fruit to keep it from browning.

Ultra-processed foods (group 4) don’t have a strict definition, but NOVA hints at some properties. They “typically” have five or more ingredients. They may be aggressively marketed and highly profitable. A food is automatically in group 4 if it includes “substances not commonly used in culinary preparations, and additives whose purpose is to imitate sensory qualities of group 1 foods or of culinary preparations of these foods, or to disguise undesirable sensory qualities of the final product.”

That last group feels a little disingenuous. I’ve definitely seen things in my kitchen that are supposedly only used to make “ultra-processed” foods: food coloring, flavor extracts, artificial sweeteners, anti-caking agents (cornstarch, anyone?) and tools for extrusion and molding, to name a few.
So when we talk about ultra-processed foods, we have to remember that it’s a vague category that only loosely communicates the nutrition of its foods. Just like BMI combines muscley athletes with obese people because it makes for convenient math, NOVA categories combine things of drastically different nutritional quality.

Source: What Is Ultra-Processed Food?

LoopX Startup Pulls ICO Exit Scam and Disappears with $4.5 Million

A cryptocurrency startup named LoopX has pulled an exit scam after collecting around $4.5 million from users during an ICO (Initial Coin Offering) held over the past weeks.

The LoopX team disappeared out of the blue at the start of the week when it took down its website and deleted its Facebook, Telegram, and YouTube channels without any explanation.

The company’s former Twitter profile now lists only one tweet, a link to a TheNextWeb article detailing the exit scam, but it is unclear if the LoopX team posted this link themselves, or if somebody else claimed the account name after it was vacated.

Victims tracking funds as they dissipate

People who invested in the startup are now tracking funds as they move from account to account in a BitcoinTalk forum thread, and banding together in the hopes of filing a class action lawsuit.

Before the site went down, LoopX claimed to have gathered $4.5 million of the $12 million they wanted to raise for creating a new cryptocurrency trading mobile app based on a proprietary trading algorithm.

In an email sent to customers last week, LoopX owners made an ironic statement of “We will have some more surprises for you throughout the week. Stay tuned!”

This was probably not the surprise many users were expecting, but some users did see red flags with the entire LoopX operation and tried to warn would-be investors last month, via LoopX’s official Reddit channel.

Source: LoopX Startup Pulls ICO Exit Scam and Disappears with $4.5 Million

Telegram desktop app exploited for malware, cryptocurrency mining

Telegram has fixed a security flaw in its desktop app that hackers spent several months exploiting to install remote-control malware and cryptocurrency miners on vulnerable Windows PCs. The programming cockup was spotted by researchers at Kaspersky in October. It is believed miscreants have been leveraging the bug since at least March. The vulnerability stems from how its online chat app handles Unicode characters for languages that are read right-to-left, such as Hebrew and Arabic.

Source: Shock horror! Telegram messaging app proves insecure yet again! • The Register

While Western Union wired customers’ money, hackers transferred their personal details. WU won’t tell us what exactly was hacked

A Register reader, who wished to remain anonymous, showed us a copy of a letter dated January 31 that he received from the money-transfer outfit. The missive admitted that a supposedly secure data storage company used by Western Union was compromised: a database full of the wire-transfer giant's customer records was vulnerable to plundering, and hackers were quick to oblige. [...] According to the letter, the storage archive contained customers' contact details, bank names, Western Union internal customer ID numbers, as well as transaction amounts, times and identification numbers. Credit card data was definitely not taken, it stressed. [...] The red-faced biz was quick to point out that none of its internal payment or financial systems were affected in the attack. It also isn’t saying who the third-party storage supplier was, giving other customers of the slovenly provider time to check whether or not they have been hacked too. Western Union says that, so far, it isn't aware of any fraudulent activity stemming from the data security cockup, but just to be on the safe side it is enrolling affected customers in a year of free identity-fraud protection.

Source: While Western Union wired customers’ money, hackers transferred their personal deets • The Register

Moth brain uploaded to computer, taught to recognise numbers

MothNet’s computer code, according to the boffins, contains layers of artificial neurons to simulate the bug’s antenna lobe and mushroom body, which are common parts of insect brains.

Crucially, instead of recognizing smells, the duo taught MothNet to identify handwritten digits in the MNIST dataset. This database is often used to train and test pattern recognition in computer vision applications.

The academics used supervised learning to train MothNet, feeding it about 15 to 20 images of each digit from zero to nine, and rewarding it when it recognized the numbers correctly.

Receptor neurons in the artificial brain processed the incoming images, and passed the information down to the antenna lobe, which learned the features of each number. This lobe was connected, by a set of projection neurons, to the sparse mushroom body. This section was wired up to extrinsic neurons, each ultimately representing an individual integer between zero and nine.
MothNet achieved 75 per cent to 85 per cent accuracy, the paper stated, despite relatively few training examples, seemingly outperforming more traditional neural networks when given the same amount of training data.
It shows that the simplest biological neural network of an insect brain can be taught simple image recognition tasks, and potentially exceed other models when training examples and processing resources are scarce. The researchers believe that these biological neural networks (BNNs) can be “combined and stacked into larger, deeper neural nets.”

Source: Roses are red, are you single, we wonder? ‘Cos this moth-brain AI can read your phone number • The Register

Roses are red, Facebook is blue. Think private means private? More fool you

In a decision (PDF) handed down yesterday, chief judge Janet DiFiore said that a court could ask someone to hand over any relevant materials as part of discovery ahead of a trial – even if they are private.

The threshold for disclosure in a court case “is not whether the materials sought are private but whether they are reasonably calculated to contain relevant information”, she said.

The ruling is the latest in an ongoing battle over whether a woman injured in a horse-riding accident should hand over privately posted pictures to the man she has accused of negligence in the accident.

Kelly Forman suffered spinal and brain injuries after falling from a horse owned by Mark Henkins, who she accuses of fitting her with a faulty stirrup.

Forman said the accident had led to memory loss and difficulty communicating, which she said caused her to become reclusive and have problems using a computer or composing coherent messages.

Because Forman said she had been a regular Facebook user before the accident, Henkins sought an order to gain access to posts and photos she made privately on Facebook before and after the accident, saying this would provide evidence on how her lifestyle had been affected.

For instance, the court noted he argued that “the timestamps on Facebook messages would reveal the amount of time it takes the plaintiff to write a post or respond to a message”.
The judge acknowledged Forman’s argument that disclosure of social media materials posted under private settings was an “unjustified invasion of privacy”, but said that other private materials relevant to litigation – including medical records – can be ordered for disclosure.

DiFiore also noted that, although the court was assuming, for the purposes of resolving the case, that setting a post to “private” meant that they should be characterised as such, there was “significant controversy” about this.

“Views range from the position taken by plaintiff that anything shielded by privacy settings is private, to the position taken by one commentator that anything contained in a social media website is not ‘private’,” she pointed out in a footnote.

Source: Roses are red, Facebook is blue. Think private means private? More fool you • The Register

MPEG-2 now patent-free!

This is the list of patents (Attachment 1) covered by the MPEG-2 Patent Portfolio License as of January 1, 2018. Under the MPEG-2 Patent Portfolio License, royalties are payable for products manufactured or sold in countries with an active MPEG-2 Patent Portfolio Patent at the time of manufacture or sale. Please note that the last US patent expired February 13, 2018, and patents remain active in Philippines and Malaysia after that date.

Source: PatentList

Look out, Wiki-geeks. Now Google trains AI to write Wikipedia articles

A paper, out last month and just accepted for this year’s International Conference on Learning Representations (ICLR) in April, describes just how difficult text summarization really is.

A few companies have had a crack at it. Salesforce trained a recurrent neural network with reinforcement learning to take information and retell it in a nutshell, and the results weren’t bad.

However, the computer-generated sentences are simple and short; they lacked the creative flair and rhythm of text written by humans. Google Brain’s latest effort is slightly better: the sentences are longer and seem more natural.
The model works by taking the top ten web pages of a given subject – excluding the Wikipedia entry – or scraping information from the links in the references section of a Wikipedia article. Most of the selected pages are used for training, and a few are kept back to develop and test the system.

The paragraphs from each page are ranked and the text from all the pages is added to create one long document. The text is encoded and shortened by splitting it into 32,000 individual words, and is used as input.

This is then fed into an abstractive model, where the long sentences in the input are cut shorter. It’s a clever trick used to both create and summarize text. The generated sentences are taken from the earlier extraction phase and aren’t built from scratch, which explains why the structure is pretty repetitive and stiff.

Mohammad Saleh, co-author of the paper and a software engineer in Google AI’s team, told The Register: “The extraction phase is a bottleneck that determines which parts of the input will be fed to the abstraction stage. Ideally, we would like to pass all the input from reference documents.

“Designing models and hardware that can support longer input sequences is currently an active area of research that can alleviate these limitations.”

We are still a very long way off from effective text summarization or generation. And while the Google Brain project is rather interesting, it would probably be unwise to use a system like this to automatically generate Wikipedia entries. For now, anyway.

Source: Look out, Wiki-geeks. Now Google trains AI to write Wikipedia articles • The Register

Gfycat Uses Artificial Intelligence to Fight Deepfakes Porn

Gfycat says it’s figured out a way to train an artificial intelligence to spot fraudulent videos. The technology builds on a number of tools Gfycat already used to index the GIFs on its platform.
Gfycat’s AI approach leverages two tools it already developed, both (of course) named after felines: Project Angora and Project Maru. When a user uploads a low-quality GIF of, say, Taylor Swift to Gfycat, Project Angora can search the web for a higher-res version to replace it with. In other words, it can find the same clip of Swift singing “Shake It Off” and upload a nicer version.

Now let’s say you don’t tag your clip “Taylor Swift.” Not a problem. Project Maru can purportedly differentiate between individual faces and will automatically tag the GIF with Swift’s name. This makes sense from Gfycat’s perspective—it wants to index the millions of clips users upload to the platform monthly.

Here’s where deepfakes come in. Created by amateurs, most deepfakes aren’t entirely believable. If you look closely, the frames don’t quite match up; in the below clip, Donald Trump’s face doesn’t completely cover Angela Merkel’s throughout. Your brain does some of the work, filling in the gaps where the technology failed to turn one person’s face into another.

Project Maru is not nearly as forgiving as the human brain. When Gfycat’s engineers ran deepfakes through its AI tool, it would register that a clip resembled, say, Nicolas Cage, but not enough to issue a positive match, because the face isn’t rendered perfectly in every frame. Using Maru is one way that Gfycat can spot a deepfake—it smells a rat when a GIF only partially resembles a celebrity.

Source: Gfycat Uses Artificial Intelligence to Fight Deepfakes Porn | WIRED

FiveThirtyEight – some large and interesting datasets

We’re sharing the data and code behind some of our articles and graphics.

Source: Our Data | FiveThirtyEight

Consumers prefer security over convenience for the first time ever, IBM Security report finds

“We always talk about the ease of use, and not impacting user experience, etc, but it turns out that when it comes to their financial accounts…people actually would go the extra mile and will use extra security,” Kessem said. Whether it’s using two factor authentication, an SMS message on top of their password, or any other additional step for extra protection, people still want to use it. Some 74% of respondents said that they would use extra security when it comes to those accounts, she said.

Based on findings in the report, people are aware of the data breaches that are happening to companies and consumers alike—with the US leading in terms of people who are aware of data breaches.

“They understand that there’s something they can do to prevent it, and they need to secure their accounts,” she said. “We figure that could be a reason, especially when it comes to where their money lays. They want to make sure that’s more secure.”

Source: Consumers prefer security over convenience for the first time ever, IBM Security report finds – TechRepublic

Do Not, I Repeat, Do Not Download Onavo, Facebook’s Vampiric VPN Service

There’s a new menu item in the Facebook app, first reported by TechCrunch on Monday, labeled “Protect.” Clicking it will send you to the App Store and prompt you to download a Virtual Private Network (VPN) service called Onavo. (“Protect” shows up in the iOS app. Gizmodo looked for it on an Android device and didn’t see it—though, presumably it is only a matter of time.)
Facebook, however, purchased Onavo from an Israeli firm in 2013 for an entirely different reason, as described in a Wall Street Journal report last summer. The company is actually collecting and analyzing the data of Onavo users. Doing so allows Facebook to monitor the online habits of people outside their use of the Facebook app itself. For instance, this gave the company insight into Snapchat’s dwindling user base, even before the company announced a period of diminished growth last year.

To put it another way, Onavo is corporate spyware.

If you’re someone who can’t live without Facebook or simply can’t find the courage to delete it, Onavo appears under the “Explore” list just above the “Settings” menu. I’d recommend you never click it. Facebook is already vacuuming up enough of your data without you giving them permission to monitor every website you visit.

Source: Do Not, I Repeat, Do Not Download Onavo, Facebook’s Vampiric VPN Service

If you want a VPN, buy a good one!

Fiat Chrysler Pushed A UConnect Update That Causes Constant Reboots With No Announced Fix

It appears that the over-the-air update to the UConnect system went out on Friday, and many, many owners have not had working center-stack systems since then. Many of these vehicles are nearly brand-new, which makes the issue even more maddening.
The failure of the UConnect system isn’t just limited to not having a radio; like almost all modern automotive infotainment systems, the center screen, controlled by UConnect, handles things like rear-view camera systems, navigation, cell phone connection systems like Apple CarPlay or Android Auto, some climate control functions, many system and user settings, and more.

Source: Fiat Chrysler Pushed A UConnect Update That Causes Constant Reboots With No Announced Fix


Announcing “Project Things” – An open framework for connecting your devices to the web.

Today, we are pleased to announce that anyone can now build their own Things Gateway to control their connected device directly from the web.

We kicked off “Project Things”, with the goal of building a decentralized ‘Internet of Things’ that is focused on security, privacy, and interoperability. Since our announcement last year, we have continued to engage in open and collaborative development with a community of makers, testers, contributors, and end-users, to build the foundation for this future.

Today’s launch makes it easy for anyone with a Raspberry Pi to build their own Things Gateway. In addition to web-based commands and controls, a new experimental feature shows off the power and ease of using voice-based commands. We believe this is the most natural way for users to interact with their smart home. Getting started is easy, and we recommend checking out this tutorial to get connected.

Built for everyone

If you have been following our progress with Project Things, you’ll know that up to now, it was only really accessible to those with a good amount of technical knowledge. With today’s release, we have made it easy for anyone to get started on building their own Things Gateway to control their devices. We take care of the complicated stuff so that you can focus on the fun stuff such as automation, ‘if this, then that’ rules, adding a greater variety of devices, and more.

Source: Announcing “Project Things” – An open framework for connecting your devices to the web. – The Mozilla Blog

Danish man convicted of promoting illegal film service

A Danish man has become the first European to be convicted of taking part in the promotion of an illegal online film site. The 39-year-old man was handed a six-month suspended sentence by an Odense court for promoting the illegal online film streaming service Popcorn Time via his website popcorntime.dk.
More specifically, the man was convicted of offering a guideline about how Danish users could download the Popcorn Time app, how to install and use it, and how to avoid being discovered by the authorities.

Aside from his suspended sentence, the court also ruled to confiscate 500,000 kroner the man had earned in advertising income via his website. He also faces 120 hours of community service. He has two weeks to appeal to the higher courts.

Source: Historic case: Danish man convicted of promoting illegal film service – The Post

The case was brought by the movie mafia trying to sustain their outdated business model. Now I wonder how worried Google and Bing and other search engines should be, as they link to quite a few illegal places on the web.

Why hiring the ‘best’ people produces the least creative results

Yet the fallacy of meritocracy persists. Corporations, non-profits, governments, universities and even preschools test, score and hire the ‘best’. This all but guarantees not creating the best team. Ranking people by common criteria produces homogeneity. And when biases creep in, it results in people who look like those making the decisions. That’s not likely to lead to breakthroughs. As Astro Teller, CEO of X, the ‘moonshot factory’ at Alphabet, Google’s parent company, has said: ‘Having people who have different mental perspectives is what’s important. If you want to explore things you haven’t explored, having people who look just like you and think just like you is not the best way.’ We must see the forest.

Source: Why hiring the ‘best’ people produces the least creative results — Quartz

Facial Recognition Is Accurate, if You’re a White Guy

Facial recognition technology is improving by leaps and bounds. Some commercial software can now tell the gender of a person in a photograph.

When the person in the photo is a white man, the software is right 99 percent of the time.

But the darker the skin, the more errors arise — up to nearly 35 percent for images of darker skinned women, according to a new study that breaks fresh ground by measuring how the technology works on people of different races and gender.

These disparate results, calculated by Joy Buolamwini, a researcher at the M.I.T. Media Lab, show how some of the biases in the real world can seep into artificial intelligence, the computer systems that inform facial recognition.
One widely used facial-recognition data set was estimated to be more than 75 percent male and more than 80 percent white, according to another research study.

The new study also raises broader questions of fairness and accountability in artificial intelligence at a time when investment in and adoption of the technology is racing ahead.
The African and Nordic faces were scored according to a six-point labeling system used by dermatologists to classify skin types. The medical classifications were determined to be more objective and precise than race.

Then, each company’s software was tested on the curated data, crafted for gender balance and a range of skin tones. The results varied somewhat. Microsoft’s error rate for darker-skinned women was 21 percent, while IBM’s and Megvii’s rates were nearly 35 percent. They all had error rates below 1 percent for light-skinned males.

Source: Facial Recognition Is Accurate, if You’re a White Guy – The New York Times

At least 4200 popular and large websites hijacked by hidden crypto-mining code after popular plugin pwned

Thousands of websites around the world – from the UK’s NHS and ICO to the US government’s court system – were today secretly mining crypto-coins on netizens’ web browsers for miscreants unknown.

The affected sites all use a fairly popular plugin called Browsealoud, made by Brit biz Texthelp, which reads out webpages for blind or partially sighted people.

This technology was compromised in some way – either by hackers or rogue insiders altering Browsealoud’s source code – to silently inject Coinhive’s Monero miner into every webpage offering Browsealoud.

For several hours today, anyone who visited a site that embedded Browsealoud inadvertently ran this hidden mining code on their computer, generating money for the miscreants behind the caper.

Source: UK ICO, USCourts.gov… Thousands of websites hijacked by hidden crypto-mining code after popular plugin pwned • The Register

IBM Notes Privilege escalation in IBM Notes Smart Update Service

IBM iNotes SUService can be misguided into running malicious code from a DLL masquerading as a Windows DLL in the temp directory. IBM plans to address this vulnerability by providing a fix.

Source: IBM Security Bulletin: IBM Notes Privilege escalation in IBM Notes Smart Update Service – United States

Worm brain translated into a computer is taught tricks without programming

It is not much to look at: the nematode C. elegans is about one millimetre in length and is a very simple organism. But for science, it is extremely interesting. C. elegans is the only living being whose neural system has been analysed completely. It can be drawn as a circuit diagram or reproduced by computer software, so that the neural activity of the worm is simulated by a computer program.

Such an artificial C. elegans has now been trained at TU Wien (Vienna) to perform a remarkable trick: The computer worm has learned to balance a pole at the tip of its tail.
“With the help of reinforcement learning, a method also known as ‘learning based on experiment and reward’, the artificial reflex network was trained and optimized on the computer”, Mathias Lechner explains. And indeed, the team succeeded in teaching the virtual nerve system to balance a pole. “The result is a controller, which can solve a standard technology problem – stabilizing a pole, balanced on its tip. But no human being has written even one line of code for this controller, it just emerged by training a biological nerve system”, says Radu Grosu.

The team is going to explore the capabilities of such control-circuits further. The project raises the question, whether there is a fundamental difference between living nerve systems and computer code. Is machine learning and the activity of our brain the same on a fundamental level? At least we can be pretty sure that the simple nematode C. elegans does not care whether it lives as a worm in the ground or as a virtual worm on a computer hard drive.

Source: Technische Universität Wien : Dressierter Computerwurm lernt, einen Stab zu balancieren

Razer doesn’t care about Linux

Razer is a vendor that makes high-end gaming hardware, including laptops, keyboards and mice. I opened a ticket with Razer a few days ago asking them if they wanted to support the LVFS project by uploading firmware and sharing the firmware update protocol used. I offered to upstream any example code they could share under a free license, or to write the code from scratch given enough specifications to do so. This is something I’ve done for other vendors, and doesn’t take long as most vendor firmware updaters all do the same kind of thing; there are only so many ways to send a few kb of data to USB devices. The fwupd project provides high-level code for accessing USB devices, so yet-another-update-protocol is no big deal. I explained all about the LVFS, and the benefits it provided to a userbase that is normally happy to vote using their wallet to get hardware that’s supported on the OS of their choice.

I just received this note on the ticket, which was escalated appropriately:

I have discussed your offer with the dedicated team and we are thankful for your enthusiasm and for your good idea.
I am afraid I have also to let you know that at this moment in time our support for software is only focused on Windows and Mac.

The CEO of Razer Min-Liang Tan said recently “We’re inviting all Linux enthusiasts to weigh in at the new Linux Corner on Insider to post feedback, suggestions and ideas on how we can make it the best notebook in the world that supports Linux.” If this is true, and more than just a sound-bite, supporting the LVFS for firmware updates on the Razer Blade to solve security problems like Meltdown and Spectre ought to be a priority?

Source: Razer doesn’t care about Linux – Technical Blog of Richard Hughes

I have gone off them since they require their products to be connected via their cloud to change settings and receive updates. There is absolutely no reason for a mouse to need to be connected to Razer to change settings.

Researchers discover efficient and sustainable way to filter salt and metal ions from water

With two billion people worldwide lacking access to clean and safe drinking water, joint research by Monash University, CSIRO and the University of Texas at Austin published today in Sciences Advances may offer a breakthrough new solution.

It all comes down to metal-organic frameworks (MOFs), an amazing next generation material that has the largest internal surface area of any known substance. The sponge-like crystals can be used to capture, store and release chemical compounds. In this case, the salt and ions in sea water.

Dr Huacheng Zhang, Professor Huanting Wang and Associate Professor Zhe Liu and their team in the Faculty of Engineering at Monash University in Melbourne, Australia, in collaboration with Dr Anita Hill of CSIRO and Professor Benny Freeman of the McKetta Department of Chemical Engineering at The University of Texas at Austin, have recently discovered that MOF membranes can mimic the filtering function, or ‘ion selectivity’, of organic cell membranes.

With further development, these membranes have significant potential to perform the dual functions of removing salts from seawater and separating metal ions in a highly efficient and cost effective manner, offering a revolutionary new technological approach for the water and mining industries.

Source: Researchers discover efficient and sustainable way to filter salt and metal ions from water

TUG – Turn a powercable into a magsafe plug

So when you fall over the cable, it just unplugs instead of making your laptop, lamp, whatever, fall over


US state’s pot dealer database pwned after security goes up in smoke

The US state of Washington says a miscreant was able to access the system it uses to track the manufacturing and sale of marijuana.

The Evergreen State’s Liquor and Cannabis Board – a job that sounds way cooler than it actually is – yesterday admitted that last weekend someone was able to exploit a vulnerability in one of its machines to access Leaf Data Systems, which Washington uses to keep records on the movement of Mary Jane.

Described as a “seed to sale” tracing process, the Leaf system is intended as a way for the board to keep track on the movement of marijuana from growers and suppliers. Growers and merchants upload information including planned shipments and movements of crops between various points in the “chain of custody” as the pot moves from farms to wholesalers and eventually shops.

Earlier this week, Washington was hit with a pot shortage after the Leaf Data System went down with what was at the time thought to be a “glitch” that had left shops unable to take in new shipments.

On Thursday, the board revealed that the “glitch” was in fact the aftermath of a hacker intrusion, and that someone had been able to obtain a copy of the database that tracked shipments.

“There are indications an intruder downloaded a copy of the traceability database and took action that caused issues with inventory transfers for some users,” the board said.

“We believe this was the root cause of the transfer/manifest issue experienced between Saturday and Monday.”

The stolen database contained information on shipments set to take place between February 1 and 4 of 2018, including route manifest information, vehicle identification, and license plate number. Only the manifest data is considered sensitive, as the other records are public information.

Source: You dopes! US state’s pot dealer database pwned after security goes up in smoke • The Register

I am very curious if any dope trucks got robbed in that period.

You can resurrect any deleted GitHub account name. If you depend on that account you may find yourself in trouble

The individual identifying himself as Jim Teeuwen, who maintained a GitHub repository for a tool called go-bindata for embedded data in Go binaries, recently deleted his GitHub account, taking with it a resource that other Go developers had included in their projects.

The incident echoes the more widely noted 2016 disappearance of around 250 modules maintained by developer Azer Koçulu from the NPM repository. The deletion of one of these modules, left-pad, broke thousands of Node.js packages that incorporated it and prompted NPM to take the unprecedented step of restoring or “un-un-publishing” the code.

Earlier this week, an unidentified developer, whose Go project stopped functioning as a result of the closure of the jteeuwen account, opened a new GitHub account under the abandoned name and repopulated it with a forked version of the go-bindata package as a workaround to re-enable the broken project.

In a post on that account, Franklin Yu, a Boston-area software engineer in the US, said he was a friend of the person who recreated the account and explained that the repo had been resurrected to fix a private project.

“The current owner had no way to directly redirect the repo, so he made such work-around so that he could safely go home without being blamed by his supervisor,” he explained. “And of course, hoped this would also save someone else trapped in similar situation.”
The security implications of allowing reuse of abandoned names are particularly evident in the domain industry, where expired domains regularly get re-registered by spammers hoping to benefit from whatever trust and traffic the previous owner had accrued.

Developers themselves bear some measure of responsibility for relying on code they can’t control and can’t verify.

But Donat, in a phone interview with The Register, suggested that’s not realistic. “You could argue it’s all down to the developer,” he said. “But the fact of the matter is this is how GitHub is now being used, as a package repository, whether it’s meant to be or not.”

Donat argued that GitHub should address the issue, noting that it would not be difficult to revive an abandoned account name and use it to distribute malware.

Source: You can resurrect any deleted GitHub account name. And this is why we have trust issues • The Register

Personally I don’t think the onus here is on GitHub. If you delete a username, it becomes free. The problem is with stupid developers who trust an account, instead of downloading the software they depend on and packaging it with their product. We should know by now that anything on the cloud won’t stay there forever.
