Crypto-cash exchange BitConnect pulls plug amid Bitcoin bloodbath

Amid a cryptocurrency price correction that has seen the price of Bitcoin drop by half from its mid-December peak, UK-based cyber-cash lending and exchange biz BitConnect said it is shutting down.

The firm, dogged by accusations that it is a Ponzi scheme, cited bad press, regulatory orders, and cyber attacks for its market exit this week.

BitConnect said it has received two cease-and-desist letters from US financial watchdogs: one from the Texas State Securities Board, and one from the Securities Division of North Carolina’s Secretary of State.

The letter from Texas authorities, an emergency cease-and-desist order sent January 3, 2018, charges the company with fraud and misleading investors.

The letter from North Carolina authorities observes that BitConnect’s purported rate of return amounts to about 3,000 per cent annually.

Noting that such rates “are extremely unusual in financial markets,” the North Carolina letter stated: “Guaranteed annual compounded investment returns of over 3,000 per cent are a known ‘red-flag’ for fraud, specifically for the risk that the investment may be a ‘Ponzi scheme.'”

Source: Crypto-cash exchange BitConnect pulls plug amid Bitcoin bloodbath • The Register

Computer program that tries to determine if you reoffend is racist, wrong and has been in use since 2000.

One widely used criminal risk assessment tool, Correctional Offender Management Profiling for Alternative Sanctions (COMPAS; Northpointe, which rebranded itself to “equivant” in January 2017), has been used to assess more than 1 million offenders since it was developed in 1998. The recidivism prediction component of COMPAS—the recidivism risk scale—has been in use since 2000. This software predicts a defendant’s risk of committing a misdemeanor or felony within 2 years of assessment from 137 features about an individual and the individual’s past criminal record.

Although the data used by COMPAS do not include an individual’s race, other aspects of the data may be correlated to race that can lead to racial disparities in the predictions. In May 2016, writing for ProPublica, Angwin et al. (2) analyzed the efficacy of COMPAS on more than 7000 individuals arrested in Broward County, Florida between 2013 and 2014. This analysis indicated that the predictions were unreliable and racially biased. COMPAS’s overall accuracy for white defendants is 67.0%, only slightly higher than its accuracy of 63.8% for black defendants. The mistakes made by COMPAS, however, affected black and white defendants differently: Black defendants who did not recidivate were incorrectly predicted to reoffend at a rate of 44.9%, nearly twice as high as their white counterparts at 23.5%; and white defendants who did recidivate were incorrectly predicted to not reoffend at a rate of 47.7%, nearly twice as high as their black counterparts at 28.0%. In other words, COMPAS scores appeared to favor white defendants over black defendants by underpredicting recidivism for white and overpredicting recidivism for black defendants.
[…]
We have shown that commercial software that is widely used to predict recidivism is no more accurate or fair than the predictions of people with little to no criminal justice expertise who responded to an online survey.
[…]
Although Northpointe does not reveal the details of their COMPAS software, we have shown that their prediction algorithm is equivalent to a simple linear classifier. In addition, despite the impressive sounding use of 137 features, it would appear that a linear classifier based on only 2 features—age and total number of previous convictions—is all that is required to yield the same prediction accuracy as COMPAS.

The question of accurate prediction of recidivism is not limited to COMPAS. A review of nine different algorithmic approaches to predicting recidivism found that eight of the nine approaches failed to make accurate predictions (including COMPAS) (13). In addition, a meta-analysis of nine algorithmic approaches found only moderate levels of predictive accuracy across all approaches and concluded that these techniques should not be solely used for criminal justice decision-making, particularly in decisions of preventative detention
[…]
When considering using software such as COMPAS in making decisions that will significantly affect the lives and well-being of criminal defendants, it is valuable to ask whether we would put these decisions in the hands of random people who respond to an online survey because, in the end, the results from these two approaches appear to be indistinguishable.

Source: The accuracy, fairness, and limits of predicting recidivism | Science Advances
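The excerpt above makes the point that near-equal overall accuracy can hide very unequal error types. As an added illustration (not code from the Science Advances paper or from ProPublica), the following Python computes per-group accuracy, false-positive rate and false-negative rate from a constructed set of assessment records; the group labels, cell counts and the `Record` layout are assumptions made for the example.

```python
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple


class Record(NamedTuple):
    """One assessed defendant: group label, tool's prediction, observed outcome."""
    group: str
    predicted_reoffend: bool
    did_reoffend: bool


def build_records(group: str, tp: int, fp: int, fn: int, tn: int) -> List[Record]:
    """Expand confusion-matrix cell counts into individual records (constructed data)."""
    return (
        [Record(group, True, True)] * tp
        + [Record(group, True, False)] * fp
        + [Record(group, False, True)] * fn
        + [Record(group, False, False)] * tn
    )


def group_metrics(records: Iterable[Record]) -> Dict[str, Dict[str, float]]:
    """Per-group accuracy, false-positive rate and false-negative rate.

    FPR = share of people who did NOT reoffend but were flagged as likely to.
    FNR = share of people who DID reoffend but were predicted not to.
    """
    cells: Dict[str, Counter] = {}
    for r in records:
        c = cells.setdefault(r.group, Counter())
        if r.predicted_reoffend and r.did_reoffend:
            c["tp"] += 1
        elif r.predicted_reoffend:
            c["fp"] += 1
        elif r.did_reoffend:
            c["fn"] += 1
        else:
            c["tn"] += 1

    metrics: Dict[str, Dict[str, float]] = {}
    for group, c in cells.items():
        total = sum(c.values())
        metrics[group] = {
            "accuracy": (c["tp"] + c["tn"]) / total,
            "fpr": c["fp"] / (c["fp"] + c["tn"]),
            "fnr": c["fn"] / (c["fn"] + c["tp"]),
        }
    return metrics


def error_rate_disparity(metrics: Dict[str, Dict[str, float]],
                         group_a: str, group_b: str) -> Dict[str, float]:
    """Ratio of group_a's error rates to group_b's; 1.0 means parity on that error type."""
    return {
        "fpr_ratio": metrics[group_a]["fpr"] / metrics[group_b]["fpr"],
        "fnr_ratio": metrics[group_a]["fnr"] / metrics[group_b]["fnr"],
    }


# Constructed sample: 100 defendants per group, chosen so that overall accuracy is
# nearly identical (0.80 vs 0.78) while the error types fall very differently.
SAMPLE = (build_records("A", tp=30, fp=10, fn=10, tn=50)
          + build_records("B", tp=38, fp=20, fn=2, tn=40))


if __name__ == "__main__":
    m = group_metrics(SAMPLE)
    for g, v in sorted(m.items()):
        print(f"group {g}: accuracy={v['accuracy']:.3f} "
              f"fpr={v['fpr']:.3f} fnr={v['fnr']:.3f}")
    # Group B is flagged wrongly twice as often and cleared wrongly one fifth as often.
    print(error_rate_disparity(m, "B", "A"))
```

Checking accuracy alone would pass this classifier; checking FPR and FNR per group is what surfaces the disparity the excerpt describes.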

Lenovo inherited a switch authentication bypass

Lenovo has patched an ancient vulnerability in switches that it acquired along with IBM’s hardware businesses and which Big Blue itself acquired when it slurped parts of Nortel.

The bug, which Lenovo refers to as “HP backdoor”, for reasons it has not explained, has been present in ENOS (Enterprise network operating system) since at least 2004 – when ENOS was still under the hand of Nortel.

Lenovo’s advisory says the issue “was discovered during a Lenovo security audit in the Telnet and Serial Console management interfaces, as well as the SSH and Web management interfaces under certain limited and unlikely conditions”.

There are three vulnerable scenarios, the advisory said:

Authentication via the Telnet or serial consoles, if used for local authentication, “or a combination of RADIUS, TACACS+, or LDAP and local authentication under specific circumstances”;
The Web management interface is vulnerable when the user is authenticating via “a combination of RADIUS or TACACS+ and local authentication”, and then only in “an unlikely condition”; and
“SSH for certain firmware released in May 2004 through June 2004”, again with a combination of RADIUS or TACACS+.

The “unlikely conditions” Lenovo referred to depend on which interface is potentially being attacked.

For SSH access, the management interface is only vulnerable if the system is running firmware created between May and June 2004; RADIUS and/or TACACS+ is enabled; the related “backdoor / secure backdoor” local authentication fallback is enabled (in this case, “backdoor” refers to a RADIUS configuration setting); and finally, a RADIUS or TACACS+ timeout occurs.

Source: Lenovo inherited a switch authentication bypass – from Nortel • The Register

Asus Bezel-Free Kit uses illusion to hide bezels in multimonitor setups

The concept is simple. Thin lenses are placed along the seams where screens meet; they contain optical micro-structures that refract light, bending it inward to hide the bezels underneath.
[…]
The kit’s optical obfuscation is designed to work at a specific angle. We selected 130° because it offered the best balance of comfort and immersion in internal testing. Proper fit and alignment are extremely important, so the lenses and associated mounting hardware are made for specific monitors.

Source: Bezel-Free Kit makes multi-monitor setups seamless | ROG – Republic of Gamers Global

OnePlus suspends credit card transactions after fraud

Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated.
[…]
As a precaution, we are temporarily disabling credit card payments at oneplus.net. PayPal is still available, and we are exploring alternative secure payment options with our service providers.

Source: An Update on Credit Card Security – OnePlus Forums

With the camera problems and data being sent quietly to a Chinese server, OnePlus is not exactly inspiring confidence, which is a shame after such successful and valuable launch products in the Android space.

Skygofree: Serious offensive Android malware, since 2014

At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago – at the end of 2014. Since then, the implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals.
[…]
The implant provides the ability to grab a lot of exfiltrated data, like call records, text messages, geolocation, surrounding audio, calendar events, and other memory information stored on the device.
[…]
In the latest implant versions there are 48 different commands. You can find a full list with short descriptions in the Appendix. Here are some of the most notable:

‘geofence’ – this command adds a specified location to the implant’s internal database and when it matches a device’s current location the malware triggers and begins to record surrounding audio.

‘social’ – this command starts the ‘AndroidMDMSupport’ service – this allows the files of any other installed application to be grabbed.

‘wifi’ – this command creates a new Wi-Fi connection with specified configurations from the command and enables Wi-Fi if it is disabled.

‘camera’ – this command records a video/captures a photo using the front-facing camera when someone next unlocks the device.

Source: Skygofree: Following in the footsteps of HackingTeam – Securelist

Hospital injects $60,000 into crims’ coffers to cure malware infection

The crooks had infected the network of Hancock Health, in Indiana, with the Samsam software nasty, which scrambled files and demanded payment to recover the documents. The criminals broke in around 9.30pm on January 11 after finding a box with an exploitable Remote Desktop Protocol (RDP) server, and injected their ransomware into connected computers.

Medical IT teams were alerted in early 2016 that hospitals were being targeted by Samsam, although it appears the warnings weren’t heeded in this case.

According to the hospital, the malware spread over the network and was able to encrypt “a number of the hospital’s information systems,” reducing staff to scratching out patient notes on pieces of dead tree.
[…]
The ransomware’s masters accepted the payment, and sent over the decryption keys to unlock the data. As of Monday this week, the hospital said critical systems were up and running and normal services have been resumed.

This doesn’t appear to be a data heist. The hospital claimed no digital patient records were taken from its computers, just made inaccessible. “The life-sustaining and support systems of the hospital remained unaffected during the ordeal, and patient safety was never at risk,” the healthcare provider argued.
[…]
It’s one thing to keep an offline store of sensitive data to prevent ransomware on the network from attacking it. It’s another to keep those backups somewhere so out of reach, they can’t be recovered during a crisis, effectively rendering them useless.

It just proves that when planning disaster recovery, you must consider time-to-restoration as well as the provisioning of backup hardware.

Source: Hospital injects $60,000 into crims’ coffers to cure malware infection • The Register

300 Dutch customers fell for fake popular website ring. Perps picked up and given a few months of prison time.

BCC and MediaMarkt are large electronics stores in NL. Ziggo is a large internet ISP. By linking to fake pages through marktplaats.nl (the Dutch ebay / Craigslist equivalent) people were able to shop for products on the fake sites, which were never delivered. Using a chat interface, the crims tried to gain access to the bank accounts of the marks. It very much surprises me that this kind of fraud only results in a few months in jail.

A number of men have each been sentenced to several months in prison for large-scale internet fraud. They mainly profited from fake webshops imitating, among others, BCC, MediaMarkt and Ziggo.

Source: Gevangenisstraf voor internetoplichting – Emerce

Microsoft wants to patent mind control – shows how stupid the patent system really is

Microsoft has applied to patent a brain control interface, so you’ll be able to “think” your way around a computer device, hands free. Last year, Facebook claimed to have 60 engineers engaged in BCI [brain computer interface] but Microsoft isn’t going to take this sitting down. It’s erm, sitting down and thinking really hard. The application Changing an application state using neurological data was filed last year, and published last week. The inventors recently filed a related patent for a continuous motion controller powered by the brain. (US 2017/0329392: Continuous Motion Controls Operable Using Neurological Data).

Source: Microsoft wants to patent mind control • The Register

The problem is that the actual technology to do this doesn’t exist and they have nothing like a working prototype. Considering brain control has existed for some time, it’s a bit silly that this kind of conceptual work can actually be patented by someone with money. I can come up with loads of patentable ideas, but the bridge to creating some sort of working product is one too far for me. And the costs of patenting all my imaginations are far too high. This system basically puts small inventors at a huge disadvantage, but also pushes out innovation by small companies as they find that technologies they have invented and worked out are suddenly patented after the fact by large companies.

All Intel laptops open to unlocking with ctrl-P and “admin”. Another fatal flaw in Intel Management Engine.

F-Secure reports a security issue affecting most corporate laptops that allows an attacker with physical access to backdoor a device in less than 30 seconds. The issue allows the attacker to bypass the need to enter credentials, including BIOS and Bitlocker passwords and TPM pins, and to gain remote access for later exploitation. It exists within Intel’s Active Management Technology (AMT) and potentially affects millions of laptops globally.

The security issue “is almost deceptively simple to exploit, but it has incredible destructive potential,” said Harry Sintonen, who investigated the issue in his role as Senior Security Consultant at F-Secure. “In practice, it can give an attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”

To exploit this, all an attacker needs to do is reboot or power up the target machine and press CTRL-P during bootup. The attacker then may log into Intel Management Engine BIOS Extension (MEBx) using the default password, “admin,” as this default is most likely unchanged on most corporate laptops. The attacker then may change the default password, enable remote access and set AMT’s user opt-in to “None.” The attacker can now gain remote access to the system from both wireless and wired networks, as long as they’re able to insert themselves onto the same network segment with the victim. Access to the device may also be possible from outside the local network via an attacker-operated CIRA server.

Although the initial attack requires physical access, Sintonen explained that the speed with which it can be carried out makes it easily exploitable in a so-called “evil maid” scenario. “You leave your laptop in your hotel room while you go out for a drink. The attacker breaks into your room and configures your laptop in less than a minute, and now he or she can access your desktop when you use your laptop in the hotel WLAN. And since the computer connects to your company VPN, the attacker can access company resources.” Sintonen points out that even a minute of distracting a target from their laptop at an airport or coffee shop is enough to do the damage.

Source: F-Secure Press Room | Global

Let’s Encrypt plugs hole that let miscreants grab HTTPS web certs for strangers’ domains

Let’s Encrypt – an SSL/TLS certificate authority run by the non-profit Internet Security Research Group (ISRG) to programmatically provide websites with free certs for their HTTPS websites – on Thursday said it is discontinuing TLS-SNI validation because it’s insecure in the context of many shared hosting providers.

TLS-SNI is one of three ways Let’s Encrypt’s Automatic Certificate Management Environment (ACME) protocol validates requests for TLS certificates, which enable secure connections when browsing the web, along with the confidence-inspiring display of a lock icon. The other two validation methods, HTTP-01 and DNS-01, are not implicated in this issue.

The problem is that TLS-SNI-01 and its planned successor TLS-SNI-02 can be abused under specific circumstances to allow an attacker to obtain HTTPS certificates for websites that he or she does not own.

Such a person could, for example, find an orphaned domain name pointed at a hosting service, and use the domain – with an unauthorized certificate to make fake pages appear more credible – without actually owning the domain.

Source: Let’s Encrypt plugs hole that let miscreants grab HTTPS web certs for strangers’ domains • The Register

Adult Themed Virtual Reality App spills Names, Emails of Thousands

Researchers at the firm Digital Interruption on Tuesday warned that an adult-themed virtual reality application, SinVR, exposes the names, email and other personal information via an insecure desktop application – a potentially embarrassing security lapse. The company decided to go public with the information after being frustrated in multiple efforts to responsibly disclose the vulnerability to parent company inVR, Inc., Digital Interruption researcher and founder Jahmel Harris told The Security Ledger.

Jahmel estimated that more than 19,000 records were leaked by the application, but did not have an exact count.

Source: Adult Themed Virtual Reality App spills Names, Emails of Thousands | The Security Ledger

Wait, what? The Linux Kernel Mailing List archives lived on ONE PC? One BROKEN PC?

Spare a thought for Jasper Spaans, who hosts the Linux Kernel Mailing List archive from a single PC that lives in his home. And since things always happen this way the home machine died while he was on holiday.

The archive was therefore unavailable for much of the weekend, although Linux developers could still use mirrors like Indiana University’s effort.

Spaans quickly learned of the outage and he said it was a simple issue, that a brief power outage left the server waiting for a luks – Linux Unified Key Setup – password.

The sad part is that that machine has an initrd with remote ssh access for passing the passphrase (because of a sucky java-based kvm), but I can’t reach the bugger from the outside. A vps + cryptops might be a thing for when this hardware dies though.
— jasper spaans (@spaans) January 10, 2018

But once he got home, it became apparent the problem was rather more serious.

Bad news for the fans of https://t.co/MTS96wBH6B : the main board of the server somehow did not survive the outage 🙁
Expect prolonged downtime while I source replacement parts. (Any recommendations for mini-itx server boards? Currently looking at https://t.co/IHGz1wyxeS )
— jasper spaans (@spaans) January 13, 2018

The hardware Spaans needed appears to have arrived: in the 30 minutes The Reg worked on this story, lkml.org came back to full life.

Source: Wait, what? The Linux Kernel Mailing List archives lived on ONE PC? One BROKEN PC? • The Register

EMC, VMware security bugs throw gasoline on cloud security fire

While everyone was screaming about Meltdown and Spectre, another urgent security fix was already in progress for many corporate data centers and cloud providers who use products from Dell’s EMC and VMware units. A trio of critical, newly reported vulnerabilities in EMC and VMware backup and recovery tools—EMC Avamar, EMC NetWorker, EMC Integrated Data Protection Appliance, and vSphere Data Protection—could allow an attacker to gain root access to the systems or to specific files, or inject malicious files into the server’s file system. These problems can only be fixed with upgrades. While the EMC vulnerabilities were announced late last year, VMware only became aware of its vulnerability last week.

The first of the vulnerabilities, designated in MITRE’s Common Vulnerabilities and Exposures (CVE) list as CVE-2017-15548, allows an attacker to gain root access to the servers. This would potentially give someone direct access to backups on the server, allowing them to retrieve images of virtual machines, backed-up databases, and other data stored within the affected systems.

The second vulnerability, CVE-2017-15549, makes it possible for an attacker to potentially upload malicious files into “any location on the server file system” without authentication. And the third, CVE-2017-15550, is a privilege escalation bug that could allow someone with low-level authenticated access to access files within the server. The attacker could do this by using a Web request crafted to take advantage of “path traversal”—moving up and down within the directory structure of the file system used by the application

Source: EMC, VMware security bugs throw gasoline on cloud security fire | Ars Technica

Okay, Google: why does Chromecast clobber Wi-Fi connections?

Wi-Fi router vendors have started issuing patches to defend their products against Google Chromecast devices. TP-Link and Linksys were first out of the blocks with firmware fixes, and TP-Link has posted this explanation of the issue.

The bug is not in the routers, but in Google’s “Cast” feature, used in Chromecast, Google Home, and other devices. Cast sends multicast DNS (MDNS) packets as a keep-alive for connections to products like Google Home, and it seems someone forgot to configure the feature to go quiet when Chromecast devices are sleeping.

That, at least, is how Vulture South reads the issue that TP-Link’s engineer described: “These packets are normally sent in a 20-second interval. However, we have discovered that the devices will sometimes broadcast a large amount of these packets at a very high speed in a short amount of time. This occurs when the device is awakened from the ‘sleep mode’, and could exceed more than 100,000 packets in a short amount of time.” It continues: “The longer your device is in ‘sleep’, the larger this packet burst will be.”

If left alone long enough, TP-Link warned, the burst will fill up the router’s memory and leave a reboot the only option to restore connectivity.

Source: Okay, Google: why does Chromecast clobber Wi-Fi connections? • The Register
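The behaviour TP-Link describes (a steady 20-second keep-alive that turns into a flood on wake) is easy to spot from the network side. As an added example, not code from TP-Link, Google or The Register, the Python below runs a per-source sliding-window count over mDNS packet records and flags any source whose rate is far above keep-alive cadence; the packet list, MAC addresses and the 50-packets-per-second threshold are constructed for the example.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

# Packet record: (timestamp in seconds, source MAC address). A real feed would come
# from a capture filtered on UDP port 5353 (mDNS); here the records are constructed.
Packet = Tuple[float, str]

EXPECTED_KEEPALIVE_INTERVAL = 20.0  # seconds between normal Cast keep-alives (per TP-Link)
BURST_WINDOW = 1.0                  # sliding window length in seconds
BURST_THRESHOLD = 50                # packets per window; far above any keep-alive cadence


def detect_mdns_bursts(packets: Iterable[Packet],
                       window: float = BURST_WINDOW,
                       threshold: int = BURST_THRESHOLD) -> Dict[str, int]:
    """Return {source: peak_packets_in_window} for sources whose peak exceeds threshold.

    A device emitting one keep-alive every 20 s never has more than one packet in a
    1 s window, so it is never reported; a wake-up burst is reported with its peak.
    """
    by_source: Dict[str, List[float]] = defaultdict(list)
    for ts, src in packets:
        by_source[src].append(ts)

    alerts: Dict[str, int] = {}
    for src, times in by_source.items():
        times.sort()
        recent: Deque[float] = deque()
        peak = 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:   # drop packets that fell out of the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > threshold:
            alerts[src] = peak
    return alerts


def make_sample() -> List[Packet]:
    """Constructed traffic: one well-behaved Cast device and one waking from sleep."""
    healthy = "aa:bb:cc:00:00:01"   # constructed MAC
    waking = "aa:bb:cc:00:00:02"    # constructed MAC
    step = int(EXPECTED_KEEPALIVE_INTERVAL)
    pkts: List[Packet] = []
    # Healthy device: one keep-alive every 20 s for ten minutes.
    pkts += [(float(t), healthy) for t in range(0, 600, step)]
    # Waking device: normal cadence, then 800 packets inside half a second at t=300.
    pkts += [(float(t), waking) for t in range(0, 300, step)]
    pkts += [(300.0 + i * 0.0005, waking) for i in range(800)]
    return pkts


if __name__ == "__main__":
    for src, peak in detect_mdns_bursts(make_sample()).items():
        print(f"mDNS burst from {src}: {peak} packets within {BURST_WINDOW}s")
```

The same window logic applied to a router's own packet counters would give it a reason to rate-limit the offending client instead of exhausting memory, which is the failure mode TP-Link warns about.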

BAE Magma aircraft controls its orientation with blown air instead of moving parts

Together with The University of Manchester, we have successfully completed the first phase of flight trials with MAGMA – a small scale unmanned aerial vehicle (UAV), which will use a unique blown-air system to manoeuvre the aircraft – paving the way for future stealthier aircraft designs.

The new concept for aircraft control removes the conventional need for complex, mechanical moving parts used to move flaps to control the aircraft during flight. This could give greater control as well as reduce weight and maintenance costs, allowing for lighter, stealthier, faster and more efficient military and civil aircraft in the future. The two technologies to be trialled first using the jet-powered UAV, MAGMA, are:

• Wing Circulation Control, which takes air from the aircraft engine and blows it supersonically through the trailing edge of the wing to provide control for the aircraft
• Fluidic Thrust Vectoring, which uses blown air to deflect the exhaust, allowing for the direction of the aircraft to be changed.

Source: First MAGMA flight trials | BAE Systems | International

DARPA looking for Innovative Ideas for Swarm Drone Systems in Urban Environments

DARPA’s OFFensive Swarm-Enabled Tactics (OFFSET) program envisions future small-unit infantry forces using small unmanned aircraft systems (UASs) and/or small unmanned ground systems (UGSs) in swarms of 250 robots or more to accomplish diverse missions in complex urban environments. By leveraging and combining emerging technologies in swarm autonomy and human-swarm teaming, the program seeks to enable rapid development and deployment of breakthrough capabilities to the field. DARPA is continuing its pursuit of these goals through awarding Phase 1 contracts to teams led by Raytheon BBN Technologies (Cambridge, Massachusetts) and the Northrop Grumman Corporation (Linthicum, Maryland).
[…]
The focus of this effort is the generation of swarm tactics for a mixed swarm of 50 air and ground robots to isolate an urban objective within an area of two square city blocks over a mission duration of 15 to 30 minutes. Operationally relevant tactics to achieve that mission include performing reconnaissance, identifying ingress and egress points, and establishing a perimeter around an area of operation.

Source: OFFSET “Sprinters” Encouraged to Share Innovative Ideas for Swarm Systems

When It Comes to Gorillas, Google Photos Remains Blind – it’s hard to take an AI to account

In a third test attempting to assess Google Photos’ view of people, WIRED also uploaded a collection of more than 10,000 images used in facial-recognition research. The search term “African american” turned up only an image of grazing antelope. Typing “black man,” “black woman,” or “black person,” caused Google’s system to return black-and-white images of people, correctly sorted by gender, but not filtered by race. The only search terms with results that appeared to select for people with darker skin tones were “afro” and “African,” although results were mixed.

A Google spokesperson confirmed that “gorilla” was censored from searches and image tags after the 2015 incident, and that “chimp,” “chimpanzee,” and “monkey” are also blocked today. “Image labeling technology is still early and unfortunately it’s nowhere near perfect,” the spokesperson wrote in an email, highlighting a feature of Google Photos that allows users to report mistakes.

Google’s caution around images of gorillas illustrates a shortcoming of existing machine-learning technology. With enough data and computing power, software can be trained to categorize images or transcribe speech to a high level of accuracy. But it can’t easily go beyond the experience of that training. And even the very best algorithms lack the ability to use common sense, or abstract concepts, to refine their interpretation of the world as humans do.

Source: When It Comes to Gorillas, Google Photos Remains Blind | WIRED

With the “Forever Battery,” Ossia’s Cota AA system Promises True Wireless Charging

The Forever Battery comes in a AA form factor, and houses electronics (including an antenna) within its shell. Ossia’s Cota system uses a transmitter that beams electricity along direct paths through the air to the antenna in the battery, charging it from distances of up to 30 feet, with nary a wire to be seen between them.

“Think of Wi-Fi,” Obeidat said. “Just like you have a Wi-Fi router in the home, you have a Cota transmitter. You have many low-power devices, one of them could be the AA battery … inside of it has electronics that communicate and receive power from that transmitter.” The Cota system beams the power only through unoccupied space; if a person were to move in the way, Cota would angle the beam to avoid them.

Obeidat went on to explain that users could have the battery in a variety of devices, such as smoke detectors or remote controls, receiving power without hassle. He also emphasized that the AA form factor of the Forever Battery is just the start. Ossia believes it can scale the technology down to work in smartphone batteries. To this end, the company hopes to partner with large smartphone manufacturers to integrate Cota into their smartphone batteries.

Source: With the “Forever Battery,” Ossia Promises True Wireless Charging | Digital Trends

The Vuzix Blade Is What Google Glass Always Wanted to Be

The thing that always rubbed me the wrong way about Google Glass though, was how after an underwhelming debut, the company seemingly forgot about its moonshot tech. The only thing that remains of the project are enterprise-only models focused more on assisting businesses in completing specialized tasks than expanding the tech as a whole.

It’s a shame because if Google had continued to develop the Glass, we might not have had to wait as long for something like the Vuzix Blade. Sporting a tiny DLP projector that spits images onto its full color see-through display, the Blade uses waveguide optics to project a tiny display onto the right lens of some surprisingly normal-looking glasses.

In addition to the Blade’s innovative display, it also has everything it needs to function as a standalone wearable, complete with a built-in CPU running a customized version of Android, 8-MP camera, 4GB of storage and a microSD card slot, wi-fi, and a mic and touchpad for controlling the device.
[…]
Controlling it is a cinch too. A two-finger swipe on the touchpad built into the right side of the glasses takes you to the home screen, while a one finger swipe advances you through UI, with a single-tap used for making selections.

From there, you can pair the Blade with your phone, which makes it easy to check your messages, view directions or even take first-person photos or videos, using either the touchpad or voice commands. But that’s not all, because in addition to Vuzix’s homemade smartphone companion app, the Blade also sports built-in Alexa integration. So if you want to ask about the weather without pulling out your phone? No problem. How about controlling smart home devices like lights or your thermostat? That’s easy too.

Source: The Vuzix Blade Is What Google Glass Always Wanted to Be

US House reps green-light Fourth Amendment busting spy program

The US House of Representatives has passed a six-year extension to the controversial Section 702 spying program, rejecting an amendment that would have required the authorities to get a warrant before searching for information on US citizens.

The 256-164 vote effectively retains the status quo and undermines a multi-year effort to bring accountability to a program that critics argue breaks the Constitution. A bipartisan substitute amendment put forward by House reps Justin Amash (R-MI) and Zoe Lofgren (D-CA) and supported by both ends of the political spectrum was defeated 233-183.
[…]
The already tense atmosphere in Washington DC over the issue was heightened when President Trump tweeted his apparent support of critics of the program just moments after the Amash-Lofgren amendment was discussed on Fox News.

Source: US House reps green-light Fourth Amendment busting spy program • The Register

OnePlus Android mobes’ clipboard app caught phoning home to China

OnePlus has admitted that the clipboard app in a beta build of its Android OS was beaming back mystery data to a cloud service in China.

Someone running the latest test version of OnePlus’s Oreo-based operating system revealed in its support forums that unusual activity from the built-in clipboard manager had been detected by a firewall tool.

Upon closer inspection, the punter found that the app had been transmitting information to a block of IP addresses registered to Alibaba, the Chinese e-commerce and cloud hosting giant.
[…]
This should not come as much of a shock to those who follow the China-based OnePlus. In October last year, researchers discovered that OnePlus handsets were collecting unusually detailed reports on user activities, although the manufacturer said at the time it was only hoarding the data for its internal analytics. One month later, it was discovered that some phones had apparently been shipped with a developer kit left active, resulting in the phones sporting a hidden backdoor.

And lest we forget, today’s desktop and mobile operating systems are pretty gung-ho in phoning home information about their users, with Microsoft catching flak for Windows 10 telemetry in particular. ®

Source: OnePlus Android mobes’ clipboard app caught phoning home to China

WhatsApp Security Design Could Let an Infiltrator Add Members to Group Chats

Only admins can add new members to private groups. But the researchers found that anyone in control of the server can spoof the authentication process, essentially granting themselves the privileges necessary to add new members who can snoop on private conversations. The obvious examples that come to mind are hackers who manage to gain access to WhatsApp servers or a government successfully pressuring WhatsApp to give it access to targeted group chats.

Perhaps even more troubling, a compromised admin with control of the server could manipulate the messages that would alert group members that someone new had been added, according to the researchers. However, WhatsApp denies this is an issue.

Wired confirmed the researchers’ findings with a WhatsApp spokesperson. While the company, which is owned by Facebook, acknowledges the issue of server security, the spokesperson pushed back on the idea that attackers could block, cache, or otherwise prevent the alert that new members have been added.
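The design point above, that a membership change checked only by the server can be forged by whoever controls the server, as an added toy model that is not WhatsApp's protocol or the researchers' code. It contrasts a client that trusts the server's "admin approved" flag with one that verifies a tag under a key the server never holds; a symmetric key shared with the group stands in for a real design's admin signature, and replay protection is left out.

```python
"""Constructed toy model of group-add handling: server-trusted versus
end-to-end verified membership changes. Not WhatsApp's real protocol."""
import hmac
import hashlib
import json

def _tag(key: bytes, change: dict) -> str:
    # Canonical JSON so both sides tag exactly the same bytes.
    body = json.dumps(change, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

class Group:
    """Members hold admin_key; the relay server never does (assumption)."""
    def __init__(self, admin: str, admin_key: bytes):
        self.admin, self.admin_key = admin, admin_key
        self.members = {admin}

    def apply_server_trusted(self, change: dict, server_says_admin_ok: bool) -> bool:
        # Weak design: the client takes the server's word that the change
        # came from an admin. Whoever controls the server can set this flag.
        if server_says_admin_ok and change.get("op") == "add":
            self.members.add(change["user"])
            return True
        return False

    def apply_verified(self, change: dict, tag: str) -> bool:
        # Hardened design: the add is accepted only with a valid tag under
        # the admin key, which a server-side attacker does not possess.
        if change.get("op") != "add" or change.get("by") != self.admin:
            return False
        if not hmac.compare_digest(tag, _tag(self.admin_key, change)):
            return False
        self.members.add(change["user"])
        return True

def demo():
    key = hashlib.sha256(b"constructed-admin-key").digest()  # constructed
    g_weak, g_hard = Group("alice", key), Group("alice", key)
    forged = {"op": "add", "user": "eve", "by": "alice"}
    # A server operator forges an add: the weak client accepts it.
    weak_result = g_weak.apply_server_trusted(forged, server_says_admin_ok=True)
    # Same forged change without a valid admin tag: the verified client rejects it.
    hard_forged = g_hard.apply_verified(forged, tag="00" * 32)
    # A legitimate admin add carries a valid tag and is accepted.
    legit = {"op": "add", "user": "bob", "by": "alice"}
    hard_legit = g_hard.apply_verified(legit, _tag(key, legit))
    return weak_result, hard_forged, hard_legit, sorted(g_weak.members), sorted(g_hard.members)
```

A real design would also need a sequence number or similar in the tagged change so the server cannot replay an old, genuine add.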

Source: WhatsApp Security Design Could Let an Infiltrator Add Members to Group Chats [Updated]

What’s Slack Doing With Your Data?

More than six million people use Slack daily, spending on average more than two hours each day inside the chat app. For many employees, work life is contingent on Slack, and surely plenty of us use it for more than just, say, work talk. You probably have a #CATS and a women-only channel, and you’ve probably said something privately that you wouldn’t want shared with your boss. But that’s not really up to you.

When you want to have an intimate or contentious chat, you might send a direct message. Or perhaps you and a few others have started a private channel, ensuring that whatever you say is only seen by a handful of people. This may feel like a closed circuit between you and another person—or small group of people—but that space and the little lock symbol aren’t actually emblematic of complete privacy.

Do Slack employees have access to your chats? The short answer is: sort of. The long answer is… below. Can your company peek at your private DMs? It’s entirely possible. Slack’s FAQ pages help elucidate some of these concerns, but at times the answers are frustratingly vague and difficult to navigate. So we dug into it for you. Read more to find out what Slack—and your company—is actually doing with your data.

Source: What’s Slack Doing With Your Data?

The short version is:
Yes, there are Slack employees who can view your data. Channel owners can see everything in a channel, including direct messages. Slack hands your data to law enforcement upon request and won’t inform you. They don’t (and say they won’t) sell it to third parties. Deletion is deletion. Slack, like any other company, can be hacked. Caveat emptor.

Wall Street Analysts Are Embarrassingly Bad At Predicting The Future, Study Finds

The researchers looked at a database of long-term growth forecasts made for all domestic companies listed on a major stock exchange. The forecasts are made in December each year, and predict how well a company’s stocks will do over the next three to five years. From 1981 to 2016, they found that the top 10 percent of stocks analysts were most hopeful about generally had poorer growth than the 10 percent of stocks they were most pessimistic about.

The paper found that investing in the stocks that analysts were most pessimistic about in a given year would have yielded an average 15 percent in extra returns (in stock terms, a profit) the following year, compared to a 3 percent return that would have been made from investing in the predicted champs.

The study, though it hasn’t yet been published in a peer-reviewed journal, is in fact merely an update of a classic study published in 1996; it too found a similarly stark contrast. Nor is this the only kind of study to find a clear gap between the professed stock expectations of analysts and actual reality. So the results aren’t exactly surprising.

Source: Wall Street Analysts Are Embarrassingly Bad At Predicting The Future, Study Finds

 
Skip to toolbar