Revealed: Facebook exposed identities of moderators to suspected terrorists

A security lapse that affected more than 1,000 workers forced one moderator into hiding – and he still lives in constant fear for his safety

Source: Revealed: Facebook exposed identities of moderators to suspected terrorists

Facebook moderators like him first suspected there was a problem when they started receiving friend requests from people affiliated with the terrorist organizations they were scrutinizing.

An urgent investigation by Facebook’s security team established that personal profiles belonging to content moderators had been exposed.
[…]
Facebook then discovered that the personal Facebook profiles of its moderators had been automatically appearing in the activity logs of the groups they were shutting down.
[…]
In one exchange, before the Facebook investigation was complete, D’Souza sought to reassure the moderators that there was “a good chance” any suspected terrorists notified about their identity would fail to connect the dots.

“Keep in mind that when the person sees your name on the list, it was in their activity log, which contains a lot of information,” D’Souza wrote, “there is a good chance that they associate you with another admin of the group or a hacker …”
[…]
The bug in the software was not fixed for another two weeks, on 16 November 2016. By that point the glitch had been active for a month. However, the bug was also retroactively exposing the personal profiles of moderators who had censored accounts as far back as August 2016.

Facebook offered to install a home alarm monitoring system and provide transport to and from work to those in the high risk group. The company also offered counseling through Facebook’s employee assistance program, over and above counseling offered by the contractor, Cpl.
[…]
“Our investigation found that only a small fraction of the names were likely viewed, and we never had evidence of any threat to the people impacted or their families as a result of this matter,” the spokesman said.
[…]
He was paid just €13 ($15) per hour for a role that required him to develop specialist knowledge of global terror networks and scour through often highly-disturbing material.

“You come in every morning and just look at beheadings, people getting butchered, stoned, executed,” he said.
[…]
The moderator said that when he started, he was given just two weeks training and was required to use his personal Facebook account to log into the social media giant’s moderation system.
[…]
In an attempt to boost morale among agency staff, Facebook launched a monthly award ceremony to celebrate the top quality performers. The prize was a Facebook-branded mug. “The mug that all Facebook employees get,” he noted.

Finally, a Tool for Making Totally Clear Ice Spheres 

Finally, a Tool for Making Totally Clear Ice Spheres 

http://www.seriouseats.com/2014/07/ice-balls-for-cocktails-best-home-tool-wintersmiths-does-clear-ice-melt-slower.html

Man Buys Two Metric Tons of LEGO Bricks; Sorts Them Via Machine Learning

http://mentalfloss.com/article/501060/man-buys-two-metric-tons-lego-bricks-sorts-them-machine-learning

Scientists win Nobel Prize in Chemistry for making tiny machines out of molecules

https://www.theverge.com/2016/10/5/13162476/nobel-prize-chemistry-tiny-machine-molecules-nanocar-stoddart-ferringa-sauvage

This year’s Nobel Prize in Chemistry has been awarded to three scientists who figured out how to build tiny machines out of molecules. The machines, which include a nano-sized car, are invisible to the human eye and have important implications in medicine and other fields. The researchers — Jean-Pierre Sauvage, J. Fraser Stoddart, and Bernard Feringa — will share the prize equally.


Tails 3.0 – anonymous live OS is out

Tails is a live operating system that you can start on almost any computer from a DVD, USB stick, or SD card.

It aims at preserving your privacy and anonymity, and helps you to:

use the Internet anonymously and circumvent censorship;
all connections to the Internet are forced to go through the Tor network;
leave no trace on the computer you are using unless you ask it explicitly;
use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.

https://tails.boum.org/index.en.html

Facebook’s Emotion Tech: Patents Show New Ways For Detecting And Responding To Users’ Feelings

Facebook’s newest patent, granted May 25, aims to monitor users’ typing speed to predict emotions and adapt messages in response.

We took a look at some of Facebook’s emotion-based patents to understand how the company is thinking about capturing and responding to people’s emotional reactions, which has been a tricky area for consumer tech companies but key to their future. On the one hand, they want to identify which content is most engaging and respond to audience’s reactions, on the other emotion-detection is technically difficult, not to mention a PR and ethical minefield.

Source: Facebook’s Emotion Tech: Patents Show New Ways For Detecting And Responding To Users’ Feelings

Dutch Usenetprovider Eweka forced by judge to hand over personal details to BREIN without judicial oversight

A Dutch judge has said that the usenet provider needs to hand over personal details to BREIN (the Dutch version of the RIAA) without any reason other than that BREIN wants them or face a fine of EUR 1000,- per day. It’s pretty bizarre that some commercial entity can raid anyones private data because they feel like it, but it looks like the North Holland judge prefers cash money to personal interests and judicial oversight.

De rechtbank Noord-Holland heeft vonnis gewezen in een zaak tussen BREIN en Usenetprovider Eweka. Eweka handelt onrechtmatig door BREIN niet terstond – zonder gerechtelijk vonnis – identificerende gegevens te verschaffen van een uploader van auteursrechtelijk beschermd materiaal. Dat moet alsnog gebeuren op verbeurte van een dwangsom van 1000 euro per dag.

Source: Usenetprovider Eweka moet persoonsgegevens overleggen – Emerce

Artificial tongues can discriminate between whiskeys

We present simple tongues consisting of fluorescent polyelectrolytes or chimeric green fluorescent proteins (GFPs) to discriminating 33 different whiskies according to their country of origin (Ireland, US, or Scotland), brand, blend status (blend or single malt), age, and taste (rich or light). The mechanism of action for these tongues is differential quenching of the fluorescence of the poly(aryleneethynylene)s or the GFPs by the complex mixture of colorants (vanillin, vanillic acid, oak lactones, tannins, etc.; the interactome) extracted from the oak barrels and added caramel coloring. The differential binding and signal generation of the interactomes to the polymers and proteins result from hydrophobic and electrostatic interactions. The collected quenching data, i.e., the response patterns, were analyzed by linear discriminant analysis. Our tongues do not need any sample preparation and are equal or superior to state-of-the-art mass spectrometric methods with respect to speed, resolution, and efficiency of discrimination.

Which means the artificial tongues can taste stuff without having to decompose it in any way either.

Ex-Admin Deletes All Customer Data and Wipes Servers of Dutch Hosting Provider

Verelox, a provider of dedicated KVM and VPS servers based in The Hague, Netherlands, suffered a catastrophic outage after a former administrator deleted all customer data and wiped most of the company’s servers.

Source: Ex-Admin Deletes All Customer Data and Wipes Servers of Dutch Hosting Provider

The “Doubleswitch” social media attack: how to lock people out of social media accounts and use them to spread fake news

With the Doubleswitch attack, a hijacker takes control of a victim’s account through one of several attack vectors. People who have not enabled an app-based form of multifactor authentication for their accounts are especially vulnerable. For instance, an attacker could trick you into revealing your password through phishing. If you don’t have multifactor authentication, you lack a secondary line of defense. Once in control, the hijacker can then send messages and also subtly change your account information, including your username. The original username for your account is now available, allowing the hijacker to register for an account using that original username, while providing different login credentials. Now, if you try to recover your original account by resetting your password, the reset email will be sent directly to the hijacker.

Source: The “Doubleswitch” social media attack: a threat to advocates in Venezuela and worldwide – Access Now

Artificial intelligence can now predict suicide risk with remarkable accuracy

In trials, results have been 80-90% accurate when predicting whether someone will attempt suicide within the next two years, and 92% accurate in predicting whether someone will attempt suicide within the next week.

The prediction is based on data that’s widely available from all hospital admissions, including age, gender, zip codes, medications, and prior diagnoses. Walsh and his team gathered data on 5,167 patients from Vanderbilt University Medical Center that had been admitted with signs of self-harm or suicidal ideation. They read each of these cases to identify the 3,250 instances of suicide attempts.

This set of more than 5,000 cases was used to train the machine to identify those at risk of attempted suicide compared to those who committed self-harm but showed no evidence of suicidal intent. The researchers also built algorithms to predict attempted suicide among a group 12,695 randomly selected patients with no documented history of suicide attempts. It proved even more accurate at making suicide risk predictions within this large general population of patients admitted to the hospital.

Source: Artificial intelligence can now predict suicide risk with remarkable accuracy

Hackers Can Spoof Phone Numbers, Track Users via 4G VoLTE Mobile Technology

A team of researchers from French company P1 Security has detailed a long list of issues with the 4G VoLTE telephony, a protocol that has become quite popular all over the world in recent years and is currently in use in the US, Asia, and most European countries.
[…]
Researchers say that an attacker on the same network can send modified SIP INVITE messages to brute-force the mobile provider and get a list of all users on its network.
[…]
This could be an issue with lawful interception (surveillance) because it allows possible crime suspects a way to create covert data communications channels.
[…]
Researchers warn that this is a “critical” issue that may result in attackers accessing another person’s voice mail, or could cause problems for law enforcement monitoring criminals, who would be able to avoid surveillance by placing calls from another phone number.

Not mentioned by researchers, but a plausible scenario, is if tech support scammers would spoof the phone numbers of legitimate companies to call customers and obtain sensitive information such as passwords, card PINs, and other.
[…]
Researchers recommend that mobile telcos sanitize the headers of “200 OK” messages and remove any equipment info that may allow an attacker to create a virtual map of its network. This information is dangerous because it allows threat actors to plan and carry out finely-tuned attacks against the mobile operator.
[…]
Researchers discovered that by watching VoLTE traffic on an Android that’s initiating a call, intermediary messages exchanged before establishing a connection reveal information about the callee (victim)’s IMEI number.
[…]
attackers could initiate shadow calls, detect the victim’s approximate location, and hang up before the phone call is established.

Source: Hackers Can Spoof Phone Numbers, Track Users via 4G VoLTE Mobile Technology

Chinese Windows 10 doesn’t spy on you

Weg met telemetrie en ruime dataverzameling – het kan dus wel.

Source: Wil je privacy? Gebruik dan de Chinese Windows 10!

Microsoft has released a version of Windows 10 for the Chinese (!) market that doesn’t send all sorts of telemetry and private data to itself. This version is not available for the rest of us, in the rest of the world, Microsoft still has you as a secondary product.

Samsung forces unkillable adverts down Galaxy S8 buyers’ throats

“Hier heb ik geen 1000 dollar voor betaald!”

Source: Samsung verrast gebruikers met advertenties op Galaxy S8 – Webwereld

They come with the gaming service which cannot be disabled or uninstalled unless you’re root. Considering you pay through the nose for the most breakable piece of hardware there is, this sounds like a great reason to not buy Samsung any more.

Apple Rolls Out New Feature That Permanently Associates Devices with Apps, Even After Deletion

Tim Cook once scolded Travis Kalanick about Uber’s practice of tracking users even after they deleted the app from their iPhones. But in its newest operating system, iOS 11, Apple is rolling out a feature that will allow the same type of tracking—but with fewer privacy implications.

Apple’s new feature is called DeviceCheck and, if developers choose to use it, it will allow them to fingerprint and persistently track users’ iPhones, even if a user deletes the app or wipes their phone completely, using Apple as an intermediary.

To be clear, this kind of fingerprinting does not allow for location tracking. It lets developers keep track of former users’ devices so that, if they ever come back to the app, the developers will know they’ve been there before.

Source: Apple Rolls Out New Feature That Permanently Associates Devices with Apps, Even After Deletion

So what happens if you buy a second hand iphone?

Malware Uses Router LEDs to Air Gap Data From Secure Networks

This malware will intercept specific data passing through the router, break it down into its binary format, and use a router LED to signal the data to a nearby attacker, with the LED turned on standing for a binary one and the LED turned off representing a binary zero.

An attacker with a clear line of sight to the equipment can record the blinking operation. This “attacker” can be a security camera, a company insider, recording equipment mounted on a drone, and various other setups where a video recording device has a clear sight of the router or switch’s blinking LEDs.
The more router LEDs, the higher the exfiltration speed

During their tests, researchers say they’ve tested various configurations for the video recording setup, such as optical sensors, security/CCTV cameras, extreme cameras, smartphone cameras, wearable/hidden cameras, and others.

The research team says it achieved the best results with optical sensors because they are capable of sampling LED signals at high rates, enabling data reception at a higher bandwidth than other typical video recording equipment.

Researchers say that by using optical sensors, they were able to exfiltrate data at a rate of more than 1000 bit/sec per LED. Since routers and switches have more than one LED, the exfiltration speed can be increased many times over if multiple LEDs are used for data exfiltration. Basically, the more ports the router and switch has, the more data the malware can steal from the device.

Source: Malware Uses Router LEDs to Steal Data From Secure Networks

Scientists Are Now Using AI to Predict Autism in Infants

Despite all the headway that science has made in understanding autism in recent years, knowing which children will one day develop autism is still almost impossible to predict. Children diagnosed with autism appear to behave normally until around two, and until then there is often no indication that anything is wrong.
[…]
In a paper out Wednesday in Science Translational Medicine, researchers from the University of North Carolina at Chapel Hill and Washington University School of Medicine scanned the brains of 59 high-risk, 6-month-old infants to examine how different regions of the brain connect and interact. At age two, after 11 of those infants had been diagnosed with autism, they scanned their brains again.
[…]
Using this method, researchers were able to accurately predict nine of the 11 infants who would wind up with an autism diagnosis. And it did not incorrectly predict any of the children who were not autistic.

“Our treatments of autism today have a modest impact at best,” said Joseph Piven, a psychiatrist at UNC Chapel Hill and author of the study, told Gizmodo. “People with autism continue to have challenges throughout their life. But there’s general consensus in the field that diagnosing earlier means better results.”

Source: Scientists Are Now Using AI to Predict Autism in Infants

The open source community is nasty and that’s just the docs

The 2017 Open Source Survey was hosted on GitHub, which “collected responses from 5,500 randomly sampled respondents sourced from over 3,800 open source repositories” and then added “over 500 responses from a non-random sample of communities that work on other platforms.” The questionnaire was also made available in Traditional Chinese, Japanese, Spanish, and Russian.

Interestingly, those behind the survey broke out “negative incidents” into a separate spreadsheet in that trove. That data reveals that 18 per cent of open source contributors have “personally experienced a negative interaction with another user in open source”. Fully half of participants “have witnessed one between other people”.

Most of the negative behaviour is explained as “rudeness”, which has been experienced witnessed by 45 per cent of participants and experienced by 16 per cent. GitHub’s summary of the survey says really nasty stuff like “sexual advances, stalking, or doxxing are each encountered by less than five per cent of respondents and experienced by less than two per cent (but cumulatively witnessed by 14%, and experienced by three per cent).” Twenty five per cent of women respondents reported experiencing “language or content that makes them feel unwelcome”, compared to 15 per cent of men.

This stuff has consequences: 21 per cent of those who see negative behaviour bail from projects they were working on.

Source: The open source community is nasty and that’s just the docs

Biogenic non-crystalline U(IV) revealed as major component in uranium ore deposits

Historically, it is believed that crystalline uraninite, produced via the abiotic reduction of hexavalent uranium (U(VI)) is the dominant reduced U species formed in low-temperature uranium roll-front ore deposits. Here we show that non-crystalline U(IV) generated through biologically mediated U(VI) reduction is the predominant U(IV) species in an undisturbed U roll-front ore deposit in Wyoming, USA. Characterization of U species revealed that the majority (∼58-89%) of U is bound as U(IV) to C-containing organic functional groups or inorganic carbonate, while uraninite and U(VI) represent only minor components. The uranium deposit exhibited mostly 238U-enriched isotope signatures, consistent with largely biotic reduction of U(VI) to U(IV). This finding implies that biogenic processes are more important to uranium ore genesis than previously understood. The predominance of a relatively labile form of U(IV) also provides an opportunity for a more economical and environmentally benign mining process, as well as the design of more effective post-mining restoration strategies and human health-risk assessment.

Source: Biogenic non-crystalline U(IV) revealed as major component in uranium ore deposits

Geologists now believe uranium is produced biologically, in a series of chemical reactions in Earth’s crust that take place over millions of years.

A team of biogeochemists has spotted promising signs that living microorganisms can also produce uranium, albeit in a different form than in the mineral uraninite. By analyzing the composition of uranium from 650-foot-deep samples mined in Wyoming – and using synchotron radiation-based spectroscopy and isotope fingerprinting – they found that 89 per cent of the uranium was bound to inorganic carbonate instead of being in uraninite ore.

The deposits match up to a series of biochemical reactions present in dissimilatory metal-reducing bacteria, a class of microbes that oxidize organic matter and produce metals in the process of anaerobic respiration. In other words, the bacteria use uranium instead of oxygen for energy.

The Register

Stock Stream – Worlds First Multiplayer Stock Market Game Using Real Money

Anyone can vote in the Stock Stream Twitch Channel on which stocks should be bought or sold. Trades are executed automatically using Robinhood.

How much money is available?

The account is funded with $50,000 though unfortunately, due to FINRA/SEC regulations, trading will halt if the account value falls below $25,000.

Source: Stock Stream – Worlds First Multiplayer Stock Market Game Using Real Money

Unfortunately I haven’t found any figures about how well or badly this is doing

Identity Manager OneLogin Has Suffered a Nasty Looking Data Breach

On Wednesday, OneLogin—a company that allows users to manage logins to multiple sites and apps all at once—announced it had suffered some form of breach. Although it’s not clear exactly what data has been taken, OneLogin says that all customers served by the company’s US data centre are impacted, and has quietly issued a set of serious steps for affected customers to take.

“Today we detected unauthorized access to OneLogin data in our US region,” the company wrote in a blog post.

Notably, the public blog post omitted certain details that OneLogin mentioned to customers in an email; namely that hackers have stolen customer information.

“Customer data was compromised, including the ability to decrypt encrypted data,” according to a message OneLogin sent to customers. Multiple OneLogin customers provided Motherboard with a copy of the message.

The message also directed customers to a list of required steps to minimize any damage from the breach, which in turn gave an indication of just how serious this episode might be.

According to copies of those steps, users are being told to generate new API keys and OAuth tokens (OAuth being a system for logging into accounts); create new security certificates as well as credentials; recycle any secrets stored in OneLogin’s Secure Notes feature; have end-users update their passwords, and more.

“Dealing with aftermath,” one customer told Motherboard. “This is a massive leak.”

Source: Identity Manager OneLogin Has Suffered a Nasty Looking Data Breach

Microsoft releases v2 of their AI system, Cognitive Toolkit

CNTK 2.0 The first production release of Cognitive Toolkit v.2.

Highlights:

CNTK backend for Keras.
Extremely fast binary convolution with Halide.
Java API.
A new set of NuGet Packages.
Multiple bug fixes.

Github

FIREBALL – The Chinese Malware run by Rafotech has 250 Million Computers Infected

Check Point Threat Intelligence and research teams recently discovered a high volume Chinese threat operation which has infected over 250 million computers worldwide. The installed malware, Fireball, takes over target browsers and turns them into zombies. Fireball has two main functionalities: the ability of running any code on victim computers–downloading any file or malware, and hijacking and manipulating infected users’ web-traffic to generate ad-revenue. Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but just as easily it can turn into a prominent distributor for any additional malware.

This operation is run by Rafotech, a large digital marketing agency based in Beijing. Rafotech uses Fireball to manipulate the victims’ browsers and turn their default search engines and home-pages into fake search engines. This redirects the queries to either yahoo.com or Google.com. The fake search engines include tracking pixels used to collect the users’ private information. Fireball has the ability to spy on victims, perform efficient malware dropping, and execute any malicious code in the infected machines, this creates a massive security flaw in targeted machines and networks.

Source: FIREBALL – The Chinese Malware of 250 Million Computers Infected | Check Point Blog

Chinese e-tailer beats Amazon to the skies with one-ton delivery drones as FAA sleeps through everything

JD.com, China’s largest online retailer, has announced it is beginning trials of a new delivery drone capable of carrying a ton of cargo to rural Chinese customers.

Just like Amazon, JD.com (also known as “Jingdong”) has a vast network of warehouses and delivery networks crisscrossing the Middle Kingdom and, like Amazon, it sees drones as an ideal way to leapfrog over poor infrastructure to get the goods to its customers.

To that end, JD.com has set up a drone airbase in the Shaanxi province of central China and will use the massive drones to deliver goods over a 300-mile radius. It is also building a drone production line at Xi’an National Civil Aerospace Industrial Base, which has allocated five kilometers of airspace for testing the hardware.

“We envision a network that will be able to efficiently transport goods between cities, and even between provinces, in the future,” said CEO of JD.com’s logistics business group, Wang Zhenhui. “This is a milestone not only for JD, but for the entire transportation industry as we extend our logistics services to other shippers on and off of JD.com.”

It’s not just distances that the firm is looking to conquer. JD.com has 65,000 employees to handle its logistics and that comes up to a big wages bill. And with 235 million regular customers, there’s a lot of stuff to deliver.

Amazon boss Jeff Bezos is well aware that drones could play a similar role in the US, but is currently stymied because the Federal Aviation Administration can’t decide how to regulate the airways.

This has caused immense frustration for Amazon, which panned the FAA for taking 10 months to clear the flights of its first experimental drone. By that time, the applications approval was useless because the company had already built bigger and better drones.

As a result, Amazon has now shifted its drone development facilities to Canada and the UK, and progress has been somewhat slower than its Chinese rivals. Here at Vulture West we’ve had our own run-ins with the FAA’s glacial progress, but advances abroad underscore the consequences of federal dithering. ®

Source: Chinese e-tailer beats Amazon to the skies with one-ton delivery drones • The Register

CCC | Chaos Computer Clubs breaks iris recognition system of the Samsung Galaxy S8

A new test conducted by CCC hackers shows that this promise cannot be kept: With a simple to make dummy-eye the phone can be fooled into believing that it sees the eye of the legitimate owner. A video shows the simplicity of the method. [0]

Iris recognition may be barely sufficient to protect a phone against complete strangers unlocking it. But whoever has a photo of the legitimate owner can trivially unlock the phone. „If you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN-protection is a safer approach than using body features for authentication“, says Dirk Engling, spokesperson for the CCC. Samsung announced integration of their iris recognition authentication with its payment system „Samsung Pay“. A successful attacker gets access not only to the phone’s data, but also the owner’s mobile wallet.

Source: CCC | Chaos Computer Clubs breaks iris recognition system of the Samsung Galaxy S8

 
Skip to toolbar