Stop us if you’ve heard this one: Apple’s password protection in macOS can be thwarted

An Apple developer has uncovered another embarrassing vulnerability in macOS High Sierra, aka version 10.13, that lets someone bypass part of the operating system’s password protections.

This time, a vulnerable dialog box was found in the System Preferences panel for the App Store settings. The bug, reported by developer Eric Holtam to the Open Radar bug tracker, has since been verified by Mac-toting netizens.

The bug allows a user logged in with admin rights (this is important to note) to get around the password requirement when making changes in the App Store settings panel. Open the App Store settings panel, click on the padlock to make changes, a password prompt pops up, type in any string of text, and the “password” is accepted, unlocking the preferences panel.

Aaron Lint, veep of research at infosec biz Arxan, claimed the trick can also be used to bypass the login requirements for some other settings panels as well, but not the important “Users and Groups” and “Security and Privacy” controls.

Source: Stop us if you’ve heard this one: Apple’s password protection in macOS can be thwarted • The Register

Violating a Website’s Terms of Service Is Not a Crime, Federal Court Rules

The federal court of appeals heeded EFF’s advice and rejected an attempt by Oracle to hold a company criminally liable for accessing Oracle’s website in a manner it didn’t like. The court ruled back in 2012 that merely violating a website’s terms of use is not a crime under the federal computer crime statute, the Computer Fraud and Abuse Act. But some companies, like Oracle, turned to state computer crime statutes — in this case, California and Nevada — to enforce their computer use preferences. This decision shores up the good precedent from 2012 and makes clear — if it wasn’t clear already — that violating a corporate computer use policy is not a crime.

Source: Violating a Website’s Terms of Service Is Not a Crime, Federal Court Rules – Slashdot

Boffins tweak audio by 0.1% to fool speech recognition engines

A paper by Nicholas Carlini and David Wagner of the University of California, Berkeley has shown off a technique to trick speech recognition by changing the source waveform by 0.1 per cent.

The pair wrote at arXiv that their attack achieved a first: not merely an attack that made a speech recognition (SR) engine fail, but one that returned a result chosen by the attacker.

In other words, because the attack waveform is 99.9 per cent identical to the original, a human wouldn’t notice what’s wrong with a recording of “it was the best of times, it was the worst of times”, but an AI could be tricked into transcribing it as something else entirely: the authors say it could produce “it is a truth universally acknowledged that a single” from a slightly altered sample.

It works every single time: the pair claimed a 100 per cent success rate for their attack, and frighteningly, an attacker can even hide a target waveform in what (to the observer) appears to be silence.

Source: Boffins tweak audio by 0.1% to fool speech recognition engines • The Register
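To make the mechanism concrete, here is an added example (not code from the paper or from the authors) of a targeted adversarial perturbation against a toy linear "recognizer" written in stdlib Python. A real speech-to-text network is nonlinear and the paper attacks it through its CTC loss, so the only thing carried over is the shape of the result: a perturbation delta, small relative to the waveform x, that makes the model emit a class the attacker chose. The model weights, the 8 kHz synthetic waveform and the class labels are all constructed here; the distortion metric dB_x(delta) = dB(delta) - dB(x) with dB(v) = 20·log10 max|v| is the one the paper reports.

```python
import math
import random


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def make_model(n_samples, n_classes, seed=7):
    """Toy linear recognizer: one weight vector per output 'transcript' class.
    Constructed stand-in for this example, not a real speech-to-text network."""
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(n_samples)] for _ in range(n_classes)]


def scores(model, x):
    return [dot(w, x) for w in model]


def predict(model, x):
    s = scores(model, x)
    return max(range(len(s)), key=s.__getitem__)


def targeted_perturbation(model, x, target, margin=1e-3, max_iter=1000):
    """Additive delta that makes the model output `target`.

    For a linear model the shortest (L2) move that lets class t overtake the
    currently winning class c is along (w_t - w_c). Each step closes the score
    gap to c plus `margin`; because w_t's own norm dominates the cross terms,
    every step also shrinks the lead of every other class, so a few steps suffice."""
    delta = [0.0] * len(x)
    for _ in range(max_iter):
        adv = [xi + di for xi, di in zip(x, delta)]
        s = scores(model, adv)
        c = max(range(len(s)), key=s.__getitem__)
        if c == target:
            return delta
        d = [wt - wc for wt, wc in zip(model[target], model[c])]
        step = ((s[c] - s[target]) + margin) / dot(d, d)
        delta = [di + step * dj for di, dj in zip(delta, d)]
    raise RuntimeError("targeted attack did not converge")


def distortion_db(x, delta):
    """dB_x(delta) = dB(delta) - dB(x) with dB(v) = 20*log10(max|v|):
    how loud the perturbation is relative to the signal (more negative = quieter)."""
    peak = lambda v: max(abs(t) for t in v)
    return 20.0 * math.log10(peak(delta)) - 20.0 * math.log10(peak(x))


def relative_l2(x, delta):
    return math.sqrt(dot(delta, delta)) / math.sqrt(dot(x, x))


def demo(n_samples=2000, n_classes=8, seed=1):
    """Attack a constructed 0.25 s, 8 kHz waveform (decaying 440 Hz tone plus noise)."""
    rng = random.Random(seed)
    model = make_model(n_samples, n_classes)
    x = [0.5 * math.sin(2 * math.pi * 440 * i / 8000) * math.exp(-i / 1500)
         + rng.gauss(0.0, 0.01) for i in range(n_samples)]
    original = predict(model, x)
    target = (original + 1) % n_classes        # any class the attacker wants
    delta = targeted_perturbation(model, x, target)
    adv = [xi + di for xi, di in zip(x, delta)]
    return {
        "original_class": original,
        "target_class": target,
        "adversarial_class": predict(model, adv),
        "relative_l2": relative_l2(x, delta),
        "distortion_db": distortion_db(x, delta),
    }


if __name__ == "__main__":
    r = demo()
    print(f"{r['original_class']} -> {r['adversarial_class']} (wanted {r['target_class']}); "
          f"||delta||/||x|| = {r['relative_l2']:.4f}, dB_x(delta) = {r['distortion_db']:.1f}")
```

The numbers this prints are for the toy model only; the take-away is structural. Because the classifier is linear in thousands of samples, a per-sample nudge far below the signal's peak adds up to a score shift large enough to pick any output, and the dB figure lands in the same "quieter than the recording" regime the paper describes for real speech models.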

Nissan’s Car of the Future Will Read Your Brain Waves

The Japanese company will unveil and test its “brain-to-vehicle” technology at next week’s Consumer Electronics Show in Las Vegas. The “B2V” system requires a driver to wear a skullcap that measures brain-wave activity and transmits its readings to steering, acceleration and braking systems that can start responding before the driver initiates the action.

The driver still turns the wheel or hits the gas pedal, but the car anticipates those movements and begins the actions 0.2 seconds to 0.5 seconds sooner, said Lucian Gheorghe, a senior innovation researcher at Nissan overseeing the project. The earlier response should be imperceptible to drivers, he said.

“We imagine a future where manual driving is still a value of society,” said Gheorghe, 40, who earned a doctorate in applied neural technology. “Driving pleasure is something as humans we should not lose.”

Source: Nissan’s Car of the Future Will Read Your Brain Waves – Bloomberg

Unitek USB 3.0 to SATA Adapter Cable for 2.5″ SSD or HDD – Hard Drive Adapter: turns your hard disk into portable storage

Supports 2.5″ SATA I/II/III hard drives and solid state drives. USB 3.0 supports data transfer speeds up to 5 Gbps; backwards compatible with USB 2.0/1.0.
Efficient UASP transfer protocol. An included cover protects the SATA connector from dust.
Portable and lightweight design makes it easy to carry. LED light shows power and activity status.
Supports hot swapping; easy, tool-free installation. No drivers or software needed.
What we offer: Unitek USB 3.0 to SATA 6G Adapter x1, 2-year warranty quality guarantee, 24h friendly customer service and email support.

What people hate and love at differing ages, visualised

Exploring over 30 million feelings towards 3,000+ topics.

Source: 10 Things Everyone Hates About You

Man’s YouTube Video of White Noise Hit With Five Copyright Claims

On Thursday, Tomczak tweeted a screenshot of the complaints that have been lodged against his video, “10 Hours of Low Level White Noise.” The clip is exactly what its title advertises, and the absurdity of someone claiming ownership of a bunch of frequencies with equal intensity playing simultaneously—that’s all white noise is—clearly illustrates just how beyond broken YouTube’s automated copyright system really is.
What’s most egregious about the situation is that the claimants aren’t just disputing Tomczak’s right to upload the video—they’ve elected to monetize it and leave it up. Tomczak isn’t missing out on any big profits (the video only has 1,485 views), but running around YouTube monetizing white noise has plenty of opportunities to be a moneymaker. A simple search pulls up millions of white noise videos and many of them have millions of views. A lot of the offerings are relaxing sounds like rain or a fan, but there’s plenty of good, old-fashioned TV static that’s quite popular.

Source: Man’s YouTube Video of White Noise Hit With Five Copyright Claims

Yahooooo! says! its! email! is! scrahoooo-ed!

Yahoo! Mail – yes, amazingly it is still a thing – is today taking a break from business-as-usual norms, with the service down for almost the past seven hours.

Since circa 9am, the email service has received hundreds of complaints an hour, with users moaning about persistent “error 15” messages, and others telling of short periods of functionality before being kicked out of their accounts.

Yahoo’s customer care Twitter account belatedly acknowledged the outage after 2pm, saying it had “received reports that users are seeing temporary access errors when accessing #YahooMail”, and that it was “working to fix this as quickly as possible.”

More than a full hour later, the social media ninjas at Yahoo updated the customer base to say it still didn’t know when it would be able to make things better.

Source: Yahooooo! says! its! email! is! scrahoooo-ed! • The Register

The joys of the cloud…

How a Reddit Email Vulnerability Led to Thousands in Stolen Bitcoin Cash

The exploit allowed hackers to request a password reset for a target account and then click the generated link without opening the email it had been sent in. How was this possible? Theories circulated, buoyed by posts on Hacker Noon and The Next Web: was it r/bitcoin users out to cause trouble, or a Reddit admin gone rogue?

But this attack had an incentive beyond ideology. What made the users of r/btc such a rich target was the deployment of a bot account called Tippr, which was used, among other things, to reward a particularly funny or insightful comment. By tagging someone and designating an amount, Tippr withdrew some BCH from your hot wallet and allocated it to the recipient. Given that Tippr is active on both Reddit and Twitter (where it provides its donation service for such heavyweights as the Tor Project), there was easy money to be had.

Source: How a Reddit Email Vulnerability Led to Thousands in Stolen Bitcoin Cash
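The article does not say how the attacker obtained the reset link, so the following is an added example (not Reddit's code, and not a description of the actual flaw) of the property a reset-token design needs for that attack to fail: the token must be unguessable from anything the attacker already knows, stored only as a hash, short-lived, and single-use. The weak scheme, the user name and the fake clock are constructed for contrast.

```python
import hashlib
import secrets
import time


# ---- Weak scheme: constructed anti-pattern, derived only from public inputs ----
def weak_reset_token(username, day):
    """Token = sha256(username:day). The hash function is not the problem:
    anyone who knows the username can recompute the token and visit the reset
    link without ever seeing the e-mail."""
    return hashlib.sha256(f"{username}:{day}".encode()).hexdigest()


# ---- Hardened scheme ----
class ResetTokenStore:
    """Unguessable, hashed-at-rest, expiring, single-use reset tokens."""

    TTL_SECONDS = 15 * 60

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # sha256(token) -> (username, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username):
        token = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
        expires_at = self._clock() + self.TTL_SECONDS
        # Only the hash is kept, so a database read does not yield usable links.
        self._pending[self._digest(token)] = (username, expires_at)
        return token    # belongs in the e-mailed link only; never log or store it raw

    def redeem(self, token):
        """Return the account the token unlocks, or None. The entry is removed
        on first presentation whether or not it was still valid."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() > expires_at:
            return None
        return username


def demo():
    # Attacker knows only the victim's username and today's date.
    victim, day = "victim", "2018-01-03"
    emailed_token = weak_reset_token(victim, day)      # what the site e-mailed
    attacker_token = weak_reset_token(victim, day)     # recomputed, no mailbox needed

    now = [1_000_000.0]                       # fake clock so expiry is testable
    store = ResetTokenStore(clock=lambda: now[0])
    real = store.issue(victim)
    guess_result = store.redeem(secrets.token_urlsafe(32))   # attacker's best effort
    first = store.redeem(real)                # legitimate click
    second = store.redeem(real)               # replay of the same link

    stale = store.issue(victim)
    now[0] += ResetTokenStore.TTL_SECONDS + 1
    expired = store.redeem(stale)

    return {
        "weak_token_recomputed": attacker_token == emailed_token,
        "hardened_guess": guess_result,
        "hardened_first_redeem": first,
        "hardened_second_redeem": second,
        "hardened_expired_redeem": expired,
    }


if __name__ == "__main__":
    print(demo())
```

Two details matter beyond the random token itself. Hashing before storage means a leaked or read-only-compromised table does not hand out working links, and popping the entry on first presentation means a link that was intercepted after the legitimate user clicked it is already dead.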

This Ex-NSA Hacker Is Building an AI to Find Hate Symbols on Twitter

NEMESIS, according to Crose, can help spot symbols that have been co-opted by hate groups to signal to each other in plain sight. At a glance, the way NEMESIS works is relatively simple. There’s an “inference graph,” which is a mathematical representation of trained images, classified as Nazi or white supremacist symbols. This inference graph trains the system with machine learning to identify the symbols in the wild, whether they are in pictures or videos.

Source: This Ex-NSA Hacker Is Building an AI to Find Hate Symbols on Twitter – Motherboard

Auto like Instagram pics Bot

Bot to automatically like your friends’ Instagram posts, and notify you on your Slack channel.

This script calls the Instagram API every 15 minutes (via a cron job) and checks for any new Instagram post by a particular user_id. If a new post is found, it likes the post and sends a notification to your configured Slack channel using Slack Webhooks.
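As an added sketch of how such a cron-driven bot is usually structured (this is not the project's code; the post shape returned by the Instagram API, the like call and the webhook URL are assumptions), the example below separates the one-tick logic from the network calls so it can be run offline. The detail a practitioner wants to see is the persisted set of already-seen post IDs: without it, every 15-minute run would re-like and re-announce the same posts, and the very first run would like the whole backlog. The Slack incoming-webhook payload (`{"text": ...}` posted as JSON) is the documented format; the feed below is constructed.

```python
import json
import os
import tempfile
import urllib.request


def slack_notify(webhook_url, text, opener=urllib.request.urlopen):
    """Post `text` to a Slack incoming webhook. `opener` is injectable so the
    logic can be exercised without network access."""
    body = json.dumps({"text": text}).encode()
    req = urllib.request.Request(webhook_url, data=body,
                                 headers={"Content-Type": "application/json"})
    with opener(req) as resp:
        return resp.status


def load_seen(path):
    """Return the set of post IDs seen so far, or None on the very first run."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return set(json.load(fh))


def save_seen(path, seen):
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(sorted(seen), fh)
    os.replace(tmp, path)          # atomic: a crash mid-write can't corrupt state


def run_once(user_id, fetch_posts, like_post, notify, state_path):
    """One cron tick. `fetch_posts(user_id)` is assumed to return a list of
    dicts with at least "id" and "permalink". Returns the IDs liked this tick."""
    seen = load_seen(state_path)
    first_run = seen is None
    if first_run:
        seen = set()                # record the backlog, don't like it
    liked = []
    for post in fetch_posts(user_id):
        if post["id"] in seen:
            continue
        if not first_run:
            like_post(post["id"])
            notify(f"Liked new post by {user_id}: {post['permalink']}")
            liked.append(post["id"])
        seen.add(post["id"])
    save_seen(state_path, seen)
    return liked


class _FakeResponse:
    status = 200
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def demo():
    """Three ticks against a constructed feed: bootstrap, one new post, nothing new;
    plus the webhook call against a fake opener."""
    feed = [{"id": "p1", "permalink": "https://example.invalid/p/p1"}]
    likes, messages, sent = [], [], []
    with tempfile.TemporaryDirectory() as d:
        state = os.path.join(d, "seen.json")
        tick1 = run_once("friend", lambda uid: list(feed), likes.append, messages.append, state)
        feed.insert(0, {"id": "p2", "permalink": "https://example.invalid/p/p2"})
        tick2 = run_once("friend", lambda uid: list(feed), likes.append, messages.append, state)
        tick3 = run_once("friend", lambda uid: list(feed), likes.append, messages.append, state)

    def fake_opener(req):
        sent.append(json.loads(req.data))
        return _FakeResponse()
    # Placeholder URL; a real one comes from SLACK_WEBHOOK_URL in the environment.
    status = slack_notify("https://hooks.slack.com/services/T000/B000/XXXX", "hello", opener=fake_opener)

    return {"tick1": tick1, "tick2": tick2, "tick3": tick3, "likes": likes,
            "messages": messages, "slack_status": status, "slack_payload": sent[0]}


if __name__ == "__main__":
    print(demo())
```

Keep the webhook URL and any Instagram token in the environment of the cron entry rather than in the script or repository: an incoming-webhook URL is a bearer secret, and anyone who obtains it can post into the channel.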


Western Digital ‘My Cloud’ devices have a hardcoded backdoor — stop using these NAS drives NOW!

Today, yet another security blunder becomes publicized, and it is really bad. You see, many Western Digital My Cloud NAS drives have a hardcoded backdoor, meaning anyone can access them — your files could be at risk. It isn’t even hard to take advantage of it — the username is “mydlinkBRionyg” and the password is “abc12345cba” (without quotes). To make matters worse, it was disclosed to Western Digital six months ago and the company apparently did nothing until November 2017. Let’s be realistic — not everyone stays on top of updates, and a backdoor never should have existed in the first place.

Source: Western Digital ‘My Cloud’ devices have a hardcoded backdoor — stop using these NAS drives NOW!

Rs 500, 10 minutes, and you have access to a billion Aadhaar (Indian social security) details

It took just Rs 500, paid through Paytm, and 10 minutes in which an “agent” of the group running the racket created a “gateway” for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email.

What is more, The Tribune team paid another Rs 300, for which the agent provided “software” that could facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual.

Source: Rs 500, 10 minutes, and you have access to billion Aadhaar details

Ridiculously, the reporters of this news are now facing governmental investigation, instead of getting the recognition they deserve.
Snowden on Twitter

Major Cryptocurrency Index Excludes Korean Prices Without Warning, creates apparent drop in prices

CoinMarketCap, arguably the most prominent global index of cryptocurrency prices, triggered a wave of anxiety and anger this morning when it removed a group of Korean cryptocurrency exchanges from its price calculations.

Though the change was apparently made at midnight Sunday U.S. EST, CoinMarketCap did not publicize it until midday on Monday, saying that the Korean exchanges showed “extreme divergence in prices from the rest of the world and limited arbitrage opportunity.”

“This morning we excluded some Korean exchanges in price calculations due to the extreme divergence in prices from the rest of the world and limited arbitrage opportunity. We are working on better tools to provide users with the averages that are most relevant to them.” — CoinMarketCap (@CoinMarketCap) January 8, 2018

The move resulted in a sharp drop in CoinMarketCap’s measurement of nearly all cryptocurrencies. That gave the impression that a broad market decline, already in progress, had become even more dramatic overnight. As news of the cause for the sharp drop spread Monday, most cryptocurrency prices began recovering losses.

Source: Major Cryptocurrency Index Excludes Korean Prices Without Warning | Fortune

Our Solar System is an exception: most planets have more regular spacing and sizing

They found that planets in the same planetary system have correlated sizes. “Each planet is more likely to be the size of its neighbor than a size drawn at random from the distribution of observed planet sizes,” the paper said. If the system contains three or more planets, the planets are also more likely to be spaced regularly. Smaller planets seem to sit closer together than larger planets, leading scientists to believe that the patterns developed early during their formation.
This is at odds with our Solar System, Weiss explained to The Register. “Unlike these exoplanetary systems, the solar system has incredible size diversity. Earth is more than twice the radius of Mercury, Neptune is four times the radius of Earth, and Jupiter is ten times the radius of Earth. Also, the terrestrial planets are very widely spaced.”

The authors suggested the complex gravitational interactions between Jupiter and Saturn are to blame. When the terrestrial planets were still forming, Jupiter and Saturn scattered the protoplanets and increased the number of collisions among them.

Source: Astroboffins say our Solar System is a dark, violent, cosmic weirdo • The Register

SteelSeries’ Dual-Sensor Mouse Could Be the King of Precision

The Rival 600 even has its own CPU and storage tucked inside, so that once you get everything configured just the way you like, you can save those settings directly in the mouse, so you won’t need to re-download the SteelSeries app if you play with it on a different machine.

Source: SteelSeries’ Dual-Sensor Mouse Could Be the King of Precision

What I really really dislike about Razer’s offering is that their control panel requires an online account and connection. The settings and who knows what else are stored in their ‘cloud’. For a mouse or keyboard driver, this seems to me to be totally unnecessary and an invasion of privacy. This looks like a good alternative.

AI System Sorts News Articles By Whether or Not They Contain Actual Information

In a recent paper published in the Journal of Artificial Intelligence Research, computer scientists Ani Nenkova and Yinfei Yang, of Google and the University of Pennsylvania, respectively, describe a new machine learning approach to classifying written journalism according to a formalized idea of “content density.” With an average accuracy of around 80 percent, their system was able to accurately classify news stories across a wide range of domains, spanning from international relations and business to sports and science journalism, when evaluated against a ground truth dataset of already correctly classified news articles.

Source: AI System Sorts News Articles By Whether or Not They Contain Actual Information – Motherboard

Total solar eclipse: find out when and where eclipses will be in your lifetime

On Aug. 21, a total solar eclipse will traverse the contiguous United States. It’ll be the first to traverse coast to coast in nearly a century.

Source: Total solar eclipse 2017: How rare is the Aug. 21 eclipse path? – Washington Post

The Evolution of Trust

an interactive guide to the game theory of why & how we trust each other

Source: The Evolution of Trust

Very clear and well illustrated

When a North Korean Missile Accidentally Hit a North Korean City

What happens when a North Korean ballistic missile test fails in flight and explodes in a populated area? On April 28, 2017, North Korea launched a single Hwasong-12/KN17 intermediate-range ballistic missile (IRBM) from Pukchang Airfield in South Pyongan Province (the Korean People’s Army’s Air and Anti-Air Force Unit 447 in Ryongak-dong, Sunchon City, to be more precise). That missile failed shortly after launch and crashed in Chongsin-dong, in the North Korean city of Tokchon, causing considerable damage to a complex of industrial or agricultural buildings.
As seen in image 1, had the launch succeeded, Rodong Sinmun would likely have printed an image of Kim Jong-un standing in front of the transporter-erector-mounted IRBM in a hardened tunnel.

That would have sent (and now does send) a dire message to U.S. and allied military planners: North Korea’s missiles won’t be sitting ducks at known “launch pads,” contrary to much mainstream analysis. What’s more, the proliferation of newly constructed hangars, tunnels, and storage sites cannot be assumed to stop at the Pukchang Airfield. Similar facilities likely exist across the country. In 2017, not only has North Korea tested a massive variety of strategic weaponry, but it has done so from a more diverse list of launch sites — what the U.S. intelligence community calls “ballistic missile operating areas” — than ever before. Gone are the days of Kim Jong-un supervising and observing launches at a limited list of sites that’d include Sinpo, Sohae, Wonsan, and Kittaeryong.
As North Korea’s production of now-proven IRBMs and ICBMs continues, it will have a large and diversified nuclear force spread across multiple hardened sites, leaving the preventive warfighter’s task close to impossible if the objective is a comprehensive, disarming first strike leaving Pyongyang without retaliatory options. The time is long gone to turn the clock back on North Korea’s ballistic missile program and its pre-launch basing options.

Source: When a North Korean Missile Accidentally Hit a North Korean City | The Diplomat

Rare Malware Targeting Uber’s Android App Uncovered

Malware discovered by Symantec researchers sneakily spoofs Uber’s Android app and harvests users’ passwords, allowing attackers to take over the affected users’ accounts. The malware isn’t widespread, though, and most Uber users are not affected.
In order to steal a user’s login information, the malware pops up on-screen regularly and prompts the user to enter their Uber username and password. Once a user falls for the attack and enters their information, it gets swept up by the attacker.

To cover up the credential theft, this malware uses deep links to Uber’s legitimate app to display the user’s current location—making it appear as though the user is accessing the Uber app instead of a malicious fake.

Source: Rare Malware Targeting Uber’s Android App Uncovered

Asus is turning its old routers into mesh Wi-Fi networks

Mesh routers like Eero, Netgear’s Orbi, and Google Wifi are getting all the hype these days, but replacing your whole network with a bunch of new devices can be kind of expensive. Asus has a good solution with its new AiMesh system, which lets you repurpose your existing Asus routers as part of a mesh network.

For now, the mesh support is coming to a few routers today in beta, including the ASUS RT-AC68U, RT-AC1900P, RT-AC86U, RT-AC5300, and the ROG Rapture GT-AC5300, with additional support planned for the RT-AC88U and RT-AC3100 later this year.

Source: Asus is turning its old routers into mesh Wi-Fi networks – The Verge

Google’s voice-generating AI is now indistinguishable from humans

A research paper published by Google this month—which has not been peer reviewed—details a text-to-speech system called Tacotron 2, which claims near-human accuracy at imitating audio of a person speaking from text.

The system is Google’s second official generation of the technology, which consists of two deep neural networks. The first network translates the text into a spectrogram, a visual way to represent audio frequencies over time. That spectrogram is then fed into WaveNet, a system from Alphabet’s AI research lab DeepMind, which reads the chart and generates the corresponding audio elements accordingly.

Source: Google’s voice-generating AI is now indistinguishable from humans — Quartz

Project Maven brings AI to the fight against ISIS

For years, the Defense Department’s most senior leadership has lamented the fact that US military and spy agencies, where artificial intelligence (AI) technology is concerned, lag far behind state-of-the-art commercial technology. Though US companies and universities lead the world in advanced AI research and commercialization, the US military still performs many activities in a style that would be familiar to the military of World War II.

As of this month, however, that has begun to change. Project Maven is a crash Defense Department program that was designed to deliver AI technologies—specifically, technologies that involve deep learning neural networks—to an active combat theater within six months from when the project received funding. Most defense acquisition programs take years or even decades to reach the battlefield, but technologies developed through Project Maven have already been successfully deployed in the fight against ISIS. Despite their rapid development and deployment, these technologies are getting strong praise from their military intelligence users. For the US national security community, Project Maven’s frankly incredible success foreshadows enormous opportunities ahead—as well as enormous organizational, ethical, and strategic challenges.
As its AI beachhead, the department chose Project Maven, which focuses on analysis of full-motion video data from tactical aerial drone platforms such as the ScanEagle and medium-altitude platforms such as the MQ-1C Gray Eagle and the MQ-9 Reaper. These drone platforms and their full-motion video sensors play a major role in the conflict against ISIS across the globe. The tactical and medium-altitude video sensors of the ScanEagle, MQ-1C, and MQ-9 produce imagery that more or less resembles what you see on Google Earth. A single drone with these sensors produces many terabytes of data every day. Before AI was incorporated into analysis of this data, it took a team of analysts working 24 hours a day to exploit only a fraction of one drone’s sensor data.
Now that Project Maven has met the sky-high expectations of the department’s former second-ranking official, its success will likely spawn a hundred copycats throughout the military and intelligence community. The department must ensure that these copycats actually replicate Project Maven’s secret sauce—which is not merely its focus on AI technology. The project’s success was enabled by its organizational structure: a small, operationally focused, cross-functional team that was empowered to develop external partnerships, leverage existing infrastructure and platforms, and engage with user communities iteratively during development. AI needs to be woven throughout the fabric of the Defense Department, and many existing department institutions will have to adopt project management structures similar to Maven’s if they are to run effective AI acquisition programs.
To its credit, the department selected drone video footage as an AI beachhead because it wanted to avoid some of the more thorny ethical and strategic challenges associated with automation in warfare. As US military and intelligence agencies implement modern AI technology across a much more diverse set of missions, they will face wrenching strategic, ethical, and legal challenges—which Project Maven’s narrow focus helped it avoid.

Source: Project Maven brings AI to the fight against ISIS | Bulletin of the Atomic Scientists

Gamers Want DMCA Exemption for ‘Abandoned’ Online Games

Several organizations and gaming fans are asking the Copyright Office to make a DMCA circumvention exemption for abandoned online games, to preserve them for future generations. The exemption would allow museums and libraries to offer copies of abandoned online servers, so these games won’t turn to dust.

The U.S. Copyright Office is considering whether or not to update the DMCA’s anti-circumvention provisions, which prevent the public from tinkering with DRM-protected content and devices.

These provisions are renewed every three years. To allow individuals and organizations to chime in, the Office traditionally launches a public consultation, before it makes any decisions.

This week a series of new responses were received and many of these focused on abandoned games. As is true for most software, games have a limited lifespan, so after a few years they are no longer supported by manufacturers.

To preserve these games for future generations and nostalgic gamers, the Copyright Office previously included game preservation exemptions. This means that libraries, archives and museums can use emulators and other circumvention tools to make old classics playable.

However, these exemptions are limited and do not apply to games that require a connection to an online server, which includes most recent games. When the online servers are taken down, the game simply disappears forever.

Source: Gamers Want DMCA Exemption for ‘Abandoned’ Online Games – TorrentFreak
