SoylentNews

An Anonymous Coward writes:

Cars that are four years old are suddenly bricking because of a code-related quirk that's burning out flash drives. Tesla does not support right to repair and has actively fought it and is not beholden to the same rules as every other auto manufacturer.

The issue is with a flash storage chip called the eMMC that is embedded on a board called the MCU1. According to experts who have studied the problem, Teslas are writing vehicle logs to this flash storage chip so much that it eventually goes bad. The issue has been known in the Tesla community since at least May, when Tesla repair YouTuber Rich Benoit spoke to another Tesla repair professional named Phil Sadow about it in a video.

"Tesla's got a problem. They create so many logs in the car, they write to [the chip] so fast that it basically burns them out. They have a finite amount of writes," Sadow said in the video. "When this burns out, you wake up to a black screen [in the car's center console.] There's nothing there. No climate control. You can generally drive the car, but it won't charge."

Original Submission

jb writes:

A group of senior members of the Australian Computer Society (ACS) have launched a campaign to oppose what they describe as a corporate "hijack" of their society.

Best coverage so far is in Innovation Aus:

Proposed changes to the governance structure at the Australian Computer Society are headed for a rough ride as senior members launch a campaign against the corporatisation [of] a professional society, in favour of its executive and at the expense of its members.

A group being headed by Australian National University visiting professor Roger Clarke – a long-time privacy advocate in Australia and an ACS member since 1974 – says the proposed changes strip away the rights of the members in favour of the society's executive.

Mr Clarke also complains that recent take-over of the Association for Data-Driven Marketing and Advertising (ADMA) – among a series of acquisitions of other industry groups – was incompatible with the values and goals of the society.

Also covered in ITWire:

He claimed that the ACS would aim to pass a new constitution at a general body meeting on 25 October in Sydney which, if adopted, would:

• centralise all power in the board;
         
• extinguish all meaningful member involvement;
         
• replace member-driven branches with subservient divisions; and
         
• enable continuity of power by a clique.

upstart writes:

Submitted via IRC for Bytram

Mathematicians prove that flash-memory 'fingerprints' of electronic devices are truly unique

Experts in applied mathematics at RUDN University have experimentally proven that it is possible to accurately identify electronic devices by defects in flash memory cells. It turns out that the distribution and nature of these defects are unique, and they can play the role of "fingerprints" for memory chips. The new method will improve protection against hacker attacks, as it would create electronic flash keys that cannot be faked. The results of the study are published in the journal IEEE Access.

As information and communication devices—smartphones, fitness bracelets, Wi-Fi equipment, memory devices—are spreading around the world, the issue of protecting them from theft and tampering becomes more and more relevant. A way to accurately identify each device is needed. Existing identification methods can be divided into two types: virtual and physical. Virtual methods are applied to the software (firmware) of a device. It could be, for example, a unique number that is "hard written" into the device. The problem is that any software can be hacked and data changed. Physical methods deal with hardware. These include the identification of a device by unique fluctuations of its radio frequency. However, radio signals are subject to interference.

One of the new methods of physical identification is based on damaged flash memory cells. Due to microscopic manufacturing defects, damaged cells randomly appear in the memory blocks of a device. The pattern of these microdefects is unique, and that means that one device can be distinguished by it from another. Previously, however, it has not been possible to numerically prove the effectiveness of this method, so the experts from RUDN University undertook to verify the effectiveness of this technology.

Unique Degradation of Flash Memory as an Identifier of ICT Device (open, DOI: 10.1109/ACCESS.2019.2932804) (DX)

Original Submission

An Anonymous Coward writes:

After fish that survives on land is found, Georgia tells anglers: Kill them immediately

Georgia's Department of Natural Resources has a message for anglers: If you catch a northern snakehead, kill it immediately. Northern snakeheads are invasive fish that can breathe air and survive for days on land.

An angler recently reported catching one in a private pond in Gwinnett County.

How it got there is a mystery. State wildlife officials said in a press release it's the first time the species has been confirmed in Georgia waters. It's been found in 14 other states.

The Georgia Department of Natural Resources, suggests:

Anglers are the first line of defense. If you think you've caught a northern snakehead:

1. DO NOT RELEASE IT.
2. Kill it immediately and freeze it. They can survive on land.
3. If possible, take pictures of the fish. Include close ups of its mouth, fins and tail.
4. Note where it was caught like the waterbody, landmarks or GPS coordinates.
5. Immediately report it to your regional Georgia DNR Wildlife Resources Division Fisheries Office.

For more information about the northern snakehead, or other aquatic nuisance species, visit https://georgiawildlife.com/aquatic-nuisance-species.

Entry on Wikipedia for northern snakehead.

Original Submission

We had two Soylentils write in to inform us of a serious bug in sudo.

See the web site Potential bypass of Runas user restrictions and CVE-2019-14287 for examples and details.

Unsigned int in sudo allows Linux privilege escalation

datapharmer writes:

Time to fire up your favorite package manager. Joe Vennix, a researcher from Apple, has discovered an unsigned variable was used for uid in sudo prior to version 1.8.28, allowing a user to specify -1 or 4294967295 as the uid. This then defaults to uid 0, but since this doesn't exist in the database no PAM modules are run. This only works for users with sudo rights, but works even if root is explicitly prohibited. See CVE-2019-14287 for more details.

sudo escalation - interesting bug

Anonymous Coward writes:

A freshly-discovered bug in sudo allows escalation to root for any entries with runas ALL configured. Bug has been present for years.

https://seclists.org/oss-sec/2019/q4/18

Original Submission #1  Original Submission #2 

upstart writes:

Submitted via IRC for AnonymousCoward

More Libra woes:

EBay, Stripe and Mastercard drop out of Facebook’s Libra Association – TechCrunch

Oof — a week after PayPal announced plans to part ways with Facebook’s Libra cryptocurrency project and the related association of the same name, three more names are reportedly breaking away: eBay, Stripe and Mastercard. (Update: and now Visa!)

In a comment to TechCrunch, a Stripe spokesperson leaves the door open for them to potentially work with Libra in the future — but not right now:

“Stripe is supportive of projects that aim to make online commerce more accessible for people around the world. Libra has this potential. We will follow its progress closely and remain open to working with the Libra Association at a later stage.”

Previously:
Visa, Mastercard Reportedly Reconsidering Support For Facebook's Libra
PayPal Withdraws Support for Facebook’s Libra Cryptocurrency

Original Submission

Arthur T Knackerbracket has found the following story:

Sensors distributed across the city will allow the collection of real-time data to improve services, says the council.

Using Internet of Things (IoT) sensors distributed around the city to provide data in real-time data, Hull City Council says it will be able to better control street lighting, refuse collection, parking and traffic congestion, with the goal of providing better services at a reduced cost.

The council is working with a local telecoms service provider, Connexin, which built on Cisco's Kinetic for Cities platform - a subscription-based software that lets city operators view and manage data from multiple sensors, and from a single panel.

Furqan Alamgir, founder of Connexin, told ZDNet: "We found that cities struggled to digitalise because they had lots of siloed systems. For example, they might have an LED management system and a traffic management system, but the two wouldn't link to each other.

"So, building on Cisco's platform, we built a central OS that normalises all the data into one language, so that all the sensors can speak to one another seamlessly."

The platform, called CityOS, pulls together and aggregates information from a range of different IoT sensors, before passing it on to city operators. This means the data is easier to visualise, and can then be used to better manage resources.  

Councillor Daren Hale said: "The system pulls together information that currently sits within separate council computer systems that enable city-wide management of the city's public assets in real time."

Original Submission

Runaway1956 writes:

A few weeks ago, we tested out three phone platforms (iOS on an iPhone XR, Android on a Nexus 6P, and Linux on the Librem 5 dev kit) to see which one leaks the most data -- and, just as importantly, which leaks the least data.

To do this we connected all three devices to a dedicated wireless router running OpenWrt, and monitored all connections. The phones were then left to sit idle with no applications launched. Both the total number of connections, as well as the amount of data transmitted, were logged. This initial testing was done with the Librem 5 Development Kit, but the results are expected to be the same in the final shipping Librem 5 smartphone.

All three phones were loaded only with stock applications and system settings -- depending on which applications are added (such as Facebook, Twitter, etc.) obviously the results will likely change.

Inspired by research done by Professor Douglas C. Schmidt, Professor of Computer Science at Vanderbilt University, and his team.

PDF here https://digitalcontentnext.org/wp-content/uploads/2018/08/DCN-Google-Data-Collection-Paper.pdf

*SPOILER* (click to show) *SPOILER* (click to hide)

I. EXECUTIVE SUMMARY
1. Google is the world's largest digital advertising company.1 It also provides the #1 web browser,2 the
#1 mobile platform,3 and the #1 search engine4 worldwide. Google's video platform, email service, and map
application have over 1 billion monthly active users each.5 Google utilizes the tremendous reach of its products
to collect detailed information about people's online and real-world behaviors, which it then uses to target them
with paid advertising. Google's revenues increase significantly as the targeting technology and data are refined.
2. Google collects user data in a variety of ways. The most obvious are "active," with the user directly
and consciously communicating information to Google, as for example by signing in to any of its widely used
applications such as YouTube, Gmail, Search etc. Less obvious ways for Google to collect data are "passive"
means, whereby an application is instrumented to gather information while it's running, possibly without the
user's knowledge. Google's passive data gathering methods arise from platforms (e.g. Android and Chrome),
applications (e.g. Search, YouTube, Maps), publisher tools (e.g. Google Analytics, AdSense) and advertiser tools
(e.g. AdMob, AdWords). The extent and magnitude of Google's passive data collection has largely been
overlooked by past studies on this topic.6
3. To understand what data Google collects, this study draws on four key sources:
a. Google's My Activity7 and Takeout8 tools, which describe information collected during the use of
Google's user-facing products;
b. Data intercepted as it is sent to Google server domains while Google or 3rd-party products are used;
c. Google's privacy policies (both general and product-specific); and
d. Other 3rd-party research that has examined Google's data collection efforts.
4. Through the combined use of above resources, this study provides a unique and comprehensive view
of Google's data collection approaches and delves deeper into specific types of information it collects from
users. This study highlights the following key findings:

a. Google learns a great deal about a user's personal interests during even a single day of typical internet
usage. In an example "day in the life" scenario, where a real user with a new Google account and an
Android phone (with new SIM card) goes through her daily routine, Google collected data at numerous
activity touchpoints, such as user location, routes taken, items purchased, and music listened to.
Surprisingly, Google collected or inferred over two-thirds of the information through passive means.
At the end of the day, Google identified user interests with remarkable accuracy.
b. Android is a key enabler of data collection for Google, with over 2 billion monthly active users
worldwide.9 While the Android OS is used by Original Equipment Manufacturers (OEMs) around the
world, it is tightly connected with Google's ecosystem through Google Play Services. Android helps
Google collect personal user information (e.g. name, mobile phone number, birthdate, zip code, and
in many cases, credit card number), activity on the mobile phone (e.g. apps used, websites visited), and
location coordinates. In the background, Android frequently sends Google user location and devicerelated
information, such as apps usage, crash reports, device configuration, backups, and various
device-related identifiers.
c. The Chrome browser helps Google collect user data from both mobile and desktop devices, with over
2 billion active installs worldwide.
10 The Chrome browser collects personal information (e.g. when a
user completes online forms) and sends it to Google as part of the data synchronization process. It
also tracks webpage visits and sends user location coordinates to Google.
d. Both Android and Chrome send data to Google even in the absence of any user interaction. Our
experiments show that a dormant, stationary Android phone (with Chrome active in the background)
communicated location information to Google 340 times during a 24-hour period, or at an average of
14 data communications per hour. In fact, location information constituted 35% of all the data samples
sent to Google. In contrast, a similar experiment showed that on an iOS Apple device with Safari
(where neither Android nor Chrome were used), Google could not collect any appreciable data
(location or otherwise) in the absence of a user interaction with the device.
e. After a user starts interacting with an Android phone (e.g. moves around, visits webpages, uses apps),
passive communications to Google server domains increase significantly, even in cases where the user
did not use any prominent Google applications (i.e. no Google Search, no YouTube, no Gmail, and
no Google Maps). This increase is driven largely by data activity from Google's publisher and advertiser
products (e.g. Google Analytics, DoubleClick, AdWords)11. Such data constituted 46% of all requests
to Google servers from the Android phone. Google collected location at a 1.4x higher rate compared
to the stationary phone experiment with no user interaction. Magnitude wise, Google's servers
communicated 11.6 MB of data per day (or 0.35 GB/month) with the Android device. This experiment
suggests that even if a user does not interact with any key Google applications, Google is still able to
collect considerable information through its advertiser and publisher products.
f. While using an iOS device, if a user decides to forgo the use of any Google product (i.e. no Android,
no Chrome, no Google applications), and visits only non-Google webpages, the number of times data
is communicated to Google servers still remains surprisingly high. This communication is driven purely
by advertiser/publisher services. The number of times such Google services are called from an iOS
device is similar to an Android device. In this experiment, the total magnitude of data communicated
to Google servers from an iOS device is found to be approximately half of that from the Android
device.
g. Advertising identifiers (which are purportedly "user anonymous" and collect activity data on apps and
3rd-party webpage visits) can get connected with a user's Google identity. This happens via passing of
device-level identification information to Google servers by an Android device. Likewise, the
DoubleClick cookie ID (which tracks a user's activity on the 3rd-party webpages) is another
purportedly "user anonymous" identifier that Google can connect to a user's Google Account if a user
accesses a Google application in the same browser in which a 3rd-party webpage was previously
accessed. Overall, our findings indicate that Google has the ability to connect the anonymous data
collected through passive means with the personal information of the user.

A video graphically displays part of the same information - https://www.youtube.com/watch?v=yHcHi0TBFv4

Original Submission

canopic jug writes:

Facebook vastly exaggerated the number of viewers it had on its video platform in order to lure producers away from competing platforms like YouTube. Facebook's exaggerations were off by 150% to 900% from the actual figures, and apparently knew it at the time. Facebook is proposing a settlement of a meager $40 million to avoid facing larger penalties. Fines or not, these exaggerations — or more precisely, lies — contributed to crippling or eliminating several video-oriented areas of activity.

According to a brief in support of the settlement, Facebook would pay $40 million to resolve claims. Much of that would go to those who purchased ad time in videos, though $12 million — or 30 percent of the settlement fund — is earmarked for plaintiffs' attorneys.

The suit accused Facebook of acknowledging miscalculations in metrics upon press reports, but still not taking responsibility for the breadth of the problem. "The average viewership metrics were not inflated by only 60%-80%; they were inflated by some 150 to 900%," stated an amended complaint.

Earlier on SN:
Facebook Discloses Additional Advertising Metric Miscalculations (2016)

Original Submission

An Anonymous Coward writes:

https://debugmo.de/2007/07/read-your-dvds-the-raw-way/

This will be an attempt to document stuff I've done in the past. I'm bad at documenting, so I'll just present what I've done. If you have further questions, always feel free to email me.

This time I wanted to know what's on my DVDs. I mean, not what's normally visible, but what's underneath the data layer. Contrary to CDs, where a lot of work has been done to allow reading every bit of a CD, there is surprisingly less information for DVDs.

[...] CD readers often have special modes to read raw sectors. This is probably related to the fact that you need some of these functions to digitally read out audio data from audio CDs, but they can also be used to explore CD-ROMs. In the DVD-domain, we are not that lucky. Most of the signal processing is done in hardware, and recent drives are single-chip chipsets, with one chip doing all the work, from analog RF to IDE (or SCSI). Sometimes firmware allows you reading 2064 bytes per sector, sometimes you can disable the EDC check or scrambling, but usually, you cannot go further. Sometimes you can query PI/PO stats, but that's all.

[...] If you want to build your own debug DVD reader - well, start with finding the proper DVD-ROM. I'm sure there are a lot of (older) DVD-ROMs which have the right data ports. Take a scope, and watch for digital data. An easy way to tell if this data comes directly from DVD is to slow down the disc a bit (with your finger :) - only a bit, the drive needs to keep in sync! -, and watch if the data rate changes. If it does, chances are big that you found the right data. It should be approx. twice the payload data rate.

Original Submission

Arthur T Knackerbracket has found the following story:

Vodafone has apologised for a "technical error" that left customers abroad facing thousands of pounds in roaming fees over the weekend.

It seems the issue was with an upgrade to Vodafone's customer account database. Consequently, customers in Europe and the US faced steep charges for data usage, with some people reporting bills as high as £9,000.

One customer got in touch with The Reg on Sunday to report they'd been hit for over £1,200 while in Prague. "Also services are being cut so [I] can't make phone calls when abroad and now [have] no data on phone. So [I'm] having to rely on Wi-Fi hotspots or buy a [second] local SIM card," he said.

Another sent us a screenshot of a bill for nearly £7,000. "Vodafone have cocked up on roaming this weekend. Lots of people getting disconnected and huge bills, me included," he said.

A number of folk also took to Twitter to complain over the weekend.

A spokesman for Vodafone said: "We are very sorry that yesterday, some customers could not use data or calling services when roaming abroad. This was due to a technical error, which we have now fixed. Any affected customer should restart their phone to ensure that services are resumed.

"As a result of the issue, some customers are receiving billing messages in error; we are working through these as an urgent priority and removing any errors from customer accounts. Customers will not be charged and do not need to worry about contacting us as we are proactively checking accounts and fixing any issues."

Original Submission

upstart writes:

Submitted via IRC for Bytram

Current Time - Bulletin of the Atomic Scientists

Statement from the President and CEO

As the Bulletin's Science and Security Board prepared for its first set of Doomsday Clock discussions this fall, it began referring to the current world security situation as a "new abnormal." This new abnormal is a pernicious and dangerous departure from the time when the United States sought a leadership role in designing and supporting global agreements that advanced a safer and healthier planet. The new abnormal describes a moment in which fact is becoming indistinguishable from fiction, undermining our very abilities to develop and apply solutions to the big problems of our time. The new abnormal risks emboldening autocrats and lulling citizens around the world into a dangerous sense of anomie and political paralysis.

As you will see in the pages that follow, this year's Doomsday Clock statement draws attention to the devolving state of nuclear and climate security. It also points to a qualitative change in information warfare and a steady misrepresentation of fact that is undermining confidence in political structures and scientific inquiry. At the same time, science is racing forward, and new global governance structures are desperately needed to manage rapidly evolving and potentially dangerous technologies.

In 2017, the Bulletin moved the time of the Doomsday Clock a half-minute closer to midnight, in part because of reckless approaches toward nuclear weapons and a growing disregard for the expertise needed to address today's biggest challenges, most importantly climate change. We argued that world leaders not only failed to deal adequately with nuclear and climate threats, they increased them "through a variety of provocative statements and actions, including careless rhetoric about the use of nuclear weapons and the wanton defiance of scientific truths." Two years later, it has become even clearer that "the intentional corruption of the information ecosystem" threatens to undermine the rational discourse needed to address such challenges. The 2019 statement therefore goes on to provide a framework for how citizens can begin to organize themselves and respond.

Original Submission

upstart writes:

Submitted via IRC for tortured_old_man

Researchers rediscover fast-acting German insecticide lost in the aftermath of WWII

A new study in the Journal of the American Chemical Society explores the chemistry as well as the complicated and alarming history of DFDT, a fast-acting insecticide.

"We set out to study the growth of crystals in a little-known insecticide and uncovered its surprising history, including the impact of World War II on the choice of DDT—and not DFDT—as a primary insecticide in the 20th century," said Bart Kahr, professor of chemistry at New York University and one of the study's senior authors.

Kahr and fellow NYU chemistry professor Michael Ward study the growth of crystals, which two years ago led them to discover a new crystal form of the notorious insecticide DDT. DDT is known for its detrimental effect on the environment and wildlife. But the new form developed by Kahr and Ward was found to be more effective against insects—and in smaller amounts, potentially minimizing its environmental impact.

In continuing to explore the crystal structure of insecticides, the research team began studying fluorinated forms of DDT, swapping out chlorine atoms for fluorine. They prepared two solid forms of the compound—a monofluoro and a difluoro analog—and tested them on fruit flies and mosquitoes, including mosquito species that carry malaria, yellow fever, Dengue, and Zika. The solid forms of fluorinated DDT killed insects more quickly than did DDT; the difluoro analog, known as DFDT, killed mosquitoes two to four times faster.

"Speed thwarts the development of resistance," said Ward, a senior author on the study. "Insecticide crystals kill mosquitoes when they are absorbed through the pads of their feet. Effective compounds kill insects quickly, possibly before they are able to reproduce."

The researchers also made a detailed analysis of the relative activities of the solid-state forms of fluorinated DDT, noting that less thermodynamically stable forms—in which the crystals liberate molecules more easily—were more effective at quickly killing insects.

[...] "We were surprised to discover that at the outset DDT had a competitor which lost the race because of geopolitical and economic circumstances, not to mention its connection to the German military, and not necessarily because of scientific considerations. A faster, less persistent insecticide, as is DFDT, might have changed the course of the 20th century; it forces us to imagine counterfactual science histories," said Kahr.

More information: Xiaolong Zhu et al, Manipulating Solid Forms of Contact Insecticides for Infectious Disease Prevention, Journal of the American Chemical Society (2019). DOI: 10.1021/jacs.9b08125

Journal information: Journal of the American Chemical Society Provided by New York University

Citation: Researchers rediscover fast-acting German insecticide lost in the aftermath of WWII (2019, October 11) retrieved 13 October 2019 from https://phys.org/news/2019-10-rediscover-fast-acting-german-insecticide-lost.html

Original Submission

upstart writes:

Submitted via IRC for AnonymousCoward

Smart TVs are data-collecting machines, new study shows

Add smart TVs to the growing list of home appliances guilty of surveilling people's movements. A new study from Princeton University shows internet-connected TVs, which allow people to stream Netflix and Hulu, are loaded with data-hungry trackers.

"If you use a device such as Roku and Amazon Fire TV, there are numerous companies that can build up a fairly comprehensive picture of what you're watching," Arvind Narayanan, associate professor of computer science at Princeton, wrote in an email to The Verge. "There's very little oversight or awareness of their practices, including where that data is being sold."

Of course, data is part of the reason TVs have gotten so cheap. Today, Roku's sell for less than $200, subsidized in part by targeted advertising. Technically, people agree to have their data sold when they set up their devices. But many aren't aware it's even happening.

Technically, people agree to have their data sold when they set up their devices

That's true for other smart home technology, too. In a different study, researchers at Northeastern University looked at 81 smart home devices and found that some, including Amazon's Ring doorbell and Alexa, and the Zmodo doorbell, monitor when a user talks or moves, even when they're not using the device. "The app used to set up the [Ring] device does not warn the user that the doorbell performs such recording in real time, the doorbell offers no indication that recording is occurring, and the only disclosure is in fine print as part of the privacy policy," the paper says.

To understand how much surveillance is taking place on smart TVs, Narayanan and his co-author Hooman Mohajeri Moghaddam built a bot that automatically installed thousands of channels on their Roku and Amazon Fire TVs. It then mimicked human behavior by browsing and watching videos. As soon as it ran into an ad, it would track what data was being collected behind the scenes.

Some of the information, like device type, city, and state, is hardly unique to one user. But other data, like the device serial number, Wi-Fi network, and advertising ID, could be used to pinpoint an individual. "This gives them a more complete picture of who you are," said Moghaddam. He noted that some channels even sent unencrypted email addresses and video titles to the trackers.

Original Submission

upstart writes:

Submitted via IRC for AnonymousCoward

This story about a billion dollar scam to build an undersea Arctic cable is wild

Last year, the CEO of Quintillion, an Alaskan company trying to build a trans-Arctic undersea cable, was charged with wire fraud after forging contracts to help raise more than $250 million from investors. This week, Bloomberg posted a captivating feature about how that CEO nearly pulled off the scam of a lifetime. It's a fascinating story of how someone tried to fake it 'til they almost made it — but also a cautionary tale about big ambitions can push people to make disastrous decisions.

Elizabeth Pierce apparently had huge ambitions to build an undersea cable to give Alaskans (and eventually, parts of Japan, the Pacific Northwest, Greenland, Iceland, and London) better internet access. It was a noble cause. Internet for much of rural Alaska is slow and depends on expensive satellites, and an undersea cable could bring much faster speeds at cheaper prices for consumers. (Undersea cables are also being explored by big tech companies. Microsoft and Facebook jointly own a 4,000 mile transatlantic cable, and Google has invested in some as well.)

To get investors to back the project, Pierce needed to prove that she had completed contracts that would guarantee some revenue. So, to show investors that the business was solvent, she went right ahead and forged signatures on contracts that, if they'd been legit, would have been worth more than a billion dollars in total.

Original Submission