Author Archives: pappp

Malicious PyPI packages stealing credit cards and injecting code

Source: Hacker News

Article note: This is solidly in the "Consequences of dung-beetle programming" column.
Posted in News

Zoom to pay $85M for lying about encryption and sending data to Facebook and Google

Source: Ars Technica

Article note: For 2 of the 3 complaints, all they had to do was say they were focusing on scaling and urgently needed management features during the pandemic, not ...blatantly lie... about their encryption features, and not insert spyware APIs into their code. The "Zoombombing is the platform's fault" one is a little more of a stretch, since Zoom was very suddenly pushed into all kinds of unintended new use-cases ... but see above, it _is_ what they should have been working on.
Technical preview of Zoom's end-to-end encryption, made available months after Zoom was caught lying to users about how it encrypts video calls. (credit: Zoom)

Zoom has agreed to pay $85 million to settle claims that it lied about offering end-to-end encryption and gave user data to Facebook and Google without the consent of users. The settlement between Zoom and the filers of a class-action lawsuit also covers security problems that led to rampant "Zoombombings."

The proposed settlement would generally give Zoom users $15 or $25 each and was filed Saturday at US District Court for the Northern District of California. It came nine months after Zoom agreed to security improvements and a "prohibition on privacy and security misrepresentations" in a settlement with the Federal Trade Commission, but the FTC settlement didn't include compensation for users.

As we wrote in November, the FTC said that Zoom claimed it offers end-to-end encryption in its June 2016 and July 2017 HIPAA compliance guides, in a January 2019 white paper, in an April 2017 blog post, and in direct responses to inquiries from customers and potential customers. In reality, "Zoom did not provide end-to-end encryption for any Zoom Meeting that was conducted outside of Zoom's 'Connecter' product (which are hosted on a customer's own servers), because Zoom's servers—including some located in China—maintain the cryptographic keys that would allow Zoom to access the content of its customers' Zoom Meetings," the FTC said. In real end-to-end encryption, only the users themselves have access to the keys needed to decrypt content.

Posted in News

Clusterboard A64 Insidious Reset Problem: Solved

Source: Hacker News

Article note: That's one hell of a hunt, and excellent process documentation. Because I spend over half the year trying to teach EE/ECE sophomores to design, build, and debug digital hardware, I really respect good process docs for hunting hard bugs.
Posted in News

Ssheven: A modern SSH client for Mac OS 7-9

Source: Hacker News

Article note: ...Nice. Into the "talking to old computers" toolbox.
Posted in News

Running a CNC machine is definitely about sex and should be demonetized

Source: Hacker News

Article note: So, I'm totally onboard that Americans' weird selectively puritanical attitudes are absurd, and having our hegemonic tech firms enforce them is not a good thing. We've been having this fight forever; go read Nabokov's afterword _On a Book Entitled Lolita_ from 1956 and it's the same discussion with better language. ...But also, please don't blow smoke up my ass about intentionally overtly sexualized content being anything other than what it is. It's right there in the handle, it's a highly effective strategy to get those engagement dollars, don't be disingenuous. Let's be civil, throw a THOT tag on the things that use sex to drive engagement, and move on. I know the reason why not is ad dollars; advertisers are major perpetrators of the sexual-but-not-pornographic attention grab, and if it puts them off, they're full of shit and we cannot let them filter on it.
Posted in News

3D-Printed Tooling Enables DIY Electrochemical Machining

Source: Hack a Day

Article note: Neat! I read some stuff about people trying DIY ECM for internal features like barrel rifling a while back, but this looks markedly more sophisticated, even though there's nothing terribly complicated or inaccessible in the setup.

When it comes to turning a raw block of metal into a useful part, most processes are pretty dramatic. Sharp and tough tools are slammed into raw stock to remove tiny bits at a time, releasing the part trapped within. It doesn’t always have to be quite so violent though, as these experiments in electrochemical machining suggest.

Electrochemical machining, or ECM, is not to be confused with electrical discharge machining, or EDM. While similar, ECM is a much tamer process. Where EDM relies on a powerful electric arc between the tool and the work to erode material in a dielectric fluid, ECM is much more like electrolysis in reverse. In ECM, a workpiece and custom tool are placed in an electrolyte bath and wired to a power source; the workpiece is the anode while the tool is the cathode, and the flow of charged electrolyte through the tool ionizes the workpiece, slowly eroding it.

The trick — and expense — of ECM is generally in making the tooling, which can be extremely complicated. For his experiments, [Amos] took the shortcut of 3D-printing his tool — he chose [Suzanne] the Blender monkey — and then copper plating it, to make it conductive. Attached to the remains of a RepRap for Z-axis control and kitted out with tanks and pumps to keep the electrolyte flowing, the rig worked surprisingly well, leaving a recognizably simian faceprint on a block of steel.

[Amos] admits the setup is far from optimized; the loop controlling the distance between workpiece and tool isn’t closed yet, for instance. Still, for initial experiments, the results are very encouraging, and we like the idea of 3D-printing tools for this process. Given his previous success straightening his own teeth or 3D-printing glass, we expect he’ll get this fully sorted soon enough.

Posted in News

The Itanic Has Sunk

Source: Hacker News

Article note: They held out for 20 years with it on the market, and another 10 in development before that, for a project so expensive, late, and beset with failure that people debate whether it was a conspiracy to suck the air out of competing high-end architectures, or simply Intel's third sequential utter overestimation of their own ability to produce a viable next-gen architecture (after the iAPX432 and i860/960 stuff). It'll be weird not seeing jokes about it in the tech press; it's been a constant for the entire part of my life where I've been paying attention to the tech industry.
Posted in News

Amazon has ruined search and Google is in on it

Source: Hacker News

Article note: It's such a bummer that the internet has been so thoroughly overrun by people trying to scam a quick buck. There is a degree of "failure of imagination by early designers," but I'm not even sure what a system robust against motivated scammers, SEO assholes, and their sock-puppets would look like, especially one that isn't extremely, dangerously invasive to its users.
Posted in News

CDC mask reversal: Vaccinated should wear masks in many settings amid surge

Source: Ars Technica

Article note: And there it is.
Self-sewn protective face masks in a fabric store on April 3, 2020, in Jena, Germany. (credit: Getty | Jens Schlueter)

Fully vaccinated Americans should go back to masking up in schools and areas of high or substantial COVID-19 transmission, the Centers for Disease Control and Prevention announced Tuesday.

The CDC says its stark reversal in mask guidance is prompted by the current surge in COVID-19 cases and the spread of the hyper-transmissible delta variant, which is now dominant in the US and thought to be more than twice as contagious as previous versions of the virus.

Specifically, the CDC says new data from outbreak investigations in the US and elsewhere suggests that fully vaccinated people who have breakthrough infections with the delta variant carry similar levels of viral loads in their respiratory tracts as unvaccinated people infected with the delta variant. This raises concern that fully vaccinated people can spread the delta variant to others.

Posted in News

De-anonymization Story

Source: Schneier on Security

Article note: It's an interesting story. I'm all in on publicly attacking powerful, hypocritical abusers by whatever means are available. I'm also super opposed to the kind of commercialized surveillance that enabled it. The best case is that we get to bust this asshole and make an example of them to discourage their behavior, _and_ it makes more people cognizant of persistent commercial surveillance to get enough public opinion to rein that shit in.

This is important:

Monsignor Jeffrey Burrill was general secretary of the US Conference of Catholic Bishops (USCCB), effectively the highest-ranking priest in the US who is not a bishop, before records of Grindr usage obtained from data brokers were correlated with his apartment, place of work, vacation home, family members' addresses, and more.

[…]

The data that resulted in Burrill's ouster was reportedly obtained through legal means. Mobile carriers sold — and still sell — location data to brokers who aggregate it and sell it to a range of buyers, including advertisers, law enforcement, roadside services, and even bounty hunters. Carriers were caught in 2018 selling real-time location data to brokers, drawing the ire of Congress. But after carriers issued public mea culpas and promises to reform the practice, investigations have revealed that phone location data is still popping up in places it shouldn't. This year, T-Mobile even broadened its offerings, selling customers' web and app usage data to third parties unless people opt out.

The publication that revealed Burrill’s private app usage, The Pillar, a newsletter covering the Catholic Church, did not say exactly where or how it obtained Burrill’s data. But it did say how it de-anonymized aggregated data to correlate Grindr app usage with a device that appears to be Burrill’s phone.

The Pillar says it obtained 24 months’ worth of “commercially available records of app signal data” covering portions of 2018, 2019, and 2020, which included records of Grindr usage and locations where the app was used. The publication zeroed in on addresses where Burrill was known to frequent and singled out a device identifier that appeared at those locations. Key locations included Burrill’s office at the USCCB, his USCCB-owned residence, and USCCB meetings and events in other cities where he was in attendance. The analysis also looked at other locations farther afield, including his family lake house, his family members’ residences, and an apartment in his Wisconsin hometown where he reportedly has lived.

Location data is not anonymous. It cannot be made anonymous. I hope stories like these will teach people that.
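The correlation The Pillar describes (pick the places a known person frequents, then find the one device identifier that shows up at all of them) is simple enough to sketch. The following is an added example written for this post, not The Pillar's method or code and not Schneier's; the records, device identifiers, coordinates and the 150 m matching radius are all constructed for illustration. It shows why "anonymized" location records are not anonymous: each single place matches several devices, but requiring a hit at three or four places collapses the candidate set to one.

```python
import math
from collections import defaultdict

# Constructed sample of broker-style "app signal" rows: (device_id, lat, lon, day).
# Every identifier and coordinate here is made up for this example.
RECORDS = [
    ("d-1001", 38.9300, -77.0700, 1),    # target: office
    ("d-1001", 38.9303, -77.0697, 3),    # target: office again, a few metres off
    ("d-1001", 38.9200, -77.0500, 1),    # target: residence
    ("d-1001", 44.5002, -89.5001, 10),   # target: family lake house
    ("d-1001", 41.8800, -87.6300, 20),   # target: meeting in another city
    ("d-1002", 38.9301, -77.0702, 1),    # coworker: same office
    ("d-1002", 41.8801, -87.6298, 20),   # coworker: same out-of-town meeting
    ("d-1002", 38.9500, -77.1000, 2),    # coworker: their own home, elsewhere
    ("d-1003", 38.9203, -77.0503, 1),    # neighbour: next to the residence
    ("d-1003", 40.7000, -74.0000, 5),    # neighbour: travelling
    ("d-1004", 44.4999, -89.5003, 11),   # tourist at the lake
    ("d-1005", 41.8799, -87.6302, 20),   # another meeting attendee
    ("d-1005", 34.0500, -118.2500, 21),  # ...who lives far away
]

# Places the target is publicly known to frequent (constructed coordinates).
KNOWN_PLACES = {
    "office": (38.9300, -77.0700),
    "residence": (38.9200, -77.0500),
    "lake_house": (44.5000, -89.5000),
    "meeting_city": (41.8800, -87.6300),
}

# Assumed matching radius; GPS/Wi-Fi fixes are rarely exact, so we do not
# require identical coordinates, only proximity.
RADIUS_M = 150.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def places_per_device(records, places, radius_m):
    """Map device_id -> set of known place names it was observed within radius of."""
    hits = defaultdict(set)
    for dev, lat, lon, _day in records:
        for name, (plat, plon) in places.items():
            if haversine_m(lat, lon, plat, plon) <= radius_m:
                hits[dev].add(name)
    return hits


def candidates(records, places, radius_m, min_places=None):
    """Device ids seen at at least `min_places` known places (default: all of them)."""
    needed = len(places) if min_places is None else min_places
    hits = places_per_device(records, places, radius_m)
    return sorted(dev for dev, seen in hits.items() if len(seen) >= needed)


def shrinkage(records, places, radius_m):
    """Candidate-set size as the number of required known places grows.

    This is the intersection attack in one table: the anonymity set for
    one place is large, the anonymity set for several places is tiny.
    """
    hits = places_per_device(records, places, radius_m)
    return {k: sum(1 for seen in hits.values() if len(seen) >= k)
            for k in range(1, len(places) + 1)}


if __name__ == "__main__":
    for k, n in shrinkage(RECORDS, KNOWN_PLACES, RADIUS_M).items():
        print(f"devices seen at >= {k} known place(s): {n}")
    print("unique match:", candidates(RECORDS, KNOWN_PLACES, RADIUS_M))
```

The device identifier is a pseudonym, but once it is the only one in the dataset that appears at both the office and the residence, the pseudonym is the person; adding the lake house and the out-of-town meeting just makes the match harder to dispute. Note that nothing in the pipeline needed a name, a phone number, or any data that a broker would call "personally identifiable".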

Posted in News