A marine biologist's ideas for singling out sharks that attack humans have prompted objections from other shark scientists. From a report: The war on sharks has been waged with shock and awe at times. When a shark bit or killed a swimmer, people within the past century might take out hundreds of the marine predators to quell the panic, like executing everyone in a police lineup in order to ensure justice was dispensed on the guilty party. Eric Clua, a professor of marine biology at the Ecole Pratique des Hautes Etudes in Paris, said the rationale behind shark culls in the past was simple: fewer sharks, fewer attacks. That reasoning also drives methods such as shark nets and baited hooks, which are currently in use at a number of Australian and South African beaches that are frequently visited by sharks. Nature, he notes, pays too great a price. "They are killing sharks that are guilty of nothing," said Dr. Clua, who studies the ocean predators up close in the South Pacific.

Dr. Clua said he has found a way to make precision strikes on sharks that have attacked people through a form of DNA profiling he calls "biteprinting." He believes it's usually just solo "problem sharks" that attack humans repeatedly, analogizing them to terrestrial predators that have been documented behaving the same way. Instead of culling every bear, tiger or lion when only one has serially attacked people, wildlife managers on land usually focus their ire on the culprit. Dr. Clua said that problem sharks could be dispatched the same way. This summer, Dr. Clua and several colleagues published their latest paper on collecting DNA from the biteprints of large numbers of sharks. Once a database is built, DNA could be collected from the wounds of people who were bitten by sharks, and matched to a known shark. The offending fish would then need to be found and killed. Critics have taken issue with every facet of this plan.

Spyware maker NSO Group used real phone location data on thousands of unsuspecting people when it demonstrated its new COVID-19 contact-tracing system to governments and journalists, researchers have concluded. From a report: NSO, a private intelligence company best known for developing and selling governments access to its Pegasus spyware, went on the charm offensive earlier this year to pitch its contact-tracing system, dubbed Fleming, aimed at helping governments track the spread of COVID-19. Fleming is designed to allow governments to feed location data from cell phone companies to visualize and track the spread of the virus. NSO gave several news outlets each a demo of Fleming, which NSO says helps governments make public health decisions "without compromising individual privacy." But in May, a security researcher told TechCrunch that he found an exposed database storing thousands of location data points used by NSO to demonstrate how Fleming works -- the same demo seen by reporters weeks earlier. TechCrunch reported the apparent security lapse to NSO, which quickly secured the database, but said that the location data was "not based on real and genuine data." NSO's claim that the location data wasn't real differed from reports in Israeli media, which said NSO had used phone location data obtained from advertising platforms, known as data brokers, to "train" the system. Academic and privacy expert Tehilla Shwartz Altshuler, who was also given a demo of Fleming, said NSO told her that the data was obtained from data brokers, which sell access to vast troves of aggregate location data collected from the apps installed on millions of phones.

The Guardian reports: The mass die-off of thousands of songbirds in south-western U.S. was caused by long-term starvation, made worse by unseasonably cold weather probably linked to the climate crisis, scientists have said.

Flycatchers, swallows and warblers were among the migratory birds "falling out of the sky" in September, with carcasses found in New Mexico, Colorado, Texas, Arizona and Nebraska. A USGS National Wildlife Health Center necropsy has found 80% of specimens showed typical signs of starvation... The remaining 20% were not in good enough condition to carry out proper tests. Nearly 10,000 dead birds were reported to the wildlife mortality database by citizens, and previous estimates suggest hundreds of thousands may have died...

"It looks like the immediate cause of death in these birds was emaciation as a result of starvation," said Jonathan Sleeman, director of the USGS National Wildlife Health Center in Madison, Wisconsin, which received 170 bird carcasses and did necropsies on 40 of them. "It's really hard to attribute direct causation, but given the close correlation of the weather event with the death of these birds, we think that either the weather event forced these birds to migrate prior to being ready, or maybe impacted their access to food sources during their migration...."

Most deaths happened around 9 and 10 September during a bout of cold weather that probably meant food was particularly scarce...

With their savvy interfaces, smart features and oodles of VC money, digital banks have become the poster-child for fintech. There are now almost 300 so-called "neobanks" live worldwide, with nearly half concentrated in Europe. From a report: Meanwhile, new players are continuing to join the ranks, particularly in Latin America, Africa and the Middle East. This boom is being fuelled by ongoing investor enthusiasm for the sector, with neobanks raising over $2bn in venture capital globally this year alone. Customers are also riding the neobank wave. PitchBook estimates that by 2024, 145m of us will be using these apps across North America and Europe alone. To help keep track of the global neobank landscape, we have broken down the key data and trends. For clarity, 'neobank' is defined here as an app that i) offers its own retail banking services (i.e. prepaid, debit, credit cards), ii) launched after 2010, and iii) is mobile-centric. This definition does not distinguish between regulatory status, but it's worth noting that only a handful have official bank licences.

Here is the story of the world's neobanks, as told in numbers. The neobank boom: At its peak? The number of neobanks worldwide has tripled since 2017, climbing from 100 to nearly 300 worldwide. That means, over the last three years, a neobank launched every five days somewhere in the world (!), according to Exton, a consultancy firm which manages a global database of consumer banking apps. In 2019 alone, more than 70 neobanks went live globally. But Cristoph Stegmeier, a partner at Exton, says we may finally have reached a peak, with 2020 seeing a slowdown. "I expect we will see less from now," he told Sifted. He explained this year's launch decline went beyond simply the 'Covid effect' and stems from the growing saturation of neobanks. Indeed, 30 neobanks have been wound down since 2015, according to Stegmeier. Still, the neobank boom hasn't totally stalled. Over 30 neobanks launched in the face of the pandemic, including Zelf, Daylight (a US bank for LGBT+ members) and Tenpo in Chile. Meanwhile, dozens of new players are still planning to go live in 2021 -- including Greece's Woli and France's Vybe.

An anonymous reader shares a report: On an earnings call two months ago, SolarWinds Chief Executive Kevin Thompson touted how far the company had gone during his 11 years at the helm. There was not a database or an IT deployment model out there to which his Austin, Texas-based company did not provide some level of monitoring or management, he told analysts on the Oct. 27 call. "We don't think anyone else in the market is really even close in terms of the breadth of coverage we have," he said. "We manage everyone's network gear." Now that dominance has become a liability -- an example of how the workhorse software that helps glue organizations together can turn toxic when it is subverted by sophisticated hackers. On Monday, SolarWinds confirmed that Orion -- its flagship network management software -- had served as the unwitting conduit for a sprawling international cyberespionage operation. The hackers inserted malicious code into Orion software updates pushed out to nearly 18,000 customers.

[...] Cybersecurity experts across government and private industry are still struggling to understand the scope of the damage, which some are already calling one of the most consequential breaches in recent memory. [...] Experts are reviewing their notes to find old examples of substandard security at the company. Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds' update server by using the password "solarwinds123" "This could have been done by any attacker, easily," Kumar said. Others -- including Kyle Hanslovan, the cofounder of Maryland-based cybersecurity company Huntress -- noticed that, even days after SolarWinds realized their software had been compromised, the malicious updates were still available for download.

An anonymous Slashdot reader writes: For the past year, hackers have been breaking into MySQL databases, downloading tables, deleting the originals, and leaving ransom notes behind, telling server owners to contact the attackers to get their data back. If database owners don't respond and ransom their data back in nine days, the databases are then put up on auction on a dark web portal.
"More than 85,000 MySQL databases are currently on sale on a dark web portal for a price of only $550/database," reports ZDNet: This suggests that both the DB intrusions and the ransom/auction web pages are automated and that attackers don't analyze the hacked databases for data that could contain a higher concentration of personal or financial information. Signs of these ransom attacks have been piling up over the course of 2020, with the number of complaints from server owners finding the ransom note inside their databases popping up on Reddit, the MySQL forums, tech support forums, Medium posts, and private blogs.

Oracle said on Friday it's moving its headquarters from the Silicon Valley to Austin, Texas. CNBC reports: "Oracle is implementing a more flexible employee work location policy and has changed its Corporate Headquarters from Redwood City, California to Austin, Texas. We believe these moves best position Oracle for growth and provide our personnel with more flexibility about where and how they work," a spokesperson confirmed to CNBC. A bulk of employees can choose their office location, or continue to work from home part time or full time, the company said.

"In addition, we will continue to support major hubs for Oracle around the world, including those in the United States such as Redwood City, Austin, Santa Monica, Seattle, Denver, Orlando and Burlington, among others, and we expect to add other locations over time," Oracle said. "By implementing a more modern approach to work, we expect to further improve our employees' quality of life and quality of output." Oracle is one of Silicon Valley's older success stories, founded in Santa Clara in 1977. It moved into its current headquarters in 1989. Several of the buildings on its campus there are constructed in the shape of a squat cylinder, which is the classic symbol in computer systems design for a database, the product on which Oracle built its empire.

The personal information of more than 243 million Brazilians, including alive and deceased, has been exposed online after web developers left the password for a crucial government database inside the source code of an official Brazilian Ministry of Health's website for at least six months. From a report: The security snafu was discovered by reporters from Brazilian newspaper Estadao, the same newspaper that last week discovered that a Sao Paolo hospital leaked personal and health information for more than 16 million Brazilian COVID-19 patients after an employee uploaded a spreadsheet with usernames, passwords, and access keys to sensitive government systems on GitHub. Estadao reporters said they were inspired by a report filed in June by Brazilian NGO Open Knowledge Brasil (OKBR), which, at the time, reported that a similar government website also left exposed login information for another government database in the site's source code. Since a website's source code can be accessed and reviewed by anyone pressing F12 inside their browser, Estadao reporters searched for similar issues in other government sites.

An anonymous reader quotes a report from Music Business Worldwide: According to a document published last week, Daniel Ek's company is seeking a patent for its "Plagiarism Risk Detector And Interface" technology, which pertains to "Methods, systems and computer program products..for testing a lead sheet for plagiarism." As explained in the filing -- and as our songwriter/musician readers will already know -- a "lead sheet" is a type of music score or musical notation for songs denoting their melody, chords and sometimes lyrics or additional notes. Spotify's invention would allow for a lead sheet to be fed through the platform's "plagiarism detector," which would then, "having been trained on a plurality of preexisting encoded lead sheets," immediately compare the composition in question to all other songs stored in its database.

A set of messages would then be displayed -- describing a detected level of plagiarism regarding "a plurality of elements" such as a chord sequence, melodic fragments, harmony, etc. of a song. The AI software would also potentially calculate "a similarity value" of the song in question vs. other songs in the Spotify lead sheet library. These technology could work the other way around, too, says Spotify's filing, reassuring a songwriter that "the melodic fragment [of your song] appears to be completely new." One particularly interesting element of this is that it would take place in near-real time, allowing a songwriter or composer to tweak elements of their work to avoid infringement before they (and/or their record label) spent the big bucks on recording a final version. Spotify's filing adds that "in some embodiments a link to the media content item that might be infringed (e.g., a track of an album) is provided so that a [songwriter] can quickly... listen to the potentially plagiarized work."

The security team behind the "npm" repository for JavaScript libraries removed two npm packages this Monday for containing malicious code that installed a remote access trojan (RAT) on the computers of developers working on JavaScript projects. From a report: The name of the two packages was jdb.js and db-json.js., and both were created by the same author and described themselves as tools to help developers work with JSON files typically generated by database applications. Both packages were uploaded on the npm package registry last week and were downloaded more than 100 times before their malicious behavior was detected by Sonatype, a company that scans package repositories on a regular basis. According to Sonatype's Ax Sharma, the two packages contained a malicious script that executed after web developers imported and installed any of the two malicious libraries. The post-install script performed basic reconnaissance of the infected host and then attempted to download and run a file named patch.exe that later installed njRAT, also known as Bladabindi, a very popular remote access trojan that has been used in espionage and data theft operations since 2015.

An anonymous reader quotes a report from TechCrunch: Massachusetts lawmakers have voted to pass a new police reform bill that will ban police departments and public agencies from using facial recognition technology across the state. The bill was passed by both the state's House and Senate on Tuesday, a day after senior lawmakers announced an agreement that ended months of deadlock.

The police reform bill also bans the use of chokeholds and rubber bullets, and limits the use of chemical agents like tear gas, and also allows police officers to intervene to prevent the use of excessive and unreasonable force. But the bill does not remove qualified immunity for police, a controversial measure that shields serving police from legal action for misconduct, following objections from police groups. Critics have for years complained that facial recognition technology is flawed, biased and disproportionately misidentifies people and communities of color. But the bill grants police an exception to run facial recognition searches against the state's driver license database with a warrant. In granting that exception, the state will have to publish annual transparency figures on the number of searches made by officers. "The Massachusetts Senate voted 28-12 to pass, and the House voted 92-67," notes the report. "The bill will now be sent to Massachusetts governor Charlie Baker for his signature."

The Supreme Court will hear arguments on Monday in a case that could lead to sweeping changes to America's controversial computer hacking laws -- and affecting how millions use their computers and access online services. From a report: The Computer Fraud and Abuse Act was signed into federal law in 1986 and predates the modern internet as we know it, but governs to this day what constitutes hacking -- or "unauthorized" access to a computer or network. The controversial law was designed to prosecute hackers, but has been dubbed as the "worst law" in the technology law books by critics who say it's outdated and vague language fails to protect good-faith hackers from finding and disclosing security vulnerabilities. At the center of the case is Nathan Van Buren, a former police sergeant in Georgia. Van Buren used his access to a police license plate database to search for an acquaintance in exchange for cash. Van Buren was caught, and prosecuted on two counts: accepting a kickback for accessing the police database, and violating the CFAA. The first conviction was overturned, but the CFAA conviction was upheld. Van Buren may have been allowed to access the database by way of his police work, but whether he exceeded his access remains the key legal question. Orin Kerr, a law professor at the University of California, Berkeley, said Van Buren vs. United States was an "ideal case" for the Supreme Court to take up. "The question couldn't be presented more cleanly," he argued in a blog post in April.

UK-based cyber-security vendor Sophos is currently notifying customers via email about a security breach the company suffered earlier this week. From a report: "On November 24, 2020, Sophos was advised of an access permission issue in a tool used to store information on customers who have contacted Sophos Support," the company said in an email sent to customers and obtained by ZDNet. Exposed information included details such as customer first and last names, email addresses, and phone numbers (if provided).

An anonymous reader quotes a report from NBC News: Two notebooks written by the famed British naturalist Charles Darwin in 1837 and missing for years may have been stolen from the Cambridge University Library, according to curators who launched a public appeal Tuesday for information. The notebooks, estimated to be worth millions of dollars, include Darwin's celebrated "Tree of Life" sketch that the 19th-century scientist used to illustrate early ideas about evolution. Officials at the Cambridge University Library say the two notebooks have been missing since 2001, and it's now thought that they were stolen.

"I am heartbroken that the location of these Darwin notebooks, including Darwin's iconic 'Tree of Life' drawing, is currently unknown, but we're determined to do everything possible to discover what happened and will leave no stone unturned during this process," Jessica Gardner, the university librarian and director of library services, said in a statement. The lost manuscripts were initially thought to have been misplaced in the university's enormous archives, which house roughly 10 million books, maps and other objects. But an exhaustive search initiated at the start of 2020 -- the "largest search in the library's history," according to Gardner -- failed to turn up the notebooks and they are now being reported as stolen. Cambridge University officials said a police investigation is underway and the notebooks have been added to Interpol's database of stolen artworks.

Amateur astronomer and YouTuber Alberto Caballero, one of the founders of The Exoplanets Channel, has found a small amount of evidence for a source of the notorious Wow! signal. Phys.Org reports: Back in 1977, astronomers working with the Big Ear Radio Telescope -- at the time, situated in Delaware, Ohio -- recorded a unique signal from somewhere in space. It was so strong and unusual that one of the workers on the team, Jerry Ehman, famously scrawled the word Wow! on the printout. Despite years of work and many man hours, no one has ever been able to trace the source of the signal or explain the strong, unique signal, which lasted for all of 72 seconds. Since that time, many people have suggested the only explanation for such a strong and unique signal is extraterrestrial intelligent life.

In this new effort, Caballero reasoned that if the source was some other life form, it would likely be living on an exoplanet -- and if that were the case, it would stand to reason that such a life form might be living on a planet similar to Earth -- one circling its own sun-like star. Pursuing this logic, Caballero began searching the publicly available Gaia database for just such a star. The Gaia database has been assembled by a team working at the Gaia observatory run by the European Space Agency. Launched back in 2013, the project has worked steadily on assembling the best map of the night sky ever created. To date, the team has mapped approximately 1.3 billion stars. In studying his search results, Caballero found what appears to fit the bill -- a star (2MASS 19281982-2640123) that is very nearly a mirror image of the sun -- and is located in the part of the sky where the Wow! signal originated. He notes that there are other possible candidates in the area but suggests his candidate might provide the best launching point for a new research effort by astronomers who have the tools to look for exoplanets. Caballero shared his findings via arXiv.

An anonymous reader quotes a report from Motherboard: The IRS was able to query a database of location data quietly harvested from ordinary smartphone apps over 10,000 times, according to a copy of the contract between IRS and the data provider obtained by Motherboard. The document provides more insight into what exactly the IRS wanted to do with a tool purchased from Venntel, a government contractor that sells clients access to a database of smartphone movements. The Inspector General is currently investigating the IRS for using the data without a warrant to try to track the location of Americans. "This contract makes clear that the IRS intended to use Venntel's spying tool to identify specific smartphone users using data collected by apps and sold onwards to shady data brokers. The IRS would have needed a warrant to obtain this kind of sensitive information from AT&T or Google," Senator Ron Wyden told Motherboard in a statement after reviewing the contract. [...]

One of the new documents says Venntel sources the location information from its "advertising analytics network and other sources." Venntel is a subsidiary of advertising firm Gravy Analytics. The data is "global," according to a document obtained from CBP. Venntel then packages that data into a user interface and sells access to government agencies. A former Venntel worker previously told Motherboard that customers can use the product to search a specific area to see which devices were there, or follow a particular device across time. Venntel provides its own pseudonymous ID to each device, but the former worker said users could try to identify specific people. The new documents say that the IRS' purchase of an annual Venntel subscription granted the agency 12,000 queries of the dataset per year.

"In support of Internal Revenue Service (IRS) Criminal Investigation's (CI) law enforcement investigative mission, the Cyber Crimes Unit (CCU) requires one (1) Venntel Mobile Intelligence web-based subscription," one of the documents reads. "This allows tracing and pattern-of-life analysis on locations of interesting criminal investigations, allowing investigators to trace locations of mobile devices even if a target is using anonymizing technologies like a proxy server, which is common in cyber investigations," it adds.

Saturday saw 2020's virtual observation of the annual Aaron Swartz Day and International Hackathon, which the EFF describes as "a day dedicated to celebrating the continuing legacy of activist, programmer, and entrepreneur Aaron Swartz."

Its official web site notes the wide-ranging event includes "projects and ideas that are still bearing fruit to this day, such as SecureDrop, Open Library, and the Aaron Swartz Day Police Surveillance Project." The event even included a virtual session for the Atlas of Surveillance project which involved documenting instances of law enforcement using surveillance technologies like social media monitoring, automated license plate readers, and body-worn cameras. And EFF special advisor Cory Doctorow, director of strategy Danny O'Brien, and senior activist Elliot Harmon also spoke "about Aaron's legacy and how his work lives on today," according to the EFF's announcement: Aaron Swartz was a brilliant champion of digital rights, dedicated to ensuring the Internet remained a thriving ecosystem for open knowledge. EFF was proud to call him a close friend and collaborator. His life was cut short in 2013, after he was charged under the notoriously draconian Computer Fraud and Abuse Act for systematically downloading academic journal articles from the online database JSTOR.

Federal prosecutors stretch this law beyond its original purpose of stopping malicious computer break-ins, reserving the right to push for heavy penalties for any behavior they don't like that happens to involve a computer. This was the case for Aaron, who was charged with eleven counts under the CFAA. Facing decades in prison, Aaron died by suicide at the age of 26. He would have turned 34 this year, on November 8.

In addition to EFF projects, the hackathon will focus on projects including SecureDrop, Open Library, and the Aaron Swartz Day Police Surveillance Project. The full lineup of speakers includes Aaron Swartz Day co-founder Lisa Rein, SecureDrop lead Mickael E., researcher Mia Celine, Lucy Parsons Lab founder Freddy Martinez, and Brewster Kahle — co-founder of Aaron Swartz Day and the Internet Archive.
All of the presentations are now online.

"A widely used hotel reservation platform has exposed 10 million files related to guests at various hotels around the world, thanks to a misconfigured Amazon Web Services S3 bucket," reports Threatpost.

"The records include sensitive data, including credit-card details." Prestige Software's "Cloud Hospitality" is used by hotels to integrate their reservation systems with online booking websites like Expedia and Booking.com. The incident has affected 24.4 GB worth of data in total, according to the security team at Website Planet, which uncovered the bucket.

Many of the records contain data for multiple hotel guests that were grouped together on a single reservation; thus, the number of people exposed is likely well over the 10 million, researchers said. Some of the records go back to 2013, the team determined — but the bucket was still "live" and in use when it was discovered this month. "The company was storing years of credit-card data from hotel guests and travel agents without any protection in place, putting millions of people at risk of fraud and online attacks," according to the firm, in a recent notice on the issue. "The S3 bucket contained over 180,000 records from August 2020 alone...."

The records contain a raft of information, Website Planet said, including full names, email addresses, national ID numbers and phone numbers of hotel guests; card numbers, cardholder names, CVVs and expiration dates; and reservation details, such as the total cost of hotel reservations, reservation number, dates of a stay, special requests made by guests, number of people, guest names and more. The exposure affects a wide number of platforms, with data related to reservations made through Amadeus, Booking.com, Expedia, Hotels.com, Hotelbeds, Omnibees, Sabre and more....

A too-large percentage of cloud databases containing highly sensitive information are publicly available, an analysis in September found. The study from Comparitch showed that 6 percent of all Google Cloud buckets are misconfigured and left open to the public internet, for anyone to access their contents.

Mike Allen, reporting for Axios: President Trump has told friends he wants to start a digital media company to clobber Fox News and undermine the conservative-friendly network, sources tell Axios. The state of play: Some Trump advisers think Fox News made a mistake with an early call (seconded by AP) of President-elect Biden's win in Arizona. [...] Here's Trump's plan, according to the source: There's been lots of speculation about Trump starting a cable channel. But getting carried on cable systems would be expensive and time-consuming. Instead, Trump is considering a digital media channel that would stream online, which would be cheaper and quicker to start. Trump's digital offering would likely charge a monthly fee to MAGA fans. Many are Fox News viewers, and he'd aim to replace the network -- and the $5.99-a-month Fox Nation streaming service, which has an 85% conversion rate from free trials to paid subscribers -- as their top destination. Trump's database of email and cellphone contacts would be a huge head start. Trump's lists are among the most valuable in politics -- especially his extensive database of cellphone numbers for text messages.

Can algorithms identify unusual medication orders or profiles more accurately than humans? Not necessarily. From a report: A study coauthored by researchers at the Universite Laval and CHU Sainte-Justine in Montreal found that one model physicians used to screen patients performed poorly on some orders. The study offers a reminder that unvetted AI and machine learning may negatively impact outcomes in medicine. Pharmacists review lists of active medications -- i.e., pharmacological profiles -- for inpatients under their care. This process aims to identify medications that could be abused, but most medication orders don't show drug-related problems. Publications from over a decade ago illustrate technology's potential to help pharmacists streamline workflows by taking on tasks like reviewing orders. But while more recent research has investigated AI's potential in pharmacology, few studies have demonstrated its efficacy. The coauthors of this latest work looked at a model deployed in a tertiary-care mother-and-child academic hospital between April 2020 and August 2020. The model was trained on a dataset of 2,846,502 medication orders from 2005 to 2018. These had been extracted from a pharmacy database and preprocessed into 1,063,173 profiles. Prior to data collection, the model was retrained every month with 10 years of the most recent data from the database in order to minimize drift, which occurs when a model loses its predictive power.