Earth

India and Pakistan Dominate WHO's Air Pollution Database (theguardian.com) 18

At this time of year, agricultural burning adds to the air pollution problems across northern India and Pakistan. The region contains 16 of the 20 most polluted cities in the World Health Organization's global PM2.5 database. But are these the most polluted places ever recorded? Lack of measurements makes historic comparisons difficult, but we have some clues. From a report: More than 200 years ago, Benjamin Franklin was famously among the first scientists to study electricity in the atmosphere. Lightning is the most obvious manifestation, but air pollution also changes the electrical properties of our air. Electrical measurements near Hyde Park in about 1790 suggest 18th-century London's particle pollution was perhaps half the annual average in the most polluted cities in modern India.
Security

Configuration Snafu Exposes Passwords For Two Million Marijuana Growers (zdnet.com) 29

An anonymous reader quotes a report from ZDNet: GrowDiaries, an online community where marijuana growers can blog about their plants and interact with other farmers, suffered a security breach in September this year. The breach occurred after the company left two Kibana apps exposed on the internet without administrative passwords. Kibana apps are normally used by a company's IT and development staff, as the app allows programmers to manage Elasticsearch databases via a simple web-based visual interface. Due to its native features, securing Kibana apps is just as important as securing the databases themselves.

But in a report published today on LinkedIn, Bob Diachenko, a security researcher known for discovering and reporting unsecured databases, said GrowDiaries failed to secure two of its Kibana apps, which appear to have been left exposed online without a password since September 22, 2020. Diachenko says these two Kibana apps granted attackers access to two sets of Elasticsearch databases, with one storing 1.4 million user records and the second holding more than two million user data points. The first exposed usernames, email addresses, and IP addresses, while the second database also exposed user articles posted on the GrowDiaries site and users' account passwords. While the passwords were stored in a hashed format, Diachenko said the format was MD5, a hashing function known to be insecure and crackable (allowing threat actors to determine the cleartext version of each password).
The company secured its infrastructure five days after Diachenko reported the exposed Kibana apps on October 10. It's unknown if someone else accessed the databases to download user data.
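The report's point that unsalted MD5 password hashes are "crackable" comes down to one precomputed table matching every user at once. The following added example (not code from GrowDiaries or the ZDNet report; the records, passwords and field names are constructed) shows that lookup against a handful of sample records, and the usual remediation: salted PBKDF2 with an upgrade-on-login path that retires the legacy MD5 hashes.

```python
import hashlib
import hmac
import os

# Constructed sample records in the shape the report describes
# (username, email, unsalted MD5 password hash). The passwords are
# made up and deliberately weak; nothing here is real data.
LEAKED_RECORDS = [
    {"user": "grower01", "email": "g1@example.com",
     "pw_md5": hashlib.md5(b"password123").hexdigest()},
    {"user": "grower02", "email": "g2@example.com",
     "pw_md5": hashlib.md5(b"cannabis").hexdigest()},
    {"user": "grower03", "email": "g3@example.com",
     "pw_md5": hashlib.md5(b"X7#qLp!2vR9z").hexdigest()},
]

# A tiny constructed wordlist; real lists run to billions of entries.
COMMON_PASSWORDS = ["123456", "password", "password123", "cannabis", "letmein"]


def recover_md5_passwords(records, wordlist):
    """Why unsalted MD5 is weak: hash the wordlist once, then every user's
    stored hash can be looked up in that single table."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {r["user"]: table[r["pw_md5"]] for r in records if r["pw_md5"] in table}


# --- Remediation: salted, slow, per-user hashing ---------------------------
PBKDF2_ITERATIONS = 200_000  # assumption: a tunable work factor for this demo


def hash_password(password: str) -> str:
    """Return 'pbkdf2$<iters>$<salt_hex>$<hash_hex>'. A fresh 16-byte salt per
    user means one precomputed table no longer covers the whole database."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login_and_upgrade(record: dict, password: str) -> bool:
    """Legacy-aware login: accept a correct password against the old MD5 hash
    once, then replace it with a PBKDF2 hash so the weak format disappears
    from the database as users log in."""
    if "pw_md5" in record:
        legacy_ok = hmac.compare_digest(
            hashlib.md5(password.encode()).hexdigest(), record["pw_md5"])
        if not legacy_ok:
            return False
        record["pw_hash"] = hash_password(password)
        del record["pw_md5"]
        return True
    return verify_password(password, record["pw_hash"])


if __name__ == "__main__":
    print("recovered from MD5:", recover_md5_passwords(LEAKED_RECORDS, COMMON_PASSWORDS))
    rec = dict(LEAKED_RECORDS[0])
    login_and_upgrade(rec, "password123")
    print("after upgrade:", rec)
```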
Security

23,600 Hacked Databases Have Leaked From a Defunct 'Data Breach Index' Site (zdnet.com) 1

More than 23,000 hacked databases have been made available for download on several hacking forums and Telegram channels in what threat intel analysts are calling the biggest leak of its kind. From a report: The database collection is said to have originated from Cit0Day.in, a private service advertised on hacking forums to other cybercriminals. Cit0day operated by collecting hacked databases and then providing access to usernames, emails, addresses, and even cleartext passwords to other hackers for a daily or monthly fee. Cybercriminals would then use the site to identify possible passwords for targeted users and then attempt to breach their accounts at other, more high-profile sites. The idea behind the site isn't unique, and Cit0Day could be considered a reincarnation of similar "data breach index" services such as LeakedSource and WeLeakInfo, both taken down by authorities in 2018 and 2020, respectively.
Medicine

MIT Team's Cough Detector Identifies 97% of COVID-19 Cases Even In Asymptomatic People 43

Scientists from MIT have developed a new AI model that can detect COVID-19 from a simple forced cough. ScienceAlert reports: Evidence shows that the AI can spot differences in coughing that can't be heard with the human ear, and if the detection system can be incorporated into a device like a smartphone, the research team thinks it could become a useful early screening tool. The work builds on research that was already happening into Alzheimer's detection through coughing and talking. Once the pandemic started to spread, the team turned its attention to COVID-19 instead, tapping into what had already been learned about how disease can cause very small changes to speech and the other noises we make.

The Alzheimer's research repurposed for COVID-19 involved a neural network known as ResNet50. It was trained on a thousand hours of human speech, then on a dataset of words spoken in different emotional states, and then on a database of coughs to spot changes in lung and respiratory performance. When the three models were combined, a layer of noise was used to filter out stronger coughs from weaker ones. Across around 2,500 captured cough recordings of people confirmed to have COVID-19, the AI correctly identified 97.1 percent of them -- and 100 percent of the asymptomatic cases.

That's an impressive result, but there's more work to do yet. The researchers emphasize that its main value lies in spotting the difference between healthy coughs and unhealthy coughs in asymptomatic people -- not in actually diagnosing COVID-19, which a proper test would be required for. In other words, it's an early warning system. The researchers now want to test the engine on a more diverse set of data, and see if there are other factors involved in reaching such an impressively high detection rate. If it does make it to the phone app stage, there are obviously going to be privacy implications too, as few of us will want our devices constantly listening out for signs of ill health.
The research has been published in the IEEE Open Journal of Engineering in Medicine and Biology.
Social Networks

A Nameless Hiker and the Case the Internet Can't Crack (wired.com) 93

The man on the trail went by "Mostly Harmless." He was friendly and said he worked in tech. After he died in his tent, no one could figure out who he was. Wired: It's usually easy to put a name to a corpse. There's an ID or a credit card. There's been a missing persons report in the area. There's a DNA match. But the investigators in Collier County couldn't find a thing. Mostly Harmless' fingerprints didn't show up in any law enforcement database. He hadn't served in the military, and his fingerprints didn't match those of anyone else on file. His DNA didn't match any in the Department of Justice's missing person database or in CODIS, the national DNA database run by the FBI. A picture of his face didn't turn up anything in a facial recognition database. The body had no distinguishing tattoos.

Nor could investigators understand how or why he died. There were no indications of foul play, and he had more than $3,500 cash in the tent. He had food nearby, but he was hollowed out, weighing just 83 pounds on a 5'8" frame. Investigators put his age in the vague range between 35 and 50, and they couldn't point to any abnormalities. The only substances he tested positive for were ibuprofen and an antihistamine. His cause of death, according to the autopsy report, was "undetermined." He had, in some sense, just wasted away. But why hadn't he tried to find help? Almost immediately, people compared Mostly Harmless to Chris McCandless, whose story was the subject of Into the Wild. McCandless, though, had been stranded in the Alaska bush, trapped by a raging river as he ran out of food. He died on a school bus, starving, desperate for help, 22 miles of wilderness separating him from a road. Mostly Harmless was just 5 miles from a major highway. He left no note, and there was no evidence that he had spent his last days calling out for help.

The investigators were stumped. To find out what had happened, they needed to learn who he was. So the Florida Department of Law Enforcement drew up an image of Mostly Harmless, and the Collier County investigators shared it with the public. In the sketch, his mouth is open wide, and his eyes too. He has a gray and black beard, with a bare patch of skin right below the mouth. His teeth, as noted in the autopsy, are perfect, suggesting he had good dental care as a child. He looks startled but also oddly pleased, as if he's just seen a clown jump out from behind a curtain. The image started to circulate online along with other pictures from his campsite, including his tent and his hiking poles.

Medicine

Linux Foundation Creates Its Own Versions of Apple/Google Coronavirus Tracing Apps (businessinsider.com) 50

"The Linux Foundation has formed a new group to provide public health authorities with free technology for tracking the spread of the coronavirus and future epidemics," writes Business Insider. Launched in July, the group has already released two apps "that notify users if they've been in contact with someone who has tested positive with COVID-19." Since these apps are open source, people can contribute code and customize them, allowing regions with similar needs to collaborate, general manager at Linux Foundation Public Health, Dan Kohn, told Business Insider. Developers that want to build an app off these projects can access or download the source code.

These apps take advantage of technology launched by Apple and Google, which can be integrated into any app, that uses Bluetooth on people's smartphones to track who a user has been in close proximity with, without identifying the specific people. If anyone tests positive for COVID-19 and uploads that information to a database run by a local public health authority, any user who has been in close contact with that person will get a notification through their app saying they may have been exposed — again, without identifying who has COVID-19. If someone knows that they may have been exposed, they can either self-quarantine or get tested.

"Essentially we think exposure notification could have a big impact on reducing the overall rate of exposure," Kohn said. An Oxford University study in April said that if about 60% of the population used a contact tracing app, it could grind the disease's spread to a halt. Researchers on the team also found that digital contact tracing can cut down spread even at much lower levels of usage.
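The privacy property the paragraphs above describe (a match is found without the health authority or other users learning who was exposed to whom) rests on phones broadcasting short rotating identifiers derived from a per-day secret, and only positive users' secrets ever leaving the phone. The following added example is a simplified model of that design, not the Apple/Google framework's code or the Linux Foundation apps; the key sizes, interval length, HMAC derivation and the three-phone scenario are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Assumptions of this simplified model (not the real framework's parameters):
# one random 16-byte secret per day, a new identifier every 10 minutes.
INTERVAL_MINUTES = 10
INTERVALS_PER_DAY = 24 * 60 // INTERVAL_MINUTES


def new_daily_key() -> bytes:
    return os.urandom(16)


def rolling_identifier(daily_key: bytes, interval: int) -> bytes:
    """Identifier broadcast over Bluetooth during one interval. Without the
    daily key, identifiers from different intervals cannot be linked."""
    return hmac.new(daily_key, interval.to_bytes(2, "big"), hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self):
        self.daily_keys: list = []   # this phone's own secrets, never broadcast
        self.observed: set = set()   # identifiers heard from nearby phones

    def start_day(self):
        self.daily_keys.append(new_daily_key())

    def broadcast(self, interval: int) -> bytes:
        return rolling_identifier(self.daily_keys[-1], interval)

    def hear(self, identifier: bytes):
        self.observed.add(identifier)

    def keys_for_upload(self) -> list:
        """What a confirmed-positive user sends to the health authority's database."""
        return list(self.daily_keys)

    def check_exposure(self, published_keys: list) -> bool:
        """Re-derive every identifier a positive user could have broadcast and
        compare locally against what this phone heard; the authority learns
        nothing about this phone, and the positive user is not named."""
        for key in published_keys:
            for interval in range(INTERVALS_PER_DAY):
                if rolling_identifier(key, interval) in self.observed:
                    return True
        return False


def simulate() -> tuple:
    """Constructed scenario: A and B meet, C only ever meets B, A tests positive.
    Returns (B exposed?, C exposed?)."""
    a, b, c = Phone(), Phone(), Phone()
    for p in (a, b, c):
        p.start_day()
    for interval in (40, 41, 42):        # A and B near each other for 30 minutes
        b.hear(a.broadcast(interval))
        a.hear(b.broadcast(interval))
    c.hear(b.broadcast(50))              # C meets B, never A
    authority_db = a.keys_for_upload()   # A uploads after a positive test
    return b.check_exposure(authority_db), c.check_exposure(authority_db)


if __name__ == "__main__":
    print("B exposed, C exposed:", simulate())
```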

The Courts

Grubhub Hit With Lawsuit for Listing Restaurants Without Permission (eater.com) 154

Two restaurants have initiated a potential class-action lawsuit against GrubHub for allegedly listing 150,000 restaurants on its site without the businesses' permission. From a report: The Farmer's Wife in Sebastopol, California and Antonia's Restaurant in Hillsborough, NC filed the suit with Gibbs Law Group, accusing Grubhub of adding their restaurants to its site despite not entering into a partnership, which causes "significant damage to their hard-earned reputations, loss of control over their customers' dining experiences, loss of control over their online presence, and reduced consumer demand for their services." Grubhub has explicitly made this false partnership part of their business strategy. Last October, CEO Matt Maloney said the company would be piloting a new initiative of adding more restaurants to its searchable database without entering into an official partnership with them, so customers would believe they had more delivery options with Grubhub, and wouldn't switch to competitors.

It works like this: if you happened to order from a non-partnered restaurant, "the order doesn't go directly to the restaurant," says the lawsuit. "It goes instead to a Grubhub driver, who must first figure out how to contact the restaurant and place the order. Sometimes it's possible to place orders with the restaurant by phone, but other times the restaurant will only accept orders in person. The extra steps often lead to mistakes in customers' orders and often the restaurant won't receive the order at all." Grubhub also wouldn't warn restaurants before they were listed, which led to restaurants suddenly being inundated with Grubhub orders they never expected. Often, Grubhub would list outdated menus with the wrong prices, or include restaurants that don't even offer take-out, leading to canceled orders. The lawsuit includes screenshots from the pages Grubhub created for The Farmer's Wife and Antonia's, using their respective names and logos. The Farmer's Wife alleges the pages are "inaccurate and suggests that The Farmer's Wife is offering to make food that it does not actually make and has never made," which the lawsuit claims hurts the restaurant's reputation, and leads customers to become frustrated with service the restaurant never agreed to provide in the first place. And both restaurants say the language Grubhub uses suggests a partnership that doesn't exist, and in Antonia's case, was actively declined when Grubhub approached them.
Further reading: Even If You're Trying To Avoid Grubhub By Calling Your Favorite Restaurant Directly, Grubhub Could Still Be Charging It A Fee; Meal-Delivery Company GrubHub is Buying Thousands of Restaurant Web Addresses, Preventing Mom and Pop From Owning Their Slice of Internet.
Privacy

CBP Refuses To Tell Congress How It's Tracking Americans Without a Warrant (vice.com) 72

An anonymous reader quotes a report from Motherboard: U.S. Customs and Border Protection is refusing to tell Congress what legal authority the agency is following to use commercially bought location data to track Americans without a warrant, according to the office of Senator Ron Wyden. The agency is buying location data from Americans all over the country, not just in border areas. The lack of disclosure around why CBP believes it does not need a warrant to use the data, as well as the Department of Homeland Security not publishing a Privacy Impact Assessment on the use of such location information, has spurred Wyden and Senators Elizabeth Warren, Sherrod Brown, Ed Markey, and Brian Schatz on Friday to ask the DHS Office of the Inspector General (DHS OIG) to investigate CBP's warrantless domestic surveillance of phones, and determine if CBP is breaking the law or engaging in abusive practices.

The news highlights the increased use of app location data by U.S. government agencies. Various services take location data which is harvested from ordinary apps installed on people's phones around the world, repackage that, and sell access to law enforcement agencies so they can try to track groups of people or individuals. In this case, CBP has bought the location data from a firm called Venntel. "CBP officials confirmed to Senate staff that the agency is using Venntel's location database to search for information collected from phones in the United States without any kind of court order," the letter signed by Wyden and Warren, and addressed to the DHS OIG, reads. "CBP outrageously asserted that its legal analysis is privileged and therefore does not have to be shared with Congress. We disagree." As well as not obtaining court orders to query the data, CBP said it's not restricting its personnel to only using it near the border, the Wyden aide added. CBP is unable to tell what nationality a particular person is based only on the information provided by Venntel; but what the agency does know is that the Venntel data the agency is using includes the movements of people inside the United States, the Wyden aide said.

AI

Activists Turn Facial Recognition Tools Against the Police (nytimes.com) 78

An anonymous reader quotes a report from The New York Times: In early September, the City Council in Portland, Ore., met virtually to consider sweeping legislation outlawing the use of facial recognition technology. The bills would not only bar the police from using it to unmask protesters and individuals captured in surveillance imagery; they would also prevent companies and a variety of other organizations from using the software to identify an unknown person. During the time for public comments, a local man, Christopher Howell, said he had concerns about a blanket ban. He gave a surprising reason. "I am involved with developing facial recognition to in fact use on Portland police officers, since they are not identifying themselves to the public," Mr. Howell said. Over the summer, with the city seized by demonstrations against police violence, leaders of the department had told uniformed officers that they could tape over their name. Mr. Howell wanted to know: Would his use of facial recognition technology become illegal?

Portland's mayor, Ted Wheeler, told Mr. Howell that his project was "a little creepy," but a lawyer for the city clarified that the bills would not apply to individuals. The Council then passed the legislation in a unanimous vote. Mr. Howell was offended by Mr. Wheeler's characterization of his project but relieved he could keep working on it. "There's a lot of excessive force here in Portland," he said in a phone interview. "Knowing who the officers are seems like a baseline." Mr. Howell, 42, is a lifelong protester and self-taught coder; in graduate school, he started working with neural net technology, an artificial intelligence that learns to make decisions from data it is fed, such as images. He said that the police had tear-gassed him during a midday protest in June, and that he had begun researching how to build a facial recognition product that could defeat officers' attempts to shield their identity. Mr. Howell is not alone in his pursuit. Law enforcement has used facial recognition to identify criminals, using photos from government databases or, through a company called Clearview AI, from the public internet. But now activists around the world are turning the process around and developing tools that can unmask law enforcement in cases of misconduct.
The report also mentions a few other projects around the world that are using facial recognition tools against the police.

An online exhibit called "Capture," was created by artist Paolo Cirio and includes photos of 4,000 faces of French police officers. It's currently down because France's interior minister threatened legal action against Mr. Cirio but he hopes to republish them.

Andrew Maximov, a technologist from Belarus, uploaded a video to YouTube that demonstrated how facial recognition technology could be used to digitally strip away masks from police officers.

The report also notes that older attempts to identify police officers have relied on crowdsourcing. For example, news service ProPublica asks readers to identify officers in a series of videos of police violence. There's also OpenOversight, a "public searchable database of law enforcement officers" that asks people to upload photos of uniformed officers and match them to the officers' names or badge numbers.
Science

Do the Faces of People In Long-Term Relationships Start To Look the Same? (theguardian.com) 73

An anonymous reader quotes a report from The Guardian: Working with her Stanford colleague, Michal Kosinski, [Pin Pin Tea-makorn, a PhD student at Stanford] scoured Google, newspaper anniversary notices and genealogy websites for photos of couples taken at the start of their marriages and many years later. From these they compiled a database of pictures from 517 couples, taken within two years of tying the knot and between 20 and 69 years later. To test whether couples' faces grew alike over time, the researchers showed volunteers a photo of a "target" person accompanied by six other faces, one being their spouse, with the other five faces selected at random. The volunteers were then asked to rank how similar each of the six faces were to the target individual. The same task was then performed by cutting-edge facial recognition software.

In the original study in 1987, the late psychologist Robert Zajonc, at the University of Michigan, had volunteers rank the photos of only a dozen couples. He concluded that couples' faces became more alike as their marriages went on, with the effect being greater the happier they were. The explanation, psychologists have argued, is that sharing lives shapes people's faces, with diet, lifestyle, time outdoors, and laughter lines all having a part to play. However, writing in Scientific Reports, Tea-makorn and Kosinski describe how they found no evidence for couples looking more alike as time passed. They did, however, look more alike than random pairs of people at the start of their relationship. Tea-makorn said people may seek out similar-looking partners, just as they look for mates with matching values and personalities.

Security

America's 'Cyber Command' Is Trying to Disrupt the World's Largest Botnet (krebsonsecurity.com) 37

The Washington Post reports: In recent weeks, the U.S. military has mounted an operation to temporarily disrupt what is described as the world's largest botnet — one used also to drop ransomware, which officials say is one of the top threats to the 2020 election.

U.S. Cyber Command's campaign against the Trickbot botnet, an army of at least 1 million hijacked computers run by Russian-speaking criminals, is not expected to permanently dismantle the network, said four U.S. officials, who spoke on the condition of anonymity because of the matter's sensitivity. But it is one way to distract them at least for a while as they seek to restore operations.

U.S. Cyber Command also "stuffed millions of bogus records about new victims into the Trickbot database — apparently to confuse or stymie the botnet's operators," reports security researcher Brian Krebs: Alex Holden, chief information security officer and president of Milwaukee-based Hold Security, has been monitoring Trickbot activity before and after the 10-day operation. Holden said while the attack on Trickbot appears to have cut its operators off from a large number of victim computers, the bad guys still have passwords, financial data and reams of other sensitive information stolen from more than 2.7 million systems around the world. Holden said the Trickbot operators have begun rebuilding their botnet, and continue to engage in deploying ransomware at new targets. "They are running normally and their ransomware operations are pretty much back in full swing," Holden said. "They are not slowing down because they still have a great deal of stolen data."

Holden added that since news of the disruption first broke a week ago, the Russian-speaking cybercriminals behind Trickbot have been discussing how to recoup their losses, and have been toying with the idea of massively increasing the amount of money demanded from future ransomware victims.

Earth

The World's First Carbon Dioxide Removal Law Database 15

Today, researchers at Columbia University launched the world's first database of carbon dioxide removal laws, providing an annotated bibliography of legal materials related to carbon dioxide removal and carbon sequestration and use. It is publicly available at cdrlaw.org. Phys.Org reports: The site has 530 resources on legal issues related to carbon dioxide removal, including such techniques as: direct air capture; enhanced weathering; afforestation/reforestation; bioenergy with carbon capture and storage; biochar; ocean and coastal carbon dioxide removal; ocean iron fertilization; and soil carbon sequestration. The database also includes 239 legal resources on carbon capture and storage, utilization, and transportation. New resources are constantly being added.

This site was created by the Sabin Center for Climate Change Law at Columbia Law School, in cooperation with the Carbon Management Research Initiative at the Center on Global Energy Policy at Columbia's School of International and Public Affairs. Generous financial support was provided by the ClimateWorks Foundation and the Earth Institute at Columbia University. The Sabin Center is also undertaking a series of white papers with in-depth examinations of the legal issues in particular carbon dioxide removal technologies. The first of these, "The Law of Enhanced Weathering for Carbon Dioxide Removal," by Romany M. Webb, has just been released.
Privacy

DHS Admits Facial Recognition Photos Were Hacked, Released On Dark Web (vice.com) 22

An anonymous reader quotes a report from Motherboard: The Department of Homeland Security (DHS) finally acknowledged Wednesday that photos that were part of a facial recognition pilot program were hacked from a Customs and Border Control subcontractor and were leaked on the dark web last year. Among the data, which was collected by a company called Perceptics, was a trove of travelers' faces, license plates, and car information. The information made its way to the Dark Web, despite DHS claiming it hadn't. In a newly released report about the incident, the DHS Office of Inspector General admitted that 184,000 images were stolen and at least 19 of them were posted to the Dark Web.

"CBP did not adequately safeguard sensitive data on an unencrypted device used during its facial recognition technology pilot," the report found. "This incident may damage the public's trust in the Government's ability to safeguard biometric data and may result in travelers' reluctance to permit DHS to capture and use their biometrics at U.S. ports of entry." According to the new report, DHS's biometric database "contains the biometric data repository of more than 250 million people and can process more than 300,000 biometric transactions per day. It is the largest biometric repository in the Federal Government, and DHS shares this repository with the Department of Justice and the Department of Defense." "A subcontractor working on this effort, Perceptics, LLC, transferred copies of CBP's biometric data, such as traveler images, to its own company network," the report found.
"The DHS OIG made several recommendations in its report that all boil down to 'tighten up security and make sure this doesn't happen again,'" the report adds.
Australia

Chinese Intelligence Compiles 'Vast Database' About Millions Around the World (abc.net.au) 75

Australia's national public broadcaster ABC reports: A Chinese company with links to Beijing's military and intelligence networks has been amassing a vast database of detailed personal information on thousands of Australians, including prominent and influential figures. A database of 2.4 million people, including more than 35,000 Australians, has been leaked from the Shenzhen company Zhenhua Data which is believed to be used by China's intelligence service, the Ministry of State Security. Zhenhua has the People's Liberation Army and the Chinese Communist Party among its main clients.

Information collected includes dates of birth, addresses, marital status, along with photographs, political associations, relatives and social media IDs. It collates Twitter, Facebook, LinkedIn, Instagram and even TikTok accounts, as well as news stories, criminal records and corporate misdemeanours. While much of the information has been "scraped," some profiles have information which appears to have been sourced from confidential bank records, job applications and psychological profiles.

The company is believed to have sourced some of its information from the so-called "dark web". One intelligence analyst said the database was "Cambridge Analytica on steroids", referring to the trove of personal information sourced from Facebook profiles in the lead up to the 2016 US election campaign. But this data dump goes much further, suggesting a complex global operation using artificial intelligence to trawl publicly available data to create intricate profiles of individuals and organisations, potentially probing for compromise opportunities.

Zhenhua Data's chief executive Wang Xuefeng, a former IBM employee, has used Chinese social media app WeChat to endorse waging "hybrid warfare" through manipulation of public opinion and "psychological warfare"....

The database was leaked to a US academic, who worked with Canberra cyber security company Internet 2.0 and "was able to restore 10 per cent of the 2.4 million records for individuals...

"Of the 250,000 records recovered, there are 52,000 on Americans, 35,000 Australians, 10,000 Indian, 9,700 British, 5,000 Canadians, 2,100 Indonesians, 1,400 Malaysia and 138 from Papua New Guinea."
Businesses

The 'Brushing' Scam That's Behind Mystery Parcels (bbc.com) 142

If you've ever received a parcel from a shopping platform that you didn't order, and nobody you know seems to have bought it for you, you might have been caught up in a "brushing" scam. From a report: It has hit the headlines after thousands of Americans received unsolicited packets of seeds in the mail, but it is not new. It's an illicit way for sellers to get reviews for their products. And it doesn't mean your account has been hacked. Here's an example of how it works: let's say I set myself up as a seller on Amazon, for my product, Kleinman Candles, which cost $3 each. I then set up a load of fake accounts, and I find random names and addresses either from publicly available information or from a leaked database that's doing the rounds from a previous data breach. I order Kleinman Candles from my fake accounts and have them delivered to the addresses I have found, with no information about where they have been sent from. I then leave positive reviews for Kleinman Candles from each fake account -- which has genuinely made a purchase.

This way my candle shop page gets filled with glowing reviews (sorry), my sales figures give me an algorithmic popularity boost as a credible merchant -- and nobody knows that the only person buying and reviewing my candles is myself. It tends to happen with low-cost products, including cheap electronics. It's more a case of fake marketing than cyber-crime, but "brushing" and fake reviews are against Amazon's policies. Campaign group Which? advises that you inform the platform they are sent by of any unsolicited goods.

Transportation

How a White-Hat Hacker Once Gained Control of Tesla's Entire Fleet (electrek.co) 42

"A few years ago, a hacker managed to exploit vulnerabilities in Tesla's servers to gain access and control over the automaker's entire fleet," remembers Electrek (in a story shared by long-time Slashdot reader AmiMoJo).

Tesla enthusiast Jason Hughes had already received a $5,000 bug bounty for reporting a vulnerability, but "knowing that their network wasn't the most secure, to say the least, he decided to go hunting for more bug bounties." After some poking around, he managed to find a bunch of small vulnerabilities. The hacker told Electrek, "I realized a few of these things could be chained together, the official term is a bug chain, to gain more access to other things on their network. Eventually, I managed to access a sort of repository of server images on their network, one of which was 'Mothership'." Mothership is the name of Tesla's home server used to communicate with its customer fleet.

Any kind of remote commands or diagnostic information from the car to Tesla goes through "Mothership." After downloading and dissecting the data found in the repository, Hughes started using his car's VPN connection to poke at Mothership. He eventually landed on a developer network connection. That's when he found a bug in Mothership itself that enabled him to authenticate as if it was coming from any car in Tesla's fleet.

All he needed was a vehicle's VIN, and he had access to all of those through Tesla's "tesladex" database thanks to his complete control of Mothership, and he could get information about any car in the fleet and even send commands to those cars.

Last week Hughes released an annotated version of the bug report he'd submitted to Tesla. "Hughes couldn't really send Tesla cars driving around everywhere..." reports Electrek, "but he could 'Summon' them..." Tesla gave him a special $50,000 bug report reward — several times higher than their usual maximum — and "used the information provided by Hughes to secure its network."

Electrek calls it "a good example of the importance of whitehat hackers."
AI

Clearview AI CEO Says 'Over 2,400 Police Agencies' Are Using Its Facial Recognition Software (theverge.com) 14

More than 2,400 police agencies have entered contracts with Clearview AI, a controversial facial recognition firm, according to comments made by Clearview AI CEO Hoan Ton-That in an interview with Jason Calacanis on YouTube. The Verge reports: The hour-long interview references an investigation by The New York Times published in January, which detailed how Clearview AI scraped data from sites including Facebook, YouTube, and Venmo to build its database. The scale of that database and the methods used to construct it were already controversial before the summer of protests against police violence. "It's an honor to be at the center of the debate now and talk about privacy," Ton-That says in the interview, going on to call the Times investigation "actually extremely fair." "Since then, there's been a lot of controversy, but fundamentally, this is such a great tool for society," Ton-That says.

Ton-That also gave a few more details on how the business runs. Clearview is paid depending on how many licenses a client adds, among other factors, but Ton-That describes the licenses as "pretty inexpensive, compared to what's come previously" in his interview. Ton-That ballparks Clearview's fees as $2,000 a year for each officer with access. According to Ton-That, Clearview AI is primarily used by detectives.
AI

Are We Ready for Driverless Trucks? (cbsnews.com) 313

Two million truckers move 70% of America's goods. But hundreds of thousands of their jobs could be disrupted, reports Jon Wertheim on the CBS news show 60 Minutes, in "a high-stakes, high-speed race pitting the usual suspects — Google and Tesla and other global tech firms — against small start-ups smelling opportunity."

One of those startups is TuSimple, and their company's chief product officer points out that an AI driving system never gets distracted or falls asleep at the wheel: Chuck Price has unshakable confidence in the reliability of the technology; as do some of the biggest names in shipping: UPS, Amazon and the U.S. Postal Service ship freight with TuSimple trucks. All in, each unit costs more than a quarter million dollars. Not a great expense, considering it's designed to eliminate the annual salary of a driver; currently around $45,000. Another savings: the driverless truck can get coast-to-coast in two days, not four, stopping only to refuel — though a human still has to do that...

Jon Wertheim: How far are we from being able to pick up the specific cars that are passing us? "Oh, that's Joe from New Jersey with six points on his license."

Chuck Price: We can read license plates. So if there was an accessible database for something like that, we could...

Test Driver Maureen Fitzgerald: This truck is scanning mirrors, looking 1,000 meters out. It's processing all the things that my brain could never do and it can react 15 times faster than I could.

Most of her two million fellow truckers are less enthusiastic. Automated trucking threatens to jack-knife an entire $800 billion industry. Trucking is among the most common jobs for Americans without a college education.... Sam Loesche represents 600,000 truckers for the Teamsters. He's concerned that federal, state and local governments have only limited access to the driverless technology.

Sam Loesche: A lot of this information, understandably, is proprietary. Tech companies wanna keep, you know, their algorithms and their safety data — secret until they can kinda get it right. The problem is that, in the meantime, they're testing this technology on public roads. They're testing it next to you as you drive down the road...

Piracy

Anti-Piracy Outfit Hires VPN Expert To Help Track Down The Pirate Bay (torrentfreak.com) 67

Movie companies and their anti-piracy partners are pressing ahead with their legal action to track down The Pirate Bay. The site reportedly used VPN provider OVPN, which carries no logs, but a security expert -- one that regularly penetration tests several major VPN providers -- believes that information about the notorious site could still be obtained. TorrentFreak reports: After a period of what seemed like calm, this year it became clear that the site's old enemies, Swedish anti-piracy group Rights Alliance, were again working to get closer to the site and its operators. We've covered the back story in detail but in summary, the site is alleged to have used Swedish VPN provider OVPN to hide its true location and Rights Alliance is now engaged in legal action to get its hands on whatever information the VPN provider may hold. The most recent move, playing out this week, is that Rights Alliance has provided testimony from an expert witness, one that has masses of experience in the VPN field.

The name 'Cure53' may not sound familiar to regular Internet users but the cyber-security company is well known for its first-class abilities in penetration testing. So much so, in fact, that the company has audited some of the most popular VPN providers in the world, including Mullvad, Surfshark, and TunnelBear. Given its experience in the field, it's no surprise that Rights Alliance has also sought the expert opinion of someone involved in Cure53 to assess this VPN-related matter. Importantly, there doesn't appear to be any conflict of interest here, since the conclusions drawn are purely technical in nature and rely on experience and general facts, something we will touch on later. The expert opinion, which appeared in court documents reviewed by TorrentFreak this week, is from Jesper Larsson, who works at security company Ox4a but is involved with Cure53, where he "regularly" performs penetration tests against the "ten largest VPN Providers in the world." His testimony reveals that he has been commissioned by Sara Lindback of Rights Alliance to comment on how a VPN service works and specifically, what information might potentially be stored at OVPN in relation to The Pirate Bay.

"It is clear on OVPN's website that it strives to protect its users' privacy by storing as little user data as possible in their databases," the testimony filed with the court and obtained by TorrentFreak reads. "Although [OVPN] strive to store as little data as possible, there must be data connecting users and identities to make the VPN service work. In this case, a user has paid for a VPN account with the ability to connect a public static address to OVPN which the user has then chosen to link to the file sharing site 'the piratebay,' i.e. the user has configured his VPN account to point to the given domain." [...] "For this type of configuration to be possible, data about the configuration must be stored at OVPN at least during the time when the account is active," Larsson continues. "It should be considered extremely likely that the user or identity associated with the above configuration is stored in a user database where a given user can be connected to the VPN configuration, configuration regarding where the static IP address should be pointed to, and payment information that should describe how long a given account is active and which payment method the user has used. OVPN should thus be able to search its VPN servers for the given IP address, or alternatively search in their user databases or in backups of these to locate a given user or identity," the security expert adds.

Privacy

235 Million Instagram, TikTok and YouTube User Profiles Exposed In Massive Data Leak (forbes.com) 19

An anonymous reader quotes a report from Forbes: The security research team at Comparitech today disclosed how an unsecured database left almost 235 million Instagram, TikTok and YouTube user profiles exposed online in what can only be described as a massive data leak. The data was spread across several datasets; the most significant being two coming in at just under 100 million each and containing profile records apparently scraped from Instagram. The third-largest was a dataset of some 42 million TikTok users, followed by just under 4 million YouTube user profiles.

Comparitech says that, based on the samples it collected, one in five records contained either a telephone number or email address. Every record also included at least some, sometimes all, the following information: Profile name; Full real name; Profile photo; and Account description. Statistics about follower engagement, including: Number of followers; Engagement rate; Follower growth rate; Audience gender; Audience age; Audience location; Likes; Last post timestamp; Age; and Gender. "The information would probably be most valuable to spammers and cybercriminals running phishing campaigns," Paul Bischoff, Comparitech editor, says. "Even though the data is publicly accessible, the fact that it was leaked in aggregate as a well-structured database makes it much more valuable than each profile would be in isolation," Bischoff adds. Indeed, Bischoff told me that it would be easy for a bot to use the database to post targeted spam comments on any Instagram profile matching criteria such as gender, age or number of followers.
The data appeared to have originated from a company called Deep Social, which was banned by both Facebook and Instagram in 2018 after scraping user profile data. The company was wound down sometime after this.

The researchers reached out to Deep Social, which then forwarded the disclosure to a Hong Kong-registered social media influencer data-marketing company called Social Data. Social Data shut down the database about three hours after the researchers' initial email. "Social Data has denied any connection between itself and Deep Social," reports Forbes, citing Comparitech.
