My Weekly RoundUp #101

Last week several things caught my eye: cybersecurity news, interesting articles and new upcoming TV shows.
But first of all I want to talk about an interesting project: a videogame developed by a team of students as their final degree project.

Codename “Schism”

Recently I was in the audience for a final degree examination.
The final project is a fantasy videogame named “Schism”.

The team developed the concept and storyboard, created all the graphical artwork (characters, textures, visual effects) and put it all together using Unreal Engine 4.

The result is a playable demo of the first boss fight, as well as physical goodies such as an artbook and 3D printed characters.
A great job from a team of young and passionate nerds: I think it is nice to give it the proper prominence.

[Images: The demo; Artbook and Gadgets (click for full ArtBook); The team; The tools]

Privacy

Bad week for British Airways:

British Airways faces record $230 million GDPR fine over data breach

British Airways (BA) is facing a record £183.39 million ($230 million) fine over a 2018 security breach that compromised the personal data of roughly 500,000 customers.
The U.K. Information Commissioner’s Office (ICO) said that it has “issued a notice of its intention” to levy the gargantuan fine against BA, which now has 28 days to appeal before the ICO settles on a final figure.

The breach, which the ICO said it believes started back in June 2018 some three months before it was eventually reported, was the result of “poor security arrangements,” according to a statement. A fraudulent website had been set up by an unknown third party to receive redirected BA traffic, which harvested personal data such as login information, payment card details, names, addresses, and travel booking details.

https://venturebeat.com/2019/07/08/british-airways-faces-record-230-million-gdpr-fine-over-data-breach/

Finally, a watchdog with teeth! BA’s £183m fine shows that the ICO means business

How do you know today’s £183m fine on British Airways for a huge data theft from its website is a landmark ruling? Is it because it was the first made public by the Information Commissioner’s Office (ICO) since GDPR privacy laws came into force? Or perhaps because the slap on the wrist is 366 times bigger than the ICO’s previous record?
No. You know it was a landmark ruling because of the outrage and disbelief seeping through every syllable of BA’s reaction. “We found no evidence of fraud on accounts linked to the theft,” pleaded Alex Cruz, British Airways’ chairman and chief executive. “We responded quickly. We apologise.” In other words, nothing bad happened, we told the ICO promptly just like we were meant to and we’re even saying sorry. So why are we getting clobbered? He might as well have tweeted: “Waaaaah, UNFAIR!”
Willie Walsh, CEO of IAG, which owns BA, preferred to come out swinging, promising appeals and a “vigorous” defence. He might as well have said: “You’ll never get away with this!”

https://www.telegraph.co.uk/technology/2019/07/08/finally-watchdog-teeth-bas-183m-fine-shows-ico-means-business/

Frankly, I expected it:

Yep, human workers are listening to recordings from Google Assistant, too

A report from Belgian public broadcaster VRT NWS has revealed how contractors paid to transcribe audio clips collected by Google’s AI assistant can end up listening to sensitive information about users, including names, addresses, and details about their personal lives.
It’s the latest story showing how our interactions with AI assistants are not as private as we may like to believe. Earlier this year, a report from Bloomberg revealed similar details about Amazon’s Alexa, explaining how audio clips recorded by Echo devices are sent without users’ knowledge to human contractors, who transcribe what’s being said in order to improve the company’s AI systems.

https://www.theverge.com/2019/7/11/20690020/google-assistant-home-human-contractors-listening-recordings-vrt-nws

Google employees are eavesdropping, even in Flemish living rooms, VRT NWS has discovered

Google employees are systematically listening to audio files recorded by Google Home smart speakers and the Google Assistant smartphone app. Throughout the world – so also in Belgium and the Netherlands – people at Google listen to these audio files to improve Google’s search engine. VRT NWS was able to listen to more than a thousand recordings. Most of these recordings were made consciously, but Google also listens to conversations that should never have been recorded, some of which contain sensitive information.

https://www.vrt.be/vrtnws/en/2019/07/10/google-employees-are-eavesdropping-even-in-flemish-living-rooms/

Technology

Some updates from Elon Musk:

Elon Musk says free self-driving chip upgrade could come to older Teslas this year

Tesla CEO Elon Musk says the company will “most likely” start retrofitting its new, more powerful processing chip into older vehicles near the end of the year. The new FSD chip is the first to have been designed in-house. Tesla says it offers 21 times the performance of the Nvidia chips it replaces — a claim Nvidia disputes. The new chip has been shipping in Model S, X, and 3 cars since before its announcement, but soon it will be offered as a free upgrade to half a million Tesla owners.
Elon Musk has made big promises about the new chip, which he claims has enough power to eventually allow for fully self-driving cars, if and when the software catches up. The upgraded FSD computer includes two of these new chips for redundancy. Despite being a lot more powerful, the company says the new chip costs 20 percent less than its previous “HW2+” Nvidia hardware, and only draws a bit more power.

https://www.theverge.com/2019/7/8/20685873/tesla-fsd-chip-upgrade-2019-install-hw2-full-self-driving

Elon Musk teases possible late July Starship presentation following engine test

Elon Musk was fielding a number of questions from fans on Twitter on Sunday, and revealed that the current target for a full presentation of Starship, SpaceX’s next-generation reusable rocket and a key piece of the company’s plan to reach Mars, could come as soon as “late July.”
The SpaceX CEO also noted that the company’s most recent test of one of its Raptor rocket engines (officially test ‘SN6’) was “overall successful,” despite an abort, since the whole purpose of the test was to test the outward limits of the new engine’s tolerances on fueling mixture ratios.

Sad news:

Fernando “Corby” Corbató, MIT computer science pioneer, dies at 93

Most people who use Linux know that the name is a sort-of pun on Unix, the operating system that Linux most resembles.
And Unix, of course, is the operating system behind a significant proportion of the devices out there that don’t run Linux, being at the heart of Apple’s macOS and iOS systems, as well as the various and widely-used open source BSD distributions.
But nowhere near as many people realise that the name Unix was originally Unics, and was itself a pun on Multics, the ground-breaking multiuser operating system that gave rise to the Unix project itself.
Multics, in turn, was essentially Version 2 of a Massachusetts Institute of Technology (MIT) operating system called CTSS, short for Compatible Time-Sharing System.

The man behind CTSS and Multics, the man who did the groundwork that made Unix happen, was Fernando José Corbató, better known simply as Corby.
Corby won the 1990 Alan Turing Award – the equivalent of a Nobel Prize in Computer Science, and that brings us to that sad news that Corby died yesterday at the age of 93.

https://nakedsecurity.sophos.com/2019/07/13/in-memoriam-corby-corbato-mit-computer-science-pioneer-dies-at-93/

Last Friday, legendary MIT computer scientist Fernando “Corby” Corbató passed away at his home in Newton, Massachusetts. He was 93.
The Oakland-born researcher was responsible for several pivotal advances in the computer science space, most notably the password, which he invented during his pioneering work in computer time sharing.
Corbató led the development of the Computer Time-Sharing System (CTSS), which is regarded as one of the world’s first operating systems. This allowed multiple people to use a computer at the same time, accelerating the pace in which programmers worked. It’s also credited as the first computer system to use passwords.

https://thenextweb.com/dd/2019/07/13/rip-fernando-corby-corbato-inventor-of-the-password-1926-2019/

An unusual usage of “ultra-long exposures”:

Final cut: films condensed into a single frame

Jason Shulman captures the entire duration of a movie in a single image with his series Photographs of Films. New large-scale versions of the works are being shown as part of the Photo London festival, 17-21 May.

https://www.theguardian.com/artanddesign/gallery/2017/may/16/jason-shulman-films-condensed-into-a-single-photo-frame-in-pictures

And finally, good news for Amazon Prime Video users!

Prime Video is on Chromecast and Android TV, plus YouTube on Fire TV

It’s Prime time to sit back, relax and watch TV. Starting today, you can watch Amazon Prime Video on Chromecast and Android TV devices, giving Prime members unlimited access to their favorite Amazon Originals, films and more. Meanwhile, you can also now access the official YouTube app on select Amazon Fire TV devices.

https://blog.google/products/chromecast/prime-video-chromecast-android-tv-youtube-fire-tv/

Cybersecurity

Have you installed Zoom on your Mac? Be careful! (But don’t worry, Apple released a silent update!)

Silent Mac update nukes dangerous webserver installed by Zoom

Apple said it has pushed a silent macOS update that removes the undocumented webserver that was installed by the Zoom conferencing app for Mac.

The webserver accepts connections from any device connected to the same local network, a security researcher disclosed on Monday. The server continues to run even when a Mac user uninstalls Zoom. The researcher showed how the webserver can be abused by people on the same network to force Macs to reinstall the conferencing app. Zoom issued an emergency patch on Tuesday in response to blistering criticism from security researchers and end users.

https://arstechnica.com/information-technology/2019/07/silent-mac-update-nukes-dangerous-webserver-installed-by-zoom/

Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!

This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.
On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.
Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.

https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5

Anyone for unintended Chat Roulette? Zoom installs hidden Mac web server to allow auto-join video conferencing

Zoom Video Communications, whose web conferencing service is used by millions, is under fire for installing a hidden web server on Macs in order to bypass user consent when joining a meeting.
Researcher Jonathan Leitschuh, a member of the security team at Gradle Inc, investigated how the Zoom client opens automatically when you receive a meeting link.
Leitschuh discovered that when you install Zoom on a Mac, it installs a web server on port 19421. If you then click on a Zoom conferencing link, the page loads an image from the web server on localhost, where the size of the image returned represents a status code – a hack to get around CORS (Cross-Origin Resource Sharing) restrictions which apply to Ajax requests.

https://www.theregister.co.uk/2019/07/09/zooms_hidden_mac_web_server_allows_autojoin_conferencing_exploit/

Zoom video conferencing software for Mac is affected by a flaw that could allow attackers to take over webcams when users visit a website

Cybersecurity expert Jonathan Leitschuh disclosed an unpatched critical security vulnerability in the Zoom app for Apple Mac computers that, chained with another issue, could be exploited by attackers to execute arbitrary code on the targeted systems remotely.
The flaw could be used to control the webcam of a user when visiting a specially crafted website. The expert also discovered that it is possible to control the webcam even if the user has uninstalled the Zoom client app.
This is possible because the client installs a local web server on the system that is not removed when the software is uninstalled. The software will happily re-install the Zoom client without requiring any user interaction on the user’s behalf besides visiting a webpage.
Zoom is the leader in enterprise video communications; it is one of the most popular and reliable cloud platforms for video and audio conferencing, chat, and webinars.

https://securityaffairs.co/wordpress/88147/hacking/zoom-mac-software-flaw.html
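The articles above all hinge on one thing: a helper web server that keeps listening on the loopback interface after the app is gone. As an added example (not code from Zoom or from any of the articles), here is a small audit script that checks whether anything on the machine still accepts connections on the port The Register names, 19421, and what it answers to a plain HTTP GET. The stand-in server it spins up for the demo is constructed here and is not Zoom's.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ZOOM_LOCAL_PORT = 19421  # port named in The Register's write-up above


def probe_local_listener(port, host="127.0.0.1", timeout=0.5):
    """Return True if a process on this machine accepts TCP connections on port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def describe_listener(port, host="127.0.0.1", timeout=1.0):
    """Send a minimal HTTP GET and return the status line, or None if
    nothing is listening or the listener does not speak HTTP."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
            first_line = s.recv(256).split(b"\r\n", 1)[0]
    except OSError:
        return None
    if not first_line.startswith(b"HTTP/"):
        return None
    return first_line.decode("ascii", "replace")


def audit_ports(ports=(ZOOM_LOCAL_PORT,)):
    """Map each port to (is_listening, status_line) so a leftover helper
    server shows up even after the app that installed it was removed."""
    return {p: (probe_local_listener(p), describe_listener(p)) for p in ports}


class _StandInHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a local helper server; not Zoom's code."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_stand_in_server():
    """Bind a throwaway server on an ephemeral loopback port for the demo."""
    srv = HTTPServer(("127.0.0.1", 0), _StandInHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    for port, (listening, status) in audit_ports().items():
        print(f"port {port}: listening={listening} status={status!r}")
```

Run it on a Mac after uninstalling the client: a `listening=True` with an HTTP status line on 19421 means the helper server is still there.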

SciFi

A very welcome comeback!

Netflix’s ‘Another Life’ trailer shows Katee Sackhoff back in space

It’s been a while since we heard about this 10-episode sci-fi series from Netflix that features Battlestar Galactica and Longmire star Katee Sackhoff, but now there’s a new teaser trailer for Another Life. According to the synopsis, her character Niko Breckenridge is on an interstellar mission to find the origin of a massive alien artifact after it lands on Earth, while her husband stays home investigating it.

https://www.engadget.com/2019/07/09/another-life-netflix/?guccounter=1
