STE WILLIAMS

S2 Ep2: EvilGnome, leaky browser add-ons and BlueKeep – Naked Security Podcast

We’re back in the rhythm of our weekly episodes with episode 2 from the new series.

This week, host Anna Brading is joined by Paul Ducklin, Mark Stockley and Matt Boddy.

We discuss EvilGnome Linux malware [5’07”], the latest developments in the BlueKeep saga [15’53”] and whether your browser extensions are spying on you [28’08”].

I may have made an error with some of Anna’s audio, but we think it doesn’t ruin the episode enough to cull it entirely; you’ll know what I mean from around 15 minutes in. Bear with us (me) while we find our way around the shiny new studio!

With longer episodes we now have space to answer your questions, so if you want to ask us something, post it below or ask us on social media.

Listen now and share your thoughts with us.

Listen and rate via iTunes...
Sophos podcasts on Soundcloud...
RSS feed of Sophos podcasts...

If you’re wondering what our new studio looks like, you can take a sneak peek inside thanks to our friends at Food Fight Studios.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/86Zc_5Y79Qo/

Another rewrite for 737 Max software as cosmic bit-flipping tests glitch out systems – report

Further details have emerged on the 737 Max flight control software bug discovered at the end of June, with reports suggesting that belated tests by a US regulator found the hitherto unknown bug.

The Seattle Times, Boeing’s hometown newspaper for many years, explains in detail how timid Federal Aviation Authority regulators eventually woke up and began doing their jobs in full after the two Boeing 737 Max crashes earlier this year.

During tests intended to check for malfunctions of the 737 Max’s redesigned flight control software, the pilots still managed to lose control of a simulated aircraft during ground exercises. The test which caused them to lose control involved flipping bits in the memory of one of the 737 Max’s two flight control computers.

Flipping bits, the article explains, is intended to simulate a rare but not impossible situation where cosmic rays striking the memory of electronic components in flight can reset bits from 0 to 1. With 737s routinely flying up to 37,000ft, the possibility of this happening increases with altitude.

Testing focused on flipping five bits, said to control some of the most crucial parameters: positioning of flight controls and activation state of flight control systems, such as the infamous MCAS anti-stall system.

Astonishingly, until the 737 Max crashes, the aircraft was flying with no redundancy at all for the flight control computers. If the active one failed or suffered inversion of critical bits in memory, there was no standby unit ready to cut in and continue. The Seattle Times reported that this has now been redesigned so the two onboard computers run in an active:standby configuration. Previously the units merely swapped over in between flights.
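The two ideas in the paragraphs above, deliberately flipping bits in a block of critical parameters and having a second unit ready to take over, are easy to see in a small fault-injection harness. The following Python is an added example, not Boeing’s, the FAA’s or The Seattle Times’ code; the parameter layout (two control-surface angles and a flags byte), the CRC-32 integrity tag and the three-copy majority voter are assumptions made for illustration. It goes slightly beyond the article by flipping every bit in both directions, not only 0-to-1 resets.

```python
import struct
import zlib

# Constructed layout of a small block of "critical parameters": two
# control-surface positions in degrees and one byte of activation flags.
# This is an assumed layout for the example, not a real flight computer's.
PARAM_FORMAT = "<ffB"


def pack_params(stabilizer_deg, elevator_deg, flags):
    return struct.pack(PARAM_FORMAT, stabilizer_deg, elevator_deg, flags)


def unpack_params(block):
    return struct.unpack(PARAM_FORMAT, block)


def protect(block):
    """Append a CRC-32 so that corruption of any single bit (and most multi-bit
    patterns) is detected before the values are acted on."""
    return block + struct.pack("<I", zlib.crc32(block) & 0xFFFFFFFF)


def verify(protected):
    body, tag = protected[:-4], protected[-4:]
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) == tag


def flip_bit(data, bit_index):
    """Return a copy of data with one bit inverted, simulating a single-event
    upset such as the cosmic-ray strike the article describes."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def vote(copies):
    """Bitwise majority vote over three redundant copies: one upset copy is
    outvoted by the two intact ones, so the result is the original block."""
    a, b, c = copies
    return bytes((x & y) | (x & z) | (y & z) for x, y, z in zip(a, b, c))


def fault_injection_campaign(block):
    """Flip every bit of the protected block one at a time and count how many
    upsets the CRC catches and how many the voter corrects."""
    protected = protect(block)
    total = len(protected) * 8
    detected = corrected = 0
    for i in range(total):
        damaged = flip_bit(protected, i)
        if not verify(damaged):
            detected += 1
        if vote([damaged, protected, protected]) == protected:
            corrected += 1
    return total, detected, corrected


if __name__ == "__main__":
    block = pack_params(2.5, -1.0, 0x01)      # flags bit 0 = "system active"
    # Without an integrity check a flipped flag bit is silently wrong:
    print("flags after flipping bit 64:", unpack_params(flip_bit(block, 64))[2])
    total, detected, corrected = fault_injection_campaign(block)
    print(f"{detected}/{total} upsets detected, {corrected}/{total} corrected")
```

The first print shows the failure mode the regulator’s test was looking for: an unprotected activation flag flips from 1 to 0 and the software simply believes it. The campaign then shows what redundancy buys: the integrity tag turns every single-bit upset into a detectable fault, and the voter masks it entirely, which is the role a hot standby unit plays in the redesigned configuration.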

In addition, the computers will receive input from both angle-of-attack sensors rather than just the one. A faulty AoA sensor is thought to have been a contributory factor to the 737 Max crashes, which together cost more than 300 lives.

Boeing is now working on yet another set of fixes in the hope that the 737 Max (or 737-8200, as some think the troubled aircraft may be rebranded) can regain certification from American authorities by October. Whether the rest of the world will trust the US FAA is unknown, however; China led the worldwide regulatory push to ground the unsafe aircraft, and despite Boeing’s well-reported close relationship with the American regulator, the odds of all the world’s civil aviation authorities taking it at its word is now lower than it was before the crashes. The US FAA was, predictably, the last major authority to take action and ground the dangerous aircraft.

The Seattle Times reported: “According to a third person familiar with the details, Boeing expects to have this new software architecture ready for testing toward the end of September. Meanwhile, it will continue certification activities in parallel so that it can stick to its announced schedule and hope for clearance from the FAA and other regulators in October.”

As we reported previously, the flaw was thought to have been caused by a revised version of the 737 Max’s firmware, triggering some unknown condition that caused a microprocessor in the active flight control computer to lock up. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/02/737_max_cosmic_bit_flipping_test/

German privacy probe orders Google to stop listening in on voice recordings for 3 months

Germany’s data protection commissioner in Hamburg has launched an investigation into Google over revelations that contracted workers were listening to recordings made via smart speakers.

Google has been ordered to cease manual reviews of audio snippets generated by its voice AI for three months while the investigation is under way.

In a blog post last month, Google admitted it works with experts to review and transcribe a small set of queries to help better understand certain languages.

That was after a bunch of Belgian investigative journalists discovered staff were listening in on people who use its voice-activated Google Assistant product.

David Monsees, Google’s product manager of search, wrote at the time: “We just learned that one of these language reviewers has violated our data security policies by leaking confidential Dutch audio data. Our Security and Privacy Response teams have been activated on this issue, are investigating, and we will take action. We are conducting a full review of our safeguards in this space to prevent misconduct like this from happening again.”

Johannes Caspar, the Hamburg Commissioner for Data Protection and Freedom of Information, said (PDF): “The use of speech assistance systems in the EU must comply with the data protection requirements of the GDPR. In the case of the Google Assistant, there are currently considerable doubts about this. The use of speech assistance systems must be transparent so that informed consent can be obtained from users.

“In particular, this involves sufficient and transparent information for those concerned about the processing of voice commands, but also about the frequency and risks of misactivation. Finally, due account must be taken of the need to protect third parties affected by voice recordings. As a first step, further questions about the functioning of the speech analysis system need to be answered. The data protection authorities will then have to decide on the final measures that are necessary for their data protection-compliant operation.”

A Google spokesman said: “We are in touch with the Hamburg data protection authority and are assessing how we conduct audio reviews and help our users understand how data is used.

“These reviews help make voice recognition systems more inclusive of different accents and dialects across languages. We don’t associate audio clips with user accounts during the review process, and only perform reviews for around 0.2% of all clips. Shortly after we learned about the leaking of confidential Dutch audio data, we paused language reviews of the Assistant to investigate.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/02/germany_probes_google_over_privacy_of_voice_recordings/

Phisherman’s blues: Bogus Dell support rep extradited from Kenya, admits he conned US colleges out of $900,000

An email phisher found hiding in Kenya is facing up to two decades behind bars in America for scamming thousands of dollars from US universities.

Amil Hassan Raage, 48, pleaded guilty on Thursday in a southern California court to one count of conspiracy to commit wire fraud. The charge carries a maximum of 20 years imprisonment. Raage is due to be sentenced by Judge Gonzalo Curiel in the San Diego court on October 11.

Hassan admitted being on the receiving end of more than $870,000 in payments from officials at the University of California, San Diego and a second, unspecified college in the state of Pennsylvania.

“Modern criminals like Raage have ditched the ski mask and getaway vehicle and opted for a computer as their weapon of choice,” US Attorney Robert Brewer said in announcing the guilty plea.

“As this defendant has learned, we are matching wits with new-age thieves and successfully tracking them down and putting an end to their high-tech deception.”

In both cases, members of Raage’s crew back in Kenya contacted officials at the schools claiming to be Dell service reps. The schools were then told to redirect their Dell payments to an account in Minnesota that was controlled by Raage.

When the schools finally wised up to the scheme and prosecutors were called in, Raage and his crew managed to siphon $749,158.37 from UC San Diego and $123,643.77 from the school in Pennsylvania.


Back in September of 2018, shortly after his US bank accounts were frozen, Raage fled to Kenya, where he was able to hide out for nearly eight months before the local police arrested him in early May and extradited him back to the US for trial.

“As exemplified by this outstanding result, criminals who operate in cyberspace falsely believe themselves to be beyond the reach of law enforcement, but they are sorely mistaken,” said Scott Brunner, the FBI agent in charge on the case.

“Our agents will relentlessly pursue justice, aided by our foreign partners.”

The US attorney’s office did not say whether any of Raage’s Kenyan co-conspirators will be similarly brought stateside to face charges. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/02/bec_scammer_extradited_kenya/

Learn to Safeguard Critical Industrial Targets at Black Hat USA

Cybersecurity experts will share their latest insights and strategies for protecting industrial sites and equipment, from electric motors to satellites.

Some of the most grievous cybersecurity breaches happen at industrial facilities responsible for providing critical services like power, so it pays to stay on top of what’s happening in the field of industrial security. Black Hat USA offers an entire track of Smart Grid and Industrial Security Briefings that will help you do just that. As you prepare to attend the event next week in Las Vegas be sure not to overlook some of the most promising industrial cybersecurity Briefings.

Sensor and Process Fingerprinting in Industrial Control Systems will equip you with a full understanding of the most common cyber and cyber-physical attack vectors to critical infrastructure. You’ll learn practical detection and defense strategies for both cyber and physical attacks on industrial targets and enjoy full video walkthroughs of attacks and defenses in a state-of-the-art water treatment testbed.

Attacking Electric Motors for Fun and Profit is another great Briefing to check out because it promises a useful breakdown of electric motor vulnerabilities and defense strategies, based on a wide analysis of electric motors used in everything from cars to industrial robots to phones. It’s rare to see this level of cybersecurity analysis for electric motors, so expect to walk away with a better understanding of how to compromise motors using techniques like pin-control attacks disrupting PWM, DoS or injection network attacks, sensor attacks, and exploiting the lack of security controls of software libraries on electric motor controllers.

For a broader perspective on industrial system cybersecurity make time for Cybersecurity Risk Assessment for Safety-Critical Systems, a Briefing from Honeywell on the vulnerabilities of truly critical infrastructure. Much of this Briefing is focused on space, so you can expect to learn all about the weak points in the satellite systems and networks that support agriculture, transportation, and the military. Plus, you’ll learn about a new technique for assessing security risks for safety-critical systems like space systems and enjoy a discussion on what the next steps should be in advancing cybersecurity for space systems.

Black Hat USA returns to the Mandalay Bay in Las Vegas August 3-8, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/learn-to-safeguard-critical-industrial-targets-at-black-hat-usa/d/d-id/1335416?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Black Hat: A Summer Break from the Mundane and Controllable

Enjoy the respite from the security tasks that await you back at home. Then prepare yourself for the uphill battles to come. Here’s how.

Next week, security practitioners from across the globe will make their summer pilgrimage to Las Vegas for Black Hat, DEF CON, and other security gatherings. As in years past, there will be no shortage of surprises:

  • Attendees, press, vendors, and analysts will clamor for insight on a tactic or technique that will break what was once thought unbreakable.
  • A geopolitical event will cast a shadow over the week like the Edward Snowden and DIRNSA keynote did in 2014.
  • A vendor will have the most over-the-top party (my bet, Rapid7).
  • The funniest T-shirt will capture the spirit of this year’s get-together.
  • Attendees will be mesmerized by the latest hacking demo or “drop the mic” vulnerability announcement.

What’s more — and most important — attendees for one week can forget the less exciting, mundane, and more challenging tasks that await them back at home. Tasks such as patch management, identity management, and other basics that most affect the security health of an organization and about which security leaders have the most influence.

Why is focusing on the external and sensational far more compelling than the internal and controllable? The answer is what I describe as “breach fixation.” Here are four examples:

In Search of the EZ Button
The EZ button is what I call a popular trend in the corporate world in which executives attempt to solve a business problem in one fell swoop by implementing a technology solution or outsourcing the entire problem to a third-party provider. Instead of trying to make substantial progress on your own, you chuck the whole thing over to someone else and make it their problem. On the corporate side, think of business process outsourcing as where you take a huge problem (IT and billing) and expect … “voilà!” — problem solved. Perhaps this reflects a relentless pursuit of the instant gratification derived from US fast food. Perhaps …

Internal Resistance
Security might be your job, but it’s just one more additional thing for laypeople in your organization to worry about. Aside from clear mandates on the topic, compliance-driven requirements, or a recent “near-death” experience, most organizations are still balancing security needs with day-to-day pressing needs in order to win more customers and increase revenue. This is a good thing. Security is asking other people to improve the organization above and beyond what individual workers are held accountable for on a daily basis. It’s important to understand that this is the natural order and that security leaders are likely to encounter pushback on additional security controls.

Bias for Products over Processes
I get it. Product equals scalability. To make substantial progress on a security problem in a large 20,000-seat corporate environment you need technology. However, when the underlying risk decisions, business processes, and operations have not been addressed in a meaningful way, products only solve part of the problem and give security leaders a false sense of security. One example I come across in the application security world involves web application firewalls (WAFs). When the PCI DSS first mandated the implementation of WAFs to protect web applications, organizations went out and bought WAFs, implemented them, and in large numbers did not implement any semblance of blocking. WAFs without blocking are really glorified Layer 7 logging devices. Worse, they provide a false sense of security.

Fixing Processes Is Hard
Let’s face it: Reengineering existing business processes to improve security is hard. Doing so requires a deep understanding of existing security processes, an understanding that most organizations don’t have outside of the security team itself. The expanding consulting ecosystem focused on providing clients feedback on NIST security processes reflects that. The different levels of the Capability Maturity Model Integration (CMMI) Scale show just how challenging process improvement can be:

  • Level 1, Initial: Processes are unpredictable, poorly controlled and reactive.
  • Level 2, Managed: Processes are characterized for projects and are often reactive.
  • Level 3, Defined: Processes are characterized for the organization and are proactive.
  • Level 4, Quantitatively Managed: Processes are managed and controlled.

As security practitioners privately know, most organizations are fortunate to achieve Level 2 and rarely are their security processes quantitatively managed and controlled. That’s because improving security processes is an uphill battle, though well worth the effort, especially after a welcome respite at Black Hat.


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

John Dickson is an internationally recognized security leader, entrepreneur, and Principal at Denim Group Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security, and application security in the commercial, public, and military sectors. As …

Article source: https://www.darkreading.com/threat-intelligence/black-hat-a-summer-break-from-the-mundane-and-controllable/a/d-id/1335397?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Capital One: What We Should Learn This Time

Where Capital One went wrong, what the bank did right, and more key takeaways from the latest mega-breach.

When a major data breach occurs, security and business leaders running companies large and small are quick to ask the same familiar question: “How can we prevent this from happening to us?”

Their question remains the same as organizations continue to shore up their defenses and cybercriminals continue to find their way in. Top of mind now is the Capital One breach, disclosed this week, which compromised personal data belonging to 100 million Americans and 6 million Canadians.

Most affected data came from credit card applications: names, addresses, ZIP and postal codes, phone numbers, email addresses, birth dates, self-reported income. Still, 140,000 Social Security numbers and 80,000 linked bank accounts of secured credit card customers were accessed by the attacker, as were about 1 million Social Insurance numbers of Canadian users.

New details about the breach have emerged since it was first reported. We now know Paige Thompson, the suspect in FBI custody, accessed this information through a misconfiguration error in a web application firewall (WAF), which let privileged commands be executed using Capital One credentials that had sufficient privileges to access the bank’s data. Thompson is a former employee of Amazon Web Services (AWS), where Capital One stored its information.

Capital One may not have been the only company Thompson breached. The attacker, known under the alias “erratic,” maintained a Slack channel where she shared details of her personal life and online activity. In late June, she posted a comment listing several corporate databases she located by breaking into poorly secured Amazon cloud servers. So far, no other businesses have confirmed they were breached.

As the investigations continue and more updates surface, businesses can (and should) consider what Capital One got wrong, what it got right, and how they can learn from this incident:

This Should Have Been Spotted
A number of red flags could have alerted Capital One to this activity long before the company was informed of it in July, says Avivah Litan, distinguished research vice president at Gartner.

“It’s the same old story,” she explains. “All this activity is being logged but no one is paying attention to logs or alerts indicating the attack is in progress.” A misconfigured WAF is an application error, not a cloud error, Litan adds. It could have happened anywhere. But Capital One, which has marketed itself as a tech-savvy business, should have noticed. The financial giant was among the first to embrace the cloud and move its data over to AWS five years ago.

“There are few companies that have spent as much time and money as they have,” she says.

Part of the problem is there’s simply too much data. Litan advises adopting user and entity behavioral analytics to scan data for anomalies. Many companies use this to determine a baseline for normal activity and seek anomalies that go beyond it. “These systems are way too complicated for humans to decipher,” she notes. “There’s just too much going on.” Capital One uses behavioral analytics on certain systems, she says, but it wasn’t used on these logs.
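Litan’s point is that the evidence was already in the logs; what was missing was a baseline that turns a large read volume into an alert. The following Python is an added example of that baselining step, not Capital One’s, AWS’s or Gartner’s tooling. The audit lines (date, principal, objects read that day), the principal names and the 3-sigma threshold are all constructed for the illustration.

```python
import statistics
from collections import defaultdict

# Constructed storage-access audit log: one line per principal per day with the
# number of data objects that principal read. Sample values only; this is not
# any real provider's log format.
SAMPLE_LOG = """\
2019-03-11 svc-reporting 118
2019-03-11 svc-billing 41
2019-03-12 svc-reporting 125
2019-03-12 svc-billing 39
2019-03-13 svc-reporting 130
2019-03-13 svc-billing 44
2019-03-14 svc-reporting 121
2019-03-14 svc-billing 40
2019-03-15 svc-reporting 117
2019-03-15 svc-billing 42
2019-03-18 svc-reporting 128
2019-03-18 svc-billing 38
2019-03-19 svc-reporting 122
2019-03-19 svc-billing 43
2019-03-20 svc-reporting 119
2019-03-20 svc-billing 41
2019-03-21 svc-reporting 124
2019-03-21 svc-billing 40
2019-03-22 svc-reporting 9800
2019-03-22 svc-billing 42
"""


def parse_log(text):
    """Turn the constructed log text into (date, principal, count) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, principal, count = line.split()
        entries.append((date, principal, int(count)))
    return entries


def find_anomalies(entries, min_history=5, z_threshold=3.0):
    """Return (date, principal, count, z) for each day whose read volume lies
    more than z_threshold standard deviations above that principal's own
    history. Each principal is compared only with itself, which is the
    per-entity baseline the article describes."""
    history = defaultdict(list)
    anomalies = []
    for date, principal, count in sorted(entries):
        past = history[principal]
        if len(past) >= min_history:
            mean = statistics.mean(past)
            # A perfectly flat history would give sd == 0; fall back to 1 so any
            # deviation still produces a finite score.
            sd = statistics.pstdev(past) or 1.0
            z = (count - mean) / sd
            if z > z_threshold:
                anomalies.append((date, principal, count, round(z, 1)))
        past.append(count)
    return anomalies


if __name__ == "__main__":
    for date, principal, count, z in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{date} {principal}: {count} objects read (z = {z})")
```

Normal day-to-day variation for each service account scores well under the threshold; the single day on which one account reads roughly eighty times its usual volume scores in the thousands. The point is not the statistics, which are deliberately simple, but that the comparison is against the entity’s own past rather than a global rule, so a bulk read that would look ordinary for a backup job is conspicuous for an account that never does one.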

It’s also worth noting that cloud security experts have long known about the type of vulnerability exploited in the Capital One breach, says Chris Wysopal, CTO of Veracode. Server-side request forgery is when an attacker can control the requests that a server makes; these requests often have higher privileges and provide greater access to sensitive data, he explains.

“In the Capital One case, it seems a vendor-provided WAF, which was acting as a server, allowed an attacker to manipulate server-side requests and leverage its privileges to get at sensitive data,” says Wysopal, who adds that other firms may have had data accessed through the same vulnerability. He anticipates we’ll see similar attacks continue in the future.

Responsible Disclosure Cut Response Time
In a nod to Capital One, it only took two days to investigate and confirm a breach after it was alerted to the attack. Thompson was not shy about sharing details of the breach on GitHub and social media platforms. A white-hat hacker noticed her posts and informed Capital One of a potential intrusion via its Responsible Disclosure Program on July 17, 2019. Officials launched an investigation, which led to discovery of the breach on July 19 and announcement on July 29. Thompson had breached the company a few months earlier, between March 22 and 23 of this year.

“It usually takes companies far longer to identify that a breach has occurred, and white-hat hackers played a key role in reducing the window of exposure,” says Casey Ellis, CTO of Bugcrowd. When a white-hat hacker discovers a bug, he continues, it’s important for organizations to clarify a process that lets the researcher safely report a problem.

Because it had a working responsible disclosure process, Capital One was able to investigate and fix the vulnerability before more damage was done. The bank says it’s unlikely any of the compromised data was used for fraud or disseminated by Thompson.

Tips for Staying Proactive
Given Thompson’s openness on GitHub, Slack, and other platforms, it’s worth asking why Capital One didn’t notice its data shared before a security researcher did. “One of the issues with security is it’s really reactive, and not preemptive,” says Litan. If Capital One had noticed this earlier, it could have reduced the time between the breach and its discovery.

“The information universe is incredibly fast and broad,” says Jim Zuffoletti, CEO of SafeGuard Cyber. “One of the things that keeps showing up again and again is where are people doing things — GitHub, Slack, etc.” Being proactive on social media can help financial services firms, and other potential victims, find emerging threats to act on. Zuffoletti advises companies to think about social media both as a vector for threat hunting and part of their attack surface.

In terms of protecting information before someone gets to it, Elissa Shevinsky, CEO of Faster Than Light, encourages the “defense in depth” approach in which organizations place several layers between sensitive data and the surface where an attacker could break in. Businesses should also conduct penetration tests at least once a year, she adds.

Also important here is companies’ responsibility for their own configurations and working with cloud providers, adds Litan, citing the shared responsibility model. “Capital One knows its role, it knows AWS’s role, but it’s important for people to know this is a shared responsibility,” she says. One thing a company can do is put a “default deny” posture in all applications. This denies all access unless it’s explicitly granted, which prevents data access in all but legitimate cases.
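Wysopal’s description of server-side request forgery (a component that makes requests on the attacker’s behalf, with the component’s own privileges) and Litan’s “default deny” advice meet in one control: an outbound-request gate that refuses every destination the application has not explicitly been granted. The following Python is an added example of such a gate, not Capital One’s or any WAF vendor’s code. The allowlisted hostname, the stub DNS table and the address ranges treated as internal are assumptions made for the illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Default deny: the only hostnames this service is ever permitted to contact.
# "api.partner.example" is a hypothetical destination for the example.
ALLOWED_HOSTS = {"api.partner.example"}

# Address space that must never be reachable through a server-side fetch,
# whatever the hostname resolved to: loopback, link-local (where cloud
# instance metadata services live), RFC 1918 and IPv6 unique-local ranges.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]


def is_internal(ip_text):
    addr = ipaddress.ip_address(ip_text)
    if addr.is_loopback or addr.is_link_local or addr.is_unspecified:
        return True
    return any(addr in net for net in INTERNAL_NETS)


def resolve_stub(host):
    """Constructed stand-in for DNS so the example runs offline. The second
    entry models an allowlisted name that has been pointed at an internal
    address (DNS rebinding), which the gate must still refuse."""
    table = {
        "api.partner.example": ["203.0.113.10"],
        "rebound.partner.example": ["169.254.10.20"],
    }
    return table.get(host, [])


def is_outbound_allowed(url, allowed_hosts=ALLOWED_HOSTS, resolve=resolve_stub):
    """Return True only if every check passes; anything unexpected is denied.
    The allowlist is checked first, then every address the name resolves to,
    so neither an unknown host nor a known host resolving to an internal
    address gets through."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False                       # no plaintext, no file:, gopher: etc.
    host = parts.hostname
    if host is None or host not in allowed_hosts:
        return False                       # default deny on the hostname
    addresses = resolve(host)
    if not addresses:
        return False                       # unresolvable is not "unknown", it is denied
    return not any(is_internal(ip) for ip in addresses)


if __name__ == "__main__":
    for candidate in (
        "https://api.partner.example/v1/report",
        "http://api.partner.example/v1/report",
        "https://rebound.partner.example/",
        "https://169.254.10.20/",
        "https://files.internal.example/",
    ):
        print(f"{'ALLOW' if is_outbound_allowed(candidate) else 'DENY ':5} {candidate}")
```

Only the first URL is permitted. The rebinding case matters most in practice: a name can be on the allowlist and still resolve somewhere it should not, so the decision has to be made on the resolved address at request time, and a real deployment should also pin the connection to the address it validated rather than letting the HTTP client resolve the name a second time.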

“There is another important lesson here, which is that a data breach can happen to anyone,” says Shevinsky. “We don’t want to think about it, but it’s worthwhile to have an emergency response plan ready just in case.”


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/capital-one-what-we-should-learn-this-time/d/d-id/1335426?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

US Utilities Hit with Phishing Attack

An email phishing attack, thought to be from a nation-state actor, claims that engineers have failed licensing exams.

A new phishing attack is hitting US utilities with threats that their engineers could be in danger of losing their professional licenses. But in reality, the only danger comes from panicked employees clicking on the embedded Word document and infecting their computers with a remote access Trojan (RAT) and command-and-control proxy.

The RAT and proxy appear to originate with a nation-state actor rather than a financially motivated criminal organization. Researchers at Proofpoint found that the LookBack malware and many of the macros used in the campaign look very similar to tools used in a 2018 campaign against Japanese businesses. While the researchers note it’s possible techniques are being used to mislead those trying to define attribution for the attack, a nation-state actor is almost certainly the attacker. They do not, however, identify the nation responsible.

Read more here.


Article source: https://www.darkreading.com/attacks-breaches/us-utilities-hit-with-phishing-attack/d/d-id/1335431?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook is working on mind-reading

How does the prospect of Facebook learning how to read minds strike you?

Fellow social media-participating lab rats, you are likely already aware that Facebook has been crafted on the principles of Las Vegas-esque addiction, the idea being to exploit human psychology by giving us little hits of dopamine with those “Likes” in order to keep us coming back to the platform like slot machine addicts feeling favored by Lady Luck.

In 2017, ex-president of Facebook Sean Parker told us all about Facebook’s nonchalantly endeavoring to get us addicted, during that era’s spate of mea-culpa’ing.

This is all just to say that it might be reasonable to worry about Facebook playing around with our wetware. There might be reasons why somebody might not trust Facebook with direct access to their brain.

But one of Facebook’s technology research projects – the funding of artificial intelligence (AI) algorithms capable of turning brain activity into speech – may be altruistic.

It’s about creating a brain-computer interface (BCI) that allows people to type just by thinking, and Facebook has announced that it’s just achieved a first in the field: while previous decoding has been done offline, for the first time, a team at University of California San Francisco has managed to decode a small set of full, spoken words and phrases from brain activity, in real-time.

In an article published on Tuesday in Nature Communications, University of California San Francisco (UCSF) neurosurgeon Edward Chang and postdoctoral student David Moses published the results of a study demonstrating that brain activity recorded while people speak could be used to almost instantly decode what they were saying into text on a computer screen.

Chang also runs a leading brain mapping and speech neuroscience research team dedicated to developing new treatments for patients with neurological disorders. In short, he’s the logical choice for the BCI program, which Facebook announced at its F8 conference in 2017. The program’s goal is to build a non-invasive, wearable device that lets people type by simply imagining that they’re talking.

In a blog post about the project, Facebook said that the past decade has brought tremendous strides in neuroscience, in that we know much more about how the brain understands and produces speech.

At the same time, AI research is improving speech to text translation. Put those technologies together, and the hope is that one day, people could be able to communicate by thinking about what they want to say – a possibility that could dramatically improve the lives of people living with paralysis.

The study involved three volunteer epileptic patients who were already undergoing treatment at UCSF Medical Center. Prior to surgery, they’d already had recording electrodes implanted in their brains to locate the origins of their seizures.

The hope is to decode more words in a shorter amount of time: the goal is to decode 100 words per minute with a 1,000-word vocabulary and with an error rate of less than 17%.

While the electrodes were implanted in the patients’ heads, Facebook says the ultimate goal is to create a non-invasive, wearable device to help patients with speech loss.

That’s quite a way off, but Facebook Reality Labs (FRL) is working with partners, including the Mallinckrodt Institute of Radiology at Washington University School of Medicine and APL at Johns Hopkins, on how to do it.

The next step: to use infrared light.

Facebook asks us to imagine a pulse oximeter: the clip-like sensor with a glowing red light that clinicians clamp around your index finger when you visit your doctor. Those devices measure the oxygen saturation level of your blood through your finger. Likewise, near-infrared light can be used to measure blood oxygenation in the brain from outside of the body in a safe, non-invasive way. FRL says it’s similar to the signals measured today in functional magnetic resonance imaging (fMRI), but it would be portable and wearable, made from consumer-grade parts.

The infrared system is clunky: it’s “bulky, slow and unreliable,” FRL says. But if it were to be improved to even a modest extent – able to decode a handful of silent thoughts, such as “home,” “select,” and “delete” – FRL thinks it could reinvent how we interact with today’s virtual reality systems, as well as tomorrow’s augmented reality glasses.

What comes after measuring blood oxygenation to determine brain activity? Measuring the movement of blood vessels and even neurons themselves.

Thanks to the commercialization of optical technologies for smartphones and LiDAR, we think we can create small, convenient BCI devices that will let us measure neural signals closer to those we currently record with implanted electrodes – and maybe even decode silent speech one day.

Facebook, decode this: My brain is thinking “Wow.” My brain is thinking that this could be a mind-boggling boon to those suffering from stroke or other head injuries.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/E-Vvn7l33Vw/

Anime filter glitches, exposing face of one extremely smart vlogger

Full disclosure.

Before delving into the case of a Chinese vlogger whom the public was aghast to find out was older than her filters made her out to be, I should tell you that the photo on my bio for Naked Security isn’t real.*

This is how I look without filters.

Forgive the deception. It’s necessary for me to eat your species. I mean mate with. I mean, hey, look over there, is that a blimp?

As the BBC tells it, the vlogger in question calls herself “Your Highness Qiao Biluo”. The porcelain-skinned cutie-pie was quite popular before the porcelain cracked during an interview she was doing with another vlogger, the jaw-droppingly cute presumably-without-filters Qingzi, on the Chinese video-game live-streaming DouYu platform, which is similar to Twitch.

Qiao Biluo had nearly 130,000 followers on DouYu before a computer glitch removed the filter she was using to make herself look like an anime doll (and thus eminently worthy of cash donations).

You can see for yourself how Your Highness Qiao Biluo’s filters failed during the chat, since it was captured on YouTube. She’s the woman on the right.

According to the BBC, the live-streaming platform Lychee News reported that the filter failure happened on 25 July, during the joint live-stream.

According to Global News, up until the filter fail, the vlogger had covered her face with an anime sticker. The BBC has a picture of Qiao Biluo using a filter in previous videos to make herself look younger:

Prior to the accidental reveal, fans had been sending in donations, even without seeing her face, but had also been begging Qiao Biluo to remove her filter so they could see the real McCoy.

She had demurred, saying that she would only do so if her fans sent more money:

I can’t show my face until I receive gifts worth 100,000 yuan [US $14,495, £11,953]. After all, I’m a good-looking host.

Fans complied, in spades. Donations poured in, with the biggest coming in at 40,000 yuan [US $5,798, £4,780] during the session.

Then, the filter sputtered out. The interview continued, and the vlogger didn’t notice until followers began exiting a paid VIP room… in droves.

According to the BBC, many of Qiao Biluo’s original followers, particularly men, not only stopped following her; they also withdrew their transactions after hearing her confess that she was really a 58-year-old woman with one child.

She’s since suspended her platform.

“Isn’t this fraud?”

AsiaOne shows some photos of the vlogger with and without the filter, along with translations of comments from some people who seem to believe that they’re entitled to purchase a pretty face and don’t appreciate being revealed as gullible yobs who believe that what they see online is “real.”

One comment:

Isn’t this fraud?

It’s just indirectly cheating, and she did it so nonchalantly.

Is it fraud? It certainly seems to fit the definition from Merriam Webster:

A person who is not what he or she pretends to be.

Except, well, there’s this: what, exactly, was she pretending to be? An anime figure? I didn’t believe she was a living anime figure and don’t think most people would. She said she was attractive. I find her chutzpah pretty attractive, so let’s just say that no, she wasn’t a fraud. She was, rather, a very savvy businesswoman milking hormones for all they’re worth.

She’s got haters, but she’s also picked up a load of new fans, who hail her as the “world’s best granny” and praise her sweet vlogger voice.

Her follower total has risen to over 400,000. As of Tuesday, she was the most-searched streamer on DouYu, AsiaOne reports.

On the internet, no one can tell you’re a… savvy woman?

A few benedictions: For those who feel betrayed by being “fooled,” may you be comforted by considering your donation to Qiao Biluo to be a price well paid for the lesson of things not always being as they seem online. Spread that lesson far and wide in your online travels, be it eyeballing phishing emails or hot honeys who’ve mysteriously fallen in love with you. Ask questions about things that seem too good to be true, lest you wind up snookered by scammers, including in the romance department.

Being found out to be gullible can be embarrassing. There are far worse things than embarrassment, though. Romance scams put hefty price tags on that lesson, as many have discovered: one example is that of the 65-year-old woman who allegedly plotted to kill her own mother in order to get more money to send to the conman posing as her beau.

And another benediction for Your Highness Qiao Biluo: may you rise again, and may you find your sweet voice once more. You surely know by now that you are of value to many people, far beyond any fake porcelain doll’s face.

*I’m kidding. My bio pic really is me. … Well, me of 8 years ago, at any rate.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/bhVkkvsSdyg/