social.stefan-muenz.de


Items tagged with: data

Smart data structures and dumb code works a lot better than the other way around.
Eric S. Raymond (b. 1957) American software developer, writer [a.k.a. ESR]
The Cathedral and the Bazaar, ch. 2, Lesson 9 (1999)

#quotation #quote #programming #computerscience #data #code
via
The Cathedral and the Bazaar, ch. 2, Lesson 9 (1999)
 
Food delivery service #Foodora confirmed a data breach across 14 countries.

Data leaked includes personal details for 727,000 accounts - names, addresses, phone numbers and hashed passwords. It also contains latitude and longitude coordinates to six decimal points, which is accurate to within just a few inches.

Data also includes personal notes that customers included with their orders.

Good job.

#privacy #data #dataprivacy #security
 
RT @CO2_earth
418.03 ppm #CO2 in atmosphere May 1 2020 HIGHEST EVER daily avg in HUMAN HISTORY @ Mauna Loa Observatory Was 414.88 ppm 1 year ago #DATA: https://www.esrl.noaa.gov/gmd/ccgg/trends/monthly.html RECORDS: https://www.co2.earth/co2-records Emissions R too high despite #COVID19 emissions reductions
 

Coronavirus triggers soul-searching on privacy in Germany





In the birthplace of European data protection standards, experts warn that decades-old standards could suffer lasting damage as the country tackles the pandemic.

#certificationandstandards #coronavirus #data #dataprotection #privacy #rights #societyandculture #surveillance #technology #cybersecurityanddataprotection
 
Which digital tools now? Let's collect, maybe give recommendations. Help to make #OpenSource, #Floss, #Data Security, #Data Economy, #Privacy & #Digitization & #Sustainability available to many people now! https://discourse.bits-und-baeume.org/t/software-loesungen-in-corona-zeiten/371 #bitsundbäumen also in english
 
FYI: When Virgin Media said it leaked 'limited contact info', it meant p0rno filter requests, IP addresses, IMEIs as well as names, addresses and more • The Register

That's a lot of content
#security #data
 
On the need for a #Data #Breach #Notification in cases of #Datenträgerverschlüsselung (storage media encryption)
Call Me Maybe?!

by Dipl.-Jur. Stefan Hessel and Dipl.-Jur. Karin Potel
DuD 2020, pp. 94ff.

Full text online:
https://link.springer.com/epdf/10.1007/s11623-020-1230-3?author_access_token=Tip7Q1wOcTGRp2-FK5jK-Pe4RwlQNchNByi7wbcMAY7ItXrG5clPQs2IXAs43ToOyx_vNprl0MHZqHhhrl_a8Lezca9JPFXkkpB91w5DW0t5ZnsUYhp3MGQRHKJME15kqZAnCVcY09fXG7nAIvFVGg%3D%3D
 

Who's "paranoid" now!? ;-)


#DNA #testing #personal #data #privacy #risk #surveillance
 

Please don't get me wrong, I think #ContractForTheWeb is a great project. But I doubt that this is the right way to do this. Even though #Google and #Facebook back the Contract, I do not want to provide them with my #data as they are (in my eyes) clearly violating the contract already.
 
#podmin #help #hilfe #corrupt #data

Hi Folks,

has any other podmin seen an error like this in the logs:
DiasporaFederation::Discovery::DiscoveryError:
Failed to fetch http://10.0.0.40/.well-known/host-meta for
vitler@10.0.0.40: Faraday::TimeoutError: request timed out

I have a lot of them blocking my sidekiq workers because of waiting for timeout.
First of all I made an iptables rule to block them and get the worker running again.

How can a private IP address (I do not use them in my networks) end up being used for federation???

[ Reshares are welcome ]
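The error quoted above is a worker stuck waiting on a fetch to a non-routable address. The usual defensive fix, independent of where that address came from, is to screen discovery URLs before they are queued and to treat the rejected ones as a detectable event rather than a timeout. The following is an added example and is not code from diaspora* or the diaspora_federation gem; the function names, the blocked range list and the sample log line are constructed for this illustration.

```ruby
require "ipaddr"
require "resolv"
require "uri"

# Added example (not diaspora*'s or diaspora_federation's own code): screen a
# discovery URL before a background worker fetches it, so a host-meta lookup
# pointing at a private address such as 10.0.0.40 is dropped immediately
# instead of tying up a sidekiq worker until Faraday times out.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# True when the string is an IPv4/IPv6 literal rather than a hostname.
def ip_literal?(host)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError
  false
end

# True when the address falls in a loopback, private, link-local or other
# non-routable range that a federation peer should never live in.
def blocked_address?(ip_string)
  addr = IPAddr.new(ip_string)
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

# Decide whether a discovery URL may be fetched. Hostnames are resolved through
# the injectable resolver (defaults to the system resolver) and every returned
# address must be routable; a name with no addresses is rejected as well.
def safe_discovery_target?(url, resolver: ->(host) { Resolv.getaddresses(host) })
  uri = URI.parse(url)
  return false unless %w[http https].include?(uri.scheme)
  host = uri.hostname
  return false if host.nil? || host.empty?
  addresses = ip_literal?(host) ? [host] : resolver.call(host)
  return false if addresses.empty?
  addresses.none? { |ip| blocked_address?(ip) }
rescue URI::InvalidURIError
  false
end

# Scan one log line of the kind quoted in the post and return the blocked host
# it names, or nil when the fetched URL targets a routable address.
def blocked_discovery_host(log_line)
  url = log_line[%r{https?://[^\s\]]+}]
  return nil if url.nil?
  host = URI.parse(url).hostname
  blocked_address?(host) ? host : nil
rescue URI::InvalidURIError
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample line modelled on the error quoted in the post.
  line = "DiasporaFederation::Discovery::DiscoveryError: Failed to fetch " \
         "http://10.0.0.40/.well-known/host-meta for vitler@10.0.0.40: " \
         "Faraday::TimeoutError: request timed out"
  puts "blocked host: #{blocked_discovery_host(line).inspect}"
  puts "safe to fetch: #{safe_discovery_target?('http://10.0.0.40/.well-known/host-meta')}"
end
```

The resolver is injected so the check can be unit-tested offline and so a hostname that resolves to a mix of public and private addresses is still rejected; an iptables rule stops the traffic, but a check at enqueue time also stops the worker from ever blocking.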
 
Joint paper of the Spanish data protection authority, Agencia española de protección de datos (AEPD), and the European Data Protection Supervisor (EDPS):
"Introduction to the #hash #function as a #personal #data #pseudonymisation #technique"


https://edps.europa.eu/sites/edp/files/publication/19-10-30_aepd-edps_paper_hash_final_en.pdf

via Christopher Schmidt
 

Avoid Intel and AMD Universal Backdoors


Only use computers certified to Respect Your Freedom (RYF)

The #Intel #Management #Engine is present on all Intel #desktop, #mobile ( #laptop ), and #server #systems since mid 2006. It consists of an #ARC #processor core (replaced with other processor cores in later generations of the ME), #code and #data #caches, a #timer, and a secure #internal #bus to which additional #devices are connected, including a #cryptography engine, internal #ROM and #RAM, #memory #controllers, and a direct memory access ( #DMA ) engine to access the host operating system’s memory as well as to reserve a region of protected external memory to supplement the ME’s limited internal RAM. The ME also has #network access with its own #MAC #address through an Intel #Gigabit #Ethernet #Controller. Its #boot program, stored on the internal ROM, loads a #firmware “manifest” from the PC’s SPI #flash #chip. This manifest is signed with a strong #cryptographic #key, which differs between versions of the ME firmware. If the manifest isn’t signed by a specific Intel key, the boot ROM won’t load and execute the firmware and the ME processor core will be halted.

The Active Management Technology ( #AMT ) application, part of the Intel “vPro” brand, is a #Web server and application code that enables #remote #users to #power on, power off, view information about, and otherwise manage the #PC. It can be used remotely even while the PC is powered off ( via #Wake-on-Lan ). Traffic is encrypted using #SSL / #TLS libraries, but recall that all of the major SSL/TLS implementations have had highly publicized vulnerabilities. The AMT application itself has known #vulnerabilities, which have been #exploited to develop #rootkits and #keyloggers and #covertly gain #encrypted #access to the management features of a PC. Remember that the ME has full access to the PC’s RAM. This means that an #attacker exploiting any of these vulnerabilities may gain access to everything on the PC as it runs: all open #files, all running #applications, all #keys pressed, and more.

ME firmware versions 4.0 and later (Intel 4 Series and later chipsets) include an ME application for audio and video DRM called “Protected Audio Video Path” (PAVP). The ME receives from the #host operating system an encrypted #media #stream and encrypted key, decrypts the key, and sends the encrypted media and decrypted key to the #GPU, which then #decrypts the media. PAVP is also used by another ME application to draw an #authentication PIN pad directly onto the screen. In this usage, the PAVP application directly controls the graphics that appear on the PC’s screen in a way that the host #OS cannot detect. ME firmware version 7.0 on PCHs with 2nd Generation Intel Core #i3 / #i5 / #i7 (Sandy Bridge) CPUs replaces PAVP with a similar DRM application called “Intel Insider”. Like the AMT application, these DRM applications, which in themselves are defective by design, demonstrate the #omnipotent #capabilities of the ME: this #hardware and its proprietary firmware can access and #control everything that is in RAM and even everything that is shown on the #screen.

The Intel Management Engine with its #proprietary firmware has complete access to and control over the PC: it can power on or shut down the PC, read all open files, examine all running applications, track all keys pressed and #mouse movements, and even #capture or #display #images on the screen. And it has a network interface that is demonstrably #insecure, which can allow an attacker on the network to #inject #rootkits that completely compromise the PC and can report to the attacker all activities performed on the PC. It is a #threat to #freedom, #security, and #privacy that can’t be ignored.

Before version 6.0 (that is, on systems from 2008/2009 and earlier), the ME can be disabled by setting a couple of values in the SPI flash memory. The ME firmware can then be #removed entirely from the flash memory space. Libreboot does this on the Intel 4 Series systems that it supports, such as the Libreboot X200 and Libreboot T400. ME firmware versions 6.0 and later, which are found on all systems with an Intel #Core i3/i5/i7 CPU and a PCH, include “ME Ignition” firmware that performs some hardware #initialization and power management. If the ME’s boot ROM does not find in the SPI flash memory an ME firmware manifest with a valid Intel signature, the whole PC will shut down after 30 minutes.

Due to the signature verification, developing free #replacement firmware for the ME is basically impossible. The only entity capable of replacing the ME firmware is Intel. As previously stated, the ME firmware includes proprietary code licensed from third parties, so Intel couldn’t release the source code even if they wanted to. And even if they developed completely new ME firmware without third-party proprietary code and released its source code, the ME’s boot ROM would reject any modified firmware that isn’t signed by Intel. Thus, the ME firmware is both hopelessly proprietary and #tivoized.

For years, #coreboot has been #struggling against Intel. Intel has been shown to be extremely uncooperative in general. Many coreboot #developers, and #companies, have tried to get Intel to #cooperate; namely, releasing source code for the firmware components. Even #Google, which sells millions of #Chromebooks (coreboot preinstalled), has been #unable to #persuade them.

Even when Intel does cooperate, they still don’t provide source code. They might provide limited #information (datasheets) under #strict #corporate #NDA ( #non-disclosure #agreement ), but even that is not guaranteed. Even ODMs and IBVs can’t get source code from Intel, in most cases (they will just integrate the blobs that Intel provides).

In summary, the Intel #Management #Engine and its applications are a #backdoor with #total access to and control over the rest of the PC. The ME is a threat to freedom, security, and privacy, and the Libreboot project strongly recommends avoiding it entirely. Since recent versions of it can’t be removed, this means avoiding all #recent #generations of Intel hardware.

Recent Intel graphics chipsets also require firmware blobs


Intel is only going to get #worse when it comes to user freedom. Libreboot has no support for recent Intel platforms, precisely because of the problems described above. The only way to solve this is to get Intel to #change their #policies and to be more #friendly to the free software #community. Reverse engineering won’t solve anything long-term, unfortunately, but we need to keep doing it anyway. Moving forward, Intel hardware is a non-option unless a #radical change happens within Intel.

Basically, all Intel hardware from year 2010 and beyond will never be supported by Libreboot. The Libreboot project is actively #ignoring all modern Intel hardware at this point, and focusing on #alternative platforms.

Why is the latest AMD hardware unsupported in Libreboot?


It is extremely unlikely that any post-2013 #AMD hardware will ever be supported in Libreboot, due to severe security and freedom #issues; so #severe, that the Libreboot project recommends avoiding all modern AMD hardware. If you have an AMD based system affected by the #problems described below, then you should get rid of it as soon as possible.

AMD Platform Security Processor (PSP)


This is basically AMD’s own version of the Intel Management Engine. It has all of the same basic security and freedom issues, although the #implementation is wildly different.

The Platform Security Processor (PSP) is built in on all Family 16h+ systems (basically anything post-2013), and controls the main #x86 core #startup. PSP firmware is cryptographically signed with a strong key similar to the Intel ME. If the PSP firmware is not present, or if the AMD signing key is not present, the #x86 cores will not be #released from #reset, rendering the system #inoperable.

The PSP is an ARM core with TrustZone #technology, built onto the main CPU die. As such, it has the ability to #hide its own program code, scratch RAM, and any data it may have taken and stored from the lesser-privileged x86 system RAM (kernel encryption keys, #login data, #browsing #history, #keystrokes, who knows!). To make matters worse, the PSP theoretically has access to the entire system memory space (AMD either will not or cannot deny this, and it would seem to be required to allow the DRM “features” to work as intended), which means that it has at minimum MMIO-based access to the #network controllers and any other PCI/PCIe peripherals installed on the #system.

In theory any #malicious entity with access to the AMD signing key would be able to install persistent #malware that could not be eradicated without an external flasher and a known good PSP image. Furthermore, multiple security vulnerabilities have been demonstrated in AMD #firmware in the #past, and there is every #reason to assume one or more zero day vulnerabilities are lurking in the PSP firmware. Given the extreme privilege level (ring -2 or ring -3) of the PSP, said vulnerabilities would have the ability to #remotely #monitor and control any PSP enabled machine completely outside of the user’s #knowledge.

A reliable way to avoid Intel and AMD’s universal backdoors is to use computers with such spyware effectively removed or disabled like the ones certified to Respect Your Freedom (RYF).

#NSA #spyware #spy #mass #surveillance #FSF #GNU #GNULinux #RYF #technology #laptops #CPU #processor #universal #backdoor #malware #Corei3 #Corei5 #Corei7
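The mechanism the reshared text keeps returning to, for both the ME boot ROM and the PSP, is a single vendor key burned into read-only code: a manifest that verifies under it runs, and anything else halts the core, which is why a community-signed replacement can never boot. The toy model below is an added example, not code from Intel, AMD or Libreboot; it uses a freshly generated RSA key pair as a stand-in for the vendor key, and the manifest string and the `boot_rom_decision` name are constructed for the illustration.

```ruby
require "openssl"

# Added toy model of a vendor-locked boot ROM (constructed; not Intel's, AMD's
# or Libreboot's code). The ROM trusts exactly one public key fixed at
# manufacture; anything not signed by the matching private key is refused.
DIGEST_NAME = "SHA256"

# Stand-in for the vendor's signing key pair. Only the public half would ever
# be present in a real boot ROM; the private half stays with the vendor.
VENDOR_KEY = OpenSSL::PKey::RSA.new(2048)

# Produce the signature a vendor would attach to a firmware manifest.
def sign_manifest(manifest, private_key)
  private_key.sign(OpenSSL::Digest.new(DIGEST_NAME), manifest)
end

# The gate described in the post: :run when the manifest verifies under the
# burned-in key, :halt for any other key, any other manifest, or any altered byte.
def boot_rom_decision(manifest, signature, trusted_public_key)
  ok = trusted_public_key.verify(OpenSSL::Digest.new(DIGEST_NAME), signature, manifest)
  ok ? :run : :halt
rescue OpenSSL::PKey::PKeyError
  :halt
end

# Walk the three cases a firmware developer runs into and return the verdicts.
def demo
  manifest = "constructed ME firmware manifest, version 6.0"
  vendor_sig = sign_manifest(manifest, VENDOR_KEY)
  community_key = OpenSSL::PKey::RSA.new(2048) # a would-be free replacement's key
  rom_key = VENDOR_KEY.public_key              # what the ROM actually holds
  {
    vendor_signed:    boot_rom_decision(manifest, vendor_sig, rom_key),
    tampered_image:   boot_rom_decision(manifest + " patched", vendor_sig, rom_key),
    community_signed: boot_rom_decision(manifest, sign_manifest(manifest, community_key), rom_key)
  }
end

puts demo if __FILE__ == $PROGRAM_NAME
```

The same three outcomes are what make the ROM check a security control (a tampered image never runs) and a freedom problem at once (a correctly built image signed by anyone but the vendor never runs either); only possession of the private half of `VENDOR_KEY` changes the third verdict.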
 
Goodbye #Microsoft #Apple and hello #Linux
A few weeks ago I reported my conversion to #Manjaro and NO I have no regrets.
I had spent some time ridding myself of dependence on the likes of #Microsoft and #Google and now more good news.
I own an #ipod nano 8gb that had stopped working using #itunes and #windows. I dug it out of a drawer and hooked it up to my nice fresh #Manjaro. Imagine my surprise, I now have a fully functioning extended battery life mp3 player. However, there is more. It now has a capacity of 12.2gb, really a 50% increase in capacity.
So not only do these huge tech companies want the world, our #data and our money, they are with all their bloatedness not unlike their #president #Trump, completely ungreen!!!!!!!
I not unlike many have had enough and would urge people to stop with the "How can I live without #Google #Apple #Microsoft #Amazon #Facebook #AnyTechGiant #HugeCorpiration" and take direct action. JUST CHANGE YOUR HABITS and give something else a go.
Be Good
Have Fun
Be Free
Big Up
bing
 

DataSpii: The catastrophic data leak via browser extensions


by Sam Jadali // SecurityWithSam.com
Imagine if someone could publicly access, in near real-time — within an hour — your sensitive personal data on the websites you are browsing. Imagine, further, this person could access your sensitive business data in much the same way. Moreover, what if you and/or your colleagues were, yourselves, unwittingly leaking such data?
#DataSpii #browserextensions #data #security #leak #wtf #youshouldknow
DataSpii Report
 

The Telegraph: Why you should think twice before using viral AI photo editor FaceApp


Natasha Bernal 17 July 2019

Have you ever wondered what you will look like in 40 years' time? Thanks to an incredibly popular Russian artificial intelligence app, you can now share a photo of your face to find out.



Thousands of people are flocking to use FaceApp, a smartphone app that can make them look older as part of an "age challenge" on social media, boosting it to the top of the Apple Store this week.

But FaceApp isn't new. The technology, created by Russian company Wireless Lab, first launched in 2017 and sparked outrage for offering people the chance to alter their images and look like they are a different race.

Now it has hit the headlines again because of how realistic the technology has become. It uses neural networks - artificial intelligence modelled after the human brain that can learn from patterns - to map people's faces and generate incredibly realistic images of what they will look like in the distant future.

But just because the app makes people look older, it clearly doesn't make them wiser. The sudden surge of popularity of the app raises concerns about people's privacy - and what this AI could do with an immense archive of people's faces.

One click, and you've handed the app the right to use your face

FaceApp allows you to upload an image of yourself or someone else with the click of a button, and automatically edits it to make a face look much older.

Similar to some of Snapchat's most popular image filters, this app can also alter your pictures to look like you are wearing sunglasses, have a different hair colour, or are a different gender.

But when you use the app it is not just mapping your face; it is also sending it to the cloud, where it can be stored for an indefinite period of time.

Unlike other apps, the scanning of your photo does not happen on the smartphone but on the cloud, and the company can save a copy of a photo uploaded through the app even if you delete it from your phone.

In fact, one glance at the terms and conditions of FaceApp shows that you are giving the app a "perpetual, irrevocable, non-exclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license" to use and reproduce your image in all media formats "without compensation to you".

This means that you've sold your face for free and granted FaceApp access to your photo.

"If someone wants to collect personal information for nefarious purposes, one of the easiest ways to do it is to entice people to input the data for what appears to be some 'fun' purpose," says Alan Woodward, privacy expert at the University of Surrey.

"In this case you have no idea where it is being sent or who has access or what it may be used for, now or in the future.

"If you’re not a paying customer, then you will become the product. There's no such thing as a free lunch."

The app could be in 'serious breach' of data protection rules

Experts have already raised serious concerns over whether this app might be in breach of consumers' privacy.

Jonathan Kewley, partner and co-head of technology at law firm Clifford Chance, says that this app could be in serious breach of the European Union's data protection regulation, the GDPR, because it is not clear about how it is using people's data and how long it plans to keep it.

"It's a service directed to European data subjects. Even though it is marketed by a Russian company, it's clearly within the remit of GDPR. They need to have express consent," he argues.

"People think it's fun. But Cambridge Analytica was displayed as a game, and that didn't turn out to be fun."

What you need to know about the privacy row engulfing Facebook and Cambridge Analytica

Very little is known about Wireless Lab, the company that produced FaceApp, as it does not seem to have its own website or information about financial backers aside from its founder, Yaroslav Goncharov, a former technical lead at Microsoft and head of mobile platform at Russian search engine Yandex.

His app's terms and conditions may be available online on the FaceApp website, but those looking to download it straight from the Apple Store are not prompted to accept its terms and conditions before using it, which means that many people could have not provided informed consent.

The Information Commissioner's Office has not yet said whether it will step in to investigate this app, but stated that companies "must provide individuals with information including: purposes for processing their personal data, retention periods for that personal data, and who it will be shared with".

Your face could be gone forever

"It is not clear how FaceApp stores, uses, or manipulates people's data, including the detailed biometric maps of their faces, and this could change over time as profit incentives and technologies change," Jade Chong-Smith, legal officer at Privacy International explains. "Even if you delete FaceApp, there is nothing in the terms that governs what the company will do with all the data they have collected about you.

"While people may think that providing their photos and data is a small price to pay for the entertainment FaceApp offers, the app raises concerns about privacy, manipulation, and data exploitation—although these concerns are not necessarily unique to FaceApp."

Privacy International has warned that mass collection of faces is a "highly-prized commodity" for governments and tech companies, used to train algorithms and for facial recognition-enabled mass surveillance.

FaceApp did not respond to requests to comment.
#FaceApp #security #privacy #WirelessLab #Russia #photo #editor #programm #leak #personal #data #news
 
#Android #phone #data #permission #tracking #location #privacy #SDK #China #Baidu

Thousands of Android apps can track your phone — even if you deny permissions - The Verge

When you explicitly tell an Android app, “No, you don’t have permission to track my phone,” you probably expect that it won’t have abilities that let it do that. But researchers say that thousands of apps have found ways to cheat Android’s permissions system, phoning home your device’s unique identifier and enough data to potentially reveal your location as well.

Even if you say “no” to one app when it asks for permission to see those personally identifying bits of data, it might not be enough: a second app with permissions you have approved can share those bits with the other one or leave them in shared storage where another app — potentially even a malicious one — can read it. The two apps might not seem related, but researchers say that because they’re built using the same software development kits (SDK), they can access that data, and there’s evidence that the SDK owners are receiving it. It’s like a kid asking for dessert who gets told “no” by one parent, so they ask the other parent.

According to a study presented at PrivacyCon 2019, we’re talking about apps from the likes of Samsung and Disney that have been downloaded hundreds of millions of times. They use SDKs built by Chinese search giant Baidu and an analytics firm called Salmonads that could pass your data from one app to another (and to their servers) by storing it locally on your phone first. Researchers saw that some apps using the Baidu SDK may be attempting to quietly obtain this data for their own use.
 
#security #personal #data

Want someone's personal data? Give them a free donut

While you might expect Homer Simpson to hand over personal details in exchange for a donut, you wouldn't expect cybersecurity professionals to do the same.

However, technology services provider Probrand has carried out a study at a cyber expo attended by UK security professionals, where attendees voluntarily shared sensitive data including their name, date of birth and favourite football team -- all to get their hands on a free donut.

This follows recent news that millions of accounts are still using '123456' as a password, with people's names, favourite football teams and favourite bands also commonly employed.

"We wanted to put this theory to the test and see just how willing people were to give up their data," says Mark Lomas, technical architect at Probrand. "We started by asking conversational questions such as 'How are you finding the day? Got any plans for after the event?' If someone happened to mention they were collecting their kids from school, we then asked what their names and ages were. One individual even showed a photograph of their children."

As part of the task, Probrand also asked more direct questions such as, 'Which football team do you support?', 'What type of music are you into?' and 'What is your favourite band?' Whether asking questions transparently as part of a survey, or trying to adopt more hacker-type methods, they were alarmed to find how easy it was to obtain personal data -- which many people may be using as the basis of their passwords.
 


This data visualization depicts the last 25 years of Antarctic land ice elevation change. Areas in red indicate land ice loss. Areas in blue are regions that saw land ice elevation gains.
#ClimateChange #Antarctica #LandIce #NASA #Data
 

Ask HN: How do I improve our data infrastructure?


I was just hired as the first permanent data scientist in a big corporation. They’ve previously relied on consultants to build the infrastructure and the data science pipelines. We’re still around 10 people in the team.

The code is not pretty to look at, but this is not our biggest problem. We inherited a weird infrastructure: a mix of files in HDF5 and Parquet format dumped in S3, read with Hive and Spark.

Here are the current issues:
  • The volume does not require a solution that is this complex (we’re talking 100Gb max accumulated over the past 4 years)
  • It’s a mess: every time we onboard a new person we have to spend several days explaining where the data is.
  • There is no simple way to explore the data.
  • Data and code end up being duplicated: people working on several projects that require the same subset write their own transformation pipeline to get the same results.
Am I the only person here who finds it completely insane?

I was thinking about building a pipeline to dump the raw data in a Postgres and then build other pipelines to denormalize and aggregate the data for each project. The difficulty with this, and any data science project is to find the sweet spot between data that is fine-grained enough to allow to compute features, but fast enough to query to train models. I was thinking that in a first iteration, data scientists would explore their denormalized, aggregated data and create their own feature with code. As the project matures we could tweak the pipeline to compute the features. Do you have any experience with this?

Finally, I love data science and I really don’t want to end up being the person who writes pipelines for everyone. Everyone else is a consultant, and they don’t have any incentive to care about the long-term impact of architecture choices: their management only evaluates delivery (graphs, model metrics, etc.). How do I go about raising awareness?

HN Discussion: https://news.ycombinator.com/item?id=19705461
Posted by remilouf (karma: 64)
Post stats: Points: 120 - Comments: 65 - 2019-04-20T08:45:18Z

#HackerNews #ask #data #how #improve #infrastructure #our
 


Google exec finally admits to Congress that they're tracking us even with 'Location' turned off …and the phone "not in use"

#Google finally admits to tracking users, even when they turn off geolocation.

extracts / excerpts
Sen. Josh Hawley (R-Mo.) questioned Google Senior #Privacy Counsel Will DeVries about the company's tracking policies during a hearing examining online consumer privacy. Some of DeVries' answers will likely disturb consumers who thought there was a way to avoid being tracked by Google through their #phones.

An Associated Press report in August 2018 found that "many Google services on #Android devices and #iPhones store your location #data even if you’ve used a privacy setting that says it will prevent Google from doing so."

Hawley pointed out on Tuesday that a user's location is sent to Google hundreds of times a day, even when the phone is not in use. In fact, Hawley said, a user's location is tracked "every four minutes, or 14 times an hour, roughly 340 times during a 24-hour period," even when the phone is not in use.

"But Google collects #geolocation data even if Location History is turned off, correct?" Hawley pressed.

"Yes, senator, it can in order to operate other services—"

"So the consumer cannot meaningfully opt out," Hawley shot back, reiterating the fact that the phone is still communicating and sending information to Google even when the phone is not in use and Location Services are turned off. "And you're #monetizing it and using it to direct #ads at him, correct?"

"It's not complicated," Hawley insisted. "What's complicated is that you don't allow consumers to stop your tracking of them. You tell them that you do. You would anticipate that they do — that the consumer would have a reasonable expectation based on what you've told them, that they're not being tracked — but in fact, you're still tracking them. You're still gathering the #information and you're still using it."
#geolocalisation #gafam #bastards #nopub #noandroid #FuckOffGoogle #liars #surveillance #surveillancedemasse
 
#data & #Targeting
#Explicit #consent required:
#IAB tightens requirements for #Consent #Management
by Lisa Gradow
 

The digital society needs a new infrastructure


NRC

Interview | Dirk Helbing - Companies and intelligence services violate our digital privacy and use the data to manipulate us. High time for a public counterweight, argues computational sociologist Helbing. (...)

Helbing himself is not averse to a bit of dystopian thinking: for years he has warned of a 'dictatorship of data'. He has written books about it and many opinion pieces in scientific journals such as Nature and in European newspapers. "But now we also need to have a serious conversation about the solutions," he says via Skype from Switzerland. "They are actually quite simple."

We need to gain more control over our data, he believes. (...)

Companies and intelligence services build meticulous digital profiles which, according to Helbing, are effectively simulations of ourselves. "These digital doppelgängers are used to tailor political messages and advertisements to our preferences and weaknesses. Supercomputers are fed with data about as many people as possible. (...)

Police services use extensive models to predict criminal behaviour: predictive policing. Hospitals use large quantities of patient data to anticipate heart attacks and psychoses more accurately. Companies like Facebook have made a speciality of predicting for advertisers what users will click on most eagerly. To put it mildly, that is not always in our own interest. (...)

"We need to build a layer on top of the internet that gives us back control over who has access to our data. A platform for deciding which data is available to which companies and governments." (...)

He sees great promise in Solid, an initiative by web inventor and MIT professor Tim Berners-Lee to reclaim his invention from tech monopolists such as Facebook and Google. (...)

Sounds good, but besides all kinds of technical challenges there are also social and economic hurdles to overcome before we can all use data vaults. This does not look like something the market will solve quickly.

Helbing: "Government must create the conditions for this kind of solution." (...)

"The business model of social media is polarising. The more extreme a message, the more likes or retweets. That does not contribute to the quality of public debate. Whereas you could, and should, make use of the collective intelligence of citizens." (...)

Think of it as public infrastructure, like roads and schools: "Every society needs public institutions in order to function. In the digital domain these are still completely absent." (...)

So the digital society also needs a new public infrastructure, Helbing says. "In my view there is not really an alternative: otherwise we lose our autonomy, our democracy, our self-determination, and we can forget about human rights."

Apparently dystopian predictions are sometimes needed after all to be able to talk about the solutions.

Full article

Dirk Helbing (ed.): Towards Digital Enlightenment. Essays on the Dark and Light Sides of the Digital Revolution. Springer, 222 pp., €22.99.


Tags: #nederlands #internet #privacy #data #data mining #persoonlijke gegevens #profiel #profilering #facebook #google #alphabet #solid #datakluis #overheid #publieke infrastructuur #sociale media #polarisering #click bait
 
