Amazon Is Marketing Face Recognition to Police Departments Partnered With Ring: Report

https://gizmodo.com/amazon-is-marketing-face-recognition-to-police-departme-1839073749

Amazon is marketing its facial recognition software to Florida police departments that are currently partnered with its home surveillance company, Ring—arrangements that allow police to request access to video footage captured by homeowners.

Emails uncovered by an ABC News investigative team in Tampa Bay (WFTS) reportedly show that Amazon has been pushing police departments to adopt its controversial face recognition software, Rekognition, while also helping them acquire access to footage taken by Ring’s doorbell cameras via its Neighbors app.

Ring has repeatedly told reporters that neither its devices nor the law enforcement portal through which police request access to Ring footage use facial recognition. (“Ring does not use facial recognition technology,” a spokesperson told Gizmodo last month.) But Ring’s denials do not appear to rule out the possibility that police may, at some point, obtain doorbell footage and analyze the faces in it using a separate Amazon product.

WFTS said it attempted multiple times to contact Ring, which was acquired by Amazon in 2018, in the week leading up to its report. The company did not respond.

Documents obtained by the American Civil Liberties Union (ACLU) last year showed that Amazon had been handing out its Rekognition tool to police free of charge. The group says the technology, which researchers and critics call unreliable and racially biased, poses a “grave threat” to communities.

“People should be free to walk down the street without being watched by the government. Facial recognition in American communities threatens this freedom. In over policed communities of color, it could effectively eliminate it,” the ACLU and other groups wrote in a letter to Amazon.

In August, BuzzFeed News reported that, despite Ring’s insistence that it does not use face recognition technology, the company’s Ukraine arm appeared to be developing a face recognition tool. A 2018 presentation unearthed by reporters even shows that, at least at the time, Ring Ukraine had a “head of face recognition research” on staff.

Police departments partnered with Ring are given the ability to request footage directly from Ring customers, but cannot, the company says, obtain it otherwise without a warrant. It remains unclear whether Ring notifies customers of warrants, even in cases where the customer is not suspected of a crime. (Gizmodo has posed this question to Ring on multiple occasions and received no response.)

Gizmodo reported in July that Ring’s contracts with law enforcement agencies forbid police from making public statements about the company and its products without Ring’s permission. Further Gizmodo reporting found that Ring was seeking access to real-time 911 caller data to use as content for its Neighbors app.

In some cases, Ring has barred police departments from using the term “surveillance” to describe its products, stating explicitly in one email that doing so “can flag user privacy concerns.”

Ring’s police partnerships have drawn widespread concern from civil rights organizations that say the technology poses a threat to privacy and civil liberties. A coalition of over 30 groups, including Fight for the Future, Media Justice, and Color of Change, signed an open letter last week calling on local, state, and federal officials to investigate Ring’s business practices.

“A key component of the partnership turns police departments into marketing agencies and police officers into salespeople for Amazon. Amazon provides officers with talking points to promote their technology and products to residents, and requests departments market the products at city events,” the letter states.

It continues: “In the absence of clear civil liberties and rights-protective policies to govern the technologies and the use of their data, once collected, stored footage can be used by law enforcement to conduct facial recognition searches, target protesters exercising their First Amendment rights, teenagers for minor drug possession, or shared with other agencies like ICE or the FBI.”

In a letter to Amazon CEO Jeff Bezos last month, Senator Ed Markey, who sits on the Committee on Commerce, Science, and Transportation, wrote that Ring’s partnerships “raise additional civil liberties concerns” and could enable police to “create a surveillance network that places dangerous burdens on people of color and feeds racial anxieties in local communities.”

“I am particularly alarmed to learn,” he wrote, “that Ring is pursuing facial recognition technology with the potential to flag certain individuals as suspicious based on their biometric information.”

[WFTS Tampa Bay]

via Gizmodo https://gizmodo.com

October 15, 2019 at 04:54PM

Microsoft starts inviting people to try Project xCloud

https://www.engadget.com/2019/10/14/microsoft-project-xcloud-public-preview-invites/

Microsoft is starting to invite players to test out its Project xCloud game streaming service. It said last month it would open up a public preview of the platform in October, allowing players to stream games to their Android devices. Now, it’s starting to send out invitations to those eager to try it, with Halo 5: Guardians, Gears 5, Killer Instinct and Sea of Thieves available to play.

When Microsoft announced the public preview, it said players in the US, UK and South Korea would be able to try it out. It’s gradually opening up access to people who signed up for the trial, Xbox chief Phil Spencer said, so don’t be too alarmed if you don’t receive an invitation right away. It’s worth noting the preview doesn’t allow you to stream games from your own Xbox to Android — the trial is currently for cloud-based gaming.

Source: Phil Spencer (Twitter)

via Engadget http://www.engadget.com

October 14, 2019 at 03:12PM

Planting tiny spy chips in hardware can cost as little as $200

https://arstechnica.com/?p=1584039

More than a year has passed since Bloomberg Businessweek grabbed the lapels of the cybersecurity world with a bombshell claim: that Supermicro motherboards in servers used by major tech firms, including Apple and Amazon, had been stealthily implanted with a chip the size of a rice grain that allowed Chinese hackers to spy deep into those networks. Apple, Amazon, and Supermicro all vehemently denied the report. The National Security Agency dismissed it as a false alarm. The Defcon hacker conference awarded it two Pwnie Awards, for “most overhyped bug” and “most epic fail.” And no follow-up reporting has yet affirmed its central premise.

But even as the facts of that story remain unconfirmed, the security community has warned that the possibility of the supply chain attacks it describes is all too real. The NSA, after all, has been doing something like it for years, according to the leaks of whistle-blower Edward Snowden. Now researchers have gone further, showing just how easily and cheaply a tiny, tough-to-detect spy chip could be planted in a company’s hardware supply chain. And one of them has demonstrated that it doesn’t even require a state-sponsored spy agency to pull it off—just a motivated hardware hacker with the right access and as little as $200 worth of equipment.

At the CS3sthlm security conference later this month, security researcher Monta Elkins will show how he created a proof-of-concept version of that hardware hack in his basement. He intends to demonstrate just how easily spies, criminals, or saboteurs with even minimal skills, working on a shoestring budget, can plant a chip in enterprise IT equipment to offer themselves stealthy backdoor access. (Full disclosure: I’ll be speaking at the same conference, which paid for my travel and is providing copies of my forthcoming book to attendees.) With only a $150 hot-air soldering tool, a $40 microscope, and some $2 chips ordered online, Elkins was able to alter a Cisco firewall in a way that he says most IT admins likely wouldn’t notice, yet would give a remote attacker deep control.

“We think this stuff is so magical, but it’s not really that hard,” says Elkins, who works as “hacker in chief” for the industrial-control-system security firm FoxGuard. “By showing people the hardware, I wanted to make it much more real. It’s not magical. It’s not impossible. I could do this in my basement. And there are lots of people smarter than me, and they can do it for almost nothing.”

A fingernail in the firewall

Elkins used an ATtiny85 chip, about 5 millimeters square, that he found on a $2 Digispark Arduino board—not quite the size of a grain of rice, but smaller than a pinky fingernail. After writing his code to that chip, Elkins desoldered it from the Digispark board and soldered it to the motherboard of a Cisco ASA 5505 firewall. He used an inconspicuous spot that required no extra wiring and would give the chip access to the firewall’s serial port.

The image below gives a sense of how tough spotting the chip would be amid the complexity of a firewall’s board—even with the relatively small, 6- by 7-inch dimensions of an ASA 5505. Elkins suggests he could have used an even smaller chip but chose the ATtiny85 because it was easier to program. He says he also could have hidden his malicious chip even more subtly, inside one of several radio-frequency shielding “cans” on the board, but he wanted to be able to show the chip’s placement at the CS3sthlm conference.

The bottom side of a Cisco ASA 5505 firewall motherboard, with the red oval marking the 5-millimeter-squared chip that Elkins added.

Monta Elkins

Elkins programmed his tiny stowaway chip to carry out an attack as soon as the firewall boots up in a target’s data center. It impersonates a security administrator accessing the configurations of the firewall by connecting their computer directly to that port. Then the chip triggers the firewall’s password recovery feature, creating a new admin account and gaining access to the firewall’s settings. Elkins says he used Cisco’s ASA 5505 firewall in his experiment because it was the cheapest one he found on eBay, but he says that any Cisco firewall that offers that sort of recovery in the case of a lost password should work. “We are committed to transparency and are investigating the researcher’s findings,” Cisco said in a statement. “If new information is found that our customers need to be aware of, we will communicate it via our normal channels.”

Once the malicious chip has access to those settings, Elkins says, his attack can change the firewall’s settings to offer the hacker remote access to the device, disable its security features, and give the hacker access to the device’s log of all the connections it sees, none of which would alert an administrator. “I can basically change the firewall’s configuration to make it do whatever I want it to do,” Elkins says. Elkins says with a bit more reverse engineering, it would also be possible to reprogram the firmware of the firewall to make it into a more full-featured foothold for spying on the victim’s network, though he didn’t go that far in his proof of concept.

A speck of dust

Elkins’ work follows an earlier attempt to reproduce far more precisely the sort of hardware hack Bloomberg described in its supply chain hijacking scenario. As part of his research presented at the Chaos Computer Conference last December, independent security researcher Trammell Hudson built a proof of concept for a Supermicro board that attempted to mimic the techniques of the Chinese hackers described in the Bloomberg story. That meant planting a chip on the part of a Supermicro motherboard with access to its baseboard management controller, or BMC, the component that allows it to be remotely administered, offering a hacker deep control of the target server.

Hudson, who worked in the past for Sandia National Labs and now runs his own security consultancy, found a spot on the Supermicro board where he could replace a tiny resistor with his own chip to alter the data coming in and out of the BMC in real time, exactly the sort of attack that Bloomberg described. He then used a so-called field reprogrammable gate array—a reprogrammable chip sometimes used for prototyping custom chip designs—to act as that malicious interception component.

Hudson’s FPGA, at less than 2.5 millimeters square, was only slightly larger than the 1.2-millimeters-square resistor it replaced on the Supermicro board. But in true proof-of-concept style, he says he didn’t actually make any attempts to hide that chip, instead connecting it to the board with a mess of wiring and alligator clips. Hudson argues, however, that a real attacker with the resources to fabricate custom chips—a process that would likely cost tens of thousands of dollars—could have carried out a much more stealthy version of the attack, fabricating a chip that carried out the same BMC-tampering functions and fit into a much smaller footprint than the resistor. The result could even be as small as a hundredth of a square millimeter, Hudson says, vastly smaller than Bloomberg‘s grain of rice.

“For an adversary who wants to spend any money on it, this would not have been a difficult task,” Hudson says.

“There’s no need for further comment about false reports from more than a year ago,” Supermicro said in a statement.

But Elkins points out that his firewall-based attack, while far less sophisticated, doesn’t require that custom chip at all—only his $2 one. “Don’t discount this attack because you think someone needs a chip fab to do it,” Elkins says. “Basically anyone who’s an electronic hobbyist can do a version of this at home.”

Elkins and Hudson both emphasize that their work isn’t meant to validate Bloomberg‘s tale of widespread hardware supply chain attacks with tiny chips planted in devices. They don’t even argue that it’s likely to be a common attack in the wild; both researchers point out that traditional software attacks can often give hackers just as much access, albeit not necessarily with the same stealth.

But both Elkins and Hudson argue that hardware-based espionage via supply-chain hijacking is nonetheless a technical reality, and one that may be easier to accomplish than many of the world’s security administrators realize. “What I want people to recognize is that chipping implants are not imaginary. They’re relatively straightforward,” says Elkins. “If I can do this, someone with hundreds of millions in their budget has been doing this for a while.”

This story originally appeared on wired.com.

via Ars Technica https://arstechnica.com

October 13, 2019 at 05:57AM

Google Stadia launching at 9 a.m. PST, November 19

https://arstechnica.com/?p=1585459

  • The hardware you get with the $129.99 Stadia “Founder’s Edition.”

  • Close-up of the exclusive Founder’s Edition Controller.

  • Shoulder buttons!

  • Extra Stadia Controllers will be available for $69 in three colors including “Just Black”…

  • …“Clearly White”…

  • …and “Wasabi.”

  • A Chromecast Ultra is the easiest way to stream Stadia games to your TV.

At its Made With Google event this morning, Google announced that the Stadia streaming gaming service will roll out to preorder customers on November 19.

That specific date further clarifies a vaguer “November” launch window that was announced back in June. In a blog post accompanying the on-stage announcement, Google further clarified that the service would go live at 9am PST (12pm EST, 5pm BST) on that day.

As previously discussed, the only players that will be able to access Stadia on that launch day are those who spend $129 to purchase the Stadia Founder’s Edition package (or the substantially similar Premiere Edition that was announced later). Those packages come with a Wi-Fi Stadia Controller, a Chromecast Ultra for TV streaming, three months of Stadia Pro, and a streamable copy of Destiny 2.

Google promises a free streaming tier will be available sometime next year, though users will still have to buy most games on the service à la carte.

At the Made with Google event, chief Rick Osterloh sold Stadia as part of Google’s “ambient computing vision,” which promises that “throughout your home, technology works as a single system, rather than a bunch of devices doing one thing.” To that end, Osterloh says Stadia is “aiming to deliver the best games ever made to just about any screen in your life.”

This is a breaking news story and will be updated with more information

  • I wonder if this is what Harrison’s room at home looks like.

  • Take that, consoles!

  • Lookit all those logos.

  • A 10 Mbps connection is recommended for the lowest-end Stadia experience.

  • From the company that brought you…

  • You can use other controllers, not just the Stadia Controller, when playing on PC, tablet, or phone.

  • It’s not cheap to be a Pro.

  • We heard you like Destiny, so we put Destiny in your Stadia so you can Destiny while you Stadia.

  • Comes with everything you see here! Operators are standing by!

  • Smash that pre-order button, viewers.

Listing image by Google

via Ars Technica https://arstechnica.com

October 15, 2019 at 09:35AM

HP Unveils Chromebox Enterprise G2: A Chrome OS-Based Business Desktop

https://www.anandtech.com/show/14981/hp-unveils-chromebox-enterprise-g2-a-chrome-osbased-business-desktop

The business and enterprise desktop market has been an interesting one recently: on the one hand, because extended support for Windows 7 nears its end early in 2020, multiple companies are eager to buy new PCs; on the other hand, margins are low and competition between suppliers is cut-throat. To minimize competition, HP has released one of the industry’s first Chromebox for Enterprise devices: a UCFF desktop PC for frontline workers, call centers, shared spaces, kiosks, or digital signage applications.

The Chromebox Enterprise G2 comes in a small 14.93×14.93×4 cm black box that packs either Intel’s 7th Generation dual-core Core i3-7130U CPU with UHD 620 graphics or a Celeron 3867U CPU with UHD 610 graphics, paired with 16 GB of DDR4-2400 DRAM as well as an M.2 SSD.

In a bid to meet requirements of all possible applications, the Chromebox Enterprise G2 features rather vast connectivity capabilities that include GbE, Wi-Fi 5, Bluetooth 4.2, three USB 3.0 Type-A ports, two USB 2.0 Type-A ports, one USB Type-C connector, one HDMI display output, one 3-in-1 SD card reader, and a 3.5-mm headphone jack. Depending on configuration, the Chromebox Enterprise G2 comes with a 65 W or a 90 W power brick.

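HP’s Chromebox Enterprise G2

| Model | Celeron | Core i3 |
|---|---|---|
| CPU | Intel Celeron 3867U (2C, 1.8 GHz, 2 MB cache) | Intel® Core i3-7130U (2C, 2.7 GHz, 3 MB cache) |
| GPU | Intel HD Graphics 610 | Intel HD Graphics 620 |
| DRAM | 16 GB DDR4-2400; two DDR4 SO-DIMM slots | 16 GB DDR4-2400; two DDR4 SO-DIMM slots |
| Motherboard | proprietary | proprietary |
| Storage: SSD | 32 GB or 64 GB M.2 SSD | 32 GB or 64 GB M.2 SSD |
| Storage: DFF | | |
| Storage: SD | 3-in-1 card reader | 3-in-1 card reader |
| Wireless | Intel Dual Band Wireless-AC 7265 802.11ac (2×2) and Bluetooth 4.2 | Intel Dual Band Wireless-AC 7265 802.11ac (2×2) and Bluetooth 4.2 |
| Ethernet | 1 × GbE port (Realtek RTL8151GH-CG GbE LOM) | 1 × GbE port (Realtek RTL8151GH-CG GbE LOM) |
| USB: Front | 1 × USB 3.0 Type-A | 1 × USB 3.0 Type-A |
| USB: Back | 1 × USB 3.0 Type-C, 1 × USB 3.0 Type-A, 2 × USB 2.0 Type-A | 1 × USB 3.0 Type-C, 1 × USB 3.0 Type-A, 2 × USB 2.0 Type-A |
| Display Outputs | 1 × HDMI | 1 × HDMI |
| Audio | 1 × 3.5mm audio jack for headsets (Realtek ALC5662-CG codec) | 1 × 3.5mm audio jack for headsets (Realtek ALC5662-CG codec) |
| PSU | External 65 W | External 90 W |
| Warranty | Typical, varies by country | Typical, varies by country |
| Dimensions | Length: 14.93 cm (5.87 inches); Width: 14.93 cm (5.87 inches); Height: 4 cm (1.57 inches) | Length: 14.93 cm (5.87 inches); Width: 14.93 cm (5.87 inches); Height: 4 cm (1.57 inches) |
| OS | Chrome OS with Chrome Enterprise Upgrade | Chrome OS with Chrome Enterprise Upgrade |
| MSRP | ? | ? |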

Unlike Chromebooks, Chromeboxes have not really gained traction on the market, partly because people expect high performance and advanced multimedia capabilities from their desktops, but mostly because people are so used to Windows programs. By releasing a Chromebox for Enterprise, HP obviously faces some risks, but it believes that since many people use web-based apps nowadays, they will use a Chrome OS-based desktop without any problems. Meanwhile, the advantage of web-based applications is also their disadvantage, because they depend on the reliability of the Internet connection. On the other hand, one indisputable trump that HP’s Chromebox Enterprise G2 has is support for numerous capabilities aimed precisely at businesses, including 24/7 Google support, automatic software updates through June 2024, virus protection, sandboxing, verified boot, remote management, and easy deployment. All in all, it will be interesting to see how successful HP’s Chromebox for Enterprise is going to be.

HP’s Chromebox Enterprise machines will be available in November. Pricing will depend on configurations.

Source: HP

via AnandTech https://ift.tt/phao0v

October 14, 2019 at 04:10PM

AT-ATimus Prime and Other Custom Transformers: Truly More Than Meets the Eye

https://www.geeksaresexy.net/2019/10/12/at-atimus-prime-and-other-custom-transformers-truly-more-than-meets-the-eye/

Artist and custom toy maker Spoonman is a fan of both Star Wars and The Transformers, so he decided to create a transforming mashup between the leader of the Autobots, Optimus Prime, and an AT-AT walker from Star Wars. Check out the extra pics below, including some of Spoonman’s other creations!

[Customs by Spoonman | Via Geekologie]

via [Geeks Are Sexy] Technology News https://ift.tt/23BIq6h

October 12, 2019 at 05:08AM