An off-grid social network

Article URL: https://staltz.com/an-off-grid-social-network.html

Comments URL: https://news.ycombinator.com/item?id=14050049

Points: 561

# Comments: 251

Driverless race cars dodge stray dog in Argentina—but one wipes out into a wall

Roborace

In just its third season, Formula E deserves credit for trying out new ideas in motorsport. Not everything has been a success, but the risk of trying to innovate in broad daylight is that people will see your mistakes as they happen. Take Roborace for example. The idea is to create a series of support races for Formula E where each team uses an identical driverless car, competing to write the best-racing AI. That driverless race car isn't quite ready yet, but Roborace took a pair of DevBots to Argentina this weekend for a demonstration at the Buenos Aires ePrix.

It may not have been the demonstration that Roborace hoped for. One of the DevBots—the yellow one—ran out of talent and clipped a wall. But that happens to rookie human drivers, too, and at least in this case there was no chance of a rookie seriously hurting themselves. Some argue that this is bad news for Roborace and self-driving cars, but this is racing. If it were easy to get right, it wouldn't be any fun.

Predicting a Slot Machine's PRNG

Wired is reporting on a new slot machine hack. A Russian group has reverse-engineered a particular brand of slot machine -- from Austrian company Novomatic -- and can simulate and predict the pseudo-random number generator.

The cell phones from Pechanga, combined with intelligence from investigations in Missouri and Europe, revealed key details. According to Willy Allison, a Las Vegas-based casino security consultant who has been tracking the Russian scam for years, the operatives use their phones to record about two dozen spins on a game they aim to cheat. They upload that footage to a technical staff in St. Petersburg, who analyze the video and calculate the machine's pattern based on what they know about the model's pseudorandom number generator. Finally, the St. Petersburg team transmits a list of timing markers to a custom app on the operative's phone; those markers cause the handset to vibrate roughly 0.25 seconds before the operative should press the spin button.

"The normal reaction time for a human is about a quarter of a second, which is why they do that," says Allison, who is also the founder of the annual World Game Protection Conference. The timed spins are not always successful, but they result in far more payouts than a machine normally awards: Individual scammers typically win more than $10,000 per day. (Allison notes that those operatives try to keep their winnings on each machine to less than $1,000, to avoid arousing suspicion.) A four-person team working multiple casinos can earn upwards of $250,000 in a single week.

The easy solution is to use a random-number generator that accepts local entropy, like Fortuna. But there's probably no way to easily reprogram those old machines.
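The point about local entropy, as an added sketch that is not part of the original post: the two classes below are constructed toy generators (a SHA-256 chain, not Fortuna and not any real machine's algorithm), and the names, the seed and the 32-stop reel are assumptions. A copy of the purely deterministic generator tracks the original on every spin, while folding fresh local entropy into the state on each draw makes the copy diverge at once.

```python
import hashlib
import os


class DeterministicPRNG:
    """Constructed toy generator: each output depends only on the prior state."""

    def __init__(self, seed: bytes):
        self.state = hashlib.sha256(seed).digest()

    def next_reel(self) -> int:
        self.state = hashlib.sha256(self.state).digest()
        return int.from_bytes(self.state[:4], "big") % 32  # 32 reel stops (assumed)


class ReseedingPRNG(DeterministicPRNG):
    """Same chain, but fresh local entropy is mixed into the state on every draw."""

    def __init__(self, seed: bytes, entropy_source=os.urandom):
        super().__init__(seed)
        self.entropy_source = entropy_source

    def next_reel(self) -> int:
        fresh = self.entropy_source(16)  # unknown to anyone outside the machine
        self.state = hashlib.sha256(self.state + fresh).digest()
        return int.from_bytes(self.state[:4], "big") % 32


def clone_predicts(machine, clone, spins: int = 200) -> int:
    """Count the spins on which a copy with the same algorithm and seed agrees."""
    return sum(machine.next_reel() == clone.next_reel() for _ in range(spins))


def simulate():
    seed = b"constructed-seed"  # sample value, constructed for this example
    deterministic_hits = clone_predicts(DeterministicPRNG(seed), DeterministicPRNG(seed))
    reseeding_hits = clone_predicts(ReseedingPRNG(seed), ReseedingPRNG(seed))
    return deterministic_hits, reseeding_hits


if __name__ == "__main__":
    det, res = simulate()
    print(f"deterministic: copy agrees on {det}/200 spins")
    print(f"with local entropy: copy agrees on {res}/200 spins (chance level)")
```

The protection is only as good as the entropy source: if `entropy_source` returns predictable bytes, the reseeding generator is as reproducible as the deterministic one.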

Millions exposed to malvertising that hid attack code in banner pixels

Millions of people visiting mainstream websites over the past two months have been exposed to a novel form of malicious ads that embed attack code in individual pixels of the banners.

Researchers from antivirus provider Eset said "Stegano," as they've dubbed the campaign, dates back to 2014. Beginning in early October, its unusually stealthy operators scored a major coup by getting the ads displayed on a variety of unnamed reputable news sites, each with millions of daily visitors. Borrowing from the word steganography—the practice of concealing secret messages inside a larger document that dates back to at least 440 BC—Stegano hides parts of its malicious code in parameters controlling the transparency of pixels used to display banner ads. While the attack code alters the tone or color of the images, the changes are almost invisible to the untrained eye.

The malicious script is concealed in the alpha channel that defines the transparency of pixels, making it extremely difficult for even sharp-eyed ad networks to detect. After verifying that the targeted browser isn't running in a virtual machine or connected to other types of security software often used to detect attacks, the script redirects the browser to a site that hosts three exploits for now-patched Adobe Flash vulnerabilities.

Password Sharing Is Now a Crime

In a truly terrible ruling, the US 9th Circuit Court ruled that using someone else's password with their permission but without the permission of the site owner is a federal crime.

The argument McKeown made is that the employee who shared the password with Nosal "had no authority from Korn/Ferry to provide her password to former employees."

At issue is language in the CFAA that makes it illegal to access a computer system "without authorization." McKeown said that "without authorization" is "an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission." The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from who?

Reinhardt argues that Nosal's use of the database was unauthorized by the firm, but was authorized by the former employee who shared it with him. For you and me, this case means that unless Netflix specifically authorizes you to share your password with your friend, you're breaking federal law.

The EFF:

While the majority opinion said that the facts of this case "bear little resemblance" to the kind of password sharing that people often do, Judge Reinhardt's dissent notes that it fails to provide an explanation of why that is. Using an analogy in which a woman uses her husband's user credentials to access his bank account to pay bills, Judge Reinhardt noted: "So long as the wife knows that the bank does not give her permission to access its servers in any manner, she is in the same position as Nosal and his associates." As a result, although the majority says otherwise, the court turned anyone who has ever used someone else's password without the approval of the computer owner into a potential felon.

The Computer Fraud and Abuse Act has been a disaster for many reasons, this being one of them. There will be an appeal of this ruling.

The Fallibility of DNA Evidence

This is a good summary article on the fallibility of DNA evidence. Most interesting to me are the parts on the proprietary algorithms used in DNA matching:

William Thompson points out that Perlin has declined to make public the algorithm that drives the program. "You do have a black-box situation happening here," Thompson told me. "The data go in, and out comes the solution, and we're not fully informed of what happened in between."

Last year, at a murder trial in Pennsylvania where TrueAllele evidence had been introduced, defense attorneys demanded that Perlin turn over the source code for his software, noting that "without it, [the defendant] will be unable to determine if TrueAllele does what Dr. Perlin claims it does." The judge denied the request.

[...]

When I interviewed Perlin at Cybergenetics headquarters, I raised the matter of transparency. He was visibly annoyed. He noted that he'd published detailed papers on the theory behind TrueAllele, and filed patent applications, too: "We have disclosed not the trade secrets of the source code or the engineering details, but the basic math."

It's the same problem as any biometric: we need to know the rates of both false positives and false negatives. And if these algorithms are being used to determine guilt, we have a right to examine them.
