Oracle said on Friday it's moving its headquarters from the Silicon Valley to Austin, Texas. CNBC reports: "Oracle is implementing a more flexible employee work location policy and has changed its Corporate Headquarters from Redwood City, California to Austin, Texas. We believe these moves best position Oracle for growth and provide our personnel with more flexibility about where and how they work," a spokesperson confirmed to CNBC. A bulk of employees can choose their office location, or continue to work from home part time or full time, the company said.

"In addition, we will continue to support major hubs for Oracle around the world, including those in the United States such as Redwood City, Austin, Santa Monica, Seattle, Denver, Orlando and Burlington, among others, and we expect to add other locations over time," Oracle said. "By implementing a more modern approach to work, we expect to further improve our employees' quality of life and quality of output." Oracle is one of Silicon Valley's older success stories, founded in Santa Clara in 1977. It moved into its current headquarters in 1989. Several of the buildings on its campus there are constructed in the shape of a squat cylinder, which is the classic symbol in computer systems design for a database, the product on which Oracle built its empire.

The personal information of more than 243 million Brazilians, including alive and deceased, has been exposed online after web developers left the password for a crucial government database inside the source code of an official Brazilian Ministry of Health's website for at least six months. From a report: The security snafu was discovered by reporters from Brazilian newspaper Estadao, the same newspaper that last week discovered that a Sao Paolo hospital leaked personal and health information for more than 16 million Brazilian COVID-19 patients after an employee uploaded a spreadsheet with usernames, passwords, and access keys to sensitive government systems on GitHub. Estadao reporters said they were inspired by a report filed in June by Brazilian NGO Open Knowledge Brasil (OKBR), which, at the time, reported that a similar government website also left exposed login information for another government database in the site's source code. Since a website's source code can be accessed and reviewed by anyone pressing F12 inside their browser, Estadao reporters searched for similar issues in other government sites.

An anonymous reader quotes a report from Music Business Worldwide: According to a document published last week, Daniel Ek's company is seeking a patent for its "Plagiarism Risk Detector And Interface" technology, which pertains to "Methods, systems and computer program products..for testing a lead sheet for plagiarism." As explained in the filing -- and as our songwriter/musician readers will already know -- a "lead sheet" is a type of music score or musical notation for songs denoting their melody, chords and sometimes lyrics or additional notes. Spotify's invention would allow for a lead sheet to be fed through the platform's "plagiarism detector," which would then, "having been trained on a plurality of preexisting encoded lead sheets," immediately compare the composition in question to all other songs stored in its database.

A set of messages would then be displayed -- describing a detected level of plagiarism regarding "a plurality of elements" such as a chord sequence, melodic fragments, harmony, etc. of a song. The AI software would also potentially calculate "a similarity value" of the song in question vs. other songs in the Spotify lead sheet library. These technology could work the other way around, too, says Spotify's filing, reassuring a songwriter that "the melodic fragment [of your song] appears to be completely new." One particularly interesting element of this is that it would take place in near-real time, allowing a songwriter or composer to tweak elements of their work to avoid infringement before they (and/or their record label) spent the big bucks on recording a final version. Spotify's filing adds that "in some embodiments a link to the media content item that might be infringed (e.g., a track of an album) is provided so that a [songwriter] can quickly... listen to the potentially plagiarized work."

The security team behind the "npm" repository for JavaScript libraries removed two npm packages this Monday for containing malicious code that installed a remote access trojan (RAT) on the computers of developers working on JavaScript projects. From a report: The name of the two packages was jdb.js and db-json.js., and both were created by the same author and described themselves as tools to help developers work with JSON files typically generated by database applications. Both packages were uploaded on the npm package registry last week and were downloaded more than 100 times before their malicious behavior was detected by Sonatype, a company that scans package repositories on a regular basis. According to Sonatype's Ax Sharma, the two packages contained a malicious script that executed after web developers imported and installed any of the two malicious libraries. The post-install script performed basic reconnaissance of the infected host and then attempted to download and run a file named patch.exe that later installed njRAT, also known as Bladabindi, a very popular remote access trojan that has been used in espionage and data theft operations since 2015.

An anonymous reader quotes a report from TechCrunch: Massachusetts lawmakers have voted to pass a new police reform bill that will ban police departments and public agencies from using facial recognition technology across the state. The bill was passed by both the state's House and Senate on Tuesday, a day after senior lawmakers announced an agreement that ended months of deadlock.

The police reform bill also bans the use of chokeholds and rubber bullets, and limits the use of chemical agents like tear gas, and also allows police officers to intervene to prevent the use of excessive and unreasonable force. But the bill does not remove qualified immunity for police, a controversial measure that shields serving police from legal action for misconduct, following objections from police groups. Critics have for years complained that facial recognition technology is flawed, biased and disproportionately misidentifies people and communities of color. But the bill grants police an exception to run facial recognition searches against the state's driver license database with a warrant. In granting that exception, the state will have to publish annual transparency figures on the number of searches made by officers. "The Massachusetts Senate voted 28-12 to pass, and the House voted 92-67," notes the report. "The bill will now be sent to Massachusetts governor Charlie Baker for his signature."

The Supreme Court will hear arguments on Monday in a case that could lead to sweeping changes to America's controversial computer hacking laws -- and affecting how millions use their computers and access online services. From a report: The Computer Fraud and Abuse Act was signed into federal law in 1986 and predates the modern internet as we know it, but governs to this day what constitutes hacking -- or "unauthorized" access to a computer or network. The controversial law was designed to prosecute hackers, but has been dubbed as the "worst law" in the technology law books by critics who say it's outdated and vague language fails to protect good-faith hackers from finding and disclosing security vulnerabilities. At the center of the case is Nathan Van Buren, a former police sergeant in Georgia. Van Buren used his access to a police license plate database to search for an acquaintance in exchange for cash. Van Buren was caught, and prosecuted on two counts: accepting a kickback for accessing the police database, and violating the CFAA. The first conviction was overturned, but the CFAA conviction was upheld. Van Buren may have been allowed to access the database by way of his police work, but whether he exceeded his access remains the key legal question. Orin Kerr, a law professor at the University of California, Berkeley, said Van Buren vs. United States was an "ideal case" for the Supreme Court to take up. "The question couldn't be presented more cleanly," he argued in a blog post in April.

UK-based cyber-security vendor Sophos is currently notifying customers via email about a security breach the company suffered earlier this week. From a report: "On November 24, 2020, Sophos was advised of an access permission issue in a tool used to store information on customers who have contacted Sophos Support," the company said in an email sent to customers and obtained by ZDNet. Exposed information included details such as customer first and last names, email addresses, and phone numbers (if provided).

An anonymous reader quotes a report from NBC News: Two notebooks written by the famed British naturalist Charles Darwin in 1837 and missing for years may have been stolen from the Cambridge University Library, according to curators who launched a public appeal Tuesday for information. The notebooks, estimated to be worth millions of dollars, include Darwin's celebrated "Tree of Life" sketch that the 19th-century scientist used to illustrate early ideas about evolution. Officials at the Cambridge University Library say the two notebooks have been missing since 2001, and it's now thought that they were stolen.

"I am heartbroken that the location of these Darwin notebooks, including Darwin's iconic 'Tree of Life' drawing, is currently unknown, but we're determined to do everything possible to discover what happened and will leave no stone unturned during this process," Jessica Gardner, the university librarian and director of library services, said in a statement. The lost manuscripts were initially thought to have been misplaced in the university's enormous archives, which house roughly 10 million books, maps and other objects. But an exhaustive search initiated at the start of 2020 -- the "largest search in the library's history," according to Gardner -- failed to turn up the notebooks and they are now being reported as stolen. Cambridge University officials said a police investigation is underway and the notebooks have been added to Interpol's database of stolen artworks.

Amateur astronomer and YouTuber Alberto Caballero, one of the founders of The Exoplanets Channel, has found a small amount of evidence for a source of the notorious Wow! signal. Phys.Org reports: Back in 1977, astronomers working with the Big Ear Radio Telescope -- at the time, situated in Delaware, Ohio -- recorded a unique signal from somewhere in space. It was so strong and unusual that one of the workers on the team, Jerry Ehman, famously scrawled the word Wow! on the printout. Despite years of work and many man hours, no one has ever been able to trace the source of the signal or explain the strong, unique signal, which lasted for all of 72 seconds. Since that time, many people have suggested the only explanation for such a strong and unique signal is extraterrestrial intelligent life.

In this new effort, Caballero reasoned that if the source was some other life form, it would likely be living on an exoplanet -- and if that were the case, it would stand to reason that such a life form might be living on a planet similar to Earth -- one circling its own sun-like star. Pursuing this logic, Caballero began searching the publicly available Gaia database for just such a star. The Gaia database has been assembled by a team working at the Gaia observatory run by the European Space Agency. Launched back in 2013, the project has worked steadily on assembling the best map of the night sky ever created. To date, the team has mapped approximately 1.3 billion stars. In studying his search results, Caballero found what appears to fit the bill -- a star (2MASS 19281982-2640123) that is very nearly a mirror image of the sun -- and is located in the part of the sky where the Wow! signal originated. He notes that there are other possible candidates in the area but suggests his candidate might provide the best launching point for a new research effort by astronomers who have the tools to look for exoplanets. Caballero shared his findings via arXiv.

An anonymous reader quotes a report from Motherboard: The IRS was able to query a database of location data quietly harvested from ordinary smartphone apps over 10,000 times, according to a copy of the contract between IRS and the data provider obtained by Motherboard. The document provides more insight into what exactly the IRS wanted to do with a tool purchased from Venntel, a government contractor that sells clients access to a database of smartphone movements. The Inspector General is currently investigating the IRS for using the data without a warrant to try to track the location of Americans. "This contract makes clear that the IRS intended to use Venntel's spying tool to identify specific smartphone users using data collected by apps and sold onwards to shady data brokers. The IRS would have needed a warrant to obtain this kind of sensitive information from AT&T or Google," Senator Ron Wyden told Motherboard in a statement after reviewing the contract. [...]

One of the new documents says Venntel sources the location information from its "advertising analytics network and other sources." Venntel is a subsidiary of advertising firm Gravy Analytics. The data is "global," according to a document obtained from CBP. Venntel then packages that data into a user interface and sells access to government agencies. A former Venntel worker previously told Motherboard that customers can use the product to search a specific area to see which devices were there, or follow a particular device across time. Venntel provides its own pseudonymous ID to each device, but the former worker said users could try to identify specific people. The new documents say that the IRS' purchase of an annual Venntel subscription granted the agency 12,000 queries of the dataset per year.

"In support of Internal Revenue Service (IRS) Criminal Investigation's (CI) law enforcement investigative mission, the Cyber Crimes Unit (CCU) requires one (1) Venntel Mobile Intelligence web-based subscription," one of the documents reads. "This allows tracing and pattern-of-life analysis on locations of interesting criminal investigations, allowing investigators to trace locations of mobile devices even if a target is using anonymizing technologies like a proxy server, which is common in cyber investigations," it adds.

Saturday saw 2020's virtual observation of the annual Aaron Swartz Day and International Hackathon, which the EFF describes as "a day dedicated to celebrating the continuing legacy of activist, programmer, and entrepreneur Aaron Swartz."

Its official web site notes the wide-ranging event includes "projects and ideas that are still bearing fruit to this day, such as SecureDrop, Open Library, and the Aaron Swartz Day Police Surveillance Project." The event even included a virtual session for the Atlas of Surveillance project which involved documenting instances of law enforcement using surveillance technologies like social media monitoring, automated license plate readers, and body-worn cameras. And EFF special advisor Cory Doctorow, director of strategy Danny O'Brien, and senior activist Elliot Harmon also spoke "about Aaron's legacy and how his work lives on today," according to the EFF's announcement: Aaron Swartz was a brilliant champion of digital rights, dedicated to ensuring the Internet remained a thriving ecosystem for open knowledge. EFF was proud to call him a close friend and collaborator. His life was cut short in 2013, after he was charged under the notoriously draconian Computer Fraud and Abuse Act for systematically downloading academic journal articles from the online database JSTOR.

Federal prosecutors stretch this law beyond its original purpose of stopping malicious computer break-ins, reserving the right to push for heavy penalties for any behavior they don't like that happens to involve a computer. This was the case for Aaron, who was charged with eleven counts under the CFAA. Facing decades in prison, Aaron died by suicide at the age of 26. He would have turned 34 this year, on November 8.

In addition to EFF projects, the hackathon will focus on projects including SecureDrop, Open Library, and the Aaron Swartz Day Police Surveillance Project. The full lineup of speakers includes Aaron Swartz Day co-founder Lisa Rein, SecureDrop lead Mickael E., researcher Mia Celine, Lucy Parsons Lab founder Freddy Martinez, and Brewster Kahle — co-founder of Aaron Swartz Day and the Internet Archive.
All of the presentations are now online.

"A widely used hotel reservation platform has exposed 10 million files related to guests at various hotels around the world, thanks to a misconfigured Amazon Web Services S3 bucket," reports Threatpost.

"The records include sensitive data, including credit-card details." Prestige Software's "Cloud Hospitality" is used by hotels to integrate their reservation systems with online booking websites like Expedia and Booking.com. The incident has affected 24.4 GB worth of data in total, according to the security team at Website Planet, which uncovered the bucket.

Many of the records contain data for multiple hotel guests that were grouped together on a single reservation; thus, the number of people exposed is likely well over the 10 million, researchers said. Some of the records go back to 2013, the team determined — but the bucket was still "live" and in use when it was discovered this month. "The company was storing years of credit-card data from hotel guests and travel agents without any protection in place, putting millions of people at risk of fraud and online attacks," according to the firm, in a recent notice on the issue. "The S3 bucket contained over 180,000 records from August 2020 alone...."

The records contain a raft of information, Website Planet said, including full names, email addresses, national ID numbers and phone numbers of hotel guests; card numbers, cardholder names, CVVs and expiration dates; and reservation details, such as the total cost of hotel reservations, reservation number, dates of a stay, special requests made by guests, number of people, guest names and more. The exposure affects a wide number of platforms, with data related to reservations made through Amadeus, Booking.com, Expedia, Hotels.com, Hotelbeds, Omnibees, Sabre and more....

A too-large percentage of cloud databases containing highly sensitive information are publicly available, an analysis in September found. The study from Comparitch showed that 6 percent of all Google Cloud buckets are misconfigured and left open to the public internet, for anyone to access their contents.

Mike Allen, reporting for Axios: President Trump has told friends he wants to start a digital media company to clobber Fox News and undermine the conservative-friendly network, sources tell Axios. The state of play: Some Trump advisers think Fox News made a mistake with an early call (seconded by AP) of President-elect Biden's win in Arizona. [...] Here's Trump's plan, according to the source: There's been lots of speculation about Trump starting a cable channel. But getting carried on cable systems would be expensive and time-consuming. Instead, Trump is considering a digital media channel that would stream online, which would be cheaper and quicker to start. Trump's digital offering would likely charge a monthly fee to MAGA fans. Many are Fox News viewers, and he'd aim to replace the network -- and the $5.99-a-month Fox Nation streaming service, which has an 85% conversion rate from free trials to paid subscribers -- as their top destination. Trump's database of email and cellphone contacts would be a huge head start. Trump's lists are among the most valuable in politics -- especially his extensive database of cellphone numbers for text messages.

Can algorithms identify unusual medication orders or profiles more accurately than humans? Not necessarily. From a report: A study coauthored by researchers at the Universite Laval and CHU Sainte-Justine in Montreal found that one model physicians used to screen patients performed poorly on some orders. The study offers a reminder that unvetted AI and machine learning may negatively impact outcomes in medicine. Pharmacists review lists of active medications -- i.e., pharmacological profiles -- for inpatients under their care. This process aims to identify medications that could be abused, but most medication orders don't show drug-related problems. Publications from over a decade ago illustrate technology's potential to help pharmacists streamline workflows by taking on tasks like reviewing orders. But while more recent research has investigated AI's potential in pharmacology, few studies have demonstrated its efficacy. The coauthors of this latest work looked at a model deployed in a tertiary-care mother-and-child academic hospital between April 2020 and August 2020. The model was trained on a dataset of 2,846,502 medication orders from 2005 to 2018. These had been extracted from a pharmacy database and preprocessed into 1,063,173 profiles. Prior to data collection, the model was retrained every month with 10 years of the most recent data from the database in order to minimize drift, which occurs when a model loses its predictive power.

At this time of year, agricultural burning adds to the air pollution problems across northern India and Pakistan. The region contains 16 of the 20 most polluted cities in the World Health Organization's global PM2.5 database. But are these the most polluted places ever recorded? Lack of measurements make historic comparisons difficult, but we have some clues. From a report: More than 200 years ago, Benjamin Franklin was famously among the first scientists to study electricity in the atmosphere. Lightning is the most obvious manifestation, but air pollution also changes the electrical properties of our air. Electrical measurements near Hyde Park in about 1790 suggest 18th-century London's particle pollution was perhaps half the annual average in the most polluted cities in modern India.

An anonymous reader quotes a report from ZDNet: GrowDiaries, an online community where marijuana growers can blog about their plants and interact with other farmers, has suffered a security breach in September this year. The breach occurred after the company left two Kibana apps exposed on the internet without administrative passwords. Kibana apps are normally used by a company's IT and development staff, as the app allows programmers to manage Elasticsearch databases via a simple web-based visual interface. Due to its native features, securing Kibana apps is just as important as securing the databases themselves.

But in a report published today on LinkedIn, Bob Diachenko, a security researcher known for discovering and reporting unsecured databases, said GrowDiaries failed to secure two of its Kibana apps, which appear to have been left exposed online without a password since September 22, 2020. Diachenko says these two Kibana apps granted attackers access to two sets of Elasticsearch databases, with one storing 1.4 million user records and the second holding more than two million user data points. The first exposed usernames, email addresses, and IP addresses, while the second database also exposed user articles posted on the GrowDiaries site and users' account passwords. While the passwords were stored in a hashed format, Diachenko said the format was MD5, a hashing function known to be insecure and crackable (allowing threat actors to determine the cleartext version of each password). The company secured its infrastructure five days after Diachenko reported the exposed Kibana apps on October 10. It's unknown if someone else accessed the databases to download user data.

More than 23,000 hacked databases have been made available for download on several hacking forums and Telegram channels in what threat intel analysts are calling the biggest leak of its kind. From a report: The database collection is said to have originated from Cit0Day.in, a private service advertised on hacking forums to other cybercriminals. Cit0day operated by collecting hacked databases and then providing access to usernames, emails, addresses, and even cleartext passwords to other hackers for a daily or monthly fee. Cybercriminals would then use the site to identify possible passwords for targeted users and then attempt to breach their accounts at other, more high-profile sites. The idea behind the site isn't unique, and Cit0Day could be considered a reincarnation of similar "data breach index" services such as LeakedSource and WeLeakInfo, both taken down by authorities in 2018 and 2020, respectively.

Scientists from MIT have developed a new AI model that can detect COVID-19 from a simple forced cough. ScienceAlert reports: Evidence shows that the AI can spot differences in coughing that can't be heard with the human ear, and if the detection system can be incorporated into a device like a smartphone, the research team thinks it could become a useful early screening tool. The work builds on research that was already happening into Alzheimer's detection through coughing and talking. Once the pandemic started to spread, the team turned its attention to COVID-19 instead, tapping into what had already been learned about how disease can cause very small changes to speech and the other noises we make.

The Alzheimer's research repurposed for COVID-19 involved a neural network known as ResNet50. It was trained on a thousand hours of human speech, then on a dataset of words spoken in different emotional states, and then on a database of coughs to spot changes in lung and respiratory performance. When the three models were combined, a layer of noise was used to filter out stronger coughs from weaker ones. Across around 2,500 captured cough recordings of people confirmed to have COVID-19, the AI correctly identified 97.1 percent of them -- and 100 percent of the asymptomatic cases.

That's an impressive result, but there's more work to do yet. The researchers emphasize that its main value lies in spotting the difference between healthy coughs and unhealthy coughs in asymptomatic people -- not in actually diagnosing COVID-19, which a proper test would be required for. In other words, it's an early warning system. The researchers now want to test the engine on a more diverse set of data, and see if there are other factors involved in reaching such an impressively high detection rate. If it does make it to the phone app stage, there are obviously going to be privacy implications too, as few of us will want our devices constantly listening out for signs of ill health. The research has been published in the IEEE Open Journal of Engineering in Medicine and Biology.

The man on the trail went by "Mostly Harmless." He was friendly and said he worked in tech. After he died in his tent, no one could figure out who he was. Wired: It's usually easy to to put a name to a corpse. There's an ID or a credit card. There's been a missing persons report in the area. There's a DNA match. But the investigators in Collier County couldn't find a thing. Mostly Harmless' fingerprints didn't show up in any law enforcement database. He hadn't served in the military, and his fingerprints didn't match those of anyone else on file. His DNA didn't match any in the Department of Justice's missing person database or in CODIS, the national DNA database run by the FBI. A picture of his face didn't turn up anything in a facial recognition database. The body had no distinguishing tattoos.

Nor could investigators understand how or why he died. There were no indications of foul play, and he had more than $3,500 cash in the tent. He had food nearby, but he was hollowed out, weighing just 83 pounds on a 5'8" frame. Investigators put his age in the vague range between 35 and 50, and they couldn't point to any abnormalities. The only substances he tested positive for were ibuprofen and an antihistamine. His cause of death, according to the autopsy report, was "undetermined." He had, in some sense, just wasted away. But why hadn't he tried to find help? Almost immediately, people compared Mostly Harmless to Chris McCandless, whose story was the subject of Into the Wild. McCandless, though, had been stranded in the Alaska bush, trapped by a raging river as he ran out of food. He died on a school bus, starving, desperate for help, 22 miles of wilderness separating him from a road. Mostly Harmless was just 5 miles from a major highway. He left no note, and there was no evidence that he had spent his last days calling out for help.

The investigators were stumped. To find out what had happened, they needed to learn who he was. So the Florida Department of Law Enforcement drew up an image of Mostly Harmless, and the Collier County investigators shared it with the public. In the sketch, his mouth is open wide, and his eyes too. He has a gray and black beard, with a bare patch of skin right below the mouth. His teeth, as noted in the autopsy, are perfect, suggesting he had good dental care as a child. He looks startled but also oddly pleased, as if he's just seen a clown jump out from behind a curtain. The image started to circulate online along with other pictures from his campsite, including his tent and his hiking poles.

"The Linux Foundation has formed a new group to provide public health authorities with free technology for tracking the spread of the coronavirus and future epidemics," writes Business Insider. Launched in July, the group has already released two apps "that notify users if they've been in contact with someone who has tested positive with COVID-19." Since these apps are open source, people can contribute code and customize them, allowing regions with similar needs to collaborate, general manager at Linux Foundation Public Health, Dan Kohn, told Business Insider. Developers that want to build an app off these projects can access or download the source code.

These apps take advantage of technology launched by Apple and Google, which can be integrated into any app, that uses Bluetooth on people's smartphones to track who a user has been in close proximity with, without identifying the specific people. If anyone tests positive for COVID-19 and uploads that information to a database run by a local public health authority, any user who has been in close contact with that person will get a notification through their app saying they may have been exposed — again, without identifying who has COVID-19. If someone knows that they may have been exposed, they can either self-quarantine or get tested.

"Essentially we think exposure notification could have a big impact on reducing the overall rate of exposure," Kohn said. An Oxford University study in April said that if about 60% of the population used a contact tracing app, it could grind the diseases spread to a halt. Researchers on the team also found that digital contact tracing can cut down spread even at much lower levels of usage.