The Courts

Grubhub Hit With Lawsuit for Listing Restaurants Without Permission (eater.com) 154

Two restaurants have initiated a potential class-action lawsuit against GrubHub for allegedly listing 150,000 restaurants to its site without the businesses' permission. From a report: The Farmer's Wife in Sebastopol, California and Antonia's Restaurant in Hillsborough, NC filed the suit with Gibbs Law Group, accusing Grubhub of adding their restaurants to its site despite not entering into a partnership, which causes "significant damage to their hard-earned reputations, loss of control over their customers' dining experiences, loss of control over their online presence, and reduced consumer demand for their services." Grubhub has explicitly made this false partnership part of their business strategy. Last October, CEO Matt Maloney said the company would be piloting a new initiative of adding more restaurants to its searchable database without entering into an official partnership with them, so customers would believe they had more delivery options with Grubhub, and wouldn't switch to competitors.

It works like this: if you happened to order from a non-partnered restaurant, "the order doesn't go directly to the restaurant," says the lawsuit. "It goes instead to a Grubhub driver, who must first figure out how to contact the restaurant and place the order. Sometimes it's possible to place orders with the restaurant by phone, but other times the restaurant will only accept orders in person. The extra steps often lead to mistakes in customers' orders and often the restaurant won't receive the order at all." Grubhub also wouldn't warn restaurants before they were listed, which led to restaurants suddenly being inundated with Grubhub orders they never expected. Often, Grubhub would list outdated menus with the wrong prices, or include restaurants that don't even offer take-out, leading to canceled orders. The lawsuit includes screenshots from the pages Grubhub created for The Farmer's Wife and Antonia's, using their respective names and logos. The Farmer's Wife alleges the pages are "inaccurate and suggests that The Farmer's Wife is offering to make food that it does not actually make and has never made," which the lawsuit claims hurts the restaurant's reputation, and leads customers to become frustrated with service the restaurant never agreed to provide in the first place. And both restaurants say the language Grubhub uses suggests a partnership that doesn't exist, and in Antonia's case, was actively declined when Grubhub approached them.
Further reading: Even If You're Trying To Avoid Grubhub By Calling Your Favorite Restaurant Directly, Grubhub Could Still Be Charging It A Fee; Meal-Delivery Company GrubHub is Buying Thousands of Restaurant Web Addresses, Preventing Mom and Pop From Owning Their Slice of Internet.
Privacy

CBP Refuses To Tell Congress How It's Tracking Americans Without a Warrant (vice.com) 72

An anonymous reader quotes a report from Motherboard: U.S. Customs and Border Protection is refusing to tell Congress what legal authority the agency is following to use commercially bought location data to track Americans without a warrant, according to the office of Senator Ron Wyden. The agency is buying location data from Americans all over the country, not just in border areas. The lack of disclosure around why CBP believes it does not need a warrant to use the data, as well as the Department of Homeland Security not publishing a Privacy Impact Assessment on the use of such location information, has spurred Wyden and Senators Elizabeth Warren, Sherrod Brown, Ed Markey, and Brian Schatz on Friday to ask the DHS Office of the Inspector General (DHS OIG) to investigate CBP's warrantless domestic surveillance of phones, and determine if CBP is breaking the law or engaging in abusive practices.

The news highlights the increased use of app location data by U.S. government agencies. Various services take location data which is harvested from ordinary apps installed on people's phones around the world, repackage that, and sell access to law enforcement agencies so they can try to track groups of people or individuals. In this case, CBP has bought the location data from a firm called Venntel. "CBP officials confirmed to Senate staff that the agency is using Venntel's location database to search for information collected from phones in the United States without any kind of court order," the letter signed by Wyden and Warren, and addressed to the DHS OIG, reads. "CBP outrageously asserted that its legal analysis is privileged and therefore does not have to be shared with Congress. We disagree." As well as not obtaining court orders to query the data, CBP said it's not restricting its personnel to only using it near the border, the Wyden aide added. CBP is unable to tell what nationality a particular person is based only on the information provided by Venntel; but what the agency does know is that the Venntel data the agency is using includes the movements of people inside the United States, the Wyden aide said.

AI

Activists Turn Facial Recognition Tools Against the Police (nytimes.com) 78

An anonymous reader quotes a report from The New York Times: In early September, the City Council in Portland, Ore., met virtually to consider sweeping legislation outlawing the use of facial recognition technology. The bills would not only bar the police from using it to unmask protesters and individuals captured in surveillance imagery; they would also prevent companies and a variety of other organizations from using the software to identify an unknown person. During the time for public comments, a local man, Christopher Howell, said he had concerns about a blanket ban. He gave a surprising reason. "I am involved with developing facial recognition to in fact use on Portland police officers, since they are not identifying themselves to the public," Mr. Howell said. Over the summer, with the city seized by demonstrations against police violence, leaders of the department had told uniformed officers that they could tape over their name. Mr. Howell wanted to know: Would his use of facial recognition technology become illegal?

Portland's mayor, Ted Wheeler, told Mr. Howell that his project was "a little creepy," but a lawyer for the city clarified that the bills would not apply to individuals. The Council then passed the legislation in a unanimous vote. Mr. Howell was offended by Mr. Wheeler's characterization of his project but relieved he could keep working on it. "There's a lot of excessive force here in Portland," he said in a phone interview. "Knowing who the officers are seems like a baseline." Mr. Howell, 42, is a lifelong protester and self-taught coder; in graduate school, he started working with neural net technology, an artificial intelligence that learns to make decisions from data it is fed, such as images. He said that the police had tear-gassed him during a midday protest in June, and that he had begun researching how to build a facial recognition product that could defeat officers' attempts to shield their identity. Mr. Howell is not alone in his pursuit. Law enforcement has used facial recognition to identify criminals, using photos from government databases or, through a company called Clearview AI, from the public internet. But now activists around the world are turning the process around and developing tools that can unmask law enforcement in cases of misconduct.
The report also mentions a few other projects around the world that are using facial recognition tools against the police.

An online exhibit called "Capture" was created by artist Paolo Cirio and includes photos of 4,000 faces of French police officers. It's currently down because France's interior minister threatened legal action against Mr. Cirio, but he hopes to republish them.

Andrew Maximov, a technologist from Belarus, uploaded a video to YouTube that demonstrated how facial recognition technology could be used to digitally strip away masks from police officers.

The report also notes that older attempts to identify police officers have relied on crowdsourcing. For example, news service ProPublica asks readers to identify officers in a series of videos of police violence. There's also OpenOversight, a "public searchable database of law enforcement officers" that asks people to upload photos of uniformed officers and match them to the officers' names or badge numbers.
Science

Do the Faces of People In Long-Term Relationships Start To Look the Same? (theguardian.com) 73

An anonymous reader quotes a report from The Guardian: Working with her Stanford colleague, Michal Kosinski, [Pin Pin Tea-makorn, a PhD student at Stanford] scoured Google, newspaper anniversary notices and genealogy websites for photos of couples taken at the start of their marriages and many years later. From these they compiled a database of pictures from 517 couples, taken within two years of tying the knot and between 20 and 69 years later. To test whether couples' faces grew alike over time, the researchers showed volunteers a photo of a "target" person accompanied by six other faces, one being their spouse, with the other five faces selected at random. The volunteers were then asked to rank how similar each of the six faces were to the target individual. The same task was then performed by cutting-edge facial recognition software.

In the original study in 1987, the late psychologist Robert Zajonc, at the University of Michigan, had volunteers rank the photos of only a dozen couples. He concluded that couples' faces became more alike as their marriages went on, with the effect being greater the happier they were. The explanation, psychologists have argued, is that sharing lives shapes people's faces, with diet, lifestyle, time outdoors, and laughter lines all having a part to play. However, writing in Scientific Reports, Tea-makorn and Kosinski describe how they found no evidence for couples looking more alike as time passed. They did, however, look more alike than random pairs of people at the start of their relationship. Tea-makorn said people may seek out similar-looking partners, just as they look for mates with matching values and personalities.

Security

America's 'Cyber Command' Is Trying to Disrupt the World's Largest Botnet (krebsonsecurity.com) 37

The Washington Post reports: In recent weeks, the U.S. military has mounted an operation to temporarily disrupt what is described as the world's largest botnet — one used also to drop ransomware, which officials say is one of the top threats to the 2020 election.

U.S. Cyber Command's campaign against the Trickbot botnet, an army of at least 1 million hijacked computers run by Russian-speaking criminals, is not expected to permanently dismantle the network, said four U.S. officials, who spoke on the condition of anonymity because of the matter's sensitivity. But it is one way to distract them at least for a while as they seek to restore operations.

U.S. Cyber Command also "stuffed millions of bogus records about new victims into the Trickbot database — apparently to confuse or stymie the botnet's operators," reports security researcher Brian Krebs: Alex Holden, chief information security officer and president of Milwaukee-based Hold Security, has been monitoring Trickbot activity before and after the 10-day operation. Holden said while the attack on Trickbot appears to have cut its operators off from a large number of victim computers, the bad guys still have passwords, financial data and reams of other sensitive information stolen from more than 2.7 million systems around the world. Holden said the Trickbot operators have begun rebuilding their botnet, and continue to engage in deploying ransomware at new targets. "They are running normally and their ransomware operations are pretty much back in full swing," Holden said. "They are not slowing down because they still have a great deal of stolen data."

Holden added that since news of the disruption first broke a week ago, the Russian-speaking cybercriminals behind Trickbot have been discussing how to recoup their losses, and have been toying with the idea of massively increasing the amount of money demanded from future ransomware victims.

Earth

The World's First Carbon Dioxide Removal Law Database 15

Today, researchers at Columbia University launched the world's first database of carbon dioxide removal laws, providing an annotated bibliography of legal materials related to carbon dioxide removal and carbon sequestration and use. It is publicly available at cdrlaw.org. Phys.Org reports: The site has 530 resources on legal issues related to carbon dioxide removal, including such techniques as: direct air capture; enhanced weathering; afforestation/reforestation; bioenergy with carbon capture and storage; biochar; ocean and coastal carbon dioxide removal; ocean iron fertilization; and soil carbon sequestration. The database also includes 239 legal resources on carbon capture and storage, utilization, and transportation. New resources are constantly being added.

This site was created by the Sabin Center for Climate Change Law at Columbia Law School, in cooperation with the Carbon Management Research Initiative at the Center on Global Energy Policy at Columbia's School of International and Public Affairs. Generous financial support was provided by the ClimateWorks Foundation and the Earth Institute at Columbia University. The Sabin Center is also undertaking a series of white papers with in-depth examinations of the legal issues in particular carbon dioxide removal technologies. The first of these, "The Law of Enhanced Weathering for Carbon Dioxide Removal," by Romany M. Webb, has just been released.
Privacy

DHS Admits Facial Recognition Photos Were Hacked, Released On Dark Web (vice.com) 22

An anonymous reader quotes a report from Motherboard: The Department of Homeland Security (DHS) finally acknowledged Wednesday that photos that were part of a facial recognition pilot program were hacked from a Customs and Border Control subcontractor and were leaked on the dark web last year. Among the data, which was collected by a company called Perceptics, was a trove of travelers' faces, license plates, and car information. The information made its way to the Dark Web, despite DHS claiming it hadn't. In a newly released report about the incident, the DHS Office of Inspector General admitted that 184,000 images were stolen and at least 19 of them were posted to the Dark Web.

"CBP did not adequately safeguard sensitive data on an unencrypted device used during its facial recognition technology pilot," the report found. "This incident may damage the public's trust in the Government's ability to safeguard biometric data and may result in travelers' reluctance to permit DHS to capture and use their biometrics at U.S. ports of entry." According to the new report, DHS's biometric database "contains the biometric data repository of more than 250 million people and can process more than 300,000 biometric transactions per day. It is the largest biometric repository in the Federal Government, and DHS shares this repository with the Department of Justice and the Department of Defense." "A subcontractor working on this effort, Perceptics, LLC, transferred copies of CBP's biometric data, such as traveler images, to its own company network," the report found.
"The DHS OIG made several recommendations in its report that all boil down to 'tighten up security and make sure this doesn't happen again,'" the report adds.
Australia

Chinese Intelligence Compiles 'Vast Database' About Millions Around the World (abc.net.au) 75

Australia's national public broadcaster ABC reports: A Chinese company with links to Beijing's military and intelligence networks has been amassing a vast database of detailed personal information on thousands of Australians, including prominent and influential figures. A database of 2.4 million people, including more than 35,000 Australians, has been leaked from the Shenzhen company Zhenhua Data which is believed to be used by China's intelligence service, the Ministry of State Security. Zhenhua has the People's Liberation Army and the Chinese Communist Party among its main clients.

Information collected includes dates of birth, addresses, marital status, along with photographs, political associations, relatives and social media IDs. It collates Twitter, Facebook, LinkedIn, Instagram and even TikTok accounts, as well as news stories, criminal records and corporate misdemeanours. While much of the information has been "scraped," some profiles have information which appears to have been sourced from confidential bank records, job applications and psychological profiles.

The company is believed to have sourced some of its information from the so-called "dark web". One intelligence analyst said the database was "Cambridge Analytica on steroids", referring to the trove of personal information sourced from Facebook profiles in the lead up to the 2016 US election campaign. But this data dump goes much further, suggesting a complex global operation using artificial intelligence to trawl publicly available data to create intricate profiles of individuals and organisations, potentially probing for compromise opportunities.

Zhenhua Data's chief executive Wang Xuefeng, a former IBM employee, has used Chinese social media app WeChat to endorse waging "hybrid warfare" through manipulation of public opinion and "psychological warfare"....

The database was leaked to a US academic, who worked with Canberra cyber security company Internet 2.0 and "was able to restore 10 per cent of the 2.4 million records for individuals...

"Of the 250,000 records recovered, there are 52,000 on Americans, 35,000 Australians, 10,000 Indian, 9,700 British, 5,000 Canadians, 2,100 Indonesians, 1,400 Malaysia and 138 from Papua New Guinea."
Businesses

The 'Brushing' Scam That's Behind Mystery Parcels (bbc.com) 142

If you've ever received a parcel from a shopping platform that you didn't order, and nobody you know seems to have bought it for you, you might have been caught up in a "brushing" scam. From a report: It has hit the headlines after thousands of Americans received unsolicited packets of seeds in the mail, but it is not new. It's an illicit way for sellers to get reviews for their products. And it doesn't mean your account has been hacked. Here's an example of how it works: let's say I set myself up as a seller on Amazon, for my product, Kleinman Candles, which cost $3 each. I then set up a load of fake accounts, and I find random names and addresses either from publicly available information or from a leaked database that's doing the rounds from a previous data breach. I order Kleinman Candles from my fake accounts and have them delivered to the addresses I have found, with no information about where they have been sent from. I then leave positive reviews for Kleinman Candles from each fake account -- which has genuinely made a purchase.

This way my candle shop page gets filled with glowing reviews (sorry), my sales figures give me an algorithmic popularity boost as a credible merchant -- and nobody knows that the only person buying and reviewing my candles is myself. It tends to happen with low-cost products, including cheap electronics. It's more a case of fake marketing than cyber-crime, but "brushing" and fake reviews are against Amazon's policies. Campaign group Which? advises that you inform the platform they are sent by of any unsolicited goods.

Transportation

How a White-Hat Hacker Once Gained Control of Tesla's Entire Fleet (electrek.co) 42

"A few years ago, a hacker managed to exploit vulnerabilities in Tesla's servers to gain access and control over the automaker's entire fleet," remembers Electrek (in a story shared by long-time Slashdot reader AmiMoJo).

Tesla enthusiast Jason Hughes had already received a $5,000 bug bounty for reporting a vulnerability, but "knowing that their network wasn't the most secure, to say the least, he decided to go hunting for more bug bounties." After some poking around, he managed to find a bunch of small vulnerabilities. The hacker told Electrek, "I realized a few of these things could be chained together, the official term is a bug chain, to gain more access to other things on their network. Eventually, I managed to access a sort of repository of server images on their network, one of which was 'Mothership'." Mothership is the name of Tesla's home server used to communicate with its customer fleet.

Any kind of remote commands or diagnostic information from the car to Tesla goes through "Mothership." After downloading and dissecting the data found in the repository, Hughes started using his car's VPN connection to poke at Mothership. He eventually landed on a developer network connection. That's when he found a bug in Mothership itself that enabled him to authenticate as if it was coming from any car in Tesla's fleet.

All he needed was a vehicle's VIN number, and he had access to all of those through Tesla's "tesladex" database thanks to his complete control of Mothership, and he could get information about any car in the fleet and even send commands to those cars.

Last week Hughes released an annotated version of the bug report he'd submitted to Tesla. "Hughes couldn't really send Tesla cars driving around everywhere..." reports Electrek, "but he could 'Summon' them..." Tesla gave him a special $50,000 bug report reward — several times higher than their usual maximum — and "used the information provided by Hughes to secure its network."

Electrek calls it "a good example of the importance of whitehat hackers."
AI

Clearview AI CEO Says 'Over 2,400 Police Agencies' Are Using Its Facial Recognition Software (theverge.com) 14

More than 2,400 police agencies have entered contracts with Clearview AI, a controversial facial recognition firm, according to comments made by Clearview AI CEO Hoan Ton-That in an interview with Jason Calacanis on YouTube. The Verge reports: The hour-long interview references an investigation by The New York Times published in January, which detailed how Clearview AI scraped data from sites including Facebook, YouTube, and Venmo to build its database. The scale of that database and the methods used to construct it were already controversial before the summer of protests against police violence. "It's an honor to be at the center of the debate now and talk about privacy," Ton-That says in the interview, going on to call the Times investigation "actually extremely fair." "Since then, there's been a lot of controversy, but fundamentally, this is such a great tool for society," Ton-That says.

Ton-That also gave a few more details on how the business runs. Clearview is paid depending on how many licenses a client adds, among other factors, but Ton-That describes the licenses as "pretty inexpensive, compared to what's come previously" in his interview. Ton-That ballparks Clearview's fees as $2,000 a year for each officer with access. According to Ton-That, Clearview AI is primarily used by detectives.
AI

Are We Ready for Driverless Trucks? (cbsnews.com) 313

Two million truckers move 70% of America's goods. But hundreds of thousands of their jobs could be disrupted away, reports Jon Wertheim on the CBS news show 60 Minutes, in "a high-stakes, high-speed race pitting the usual suspects — Google and Tesla and other global tech firms — against small start-ups smelling opportunity."

One of those startups is TuSimple, and their company's chief product officer points out that an AI driving system never gets distracted or falls asleep at the wheel: Chuck Price has unshakable confidence in the reliability of the technology; as do some of the biggest names in shipping: UPS, Amazon and the U.S. Postal Service ship freight with TuSimple trucks. All in, each unit costs more than a quarter million dollars. Not a great expense, considering it's designed to eliminate the annual salary of a driver; currently around $45,000. Another savings: the driverless truck can get coast-to-coast in two days, not four, stopping only to refuel — though a human still has to do that...

Jon Wertheim: How far are we from being able to pick up the specific cars that are passing us? "Oh, that's Joe from New Jersey with six points on his license."

Chuck Price: We can read license plates. So if there was an accessible database for something like that, we could...

Test Driver Maureen Fitzgerald: This truck is scanning mirrors, looking 1,000 meters out. It's processing all the things that my brain could never do and it can react 15 times faster than I could.

Most of her two million fellow truckers are less enthusiastic. Automated trucking threatens to jack-knife an entire $800 billion industry. Trucking is among the most common jobs for Americans without a college education.... Sam Loesche represents 600,000 truckers for the Teamsters. He's concerned that federal, state and local governments have only limited access to the driverless technology.

Sam Loesche: A lot of this information, understandably, is proprietary. Tech companies wanna keep, you know, their algorithms and their safety data — secret until they can kinda get it right. The problem is that, in the meantime, they're testing this technology on public roads. They're testing it next to you as you drive down the road...

Piracy

Anti-Piracy Outfit Hires VPN Expert To Help Track Down The Pirate Bay (torrentfreak.com) 67

Movie companies and their anti-piracy partners are pressing ahead with their legal action to track down The Pirate Bay. The site reportedly used VPN provider OVPN, which carries no logs, but a security expert -- one that regularly penetration tests several major VPN providers -- believes that information about the notorious site could still be obtained. TorrentFreak reports: After a period of what seemed like calm, this year it became clear that the site's old enemies, Swedish anti-piracy group Rights Alliance, were again working to get closer to the site and its operators. We've covered the back story in detail but in summary, the site is alleged to have used Swedish VPN provider OVPN to hide its true location and Rights Alliance is now engaged in legal action to get its hands on whatever information the VPN provider may hold. The most recent move, playing out this week, is that Rights Alliance has provided testimony from an expert witness, one that has masses of experience in the VPN field.

The name 'Cure53' may not sound familiar to regular Internet users but the cyber-security company is well known for its first-class abilities in penetration testing. So much so, in fact, that the company has audited some of the most popular VPN providers in the world, including Mullvad, Surfshark, and TunnelBear. Given its experience in the field, it's no surprise that Rights Alliance has also sought the expert opinion of someone involved in Cure 53 to assess this VPN-related matter. Importantly, there doesn't appear to be any conflict of interest here, since the conclusions drawn are purely technical in nature and rely on experience and general facts, something we will touch on later. The expert opinion, which appeared in court documents reviewed by TorrentFreak this week, is from Jesper Larsson, who works at security company Ox4a but is involved with Cure 53 where he "regularly" performs penetration tests against the "ten largest VPN Providers in the world." His testimony reveals that he has been commissioned by Sara Lindback of Rights Alliance to comment on how a VPN service works and specifically, what information might potentially be stored at OVPN in relation to The Pirate Bay.

"It is clear on OVPN's website that it strives to protect its users' privacy by storing as little user data as possible in their databases," the testimony filed with the court and obtained by TorrentFreak reads. "Although [OVPN] strive to store as little data as possible, there must be data connecting users and identities to make the VPN service work. In this case, a user has paid for a VPN account with the ability to connect a public static address to OVPN which the user has then chosen to link to the file sharing site 'the piratebay,' i.e. the user has configured his VPN account to point to the given domain." [...] "For this type of configuration to be possible, data about the configuration must be stored at OVPN at least during the time when the account is active," Larsson continues. "It should be considered extremely likely that the user or identity associated with the above configuration is stored in a user database where a given user can be connected to the VPN configuration, configuration regarding where the static IP address should be pointed to, and payment information that should describe how long a given account is active and which payment method the user has used. OVPN should thus be able to search its VPN servers for the given IP address, or alternatively search in their user databases or in backups of these to locate a given user or identity," the security expert adds.

Privacy

235 Million Instagram, TikTok and YouTube User Profiles Exposed In Massive Data Leak (forbes.com) 19

An anonymous reader quotes a report from Forbes: The security research team at Comparitech today disclosed how an unsecured database left almost 235 million Instagram, TikTok and YouTube user profiles exposed online in what can only be described as a massive data leak. The data was spread across several datasets; the most significant being two coming in at just under 100 million each and containing profile records apparently scraped from Instagram. The third-largest was a dataset of some 42 million TikTok users, followed by just under 4 million YouTube user profiles.

Comparitech says that, based on the samples it collected, one in five records contained either a telephone number or email address. Every record also included at least some, sometimes all, the following information: Profile name; Full real name; Profile photo; and Account description. Statistics about follower engagement, including: Number of followers; Engagement rate; Follower growth rate; Audience gender; Audience age; Audience location; Likes; Last post timestamp; Age; and Gender. "The information would probably be most valuable to spammers and cybercriminals running phishing campaigns," Paul Bischoff, Comparitech editor, says. "Even though the data is publicly accessible, the fact that it was leaked in aggregate as a well-structured database makes it much more valuable than each profile would be in isolation," Bischoff adds. Indeed, Bischoff told me that it would be easy for a bot to use the database to post targeted spam comments on any Instagram profile matching criteria such as gender, age or number of followers.
The data appeared to have originated from a company called Deep Social, which was banned by both Facebook and Instagram in 2018 after scraping user profile data. The company was wound down sometime after this.

The researchers reached out to Deep Social, which then forwarded the disclosure to a Hong Kong-registered social media influencer data-marketing company called Social Data. Social Data shut down the database about three hours after the researchers' initial email. "Social Data has denied any connection between itself and Deep Social," reports Forbes, citing Comparitech.
Programming

'Real' Programming Is an Elitist Myth (wired.com) 283

When people build a database to manage reading lists or feed their neighbors, that's coding -- and culture. From an essay: We are past the New York City Covid-19 peak. Things have started to reopen, but our neighborhood is in trouble, and people are hungry. There's a church that's opened space for a food pantry, a restaurant owner who has given herself to feeding the neighborhood, and lots of volunteers. [...] It's a complex data model. It involves date fields, text fields, integers, notes. You need lots of people to log in, but you need to protect private data too. You'd think their planning conversations would be about making lots of rice. But that is just a data point. The tool the mutual aid group has settled on to track everything is Airtable, a database-as-a-service program. You log in and there's your database. There are a host of tools like this now, "low-code" or "no-code" software with names like Zapier or Coda or Appy Pie. At first glance these tools look like flowcharts married to spreadsheets, but they're powerful ways to build little data-management apps. Airtable in particular keeps showing up everywhere for managing office supplies or scheduling appointments or tracking who at WIRED has their fingers on this column. The more features you use, the more they charge for it, and it can add up quickly. I know because I see the invoices at my company; we use it to track projects.

"Real" coders in my experience have often sneered at this kind of software, even back when it was just FileMaker and Microsoft Access managing the flower shop or tracking the cats at the animal shelter. It's not hard to see why. These tools are just databases with a form-making interface on top, and with no code in between. It reduces software development, in all its complexity and immense profitability, to a set of simple data types and form elements. You wouldn't build a banking system in it or a game. It lacks the features of big, grown-up databases like Oracle or IBM's Db2 or PostgreSQL. And since it is for amateurs, the end result ends up looking amateur. But it sure does work. I've noticed that when software lets nonprogrammers do programmer things, it makes the programmers nervous. Suddenly they stop smiling indulgently and start talking about what "real programming" is. This has been the history of the World Wide Web, for example. Go ahead and tweet "HTML is real programming," and watch programmers show up in your mentions to go, "As if." Except when you write a web page in HTML, you are creating a data model that will be interpreted by the browser. This is what programming is. Code culture can be solipsistic and exhausting. Programmers fight over semicolon placement and the right way to be object-oriented or functional or whatever else will let them feel in control and smarter and more economically safe, and always I want to shout back: Code isn't enough on its own. We throw code away when it runs out its clock; we migrate data to new databases, so as not to lose one precious bit. Code is a story we tell about data.

Security

Pen Test Partners: Boeing 747s Receive Critical Software Updates Over 3.5" Floppy Disks (theregister.com) 113

Boeing 747-400s still use floppy disks for loading critical navigation databases, Pen Test Partners has revealed to the infosec community after poking about one of the recently abandoned aircraft. From a report: The eye-catching factoid emerged during a DEF CON video interview of PTP's Alex Lomas, where the man himself gave a walkthrough of a 747-400, its avionics bay and the flight deck. Although airliners are not normally available to curious infosec researchers, a certain UK-based Big Airline's decision to scrap its B744 fleet gave Pen Test Partners a unique opportunity to get aboard one and have a poke about before the scrap merchants set about their grim task.

"Aircraft themselves are really expensive beasts, you know," said Lomas as he filmed inside the big Boeing. "Even if you had all the will in the world, airlines and manufacturers won't just let you pentest an aircraft because [they] don't know what state you're going to leave it in." While giving a tour of the aircraft on video, Lomas pointed out the navigation database loader.

Intel

Will We Someday Write Code Just By Describing It? (zdnet.com) 158

Using millions of programs in online repositories, Intel, Georgia Tech, and MIT researchers created a tool called MISIM (Machine Inferred code Similarity) with a database of code scored by the similarity of its outcomes to suggest alternatives (and corrections) to programmers.

The hope is "to aid developers with nitty-gritty choices like 'what is the most efficient way to use this API' or 'how can I correctly validate this input'," Ryan Marcus, scientist at Intel Labs, told ZDNet. "This should give engineers a lot more time to focus on the elements of their job that actually create a real-world impact..." Justin Gottschlich, the lead for Intel's "machine programming" research team, told ZDNet that as software development becomes ever-more complex, MISIM could have a great impact on productivity. "The rate at which we're introducing senior developers is not on track to match the pace at which we're introducing new chip architectures and software complexity," he said. "With today's heterogeneous hardware — CPUs, GPUs, FPGAs, ASICs, neuromorphic and, soon, quantum chips — it will become difficult, perhaps impossible, to find developers who can correctly, efficiently, and securely program across all of that hardware."

But the long-term goal of machine programming goes even further than assisting software development as it stands today. After all, if a technology can assess intent and come up with relevant snippets of code in response, it doesn't seem far-fetched to imagine that the algorithm could one day be used by any member of the general public with a good software idea. Combined with natural language processing, for example, MISIM could in theory react to verbal clues to one day let people write programs simply by describing them. In other words, an Alexa of sorts, but for software development.

Gottschlich explained that software creation is currently limited to the 27 million people around the world who can code. It is machine programming's ultimate goal to expand that number and one day, let people express their ideas in some other fashion than code — be it natural language, visual diagrams or even gestures.

Intel currently plans to use the new tool internally.

Government

Government's PACER Fees Are Too High, Federal Circuit Says (bloomberglaw.com) 17

An anonymous reader quotes a report from Bloomberg Law: The U.S. government charges too much for access to an electronic database of federal court records, the Federal Circuit ruled in a decision curbing a revenue stream the court system uses to help fund other programs. The U.S. Court of Appeals for the Federal Circuit affirmed a lower court's decision that the government was not authorized under federal law to spend $192 million in Public Access to Court Records system fees on court technology projects. The lower court "got it just right" when it limited the government's use of PACER revenues to the costs of operating the system, the court said in a precedential opinion Thursday.

"We agree with plaintiffs and amici that the First Amendment stakes here are high," the court said. But it said it doesn't foresee the lower court's interpretation "as resulting in a level of user fees that will significantly impede public access to courts." The ruling is a win for public access to court information, as PACER fees will go down if the ruling withstands a possible government appeal. But access still won't be free, despite calls for the government to stop charging for it. The Federal Circuit said it was up to Congress to decide whether to require free access. Challengers said PACER fees were too high, while the government said the middle ground reached by the lower court made the fees too low. Fees for downloading a copy of a filing run 10 cents per page, up to $3 per document. The Administrative Office of the U.S. Courts collected more than $145 million in fees in 2014 alone, according to the complaint in the case. Under a 2020 change to the fee waiver rules, about 75% of users pay nothing each quarter.

Security

LastPass Will Warn You If Your Passwords Show Up On the Dark Web (engadget.com) 34

LastPass is updating its Security Dashboard with a feature that provides an overview of all your accounts, highlighting any passwords that could pose a security risk. The password manager is also introducing dark web monitoring, although it will require you to be a paid LastPass subscriber. Engadget reports: If you already use LastPass and the Security Dashboard sounds familiar, it's because it builds on the Security Challenge functionality LastPass developer LogMeIn added in 2010. As before, grading is a major aspect of the interface. When you first navigate to the Security Dashboard, you'll see a score of all your logins, followed by a breakdown of passwords that are either old, inactive, weak or reused. You can click or tap on a problematic password to change it, and LastPass will automatically take you to the webpage where you can update your login information. LogMeIn hasn't changed how the app calculates the overall score it gives to each user. But one significant improvement the Security Dashboard brings over the Security Challenge is that you don't need to manually run it each time you want to see the security of your online accounts. The score and steps you can take to improve your online security are there each time you visit that part of the software's interface.

With today's update, LogMeIn is also introducing dark web monitoring. When you enable the feature, LastPass will proactively check your online accounts against Enzoic's compromised credentials database. If it detects an issue, it will notify you through both email and the app. Dark web monitoring is available to LastPass Premium, Family and Business subscribers. The dashboard, by contrast, is available to all LastPass users.

China

Will China's AI Surveillance State Go Global? (theatlantic.com) 109

China already has hundreds of millions of surveillance cameras in place, reports the Atlantic's deputy editor, and "because a new regulation requires telecom firms to scan the face of anyone who signs up for cellphone services, phones' data can now be attached to a specific person's face."

But the article also warns that when it comes to AI-powered surveillance, China "could also export it beyond the country's borders, entrenching the power of a whole generation of autocrats" and "shift the balance of power between the individual and the state worldwide..." The country is now the world's leading seller of AI-powered surveillance equipment.... China uses "predatory lending to sell telecommunications equipment at a significant discount to developing countries, which then puts China in a position to control those networks and their data," Michael Kratsios, America's CTO, told me. When countries need to refinance the terms of their loans, China can make network access part of the deal, in the same way that its military secures base rights at foreign ports it finances. "If you give [China] unfettered access to data networks around the world, that could be a serious problem," Kratsios said...

Having set up beachheads* in Asia, Europe, and Africa, China's AI companies are now pushing into Latin America, a region the Chinese government describes as a "core economic interest." China financed Ecuador's $240 million purchase of a surveillance-camera system. Bolivia, too, has bought surveillance equipment with help from a loan from Beijing. Venezuela recently debuted a new national ID-card system that logs citizens' political affiliations in a database built by ZTE.

* The article provides these additional examples:
  • In Malaysia, the government is working with Yitu, a Chinese AI start-up, to bring facial-recognition technology to Kuala Lumpur's police...
  • Chinese companies also bid to outfit every one of Singapore's 110,000 lampposts with facial-recognition cameras.
  • In South Asia, the Chinese government has supplied surveillance equipment to Sri Lanka.
  • On the old Silk Road, the Chinese company Dahua is lining the streets of Mongolia's capital with AI-assisted surveillance cameras.
  • In Serbia, Huawei is helping set up a "safe-city system," complete with facial-recognition cameras and joint patrols conducted by Serbian and Chinese police aimed at helping Chinese tourists to feel safe.
  • Kenya, Uganda, and Mauritius are outfitting major cities with Chinese-made surveillance networks...
