AI

In China, Some Teachers Are Using AI To Grade Homework (scmp.com) 58

A Beijing-based online education start-up has developed an artificial intelligence-powered maths app that can check children's arithmetic problems through the simple snap of a photo. Based on the image and its internal database, the app automatically checks whether the answers are right or wrong. From a report: Known as Xiaoyuan Kousuan, the free app launched by the Tencent Holdings-backed online education firm Yuanfudao, has gained increasing popularity in China since its launch a year ago and claims to have checked an average of 70 million arithmetic problems per day, saving users around 40,000 hours of time in total. Yuanfudao is also trying to build the country's biggest education-related database generated from the everyday experiences of real students. Using this, the six-year-old company -- which has a long line of big-name investors including Warburg Pincus, IDG Capital and Matrix Partners China -- aims to reinvent how children are taught in China. "By checking nearly 100 million problems every day, we have developed a deep understanding of the kind of mistakes students make when facing certain problems," said Li Xin, co-founder of Yuanfudao -- which means "ape tutor" in Chinese -- in a recent interview. "The data gathered through the app can serve as a pillar for us to provide better online education courses."

Software

An AI Is Playing Pictionary To Figure Out How the World Works (technologyreview.com) 31

Researchers at the Allen Institute for AI (Ai2) believe that Pictionary could push machine intelligence beyond its current limits. To that end, they have devised an online version of the game that pairs a human player with an AI program. MIT Technology Review reports: In case you've never played it before, Pictionary involves trying to draw an image that conveys a written word or phrase for your teammates to guess. This tests a person's drawing skills but also the ability to convey complex meaning using simple concepts. Given the phrase "wedding ring," for example, a player might try to draw the object itself but also a bride and groom or a wedding ceremony.

That makes it the perfect vehicle to help teach machines. The team developed an online version of the game, called Iconary, that pairs a user with an AI bot called AllenAI. Both take turns as the artist and the guesser. Playing as artist, a user is given a phrase and then has to sketch things to convey it. The sketches are first turned into clip-art icons using computer vision; then the computer program tries to guess the phrase using a database of words and concepts and the relationship between them. If the program gets only part of the phrase, it will ask for another image to clarify. The AI program uses a combination of AI techniques to draw and guess. Over time, by playing against enough people, AllenAI should learn from their common-sense understanding of how concepts (like "books" and "pages") go together in everyday life, Fahadi says. It will also help the researchers explore ways for humans and machines to communicate and collaborate more effectively.

Security

Chrome Can Tell You if Your Passwords Have Been Compromised (engadget.com) 90

An anonymous reader shares a report: Given the frequency of hacks and data leaks these days, chances are good at least one of your passwords has been released to the wild. A new Chrome extension released by Google today makes it a little easier to stay on top of that: Once installed, Password Checkup will simply sit in your Chrome browser and alert you if you enter a username / password combination that Google "knows to be unsafe." The company says it has a database of 4 billion credentials that have been compromised in various data breaches that it can check against. When the extension detects an insecure password, it'll prompt you with a big red dialog box to immediately update your info. It's handy, but users might wonder exactly what Google can see -- to that end, Google says that the extension "never reveal[s] this personal information."

Government

The Kremlin's Remote-Access Credentials Left Thousands Of Businesses Exposed For Years (zdnet.com) 54

A Dutch security researcher says he found credentials for the Russian government's backdoor account for accessing servers of businesses operating in Russia, ZDNet reports: The researcher says that after his initial finding, he later found the same "admin@kremlin.ru" account on over 2,000 other MongoDB databases that had been left exposed online, all belonging to local and foreign businesses operating in Russia. Examples include databases belonging to local banks, financial institutions, big telcos, and even Disney Russia.... "The first time I saw these credentials was in the user table of a Russian Lotto website," Victor Gevers told ZDNet in an interview Monday. "I had to do some digging to understand that the Kremlin requires remote access to systems that handle financial transactions....

"All the systems this password was on were already fully accessible to anyone," Gevers said. "The MongoDB databases were deployed with default settings. So anyone without authentication had CRUD [Create, Read, Update and Delete] access."

"It took a lot of time and also many attempts to contact and warn the Kremlin about this issue," the researcher added -- specifically, three years, five months and 15 days. The Kremlin reused the same credentials "everywhere," reports IT News, "leaving a large number of businesses open to access from the internet."

Long-time Slashdot reader Bismillah calls it "an illustration of the dangers of giving governments backdoors into systems and networks."
Privacy

One of the Biggest At-Home DNA Testing Companies Is Working With the FBI (buzzfeednews.com) 106

An anonymous reader quotes a report from BuzzFeed News: Family Tree DNA, one of the largest private genetic testing companies whose home-testing kits enable people to trace their ancestry and locate relatives, is working with the FBI and allowing agents to search its vast genealogy database in an effort to solve violent crime cases, BuzzFeed News has learned. Federal and local law enforcement have used public genealogy databases for more than two years to solve cold cases, including the landmark capture of the suspected Golden State Killer, but the cooperation with Family Tree DNA and the FBI marks the first time a private firm has agreed to voluntarily allow law enforcement access to its database. While the FBI does not have the ability to freely browse genetic profiles in the library, the move is sure to raise privacy concerns about law enforcement gaining the ability to look for DNA matches, or more likely, relatives linked by uploaded user data.

The Houston-based company, which touts itself as a pioneer in the genetic testing industry and the first to offer a direct-to-consumer test kit, disclosed its relationship with the FBI to BuzzFeed News on Thursday, saying in a statement that allowing access "would help law enforcement agencies solve violent crimes faster than ever." While Family Tree does not have a contract with the FBI, the firm has agreed to test DNA samples and upload the profiles to its database on a case-by-case basis since last fall, a company spokesperson told BuzzFeed News. Its work with the FBI is "a very new development, which started with one case last year and morphed," she said. To date, the company has cooperated with the FBI on fewer than 10 cases. The Family Tree database is free to access and can be used by anyone with a DNA profile to upload, not just paying customers.

Security

Hackers Are Passing Around a Megaleak of 2.2 Billion Records (wired.com) 116

An anonymous reader shares a report: When hackers breached companies like Dropbox and LinkedIn in recent years -- stealing 71 and 117 million passwords, respectively -- they at least had the decency to exploit those stolen credentials in secret, or sell them for thousands of dollars on the dark web. Now, it seems, someone has cobbled together those breached databases and many more into a gargantuan, unprecedented collection of 2.2 billion unique usernames and associated passwords, and is freely distributing them on hacker forums and torrents, throwing out the private data of a significant fraction of humanity like last year's phone book.

Earlier this month, security researcher Troy Hunt identified the first tranche of that mega-dump, named Collection #1 by its anonymous creator, a set of cobbled-together breached databases Hunt said represented 773 million unique usernames and passwords. Now other researchers have obtained and analyzed an additional vast database called Collections #2-5, which amounts to 845 gigabytes of stolen data and 25 billion records in all. After accounting for duplicates, analysts at the Hasso Plattner Institute in Potsdam, Germany, found that the total haul represents close to three times the Collection #1 batch.

Security

India's Largest Bank SBI Leaked Account Data On Millions of Customers (techcrunch.com) 23

An anonymous reader quotes a report from TechCrunch: India's largest bank has secured an unprotected server that allowed anyone to access financial information on millions of its customers, like bank balances and recent transactions. The server, hosted in a regional Mumbai-based data center, stored two months of data from SBI Quick, a text message and call-based system used by customers of the government-owned State Bank of India (SBI), the largest bank in the country and a highly ranked company in the Fortune 500, to request basic information about their bank accounts. But the bank had not protected the server with a password, allowing anyone who knew where to look to access the data on millions of customers.

The passwordless database allowed us to see all of the text messages going to customers in real time, including their phone numbers, bank balances and recent transactions. The database also contained the customer's partial bank account number. Some would say when a check had been cashed, and many of the bank's sent messages included a link to download SBI's YONO app for internet banking. The bank sent out close to three million text messages on Monday alone. The database also had daily archives of millions of text messages each, going back to December, allowing anyone with access a detailed view into millions of customers' finances. SBI claims more than 500 million customers across the globe with 740 million accounts.

Security

Attackers Can Track Kids' Locations Via Connected Watches 33

secwatcher shares a report from Threatpost: A gamut of kids' GPS-tracking watches are exposing sensitive data involving 35,000 children -- including their location, in real time. Researchers from Pen Test Partners specifically took a look at the Gator portfolio of watches from TechSixtyFour. The Gator line had been in the spotlight in 2017 for having a raft of vulnerabilities, called out by the Norwegian Consumers Council in its WatchOut research. "A year on, we decided to have a look at the Gator watch again to see how their security had improved," said Vangelis Stykas, in a Tuesday posting. "Guess what: a train wreck. Anyone could access the entire database, including real-time child location, name, parents' details etc. Not just Gator watches either -- the same back end covered multiple brands and tens of thousands of watches." "At issue was an easy-to-exploit, severe privilege-escalation vulnerability: The system failed to validate that the user had the appropriate permission to take admin control," reports Threatpost. "An attacker with access to the watch's credentials simply needed to change the user level parameter in the backend to an admin designation, which would provide access to all account information and all watch information."
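The privilege-escalation flaw described above is a missing server-side authorization check: the back end took the caller's role from a client-supplied user-level parameter. The following is an added example, not code from Pen Test Partners, TechSixtyFour or Threatpost, that models that flaw beside a hardened handler which derives the role from the server-side account record and also checks object ownership per watch. All account, watch and field names here are constructed for illustration.

```python
"""
Added example (not the vendor's or the researchers' code): a minimal model of
a back end that trusts a client-supplied "user_level" field, beside a hardened
version that takes the role from the server-side account store and checks
ownership of each watch. All data below is constructed.
"""
from dataclasses import dataclass, field

ADMIN = "admin"
PARENT = "parent"

# Constructed server-side account store: the role lives here, never in the request.
ACCOUNTS = {
    "parent-1": {"role": PARENT},
    "support-9": {"role": ADMIN},
}

# Constructed watch records keyed by watch id; "last_fix" is a (lat, lon) pair.
WATCHES = {
    "watch-100": {"owner": "parent-1", "last_fix": (51.5, -0.1)},
    "watch-200": {"owner": "parent-2", "last_fix": (48.9, 2.3)},
}

# Simple in-memory audit trail so tampering attempts are visible to defenders.
AUDIT_LOG = []


def audit(event, user):
    AUDIT_LOG.append((event, user))


@dataclass
class Request:
    session_user: str                             # identity proven by the session token
    params: dict = field(default_factory=dict)    # client-controlled body/query fields


def vulnerable_list_watches(req):
    """Trusts req.params['user_level']: any authenticated caller who sets it to
    'admin' is shown every watch, which is the behaviour the report describes."""
    level = req.params.get("user_level", PARENT)
    if level == ADMIN:
        return sorted(WATCHES)
    return sorted(w for w, rec in WATCHES.items() if rec["owner"] == req.session_user)


def hardened_list_watches(req):
    """Ignores any role claim in the request; the role comes from ACCOUNTS only."""
    account = ACCOUNTS.get(req.session_user)
    if account is None:
        raise PermissionError("unknown session")
    if "user_level" in req.params:
        # A role claim arriving from the client is a tampering signal worth logging.
        audit("role claim in request body", req.session_user)
    if account["role"] == ADMIN:
        return sorted(WATCHES)
    return sorted(w for w, rec in WATCHES.items() if rec["owner"] == req.session_user)


def hardened_get_location(req, watch_id):
    """Object-level check: a parent may read only watches they own; admins may read any."""
    account = ACCOUNTS.get(req.session_user)
    if account is None:
        raise PermissionError("unknown session")
    watch = WATCHES.get(watch_id)
    if watch is None:
        raise KeyError(watch_id)
    if account["role"] != ADMIN and watch["owner"] != req.session_user:
        audit("cross-account watch access denied", req.session_user)
        raise PermissionError("not the owner of this watch")
    return watch["last_fix"]


if __name__ == "__main__":
    tampered = Request("parent-1", {"user_level": "admin"})
    print("vulnerable:", vulnerable_list_watches(tampered))   # both watches
    print("hardened:  ", hardened_list_watches(tampered))     # only watch-100
    print("audit:     ", AUDIT_LOG)
```

The design point is that authorization state must be looked up, never received: the session identifies the caller, the account store says what that caller may do, and each object access is checked against ownership. Logging the stray role claim gives detection engineers a signal for this class of tampering.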

Privacy

Ask Slashdot: What Could Go Wrong In Tech That Hasn't Already Gone Wrong? 367

dryriver writes: If you look at the last 15 years in tech, just about everything that could go wrong seemingly has gone wrong. Everything you buy and bring into your home tracks you in some way or the other. Some software can only be rented now -- no permanent licenses available to buy. PC games are tethered into cloud crap like Steam, Origin and UPlay. China is messing with unborn baby genes. Drones have managed to mess up entire airports. The Scandinavians have developed a serious hatred of cash money and are instead getting themselves chipped. CPUs have horrible security. Every day some huge customer database somewhere gets pwned by hackers. Cybercrime has gone through the roof. You cannot trust the BIOS on your PC anymore. Windows 10 just will not stop updating itself. And AI is soon going to kill us all, if a self-driving car by Uber doesn't do it first. So: What has -- so far -- not gone wrong in tech that still could go wrong, and perhaps in a surprising way?

iOS

Apple Is Making a 7th-Gen iPod Touch and New iPads, Says Report (macrumors.com) 72

Four new iPad models and a 7th-generation iPod Touch have been found in upcoming iOS 12.2, and seven new iPad models were discovered in the Eurasian Economic Commission Database, reports MacRumors. From the report: Developer Steven Troughton-Smith speculates that the iPad model numbers could be new iPad mini devices, which would be in line with rumors suggesting a new iPad mini 5 is in the works. According to Troughton-Smith, none of the iPads have Face ID, which is what we would expect as a new iPad mini is likely to be positioned as an affordable, lower-end device. There's also a reference to "iPod 9,1," which does not match up with any known iPod touch devices, suggesting it is a new next-generation model. The current sixth-generation iPod touch is "iPod 7,1," for reference. The iPod listed in iOS 12.2 does not appear to have Face ID or Touch ID, which is in line with the current iPod touch.

Previous rumors have indeed suggested Apple is working on a 7th-generation iPod touch, an iPad mini 5, and a new version of the lower-cost 9.7-inch iPad, which may actually be upgraded to 10 inches in its next iteration. There's been mixed information about what to expect from an iPad mini update. A case leak suggested a vertical camera and quad speakers, but a photo of an unreleased iPad mini, which could be the new iPad mini, featured an older A9 processor and a design that's similar to the fourth-generation iPad mini.

Privacy

Millions of Bank Loan and Mortgage Documents Have Leaked Online (techcrunch.com) 43

An anonymous reader quotes a report from TechCrunch: [M]illions of documents were found leaking after an exposed Elasticsearch server was found without a password. The documents contained highly sensitive financial data on tens of thousands of individuals who took out loans or mortgages over the past decade with U.S. financial institutions. The documents were converted using a technology called OCR from their original paper documents to a computer readable format and stored in the database, but they weren't easy to read. That said, it was possible to discern names, addresses, birth dates, Social Security numbers and other private financial data by anyone who knew where to find the server. Independent security researcher Bob Diachenko and TechCrunch traced the source of the leaking database to a Texas-based data and analytics company, Ascension. When reached, the company said that one of its vendors, OpticsML, a New York-based document management startup, had mishandled the data and was to blame for the data leak.

It turns out that data was exposed again -- but this time, it was the original documents. Diachenko found the second trove of data in a separate exposed Amazon S3 storage server, which too was not protected with a password. Anyone who went to an easy-to-guess web address in their web browser could have accessed the storage server to see -- and download -- the files stored inside. The bucket contained 21 files containing 23,000 pages of PDF documents stitched together -- or about 1.3 gigabytes in size. Diachenko said that portions of the data in the exposed Elasticsearch database on Wednesday matched data found in the Amazon S3 bucket, confirming that some or all of the data is the same as what was previously discovered. Like in Wednesday's report, the server contained documents from banks and financial institutions across the U.S., including loans and mortgage agreements. We also found documents from the U.S. Department of Housing and Urban Development, as well as W-2 tax forms, loan repayment schedules and other sensitive financial information. Many of the files also contained names, addresses, phone numbers, Social Security numbers and more.

Microsoft

Microsoft Acquires Another Open-Source Company, Citus Data (cnbc.com) 44

Microsoft on Thursday said that it's acquiring Citus Data, a start-up that has commercialized open-source database software called PostgreSQL. Terms of the deal weren't disclosed. From a report: The deal could help Microsoft make its argument that it supports open-source technologies, particularly in the cloud, while continuing to make money from popular proprietary software like Windows and Office. In the cloud business, Microsoft wants to use openness as a way to pick up business amid competition from Google, market leader Amazon and others. Currently, Citus Data's website advertises a version of its database software that's hosted on Amazon Web Services. Microsoft's blog post announcing the acquisition mentions the competing Azure cloud 10 times.

Red Hat Software

Red Hat Rejects MongoDB's 'Discriminatory' Server Side Public License (zdnet.com) 106

An anonymous reader quotes ZDNet: MongoDB is an open-source document NoSQL database with a problem. While very popular, cloud companies such as Amazon Web Services (AWS), IBM Cloud, Scalegrid, and ObjectRocket have profited from it by offering it as a service, while MongoDB Inc. hasn't been able to monetize it to the same degree. MongoDB's answer? Relicense the program under its new Server Side Public License (SSPL).

Open-source powerhouse Red Hat's reaction? Drop MongoDB from Red Hat Enterprise Linux 8. Red Hat's Technical and Community Outreach Program Manager Tom Callaway explained, in a note stating MongoDB is being removed from Fedora Linux, that "It is the belief of Fedora that the SSPL is intentionally crafted to be aggressively discriminatory towards a specific class of users." Debian Linux had already dropped MongoDB from its distribution....

The business point behind MongoDB's license change is to force cloud companies to use one of MongoDB's commercial cloud offerings. This hasn't worked either. AWS just launched DocumentDB, a database, which "is designed to be compatible with your existing MongoDB applications and tools," wrote AWS evangelist Jeff Barr.

Government

Oklahoma Government Data Leak Exposes FBI Investigation Records, Millions of Department Files (zdnet.com) 28

An anonymous reader quotes a report from ZDNet: Researchers have disclosed the existence of a server exposed to the public which not only contained terabytes of confidential government data but information relating to FBI investigations. According to UpGuard cybersecurity researchers Greg Pollock and Chris Vickery, the open storage server belonged to the Oklahoma Department of Securities (ODS), a U.S. government department which deals with securities cases and complaints. The database was found through the Shodan search engine which registered the system as publicly accessible on November 30, 2018.

The UpGuard team stumbled across the database on December 7th and notified the department a day later after verifying what they were working with. To ODS' credit, the department removed public access to the server on the same day. In order to examine the security breach, the team was able to download the server's contents. The oldest records dated back to 1986 and the most recent was timestamped in 2016. In total, three terabytes of information representing millions of files. Contents ranged from personal data to system credentials and internal communication records.

ODS said in a statement to ZDNet: "All state IP addresses, and many city and county addresses, are registered to OMES, but the agency has no visibility into the computer systems at the Oklahoma Department of Securities. For the past eight years the state has been working to consolidate all IT infrastructure under OMES and ODS had the option to consolidate its systems voluntarily and they did not."

Privacy

Collection 1 Data Breach Exposes More Than 772 Million Email Addresses (zdnet.com) 68

A collection of almost 773 million unique email addresses and just under 22 million unique passwords were exposed on cloud service MEGA. Security researcher Troy Hunt said the collection of data, dubbed Collection #1, totaled over 12,000 separate files and more than 87GB of data. ZDNet reports: "What I can say is that my own personal data is in there and it's accurate; right email address and a password I used many years ago," Hunt wrote. "In short, if you're in this breach, one or more passwords you've previously used are floating around for others to see." Some passwords, including his own, have been "dehashed", that is converted back to plain text. Hunt said he gained the information after multiple people reached out to him with concerns over the data on MEGA, with the Collection #1 dump also being discussed on a hacking forum. "The post on the forum referenced 'a collection of 2000+ dehashed databases and Combos stored by topic' and provided a directory listing of 2,890 of the files," Hunt wrote. The collection has since been removed. You can visit Hunt's Have I Been Pwned service to see if you are affected by this breach.

Crime

Hackers Broke Into An SEC Database and Made Millions From Inside Information, Says DOJ (cnbc.com) 60

Federal prosecutors unveiled charges in an international stock-trading scheme that involved hacking into the Securities and Exchange Commission's EDGAR corporate filing system. "The scheme allegedly netted $4.1 million for fraudsters from the U.S., Russia and Ukraine," reports CNBC. "Using 157 corporate earnings announcements, the group was able to execute trades on material nonpublic information. Most of those filings were 'test filings,' which corporations upload to the SEC's website." From the report: The scheme involves seven individuals and operated from May to at least October 2016. Prosecutors said the traders were part of the same group that previously hacked into newswire services. Carpenito, in a press conference Tuesday, said the thefts included thousands of valuable, private business documents. "After hacking into the EDGAR system they stole drafts of [these] reports before the information was disseminated to the general public," he said.

Those documents included quarterly earnings, mergers and acquisitions plans and other sensitive news, and the criminals were able to view it before it was released as a public filing, thus affecting the individual companies' stock prices. The alleged hackers executed trades on the reports and also sold them to other illicit traders. One inside trader made $270,000 in a single day, according to Carpenito. The hackers used malicious software sent via email to SEC employees. Then, after planting the software on the SEC computers, they sent the information they were able to gather from the EDGAR system to servers in Lithuania, where they either used it or distributed the data to other criminals, Carpenito said.

Security

200 Million Chinese Resumes Leak In Huge Database Breach (thenextweb.com) 70

According to a report from HackenProof, a database containing resumes of over 200 million job seekers in China was exposed last month. "The leaked info included not just the name and working experience of people, but also their mobile phone number, email, marriage status, children, politics, height, weight, driver license, and literacy level as well," reports The Next Web. From the report: Bob Diachenko, Director of Cyber Risk Research at Hacken.io and bug bounty platform HackenProof, found an unprotected instance of MongoDB containing these resumes on December 28. Diachenko found the resumes in the open database search engines Shodan and BinaryEdge. The 854GB database didn't have any password protection and was open to anyone to read.

Diachenko wasn't able to identify who generated the database or who owned it, but a now-defunct GitHub code repository featured a code that used an identical data structure to the leaked database. The database contained scraped data from multiple Chinese classified websites like bj.58.com. However, in a blog post, the website's spokesperson denied the leak. Interestingly, the database was taken down as soon as Diachenko posted about the database on Twitter. Sadly, the MongoDB log showed at least a dozen IP addresses that read the instance before it went off the grid.

Security

Marriott Faces Multiple Class-Action Lawsuits Over Hotel Reservation Data Breach (vox.com) 28

An anonymous reader quotes a report from Vox: More than 150 people who previously stayed in Marriott properties are suing the hotel chain in a federal class-action lawsuit, claiming that Marriott didn't do enough to protect them from a data breach that exposed more than 300 million guests' personal information, including names, credit card information, and passport numbers. The suit, which was filed in Maryland federal district court on January 9, claims that Marriott did not adequately protect guest information before the breach and, once the breach had been discovered, "failed to provide timely, accurate, and adequate notice" to guests whose information may have been obtained by hackers.

According to the suit, Marriott's purchase of the Starwood properties [in 2016] is part of the problem. "This breach had been going on since 2014. In conducting due diligence to acquire Starwood, Marriott should have gone through and done an accounting of the cybersecurity of Starwood," Amy Keller, an attorney at DiCello Levitt & Casey who is representing the Marriott guests, told Vox. "In so doing, it should have caught -- at the very least -- that there was some suspicious activity concerning the database where a lot of consumer information was contained." Instead, Keller said, the breach continued for an additional two years after the acquisition, until Marriott caught it in September 2018. And even then, the suit claims, the company waited until November to tell guests about the breach.

Privacy

Nest Competitor Ring Reportedly Gave Employees Full Access To Customers' Live Camera Feeds (9to5google.com) 120

Amazon-owned Ring allowed employees to access customers' live camera feeds, according to a report from The Intercept. "Ring's engineers and executives have 'highly privileged access' to live camera feeds from customers' devices," reports 9to5Google. "This includes both doorbells facing the outside world, as well as cameras inside a person's home. A team tasked with annotating video to aid in object recognition captured 'people kissing, firing guns, and stealing.'" From the report: U.S. employees specifically had access to a video portal intended for technical support that reportedly allowed "unfiltered, round-the-clock live feeds from some customer cameras." What's surprising is how this support tool was apparently not restricted to only employees that dealt with customers. The Intercept notes that only a Ring customer's email address was required to access any live feed.

According to the report's sources, employees had a blasé attitude to this potential privacy violation, but noted that they "never personally witnessed any egregious abuses." Meanwhile, a second group of Ring employees working on R&D in Ukraine had access to a folder housing "every video created by every Ring camera around the world." What's more, these employees had a "corresponding database that linked each specific video file to corresponding specific Ring customers." Also bothersome is Ring's reported stance towards encryption. Videos in that bucket were unencrypted due to the costs associated with implementation and "lost revenue opportunities due to restricted access."

In response to the report, Ring said: "We have strict policies in place for all our team members. We implement systems to restrict and audit access to information. We hold our team members to a high ethical standard and anyone in violation of our policies faces discipline, including termination and potential legal and criminal penalties. In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them."

Privacy

How Cartographers For the US Military Inadvertently Created a House of Horrors in South Africa (gizmodo.com) 118

Kashmir Hill, reporting at Gizmodo: The visitors started coming in 2013. The first one who came and refused to leave until he was let inside was a private investigator named Roderick. He was looking for an abducted girl, and he was convinced she was in the house. John S. and his mother Ann live in the house, which is in Pretoria, the administrative capital of South Africa and next to Johannesburg. They had not abducted anyone, so they called the police and asked for an officer to come over. Roderick and the officer went through the home room by room, looking into cupboards and under beds for the missing girl. Roderick claimed to have used a "professional" tracking device "that could not be wrong," but the girl wasn't there. This was not an unusual occurrence. John, 39, and Ann, 73, were accustomed to strangers turning up at their door accusing them of crimes; the visitors would usually pull up maps on their smartphones that pointed at John and Ann's backyard as a hotbed of criminal activity.

[...] The outline of this story might sound familiar to you if you've heard about this home in Atlanta, or read about this farm in Kansas, and it is, in fact, similar: John and Ann, too, are victims of bad digital mapping. There is a crucial difference though: This time it happened on a global scale, and the U.S. government played a key role. [...] Technologist Dhruv Mehrotra crawled MaxMind's free database for me and plotted the locations that showed up most frequently. Unfortunately, John and Ann's house must have just missed MaxMind's cut-off for remediation. Theirs was the 104th most popular location in the database, with over a million IP addresses mapped to it.
