Sonos Appears To Have Changed Its Privacy Policy To Allow It To Sell Your Data

Posted in Commentary with tags on June 15, 2024 by itnerd

From the “this is a new low” department comes an apparent privacy policy change by speaker maker Sonos that seems at first glance to give it the right to sell your data. This was spotted by YouTuber Louis Rossmann and you can watch the video here:

If you didn’t watch the video, this will act as a TL;DR. Here is the relevant section of the former privacy policy:

Sonos does not and will not sell personal information about our customers. However, certain data practices described throughout this Privacy Statement may constitute a “sale” or “sharing” of data under California and/or other US state laws. See the below CA Addendum for more information applicable to CA residents. We want you to understand that information about our customers is an important part of our business. We only disclose your data as described in this Statement

And now here is the relevant section of the updated policy:

Certain data practices described throughout this Privacy Statement may constitute a “sale” or “sharing” of data under California and/or other US state laws. See the below CA Addendum for more information applicable to CA residents. We want you to understand that information about our customers is an important part of our business. We only disclose your data as described in this Statement

I had a look online and didn’t see anything from Sonos trying to explain this. Instead I saw a lot of people complaining that Sonos has broken their app. So maybe a response from Sonos will be inbound once this makes its way around the Interwebs. And it will be interesting to see what the company says.

Microsoft Recall Has Been Recalled

Posted in Commentary with tags on June 15, 2024 by itnerd

Well, after coming out with a feature that everyone said was a security disaster, and trying to make it better to make their problems go away, it appears that Microsoft has thrown in the towel when it comes to Recall. At least for now. Microsoft posted this revised blog post late yesterday:

Update: June 13, 2024: Today, we are communicating an additional update on the Recall (preview) feature for Copilot+ PCs. Recall will now shift from a preview experience broadly available for Copilot+ PCs on June 18, 2024, to a preview available first in the Windows Insider Program (WIP) in the coming weeks. Following receiving feedback on Recall from our Windows Insider Community, as we typically do, we plan to make Recall (preview) available for all Copilot+ PCs coming soon.

We are adjusting the release model for Recall to leverage the expertise of the Windows Insider community to ensure the experience meets our high standards for quality and security. This decision is rooted in our commitment to providing a trusted, secure and robust experience for all customers and to seek additional feedback prior to making the feature available to all Copilot+ PC users. Additionally, as we shared in our May 3 blog, security is our top priority at Microsoft, in line with our Secure Future Initiative (SFI). This is reflected in additional security protections we are providing for Recall content, including “just in time” decryption protected by Windows Hello Enhanced Sign-in Security (ESS), so Recall snapshots will only be decrypted and accessible when the user authenticates. The development of Copilot+ PCs, Recall and Windows will continue to be guided by SFI.

When Recall (preview) becomes available in the Windows Insider Program, we will publish a blog post with details on how to get the preview. To try Recall (preview) WIP customers will need a Copilot+ PC due to our hardware requirements. We look forward to hearing Windows Insider feedback.

If you want my take on this, “soon” may mean anywhere from weeks or months from now to never. Microsoft has really dropped themselves in this and this delay, if you want to call it that, for Recall was likely the least worst option. Frankly, I would not be shocked if this feature never sees the light of day outside of Microsoft. And I have to wonder how much the announcement of Apple Intelligence which promises to be private played into this? I say that because Apple has created a clear contrast between themselves and Microsoft that doesn’t make Microsoft look good. We’ll never know if that’s the case. But I for one am happy that Recall has been Recalled.

Gradio Vulnerabilities Enable Hugging Face Theft of Secrets

Posted in Commentary with tags on June 15, 2024 by itnerd

Horizon3.ai Chief Architect Naveen Sunkavally has just published “Exploiting File Read Vulnerabilities in Gradio to Steal Secrets from Hugging Face Spaces”.

On Friday, May 31, the AI company Hugging Face disclosed a potential breach where attackers may have gained unauthorized access to secrets stored in their Spaces platform.

Naveen said:

“This reminded us of a couple of high severity vulnerabilities we disclosed to Hugging Face affecting their Gradio framework last December. When we reported these vulnerabilities, we demonstrated that they could lead to the exfiltration of secrets stored in Spaces.

“Hugging Face responded in a timely way to our reports and patched Gradio. However, to our surprise, even though these vulnerabilities have long been patched, these old vulnerabilities were, up until recently, still exploitable on the Spaces platform for apps running with an outdated Gradio version.”

As background, Gradio is a popular open-source Python-based web application framework for developing and sharing AI/ML demos. The framework consists of a backend server that hosts a standard set of REST APIs and a library of front-end components that users can plug in to develop their apps. A number of popular AI apps use Gradio such as the Stable Diffusion Web UI and Text Generation Web UI. Users have several options for sharing Gradio apps: hosting it in a Hugging Face Space; self-hosting; or using the Gradio share feature, which exposes their machine to the Internet using a Gradio-provided proxy URL similar to ngrok.

The Horizon3.ai blog post demonstrates an exploitable path, and Naveen offers recommendations to users for remediation – whether they are using Gradio in a Hugging Face Space or self-hosting.

Ascension Health Pwned Via A Malicious File Downloaded By An Employee

Posted in Commentary with tags on June 15, 2024 by itnerd

In an update on the recent Ascension Health care breach, officials say the breach was caused by an employee downloading “a malicious file.”

“An individual working in one of our facilities accidentally downloaded a malicious file that they thought was legitimate. We have no reason to believe this was anything but an honest mistake.”

The breach caused Ascension’s EHR system to be taken offline, forcing staff to revert to manual, paper-based processes for recording patient information, ordering tests, and managing medications. Patient care was delayed for days.

In the Wednesday update, Ascension said that some services were still being impacted, more than a month after first detecting the breach on May 8th.

On an encouraging note, the provider said that the attackers were only able to steal data from seven of the approximately 25,000 servers in their network.

“At this point, we now have evidence that indicates that the attackers were able to take files from a small number of file servers used by our associates primarily for daily and routine tasks. These servers represent seven of the approximately 25,000 servers across our network.”

Brett Hansen, CGO, Cigent had this to say:

“It is naive to presume that people are not going to make mistakes and detection and response will prevent incidents. Employee education and EDR have long proven to be insufficient – organizations need to augment to include proactive protection of data with technologies including zero-trust access controls.”

Emily Phelps, Director, Cyware follows with this:

“Like with cybersecurity, in the healthcare industry, trust is everything. This increased transparency could stem the need and ability for healthcare entities to provide more transparency, more quickly. Regulatory requirements and the potential for severe penalties have undoubtedly played a role, but there is also a heightened awareness of the reputational damage that can arise from mishandled incidents.”

This is a prime example of why your defences need to be multi-layered. As in having multiple layers of defence so that you are far less likely to be pwned by a threat actor when one layer, such as an employee clicking on a file, fails. Because by not doing that, you get this exact result.

Calling all wellness enthusiasts… the Samsung Galaxy Watch FE is here

Posted in Commentary with tags on June 14, 2024 by itnerd

Yesterday Samsung announced the release of its new Galaxy Watch FE – the perfect watch for every health and wellness enthusiast.

Equipped with Samsung’s advanced BioActive Sensor, the Galaxy Watch FE provides an array of powerful fitness and wellness functions that deliver personalized and actionable tips around the clock. From supporting better sleep to tracking workouts to sending you motivational messages throughout your wellness journey, this watch is with you every step of the way.

Please see below some highlights of the Galaxy Watch FE’s capabilities:

  • Monitors sleep patterns and provides sleep coaching
  • Tracks over 100 different workouts
  • Provides advanced running analysis, helping users not only analyze overall running performance but also providing insights and guidance to help prevent injuries and help users meet their goals

The Galaxy Watch FE is also highly customizable, offering a variety of new watch faces and a one-click band that makes it easy to mix and match bands to meet users’ style. It is also made from Sapphire Crystal glass, offering durability and helping protect against scratches during day-to-day use.

Beginning June 26th, the Galaxy Watch FE will become available in Canada in a variety of colours including Black, Pink, Gold and Silver. There will also be new watch bands available featuring distinct blue and orange stitching.

Luma AI Launches Dream Machine

Posted in Commentary on June 14, 2024 by itnerd

There’s yet another new AI tool out there. It’s called Dream Machine and it’s made by a company called Luma AI. Here’s what the company promises:

It is a highly scalable and efficient transformer model trained directly on videos making it capable of generating physically accurate, consistent and eventful shots. Dream Machine is our first step towards building a universal imagination engine and it is available to everyone now!

I experimented with it briefly by typing in the following phrase:

“A Hacker dancing down the street celebrating his latest hack”

This is what I got:

This is kind of interesting. I’ll share my thoughts later. But right now I have a comment from Kevin Surace, Chair, Token & “Father of the Virtual Assistant” on this:

Right now the current group of video generators creates very cool very short videos (in this case 5 seconds). This isn’t storytelling and it’s not movie making nor even shorts, and they can’t talk. It’s just in the toy category. Fun to play with. But you cannot do much with a 5 second clip that’s valuable. Being a filmmaker and an applied AI leader for 25 years…my bar is high.

Of course anything A16Z backs gets attention. So it doesn’t hurt. But the question again is what is the current usefulness of this? And at this point the GPU cost of generation is high. And so is their service cost. They promise to generate 5 seconds of video in 2 minutes but for now it’s taking more than 20 minutes. The GPU costs and load are tremendous. I suspect 99% of users won’t renew given the limited usefulness.

A 5 second deep fake is unlikely to convince anyone. And it’s hard to get these models to utilize an ACTUAL living human in them. If someone can jailbreak them, perhaps a 5 second clip might convince someone…but these also all have built-in technology to ID they were AI-generated. I think the risk here is very low.

Deep fakes can hurt company and exec reputations. The biggest concern is around live deep fakes on Zoom and we will all be using wearable biometric check-ins to be sure that whomever we are talking to is the real deal.

This is a valid point. At some point these gimmicky tools will become useful and dangerous. And we need guardrails in place before that happens. Or this will not end well.

Horizon3.ai Has A Deep Dive & POC For Ivanti Endpoint Mgr. SQL Injection RCE Vulnerability

Posted in Commentary with tags on June 13, 2024 by itnerd

Horizon3.ai Chief Attack Engineer Zach Hanley and the Horizon3.ai Attack Team have just published “CVE-2024-29824 Deep Dive: Ivanti EPM SQL Injection Remote Code Execution Vulnerability.” Their POC can be found here.

Ivanti Endpoint Manager (EPM) is an enterprise endpoint management solution that enables centralized management of devices within an organization. Ivanti is a widely deployed secure access solution across enterprise functions and divisions to reduce costs, optimize service performance, and help support a secure and agile environment.

On May 24, 2024, the Zero Day Initiative (ZDI) and Ivanti released the advisory “Ivanti Endpoint Manager RecordGoodApp SQL Injection Remote Code Execution Vulnerability” describing a SQL injection resulting in remote code execution with a CVSS score of 9.8.

For The Second Day In A Row, Elon Musk Gets Trolled On Twitter

Posted in Commentary with tags on June 13, 2024 by itnerd

Hot on the heels of Elon Musk getting community noted and trolled on Twitter over his rants about the Apple Intelligence/OpenAI partnership, he’s getting trolled again on Twitter. This time it’s about hiding likes so that you can’t see what Twitter posts a particular user liked. I wrote about this here. Well that went into effect in the last 24 hours or so. And the backlash is epic.

You have to believe that in some corner of a Tesla or Twitter office, Elon must be bewildered by this response. But to be frank, you can’t be surprised that this is happening. Elon has once again done something that has opened himself up to this sort of response. And most normal people, after the first or maybe second time that this happens to them, would reconsider their life choices and course correct. But Elon isn’t normal and seems to relish this attention. Why, I don’t know, because I’m a computer nerd and not a mental health professional. But I will be curious to see if and how Elon reacts to this because that will be interesting to watch.

AHEAD Signs Enterprise Services Master Agreement With LA County

Posted in Commentary with tags on June 13, 2024 by itnerd

AHEAD announced today that it has entered Los Angeles County’s Enterprise Systems Management Architecture (ESMA) program, a framework that helps manage and integrate various software applications and systems within the LA County government.

This agreement means that AHEAD meets the required criteria and has been chosen to contribute Information Management, IT Transformation Services, and Privacy Consulting Services to the ESMA program in LA County.

AHEAD can now help drive LA County initiatives in key areas, including infrastructure upgrades, cloud adoption, digital transformation, data management and analytics, cybersecurity enhancement, collaborative tooling and communication, mobile and remote access, and open data initiatives.

Pending approval within additional Privacy Compliance Consulting categories, AHEAD’s service offerings will also include breach and incident management, privacy audits and assessments, data inventory, classification and mapping services, and privacy rights and consent management services.

Review: HyperX Cloud Stinger 2 Wireless Headphones

Posted in Products with tags on June 13, 2024 by itnerd

When you speak to competitive gamers, they will all likely say the same thing. Wired is better for winning. Wired mice, wired keyboards, wired all the things. The same is true for headsets. However HyperX is trying to change the game on that front with their HyperX Cloud Stinger 2 Wireless Headphones. Here’s what you get in the box:

Let’s start with the headphones. They are light and comfortable. They didn’t put any real pressure on my head or ears. That means that I can wear them for an extended period of time comfortably. More on that in a bit. There are adjustable and removable memory foam ear cups as part of the deal. Meaning that you can not only dial in your fit, but replace the ear cups when they become too gross to wear. The headband in the middle portion has the same memory foam as well which means that it also provides a fair amount of comfort. The headphones are made of plastic which is fine as I am not expecting AirPods Max type of materials for a gaming headset. One thing that I should note is that the microphone flips up and down. And that’s important because when you flip it up, it mutes you. When you flip it down, your speech becomes audible again. That’s pretty clever.

On the left ear, you get a USB-C port and the power switch. Pro tip: You need to hold the power switch to power these headphones on or off.

On the right side, you get a volume control. One thing that I should note about these headsets is that while they don’t claim to be Mac compatible, they worked just fine and spinning the volume control brought up the volume indicator on the screen. That was kind of neat.

Also included are a USB-C to USB-A cable for charging purposes along with the 2.4 GHz wireless receiver that you need to use these headphones.

Here are some other specs that I pulled off of the HyperX website:

  • Driver: Dynamic, 50mm with neodymium magnets
  • Type: Closed back
  • Frequency response: 10Hz – 20.2 kHz
  • Sensitivity: -12 dBFS/Pa at 1kHz
  • T.H.D.: ≤ 2%
  • Microphone
    • Element: Electret condenser microphone
    • Polar Pattern: Bi-directional, Noise-cancelling
    • Sensitivity: -12 dBFS/Pa at 1kHz
  • USB Specification: USB 2.0
  • Bit-Depth: 16-bit
  • Wireless Range: Up to 20m

Now, some random thoughts before I get into the rather unique testing that I did with these headphones:

  • Battery life: HyperX claims 20 hours of battery life with a 3.5 hour recharge time. At the time of writing this review, I had charged them to full and used them for 11 hours without an issue on anything from game playing to Microsoft Teams calls. So 20 hours of battery life seems plausible to me.
  • Setup: This is laughably easy. Plug in the 2.4 GHz receiver into a free USB port, turn on the headset, and set your audio output and input to the headset assuming that you’re on a PC or a Mac and declare victory. For the record, this will also work with a PS5 in a similar manner. But I did not test that as I do not have a PS5.
  • Microphone Quality: People that I talked to had no complaints about being able to hear me clearly over the bi-directional noise-cancelling microphone, especially with the foam windscreen which helps reduce and filter out breathing noise. The key word is reduce because I did find one scenario where this wasn’t the case which I will get to later.
  • Sound Quality: The sound put out by the headset is definitely crisp and clear, and depending on what you use it with, the sound can be quite loud. On the PC side of the fence, you can install their NGENUITY software and use it to not only tweak your sound, but to also unlock DTS Headphone:X Spatial Audio for even better sound.

Now, how did I test these headphones? As most of you know, I use an online cycling platform called Zwift to help me to keep and improve my fitness. You can get more info on that here, and here. But what you likely don’t know is that I am part of an online race team called Galaxy Cycling Club. Galaxy races on Zwift as well as running group rides on the platform. I race two or three times a week and one of those times is a team time trial where three to eight riders ride together to get the fastest time possible on a course that is anywhere from 30 to 50 kilometres in length. Here’s a picture of one of the time trials that I was in a few weeks ago:

You can see all of us in a line. That’s done to have the first person in line break the wind, and the others benefit from being in the draft of that person because they are doing about 20% less work than the person at the front of the line. That means you can go faster and have more in the metaphorical gas tank at the end. The person in the front spends 60 to maybe 90 seconds on the front before pulling off and going to the back of the line. That requires constant communication with the rest of the team so that the line is maintained. That’s where these headsets came in handy. I used them in one of these time trials and exposed them to not only sweat, but the sound of two fans that I keep in front of me to keep me cool. I will admit that this is an extreme test of these headphones. Especially since HyperX makes no claims as to water resistance. But I had almost no issues in the one hour and sixteen minutes that I was racing (covering 43K in that time for the record). The only issue that I had was that the fans were clearly audible to my teammates, which implies the fans overwhelmed the microphone’s ability to cancel out noise. That I do not think will be an issue for most people, as most people will not have a pair of fans cranked up to the max blowing cool air in front of them.

So after doing that extreme test of the headphones, let me get to the best part about them. The price. They retail for $129.99 CAD normally, but are currently on sale for $20 off. That’s very good value considering what these headphones can do for you. If you’re a competitive gamer, and even if you aren’t, these headphones are very much worth a look.