To Fight Revenge Porn, Facebook Is Asking to See Your Nudes

Facebook has a new strategy for combating revenge porn: It wants to see your nudes first, before an abuser has the chance to spread them.

As part of a new feature the social network is testing in Australia, users are being asked to upload explicit photos of themselves before they send them to anyone else, according to the Australian Broadcasting Corporation (ABC).

This is how the new feature works. First, you upload an explicit image of yourself to Facebook Messenger (you can do so by starting a conversation with yourself). Then, you flag it as a "non-consensual intimate image" for Facebook.

The social network then builds what is referred to as a "hash" of the image, meaning it creates a unique fingerprint for the file. Facebook says it is not storing the photos, just the hashes of the photos. If another user tries to upload the same image on Facebook or Instagram, Facebook will test it against its stored hashes, and stop those labeled as revenge porn from being distributed.
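As an added illustration (not Facebook's code; the page does not say which hashing method the service uses), the block below keeps only fingerprints of flagged images and shows why an exact file hash alone stops matching once an image is re-encoded, while a simplified perceptual hash still does. The 4x4 pixel grids and the average-hash routine are constructed for this example.

```python
import hashlib

# Constructed sample "images": tiny 4x4 8-bit grayscale pixel grids, not real photos.
ORIGINAL = [
    [200, 200, 30, 30],
    [200, 200, 30, 30],
    [30, 30, 200, 200],
    [30, 30, 200, 200],
]
# The same picture after re-encoding: every pixel value shifted by two levels.
REENCODED = [[p + 2 for p in row] for row in ORIGINAL]
# An unrelated picture (checkerboard).
OTHER = [
    [10, 250, 10, 250],
    [250, 10, 250, 10],
    [10, 250, 10, 250],
    [250, 10, 250, 10],
]


def to_bytes(image):
    return bytes(p for row in image for p in row)


def exact_fingerprint(image):
    """Cryptographic hash of the raw bytes: a unique fingerprint of this exact file."""
    return hashlib.sha256(to_bytes(image)).hexdigest()


def average_hash(image):
    """Simplified perceptual hash: one bit per pixel, set when the pixel is brighter
    than the image mean. Hypothetical illustration, not the page's matching technology."""
    pixels = [p for row in image for p in row]
    mean = sum(pixels) / len(pixels)
    return sum(1 << i for i, p in enumerate(pixels) if p > mean)


def hamming(a, b):
    """Number of differing bits between two perceptual hashes."""
    return bin(a ^ b).count("1")


class FingerprintIndex:
    """Stores only fingerprints of flagged images, never the images themselves."""

    def __init__(self, max_distance=2):
        self.exact = set()
        self.perceptual = []
        self.max_distance = max_distance

    def flag(self, image):
        self.exact.add(exact_fingerprint(image))
        self.perceptual.append(average_hash(image))

    def matches_exact(self, image):
        return exact_fingerprint(image) in self.exact

    def matches_perceptual(self, image):
        h = average_hash(image)
        return any(hamming(h, known) <= self.max_distance for known in self.perceptual)


def demo():
    index = FingerprintIndex()
    index.flag(ORIGINAL)
    return {
        "original_exact": index.matches_exact(ORIGINAL),
        "reencoded_exact": index.matches_exact(REENCODED),
        "reencoded_perceptual": index.matches_perceptual(REENCODED),
        "other_perceptual": index.matches_perceptual(OTHER),
    }
```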

One information security researcher I spoke to said using the new feature requires putting an enormous amount of trust in Facebook. "Yes, they're not storing a copy, but the image is still being transmitted and processed. Leaving forensic evidence in memory and potentially on disk," digital forensics expert Lesley Carhart told me in a Twitter DM. "My speciality is digital forensics and I literally recover deleted images from computer systems all day—off disk and out of system memory. It's not trivial to destroy all trace of files, including metadata and thumbnails."

Facebook's new anti-revenge porn feature follows a similar one it instituted in April. If you report an image as revenge porn when you come across it on Facebook or Instagram, the social network's moderators will tag the image using photo-matching technology in an attempt to keep it from spreading. Facebook says it disables the account of whoever shared the image in the first place, "in most cases."

Non-consensual porn became a major scandal for Facebook earlier this year when the secret group Marines United became public. Over 30,000 current and former US servicemen distributed private and often nude images of women, including their female colleagues, without their consent in the secret group.

The Department of Defense subsequently opened an investigation into the group, and a US Marine later pleaded guilty to distributing photos non-consensually. Marines United exemplified a part of Facebook that is difficult for it to moderate: secret groups.

Facebook is teaming up with the Australian government to roll out the new feature. Users can file a report with the government's eSafety Commissioner. Afterwards, the report is shared with Facebook, and users are asked to send the intimate photos to the social network. The partnership is part of Australia's new national reporting tool for revenge porn, which is the world's first.

Facebook is looking to bring the new feature to other places in the future, and is currently exploring additional countries, a spokesperson told me in an email.

Facebook potentially needs to expand it to the US, or come up with another solution, because sharing non-consensual explicit images may soon become a federal crime in the United States, like child porn. Right now, there is a patchwork of state laws addressing revenge porn on the books.

Facebook's new feature will unfortunately not stop non-consensual images from being shared elsewhere on the internet.

Update 11/7/17 5:23 PM: This post has been updated with comment from Facebook.


Five street signs that really mean the street design is wrong

There are a lot of street signs around the region that essentially substitute for safe street design. It's as if decision makers sometimes think "We could design this street to be low-speed and safe for pedestrians, but nah, we'll just put up a sign instead and not really fix the problem." Here are some examples we found:

This sign really means the street is designed for driving faster than safety legitimately allows.

3rd and E Streets, SW. Image by Matt Johnson used with permission.

This sign really means a lot of pedestrians want to make an obvious connection, but it might inconvenience cars so we're not going to let them.

Clarendon Boulevard. Image by the author.

This sign really means we know we should put in bike lanes, but nah

Georgia Avenue in Aspen Hill. Image by Dan Reed used with permission.

This sign really means we're happy to throw a guilt trip at outsiders, but not happy to give our children a sidewalk.

Image by Magnolia677 on Wikipedia licensed under Creative Commons.

And the pièce de résistance, this sign, which really means we don't have any intention of even pretending to design a safe street.

Image by Bryan Barnett-Woods used with permission.

Have you come across any signs like this? Please share in the comments!

1 public comment
That's the sign outside our grocery store in Arlington!

Google Pulled Some Shady Shit In Montana, And Now They Have A Violent Asshole Congressman

This is Rob Quist, the nice, singing cowboy from Montana. You’ve never heard of him.

Do you remember Rob Quist? He was the nice, bluegrass cowboy running for Montana’s lone US House of Representatives seat back in May. Rob Quist was not the carpetbagger who bodyslammed Guardian reporter Ben Jacobs on election night for asking a question about repealing the ACA; that was multi-millionaire Republican Greg Gianforte.

If you’ve never heard of Rob Quist before, you’re not alone. A lot of people don’t know who Rob Quist is, and as that late May election drew closer, many people Googling the candidates in Montana’s special election didn’t know about Rob Quist either. With just days to go before the election, a search for “Montana Special Election Candidate” would have turned up one name in Google’s Instant Answers box — Greg Gianforte.

Geeks hired by the Quist campaign thought this was a little weird, so they went into the Wayback Machine and found that this had been going on for the entire election. Quist started running in early January after Trump tapped grifty bastard Ryan Zinke to be his Interior Secretary, weeks before Gianforte finally finished licking wounds inflicted by Montana’s Democratic governor, Steve Bullock. But when officials from the Quist campaign tried to contact Google to correct this big fucking error, Google kind of shrugged and went back to frolicking in the ashes of its “Don’t Be Evil” banner.

Quist’s campaign was eventually able to get everything sorted out after a bunch of lucky phone calls to people inside the Googleplex. With about 24 hours before polls opened, someone at Google had a fire lit under their ass and added Quist, as well as Libertarian Mark Wicks, to the Instant Answers results. Problem solved, right?

Sure, if you ignore the general Republican electoral fuckery that has become disturbingly common, and Google’s own stupidity.

When Gov. Bullock tried to pass a measure that would allow mail-in ballots for Montana’s special elections, Republicans threw a tantrum. Bullock’s reasoning was not only a cost-saving maneuver that could save counties up to hundreds of thousands of dollars, it would also encourage voting in a state that has historically low voter turnout.

Incensed that some damn dirty Democrats might actually get people to vote against the businessman who wants to drill more than Harvey Weinstein at prom, Republicans jumped into action. In an email sent to the Montana Republican party constituency, State Rep. Jeff Essmann, chairman of the Montana Republican Party, actually says…

“I know that my position will not be popular with many fiscally conservative Republican County commissioners or the sponsor of HB 305. They may be well intended, but this bill could be the death of our effort to make Montana a reliably Republican state.”

Montana’s special election was watched by political junkies and regular folks eager to see if their anti-Trump efforts would pay off. With truckloads of cash being flown in and burned through on mailers, door knockers and TV ads, polls still remained consistent for both the candidates, despite the historical inaccuracy of special election polls.

But the night before the election, Gianforte punched Guardian reporter Ben Jacobs, and that story became front page news across the country. Because of the way that Google’s algorithm works (primarily, things that get the most clicks appear at the top, though there are also 200 other smaller factors), this pushed results for “Gianforte” and “Montana special election” even closer together. Anyone searching for information about any candidate wound up getting stories on Gianforte punching Jacobs, and doodly squat about the nice cowboy singer, Rob Quist.


Since we apparently live in Star Trek’s mirror universe, conservative blowhards defended Gianforte for punching Jacobs, calling him a “wuss” and liberal operative (and some haven’t stopped threatening to “shoot” journalists). Gianforte initially denied everything, and said that Jacobs assaulted him, despite a local Fox affiliate confirming Jacobs’ story. The bullshit response from Gianforte, coupled with all the freaked out op-eds and analysis, was like pouring rocket fuel onto Google’s raging dumpster fire. If you hadn’t heard of Rob Quist before, you weren’t going to now.

Google initially screwed up by not including Quist within its Instant Answers box. In allowing Quist to be marginalized by a 1980s techbro like Gianforte, we’re left with a series of difficult questions, chief among them, “What the fuck are you doing, Google?”

Now, it should be known that it’s pretty easy to screw with Google search results for a time. Internet trolls and pranksters do this on a regular basis. This is the reason why the Emperor from Star Wars shows up as the second image when looking for pictures of “The Senate.” With enough diligence, any group of idiots can trick Google’s system.

Lately many people are screaming about regulating big tech and social media companies. As we become aware of what Facebook, Google and Twitter are doing behind the curtain in the magical land of Oz Silicon Valley, it’s become obvious that they need to be held accountable for their negligence. Yes, there should be laws that regulate big tech; a big sign reminding techbros not to be assholes simply isn’t enough. However, it’s equally important to be very careful about that regulation, as most policy makers know as much about technology as a plaid clad Brooklyn beardo does about being a lumberjack. Good policy can help us maintain control of our lives and serve as a counterweight to increasingly destructive forces in the real and digital world. Bad policy could neuter creativity and growth of new inventions, or create even worse problems, like giving Facebook more power, Trump a 1,000 character Twitter account, or making Bing a thing — and nobody wants that.


Neil Gaiman

My friend told me a story he hadn’t told anyone for years. When he used to tell it years ago people would laugh and say, ‘Who’d believe that? How can that be true? That’s daft.’ So he didn’t tell it again for ages. But for some reason, last night, he knew it would be just the kind of story I would love.
When he was a kid, he said, they didn’t use the word autism, they just said ‘shy’, or ‘isn’t very good at being around strangers or lots of people.’ But that’s what he was, and is, and he doesn’t mind telling anyone. It’s just a matter of fact with him, and sometimes it makes him sound and act a little different, but that’s okay.
Anyway, when he was a kid it was the middle of the 1980s and they were still saying ‘shy’ or ‘withdrawn’ rather than ‘autistic’. He went to London with his mother to see a special screening of a new film he really loved. He must have won a competition or something, I think. Some of the details he can’t quite remember, but he thinks it must have been London they went to, and the film…! Well, the film is one of my all-time favourites, too. It’s a dark, mysterious fantasy movie. Every single frame is crammed with puppets and goblins. There are silly songs and a goblin king who wears clingy silver tights and who kidnaps a baby and this is what kickstarts the whole adventure.
It was ‘Labyrinth’, of course, and the star was David Bowie, and he was there to meet the children who had come to see this special screening.
‘I met David Bowie once,’ was the thing that my friend said, that caught my attention.
‘You did? When was this?’ I was amazed, and surprised, too, at the casual way he brought this revelation out. Almost anyone else I know would have told the tale a million times already.
He seemed surprised I would want to know, and he told me the whole thing, all out of order, and I eked the details out of him.
He told the story as if he’d been on an adventure back then, and he wasn’t quite allowed to tell the story. Like there was a pact, or a magic spell surrounding it. As if something profound and peculiar would occur if he broke the confidence.
It was thirty years ago and all us kids who’d loved Labyrinth then, and who still love it now, are all middle-aged. Saddest of all, the Goblin King is dead. Does the magic still exist?
I asked him what happened on his adventure.
‘I was withdrawn, more withdrawn than the other kids. We all got a signed poster. Because I was so shy, they put me in a separate room, to one side, and so I got to meet him alone. He’d heard I was shy and it was his idea. He spent thirty minutes with me.
‘He gave me this mask. This one. Look.
‘He said: ‘This is an invisible mask, you see?’
‘He took it off his own face and looked around like he was scared and uncomfortable all of a sudden. He passed me his invisible mask. ‘Put it on,’ he told me. ‘It’s magic.’
‘And so I did.
‘Then he told me, ‘I always feel afraid, just the same as you. But I wear this mask every single day. And it doesn’t take the fear away, but it makes it feel a bit better. I feel brave enough then to face the whole world and all the people. And now you will, too.’
‘I sat there in his magic mask, looking through the eyes at David Bowie and it was true, I did feel better.
‘Then I watched as he made another magic mask. He spun it out of thin air, out of nothing at all. He finished it and smiled and then he put it on. And he looked so relieved and pleased. He smiled at me.
‘‘Now we’ve both got invisible masks. We can both see through them perfectly well and no one would know we’re even wearing them,’ he said.
‘So, I felt incredibly comfortable. It was the first time I felt safe in my whole life.
‘It was magic. He was a wizard. He was a goblin king, grinning at me.
‘I still keep the mask, of course. This is it, now. Look.’
I kept asking my friend questions, amazed by his story. I loved it and wanted all the details. How many other kids? Did they have puppets from the film there, as well? What was David Bowie wearing? I imagined him in his lilac suit from Live Aid. Or maybe he was dressed as the Goblin King in lacy ruffles and cobwebs and glitter.
What was the last thing he said to you, when you had to say goodbye?
‘David Bowie said, ‘I’m always afraid as well. But this is how you can feel brave in the world.’ And then it was over. I’ve never forgotten it. And years later I cried when I heard he had passed.’
My friend was surprised I was delighted by this tale.
‘The normal reaction is: that’s just a stupid story. Fancy believing in an invisible mask.’
But I do. I really believe in it.
And it’s the best story I’ve heard all year.
— Paul Magrs (via yourfluffiestnightmare)

(via winneganfake)

2 public comments
David Bowie was amazing. I wish I knew more about him when I was younger.
The truly amazing people are always truly amazing. What a lovely story.

Tonight’s comic wants to bestow the dark blessing upon you.

sleep is dumb

Researchers Find Vulnerability in Smart Home Control Apps

We've seen many vulnerabilities in internet-of-things (IoT) devices over the past several years, but the problems can also extend to their companion mobile applications and cloud services. If you're using Wink or Insteon hubs to control sensors, door locks, and other sensitive devices in your home, make sure you update to the latest versions of their Android applications and encrypt your phone.

Researchers from security firm Rapid7 analyzed the Android applications that people use to control their Wink Hub 2 and Insteon Hub devices and found that both of them store sensitive access credentials in plain text in their configuration files. Under Android's security model, apps aren't normally able to access each other's files (with the exception of system services with special privileges), so at first glance this shouldn't be a big problem.

However, there are ways for attackers to get at this data, which is why Android provides a built-in secure keystore for storing sensitive information. There are various other methods for encrypting credentials in storage, but it turns out that some developers—especially those in the IoT space—don't use these mechanisms.

If left unprotected, application data can easily be extracted from phones that have been lost or stolen and are not locked with a strong password or use full device encryption—a feature that not all Android phones support.

"It takes very little effort," Deral Heiland, the research lead at Rapid7, told me. "Anyone who wants to take 45 minutes to an hour out of their life and can use Google, can quickly find out how to pull such data out of a phone."

Furthermore, due to the version fragmentation in the Android ecosystem there are millions of phones out there that are no longer supported by manufacturers and don't receive security updates. Those devices have known vulnerabilities that malicious applications can exploit to gain administrative privileges, or root access.

With privileged access, Android malware—which is not uncommon even on the policed Google Play store—can read other applications' data, including credentials stored in plain text.

The risk is even higher when those credentials are for smart home hubs because these devices often control security-related systems like door locks, garage doors, window sensors, alarms and so on.

The Android application for the Wink Hub 2 was insecurely storing the OAuth access tokens that Wink's servers use to track authenticated user sessions. These tokens allow the mobile applications to send commands to Wink hubs through the company's cloud service.

Heiland also found that Wink's service did not revoke old tokens even when new ones were generated, for example after a password change. So, even if users had tried to limit the risk after losing their phones by changing their Wink passwords, the OAuth tokens stored on their devices would have continued to work.

According to the researcher, Wink released an update for its Android application and plans to fix the token revocation issue with a server-side change in the future. Users are advised to use the Wink Android application v6.3.0.28 or later.
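The token revocation problem described above, as an added example that is not Wink's code: a hypothetical cloud-side token service binds every token to the credential generation it was issued under, so a password change invalidates tokens copied off a lost phone. The `revoke_on_password_change` switch reproduces the reported behaviour when turned off; user names, the signing key and the token format are constructed for the example.

```python
import hashlib
import hmac
import secrets


class TokenService:
    """Hypothetical session store (not Wink's service). Each token carries the user's
    credential generation; validate() only accepts tokens from the current generation."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)   # server-side HMAC key, never sent to clients
        self.generation = {}                     # user -> current credential generation
        self.revoke_on_password_change = True    # False reproduces the reported weakness

    def _sign(self, user, generation, nonce):
        msg = f"{user}:{generation}:{nonce}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue_token(self, user):
        # User names must not contain ':' because it is the field separator here.
        gen = self.generation.setdefault(user, 0)
        nonce = secrets.token_hex(8)
        return f"{user}:{gen}:{nonce}:{self._sign(user, gen, nonce)}"

    def change_password(self, user):
        # Bumping the generation is what makes every earlier token stop validating.
        if self.revoke_on_password_change:
            self.generation[user] = self.generation.get(user, 0) + 1

    def validate(self, token):
        try:
            user, gen, nonce, sig = token.split(":")
            gen = int(gen)
        except ValueError:
            return False
        if not hmac.compare_digest(sig, self._sign(user, gen, nonce)):
            return False                          # forged or tampered token
        return gen == self.generation.get(user, 0)  # stale generation => revoked


def scenario(revoke_on_change):
    """Returns (stolen token still valid?, fresh token valid?) after a password change."""
    svc = TokenService()
    svc.revoke_on_password_change = revoke_on_change
    stolen = svc.issue_token("alice")   # token as it would sit in the app's config file
    svc.change_password("alice")
    fresh = svc.issue_token("alice")
    return svc.validate(stolen), svc.validate(fresh)
```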

Wink doesn't make its own peripheral devices, but instead integrates its hub with existing products from other vendors. However, Insteon manufactures a variety of switches, light bulbs, power outlets, sensors, door locks, cameras and other devices that work with its own hub.

These devices communicate over a proprietary radio frequency (RF) protocol that uses the 915MHz band and which, according to Heiland, doesn't use encryption. This makes it susceptible to replay attacks, where an attacker who is in the communications range of the hub can capture a command sent to a device and then replay it later to achieve the same result.

Heiland tested this attack successfully against Insteon's Garage Door Control Kit, capturing the signal to open and close the door from the hub and replaying it later to open the garage door.

The lack of encryption in Insteon's protocol was previously reported by a security researcher named Peter Shipley in a talk at the DEF CON security conference in 2015. According to Heiland, even though the protocol's documentation mentions that encryption can be used, the actual implementation used by Insteon's Garage Door Control Kit or lighting products doesn't.
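To show what stops the replay attack described above, here is an added example (constructed, not Insteon's protocol) of a command frame that carries a monotonic counter and an HMAC tag, and a receiver that rejects a captured frame when it is sent again or altered. The shared key and frame layout are assumptions for the example.

```python
import hashlib
import hmac

# Constructed demo key; in a real deployment each hub/device pair would hold its own.
KEY = b"constructed-demo-key-shared-by-hub-and-device"
TAG_LEN = 8


def build_frame(counter, command, key=KEY):
    """Frame = "<counter>:<command>" followed by a fixed-length HMAC-SHA256 tag."""
    body = f"{counter}:{command}".encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Device side: accepts a frame only if its tag verifies and its counter is new.
    A real device would persist last_counter so a reboot does not reopen the window."""

    def __init__(self, key=KEY):
        self.key = key
        self.last_counter = -1
        self.accepted = []

    def handle(self, frame):
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad mac"          # altered frame or wrong key
        counter, _, command = body.decode().partition(":")
        counter = int(counter)
        if counter <= self.last_counter:
            return "rejected: replay"           # captured frame sent again
        self.last_counter = counter
        self.accepted.append(command)
        return "accepted"


def demo():
    rx = Receiver()
    open_frame = build_frame(1, "open")
    tampered = build_frame(3, "open")
    tampered = tampered[:-1] + bytes([tampered[-1] ^ 1])   # flip one bit of the tag
    results = [
        rx.handle(open_frame),                  # first delivery: accepted
        rx.handle(open_frame),                  # identical frame replayed: rejected
        rx.handle(build_frame(2, "close")),     # next counter value: accepted
        rx.handle(build_frame(1, "open")),      # old counter re-sent: rejected
        rx.handle(tampered),                    # modified frame: rejected
    ]
    return results, rx.accepted
```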

The Android application used to control the Insteon Hub was also found to store credentials in plain text, namely the username and password for the user's online account, as well as the username and password that can be used to control the hub directly over the local area network.

Rapid7 notified Insteon about the vulnerabilities on Jul. 19 and, even though the company acknowledged receiving the report and said it intended to review it, it hasn't communicated any patching plans, Heiland said. Details about the vulnerabilities were published after 60 days, which is Rapid7's normal vulnerability disclosure deadline unless vendors ask for extra time, he explained.

When it comes to replay attacks, there's not much users can do to protect themselves without a vendor patch, other than simply not using the vulnerable products, Heiland said. "That's typically my recommendation."

To reduce the risk of credential theft from mobile apps, users should keep their mobile operating systems up to date and also lock their mobile devices with a password, the researcher said. "If you make it difficult for someone to gain access to your device it's more likely they're just going to wipe it and keep it rather than try to gain access to the data. So you want to make it a little more difficult for them."

More generally, Heiland advises users to research the security track record of the devices they intend to buy, as well as how their creators respond to security vulnerabilities. All software has bugs, but the way in which companies handle vulnerability reports and release patches is what makes the difference.

Wink and Insteon did not immediately respond to a request for comment.
