Bug

Bug In WordPress Plugin Can Let Hackers Wipe Up To 200,000 Sites (zdnet.com)

An anonymous reader quotes a report from ZDNet: WordPress site owners who use commercial themes provided by ThemeGrill are advised to update one of the plugins that come installed with these themes in order to patch a critical bug that can let attackers wipe their sites. The vulnerability resides in ThemeGrill Demo Importer, a plugin that ships with themes sold by ThemeGrill, a web development company that sells commercial WordPress themes. The plugin, which is installed on more than 200,000 sites, allows site owners to import demo content inside their ThemeGrill themes so they'll have examples and a starting point on which they can build their own sites.

However, in a report published yesterday, WordPress security firm WebARX says that older versions of the ThemeGrill Demo Importer are vulnerable to remote attacks from unauthenticated attackers. Remote hackers can send a specially crafted payload to vulnerable sites and trigger a function inside the plugin. The vulnerable function resets the site's content to zero, effectively wiping the content of all WordPress sites where a ThemeGrill theme is active, and the vulnerable plugin is installed. Furthermore, if the site's database contains a user named "admin," then the attacker is granted access to that user with full administrator rights over the site.

Privacy

Plastic Surgery Images and Invoices Leak From Unsecured Database (cnet.com)

Thousands of images, videos and records pertaining to plastic surgery patients were left on an unsecured database where they could be viewed by anyone with the right IP address, researchers said Friday. From a report: The data included about 900,000 records, which researchers say could belong to thousands of different patients. The data was generated at clinics around the world using software made by French imaging company NextMotion. Images in the database included before-and-after photos of cosmetic procedures. Those photos often contained nudity, the researchers said. Other records included images of invoices that contained information that would identify a patient. The database is now secured. Researchers Noam Rotem and Ran Locar found the exposed database. They published their research with vpnMentor, a security website. Rotem said he sees exposed health care databases all too often as part of his web-mapping project, which looks for exposed data. "The state of privacy protection, especially in health care, is really abysmal," Rotem said.
Transportation

Storm Ciara Helps Plane Beat Transatlantic Flight Record (bbc.com)

Experts are hailing a British Airways flight as the fastest subsonic New York to London journey. From a report: The Boeing 747-436 reached speeds of 825 mph (1,327 km/h) as it rode a jet stream accelerated by Storm Ciara. The four-hour, 56-minute flight arrived at Heathrow Airport 80 minutes ahead of schedule on Sunday morning. According to Flightradar24, an online flight tracking service, it beat a previous record of five hours 13 minutes held by Norwegian. The BBC has been unable to independently verify the record as no complete database of flight times was available. Aviation consultant and former BA pilot Alastair Rosenschein said the aeroplane reached a "phenomenal speed." "The pilot will have sat their aircraft in the core of the jet stream and at this time of year it's quite strong. Turbulence in those jet streams can be quite severe, but you can also find it can be a very smooth journey."
Government

US Gov't Buys Location Data For Millions of Cellphones (engadget.com)

America's government "has reportedly acquired access to a commercial database that tracks the movements of millions of cellphones in the U.S.," reports CNET. "The data is being used for immigration and border enforcement, according to sources and documents reviewed by The Wall Street Journal."

Engadget's report on the news notes it's been going on "since at least 2017." The publication says the government bought the data from a company called Venntel, which in turn purchased it from a variety of marketing companies...

"This is a classic situation where creeping commercial surveillance in the private sector is now bleeding directly over into government," Alan Butler, the general counsel of the Electronic Privacy Information Center, told the WSJ.

The American Civil Liberties Union told TechCrunch that it plans to fight the newly-revealed practice, arguing that the government "should not be accessing our location information without a warrant."

CNET adds that the data "is reportedly collected from apps for gaming, weather and shopping that ask users to grant them location access."
Government

New Database Showcases How Algorithms Are Rewriting Government Policies Around the US (muckrock.com)

v3rgEz writes: Everyday government decisions from bus routes to policing used to be based on limited information and human judgment. Governments now use the ability to collect and analyze hundreds of data points every day to automate many of their decisions.

The non-profit MuckRock, in partnership with Rutgers Institute for Information Policy and Law, has a database detailing how local governments across the U.S. are adopting algorithmic decision making, as well as an open collection of contracts, manuals, and other primary source documents detailing how these programs are implemented and overseen.
"Automation and artificial intelligence could improve the notorious inefficiencies of government," argues one page at Muckrock, "and it could exacerbate existing errors in the data being used to power it..."

"Does handing government decisions over to algorithms save time and money? Can algorithms be fairer or less biased than human decision making? Do they make us safer?"
Science

A Long-Lost Legendary Roman Fruit Tree Has Been Grown From 2,000-Year-Old Seeds (sciencealert.com)

"Scientists have cultivated plants from date palm seeds that languished in ancient ruins and caves for 2,000 years," writes ScienceAlert. schwit1 shared their report: This remarkable feat confirms the long-term viability of the kernels once ensconced in succulent Judean dates, a fruit cultivar lost for centuries. The results make it an excellent candidate for studying the longevity of plant seeds. From those date palm saplings, the researchers have begun to unlock the secrets of the highly sophisticated cultivation practices that produced the dates praised by Herodotus, Galen, and Pliny the Elder.

First, they collected fragments of the seed shells still clinging to the roots of the plants. These were perfect for radiocarbon dating -- which confirmed the seeds date back to between 1,800 and 2,400 years ago. Then, the researchers could conduct genetic analyses of the plants themselves, comparing them to a genetic database of current date palms. This showed exchanges of genetic material between eastern date palms from the Middle East and western date palms from North Africa.

Indeed, the researchers found that the ancient seeds were up to 30 percent larger than date seeds today, which probably meant the fruit was larger, too.

And, of course, there's the seemingly miraculous germination after so many centuries. As anyone who buys seeds for their garden knows, seeds deteriorate; the longer you have a packet of seeds sitting in storage, the fewer will germinate when you finally plant them. If scientists can discover how the date seeds retained their viability for so long, that could have important implications for agriculture.

AI

Google, YouTube and Venmo Send Cease-and-Desist Letters To Facial Recognition App That Helps Law Enforcement (cbsnews.com)

Google, YouTube and Venmo have sent cease-and-desist letters to Clearview AI, a facial recognition app that scrapes images from websites and social media platforms, CBS News has learned. The tech companies join Twitter, which sent a similar letter in January, in trying to block the app from taking pictures from their platforms. From the report: Clearview AI can identify a person by comparing their picture to its database of three billion images from the internet, and the results are 99.6% accurate, CEO Hoan Ton-That told CBS News correspondent Errol Barnett. The app is only available to law enforcement to be used to identify criminals, Ton-That said. "You have to remember that this is only used for investigations after the fact. This is not a 24/7 surveillance system," he said. But YouTube, which is owned by Google, as well as Venmo and Twitter say the company is violating its policies. [...] In addition to demanding that Clearview AI stop scraping content from Twitter, the social media platform demanded that the app delete all data already collected from Twitter, according to an excerpt of the cease-and-desist letter given to CBS News. Update: LinkedIn is joining the party.
Businesses

Instacart Employees in One Chicago Store Have Just Voted To Join a Union (engadget.com)

"Gig economy workers may have won an important, if conditional, battle in their push for better conditions," reports Engadget: Instacart employees in the Chicago suburb of Skokie have voted to unionize through their local branch of United Food and Commercial Workers, giving them more collective bargaining power than they had before.

The move only covers 15 staffers who operate at the Mariano's grocery store, but it's the first time Instacart employees have unionized in the U.S. and could affect issues like turnover rates, work pacing and mysterious employee rating algorithms. In a statement, Instacart said it "will honor" the unionization vote pending certification of the results, and that it intended to negotiate in "good faith" on a collective bargaining agreement. The company added that it "respect[s] our employees' rights to explore unionization."

Motherboard reports that prior to the vote Instacart had "enlisted high-level managers to visit the Mariano's grocery store where the unionizing workers pick and pack groceries for delivery. The managers distributed anti-union literature warning employees that a union would drain paychecks and 'exercise a great deal of control' over workers."

They also cite stats from the "Collective Actions in Tech" database showing there were 100 organizing actions in just the last year by workers at Google, Amazon, Facebook, and Microsoft -- and note that this month will also see the results of a vote by Kickstarter employees on whether to unionize.
Privacy

Breach at Indian Airline SpiceJet Affects 1.2 Million Passengers (techcrunch.com)

SpiceJet, one of India's largest privately owned airlines, suffered a data breach involving the details of more than a million of its passengers, a security researcher told TechCrunch. From the report: The security researcher, who described their actions as "ethical hacking" but whom we are not naming as they likely fell afoul of U.S. computer hacking laws, gained access to one of SpiceJet's systems by brute-forcing the system's easily guessable password. An unencrypted database backup file on that system contained private information of more than 1.2 million passengers of the budget-carrier last month, TechCrunch has learned. Each record included details such as name of the passenger, their phone number, email address and their date of birth, the researcher told TechCrunch. Some of these passengers were state officials, they said. The database included a rolling month's worth of flight information and details of each commuter, they said, adding that they believe that the database was easily accessible for anyone who knew where to look.
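The entry point described above was a guessed password on an Internet-facing system. The detection a defender would want for that is a burst of failed logins from one source followed by a success. The following is an added example (not code from SpiceJet, TechCrunch or the researcher) that runs that logic over constructed log lines in a hypothetical format, `<ISO timestamp> src=<ip> user=<name> result=<ok|fail>`; the addresses, user names and thresholds are assumptions for illustration.

```python
"""Sliding-window brute-force detection over constructed auth log lines.

Added example; the log format, sample events and thresholds are assumptions,
not SpiceJet's. Alerts once when a source reaches THRESHOLD failures inside
WINDOW, and again if that source then logs in successfully, which is the
signature of a guessed password rather than a user fumbling a passphrase.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                   # failures within WINDOW that count as a burst
WINDOW = timedelta(minutes=2)

# Constructed sample log (RFC 5737 documentation addresses, hypothetical users).
SAMPLE_LOG = """\
2020-01-20T10:00:01Z src=203.0.113.7 user=admin result=fail
2020-01-20T10:00:03Z src=203.0.113.7 user=admin result=fail
2020-01-20T10:00:05Z src=203.0.113.7 user=admin result=fail
2020-01-20T10:00:08Z src=198.51.100.2 user=alice result=ok
2020-01-20T10:00:09Z src=203.0.113.7 user=admin result=fail
2020-01-20T10:00:12Z src=203.0.113.7 user=admin result=fail
2020-01-20T10:00:15Z src=203.0.113.7 user=admin result=ok
2020-01-20T10:20:00Z src=198.51.100.2 user=alice result=fail
2020-01-20T10:20:30Z src=198.51.100.2 user=alice result=ok
"""


def parse_line(line):
    """Parse one line of the hypothetical format into (timestamp, src, user, result)."""
    ts_text, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["src"], fields["user"], fields["result"]


def detect(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return a list of (kind, src, user, timestamp) alerts.

    kind is "burst" when a source hits `threshold` failures inside `window`
    (raised once per burst, not on every further failure) and
    "success-after-burst" when a success follows such a burst.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = parse_line(line)
        failures = recent[src]
        # Drop failures that have aged out of the window (log is time-ordered).
        while failures and ts - failures[0] > window:
            failures.popleft()
        if result == "fail":
            failures.append(ts)
            if len(failures) == threshold:
                alerts.append(("burst", src, user, ts))
        elif result == "ok" and len(failures) >= threshold:
            alerts.append(("success-after-burst", src, user, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In the sample, `203.0.113.7` raises a burst alert on its fifth failure at 10:00:12 and a second alert when it succeeds three seconds later; `alice` at `198.51.100.2`, who mistypes once and then logs in, raises nothing. The same logic keyed on user rather than source catches password spraying, where one account is tried slowly from many addresses.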
Security

New Web Service Can Notify Companies When Their Employees Get Phished (zdnet.com)

Starting today, companies across the world have a new free web service at their disposal that will automatically send out email notifications if one of their employees gets phished. From a report: The service is named "I Got Phished" and is managed by Abuse.ch, a non-profit organization known for its malware and cyber-crime tracking operations. Just like all other Abuse.ch services, I Got Phished will be free to use. Any company can sign-up via the I Got Phished website. Signing up only takes a few seconds. Subscribing for email notifications is done on a domain name basis, and companies don't have to expose a list of their employee email addresses to a third-party service. Once a company's security staff has subscribed to the service, I Got Phished will check its internal database for email addresses for the company's email domain. This database contains logs from phishing operations, with emails for phished victims.
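The privacy property described above, that a subscriber registers a domain and never hands over a list of mailboxes, comes down to how victim addresses are matched against subscribed domains. The following is an added illustration of that matching, not Abuse.ch's code; the addresses and domains are constructed, and the lookalike entry shows why the match has to respect the dotted boundary rather than be a plain suffix test.

```python
"""Match phished addresses to subscribed domains without a mailbox list.

Added example, not the I Got Phished implementation. The victim addresses
below are constructed; the domains are reserved example names. A subscriber
for example.com receives hits for example.com and its subdomains, never for
look-alike domains such as example.com.attacker.net, and never for other
subscribers' domains.
"""
from collections import defaultdict
from typing import Optional

# Constructed sample: addresses as they might be harvested from phishing-kit logs.
PHISHED_ADDRESSES = [
    "Alice.Smith@Example.com",
    "bob@mail.example.com",            # subdomain of a subscribed domain
    "carol@example.com.attacker.net",  # lookalike; must NOT match example.com
    "dave@other.org",
    "not-an-address",                  # malformed entry, skipped
    "erin@EXAMPLE.COM",
    "frank@unsubscribed.test",         # nobody subscribed, never reported
]

SUBSCRIBED_DOMAINS = {"example.com", "other.org"}


def domain_of(address: str) -> Optional[str]:
    """Return the lowercase domain part of an address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain or "." not in domain:
        return None
    return domain.lower()


def matches_subscription(domain: str, subscribed: str) -> bool:
    """True if `domain` is `subscribed` itself or a subdomain of it.

    The comparison is anchored on a dot so that "example.com.attacker.net"
    does not match a subscription for "example.com".
    """
    subscribed = subscribed.lower()
    return domain == subscribed or domain.endswith("." + subscribed)


def notifications(addresses, subscribed_domains):
    """Group phished addresses by the subscribed domain they belong to.

    Returns {domain: sorted list of normalized addresses}. Addresses outside
    every subscribed domain are dropped, so the service only ever reveals
    a subscriber's own victims to that subscriber.
    """
    grouped = defaultdict(set)
    for addr in addresses:
        domain = domain_of(addr)
        if domain is None:
            continue
        for sub in subscribed_domains:
            if matches_subscription(domain, sub):
                grouped[sub].add(addr.strip().lower())
                break
    return {sub: sorted(hits) for sub, hits in grouped.items()}


if __name__ == "__main__":
    for sub, hits in notifications(PHISHED_ADDRESSES, SUBSCRIBED_DOMAINS).items():
        print(sub, "->", hits)
```

Subdomain matching is a design choice: it lets a subscriber for a parent domain cover its mail subdomains, but in a shared-hosting or university setting where subdomains belong to different parties it would over-share, and the match should then be exact.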
Privacy

Clearview AI Is Struggling To Address Complaints As Its Legal Issues Mount (buzzfeednews.com)

An anonymous reader quotes a report from BuzzFeed News: Clearview AI, the facial recognition company that claims to have amassed a database of more than 3 billion photos scraped from Facebook, YouTube, and millions of other websites, is scrambling to deal with calls for bans from advocacy groups and legal threats. These troubles come after news reports exposed its questionable data practices and misleading statements about working with law enforcement. Following stories published in the New York Times and BuzzFeed News, the Manhattan-based startup received cease-and-desist letters from Twitter and the New Jersey attorney general. It was also sued in Illinois in a case seeking class-action status.

Despite its legal woes, Clearview continues to contradict itself, according to documents obtained by BuzzFeed News that are inconsistent with what the company has told the public. In one example, the company, whose code of conduct states that law enforcement should only use its software for criminal investigations, encouraged officers to use it on their friends and family members. In the aftermath of revelations about its technology, Clearview has tried to clean up its image by posting informational webpages, creating a blog, and trotting out surrogates for media interviews, including one in which an investor claimed Clearview was working with "over a thousand independent law enforcement agencies." Previously, Clearview had stated that the number was around 600. Clearview has also tried to allay concerns that its technology could be abused or used outside the scope of police investigations. In a code of conduct that the company published on its site earlier this month, it said its users should "only use the Services for law enforcement or security purposes that are authorized by their employer and conducted pursuant to their employment." It bolstered that idea with a blog post on Jan. 23, which stated, "While many people have advised us that a public version would be more profitable, we have rejected the idea."
"Clearview exists to help law enforcement agencies solve the toughest cases, and our technology comes with strict guidelines and safeguards to ensure investigators use it for its intended purpose only," the post stated.

But in a November email, a company representative encouraged a police officer to use the software on himself and his acquaintances. "Have you tried taking a selfie with Clearview yet?" the email read. "It's the best way to quickly see the power of Clearview in real time. Try your friends or family. Or a celebrity like Joe Montana or George Clooney. Your Clearview account has unlimited searches. So feel free to run wild with your searches."
Privacy

Government Privacy Watchdog Under Pressure To Recommend Facial Recognition Ban (thehill.com)

An anonymous reader quotes a report from The Hill: The Privacy and Civil Liberties Oversight Board (PCLOB), an independent agency, is coming under increasing pressure to recommend the federal government stop using facial recognition. Forty groups, led by the Electronic Privacy Information Center, sent a letter Monday to the agency calling for the suspension of facial recognition systems "pending further review." "The rapid and unregulated deployment of facial recognition poses a direct threat to 'the precious liberties that are vital to our way of life,'" the advocacy groups wrote.

The PCLOB "has a unique responsibility, set out in statute, to assess technologies and policies that impact the privacy of Americans after 9-11 and to make recommendations to the President and executive branch," they wrote. The agency, created in 2004, advises the administration on privacy issues. The letter cited a recent New York Times report about Clearview AI, a company which claims to have a database of more than 3 billion photos and is reportedly collaborating with hundreds of police departments. It also mentioned a study by the National Institute of Standards and Technology, part of the Commerce Department, which found that the majority of facial recognition systems have "demographic differentials" that can worsen their accuracy based on a person's age, gender or race.

Earth

Albatrosses Outfitted With GPS Trackers Detect Illegal Fishing Vessels (smithsonianmag.com)

schwit1 shares a report from the Smithsonian: Capable of following fishing boats into remote regions out of reach of monitoring machines like ships, aircraft and even certain satellites, these feathered crimefighters could offer a convenient and cost-effective way to keep tabs on foul play at sea -- and may even help gather crucial conservation data along the way. [...] On top of their stamina and moxie, albatrosses also have a certain fondness for fish-toting vessels, says study author Samantha Patrick, a marine biologist at the University of Liverpool. To the birds, the fishing gear attached to these boats is basically a smorgasbord of snacks -- and albatrosses can spot the ships from almost 20 miles away.

To test the birds' patrolling potential, the researchers stomped into the marshy nesting grounds of wandering albatrosses (Diomedea exulans) and Amsterdam albatrosses (Diomedea amsterdamensis) roosting on Crozet, Kerguelen and Amsterdam, three remote island locales in the southern Indian Ocean. After selecting 169 individuals of different ages, the team taped or glued transceivers, each weighing just two ounces, to the birds' backs and bid them adieu. Over the course of six months, the team's army of albatrosses surveyed over 20 million square miles of sea. Whenever the birds came within three or so miles of a boat, their trackers logged its coordinates, then beamed them via satellite to an online database that officials could access and cross-check with automatic identification system (AIS) data. Of the 353 fishing vessels detected, a whopping 28 percent had their AIS switched off. The number of covert ships was especially high in international waters, where about 37 percent of vessels operated AIS-free. [...] Because the birds and their transceivers detected only radar, no identifying information was logged. The task of verifying a boat's legal status still falls to officials, who must then decide whether to take action, Patrick explains. But in mapping potential hotspots of illegal fishing, the birds set off a chain reaction that could help bring perpetrators to justice.
The results of the tracking method were published in the journal PNAS.
Government

Maryland Bill Would Outlaw Ransomware, Keep Researchers From Reporting Bugs (arstechnica.com)

A proposed law introduced in Maryland's state senate last week would criminalize the possession of ransomware and other criminal activities with a computer. However, CEO of Luta Security Katie Moussouris warns that the current bill "would prohibit vulnerability disclosure unless the specific systems or data accessed by the helpful security researcher were explicitly authorized ahead of time and would prohibit public disclosure if the reports were ignored." Ars Technica reports: The bill, Senate Bill 3, covers a lot of ground already covered by U.S. Federal law. But it classifies the mere possession of ransomware as a misdemeanor punishable by up to 10 years of imprisonment and a fine of up to $10,000. The bill also states (in all capital letters in the draft) that "THIS PARAGRAPH DOES NOT APPLY TO THE USE OF RANSOMWARE FOR RESEARCH PURPOSES."

Additionally, the bill would outlaw unauthorized intentional access or attempts to access "all or part of a computer network, computer control language, computer, computer software, computer system, computer service, or computer database; or copy, attempt to copy, possess, or attempt to possess the contents of all or part of a computer database accessed." It also would criminalize under Maryland law any act intended to "cause the malfunction or interrupt the operation of all or any part" of a network, the computers on it, or their software and data, or "possess, identify, or attempt to identify a valid access code; or publicize or distribute a valid access code to an unauthorized person." There are no research exclusions in the bill for these provisions.
"While access or attempted access would be a misdemeanor (punishable by a fine of $1,000, three years of imprisonment, or both), breaching databases would be a felony if damages were determined to be greater than $10,000 -- punishable by a sentence of up to 10 years, a fine of $10,000, or both," the report adds. "The punishments go up if systems belonging to the state government, electric and gas utilities, or public utilities are involved, with up to 10 years of imprisonment and a $25,000 fine if more than $50,000 in damage is done."
Twitter

Twitter Tells Facial Recognition Trailblazer To Stop Using Site's Photos (nytimes.com)

Kashmir Hill reporting for The New York Times: A mysterious company that has licensed its powerful facial recognition technology to hundreds of law enforcement agencies is facing attacks from Capitol Hill and from at least one Silicon Valley giant. Twitter sent a letter this week to the small start-up company, Clearview AI, demanding that it stop taking photos and any other data from the social media website "for any reason" and delete any data that it previously collected, a Twitter spokeswoman said. The cease-and-desist letter, sent on Tuesday, accused Clearview of violating Twitter's policies.

The New York Times reported last week that Clearview had amassed a database of more than three billion photos from social media sites -- including Facebook, YouTube, Twitter and Venmo -- and elsewhere on the internet. The vast database powers an app that can match people to their online photos and link back to the sites the images came from. The app is used by more than 600 law enforcement agencies, ranging from local police departments to the F.B.I. and the Department of Homeland Security. Law enforcement officials told The Times that the app had helped them identify suspects in many criminal cases.
It's unclear what social media sites can do to force Clearview to remove images from its database. "In the past, companies have sued websites that scrape information, accusing them of violating the Computer Fraud and Abuse Act, an anti-hacking law," notes the NYT. "But in September, a federal appeals court in California ruled against LinkedIn in such a case, establishing a precedent that the scraping of public data most likely doesn't violate the law."
Microsoft

Microsoft Discloses Security Breach of Customer Support Database Containing 250 Million Records (zdnet.com)

An anonymous reader quotes a report from ZDNet: Microsoft disclosed today a security breach that took place last month in December 2019. In a blog post today, the OS maker said that an internal customer support database that was storing anonymized user analytics was accidentally exposed online without proper protections between December 5 and December 31. The database was spotted and reported to Microsoft by Bob Diachenko, a security researcher with Security Discovery.

The leaky customer support database consisted of a cluster of five Elasticsearch servers, a technology used to simplify search operations, Diachenko told ZDNet today. All five servers stored the same data, appearing to be mirrors of each other. Diachenko said Microsoft secured the exposed database on the same day he reported the issue to the OS maker, despite being New Year's Eve. The servers contained roughly 250 million entries, with information such as email addresses, IP addresses, and support case details. Microsoft said that most of the records didn't contain any personal user information.
"Microsoft blamed the accidental server exposure on misconfigured Azure security rules it deployed on December 5, which it now fixed," adds ZDNet.

They went on to list several changes to prevent this sort of thing from happening again, such as "auditing the established network security rules for internal resources" and "adding additional alerting to service teams when security rule misconfigurations are detected."
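"Auditing the established network security rules" is the concrete control here: an Elasticsearch cluster is only reachable from the Internet if an inbound Allow rule with an Internet-wide source covers its port and nothing with higher priority denies it. The following is an added example of such an audit, not Microsoft's code. It reads rules in the JSON shape returned by `az network nsg show` (the `securityRules` array with `name` and `properties`); the network security group, rule names, ports and prefixes below are constructed for illustration.

```python
"""Flag Azure NSG rules that expose sensitive service ports to the Internet.

Added example; the NSG below is constructed, not Microsoft's configuration.
Rules are evaluated in priority order, as Azure does, so an Allow that is
shadowed by a higher-priority Deny is not reported, and Azure's implicit
DenyAllInbound default means only an explicit Internet-wide Allow counts.
"""
import ipaddress

# Ports whose exposure to the Internet is almost never intended.
SENSITIVE_PORTS = {
    9200: "Elasticsearch REST",
    9300: "Elasticsearch transport",
    27017: "MongoDB",
    6379: "Redis",
    3306: "MySQL",
    5432: "PostgreSQL",
}

# Constructed NSG in `az network nsg show` shape (hypothetical names and values).
SAMPLE_NSG = {
    "name": "support-cluster-nsg",
    "securityRules": [
        {"name": "deny-redis-from-internet",
         "properties": {"priority": 100, "direction": "Inbound", "access": "Deny",
                        "protocol": "Tcp", "sourceAddressPrefix": "Internet",
                        "destinationAddressPrefix": "*", "destinationPortRange": "6379"}},
        {"name": "allow-es-from-anywhere",   # the misconfiguration: wildcard source
         "properties": {"priority": 200, "direction": "Inbound", "access": "Allow",
                        "protocol": "Tcp", "sourceAddressPrefix": "*",
                        "destinationAddressPrefix": "*", "destinationPortRanges": ["9200-9300"]}},
        {"name": "allow-redis-from-anywhere",   # shadowed by the Deny at priority 100
         "properties": {"priority": 300, "direction": "Inbound", "access": "Allow",
                        "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0",
                        "destinationAddressPrefix": "*", "destinationPortRange": "6379"}},
        {"name": "allow-mysql-from-vnet",   # restricted source, not a finding
         "properties": {"priority": 400, "direction": "Inbound", "access": "Allow",
                        "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/8",
                        "destinationAddressPrefix": "*", "destinationPortRange": "3306"}},
    ],
}


def is_internet_source(prefix: str) -> bool:
    """True for the wildcard, the Internet service tag, or a /0 CIDR (v4 or v6)."""
    p = prefix.strip().lower()
    if p in ("*", "internet"):
        return True
    try:
        return ipaddress.ip_network(p, strict=False).prefixlen == 0
    except ValueError:           # other service tags such as VirtualNetwork
        return False


def port_ranges(props):
    """Expand destinationPortRange(s) into a list of (low, high) tuples."""
    ranges = props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]
    out = []
    for r in ranges:
        r = str(r).strip()
        if r == "*":
            out.append((0, 65535))
        elif "-" in r:
            lo, hi = r.split("-", 1)
            out.append((int(lo), int(hi)))
        else:
            out.append((int(r), int(r)))
    return out


def covers(ranges, port):
    return any(lo <= port <= hi for lo, hi in ranges)


def audit(nsg):
    """Return [(rule name, port, service)] for ports reachable from the Internet.

    For each sensitive TCP port, walk inbound rules by ascending priority and
    let the first rule whose source includes the Internet and whose port range
    covers the port decide; later rules are shadowed. No matching rule means
    Azure's default DenyAllInbound applies, which is not a finding.
    """
    rules = sorted(nsg["securityRules"], key=lambda r: r["properties"]["priority"])
    findings = []
    for port, service in sorted(SENSITIVE_PORTS.items()):
        for rule in rules:
            p = rule["properties"]
            if p["direction"].lower() != "inbound":
                continue
            if p.get("protocol", "*").lower() not in ("*", "tcp"):
                continue
            sources = p.get("sourceAddressPrefixes") or [p.get("sourceAddressPrefix", "*")]
            if not any(is_internet_source(s) for s in sources):
                continue
            if not covers(port_ranges(p), port):
                continue
            if p["access"].lower() == "allow":
                findings.append((rule["name"], port, service))
            break
    return findings


if __name__ == "__main__":
    for name, port, service in audit(SAMPLE_NSG):
        print(f"{SAMPLE_NSG['name']}: rule {name} exposes {service} (tcp/{port}) to the Internet")
```

On the constructed NSG the audit reports only `allow-es-from-anywhere`, for both Elasticsearch ports. The fix is the one the ZDNet account implies: narrow `sourceAddressPrefix` to the subnets or service tag that legitimately need the cluster, and wire the check into deployment so a rule like this fails review before it reaches production rather than being found by an outside researcher weeks later. The audit deliberately treats only wildcard, `Internet` and `/0` sources as Internet-wide; a rule allowing a broad public CIDR would need a separate policy decision.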
AI

IBM's Debating AI Just Got a Lot Closer To Being a Useful Tool (technologyreview.com)

We make decisions by weighing pros and cons. Artificial intelligence has the potential to help us with that by sifting through ever-increasing mounds of data. But to be truly useful, it needs to reason more like a human. An artificial intelligence technique known as argument mining could help. From a report: IBM has just taken a big step in that direction. The company's Project Debater team has spent several years developing an AI that can build arguments. Last year IBM demonstrated its work-in-progress technology in a live debate against a world-champion human debater, the equivalent of Watson's Jeopardy! showdown. Such stunts are fun, and it provided a proof of concept. Now IBM is turning its toy into a genuinely useful tool. The version of Project Debater used in the live debates included the seeds of the latest system, such as the capability to search hundreds of millions of news articles. But in the months since, the team has extensively tweaked the neural networks it uses, improving the quality of the evidence the system can unearth. One important addition is BERT, a neural network Google built for natural-language processing, which can answer queries. The work will be presented at the Association for the Advancement of Artificial Intelligence conference in New York next month.

To train their AI, lead researcher Noam Slonim and his colleagues at IBM Research in Haifa, Israel, drew on 400 million documents taken from the LexisNexis database of newspaper and journal articles. This gave them some 10 billion sentences, a natural-language corpus around 50 times larger than Wikipedia. They paired this vast evidence pool with claims about several hundred different topics, such as "Blood donation should be mandatory" or "We should abandon Valentine's Day." They then asked crowd workers on the Figure Eight platform to label sentences according to whether or not they provided evidence for or against particular claims. The labeled data was fed to a supervised learning algorithm.

Privacy

Bruce Schneier: Banning Facial Recognition Isn't Enough (nytimes.com)

Bruce Schneier, writing at New York Times: Communities across the United States are starting to ban facial recognition technologies. In May of last year, San Francisco banned facial recognition; the neighboring city of Oakland soon followed, as did Somerville and Brookline in Massachusetts (a statewide ban may follow). In December, San Diego suspended a facial recognition program in advance of a new statewide law, which declared it illegal, coming into effect. Forty major music festivals pledged not to use the technology, and activists are calling for a nationwide ban. Many Democratic presidential candidates support at least a partial ban on the technology. These efforts are well intentioned, but facial recognition bans are the wrong way to fight against modern surveillance. Focusing on one particular identification method misconstrues the nature of the surveillance society we're in the process of building. Ubiquitous mass surveillance is increasingly the norm. In countries like China, a surveillance infrastructure is being built by the government for social control. In countries like the United States, it's being built by corporations in order to influence our buying behavior, and is incidentally used by the government.

In all cases, modern mass surveillance has three broad components: identification, correlation and discrimination. Let's take them in turn. Facial recognition is a technology that can be used to identify people without their knowledge or consent. It relies on the prevalence of cameras, which are becoming both more powerful and smaller, and machine learning technologies that can match the output of these cameras with images from a database of existing photos. But that's just one identification technology among many. People can be identified at a distance by their heartbeat or by their gait, using a laser-based system. Cameras are so good that they can read fingerprints and iris patterns from meters away. And even without any of these technologies, we can always be identified because our smartphones broadcast unique numbers called MAC addresses. Other things identify us as well: our phone numbers, our credit card numbers, the license plates on our cars. China, for example, uses multiple identification technologies to support its surveillance state.

Government

Facial Recognition Database With 3 Billion Scraped Images 'Might End Privacy as We Know It' (muckrock.com)

One police detective bragged that photos "could be covertly taken with a telephoto lens" then input into Clearview AI's database of more than three billion scraped images to immediately identify suspects.

Long-time Slashdot reader v3rgEz writes: For the past year, government transparency non-profits and Open the Government have been digging into how local police departments around the country use facial recognition. The New York Times reports on their latest discovery: that a Peter Thiel-backed startup, Clearview, has scraped Facebook, Venmo, and dozens of other social media sites to create a massive, unregulated tool for law enforcement to track where you were, who you were with, and more, all with just a photo.

Read the Clearview docs yourself and file a request in your town to see if your police department is using it.

The Times describes Clearview as "the secretive company that might end privacy as we know it," with one of the company's early investors telling the newspaper that because information technology keeps getting more powerful, he's concluded that "there's never going to be privacy."

He also expresses his belief that technology can't be banned, then acknowledges "Sure, that might lead to a dystopian future or something, but you can't ban it."
Medicine

98.6 Degrees Fahrenheit Isn't the Average Anymore (smithsonianmag.com)

schwit1 shares a report from The Wall Street Journal: Nearly 150 years ago, [German physician Carl Reinhold August Wunderlich] analyzed a million temperatures from 25,000 patients and concluded that normal human-body temperature is 98.6 degrees Fahrenheit. In a new study, researchers from Stanford University argue that Wunderlich's number was correct at the time but is no longer accurate because the human body has changed. Today, they say, the average normal human-body temperature is closer to 97.5 degrees Fahrenheit (Warning: source paywalled; alternative source).

To test their hypothesis that today's normal body temperature is lower than in the past, Dr. Parsonnet and her research partners analyzed 677,423 temperatures collected from 189,338 individuals over a span of 157 years. The readings were recorded in the pension records of Civil War veterans from the start of the war through 1940; in the National Health and Nutrition Examination Survey I conducted by the U.S. Centers for Disease Control and Prevention from 1971 through 1974; and in the Stanford Translational Research Integrated Database Environment from 2007 through 2017. Overall, temperatures of the Civil War veterans were higher than measurements taken in the 1970s, and, in turn, those measurements were higher than those collected in the 2000s.
The study has been published in the journal eLife.
