https://tech.slashdot.org/story/22/05/22/0218200/can-tech-firms-prevent-violent-videos-circulating-on-the-internet?utm_source=rss1.0mainlinkanon&utm_medium=feed
Can Tech Firms Prevent Violent Videos Circulating on the Internet?

This week New York's attorney general announced they're officially "launching investigations into the social media companies that the Buffalo shooter used to plan, promote, and stream his terror attack." Slashdot reader echo123 points out that Discord confirmed that roughly 30 minutes before the attack a "small group" was invited to join the shooter's server. "None of the people he invited to review his writings appeared to have alerted law enforcement," reports the New York Times, "and the massacre played out much as envisioned."

But meanwhile, another Times article tells a tangentially-related story from 2019 about what ultimately happened to "a partial recording of a livestream by a gunman while he murdered 51 people that day at two mosques in Christchurch, New Zealand."

For more than three years, the video has remained undisturbed on Facebook, cropped to a square and slowed down in parts. About three-quarters of the way through the video, text pops up urging the audience to "Share THIS...." Online writings apparently connected to the 18-year-old man accused of killing 10 people at a Buffalo, New York, grocery store Saturday said that he drew inspiration for a livestreamed attack from the Christchurch shooting. The clip on Facebook — one of dozens that are online, even after years of work to remove them — may have been part of the reason that the Christchurch gunman's tactics were so easy to emulate.

In a search spanning 24 hours this week, The New York Times identified more than 50 clips and online links with the Christchurch gunman's 2019 footage. They were on at least nine platforms and websites, including Reddit, Twitter, Telegram, 4chan and the video site Rumble, according to the Times' review. Three of the videos had been uploaded to Facebook as far back as the day of the killings, according to the Tech Transparency Project, an industry watchdog group, while others were posted as recently as this week.
The clips and links were not difficult to find, even though Facebook, Twitter and other platforms pledged in 2019 to eradicate the footage, pushed partly by public outrage over the incident and by world governments. In the aftermath, tech companies and governments banded together, forming coalitions to crack down on terrorist and violent extremist content online. Yet even as Facebook expunged 4.5 million pieces of content related to the Christchurch attack within six months of the killings, what the Times found this week shows that a mass killer's video has an enduring — and potentially everlasting — afterlife on the internet.

"It is clear some progress has been made since Christchurch, but we also live in a kind of world where these videos will never be scrubbed completely from the internet," said Brian Fishman, a former director of counterterrorism at Facebook who helped lead the effort to identify and remove the Christchurch videos from the site in 2019.... Facebook, which is owned by Meta, said that for every 10,000 views of content on the platform, only an estimated five were of terrorism-related material. Rumble and Reddit said the Christchurch videos violated their rules and they were continuing to remove them. Twitter, 4chan and Telegram did not respond to requests for comment.

For what it's worth, this week CNN also republished an email they'd received in 2016 from 4chan's current owner, Hiroyuki Nishimura. The gist of the email? "If I liked censorship, I would have already done that."

But Slashdot reader Bruce66423 also shares an interesting observation from The Guardian's senior tech reporter about the major tech platforms. "According to Hany Farid, a professor of computer science at UC Berkeley, there is a tech solution to this uniquely tech problem. Tech companies just aren't financially motivated to invest resources into developing it."
Farid's work includes research into robust hashing, a tool that creates a fingerprint for videos that allows platforms to find them and their copies as soon as they are uploaded...

Farid: It's not as hard a problem as the technology sector will have you believe... The core technology to stop redistribution is called "hashing" or "robust hashing" or "perceptual hashing". The basic idea is quite simple: you have a piece of content that is not allowed on your service either because it violated terms of service, it's illegal or for whatever reason, you reach into that content, and extract a digital signature, or a hash as it's called.... That's actually pretty easy to do. We've been able to do this for a long time. The second part is that the signature should be stable even if the content is being modified, when somebody changes say the size or the color or adds text. The last thing is you should be able to extract and compare signatures very quickly.

So if we had a technology that satisfied all of those criteria, Twitch would say, we've identified a terror attack that's being live-streamed. We're going to grab that video. We're going to extract the hash and we are going to share it with the industry. And then every time a video is uploaded with the hash, the signature is compared against this database, which is being updated almost instantaneously. And then you stop the redistribution.

It's a problem of collaboration across the industry and it's a problem of the underlying technology. And if this was the first time it happened, I'd understand. But this is not, this is not the 10th time. It's not the 20th time. I want to emphasize: no technology's going to be perfect. It's battling an inherently adversarial system. But this is not a few things slipping through the cracks.... This is a complete catastrophic failure to contain this material. And in my opinion, as it was with New Zealand and as it was the one before then, it is inexcusable from a technological standpoint.
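The three properties Farid lists (cheap to extract, stable under edits, fast to compare) can be shown with a toy difference hash. This is an added example, not Farid's or any platform's code: it hashes constructed synthetic frames (plain grayscale arrays, no imaging library) and shows a rescaled, brightened or captioned copy landing within a few bits of the registered signature while an unrelated frame does not. The frames, labels and the 10-bit tolerance are assumptions.

```python
from typing import Dict, List, Optional, Tuple

Image = List[List[int]]  # rows of 8-bit grayscale values

def resize_nearest(img: Image, w: int, h: int) -> Image:
    """Nearest-neighbour resample to w x h; crude, but all a hash needs."""
    src_h, src_w = len(img), len(img[0])
    return [[img[(y * src_h) // h][(x * src_w) // w] for x in range(w)]
            for y in range(h)]

def dhash(img: Image) -> int:
    """Difference hash: shrink to 9x8, then one bit per horizontal neighbour
    pair (1 if left < right). Rescaling, brightness shifts and small overlays
    leave most comparisons intact; a cryptographic file hash would not."""
    bits = 0
    for row in resize_nearest(img, 9, 8):
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | (1 if left < right else 0)
    return bits

def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")  # differing bits between two signatures

class HashRegistry:
    """Shared database of signatures for content already identified as banned."""
    def __init__(self, max_distance: int = 10) -> None:
        self.max_distance = max_distance
        self.entries: Dict[str, int] = {}

    def add(self, label: str, img: Image) -> None:
        self.entries[label] = dhash(img)

    def match(self, img: Image) -> Optional[Tuple[str, int]]:
        """Closest banned signature within tolerance as (label, distance),
        or None when the upload does not resemble anything on file."""
        h = dhash(img)
        best = min(((hamming(h, known), label)
                    for label, known in self.entries.items()), default=None)
        if best is None or best[0] > self.max_distance:
            return None
        return best[1], best[0]

def make_base() -> Image:
    """Constructed 64x64 frame: diagonal gradient with a dark central square."""
    img = [[2 * x + 2 * y for x in range(64)] for y in range(64)]
    for y in range(16, 48):
        img[y][16:48] = [30] * 32
    return img

def brighten(img: Image, delta: int) -> Image:
    return [[min(255, p + delta) for p in row] for row in img]

def overlay_caption(img: Image) -> Image:
    """Stand-in for burned-in text: a white band in the bottom-left corner."""
    out = [row[:] for row in img]
    for y in range(56, 64):
        out[y][:32] = [255] * 32
    return out

def invert(img: Image) -> Image:
    return [[255 - p for p in row] for row in img]

def demo() -> Dict[str, Optional[Tuple[str, int]]]:
    # Register one banned frame, then screen four uploads against it.
    base = make_base()
    registry = HashRegistry(max_distance=10)
    registry.add("banned-clip-frame", base)
    uploads = {
        "rescaled_100x100": resize_nearest(base, 100, 100),
        "brightened": brighten(base, 40),
        "captioned": overlay_caption(base),
        "unrelated_inverted": invert(base),
    }
    return {name: registry.match(img) for name, img in uploads.items()}
```

Real deployments use hashes computed over many video frames plus audio, and tune the tolerance against measured false-match rates, but the matching step is the same Hamming-distance lookup.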
"These are now trillion-dollar companies we are talking about collectively," Farid points out later. "How is it that their hashing technology is so bad?" Read more of this story at Slashdot.
2022-05-22 03:45:01
https://it.slashdot.org/story/22/05/22/0433224/biggest-targets-at-pwn2own-event-microsofts-windows-teams-and-ubuntu-desktop?utm_source=rss1.0mainlinkanon&utm_medium=feed
Biggest Targets at Pwn2Own Event: Microsoft's Windows, Teams, and Ubuntu Desktop

As Pwn2Own Vancouver comes to a close, a whopping $1,115,000 has been awarded by Trend Micro and Zero Day Initiative. The 15th anniversary edition saw 17 "contestants" attacking 21 targets, reports Hot Hardware — though "the biggest payouts were for serious exploits against Microsoft's Teams utility."

While Teams isn't technically a part of Windows, it does come bundled with all new installs of Windows 11, which means that these exploits are practically Windows exploits. Hector "p3rr0" Peralta, Masato Kinugawa, and STAR Labs each earned $150,000 for major exploits of the utility. Windows 11 itself wasn't spared, though. Marcin Wiazowski and STAR Labs each earned $40,000 for privilege escalation exploits on Microsoft's operating system on day one, and on day two, TO found a similar bug for a $40,000 payout of his own. Day three saw no less than three more fresh exploits against Windows 11, all in the serious privilege escalation category; all three winners pocketed another $40,000.... Other targets attacked at Pwn2Own 2022 included Mozilla Firefox (hacked), Apple Safari (hacked), and Ubuntu Desktop (hacked)... Of course, details of the hacks aren't made public, because they're zero-days, after all. That means that they haven't been patched yet, so releasing details of the exploits could allow malicious actors to make use of the bugs. Details will be revealed 3 months from now, during which time Microsoft, Tesla, Apple, and others should have their software all sewn up.

With all the points totalled, the winner was Singapore-based cybersecurity company STAR Labs, which was officially crowned "Master of Pwn" on Saturday. "They won $270,000 and 27 points during the contest," explains the official Twitter feed for Zero Day Initiative (the judges for the event). A blog post from Zero Day Initiative describes all 21 attacks, including six successful attacks against Windows, three successful attacks against Teams — and four against Ubuntu Desktop.
2022-05-22 00:45:03
https://tech.slashdot.org/story/22/05/20/2214231/china-is-3d-printing-a-massive-590-foot-tall-dam-and-constructing-it-without-humans?utm_source=rss1.0mainlinkanon&utm_medium=feed
China Is 3D Printing a Massive 590-Foot-Tall Dam, And Constructing It Without Humans

Chinese engineers will take the ideas of a research paper and turn them into the world's largest 3D-printed project. Popular Mechanics: Within two years, officials behind this project want to fully automate the unmanned construction of a 590-foot-tall dam on the Tibetan Plateau to build the Yangqu hydropower plant -- completely with robots.

The paper, published last month in the Journal of Tsinghua University (Science and Technology), laid out the plans for the dam, as first reported in the South China Morning Post. Researchers from the State Key Laboratory of Hydroscience and Engineering at Tsinghua University in Beijing explain the backbone of automation for the planned Yellow River dam that will eventually offer nearly five billion kilowatt-hours of electricity annually. (It's worth noting that China's Three Gorges Dam -- a hydroelectric gravity dam spanning the Yangtze River -- is the world's largest power station in terms of energy output.)

But it's hard to tell what's more ambitious: the fact that the researchers plan to turn a dam site into effectively a massive 3D-printing project, or that through every step of the process the project eliminates human workers as they go fully robotic. In the dam-"printing" process, machinery will deliver construction materials to the worksite -- the exact location needed, eliminating human error, they say -- and then unmanned bulldozers, pavers, and rollers will form the dam layer by layer. Sensors on the rollers will keep the artificial intelligence (AI) system informed about the firmness and stability of each of the 3D-printed layers until it reaches 590 feet in height, about the same height as the Shasta Dam in California and shorter than the Hoover Dam's 726 feet. With the largest existing 3D-printed structures rising about 20 feet tall -- from houses in China to an office building in Dubai -- the exploration of 3D-printed projects continues to expand.
Already we've seen a 1,640-foot-long retention wall in China, housing and office buildings across the globe, and now the U.S. Army has plans for barracks at Fort Bliss in Texas.
2022-05-21 20:00:02
https://tech.slashdot.org/story/22/05/21/0128210/is-social-media-training-us-to-please-a-machine?utm_source=rss1.0mainlinkanon&utm_medium=feed
Is Social Media Training Us to Please a Machine?

A remarkably literary critique of the internet appeared recently in Damage magazine — a project of the nonprofit Society for Psychoanalytic Inquiry funded by the American Psychoanalytic Foundation. "There are ways in which the internet really does seem to work like a possessing demon..." argues writer Sam Kriss. "We tend to think that the internet is a communications network we use to speak to one another — but in a sense, we're not doing anything of the sort. Instead, we are the ones being spoken through."

Teens on TikTok all talk in the exact same tone, identical singsong smugness. Millennials on Twitter use the same shrinking vocabulary. My guy! Having a normal one! Even when you actually meet them in the sunlit world, they'll say valid or based, or say y'all despite being British....

Everything you say online is subject to an instant system of rewards. Every platform comes with metrics; you can precisely quantify how well-received your thoughts are by how many likes or shares or retweets they receive. For almost everyone, the game is difficult to resist: they end up trying to say the things that the machine will like. For all the panic over online censorship, this stuff is far more destructive. You have no free speech — not because someone might ban your account, but because there's a vast incentive structure in place that constantly channels your speech in certain directions. And unlike overt censorship, it's not a policy that could ever be changed, but a pure function of the connectivity of the internet itself. This might be why so much writing that comes out of the internet is so unbearably dull, cycling between outrage and mockery, begging for clicks, speaking the machine back into its own bowels....

The internet is not a communications system. Instead of delivering messages between people, it simulates the experience of being among people, in a way that books or shopping lists or even the telephone do not.
And there are things that a simulation will always fail to capture. In the philosophy of Emmanuel Lévinas, your ethical responsibility to other people emerges out of their face, the experience of looking directly into the face of another living subject. "The face is what prohibits us from killing...." But Facebook is a world without faces. Only images of faces; selfies, avatars: dead things. Or the moving image in a FaceTime chat: a haunted puppet. There is always something in the way. You are not talking to a person: the machine is talking, through you, to itself. As more and more of your social life takes place online, you're training yourself to believe that other people are not really people, and you have no duty towards them whatsoever. These effects don't vanish once you look away from the screen.... many of the big conflicts within institutions in the last few years seem to be rooted in the expectation that the world should work like the internet. If you don't like a person, you should be able to block them: simply push a button, and have them disappear forever.

The article revisits a 2011 meta-analysis that found massive declines in young people's capacity for empathy, which the authors directly associated with the spread of social media. But then Kriss argues that "We are becoming less and less capable of actual intersubjective communication; more unhappy; more alone. Every year, surveys find that people have fewer and fewer friends; among millennials, 22% say they have none at all.

"For the first time in history, we can simply do without each other entirely. The machine supplies an approximation of everything you need for a bare biological existence: strangers come to deliver your food; AI chatbots deliver cognitive-behavioral therapy; social media simulates people to love and people to hate; and hidden inside the microcircuitry, the demons swarm..."
So while recent books look for historical antecedents, "I still think that the internet is a serious break from what we had before," Kriss argues. "And as nice as Wikipedia is, as nice as it is to be able to walk around foreign cities on Google Maps or read early modern grimoires without a library card, I still think the internet is a poison."
2022-05-21 18:45:01
https://developers.slashdot.org/story/22/05/21/0214233/why-govuk-stopped-using-jquery?utm_source=rss1.0mainlinkanon&utm_medium=feed
Why Gov.UK Stopped Using jQuery

The head of the UK government's digital transformation unit recently announced a change to the nation's government services site gov.uk: they've "removed jQuery as a dependency for all frontend apps, meaning 32 KB of minified and compressed JavaScript was removed" for everything from selecting elements to attaching event listeners....

Nearly 84% of mobile pages used jQuery in 2021, points out a new essay at Gov.UK — before explaining why they decided not to:

jQuery was an instrumental tool in a time when we really needed a way to script interactivity in a way that smoothed over the differing implementations of stuff like event handling, selecting elements, animating elements, and so on. The web is better because of jQuery — not just because it has such incredible utility, but because its ubiquity led to making what it provided part of the web platform itself. Nowadays, we can do just about anything jQuery can do in vanilla JavaScript... It really begs the question: Do we really need jQuery today? That's a question that GOV.UK has answered with a resounding "no"....

This is a big deal when it comes to the user experience, because GOV.UK provides services and information online for The United Kingdom at scale. Not everyone is tapping away on their 2022 MacBook Pro on a rip-roarin' broadband connection. GOV.UK has to be accessible to everyone, and that means keepin' it lean.... dependencies matter when it comes to performance. Don't shortchange your users if the web platform can easily do the job a framework can. This level of commitment to the user experience from an institution that works at the scale GOV.UK does is commendable. I can only hope others follow in their footsteps.
2022-05-21 15:45:03
https://developers.slashdot.org/story/22/05/21/0520207/how-a-rust-supply-chain-attack-infected-cloud-ci-pipelines-with-go-malware?utm_source=rss1.0mainlinkanon&utm_medium=feed
How a Rust Supply-Chain Attack Infected Cloud CI Pipelines with Go Malware

Sentinel Labs provides malware/threat intelligence analysis for the enterprise cybersecurity platform SentinelOne. Thursday they reported on "a supply-chain attack against the Rust development community that we refer to as 'CrateDepression'."

On May 10th, 2022, the Rust Security Response Working Group released an advisory announcing the discovery of a malicious crate hosted on the Rust dependency community repository. The malicious dependency checks for environment variables that suggest a singular interest in GitLab Continuous Integration (CI) pipelines. Infected CI pipelines are served a second-stage payload. We have identified these payloads as Go binaries built on the red-teaming framework, Mythic. Given the nature of the victims targeted, this attack would serve as an enabler for subsequent supply-chain attacks at a larger scale relative to the development pipelines infected. We suspect that the campaign includes the impersonation of a known Rust developer to poison the well with source code that relies on the typosquatted malicious dependency and sets off the infection chain....

In an attempt to fool Rust developers, the malicious crate typosquats against the well-known rust_decimal package used for fractional financial calculations.... The malicious package was initially spotted by an avid observer and reported to the legitimate rust_decimal GitHub account.... Both [Linux and macOS] variants serve as an all-purpose backdoor, rife with functionality for an attacker to hijack an infected host, persist, log keystrokes, inject further stages, screencapture, or simply remotely administer in a variety of ways....

Software supply-chain attacks have gone from a rare occurrence to a highly desirable approach for attackers to 'fish with dynamite' in an attempt to infect entire user populations at once.
In the case of CrateDepression, the targeting interest in cloud software build environments suggests that the attackers could attempt to leverage these infections for larger scale supply-chain attacks.
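The lure in this campaign is a crate name one edit away from rust_decimal, which is a check a build pipeline can run on its own manifest before anything is fetched. The following is an added example, not SentinelLabs' or the Rust project's code: it parses the dependency tables of a constructed Cargo.toml and flags any crate that is not on a vetted allowlist but sits within two edits (including an adjacent-letter swap) of one that is. The allowlist is an assumption, and the lookalike name in the sample is invented, since the page does not name the real malicious crate.

```python
import re
from typing import Dict, List, Tuple

# Constructed allowlist standing in for the crates a team has already vetted.
KNOWN_CRATES = {"rust_decimal", "serde", "tokio", "rand", "regex"}

# Constructed manifest; the lookalike name is invented for this example.
SAMPLE_CARGO_TOML = """\
[package]
name = "ledger"

[dependencies]
serde = { version = "1.0", features = ["derive"] }
rust_decmial = "1.23"   # transposed letters, one edit from rust_decimal
tokio = { version = "1", features = ["full"] }

[dev-dependencies]
regex = "1"
"""

def parse_dependencies(cargo_toml: str) -> Dict[str, str]:
    """Return {crate: version_spec} from every *dependencies table, accepting
    both `name = "1.2"` and `name = { version = "1.2", ... }` forms."""
    deps: Dict[str, str] = {}
    in_deps = False
    for raw in cargo_toml.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("["):
            in_deps = line.strip("[]").endswith("dependencies")
            continue
        m = re.match(r"^([A-Za-z0-9_-]+)\s*=\s*(.+)$", line)
        if not (in_deps and m):
            continue
        name, rhs = m.group(1), m.group(2)
        ver = re.search(r'version\s*=\s*"([^"]*)"', rhs)
        deps[name] = ver.group(1) if ver else rhs.strip('"')
    return deps

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap
    two adjacent characters, each costing 1. Swaps matter because transposed
    letters are the classic typosquat."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def normalize(name: str) -> str:
    # crates.io treats '-' and '_' as the same name, so compare on one form.
    return name.lower().replace("-", "_")

def find_suspects(deps: Dict[str, str], known=KNOWN_CRATES,
                  max_dist: int = 2) -> List[Tuple[str, str, int]]:
    """Dependencies absent from the allowlist but within max_dist edits of
    an entry on it, as (declared_name, lookalike_of, distance)."""
    suspects = []
    for name in deps:
        n = normalize(name)
        if n in known:
            continue
        dist, closest = min((edit_distance(n, k), k) for k in known)
        if dist <= max_dist:
            suspects.append((name, closest, dist))
    return suspects

def audit(cargo_toml: str = SAMPLE_CARGO_TOML) -> List[Tuple[str, str, int]]:
    return find_suspects(parse_dependencies(cargo_toml))
```

A hit is a reason to stop the build and have a human confirm the crate, not proof of malice; legitimate forks and near-named crates exist, which is why the allowlist is the deciding input.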
2022-05-21 12:45:02
https://linux.slashdot.org/story/22/05/21/0445203/microsoft-warns-of-stealthy-ddos-malware-targeting-linux-devices?utm_source=rss1.0mainlinkanon&utm_medium=feed
Microsoft Warns of 'Stealthy DDoS Malware' Targeting Linux Devices

"In the last six months, we observed a 254% increase in activity from a Linux trojan called XorDdos," writes the Microsoft 365 Defender Research Team. It's a trojan combining denial-of-service functionality with XOR-based encryption for communication. Microsoft calls it part of "the trend of malware increasingly targeting Linux-based operating systems, which are commonly deployed on cloud infrastructures and Internet of Things devices." And ZDNet describes the trojan as "one of the most active Linux-based malware families of 2021, according to CrowdStrike."

XorDdos conducts automated password-guessing attacks across thousands of Linux servers to find matching admin credentials used on Secure Shell (SSH) servers... Once credentials are gained, the botnet uses root privileges to install itself on a Linux device and uses XOR-based encryption to communicate with the attacker's command and control infrastructure. While DDoS attacks are a serious threat to system availability and are growing in size each year, Microsoft is worried about other capabilities of these botnets. "We found that devices first infected with XorDdos were later infected with additional malware such as the Tsunami backdoor, which further deploys the XMRig coin miner," Microsoft notes... Microsoft didn't see XorDdos directly installing and distributing the Tsunami backdoor, but its researchers think XorDdos is used as a vector for follow-on malicious activities... XorDdos can perform multiple DDoS attack techniques, including SYN flood attacks, DNS attacks, and ACK flood attacks.

Microsoft's team warns that the trojan's evasion capabilities "include obfuscating the malware's activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis."

"We observed in recent campaigns that XorDdos hides malicious activities from analysis by overwriting sensitive files with a null byte. It also includes various persistence mechanisms to support different Linux distributions."
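The password-guessing stage Microsoft describes is visible in sshd's own log before any of the evasion tricks come into play. The following is an added example, not Microsoft's or any vendor's detection code: it runs a per-source sliding-window counter over constructed auth.log lines, raising a high-severity alert once one address reaches five failures inside 60 seconds and a critical one if a password login then succeeds from that address. Hostnames, addresses, thresholds and the log lines are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterator, List, Tuple

# Constructed sshd lines in the usual syslog layout (not from a real host).
SAMPLE_AUTH_LOG = """\
May 20 03:14:01 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51522 ssh2
May 20 03:14:02 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 51530 ssh2
May 20 03:14:03 web1 sshd[1205]: Failed password for admin from 203.0.113.7 port 51538 ssh2
May 20 03:14:04 web1 sshd[1207]: Failed password for root from 203.0.113.7 port 51546 ssh2
May 20 03:14:05 web1 sshd[1209]: Failed password for root from 203.0.113.7 port 51554 ssh2
May 20 03:14:07 web1 sshd[1211]: Failed password for root from 203.0.113.7 port 51562 ssh2
May 20 03:14:09 web1 sshd[1219]: Accepted password for root from 203.0.113.7 port 51600 ssh2
May 20 03:20:00 web1 sshd[1300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
May 20 03:25:00 web1 sshd[1310]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse(log: str) -> Iterator[Tuple[datetime, str, str, str, str]]:
    """Yield (timestamp, result, method, user, ip) for each recognised line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog omits the year
            yield ts, m["result"], m["method"], m["user"], m["ip"]

def analyze(log: str, window_s: int = 60,
            threshold: int = 5) -> List[Tuple[str, str, str]]:
    """Sliding-window failure counter per source address. Returns
    (severity, ip, message): 'high' once a source reaches the failure
    threshold inside the window, 'critical' if a password login then
    succeeds from the same source, i.e. the guessing worked."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged = set()
    alerts: List[Tuple[str, str, str]] = []
    for ts, result, method, user, ip in parse(log):
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # forget failures that fell out of the window
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("high", ip, f"{len(q)} failed SSH logins within {window_s}s"))
        elif method == "password" and len(q) >= threshold:
            alerts.append(("critical", ip, f"password login as {user} after {len(q)} recent failures"))
    return alerts
```

A critical hit is the point to pull the host for forensics, since the page notes the malware installs as root and later tampers with files, so evidence degrades the longer it stays up.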
2022-05-21 10:45:03
https://tech.slashdot.org/story/22/05/21/0239247/the-online-spider-market-is-massive----and-crawling-with-issues?utm_source=rss1.0mainlinkanon&utm_medium=feed
The Online Spider Market Is Massive -- and Crawling With Issues

An anonymous reader shares an excerpt from a report via Wired: Spiders and scorpions may seem like creatures that need to be crushed rather than conserved, but wildlife experts say a growing global pet trade is putting wild populations at risk, even though they help humans and ecosystems. Collectors are now trading more than 1,200 species of arachnids (the group that includes both spiders and scorpions), according to a new report out today in the journal Communications Biology, with 80 percent of them unmonitored and vulnerable to extinction. "These are species for which trade is completely legal, but there's no data on how sustainable it is," says Alice Hughes, an author of the study and an associate professor of biological sciences at the University of Hong Kong.

Hughes and her colleagues developed an algorithm to scan websites that sell spiders and scorpions online, including those that represent brick-and-mortar pet shops. Then they compared those to existing trading databases compiled by the US Fish and Wildlife Service and the Convention on International Trade in Endangered Species of Wild Fauna and Flora (CITES). The researchers found that from 2000 to 2021, 77 percent of one species known as the emperor scorpion were collected from the wild, with 1 million imported into the US. More than half of the existing species of tarantulas are being traded, including 600,000 Grammostola tarantulas, a group that includes the Chilean rose tarantula, which is commonly found in pet stores. The study estimates that two-thirds of spiders and scorpions that are traded commercially were collected from the wild, rather than captive-bred.
Researchers like Hughes, who conducts field studies throughout Southeast Asia, still do not have enough information about the abundance of arachnids worldwide; her study notes that there are more than a million invertebrate species on the planet that have been identified by biologists but fewer than 1 percent have been assessed by the International Union for Conservation of Nature (IUCN) as to their population status. And commercial trade is putting arachnids at risk before scientists can learn much about them. While spiders and scorpions may seem dangerous, they are usually not so if left alone. Arachnids also keep insect pests in check, and spider venoms have been found to contain antimicrobial, painkilling, and cancer-fighting compounds, making them potential candidates for new drug development.
2022-05-21 09:15:01
https://www.wired.com/story/real-reason-matrix-4-bombed
The Real Reason Matrix Resurrections Bombed

It’s back on HBO Max. Nobody cares. Because moviegoers hate themselves.
2022-05-21 07:15:03