Worldcoin is no longer offering its Orb-verification service in India, Brazil and France, just months after the crypto startup expanded the helmet-shaped eyeball-scanning device to those markets. From a report: Tools for Humanity, the foundation that oversees development of Worldcoin, exclusively told TechCrunch in a statement that it had expanded the Orb to many markets this year for a "limited time access." The sudden retreat, however, comes as a surprise. Worldcoin had opened pop-up kiosks in many parts of India to onboard new users to the platform and drove crowds as people lined up to sign up and collect the free tokens.

An anonymous reader quotes a report from Ars Technica: [L]ast week, researchers at Blackwing Intelligence published an extensive document showing how they had managed to work around some of the most popular fingerprint sensors used in Windows PCs. Security researchers Jesse D'Aguanno and Timo Teras write that, with varying degrees of reverse-engineering and using some external hardware, they were able to fool the Goodix fingerprint sensor in a Dell Inspiron 15, the Synaptic sensor in a Lenovo ThinkPad T14, and the ELAN sensor in one of Microsoft's own Surface Pro Type Covers. These are just three laptop models from the wide universe of PCs, but one of these three companies usually does make the fingerprint sensor in every laptop we've reviewed in the last few years. It's likely that most Windows PCs with fingerprint readers will be vulnerable to similar exploits.

Blackwing's post on the vulnerability is also a good overview of exactly how fingerprint sensors in a modern PC work. Most Windows Hello-compatible fingerprint readers use "match on chip" sensors, meaning that the sensor has its own processors and storage that perform all fingerprint scanning and matching independently without relying on the host PC's hardware. This ensures that fingerprint data can't be accessed or extracted if the host PC is compromised. If you're familiar with Apple's terminology, this is basically the way its Secure Enclave is set up. Communication between the fingerprint sensor and the rest of the system is supposed to be handled by the Secure Device Connection Protocol (SCDP). This is a Microsoft-developed protocol that is meant to verify that fingerprint sensors are trustworthy and uncompromised, and to encrypt traffic between the fingerprint sensor and the rest of the PC.

Each fingerprint sensor was ultimately defeated by a different weakness. The Dell laptop's Goodix fingerprint sensor implemented SCDP properly in Windows but used no such protections in Linux. Connecting the fingerprint sensor to a Raspberry Pi 4, the team was able to exploit the Linux support plus "poor code quality" to enroll a new fingerprint that would allow entry into a Windows account. As for the Synaptic and ELAN fingerprint readers used by Lenovo and Microsoft (respectively), the main issue is that both sensors supported SCDP but that it wasn't actually enabled. Synaptic's touchpad used a custom TLS implementation for communication that the Blackwing team was able to exploit, while the Surface fingerprint reader used cleartext communication over USB for communication. "In fact, any USB device can claim to be the ELAN sensor (by spoofing its VID/PID) and simply claim that an authorized user is logging in," wrote D'Aguanno and Teras."Though all of these exploits ultimately require physical access to a device and an attacker who is determined to break into your specific laptop, the wide variety of possible exploits means that there's no single fix that can address all of these issues, even if laptop manufacturers are motivated to implement them," concludes Ars.

Blackwing recommends all Windows Hello fingerprint sensors enable SCDP, the protocol Microsoft developed to try to prevent this exploit. PC makers should also "have a qualified expert third party audit [their] implementation" to improve code quality and security.

Efforts to curb emissions of a powerful greenhouse gas commonly produced as a by-product of refrigerant manufacture might be falling short, and it seems eastern China is a major culprit. Nature: The hydrofluorocarbon gas, HFC-23, is around 14,700 times as powerful as carbon dioxide at warming the globe and has long been the subject of national and international climate-change mitigation efforts. Those efforts gained new traction nearly a decade ago when China and India -- the world's largest producers of the chemical -- agreed to dial down its emissions. New research, however, confirms that emissions continued to rise in subsequent years, and an analysis of data from atmospheric-monitoring stations suggests that factories in eastern China are responsible for nearly half of the total.

The rogue emissions are one of several air-pollution sources under discussion at the latest meeting of the Montreal Protocol, held in Nairobi, Kenya, this week. Signed in 1987, the Montreal Protocol is generally considered the most effective international environmental treaty in history, having halted the destruction of the ozone layer while also slowing down global warming. But scientists have often played a role, scanning the atmosphere for chemicals, such as ozone-depleting chlorofluorocarbons (CFCs), that governments have agreed to phase out. "Science has been instrumental in evaluating compliance under the treaty," says Megan Lickley, a climate scientist at Georgetown University in Washington DC.

An anonymous reader shares a report: Most Android users have probably never seen Google Play Protect in action. The malware-scanning service is built into every Android device and is supposed to flag malware that users have installed. Recently it flagged some popular apps that are very much not malware: Samsung Wallet and Samsung Messages.

As spotted by 9to5Google, Samsung users have been getting hit with Play Protect warnings since earlier this month. Users on the Google Support forum have posted screenshots of Play Protect flagging the Samsung system apps, and even Samsung responded to the issue, explaining (in Korean) how to fix any damage caused by the bug. Samsung says (through translation) the issue was caused by "a temporary failure of the Google server" and should now be fixed.

Ron Amadeo reports via Ars Technica: To help combat the surge of sideloaded malware, Google Play can now pop up a malware scanner at install time if it decides the app you're trying to sideload is interesting. Google Play's malware system, called "Google Play Protect," has always been able to check sideloaded apps for malware, but it used faster techniques like a definition file, and this happened quietly in the background. This new technique will delay your app installation with a full-screen "scanning" interface while Google runs a deep scan of the app code. Google's blog post says this is "real-time scanning at the code-level to combat novel malicious apps" and that Google Play Protect can "recommend a real-time app scan when installing apps that have never been scanned before to help detect emerging threats."

The scan will involve sending bits and pieces of the app to Google for analysis. Google says: "Scanning will extract important signals from the app and send them to the Play Protect backend infrastructure for a code-level evaluation. Once the real-time analysis is complete, users will get a result letting them know if the app looks safe to install or if the scan determined the app is potentially harmful. This enhancement will help better protect users against malicious polymorphic apps that leverage various methods, such as AI, to be altered to avoid detection." [...] Google is first rolling this feature out in India -- a country that topped the malware distribution charts in that 2018 report -- with the company saying the feature "will expand to all regions in the coming months."

A Kenyan parliamentary panel called on the country's information technology regulator on Monday to shut down the operations of cryptocurrency project Worldcoin within the country until more stringent regulations are put in place. From a report: The government suspended the project in early August following privacy objections over its scanning of users' irises in exchange for a digital ID to create a new "identity and financial network". Worldcoin was rolled out in various countries around the world by Tools for Humanity, a company co-founded by OpenAI CEO Sam Altman. It has also come under scrutiny in Britain, Germany and France. The project still has a virtual presence in Kenya and can be accessed via the Internet, even after the August suspension. The regulatory Communications Authority of Kenya should "disable the virtual platforms of Tools for Humanity Corp and Tools for Humanity GmbH Germany (Worldcoin) including blacklisting the IP addresses of related websites," the ad hoc panel of 18 lawmakers said in a report.

An anonymous reader shares a report: Next time you try to wipe a smudge off your iPhone screen, take a closer look. See if you can spot one of the two tiny QR codes etched into its glass. Chances are you won't be able to find them. Both codes are tiny -- one is the size of a grain of sand and can only be seen with special equipment, while the other, roughly the size of the tip of a crayon, is laser-printed on the reverse side of the glass somewhere along its black border or bezel. The codes are placed on the glass at different stages of manufacturing to help Apple track and reduce defects. They represent the company's obsessive attention to detail in manufacturing devices such as the iPhone, which has helped it squeeze costs in a traditionally low-margin business.

"Apple has been granularly and singularly tracking many components in the iPhone for some time, but expanding that to the glass and doing it with a microscopic bar code is another level of obsessive attention to detail that few companies would do," said Kyle Wiens, CEO of iFixit, a popular Apple gadget repair site. "I've never heard of serial numbers on the glass level, but if you're throwing infinite money at improving your manufacturing knowledge, then why not?" Apple added the smaller of the two QR codes -- 0.2 mm in width -- to iPhone screens in 2020 so it can track precisely how many usable cover glass units its two Chinese suppliers, Lens Technology and Biel Crystal, are making and how many defective cover glass units they are throwing away during manufacturing. Lens and Biel have previously stymied Apple's efforts to learn the true rate of defects, which can raise its production costs. Apple has paid millions of dollars to install laser and scanning equipment at Lens and Biel factories to both add the microscopic QR code and scan the cover glass at the end of the production process.

An anonymous reader shares a report: A few lucky WhatsApp beta testers got a surprising treat this week: the company appears to be testing a version of its iOS app that is also optimized for the iPad. As first spotted by WABetaInfo, version 23.19.1.71 of WhatsApp's TestFlight app includes the new iPad app as well. From what we can see in screenshots, the iPad app works exactly like you'd expect. You connect to it by scanning a QR code the same way you'd link your account to any other device. You'll see a list of your conversations on the left and your current chat on the right. It's pretty much the iOS app, but instead of seeing one pane at a time, you see both. It almost makes you wonder what took so long, especially when WhatsApp head Will Cathcart said all the way back in January of 2022 that "we'd love to do it."

Microsoft has made it clear: it will ax third-party printer drivers in Windows. From a report: The death rattle will be lengthy, as the timeline for the end of servicing stretches into 2027 -- although Microsoft noted that the dates will be subject to change. There is, after all, always that important customer with a strange old printer lacking Mopria support.

Mopria is part of the Windows' teams justification for removing support. Founded in 2013 by Canon, HP, Samsung and Xerox, the Mopria Alliance's mission is to provide universal standards for printing and scanning. Epson, Lexmark, Adobe and Microsoft have also joined the gang since then. Since Windows 10 21H2, Microsoft has baked Mopria support into the flagship operating system, with support for devices connected via the network or USB, thanks to the Microsoft IPP Class driver. Microsoft said: "This removes the need for print device manufacturers to provide their own installers, drivers, utilities, and so on."

An anonymous reader shared this report from Bloomberg: China-linked hackers breached the corporate account of a Microsoft engineer and are suspected of using that access to steal a valuable key that enabled the hack of senior U.S. officials' email accounts, the company said in a blog post. The hackers used the key to forge authentication tokens to access email accounts on Microsoft's cloud servers, including those belonging to Commerce Secretary Gina Raimondo, Representative Don Bacon and State Department officials earlier this year.

The U.S. Cybersecurity and Infrastructure Security Agency and Microsoft disclosed the breach in June, but it was still unclear at the time exactly how hackers were able to steal the key that allowed them to access the email accounts. Microsoft said the key had been improperly stored within a "crash dump," which is data stored after a computer or application unexpectedly crashes...

The incident has brought fresh scrutiny to Microsoft's cybersecurity practices.
Microsoft's blog post says they corrected two conditions which allowed this to occur. First, "a race condition allowed the key to be present in the crash dump," and second, "the key material's presence in the crash dump was not detected by our systems." We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network. This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected).

After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer's corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key. Due to log retention policies, we don't have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.

Slash_Account_Dot writes: Customs and Border Protection (CBP) has told airports it plans to increase its targets for scanning passengers with facial recognition as they leave the U.S., according to an internal airport email obtained by 404 Media. The new goal will be to scan 75 percent of all passengers, the email adds. The news signals CBP's increasing focus on biometric, and in particular facial recognition, systems at airports. Although it is unclear if related to the shift in goals, one traveler was also recently told by airline industry staff "CBP said everyone has to do it" when they asked to opt-out of facial recognition while boarding for an international flight last month.

Months before Kenya finally banned iris scans by Sam Altman's crypto startup Worldcoin, the Office of the Data Protection Commissioner (ODPC) had ordered its parent company, Tools for Humanity, to stop collecting personal data. From a report: The ODPC had in May this year instructed the crypto startup to stop iris scans and the collection of facial recognition and other personal data in Kenya, a letter sent to Worldcoin and seen by TechCrunch shows. Tools for Humanity, the company building Worldcoin, did not stop taking biometric data until early this month when Kenya's ministry of interior and administration, a more powerful entity, suspended it following its official launch. Worldcoin's official launch led to a spike in the number of people queuing up to have their eyeballs scanned in exchange for "free money," drawing the attention of authorities.

The letter shows that ODPC had instructed Worldcoin to cease collecting data for intruding on individuals' privacy by gathering biometric data without a well-established and compelling justification. Further, it said Worldcoin had failed to obtain valid consent from people before scanning their irises, saying its agents failed to inform its subjects about the data security and privacy measures it took, and how the data collected would be used or processed. "Your client is hereby instructed to cease the collection of all facial recognition data and iris scans, from your subscribers. This cessation should be implemented without delay and should include all ongoing and future data processing activities," said Rose Mosero, in a letter to Tools for Humanity that outlined the concerns.

Last year, Queens resident David Leacraft filed a lawsuit against Canon claiming that his Canon Pixma All-in-One printer won't scan documents unless it has ink. According to The Verge's Sean Hollister, it has quietly ended in a private settlement rather than becoming a big class-action. From the report: I just checked, and a judge already dismissed David Leacraft's lawsuit in November, without (PDF) Canon ever being forced to show what happens when you try to scan without a full ink cartridge. (Numerous Canon customer support reps wrote that it simply doesn't work.) Here's the good news: HP, an even larger and more shameless manufacturer of printers, is still possibly facing down a class-action suit for the same practice.

As Reuters reports, a judge has refused to dismiss a lawsuit by Gary Freund and Wayne McMath that alleges many HP printers won't scan or fax documents when their ink cartridges report that they've run low. Among other things, HP tried to suggest that Freund couldn't rely on the word of one of HP's own customer support reps as evidence that HP knew about the limitation. But a judge decided it was at least enough to be worth exploring in court. "Plaintiffs have plausibly alleged that HP had a duty to disclose and had knowledge of the alleged defect," wrote Judge Beth Labson Freeman, in the order denying almost all of HP's current attempts to dismiss the suit.

Interestingly, neither Canon nor HP spent any time trying to argue their printers do scan when they're low on ink in the lawsuit responses I've read. Perhaps they can't deny it? Epson, meanwhile, has an entire FAQ dedicated to reassuring customers that it hasn't pulled that trick since 2008. (Don't worry, Epson has other forms of printer enshittification.) HP does seem to be covering its rear in one way. The company's original description on Amazon for the Envy 6455e claimed that you could scan things "whenever". But when I went back now to check the same product page, it now reads differently: HP no longer claims this printer can scan "whenever" you want it to. Now, we wait to see whether the case can clear the bars needed to potentially become a big class-action trial, or whether it similarly settles like Canon, or any number of other outcomes.

An anonymous reader quotes a report from BleepingComputer: Open source project Moq (pronounced "Mock") has drawn sharp criticism for quietly including a controversial dependency in its latest release. Distributed on the NuGet software registry, Moq sees over 100,000 downloads on any given day, and has been downloaded over 476 million times over the course of its lifetime. [...] Last week, one of Moq's owners, Daniel Cazzulino (kzu), who also maintains the SponsorLink project, added SponsorLink to Moq versions 4.20.0 and above. This move sent shock waves across the open source ecosystem largely for two reasons -- while Cazzulino has every right to change his project Moq, he did not notify the user base prior to bundling the dependency, and SponsorLink DLLs contain obfuscated code, making it is hard to reverse engineer, and not quite "open source."

"It seems that starting from version 4.20, SponsorLink is included," Germany-based software developer Georg Dangl reported referring to Moq's 4.20.0 release. "This is a closed-source project, provided as a DLL with obfuscated code, which seems to at least scan local data (git config?) and sends the hashed email of the current developer to a cloud service." The scanning capability is part of the .NET analyzer tool that runs during the build process, and is hard to disable, warns Dangl. "I can understand the reasoning behind it, but this is honestly pretty scary from a privacy standpoint."

SponsorLink describes itself as a means to integrate GitHub Sponsors into your libraries so that "users can be properly linked to their sponsorship to unlock features or simply get the recognition they deserve for supporting your project." GitHub user Mike (d0pare) decompiled the DLLs, and shared a rough reconstruction of the source code. The library, according to the analyst, "spawns external git process to get your email." It then calculates a SHA-256 hash of the email addresses and sends it to SponsorLink's CDN: hxxps://cdn.devlooped[.]com/sponsorlink. "Honestly Microsoft should blacklist this package working with the NuGet providers," writes Austin-based developer Travis Taylor. "The author can't be trusted. This was an incredibly stupid move that's just created a ton of work for lots of people." Following the backlash, Cazzulino updated the SponsorLink project's README with a lengthy "Privacy Considerations" section that clarifies that no actual email addresses, just their hashes, are being collected.

An anonymous reader shares a report: Production companies are scanning the faces and bodies of actors and actresses, who fear their likeness will be used to create fake AI doubles for TV shows and films in the future. Some workers spoke to NPR last week about being subjected to the scans, and feeling like they couldn't say no. Alexandria Rubalcaba, who was working as a background actor, described being called into a trailer and asked to stand in front of cameras.

"Have your hands out. Have your hands in. Look this way. Look that way. Let us see your scared face. Let us see your surprised face," she said. What was most concerning, however, was that she didn't know what or how her images were going to be used. "My first thought leaving the trailer was, 'Oh this might just be the future," Lubsey said. "We might just lose our jobs," Dom Lubsey, an actor from Los Angeles, added. Studios already use computational techniques to create synthetic images of people to create fake crowds for backgrounds in films.

It's not too far-fetched to think that extras can also be generated too. Andrew Susskind, an associate professor at Drexel University's film and TV department, explained how AI-made background actors would slash production budgets. "Imagine ballroom scenes, party scenes, any scenes that need tons of extras," Susskind said. "Imagine the amounts of money they would be saving. Not paying $180 a day. Plus meals. Plus costuming," he said.

Kenya's Ministry of the Interior has issued a decree suspending Worldcoin enrollment in the country, citing concerns with the "authenticity and legality" of its activities in the areas of security, financial services and data protection. TechCrunch reports: The suspension covers both Worldcoin and "any other entity that may be similarly engaging the people of Kenya" and will remain in place until the authorities determine "the absence of any risks to the general public whatsoever." Up until today, Kenya had one of the largest collections of venues -- at least 18, according to the company's directory last week -- where you could visit an "Orb," as the company's spherical and mirrored iris scanners are called, "and verify your World ID." Now there is only one listed -- after Orb operators, overwhelmed by the huge turnout, shifted their stations on Sunday to Kenyatta International Convention Centre (KICC), a bigger ground in Kenya's capital that could accommodate the thousands of people streaming in.

"Relevant security, financial service and data protection agencies have commenced inquiries and investigations to establish the authenticity and legality of the aforesaid activities, and the safety and protection of the data being harvested, and how the harvesters intend to use the data," said Kithure Kindiki, Kenya's cabinet secretary for the ministry of interior and national administration. The news come amid separate reports that Worldcoin plans to expand its operations to sign up more users globally and allow other organizations to use its iris-scanning and identity-verifying technology.

Further reading: Sam Altman's Worldcoin Eyeball-Scanning Crypto Project Launches

Worldcoin will expand its operations to sign up more users globally and aims to allow other organisations to use its iris-scanning and identity-verifying technology, a senior manager for the company behind the project told Reuters. From the report: "We are on this mission of building the biggest financial and identity community that we can," said Ricardo Macieira, general manager for Europe at Tools For Humanity, the San Francisco and Berlin-based company behind the project.

Macieira said Worldcoin would continue rolling out operations in Europe, Latin America, Africa and "all the parts of the world that will accept us." Worldcoin's website mentions various possible applications, including distinguishing humans from artificial intelligence, enabling "global democratic processes" and showing a "potential path" to universal basic income, although these outcomes are not guaranteed. Most people interviewed by Reuters at sign-up sites in Britain, India and Japan last week said they were joining in order to receive the 25 free Worldcoin tokens the company says verified users can claim.

An asteroid-hunting algorithm called HelioLinc3D has spotted a potentially hazardous 600-foot-long space rock that's currently about 4 astronomical units from Earth. The asteroid is 2022 SF289 and "swings by Earth on the opposite side of its orbit, classifying it as a potentially hazardous asteroid (or PHA)," reports Gizmodo. From the report: "Potentially hazardous" merely means there is some chance the object could impact Earth, and thus it is worth keeping an eye on. What's significant about 2022 SF289 is not that it is hazardous, but that it was spotted by a new algorithm called HelioLinc3D. The recent asteroid spotting demonstrated that the algorithm can detect near-Earth asteroids with fewer observations than traditional methods. Because the Rubin Observatory is not yet up and running, HelioLinc3D was tested using the University of Hawaii's ATLAS survey.

"By demonstrating the real-world effectiveness of the software that Rubin will use to look for thousands of yet-unknown potentially hazardous asteroids, the discovery of 2022 SF289 makes us all safer," said Ari Heinze, a scientist and researcher at the Rubin Observatory and the University of Washington, and the principal developer of the new algorithm, in a university release. "This is just a small taste of what to expect with the Rubin Observatory in less than two years, when HelioLinc3D will be discovering an object like this every night," said Mario Juric, a scientist at the Rubin Observatory, director of the DiRAC Institute, astronomer at the University of Washington, and leader of the team behind HelioLinc3D, in the same release.

"From HelioLinc3D to AI-assisted codes, the next decade of discovery will be a story of advancement in algorithms as much as in new, large, telescopes," Juric added. The Rubin Observatory is now expected to commence its observations in early 2025, though we'll have to wait and see if that timeline sticks.

Worldcoin (WLD), the eyeball-scanning crypto project launched by OpenAI's Sam Altman, is being investigated by French data protection regulator CNI for "questionable" practises, the regulator told CoinDesk. From a report: "The legality of this [data] collection seems questionable, as do the conditions for preservation of biometric data," a CNIL spokesperson said in a written statement, referring to Worldcoin's practise of scanning retinas to ensure that no single person can claim crypto rewards twice.

"CNIL has initiated investigations," supporting the work of Bavarian privacy regulators who have primary responsibility under EU law, the spokesperson added. Worldcoin went live on Monday and its cheerleaders say it could spread crypto wider than bitcoin (BTC), but it has drawn the ire of privacy watchdogs in the U.K., where the Information Commissioner's Office has warned that people must freely give consent to the processing of their personal data, and be able to withdraw it without detriment.

Worldcoin, Sam Altman's audacious eyeball-scanning crypto startup, has started the global rollout of its services to help build a reliable solution for "distinguishing humans from AI online," enable "global democratic processes" and "drastically increase economic opportunity." From a report: The startup, which has raised about $250 million altogether and counts Andreessen Horowitz, Khosla Ventures and Reid Hoffman among its backers, said it's rolling out its identity technology as well as the token internationally. Individuals can download World App, the startup's protocol-compatible wallet software, and visit an Orb, the startup's helmet-shaped eyeball-scanning verification device, to receive their World ID.