U.S. Air Force drone documents found for sale on the dark web for $200

You never quite know what you’ll find on the dark web. In June, a threat intelligence team known as Insikt Group at security research firm Recorded Future discovered sensitive U.S. military information for sale while monitoring criminal activity on dark web marketplaces.

Insikt explains that an English-speaking hacker purported to have documentation on the MQ-9 Reaper unmanned aerial vehicle. Remarkably, the hacker appears to have been selling the goods for “$150 or $200.”

According to Insikt Group, the documents were not classified. A second set of documents on offer did contain sensitive material, including “the M1 Abrams maintenance manual, a tank platoon training course, a crew survival course, and documentation on improvised explosive device (IED) mitigation tactics.” Insikt notes that this second set appears to have been stolen from a U.S. Army official or from the Pentagon, though the source was not confirmed.

The hacker appeared to have joined the forum explicitly to sell these documents and acknowledged one other incident in which military documents were obtained from an unwitting officer. In the course of its investigation, Insikt Group determined that the hacker obtained the documents through a Netgear router whose FTP service was reachable from the internet with misconfigured login credentials. When the team corresponded with the hacker to confirm the source of the drone documents, the attacker disclosed that he also had access to footage from an MQ-1 Predator drone.

Here’s how he did it:

“Utilizing Shodan’s popular search engine, the actors scanned large segments of the internet for high-profile misconfigured routers that use a standard port 21 to hijack all valuable documents from compromised machines.

“Utilizing the above-mentioned method, the hacker first infiltrated the computer of a captain at 432d Aircraft Maintenance Squadron Reaper AMU OIC, stationed at the Creech AFB in Nevada, and stole a cache of sensitive documents, including Reaper maintenance course books and the list of airmen assigned to Reaper AMU. While such course books are not classified materials on their own, in unfriendly hands, they could provide an adversary the ability to assess technical capabilities and weaknesses in one of the most technologically advanced aircraft.”
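The weakness described above is not exotic: an FTP daemon on port 21 that lets anyone in. The following is an added example (not code from Recorded Future or from the report quoted above) of the check a defender would run against their own internet-facing hosts before a scanner finds them. It uses only the standard library; the embedded server is a constructed stand-in for a router’s FTP control channel so the check can be exercised offline, and its banner text is made up.

```python
"""Added example: audit a host for an FTP service that grants an anonymous
session, the kind of misconfiguration a port-21 search surfaces.
The embedded fake server is constructed for the demo and is not a real
FTP daemon; only the USER/PASS/QUIT dialogue is implemented."""
import socketserver
import threading
from ftplib import FTP, all_errors, error_perm


def check_anonymous_ftp(host, port=21, timeout=5.0):
    """Probe HOST:PORT the way a scanner would after a port-21 hit.

    Returns True if the server accepts the anonymous user, False if it
    rejects the credentials (5xx reply), None if nothing answered or the
    dialogue broke down.  FTP.login() with no arguments sends
    USER anonymous / PASS anonymous@, which is the standard probe.
    """
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
    except OSError:
        return None                      # refused, unreachable, timed out
    try:
        ftp.login()                      # anonymous login attempt
        return True
    except error_perm:                   # 530 or similar: rejected
        return False
    except all_errors:                   # broken dialogue, timeout
        return None
    finally:
        try:
            ftp.quit()                   # polite QUIT, then close
        except all_errors:
            ftp.close()


class _FakeFTPHandler(socketserver.StreamRequestHandler):
    """Minimal control-channel dialogue: banner, USER, PASS, QUIT."""

    def handle(self):
        self.wfile.write(b"220 (constructed demo ftpd)\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.decode("latin-1").strip().upper()
            if cmd.startswith("USER"):
                self.wfile.write(b"331 Please specify the password.\r\n")
            elif cmd.startswith("PASS"):
                if self.server.allow_anonymous:
                    self.wfile.write(b"230 Login successful.\r\n")
                else:
                    self.wfile.write(b"530 Login incorrect.\r\n")
            elif cmd.startswith("QUIT"):
                self.wfile.write(b"221 Goodbye.\r\n")
                return
            else:
                self.wfile.write(b"500 Unknown command.\r\n")


def start_fake_ftp(allow_anonymous):
    """Start a throwaway FTP control server on 127.0.0.1; return (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeFTPHandler)
    srv.allow_anonymous = allow_anonymous
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def audit(allow_anonymous):
    """Run the check against a fake server configured one way or the other."""
    srv, port = start_fake_ftp(allow_anonymous)
    try:
        return check_anonymous_ftp("127.0.0.1", port)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("open router :", audit(True))    # True  -> anonymous login works
    print("hardened    :", audit(False))   # False -> credentials rejected
```

Against real hosts you would call check_anonymous_ftp on each address from your own asset inventory; a True result is exactly the condition that exposed the Reaper documents, and the fix is to disable the FTP service or at least remove anonymous access and keep it off the WAN interface.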

Insikt Group notes that it is “incredibly rare” for hackers to sell military secrets on open marketplaces. “The fact that a single hacker with moderate technical skills was able to identify several vulnerable military targets and exfiltrate highly sensitive information in a week’s time is a disturbing preview of what a more determined and organized group with superior technical and financial resources could achieve,” the group warns.

California malls are sharing license plate tracking data with ICE

A chain of California shopping centers is sharing its license plate reader data with a well-known U.S. Immigration and Customs Enforcement (ICE) contractor, giving that agency the ability to track license plate numbers it captures in near real-time.

A report from the Electronic Frontier Foundation revealed that real estate group the Irvine Company shares that data with Vigilant Solutions, a private surveillance tech company that sells automated license plate recognition (ALPR) equipment to law enforcement and government agencies. The Irvine Company owns nearly 50 shopping centers across California with locations in Irvine, La Jolla, Newport Beach, Redwood City, San Jose, Santa Clara and Sunnyvale. ICE finalized its contract with Vigilant Solutions in January of this year.

EFF Investigative Researcher Dave Maass discovered the Irvine Company’s data sharing activities in a page detailing its ALPR policy, a disclosure required by California law. Ironically, while the Irvine Company’s ALPR usage and privacy policy does describe its own practice of deleting the license data it collects once transmitted, it admits that it does in fact transmit all of it straight to Vigilant Solutions, which has no such qualms.

As Vigilant describes, the key offering in its “advanced suite” of license reading tech is unfettered access to a massive trove of license plate data:

“A hallmark of Vigilant’s solution, the ability for agencies to share real-time data nationwide amongst over 1,000 agencies and tap into our exclusive commercial LPR database of over 5 billion vehicle detections, sets our platform apart.”

The Irvine Company is only one example of this kind of data sharing, but it illustrates the ubiquity of the kind of privately owned modern surveillance technology at the fingertips of anyone willing to pay for it. While we’re likely to see more state-level legal challenges to license plate tracking technology, for now the powerful pairing of license plate numbers and location data is mostly fair game for anyone who wants to make money off of collecting and aggregating it.

Twitter’s efforts to suspend fake accounts have doubled since last year

Bots, your days of tweeting politically divisive nonsense might be numbered. The Washington Post reported Friday that in the last few months the company has aggressively suspended accounts in an effort to stem the spread of disinformation running rampant on its platform.

The Washington Post reports that Twitter suspended as many as 70 million accounts between May and June of this year, with no signs of slowing down in July. According to data obtained by the Post, the platform suspended 13 million accounts during a weeklong spike of bot banning activity in mid-May.

Sources tell the Post that the uptick in suspensions is tied to the company’s efforts to comply with scrutiny from the Congressional investigation into Russian disinformation on social platforms. The report adds that Twitter investigates bots and other fake accounts through an internal project known as “Operation Megaphone” through which it buys suspicious accounts and then investigates their connections.

Twitter declined to provide additional information about the Washington Post report but pointed us to a blog post from last week in which it disclosed other numbers related to its bot hunting efforts. In May of 2018, Twitter identified more than 9.9 million suspicious accounts — triple its efforts in late 2017.

Chart via Twitter

When Twitter identifies an account that it deems suspicious it then “challenges” that account, giving legitimate Twitter users an opportunity to prove their sentience by confirming a phone number. When an account fails this test it gets the boot, while accounts that pass are reinstated.

As Twitter noted in its recent blog post, bots can make users look good by artificially inflating follower counts.

“As a result of these improvements, some people may notice their own account metrics change more regularly,” Twitter warned. The company noted that cracking down on fake accounts means that “malicious actors” won’t be able to promote their own content and accounts as easily by inflating their own numbers. Kicking users off a platform, fake or not, is a risk for a company that regularly reports its monthly active users, though only a temporary one.

As the report notes, at least one insider expects Twitter’s Q2 active user numbers to dip, reflecting its shift in enforcement. Still, any temporary user number setback would prove nominal for a platform that should focus on healthy user growth. Facebook is facing a similar reckoning as a result of the Russian bot scandal, as the company anticipates user engagement stats to dip as it moves to emphasize quality user experiences over juiced up quarterly numbers. In both cases, it’s a worthy tradeoff.

MoviePass subscribers will now pay surcharges for popular showtimes

MoviePass subscribers were just greeted with a special Fourth of July surprise from the company, but it’s not good news. Surprise!

The company’s plan to introduce summer surge pricing goes into effect today. In an email to subscribers introducing “peak pricing,” MoviePass tried to spin this like a new feature introduction rather than a notification that its monthly service had again worsened.

In an FAQ on its site, MoviePass explains its new dynamic pricing plan and the accompanying surcharges in more detail, but not a lot of detail. The company fails to really explain what exactly will determine price fluctuations beyond stating that “movies that are high in demand for title, date, or time of day will be impacted.” It doesn’t provide guidelines for what those surcharges will look like, though a screenshot it provides suggests we might pay $3.43 more to see Avengers: Infinity War at 7:00 PM.

Now, movies in the app will display a red lightning icon when they are in peak pricing and a gray icon when they are approaching peak pricing status. Subscribers will be able to waive one peak pricing fee per month, which softens the blow a little for a service that now delivers less value and convenience than it did, but also makes the whole system more complicated.

Peak pricing will gradually roll out across geographic areas starting on July 5. If it hasn’t hit your local screen yet, rest assured that no MoviePass subscriber will escape the company’s latest effort to bend its unsustainable business model toward realism.

Bag Week 2018: Chrome’s Niko Hold secures compact camera gear in a sleek package

Most camera bags prioritize function over form, which makes sense for protecting some of your most expensive gear, but it’s still a bummer. If you’re both practical and interested in cultivating cool, aloof photographer vibes instead of dorky ones, Chrome’s Niko lineup of camera bags is definitely worth a look.

Chrome’s Niko Hold ($60, Chrome Industries) is the company’s smallest camera bag, but if you’re looking for something larger the Niko Messenger and the Niko F-Stop backpack share its sensibilities with a larger form factor. The Niko Hold fits a pretty specific niche, but given the soaring popularity of small-bodied mirrorless full frame cameras and increasingly powerful compact cameras, it’s a pretty wide one.

With a volume of seven liters, the Niko Hold won’t carry a full-size DSLR or big zoom lenses well but it’s a great fit for a smaller setup. I used to carry the old version of the Niko backpack, but these days it’s just too much case for my cameras and I’ve been looking for something tough that’s a more suitable size but doesn’t look like it came from the clearance section at Best Buy.

To test the Niko Hold, I carried this for a week of off-and-on event photography near Los Angeles, both fixed shooting on stages and more candid outdoor shooting. The bag is sleek and solid, with a very structured rectangular vibe that looks and feels professional without being boring. I felt confident that my equipment would be safe if the weather suddenly turned, though this pack is more water resistant than fully waterproof; you’d probably have a special housing for extreme weather needs anyway. There are plenty of circumstances I shoot in that would be a bad fit for this camera bag, but for event and street photography it proved ideal. Obviously, you shouldn’t take the Niko Hold on a backpacking or climbing trip; it’s much more of an urban bag than one designed for the outdoors.

To be clear, the Niko Hold isn’t great for fast access, but it worked well for my shooting needs which were mostly carrying my camera, lenses and accessories to and from a location securely. The Niko Hold’s seam-sealed zipper isn’t fast for getting things in and out, but if I’m ready to shoot my camera would be on my hip anyway. Of course, that won’t always be the case, but there are plenty of other designs with faster access in mind, including the Niko Messenger.

Within the Niko Hold, two dividers offer a little customizable organization, while there are just enough zippered pockets for stashing SD cards and other small accessories, like a phone and wallet if it’s the only bag you’re carrying.

The Niko Hold is small, but it can accommodate plenty of compact gear. In my time testing it, the Niko Hold carried my Sony A7S II body, an 18-200mm lens, all of the necessary chargers, SD cards and extra batteries and sometimes even a backup Sony RX 100 II. Its all-black 1050d ballistic nylon construction meant that the bag looked and felt like a small set of armor for my gear, which was ideal. More than anything, this camera bag feels snug and secure.

Small camera cases are usually intended for casual photographers, but this felt like pro-level protection and thoughtfulness, which was refreshing for a professional photographer like me who has downsized gear over the years. If you’ve converted to camera equipment on the smaller side, carrying your stuff in Chrome’s Niko Hold will give both your gear and your shooting style the respect it deserves. Finally.

What we know about Maryland’s controversial facial recognition database

When police had difficulty identifying the man whom they believed opened fire on a newsroom in Maryland, killing five people, they turned to one of the most controversial yet potent tools in the state’s law enforcement arsenal.

As The New York Times reports, Anne Arundel County Police Chief Timothy Altomare’s department failed to ID its suspect through fingerprinting. The department then sent a picture of the suspect to the Maryland Coordination and Analysis Center, which combed through one of the nation’s largest databases of mug shots and driver’s license photos in search of a match.

That database is the source of some debate. Maryland has some of the most aggressive facial recognition policies in the nation, according to a national report from Georgetown University’s Center on Privacy & Technology, and that practice is powered by one central system: a pool of face data known as the Maryland Image Repository System (MIRS).

For facial recognition searches, Maryland police have access to three million state mug shots, seven million state driver’s license photos and an additional 24.9 million mug shots from a national FBI database. The state’s practice of face recognition searches began in 2011, expanding in 2013 to incorporate the Maryland Motor Vehicle Administration’s existing driver’s license database. The Maryland Department of Public Safety and Correctional Services (DPSCS) describes MIRS as “a digitized mug shot book used by law enforcement agencies throughout Maryland in the furtherance of their law enforcement investigation duties.”

According to the Georgetown report, “It’s unclear if the [Maryland Department of Public Safety and Correctional Services] ‘scrubs’ its mug shot database to eliminate people who were never charged, had charges dropped or dismissed, or who were found innocent.”

In a letter to Maryland’s House Appropriations and Senate Budget and Taxation Committees in late 2017, DPSCS Secretary Stephen T. Moyer notes that the software “has drawn criticism over privacy concerns.” In that letter, the state notes that images uploaded to MIRS are not stored in the database and that “the user’s search results are saved under their session and are not available to any other user.” DPSCS provides these details about the software:

MIRS is an off-the-shelf software program developed by Dataworks Plus. Images are uploaded into the system from MVA, DPSCS inmate case records, and mugshot photos sent into the DPSCS Criminal Justice System-Central Repository (CJIS-CR) from law enforcement agencies throughout the State at the time of an offender’s arrest and booking. Members of law enforcement are able to upload an image to MIRS and that image is compared to the images within the system to determine the highest probability that the uploaded image may relate to an MVA and/or DPSCS image within MIRS.

In the 2017 fiscal year, DPSCS paid DataWorks Plus $185,124.24 to maintain the database. The report declined to answer questions about how many users are authorized to access the MIRS system (estimates in The Baltimore Sun put it at between 6,000 and 7,000 individuals) and how many user logins had occurred since 2015, stating that it did not track or collect this information. On a question of what steps the department takes to mitigate privacy risks, DPSCS stated only that “the steps taken to protect citizen’s privacy are inherent in the photos that are uploaded into the system and the way that the system is accessed.”

In 2016, Maryland’s face recognition database came under new scrutiny after the ACLU accused the state of using MIRS without a warrant to identify protesters in Baltimore following the death of Freddie Gray.

Last year, Maryland House Bill 1065 proposed a task force to examine surveillance techniques used by law enforcement in the state. That bill made it out of the House but did not progress past the Senate Judicial Proceedings Committee. Another bill, known as the Face Recognition Act (HB 1148), would mandate auditing in the state to “ensure that face recognition is used only for legitimate law enforcement purposes” and would prohibit the use of Maryland’s face recognition system without a court order. That bill did not make it out of the House Judiciary Committee, though the ACLU intends to revisit it in 2018.

Tinder bolsters its security to ward off hacks and blackmail

This week, Tinder responded to a letter from Oregon Senator Ron Wyden calling for the company to seal up security loopholes in its app that could lead to blackmail and other privacy incursions.

In a letter to Sen. Wyden, Match Group General Counsel Jared Sine describes recent changes to the app, noting that as of June 19, “swipe data has been padded such that all actions are now the same size,” so an observer on the network can no longer tell one action from another by the size of the encrypted request. Sine added that images on the mobile app are fully encrypted as of February 6, while images on the web version of Tinder were already encrypted.

The Tinder issues were first called out in a report by a research team at Checkmarx describing the app’s “disturbing vulnerabilities” and their propensity for blackmail:

The vulnerabilities, found in both the app’s Android and iOS versions, allow an attacker using the same network as the user to monitor the user’s every move on the app. It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other types of malicious content (as demonstrated in the research).

While no credential theft and no immediate financial impact are involved in this process, an attacker targeting a vulnerable user can blackmail the victim, threatening to expose highly private information from the user’s Tinder profile and actions in the app.

In February, Wyden called for Tinder to address the vulnerability by encrypting all data that moves between its servers and the app and by padding that data so request sizes no longer reveal which action a user took. In a statement to TechCrunch at the time, Tinder indicated that it heard Sen. Wyden’s concerns and had recently implemented encryption for profile photos in the interest of moving toward deepening its privacy practices.
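Encryption alone does not close this channel, because a TLS record is exactly as long as the plaintext plus a fixed overhead, so two requests of different sizes stay distinguishable after encryption. The following is an added example, not Tinder’s or Checkmarx’s code, that models a passive observer on the same network and shows what fixed-size padding changes. The swipe request bodies are constructed for the demo (the real wire format is not on the page; only the fact that actions differed in size matters), and the record-sealing routine is a length-revealing stand-in for an AEAD cipher, not real AES-GCM.

```python
"""Added example: the traffic-analysis side channel behind the Tinder
report and the padding fix.  Request bodies and the sealing routine are
constructed stand-ins; what is modelled faithfully is that ciphertext
length == plaintext length + a constant, as with TLS/AES-GCM."""
import hashlib
import hmac
import json
import os
import struct

NONCE_LEN, TAG_LEN = 12, 16
KEY = hashlib.sha256(b"constructed demo key").digest()

# Constructed swipe bodies; only their differing sizes matter here.
ACTIONS = {
    "like": {"action": "like", "target": "u_1234567"},
    "pass": {"action": "pass", "target": "u_1234567", "undo": False},
    "superlike": {"action": "superlike", "target": "u_1234567"},
}


def _keystream(key, nonce, n):
    """SHA-256 in counter mode, enough bytes to mask n plaintext bytes."""
    out = bytearray()
    block = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + struct.pack(">I", block)).digest()
        block += 1
    return bytes(out[:n])


def seal(key, plaintext):
    """Stand-in for an AEAD record (demo only, not for real use):
    nonce || plaintext XOR keystream || 16-byte MAC.  Its only property of
    interest: len(result) == len(plaintext) + 28, nothing more is hidden."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + body + tag


def encode(action):
    """Compact JSON body for one constructed action."""
    return json.dumps(ACTIONS[action], separators=(",", ":")).encode()


def pad(body, bucket):
    """Fixed-size framing: 2-byte length prefix, body, zero fill to bucket."""
    if len(body) + 2 > bucket:
        raise ValueError("body does not fit the bucket")
    return struct.pack(">H", len(body)) + body + b"\x00" * (bucket - 2 - len(body))


def unpad(framed):
    """Server side: recover the original body from a padded frame."""
    (n,) = struct.unpack(">H", framed[:2])
    return framed[2:2 + n]


def observed_lengths(bucket=None):
    """Ciphertext size per action as seen by someone sniffing the network.
    With bucket=None the bodies go out unpadded (the pre-June behaviour)."""
    sizes = {}
    for name in ACTIONS:
        body = encode(name)
        if bucket is not None:
            body = pad(body, bucket)
        sizes[name] = len(seal(KEY, body))
    return sizes


def infer_action(observed_size, size_table):
    """Passive attacker: map a sniffed record size back to an action,
    or None when the size is shared by more than one action."""
    hits = [a for a, n in size_table.items() if n == observed_size]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    leaky = observed_lengths()
    print("unpadded sizes:", leaky)                     # three distinct sizes
    print("sniffed", leaky["pass"], "->", infer_action(leaky["pass"], leaky))
    fixed = observed_lengths(bucket=128)
    print("padded sizes:  ", fixed)                     # all identical
    print("sniffed", fixed["pass"], "->", infer_action(fixed["pass"], fixed))
```

The bucket size has to be chosen so that the largest legitimate action fits; anything that overflows must be rejected rather than sent unpadded, or the rare oversized request becomes its own identifiable signal. Timing and direction of the exchange can still leak information, which is why padding is a mitigation for this specific finding rather than a general guarantee.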

“Like every technology company, we are constantly working to improve our defenses in the battle against malicious hackers and cyber criminals,” Sine said in the letter. “… Our goal is to have protocols and systems that not only meet, but exceed industry best practices.”

DARPA design shifts round wheels to triangular tracks in a moving vehicle

As part of its Ground X-Vehicle Technologies program, DARPA is showcasing some new defense vehicle tech that’s as futuristic as it is practical. One of the innovations, a reconfigurable wheel-track, comes out of Carnegie Mellon University’s National Robotics Engineering Center in partnership with DARPA. The wheel-track is just one of a handful of designs meant to improve survivability of combat vehicles beyond just up-armoring them.

As you can see in the video, the reconfigurable wheel-track demonstrates a seamless transition between a round wheel shape and a triangular track in about two seconds and the shift between its two modes can be executed while the vehicle is in motion without cutting speed. Round wheels are optimal for hard terrain while track-style treads allow an armored vehicle to move freely on softer ground.

According to Ground X-Vehicle Program Manager Major Amber Walker, the tech offers “instant improvements to tactical mobility and maneuverability on diverse terrains” — an advantage you can see on display in the GIF below.

While wheel technology doesn’t sound that exciting, the result is visually impressive and smooth enough to prompt a double-take.

The other designs featured in the video are noteworthy as well, with one offering a windowless navigation technology called Virtual Perspectives Augmenting Natural Experiences (V-PANE) that integrates video from an array of mounted LIDAR and video cameras to recreate a realtime model of a windowless vehicle’s surroundings. Another windowless cockpit design creates “virtual windows” for a driver, with 3D goggles for depth enhancement, head-tracking and wraparound window display screens displaying data outside the all-terrain vehicle in realtime.

With CBD, marijuana-based medicine gets its first greenlight from the FDA

In a news release today, the FDA announced its approval of a marijuana-derived drug called Epidiolex for the treatment of seizures in a subset of patients suffering from severe epilepsy. Epidiolex contains CBD, a cannabis chemical compound skyrocketing in popularity and driving a market estimated to have doubled to $200 million in 2018.

CBD is the common abbreviation for cannabidiol, a chemical derived from cannabis. Unlike THC, the far better-known cannabinoid, CBD does not produce strong psychoactive effects when consumed. The chemical’s use in seizure prevention is well-documented in reputable research, and now, after reviewing its own trials, the FDA is on board.

As the FDA itself notes, “this is the first FDA-approved drug that contains a purified drug substance derived from marijuana.” Epidiolex, produced by GW Research Ltd., is now approved to treat the conditions known as Lennox-Gastaut syndrome and Dravet syndrome.

The FDA news signals that the DEA will likely adjust its scheduling for CBD, which is currently a Schedule I substance, denoting high potential for abuse and no medical applications.

“The FDA prepares and transmits… a medical and scientific analysis of substances subject to scheduling, like CBD, and provides recommendations to the Drug Enforcement Administration (DEA) regarding controls under the [Controlled Substances Act],” the FDA stated, indicating that it will recommend that CBD be rescheduled but the act of shifting the substance’s legality is ultimately in the DEA’s hands.

Prior to the FDA decision, a press officer for the DEA confirmed to Leafly that the FDA decision will prompt action from the DEA. “If they on June 27 announce that they’re approving Epidiolex, absolutely we’ll go into a different schedule. There’s no ifs, ands, or buts about it.”

The FDA notes that it will still “take action” against illegal CBD products making “serious, unproven medical claims.”

The medicinal acknowledgment of CBD should come as good news to marijuana startups eyeing the compound for consumer and medical consumption. Cannabis-derived CBD products are available where recreational marijuana is sold, though CBD derived from industrial hemp faces fewer regulations and is even stocked by some grocery stores.

By some measures, consumer interest appears to be moving away from traditional high-potency THC-based products and toward CBD. In February, even Bon Appétit magazine got in on the trend with a story titled “What Is CBD, and Why Is It in Everything Right Now?” Cannabis startups are likely tuned into that fact and keeping an ear to the ground for the DEA decision on what by most accounts is the next big thing in cannabis.

Bag Week 2018: Timbuk2’s Launch featherweight daypack is tough and tiny

If you need something small, lightweight and indestructible, Timbuk2’s Lightweight Launch Backpack ($129) might be right up your alley. The pack, constructed from famously tough Tyvek, can fit a 13″ laptop comfortably and plenty else. At only 18L, it sounds small, but due to its drawstring top design and large main compartment, it holds more than enough to make it a functional all-purpose daypack for work or play.

The Launch’s distinct look will be what makes up most people’s minds about this pack. Beyond the drawstring design and this fun lemon-lime interior color, the Launch doesn’t have too many bells and whistles. Still, it checks important boxes with the inclusion of stuff like a water bottle holder, a sternum strap, and weather resistant build material.

If you’re a fan of tough lightweight packs, know that the Launch’s Tyvek material gives it more structure than most stuff made out of this kind of material. That cuts both ways: more structure is great because your pack doesn’t just collapse into a little pile, but because Tyvek has no stretch whatsoever, both the front pocket and the top compartment that sits above the main part of the pack can be a little tricky to dig things in and out of.

Happily, the Launch holds a laptop very well thanks to a padded compartment accessible via a full-length side zipper — always the best way to access a laptop in a backpack! The laptop area is a nice touch for such a lightweight pack and makes Timbuk2’s Launch a unique, super light laptop pack for everyday use so long as you’re not carrying too much.

If you’re a longtime Timbuk2 fan know that the pack both looks and feels different from most of Timbuk2’s classic designs and unfortunately doesn’t come in the bright, playful tri-color look that some of its classic messengers do. Still, if you’re into more natural, subdued tones and really don’t want your day-to-day pack to weigh you down unnecessarily, Timbuk2’s Launch is totally worth a look.

What it is: A small but not too small Tyvek daypack that carries a laptop well.

What it isn’t: A Timbuk2 design that you’re used to.

Read more reviews from TechCrunch Bag Week 2018.