Year: 2019

21 Jan 2019

Youth-run agency AIESEC exposed over 4 million intern applications

AIESEC, a non-profit that bills itself as the “world’s largest youth-run organization,” exposed more than four million intern applications with personal and sensitive information on a server without a password.

Bob Diachenko, an independent security researcher, found an unprotected Elasticsearch database containing the applications on January 11, a little under a month after the database was first exposed.

The database held “opportunity applications” that included the applicant’s name, gender, date of birth, and the reasons why the person was applying for the internship, according to Diachenko’s blog post on SecurityDiscovery, shared exclusively with TechCrunch. The database also contained the date and time when an application was rejected.

AIESEC, which has more than 100,000 members in 126 countries, said the database was inadvertently exposed 20 days prior to Diachenko’s notification — just before Christmas — as part of an “infrastructure improvement project.”

The database was secured the same day of Diachenko’s private disclosure.

Laurin Stahl, AIESEC’s global vice president of platforms, confirmed the exposure to TechCrunch but claimed that no more than 40 users were affected.

Stahl said that the agency had “informed the users who would most likely be on the top of frequent search results” in the database — some 40 individuals, he said — after the agency found no large requests of data from unfamiliar IP addresses.

“Given the fact that the security researcher found the cluster, we informed the users who would most likely be on the top of frequent search results on all indices of the cluster,” said Stahl. “The investigation we did over the weekend showed that no more than 50 data records affecting 40 users were available in these results.”

Stahl said that the agency informed Dutch data protection authorities of the exposure three days after the exposure.

“Our platform and entire infrastructure is still hosted in the EU,” he said, despite the organization’s recent relocation of its headquarters to Canada.

Like companies and organizations, non-profits are not exempt from European rules where EU citizens’ data is collected, and can face a fine of up to €20 million or four percent — whichever is higher — of their global annual revenue for serious GDPR violations.

It’s the latest case of an Elasticsearch instance being left unprotected.

Last year, a massive database leaking millions of real-time SMS text messages was found and secured, as was data from a popular massage service and the phone contact lists of five million users from an exposed emoji app.
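As an added illustration of the check AIESEC describes (looking for large pulls of data from unfamiliar IP addresses after an exposure), here is a small Python triage script; it is not the article’s or AIESEC’s own code. It assumes the cluster sat behind a reverse proxy writing combined-format access logs (Elasticsearch itself keeps no access log by default) and that the operator has an allowlist of client networks expected to query it; the log lines are constructed.

```python
"""Triage an exposed Elasticsearch cluster's access log for bulk reads
from unfamiliar sources.

Added example, not part of the article or AIESEC's tooling.  Assumes a
reverse proxy wrote nginx/Apache "combined" access logs in front of the
cluster and that an allowlist of expected client networks exists.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (combined format); IPs are documentation ranges.
SAMPLE_LOG = """\
10.20.0.5 - - [22/Dec/2018:09:14:02 +0000] "GET /_cluster/health HTTP/1.1" 200 512 "-" "curl/7.58.0"
10.20.0.5 - - [22/Dec/2018:09:14:05 +0000] "POST /opportunities/_search HTTP/1.1" 200 48211 "-" "python-requests/2.20"
198.51.100.23 - - [03/Jan/2019:02:31:10 +0000] "GET /_cat/indices?v HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Jan/2019:02:31:44 +0000] "POST /opportunities/_search?scroll=5m&size=10000 HTTP/1.1" 200 9437184 "-" "python-requests/2.20"
198.51.100.23 - - [03/Jan/2019:02:32:01 +0000] "POST /_search/scroll HTTP/1.1" 200 9421003 "-" "python-requests/2.20"
198.51.100.23 - - [03/Jan/2019:02:32:19 +0000] "POST /_search/scroll HTTP/1.1" 200 9398776 "-" "python-requests/2.20"
203.0.113.77 - - [11/Jan/2019:14:02:55 +0000] "GET / HTTP/1.1" 200 492 "-" "Mozilla/5.0"
203.0.113.77 - - [11/Jan/2019:14:03:01 +0000] "GET /_cat/indices HTTP/1.1" 200 1890 "-" "Mozilla/5.0"
"""

# Fields of the combined format we care about: client IP, timestamp,
# method, request path, status and response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Endpoints that return document bodies in bulk (as opposed to cluster or
# index metadata such as /_cat/indices or /_cluster/health).
BULK_READ_RE = re.compile(r'(^|/)_(search|msearch|scroll)(/|\?|$)|[?&]scroll=')


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["status"] = int(rec["status"])
    rec["bulk_read"] = bool(BULK_READ_RE.search(rec["path"]))
    return rec


def summarise(lines):
    """Aggregate successful requests per client IP: counts, bytes, time span."""
    per_ip = defaultdict(lambda: {"requests": 0, "bytes": 0, "bulk_reads": 0,
                                  "bulk_bytes": 0, "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue  # only successful responses actually moved data
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        if rec["bulk_read"]:
            s["bulk_reads"] += 1
            s["bulk_bytes"] += rec["bytes"]
        s["first"] = s["first"] or rec["ts"]
        s["last"] = rec["ts"]
    return dict(per_ip)


def flag_unfamiliar_bulk_readers(summary, allowlist, byte_threshold=1_000_000):
    """Return (ip, bulk_read_count, bulk_bytes) for clients outside the
    allowlist that pulled document bodies above byte_threshold, largest first.
    Metadata-only browsing (a hit on / or /_cat/indices) is not flagged."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    flagged = []
    for ip, s in summary.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            continue
        if s["bulk_reads"] > 0 and s["bulk_bytes"] >= byte_threshold:
            flagged.append((ip, s["bulk_reads"], s["bulk_bytes"]))
    return sorted(flagged, key=lambda t: -t[2])


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG.splitlines())
    # Assumed allowlist: the internal network the application servers live on.
    for ip, reads, nbytes in flag_unfamiliar_bulk_readers(summary, ["10.20.0.0/16"]):
        span = f'{summary[ip]["first"]} .. {summary[ip]["last"]}'
        print(f"{ip}: {reads} bulk reads, {nbytes} bytes, {span}")
```

Requests that only list indices or read cluster health are left out of the flag on purpose; they show someone looked, but not that data was pulled in bulk.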

21 Jan 2019

Shodan Safari, where hackers heckle the worst devices put on the internet

If you leave something on the internet long enough, someone will hack it.

The reality is that many device manufacturers make it far too easy by using default passwords that are widely documented, allowing anyone to log in as “admin” and snoop around. Often, there’s no password at all.

Enter “Shodan Safari,” a popular part-game, part-expression of catharsis, where hackers tweet and share their worst finds on Shodan, a search engine for exposed devices and databases popular with security researchers. Almost anything that connects to the internet gets scraped and tagged in Shodan’s vast search engine, including what the device does and which internet ports are open, which helps Shodan understand what the device is. If a particular port is open, it could be a webcam. If a certain header comes back, its back end might be viewable in the browser.

Think of Shodan Safari as internet dumpster diving.

From cameras to routers, hospital CT scanners to airport explosive detector units, you’d be amazed — and depressed — at what you can find exposed on the open internet.

Like a toilet, or prized pot plant, or — as we see below — someone’s actual goat.

The reality is that Shodan scares people — and it should. It’s a window into the world of absolute insecurity. It’s not just exposed devices but databases — storing anything from two-factor codes to your voter records, and where you’re going to the gym tonight. But devices take up the bulk of what’s out there. Exposed CCTV cameras, license plate readers, sex toys, and smart home appliances. If it’s out there and exposed, it’s probably on Shodan.

If there’s ever a lesson for device makers, it’s that not everything has to be connected to the internet.

Here are some of the worst things we’ve found so far. (And here’s where to send your best finds.)

An office air conditioning controller. (Screenshot: Shodan)

A weather station monitor at an airport in Alabama. (Screenshot: Shodan)

A web-based financial system at a co-operative credit bank in India. (Screenshot: Shodan)

For some reason, a beef factory. (Screenshot: Shodan)

An electric music carillon near St. Louis, used for making church bell melodies. (Screenshot: Shodan)

A bio-gas production and refinery plant in Italy. (Screenshot: Shodan)

A bird. Just a bird. (Screenshot: Shodan via @Joshbal4)

A brewery in Los Angeles. (Screenshot: Shodan)

The back end of a cinema’s projector system. Many simply run Windows. (Screenshot: Shodan via @tacticalmaid)

The engine room of a Dutch fishing boat. (Screenshot: Shodan)

An explosive residue detector at Heathrow Airport’s Terminal 3. (Screenshot: TechCrunch)

A fish tank water control and temperature monitor. (Screenshot: Shodan)

A climate control system for a flower store in Colorado Springs. (Screenshot: Shodan)

The web interface for a Tesla PowerPack. (Screenshot: Shodan via @xd4rker)

An Instagram auto-follow bot. (Screenshot: Shodan)

A terminal used by a pharmacist. (Screenshot: Shodan)

A controller for video displays and speakers at a Phil’s BBQ restaurant in Texas. (Screenshot: Shodan)

A Kodak Lotem printing press. (Screenshot: Shodan)

Someone’s already-hacked lawn sprinkler system. Yes, that’s Rick Astley. (Screenshot: Shodan)

A sulfur dioxide detector. (Screenshot: Shodan)

An internet-connected knee recovery machine. (Screenshot: Shodan)

Somehow, a really old version of Windows XP still in existence. (Screenshot: Shodan)

Someone’s workout machine. (Screenshot: Shodan)

21 Jan 2019

Samsung could release three variants of the Galaxy S10

According to a leaked image from Evan Blass, Samsung’s new flagship device could come in three different versions — the Samsung Galaxy S10, the Samsung Galaxy S10+ and the Samsung Galaxy S10E.

That new leak lines up with previous leaks. As you can see on the photo, the new devices don’t have a notch. They feature a hole-punch selfie camera instead. If you’re looking for the fingerprint sensor, Samsung could choose to embed it in the screen.

Just like in previous years, in addition to the main S10, there will be a bigger version of the device — the S10+. On this photo, you can see that the bigger version has two selfie cameras instead of one.

But the S10E is a new addition to the lineup. Samsung is launching a more affordable version of the S10 at the same time as the S10. For instance, the S10E features two cameras on the back instead of three. I wouldn’t be surprised if the S10E had an LCD display instead of an AMOLED display as well.

Samsung plans to unveil the Galaxy S10 at an event in San Francisco on February 20. We’ll have a team on the ground to tell you more about the device.

21 Jan 2019

Facebook is reportedly testing solar-powered internet drones again — this time with Airbus

Facebook last year grounded its ambitious plan to develop a solar-powered drone to beam internet across the world, but the company isn’t done with the concept, it seems. The social media giant is working with aeronautics giant Airbus to test drones in Australia, according to a new report from Germany’s NetzPolitik.

Using a request under Australia’s Freedom of Information Act, NetzPolitik got hold of a document that shows the two companies spent last year in talks over a collaboration with test flights scheduled for November and December 2018. The duo have collaborated before on communication systems for satellite drones.

Those trials — and it isn’t clear if they took place — involved the use of Airbus’ Zephyr drone, a model that is designed for “defence, humanitarian and environmental missions.” The Zephyr is much like Facebook’s now-deceased Aquila drone blueprint; it is a HAPS — “High Altitude Pseudo Satellite” — that uses solar power and can fly for “months.”

The Model S version chosen by Facebook sports a 25-meter wingspan, can operate at up to 20 km altitude and uses millimeter-wave radio to broadcast to the ground.

The Zephyr Model S and Model T as displayed on the Airbus website

The Facebook and Airbus trials were designed to test a payload from the social network, doubtless internet broadcasting gear, but, since the document covers planning and meetings prior to the tests, we don’t know what the outcome or results were.

“We continue to work with partners on High Altitude Platform System (HAPS) connectivity. We don’t have further details to share at this time,” a Facebook spokesperson told NetzPolitik.

TechCrunch contacted Facebook for further comment (06:55 am EST), but the company had not responded at the time of writing.

Facebook has a raft of projects that are aimed at increasing internet access worldwide, particularly in developing regions such as Asia, Africa and Latin America. The drone projects, aimed at bringing connectivity to remote areas, may be its boldest, but it has also used software and existing infrastructure to try to make internet access more affordable.

That has included the controversial Internet.org project, which was outlawed in India because it violated net neutrality by selecting the websites and apps that could be used. Since renamed to Free Basics, likely prompted by the Indian setback, it has been scaled back in some markets but, still, Facebook said last year that the program has reached nearly 100 million people to date. Beyond that top-line number, little is known about the service, which also includes paid tiers for users.

That aside, the company also has a public-private WiFi program aimed at increasing hotspots for internet users while they are out and about.

21 Jan 2019

French data protection watchdog fines Google $57 million under the GDPR

The CNIL, the French data protection watchdog, has issued its first GDPR fine of $57 million (€50 million). The regulatory body claims that Google has failed to comply with the General Data Protection Regulation (GDPR) when new Android users set up a new phone and follow Android’s onboarding process.

Two nonprofit organizations called ‘None Of Your Business’ (noyb) and La Quadrature du Net had originally filed a complaint back in May 2018 — noyb originally filed a complaint against Google and Facebook, so let’s see what happens to Facebook next. Under the GDPR, complaints are transferred to local data protection watchdogs.

While Google’s European HQ is in Dublin, the CNIL first concluded that the team in Dublin doesn’t have the final say when it comes to data processing for new Android users — that decision probably happens in Mountain View. That’s why the investigation continued in Paris.

The CNIL then concluded that Google fails to comply with the GDPR when it comes to transparency and consent.

Let’s start with the alleged lack of transparency. “Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information,” the regulator writes.

For instance, if a user wants to know how their data is processed to personalize ads, it takes 5 or 6 taps. The CNIL also says that it’s often too hard to understand how your data is being used — Google’s wording is broad and obscure on purpose.

Second, Google’s consent flow doesn’t comply with the GDPR according to the CNIL. By default, Google really pushes you to sign in or sign up to a Google account. The company tells you that your experience will be worse if you don’t have a Google account. According to the CNIL, Google should separate the action of creating an account from the action of setting up a device — consent bundling is illegal under the GDPR.

If you choose to sign up to an account, when the company asks you to tick or untick some settings, Google doesn’t explain what it means. For instance, when Google asks you if you want personalized ads, the company doesn’t tell you that it is talking about many different services, from YouTube to Google Maps and Google Photos — this isn’t just about your Android phone.

In addition to that, Google doesn’t ask for specific and unambiguous consent when you create an account: the option to opt out of personalized ads is hidden behind a “More options” link, and that option is pre-ticked by default (it shouldn’t be).

Finally, by default, Google ticks a box that says “I agree to the processing of my information as described above and further explained in the Privacy Policy” when you create your account. Broad consent like this is also forbidden under the GDPR.

The CNIL also reminds Google that nothing has changed since its investigation in September 2018.

Chairman of noyb Max Schrems has sent us the following statement:

“We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law. Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough. We are also pleased that our work to protect fundamental rights is bearing fruit. I would also like to thank our supporters who make our work possible.”

Update: A Google spokesperson has sent us the following statement:

“People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”

21 Jan 2019

The Tesla Model 3 is finally approved for European roads

Tesla can now deliver Model 3 vehicles to European customers. The automaker’s midsize sedan was recently granted approval from RDW, the Dutch regulator and European authority tasked by Tesla with approving the vehicle for European roads.

The approval comes just ahead of the vehicle’s European introduction next month. It has been reported that a cargo ship full of Model 3s is currently en route to Zeebrugge, Belgium, and should arrive around February 2.

The nod from the European governing body was a critical last step. Tesla is clearly racing to get its least expensive vehicle in Europe ahead of the onslaught of EVs planned by European auto makers.

Last week, Tesla announced a cost-savings plan in an effort to shore up its international Model 3 deliveries. The automaker stated that it was cutting 7 percent of its full-time workers. In the email, CEO Elon Musk says the focus must be on delivering “at least the mid-range Model 3 variant in all markets.” He also warns those employees not set to be axed that there are “many companies that can offer a better work-life balance, because they are larger and more mature or in industries that are not so voraciously competitive.”

21 Jan 2019

GoFundMe launches official campaign for workers impacted by government shutdown

GoFundMe is partnering with Deepak Chopra to launch a different kind of campaign. The company is going beyond its usual role as a platform and hosting its own campaign to provide relief for government workers impacted by the current government shutdown.

The company is partnering with several nonprofit organizations that are providing support to government workers. For now, GoFundMe is supporting #ChefsForFeds, an initiative that serves free meals in Washington D.C., as well as the National Diaper Bank Network to help parents impacted by the shutdown. Other nonprofit organizations can reach out to partner with this campaign.

“I hope the shutdown ends soon. In the meantime, please join me and help our fellow Americans by providing some short term relief,” GoFundMe CEO Rob Solomon said in the announcement. “This is not about politics. This is lending a helping hand to someone in need.”

As of this writing, 1,170 people have donated over $94,000. That represents an average of $80 per donation.

A couple of weeks ago, GoFundMe issued refunds for another campaign — a Trump-inspired campaign that wanted to raise money to build a wall on the southern U.S. border. It was operated by an individual and ended up with over $20 million.

GoFundMe refunded backers as the campaign administrator wanted to change the terms of the campaign so that backers wouldn’t be able to get refunds.

Once again, GoFundMe’s role is unclear. Many individuals use the platform to pay for medical bills and compensate for the flaws of the healthcare system in the U.S. This time, a GoFundMe campaign is taking over during a government shutdown. In other words, a private company is managing the budget of government workers, or at least their most essential needs.

GoFundMe can’t evenly cover the needs of all government workers across all states. Some will see a direct impact from that GoFundMe campaign while others won’t see any of that money. That’s the role of the government.

21 Jan 2019

Kaia Health gets $10M support for AI-powered management of chronic pain

Kaia Health, a self-styled “digital therapeutics” startup, has pulled in $10 million in Series A funding for an app-based approach to chronic pain management.

The idea is to offer an alternative to painkillers, using mobile technology to deliver what the founder describes as multimodal “mind body therapy” for musculoskeletal (MSK) disorders, comprised of guided physical exercises, psychological techniques and on-tap medical education.

“Once you fall into this category of you’re a chronic pain patient, and not just you have acute pain for two or three days, then this is the best therapy to do,” says co-founder and CEO Konstantin Mehl. “But at the moment because this therapy is so expensive only 2% of the patients who should get access to it actually get access to it and the other 98% of patients are treated with treatments against acute pain, like painkillers and surgery… This is why there’s this crazy cost explosion when you look at the costs in the healthcare systems.”

The 2015-founded startup has developed a personal trainer app that uses computer vision technology so it can act as a fully autonomous exercise coach. The app works by visually monitoring the user as they perform exercises (via their smartphone’s camera), enabling it to keep track of repetitions and also provide vocal feedback — to correct posture and motion.

The idea is to offer a more accessible and less expensive alternative to the one-on-one, in-person physiotherapy which a person suffering chronic pain from an MSK disorder might otherwise use to manage their pain, such as by visiting a dedicated pain center for weeks of guided treatment. However, as Mehl notes, that can be prohibitively expensive and also entail long wait times to get seen.

Kaia’s first focus has been on back pain which Mehl knows plenty about — having suffered himself for two years. His struggles to find effective and affordable pain management were the inspiration for setting up the company, he tells us.

The goal he’s shooting for with Kaia is to democratize access to proven multimodal therapies and reduce reliance on pharmaceuticals — pointing to rising use of opioid-based painkillers, including in the U.S., where reliance on the drug has been driven by over-prescription leading to an epidemic of addiction and rising numbers of overdose deaths.

“Most treatments against chronic back pain are just crazy expensive and crazy ineffective. Which is a weird combination,” he says. “There’s a lot of people out there who don’t know how to cope with their pain.”

Kaia’s approach addresses “the root causes of chronic pain”, according to Mehl, though he concedes it cannot claim the digital therapy will cure everybody, saying: “That’s just not realistic.”

Though he emphasizes that “you can definitely reverse chronic pain when you have a low or medium chronification level” via the therapies Kaia’s app is designed to deliver digitally, as happened in his own case, albeit in person at a pain center.

He also suggests digital therapeutics can provide greater support than even a dedicated pain center can, because many patients don’t feel comfortable or safe carrying on doing exercises at home, whereas an app coach offers an “opportunity to control yourself all the time, 24/7”, which is really what chronic pain patients need.

“We track every point on your body. And that’s the cool thing about us — that we can give you feedback on a millimeter basis of what movements you do wrong if you want,” he adds, talking up the advantages of using computer vision rather than wearable sensors to monitor physical exercise. “At the moment we have more of a problem that we give too much feedback; that people complain about the app never stops correcting me!”

Last summer another startup, Hinge Health, announced a $26M Series B round for another drug-free platform-based approach to managing musculoskeletal disorders. Though its approach involves not just an app but wearable sensors and also some one-to-one health coaching — delivered remotely but by an actual human, rather than Kaia’s fully automated, sensor-free AI coach.

Mehl says the startup experimented with wearable sensors but found many users were reluctant to use them, so it decided to focus fully on a system of visual monitoring, feeding user data into continued training of the machine learning algorithms, and reached a level of motion tracking that it’s very happy with around two months ago.

“We had one exercise already one year ago — a squat — so we released a standalone app which we called the Squat Challenge, just to see how people are able to use this technology. And then the challenge was to just track all different body positions. So that took another six months to add all body positions. And now recently, since six weeks, we are able to track all body positions. And now we can basically correct any exercise.”

“We are a very scalable solution,” he adds. “That’s so important for us because [Hinge Health] charge a lot of money per patient, so they maximize the dollars per patient, which is a typical thing you do in the pharma industry. Which I’m totally against. Because then we repeat the mistakes of pharma companies to artificially limit the access again, right. So we want to democratize the access to this best in class therapy and not build these artificial barriers to access.”

The Series A round was led by Balderton Capital which says it’s excited by the potential for Kaia to build a platform for a family of pain intervention tools — flagging the startup’s research around conditions such as the lung disease COPD, and potentially even Parkinson’s.

In a blog about the investment, Balderton partner James Wise writes: “The platform Kaia Health is building has the potential to extend well beyond back pain. By combining clinical levels of research with longitudinal tracking and computer vision expertise, they are becoming a platform for any intervention where pain can be relieved through regular clinical observation and guidance.

“Rather than just giving patients another way to connect to a carer, Kaia Health has utilised the most powerful and prevalent tools we have to provide clinically effective health treatments, at a fraction of the cost, and freeing up physiotherapists time for more meaningful interactions. It’s an exciting antidote to the Baumol cost disease, and one we hope will change many people’s lives.”

Kaia has around 250,000 users at this stage, via a B2C offering as well as organizations in Europe and the U.S. which make its app available (such as via medical insurance).

The new funding will be put towards scaling up in the U.S. especially, with a new office in New York City; Mehl says they want to flip the current usage ratio of 80% Europe to 20% U.S.

It also plans to fund further clinical studies, including longer follow-up studies running to 24 months (vs. the three-, six- and twelve-month studies it has already done).

A peer-reviewed, randomized controlled trial of Kaia’s approach is also pending publication in a leading journal, according to Mehl.

21 Jan 2019

All your meme are belong to AOC

Memes are the new vernacular of political culture and we dismiss them at our own peril. Liberals learned this the hard way late in the presidential campaign, when they began realizing how deftly the alt-right was able to use viral jokes, hashtags, and images as a propaganda tool, often to bolster white supremacist ideology. The phenomenon was propagated by Donald Trump, often through retweets (the president’s Twitter account, @realDonaldTrump, is arguably a meme farm at the highest level of government). Progressives have tried to fight back with their own memes, but nothing has gained the potency of say, new vocabulary like “cuck” or Pepe the Frog, the comic book character whose misappropriation as an alt-right mascot was condemned by its creator Matt Furie and his publisher.

But the left finally has a way to take back meme culture. Instead of originating from the anonymous bowels of 4chan or Reddit, it’s coming from Capitol Hill: the social media accounts of Rep. Alexandria Ocasio-Cortez (often referred to as AOC, which is also her Twitter handle). Not only is she fluent in Internet culture, but Ocasio-Cortez is also willing to take advantage of it, even as critics dismiss her, the youngest woman ever elected to Congress, as a “little girl” or demand that her cohort of Democrats “stop acting like young people,” as Aaron Sorkin did during a recent CNN interview.

Ocasio-Cortez’s tweets mix her knowledge of Internet and gaming culture with statements about serious issues like taxation, income inequality, fossil-fuel pollution, and transgender rights, while her Instagram posts and Stories give followers a behind-the-scenes look at Congress. She’s prompted important policy discussions, most notably in the case of marginal tax rates, turned Mitch McConnell into a meme (#wheresMitch), and even made a C-Span video go viral.

Sworn into Congress less than a month ago, Ocasio-Cortez’s impact on political discourse is already obvious. This was highlighted over the weekend, first when Ocasio-Cortez tweeted “All your base (are) belong to us” about the popularity of her tax rate proposal, which calls for earnings higher than $10 million to be taxed at 70 percent, among both Republicans and Democrats. Though the meme itself has been around long enough to qualify as “retro,” her use of it still became a major talking point.

Then on Sunday, Ocasio-Cortez dropped into YouTuber Hbomberguy’s (AKA Harry Brewis) Twitch marathon of Donkey Kong 64, a fundraiser for transgender youth support group Mermaids, to voice her support. Speaking about discrimination against transgender people, Ocasio-Cortez said “it’s important that we do talk about these issues in the economic frame, but not let go of the fact that discrimination is a core reason for the economic hardship” (she also declared the Nintendo 64 “probably the best system out of all of them”).

Ocasio-Cortez, the Congressional representative for New York’s 14th district in Queens and the Bronx, has also shown an adept understanding of how to satirize meme culture, turning it against itself even as she participates. This is something that any public figure who wants to own their own narrative and point of view must now be able to master. And Democrats seem to understand this, since they asked her to lead a training session about social media.

Her critics have credited Ocasio-Cortez’s ability to go viral as a result of her youth and appearance. That’s certainly a factor, which Ocasio-Cortez has addressed. But she has figured out how to use even that criticism to her advantage. When a fake nude selfie of Ocasio-Cortez was reposted by right-wing news site the Daily Caller, it was an attempt to turn meme culture (and her looks) against her, but the Congresswoman instead flipped it into a discussion about misogyny against women leaders.

An earlier attempt by Twitter user AnonymousQ1776 to portray Ocasio-Cortez as a “clueless nitwit” based on a video of her dancing in college also backfired by instead portraying her as, well, a typical college student. Inspired by a scene in “The Breakfast Club,” the video itself was an example of an early (relatively speaking) Internet meme, which itself triggered a discussion (and lawsuit) over copyright law and fair use rights, as noted by Freedom of the Press Foundation director of special projects Parker Higgins. That tweet also, as you would guess from someone whose social media star is up high right now, launched the AOC Dancing to Every Song meme.

But Ocasio-Cortez’s messages aren’t just for her political opponents. They also serve as a signal to people who have felt increasingly disenfranchised and scared over the last few years that the country’s problems, while profound, can be approached with intelligence and even some wry humor.

A week after she was sworn into Congress, tech investor Vinod Khosla casually dismissed her credentials, expressing doubt that she “understands basic economics, actual humans and technology.” This was a strange statement to make about someone who placed second in microbiology at the Intel International Science and Engineering Fair and earned a degree in international relations and economics at Boston University.

“Good at memes” might not look as good on a resume as her prize in one of the most prestigious research competitions for high school students (other alumni have gone on to win the Nobel Prize and National Medal of Science), but it shows that Ocasio-Cortez understands tech (and actual humans) on a level that her critics, including Khosla, Sorkin, and Piers Morgan, who admonished Ocasio-Cortez to start “acting like a grown-up not a juvenile smart-a**e,” are perhaps incapable of.

Ocasio-Cortez has often been compared to Trump for their ability to control the narrative through social media, especially Twitter. To cite another meme, however, Trump is chaotic evil, acting on the urge of impulses he seems unable to control even as they profoundly affect the lives of vulnerable people. Maybe it’s too early to tell exactly where Ocasio-Cortez’s political influence will fall on the D&D alignment chart, but it is anything but chaotic.