You can now sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.
A selection of 9 links for you. Use them wisely. I’m @charlesarthur on Twitter. Observations and links welcome.
Apple and SensoMotoric Instruments did not respond to multiple requests for comments. SensoMotoric’s phone line was out of service.
SensoMotoric Instruments, founded in 1991, has developed a range of eye tracking hardware and software for several fields of use, including virtual and augmented reality, in-car systems, clinical research, cognitive training, linguistics, neuroscience, physical training and biomechanics, and psychology.
The company’s Eye Tracking Glasses, for instance, are capable of recording a person’s natural gaze behavior in real-time and in real world situations with a sampling rate up to 120Hz. One possible use case is for athletes looking to evaluate and improve their visual performance.
SensoMotoric has also developed eye-tracking technology for virtual reality headsets such as the Oculus Rift, which can analyze the wearer’s gaze and help to reduce motion sickness, a common side effect of VR. The solution can also allow a person to control menus or aim in a game with their gaze.
SensoMotoric’s other eye-tracking solutions include standalone devices, such as the RED250mobile, which allows saccade-based studies to be conducted at 250Hz for researchers who require both mobility and high sampling rate.
Great scoop. And verrrry interesting.
link to this extract
Cognitive capacity and overall brain power are significantly reduced when your smartphone is within glancing distance—even if it’s turned off and face down—according to a recent study. This new report from the University of Texas at Austin, “Brain Drain: The Mere Presence of One’s Own Smartphone Reduces Available Cognitive Capacity,” was published in the Journal of the Association for Consumer Research.
During this study, the UT Austin researchers found that someone’s ability to hold and process data significantly improved if his or her smartphone was in another room while taking a test to gauge attentional control and cognitive processes. Participants who kept their phones in a pocket or bag also outperformed those who kept their phones on the desk while taking the same test. Again, even if the phone was turned off and face down on the desk, the mere sight of one’s own smartphone seemed to induce “brain drain” by depleting finite cognitive resources.
In June 2016, another study reported that the typical smartphone owner interacts with his or her phone an average of 85 times per day. This includes immediately upon waking up, just before going to sleep, and oftentimes in the middle of the night. (For the record: Although I hate to admit it, I am a heavy smartphone user and these statistics accurately describe my waking and sleeping phone habits.)
link to this extract
My quick hashcat results gave me some confidence that we weren’t doing anything terribly wrong with the Discourse password hashes stored in the database. But I wanted to be completely sure, so I hired someone with a background in security and penetration testing to, under a signed NDA, try cracking the password hashes of two live and very popular Discourse sites we currently host.
I was provided two sets of password hashes from two different Discourse communities, containing 5,909 and 6,088 hashes respectively. Both used the PBKDF2-HMAC-SHA256 algorithm with a work factor of 64k. Using hashcat, my Nvidia GTX 1080 Ti GPU generated these hashes at a rate of ~27,000/sec.
Common to all Discourse communities are various password requirements:
All users must have a minimum password length of 10 characters.
All administrators must have a minimum password length of 15 characters.
Users cannot use any password matching a blacklist of the 10,000 most commonly used passwords.
Users can choose to create a username and password or use various third party authentication mechanisms (Google, Facebook, Twitter, etc). If this option is selected, a secure random 32 character password is autogenerated. It is not possible to know whether any given password is human entered, or autogenerated.
Using common password lists and masks, I cracked 39 of the 11,997 hashes in about three weeks, 25 from the ████████ community and 14 from the ████████ community.
The list of passwords he cracked is pretty wonderful – “007007bond”, “123password” and more. TL;DR: use a 12-character password at minimum.
link to this extract
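As an added illustration of the numbers in the pentest report above (this is not Discourse’s code or the tester’s tooling), the following Python puts the quoted policy and hashing parameters into working form: the 10/15-character minimums, a blacklist check, salted PBKDF2-HMAC-SHA256 at the 64k work factor, and a keyspace calculator that shows why, at ~27,000 hashes/sec, a full 10-character brute force is hopeless but a dictionary word plus a short mask (the shape of “007007bond”) falls in minutes. The blacklist entries are a constructed stand-in for the real 10,000-entry list, the hashcat charset sizes are the tool’s built-in ones, and Discourse’s actual storage format for salt and hash is not reproduced.

```python
import hashlib
import hmac
import os

# Policy values quoted in the pentest report above.
WORK_FACTOR = 64_000          # PBKDF2-HMAC-SHA256 iteration count
MIN_LEN_USER = 10
MIN_LEN_ADMIN = 15
CRACK_RATE_PER_SEC = 27_000   # reported GTX 1080 Ti rate at this work factor

# Constructed stand-in for the 10,000-entry common-password blacklist (assumption).
COMMON_PASSWORDS = {"password123", "1234567890", "qwertyuiop", "iloveyou12", "adminadmin"}


def policy_violations(password: str, is_admin: bool = False) -> list:
    """Return the rules a candidate password breaks; an empty list means it is accepted."""
    problems = []
    minimum = MIN_LEN_ADMIN if is_admin else MIN_LEN_USER
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blacklist")
    return problems


def hash_password(password: str, salt: bytes = None, iterations: int = WORK_FACTOR):
    """Salted PBKDF2-HMAC-SHA256; returns (salt_hex, hash_hex, iterations) for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt.hex(), digest.hex(), iterations


def verify_password(password: str, salt_hex: str, hash_hex: str,
                    iterations: int = WORK_FACTOR) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate, _ = hash_password(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate, hash_hex)


# hashcat built-in charset sizes: ?l lower, ?u upper, ?d digit, ?s symbol, ?a all printable.
MASK_CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


def mask_keyspace(mask: str) -> int:
    """Candidates generated by a hashcat-style mask; literal characters count once."""
    size, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            size *= MASK_CHARSETS[mask[i + 1]]   # KeyError on an unknown charset
            i += 2
        else:
            i += 1
    return size


def years_to_exhaust(keyspace: int, rate: int = CRACK_RATE_PER_SEC) -> float:
    """Worst-case time to try every candidate at the measured hash rate."""
    return keyspace / rate / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Brute-forcing the full 10-character lowercase space is out of reach at 27k H/s ...
    print(f"?l x10: {years_to_exhaust(mask_keyspace('?l' * 10)):.0f} years")
    # ... but a wordlist entry plus a short mask, the shape of '007007bond' or
    # '123password', is a tiny keyspace, which is why the cracked passwords look as they do.
    seconds = years_to_exhaust(10_000 * mask_keyspace("?d?d?d")) * 365.25 * 24 * 3600
    print(f"10k words x ?d?d?d: {seconds:.0f} s")
    print(policy_violations("123password"), policy_violations("correcthorsebattery", is_admin=True))
```

Run stand-alone it reports roughly 166 years for the ten-lowercase-letter mask against about six minutes for ten thousand dictionary words combined with three digits, at the quoted rate. The length rule and the blacklist do nothing against the second attack, which is the point of the extract: length beyond the minimum, and not following a word with a predictable suffix, is what keeps a hash out of the 39.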
a firmware fix—if available—is the best option, though again, availability may be spotty. Microsoft’s Surface Book, for example, does not appear to have a system firmware that includes the fix. I don’t mean to call out Microsoft specifically—I daresay many motherboard firmwares have similarly not been updated in the month and a half since Intel issued its patch—but rather to indicate that even systems that are still supported and do receive regular firmware updates may not have Intel’s latest and greatest microcode yet.
On systems without either a firmware fix or updated driver, disabling hyperthreading is believed to be a robust solution. Most users, however, will probably just want to take their chances; the exact sequence of instructions and runtime conditions that cause problems seem to be rare (certainly rarer than Intel’s description of the bug, “Short Loops Which Use AH/BH/CH/DH Registers May Cause Unpredictable System Behavior,” might otherwise indicate), and, under most circumstances, affected systems appear to be stable anyway. More than 18 months passed before this bug was fixed, after all, and there haven’t been too many reports of Skylake machines crashing left and right because of it.
Eying up AMD systems as an alternative might be tempting, but they’re susceptible to comparable issues, too, in which certain sequences of instructions under certain system conditions can cause crashes or other misbehavior. The workaround in AMD’s case is to disable the micro-op cache. Processors are certainly more reliable than software, but they all have bugs, no matter what chip you choose.
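The two things the extract says you need to decide about this bug are which microcode your CPU is actually running and, failing a fix, whether you can live without hyperthreading. The POSIX shell script below is an added example for Linux, not from the Ars Technica piece or from Intel: it prints the family/model/stepping/microcode values you would compare against Intel’s errata and microcode release notes (the script itself does not know which values are affected), and it lists, or with `--disable-smt` takes offline, the secondary hardware thread of every core, which is the hyperthreading workaround done at runtime rather than in firmware. The `/proc/cpuinfo` excerpt used for the self-test is constructed and its model and microcode numbers are illustrative only; the global `smt/control` switch is assumed to exist on kernels from about 4.19 onward.

```shell
#!/bin/sh
# Added example (not from the article): Linux helpers to gather what you need
# before deciding on a microcode fix or the disable-hyperthreading workaround.

# Print "family model stepping microcode" for the first processor in
# /proc/cpuinfo-format text read from stdin. Compare these against Intel's errata
# and microcode release notes; this script does not know which values are affected.
cpu_identity() {
  awk -F': *' '
    /^cpu family[ \t]*:/ { fam = $2 }
    /^model[ \t]*:/      { mod = $2 }
    /^stepping[ \t]*:/   { step = $2 }
    /^microcode[ \t]*:/  { ucode = $2 }
    fam != "" && mod != "" && step != "" && ucode != "" {
      print fam, mod, step, ucode; exit
    }'
}

# Read one thread_siblings_list per line (as found in
# /sys/devices/system/cpu/cpuN/topology/), in either "0,4" or "0-1" form, and print
# every CPU that is a sibling of a lower-numbered CPU. Taking those offline leaves one
# hardware thread per core, i.e. hyperthreading disabled without a firmware setting.
secondary_threads() {
  awk '
    NF == 0 { next }
    {
      k = 0; split("", cpus)
      n = split($0, parts, ",")
      for (i = 1; i <= n; i++) {
        if (split(parts[i], r, "-") == 2) {
          for (c = r[1] + 0; c <= r[2] + 0; c++) cpus[++k] = c
        } else {
          cpus[++k] = parts[i] + 0
        }
      }
      low = cpus[1]
      for (i = 2; i <= k; i++) if (cpus[i] < low) low = cpus[i]
      for (i = 1; i <= k; i++)
        if (cpus[i] != low && !(cpus[i] in seen)) { seen[cpus[i]] = 1; print cpus[i] }
    }' | sort -n
}

# Current SMT state on kernels that expose the global switch (assumption: Linux 4.19+).
smt_state() {
  if [ -r /sys/devices/system/cpu/smt/control ]; then
    cat /sys/devices/system/cpu/smt/control
  else
    echo "unknown (no /sys/devices/system/cpu/smt/control)"
  fi
}

# Take secondary hyperthreads offline. Needs root; reversible by writing 1 back.
disable_smt() {
  for cpu in /sys/devices/system/cpu/cpu[0-9]*; do
    cat "$cpu/topology/thread_siblings_list"
  done | secondary_threads | while read -r n; do
    echo "offlining cpu$n"
    echo 0 > "/sys/devices/system/cpu/cpu$n/online"
  done
}

# Constructed /proc/cpuinfo excerpt for the self-test; the values are illustrative only.
sample_cpuinfo() {
  printf 'processor\t: 0\nvendor_id\t: GenuineIntel\ncpu family\t: 6\nmodel\t\t: 94\n'
  printf 'model name\t: Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz\nstepping\t: 3\nmicrocode\t: 0xba\n'
}

case "${1:-}" in
  --self-test)
    sample_cpuinfo | cpu_identity
    printf '0,4\n1,5\n2,6\n3,7\n0,4\n' | secondary_threads ;;
  --disable-smt)
    disable_smt ;;
  *)
    if [ -r /proc/cpuinfo ]; then
      cpu_identity < /proc/cpuinfo
      echo "smt: $(smt_state)"
    fi ;;
esac
```

Note that the microcode value `/proc/cpuinfo` shows is whatever was loaded last, whether by the firmware or by the OS microcode driver at boot, so a system whose vendor never shipped a firmware update can still report a fixed revision if the distribution’s microcode package carries it. Offlining siblings is a runtime change and does not survive a reboot; a firmware-level HT switch, where offered, does.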
When it comes to online access and activity, mothers in the UK differ from nonmothers by both device preference and content choice, according to a recent study by UKOM and comScore Inc.
Based on January 2017 usage data, the report found that UK women ages 25 to 54 with children in their households spent most of their time online (59%) via smartphone. By comparison, among women in that age group without children at home, the smartphone figure was a more modest 48%. The nonmothers spent comparatively more time on desktop computers (35%) than did the women with kids at home (26%).
The device usage patterns were similar for men, with male parents of kids at home also overindexing for smartphone time spent online compared with child-free men in the UK ages 25 to 54.
Parenthood also appeared to influence the types of content accessed online. The study found that mothers spent over 2 hours more on social media per month than nonmothers, and nearly that much more time on entertainment sites. But mothers spent more than 2 hours less on news or information sites than did women without children in the home.
Also, the mothers and fathers had children to look after. This tends to be a big difference between parents and nonparents.
link to this extract
Slack has become the centre of many journalistic organizations: reporters and editors use it to talk about stories, swap files, and generally run their day-to-day operations.
But using Slack or similar services for delicate work is not always a great idea; lawyers working for Hulk Hogan managed to get hold of Gawker staff’s Campfire logs, in part, because the messages are not end-to-end encrypted.
There’s another, albeit slightly niche issue that journalists and activists may need to consider when using Slack: the service does not appear to strip uploaded images of metadata. Depending on the situation and the image itself, this could potentially expose where a photo was taken, or give clues as to who took it; not great if you’re working with a source.
Security analyst Jerry Gamblin recently highlighted the issue in a tweet, and Motherboard verified that Slack preserves image metadata when using the service’s web client. (In a second test, Motherboard was unable to replicate Gamblin’s results, and in a third, metadata was retained, including geolocation information).
In case you were wondering. Useful to know.
link to this extract
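What “metadata” means for a JPEG is concrete: Exif lives in an APP1 segment near the start of the file, and the location data Motherboard saw retained is a GPS sub-IFD that IFD0 points to with tag 0x8825. The Python below is an added example, not Slack’s or Motherboard’s code, that walks a JPEG’s segments, reports whether the Exif block carries a GPS pointer, and rewrites the file with every APPn and COM segment removed before it goes anywhere near an upload box. The sample JPEG is constructed in the block (valid segment layout with a dummy scan, not a decodable picture); on a real photo, pass the file’s bytes to `describe()` and `strip_metadata()` instead.

```python
import struct

# JPEG marker codes (the byte after 0xFF). APPn segments carry Exif, XMP and ICC
# data; COM is a free-text comment. Everything from SOS onward is image data.
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
APP0, APP1, APP14, DQT = 0xE0, 0xE1, 0xEE, 0xDB
GPS_INFO_TAG = 0x8825          # IFD0 entry pointing at the Exif GPS sub-IFD
NAMES = {SOI: "SOI", SOS: "SOS", COM: "COM", DQT: "DQT", 0xC0: "SOF0", 0xC4: "DHT"}


def iter_segments(data: bytes):
    """Yield (marker, raw_segment) up to SOS; the SOS item carries the rest of the file."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    yield SOI, data[:2]
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            yield SOS, data[pos:]
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])   # counts its own 2 bytes
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length
    raise ValueError("truncated JPEG (no SOS)")


def exif_has_gps(segment: bytes) -> bool:
    """True if an APP1 segment is Exif and its IFD0 contains a GPSInfo pointer."""
    payload = segment[4:]                       # skip marker and length
    if not payload.startswith(b"Exif\x00\x00"):
        return False
    tiff = payload[6:]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or struct.unpack(endian + "H", tiff[2:4])[0] != 0x2A:
        return False
    (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
    (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):
        entry = ifd0 + 2 + 12 * i                 # 12-byte IFD entries follow the count
        (tag,) = struct.unpack(endian + "H", tiff[entry:entry + 2])
        if tag == GPS_INFO_TAG:
            return True
    return False


def describe(data: bytes) -> list:
    """Segment summary, flagging Exif blocks that carry a GPS sub-IFD."""
    out = []
    for marker, seg in iter_segments(data):
        if marker == APP1 and seg[4:].startswith(b"Exif\x00\x00"):
            out.append("APP1/Exif+GPS" if exif_has_gps(seg) else "APP1/Exif")
        elif 0xE0 <= marker <= 0xEF:
            out.append(f"APP{marker - 0xE0}")
        else:
            out.append(NAMES.get(marker, f"0x{marker:02X}"))
    return out


def strip_metadata(data: bytes, keep=(APP0, APP14)) -> bytes:
    """Drop APPn and COM segments. APP0 (JFIF) and APP14 (Adobe colour transform)
    are kept by default because decoders rely on them; ICC profiles in APP2 go too."""
    out = bytearray()
    for marker, seg in iter_segments(data):
        if marker == COM or (0xE0 <= marker <= 0xEF and marker not in keep):
            continue
        out += seg
    return bytes(out)


# --- constructed sample input (not a real photo: valid segment layout, dummy scan) ---

def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def _exif_payload(with_gps: bool) -> bytes:
    # Big-endian TIFF header, IFD0 at offset 8 with a Model tag and, optionally,
    # a GPSInfo pointer (the GPS IFD itself is not needed for detection).
    entries = [struct.pack(">HHI4s", 0x0110, 2, 4, b"Cam\x00")]
    if with_gps:
        entries.append(struct.pack(">HHII", GPS_INFO_TAG, 4, 1, 8 + 2 + 12 * 2 + 4))
    ifd0 = struct.pack(">H", len(entries)) + b"".join(entries) + struct.pack(">I", 0)
    return b"Exif\x00\x00" + b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0


def sample_jpeg(with_gps: bool = True) -> bytes:
    return (b"\xff\xd8"
            + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + _segment(APP1, _exif_payload(with_gps))
            + _segment(COM, b"taken by confidential source")
            + _segment(DQT, b"\x00" + bytes(64))
            + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34"
            + b"\xff\xd9")


if __name__ == "__main__":
    original = sample_jpeg()
    print("upload as-is:", describe(original))
    print("after strip: ", describe(strip_metadata(original)))
```

The stripping is purely structural, so the pixel data is untouched and the file still decodes; what goes is everything a camera or phone wrote about the shot, including the comment field, which is where some tools put author and copyright strings. Doing this client-side before upload is the only reliable control when, as the extract reports, you cannot count on the service doing it for you.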
The change was made on Thursday to include the “confidential, personal medical records of private people” in the bracket of information Google may remove unprompted from search results. Other examples of such information include national or government issued identification numbers, bank account numbers, credit card numbers and images of signatures.
The leaking of private medical records can be extremely damaging to the victims, both financially and emotionally, with future prospects affected and private lives of the vulnerable exposed. Given that Google’s indexing system will capture anything that’s publicly accessible on the internet, leaks such as those created by an Indian pathology lab which uploaded more than 43,000 patient records in December, including names and HIV blood test results, can be particularly damaging.
The last change to the removal policy was made in 2015 with the addition of “nude or sexually explicit images that were uploaded or shared without your consent” to cover so-called revenge porn.
The new addition to Google’s scrubbing policy marks a change from the search company’s traditional hands-off, algorithmic approach which resists attempts at censorship. This has come under scrutiny over the last few years due to the spread of fake news and misinformation. Google recently adjusted its search results to down-rank contested information such as fake news.
For many Google has become the gateway to the internet, meaning that removal from the company’s search results effectively scrubs them from the internet.
Google implementing a “right to be private”? Interesting development.
link to this extract
Errata, corrigenda and ai no corrida: none notified