AARP Swipes Right On Senior Social Network

Can you believe that Facebook turns 18 this year? One of the troubled teenager’s biggest problems is that not only are the young people still leaving in droves, many of the remaining denizens are 50 or over and susceptible to the various predators and sources of misinformation that plague the site.

Well, AARP wants to change the landscape of social media for those who are approaching or already living out their twilight years. Basically, they want to lure them away from Facebook. The organization spent untold amounts of money creating Senior Planet Community, which is kind of like a baby version of reddit in that the site is broken into interest categories such as photography, gardening, pets, and fitness enthusiasts.

The site was developed by Older Adults Technology Services (OATS), an AARP affiliate. OATS had been leading computer classes for seniors, moved online during the pandemic, and the idea grew from there.

The main difference is that Senior Planet Community is absolutely free (for now, at least), including a complete lack of advertisements. If Grandma’s gonna unwittingly spend hundreds on micro-transactions, it won’t be taking place here, and not just because there’s no mobile app or games just yet. As far as moderation, there’s a long list of house rules that involve courtesy and encourage the citing of sources. Posts can be reported should they violate the rules.

We’ll see how it goes. There are plenty of bad actors that could pretend to be age 50+, or don’t even have to lie about it. We also wonder how long they’ll be able to go without advertisers.

We’re all getting older, including Zuckerberg. Don’t believe it? Here’s video proof.

Main and thumbnail images via Unsplash.


But Think Of The (World Wide) Users!

History is full of stories about technology that makes sense to the designer but doesn’t really fit the needs of the users. Take cake mixes. In 1929, a man named Duff realized that he could capitalize on surplus flour and molasses and created a cake mix. You simply added water to the dry mix and baked it to create a delicious cake. After World War II General Mills and Pillsbury also wanted to sell more flour so they started making cakes. But sales leveled out. A psychologist who was a pioneer in focus groups named Dichter had the answer: bakers didn’t feel like they were contributing to the creation of the cake. To get more emotional investment, the cake mixes would need to have real eggs added in. Actually, Duff had noticed the same thing in his 1933 patent.

It is easy to imagine a bunch of food… scientists? Engineers? Designers?… whatever a person inventing flour mixes in the 1930s was called… sitting around thinking that making a mix that only requires water is a great thing. But the bakers didn’t like it. How often do we fail to account for users?

From Cake Mix to Tech

Apple has made a business of this. Most of us don’t mind things like arcane commands and control key combinations, but the wider pool of global computer users don’t like those things. As the world continues to virtually shrink, we often find our users are people from different lands and cultures who speak different languages. It is, after all, the world wide web. This requires us to think even harder about our users and their particular likes, dislikes, and customs.



Supply Chain Attack: NPM Library Used By Facebook And Others Was Compromised

Here at Hackaday we love the good kinds of hacks, but now and then we need to bring up a less good kind. Today it was learned that the NPM package ua-parser-js was compromised, and any software using it as a library may have become victim of a supply chain attack. What is ua-parser-js and why does any of this matter?

In the early days of computing, programmers would write every bit of code they used themselves. Larger teams would work together to develop larger code bases, but it was all done in-house. These days software developers don’t write every piece of code. Instead they use libraries of code supplied by others.

For better or worse, repositories of code are now available to do even the smallest of functions so that a developer doesn’t have to write the function from scratch. One such registry is npm (Node Package Manager), which organizes a collection of contributed libraries written in JavaScript. One need only use npm to include a library in their code, and all of the functions of that code are available to the developer. One such example is ua-parser-js, a User Agent Parser written in JavaScript. This library makes it easy for developers to find out the type of device and software being used to access a web page.

On October 22, 2021, the developer of ua-parser-js found that attackers had uploaded a version of his software that contained malware for both Linux and Windows computers. The malicious versions were found to steal data (including passwords and Chrome cookies, perhaps much more) from computers or run a crypto-currency miner. This prompted GitHub to issue a Critical Severity Security Advisory.

What makes this compromise so dangerous is that ua-parser-js is considered to be part of a supply chain, and has been adopted even by Facebook for use in some of its customer facing software. The developer of ua-parser-js has already secured his GitHub account and uploaded new versions of the package that are clean. If you have any software that uses this library, make sure you’ve got the latest version!
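Checking whether a project carries the library is not as simple as reading package.json, because a transitive dependency can pull in a second, older copy nested under its own node_modules. The following added example (not from the article, the ua-parser-js project, or npm) walks a package-lock.json and reports every installed copy of a named package by path and version, handling both the flat "packages" map of newer lockfiles and the nested "dependencies" tree of lockfileVersion 1. The lockfile content is constructed, "some-widget" is a hypothetical dependency, and the affected-version set is a placeholder to be filled from the GitHub advisory:

```python
import json

# Constructed package-lock.json (lockfileVersion 2), standing in for a real project's lockfile.
# "some-widget" is a hypothetical dependency that pins its own older copy of ua-parser-js.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 2,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"ua-parser-js": "^1.0.0", "some-widget": "^2.0.0"}},
    "node_modules/ua-parser-js": {"version": "1.0.1"},
    "node_modules/some-widget": {"version": "2.0.0", "dependencies": {"ua-parser-js": "^0.7.0"}},
    "node_modules/some-widget/node_modules/ua-parser-js": {"version": "0.7.28"}
  },
  "dependencies": {
    "ua-parser-js": {"version": "1.0.1"},
    "some-widget": {
      "version": "2.0.0",
      "requires": {"ua-parser-js": "^0.7.0"},
      "dependencies": {"ua-parser-js": {"version": "0.7.28"}}
    }
  }
}
""")


def find_package_versions(lock, name):
    """Map every installed copy of `name` (by node_modules path) to its resolved version.

    Handles both lockfile layouts: the flat "packages" map of lockfileVersion 2/3,
    keyed by install path, and the nested "dependencies" tree of lockfileVersion 1
    (which v2 files also carry for backwards compatibility). Nested copies matter:
    a transitive dependency can resolve a different version than the top-level one.
    """
    found = {}

    # lockfileVersion >= 2: keys look like "node_modules/a/node_modules/b"; "" is the root project.
    for path, meta in lock.get("packages", {}).items():
        if path and path.split("node_modules/")[-1] == name and "version" in meta:
            found[path] = meta["version"]

    # lockfileVersion 1 layout: recurse through nested "dependencies" objects.
    def walk(deps, prefix):
        for dep_name, meta in deps.items():
            path = f"{prefix}node_modules/{dep_name}"
            if dep_name == name and "version" in meta:
                found[path] = meta["version"]
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return found


def flag_affected(found, affected_versions):
    """Return only the installed copies whose version is in the advisory's affected set."""
    return {path: ver for path, ver in found.items() if ver in affected_versions}


if __name__ == "__main__":
    # Fill this set from the GitHub advisory for the package; the value here is a placeholder.
    AFFECTED = {"0.0.0-PLACEHOLDER"}
    copies = find_package_versions(SAMPLE_LOCK, "ua-parser-js")
    for path, ver in sorted(copies.items()):
        print(f"{path}: {ver}")
    print("affected copies:", flag_affected(copies, AFFECTED) or "none")
```

Point it at a real lockfile with `json.load(open("package-lock.json"))` in place of SAMPLE_LOCK; a clean top-level version is not enough if a nested copy still resolves to one of the advisory's versions.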

Of course this is by no means a unique occurrence. Last month Maya Posch dug into growing issues that come from some flaws of trust in package management systems. The art for that article is a house of cards, an apt metaphor for a system that is only as stable as the security of each and every package being built upon.

Software Removes The Facebook From Facebook’s VR Headset (Mostly)

It’s not a jailbreak, but [basti564]’s Oculess software nevertheless allows one the option to remove telemetry and account dependencies from Facebook’s Oculus Quest VR headsets. It is not normally possible to use these devices without a valid Facebook account (or a legacy Oculus account in the case of the original Quest), so the ability to flip any kind of disconnect switch without bricking the hardware is a step forward, even if there are a few caveats to the process.

To be clear, the Quest devices still require normal activation and setup via a Facebook account. But once that initial activation is complete, Oculess allows one the option of disabling telemetry or completely disconnecting the headset from its Facebook account. Removing telemetry means that details about what apps are launched, how the device is used, and all other usage-related data is no longer sent to Facebook. Disconnecting will log the headset out of its account, but doing so means apps purchased from the store will no longer work and neither will factory-installed apps like Oculus TV or the Oculus web browser.

What will still work is the ability to sideload unsigned software, which are applications that are neither controlled nor distributed by Facebook. Sideloading isn’t on by default; it’s enabled by putting the headset into Developer Mode (a necessary step for installing Oculess in the first place, by the way). There’s a fairly active scene around unsigned software for the Quest headsets, as evidenced by the existence of the alternate app store SideQuest.

Facebook’s control over their hardware and its walled-garden ecosystem continues to increase, but clearly there are people interested in putting the brakes on where they can. It’s possible the devices might see a full jailbreak someday, but even if so, what happens then?


Hackaday Links: October 10, 2021

We have to admit, it was hard not to be insufferably smug this week when Facebook temporarily went dark around the globe. Sick of being stalked by crazy aunts and cousins, I opted out of that little slice of cyber-hell at least a decade ago, so Monday’s outage was no skin off my teeth. But it was nice to see that the world didn’t stop turning. More interesting are the technical postmortems on the outage, particularly this great analysis by the good folks at the University of Nottingham. Dr. Steve Bagley does a great job explaining how Facebook likely pushed a configuration change to the Border Gateway Protocol (BGP) that propagated through the Internet and eventually erased all routes to Facebook’s servers from the DNS system. He also uses a graphical map of routes to show peer-to-peer connections to Facebook dropping one at a time, until their machines were totally isolated. He also offers speculation on why Facebook engineers were denied internal access, sometimes physically, to their own systems.

It may be a couple of decades overdue, but the US Federal Communications Commission finally decided to allow FM voice transmissions on Citizen’s Band radios. It seems odd to be messing around with a radio service whose heyday was in the 1970s, but Cobra, the CB radio manufacturer, petitioned for a rule change to allow frequency modulation in addition to the standard amplitude modulation that’s currently mandatory. It’s hard to say how this will improve the CB user experience, which last time we checked is a horrifying mix of shouting, screaming voices often with a weird echo effect, all put through powerful — and illegal — linear amps that distort the signal beyond intelligibility. We can’t see how a little less static is going to improve that.

Can you steal a car with a Game Boy? Probably not, but car thieves in the UK are using some sort of device hidden in a Game Boy case to boost expensive cars. A group of three men in Yorkshire used the device, which supposedly cost £20,000 ($27,000), to wirelessly defeat the security systems on cars in seconds. They stole cars from garages and driveways to the tune of £180,000 — not a bad return on their investment. It’s not clear how the device works, but we’d love to find out — for science, of course.

There have been tons of stories lately about all the things AI is good for, and all the magical promises it will deliver on given enough time. And it may well, but we’re still early enough in the AI hype curve to take everything we see with a grain of salt. However, one area that bears watching is the ability of AI to help fill in the gaps left when an artist is struck down before completing their work. And perhaps no artist left so much on the table as Ludwig von Beethoven, with his famous unfinished 10th Symphony. When the German composer died, he had left only a few notes on what he wanted to do with the four-movement symphony. But those notes, along with a rich body of other works and deep knowledge of the composer’s creative process, have allowed a team of musicologists and AI experts to complete the 10th Symphony. The article contains a lot of technical detail, both on the musical and the informatics sides. How will it sound? Here’s a preview:

And finally, Captain Kirk is finally getting to space. William Shatner, who played captain — and later admiral — James Tiberius Kirk from the 1960s to the 1990s, will head to space aboard Blue Origin’s New Shepard rocket on Tuesday. At 90 years old, Shatner will edge out Wally Funk, who recently set the record after her Blue Origin flight at the age of 82. It’s interesting that Shatner agreed to go, since he is said to have previously refused the offer of a ride upstairs with Virgin Galactic. Whatever the reason for the change of heart, here’s hoping the flight goes well.

This Week In Security: Apache Nightmare, REvil Arrests? And The Ultimate RickRoll

The Apache HTTP Server version 2.4.49 has a blistering vulnerability, and it’s already being leveraged in attacks. CVE-2021-41773 is a simple path traversal flaw, where the %2e encoding is used to bypass filtering. Thankfully the bug was introduced in 2.4.49, the latest release, and a hotfix has already been released, 2.4.50.

curl --data "echo;id" 'http://127.0.0.1:80/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh'

If that returns anything other than a 403 error, your server may be vulnerable. It’s worth pointing out that Apache ships with a default-deny configuration block that mitigates this vulnerability, so long as that block has not been loosened.

# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# blocks below.
#
<Directory />
AllowOverride none
Require all denied
</Directory>
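Beyond patching, a responder will want to know whether anyone has already tried this against a server. The following added example (not from the article or the Apache project) scans access-log lines in Apache’s combined format for request targets whose `..` segment only appears after percent-decoding, which is the shape of the `.%2e` trick above. It goes a little beyond the page by decoding repeatedly, so double-encoded variants such as `%252e` are caught too, and it keeps the status code alongside each hit so a 200 (served) stands out from a 403 (stopped by the default-deny block). The log lines are constructed sample data:

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Apache's "combined" format (sample data, not real traffic).
# The third line mirrors the request shape shown in the article; the last two vary the encoding.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Oct/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [06/Oct/2021:12:00:02 +0000] "GET /icons/../index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Oct/2021:12:00:03 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 40 "-" "curl/7.79.1"',
    '198.51.100.7 - - [06/Oct/2021:12:00:04 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403 199 "-" "curl/7.79.1"',
    '198.51.100.7 - - [06/Oct/2021:12:00:05 +0000] "GET /cgi-bin/.%252e/.%252e/etc/passwd HTTP/1.1" 404 196 "-" "curl/7.79.1"',
]

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded dots such as %252e are also exposed."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_target(target):
    """Classify a request target:
    None      - no '..' segment before or after decoding
    'plain'   - a literal '..' segment (Apache normalizes these; noisy, but not the 2.4.49 bug)
    'encoded' - a '..' segment that only appears after percent-decoding, e.g. '.%2e' or '%2e%2e';
                this is the shape CVE-2021-41773 abuses to slip past the path filter.
    """
    path = target.split("?", 1)[0]  # ignore the query string
    if ".." in path.split("/"):
        return "plain"
    if ".." in fully_decode(path).split("/"):
        return "encoded"
    return None


def scan_log(lines):
    """Return one finding per suspicious request, keeping the status code so a responder can
    see whether the server served it (200) or the default-deny configuration stopped it (403)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        kind = classify_target(m["target"])
        if kind is None:
            continue
        findings.append({
            "ip": m["ip"], "time": m["ts"], "target": m["target"],
            "status": int(m["status"]), "kind": kind,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['kind']:8} {f['target']}")
```

Feed it real lines with `scan_log(open("/var/log/apache2/access.log"))`; an `encoded` finding with status 200 on a 2.4.49 host is the one to escalate, while the same request answered 403 shows the `<Directory />` deny block doing its job.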

The Day The Internet Stood Still

You might have noticed a bit of a kerfuffle on the Internet on Monday. Facebook dropped out for nearly six hours. While the break was nice for some, it was a major problem for others. What exactly happened? The most apparent cause was that the Facebook.com domain was returning NXDOMAIN to DNS lookups. This led to some fun tweets, with screen caps showing Facebook.com for sale.

All The Good VR Ideas Were Dreamt Up In The 60s

Virtual reality has seen enormous progress in the past few years. Given its recent surges in development, it may come as a bit of a surprise to learn that the ideas underpinning what we now call VR were laid way back in the 60s. Not all of the imagined possibilities have come to pass, but we’ve learned plenty about what is (and isn’t) important for a compelling VR experience, and gained insights as to what might happen next.

If virtual reality’s best ideas came from the 60s, what were they, and how did they turn out?

Interaction and Simulation

First, I want to briefly cover two important precursors to what we think of as VR: interaction and simulation. Prior to the 1960s, the state-of-the-art examples for both were the Link Trainer and Sensorama.

The Link Trainer was an early kind of flight simulator, and its goal was to deliver realistic instrumentation and force feedback on aircraft flight controls. This allowed a student to safely gain an understanding of different flying conditions, despite not actually experiencing them. The Link Trainer did not simulate any other part of the flying experience, but its success showed how feedback and interactivity — even if artificial and limited in nature — could allow a person to gain a “feel” for forces that were not actually present.

Sensorama was a specialized pod that played short films in stereoscopic 3D while synchronized to fans, odor emitters, a motorized chair, and stereo sound. It was a serious effort at engaging a user’s senses in a way intended to simulate an environment. But being a pre-recorded experience, it was passive in nature, with no interactive elements.

Combining interaction with simulation effectively had to wait until the 60s, when the digital revolution and computers provided the right tools.

The Ultimate Display

In 1965 Ivan Sutherland, a computer scientist, authored an essay entitled The Ultimate Display (PDF) in which he laid out ideas far beyond what was possible with the technology of the time. One might expect The Ultimate Display to be a long document. It is not. It is barely two pages, and most of the first page is musings on burgeoning interactive computer input methods of the 60s.

The second part is where it gets interesting, as Sutherland shares the future he sees for computer-controlled output devices and describes an ideal “kinesthetic display” that served as many senses as possible. Sutherland saw the potential for computers to simulate ideas and output not just visual information, but to produce meaningful sound and touch output as well, all while accepting and incorporating a user’s input in a self-modifying feedback loop. This was forward-thinking stuff; recall that when this document was written, computers weren’t even generating meaningful sounds of any real complexity, let alone visual displays capable of arbitrary content.