Apple Blocks Sites From Abusing HSTS Security Standard to Track Users

#artificialintelligence

Combining the above value reveals the user's unique binary value to the server, helping websites and advertisers mark users across sites. However, Apple has now added two mitigations to Safari's WebKit engine that address both sides of the attack: where tracking identifiers are created, and the subsequent use of invisible pixels to track users.

Mitigation One addresses the supercookie-setting problem, where attackers use long URLs that encode the digits in subdomains of the main domain name and the practice of setting HSTS across a wide range of subdomains at once. Safari will now limit the HSTS state to either the loaded hostname or the top-level domain plus one (TLD+1), and "WebKit also caps the number of redirects that can be chained together, which places an upper bound on the number of bits that can be set, even if the latency was judged to be acceptable." "This prevents trackers from efficiently setting HSTS across large numbers of different bits; instead, they must individually visit each domain representing an active bit in the tracking identifier," says Brent Fulgham, a developer who works on Safari's WebKit engine. "While content providers and advertisers may judge that the latency introduced by a single redirect through one origin to set many bits is imperceptible to a user, requiring redirects to 32 or more domains to set the bits of the identifier would be perceptible to the user and thus unacceptable to them and content providers."

In Mitigation Two, Safari ignores HSTS state for subresource requests to blocked domains: WebKit blocks things like invisible tracking pixels from forcing an HSTS redirect, causing HSTS supercookies to become a bit string of only zeroes. However, Apple does not name any individual, organisation, or advertising firm that was using HSTS supercookie tracking to target Safari users.


Trump Organization Hacked?: Report Claims Hackers Created Malicious Domains On Trump Sites

International Business Times

More than 250 "shadow" domains created under an account belonging to the Trump Organization may serve as evidence that the company has been compromised by hackers, Mother Jones reported. According to security researchers who contacted Mother Jones, an unauthorized source has been creating hundreds of subdomains registered to the Trump Organization and has been carrying out the campaign since 2013. The alleged hackers have supposedly been creating subdomains attached to legitimate Trump Organization websites and have been doing so without detection for several years, suggesting they have had ongoing access to the Trump Organization's account with web domain registrar GoDaddy. The Trump Organization owns its fair share of domain names, including websites like trump.com and trumporg.com. A number of other sites have been registered but have never had a website hosted at the domain.


GoDaddy takes down 15,000 subdomains used for online scams

ZDNet

Web hosting provider and domain registrar GoDaddy has taken down more than 15,000 subdomains that were being used as part of a spam operation that lured users to web pages selling fake products. Users would typically receive a spam email promoting a product, and if they clicked links in these emails, they would land on one of these subdomains, hosted on legitimate sites without the legitimate owner's knowledge. The common theme among all the scammy subdomains was that they all sold products backed by bogus endorsements from celebrities. Celebrity names used in these scams include Stephen Hawking, Jennifer Lopez, Gwen Stefani, Blake Shelton, Wolf Blitzer, the Shark Tank TV show, and others. Most of the products advertised via these subdomains were brain supplements, CBD oil, weight loss pills, and other dietary products.


Sparse Pseudo-input Local Kriging for Large Non-stationary Spatial Datasets with Exogenous Variables

arXiv.org Machine Learning

Gaussian process (GP) regression is a powerful tool for building predictive models for spatial systems. However, it does not scale efficiently for large datasets. In particular, for high-dimensional spatial datasets, i.e., spatial datasets that contain exogenous variables, the performance of GP regression deteriorates further. This paper presents Sparse Pseudo-input Local Kriging (SPLK), which approximates the full GP for spatial datasets with exogenous variables. SPLK employs orthogonal cuts that decompose the domain into smaller subdomains and then applies a sparse approximation of the full GP in each subdomain. We obtain continuity of the global predictor by imposing continuity constraints on the boundaries of neighboring subdomains. The domain decomposition scheme applies independent covariance structures in each region, and as a result, SPLK captures heterogeneous covariance structures. SPLK achieves computational efficiency by utilizing sparse approximation in each subdomain, which enables SPLK to accommodate large subdomains that contain many data points and possess a homogeneous covariance structure. We apply the proposed method to real and simulated datasets. We conclude that the combination of orthogonal cuts and sparse approximation makes the proposed method an efficient algorithm for high-dimensional large spatial datasets.


Top 20 Big Data Experts to Follow (Includes Scoring Algorithm)

@machinelearnbot

Listing the top 20 experts, along with their Twitter handle, rank in reverse order, number of Twitter followers, and Klout score. We hope to soon see a woman among the top 10. The top woman is currently #11. This is a subset of a bigger list published here.