lol it's those terrifying dolphins ben loves (they don't look so bad here, or were those different/pinker ones)
These adversarial patches can be printed, added to any scene, photographed, and presented to image classifiers; even when the patches are small, they cause the classifiers to ignore the other items in the scene and report a chosen target class.
We present a method to create universal, robust, targeted adversarial image patches in the real world. The patches are universal because they can be used to attack any scene, robust because they work under a wide variety of transformations, and targeted because they can cause a classifier to output any target class.
Mike Kane/Bloomberg/Getty Images
On Wednesday, Delta Airlines flight 9771 flew from Atlanta to Pinal Airpark in Arizona. It wasn't a full flight—just 48 people on board. But it was a milestone—and not just for the two people who got married mid-flight—for it marked the very last flight of a Boeing 747 being operated by a US airline. Delta's last scheduled passenger service with the jumbo was actually late in December, at which point it conducted a farewell tour and then some charter flights. But as of today, after 51 long years in service, if you want to ride a 747 you'll need to be traveling abroad.
Way back in the 1960s, when the white heat of technological progress was burning bright, it looked for a while as if supersonic air travel was going to be the next big thing. France and Britain were collaborating on a new kind of airliner that would fly at twice the speed of sound and shrink the globe. But there was just one thing they hadn't counted on: Boeing and its gargantuan 747 jumbo jet. The double-decker airliner wouldn't break the sound barrier, but its vast size compared to anything else in the skies helped drop the cost of long-haul air travel, opening it up to the people in a way Concorde could never hope to do.
How to Download Fire and Fury: Inside the Trump White House Now as a Free Audiobook?: Check Out Audible’s 30-Day Free Trial
Despite cease and desist orders issued by the president's lawyers, Michael Wolff's Fire and Fury: Inside the Trump White House is now out and it's the #1 bestselling book on Amazon. If you want a print copy, you'll have to wait 2-4 weeks. But there are some more immediate options: You can instantly snag a copy in Kindle format (price $14.99). Or download it as an audio book essentially for free.
If you start a 30 day free trial with Audible.com, you can download two free audio books of your choice. At the end of 30 days, you can decide whether you want to become an Audible subscriber or not. (I definitely recommend the service and use it every day.) No matter what you decide, you get to keep the two free audiobooks. Fire and Fury: Inside the Trump White House can be one of them. It runs 12 hours.
To sign up for Audible's free trial program, follow the prompts on this page.
NB: Audible is an Amazon.com subsidiary, and we're a member of their affiliate program. Also, this post is not an endorsement of the book. (We haven't read it yet.) It's simply an FYI on how you can "read" a bestselling book that's in short supply.
If you'd like to support Open Culture and our mission, please consider making a donation to our site. It's hard to rely 100% on ads, and your contributions will help us provide the best free cultural and educational materials.
How to Download Fire and Fury: Inside the Trump White House Now as a Free Audiobook?: Check Out Audible’s 30-Day Free Trial is a post from: Open Culture. Follow us on Facebook, Twitter, and Google Plus, or get our Daily Email. And don't miss our big collections of Free Online Courses, Free Online Movies, Free eBooks, Free Audio Books, Free Foreign Language Lessons, and MOOCs.
lol emulating pong wow
The first step is identification. They're usually microcontrollers, but can sometimes (rarely, even) be pure state machines in the form of an ASIC. This does happen, though, and if they're not an MCU, it makes it a lot harder to emulate.
To identify the MCU, the circuit board (which is usually simple, with just a handful of passive components other than the chip itself) is traced out, and "Sean Riddle" of the Bannister forums tries to match the pinout against any known pinouts.
In the event that it matches an MCU model for which there's a known method for dumping the internal ROM, Sean breaks out one of several test jigs and pulls out the data, then wires up the LCD and photographs the segments to be vectorized.
Since the chips themselves usually have all identifying markings scrubbed, this is about the only way to do it in a safe manner. It also assumes the chip is in a normal plastic or ceramic package. If it's unidentifiable or is "globbed" with an epoxy dot, the real fun begins!
In that case, the chip is removed from the board in any way possible, and the whole shebang is dissolved in fuming nitric acid until the silicon die itself is exposed. The silicon die is then cleaned in Whink and put under a microscope.
Multiple photos are taken of the exposed die, then stitched together. At this point, it would be a good time for a small digression about "mask programmed" versus "electrically programmed" silicon chips.
Hand-waving away certain details, the vast majority of modern chips are electrically programmed. The chip starts out blank, and has its program uploaded at the time of manufacturing, usually via pogo pins against the wafer itself, or a custom jig after the chip is packaged.
But, for chips that are going to have a lot of them made, this step costs too much time and money. In these cases, the ROM bits are literally a part of the photolithographic mask used to manufacture the silicon chip itself. So yes, bits in this case are actual physical objects.
The bright side to this is twofold: First, after photographing, the bits can be pulled out of the images however. Computer vision, some unfortunate fellow sitting and manually plugging 0/1 into an editor, whatever method results in the least number of errors.
Second, and most importantly, it means that the actual ROM bits are usually the absolute last thing to break. So, in the event that you have a partly-functioning or non-functioning LCD handheld that you'd like to see dumped, take heart and send me a DM! :-)
He's looking for donations to help him buy a big auction of old handhelds to de-cap and extract.
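As an added illustration of the "bits are physical objects" point above (this is not Sean Riddle's or the forum's code), here is a small pure-Python stand-in for the computer-vision step: a grayscale grid plays the part of the stitched die photo, each bit cell is sampled at its centre, cells that land near the light/dark threshold are flagged for a human to re-examine, rows are packed into bytes, and two independent readouts can be diffed to find the cells they disagree on. The cell pitch, the intensities, the 16-bit pattern and the one "half-etched" cell are all constructed for the example.

```python
"""Read mask-ROM bits back out of a die photo (constructed example).

The 'photo' is a plain list-of-lists grayscale image standing in for the
stitched microscope image; cell pitch, intensities and the bit pattern are
assumptions chosen for the demonstration, not values from any real chip.
"""
from typing import List, Tuple

CELL = 4                 # assumed pixel pitch of one ROM bit cell
BRIGHT, DARK = 220, 30   # assumed intensity of a '1' cell and a '0' cell


def render_die_photo(bits: List[List[int]], cell: int = CELL) -> List[List[int]]:
    """Paint a bit array as a grayscale image: each bit becomes a cell x cell block."""
    photo = []
    for row in bits:
        for _ in range(cell):
            line: List[int] = []
            for b in row:
                line.extend([BRIGHT if b else DARK] * cell)
            photo.append(line)
    return photo


def cell_intensity(photo: List[List[int]], r: int, c: int, cell: int = CELL) -> float:
    """Average the inner 2x2 pixels of cell (r, c); cell edges are where a
    neighbouring trace or etch halo would bias a single-pixel sample."""
    y0 = r * cell + cell // 2 - 1
    x0 = c * cell + cell // 2 - 1
    vals = [photo[y][x] for y in range(y0, y0 + 2) for x in range(x0, x0 + 2)]
    return sum(vals) / len(vals)


def read_bits(photo: List[List[int]], n_rows: int, n_cols: int,
              cell: int = CELL, margin: float = 0.15
              ) -> Tuple[List[List[int]], List[Tuple[int, int]]]:
    """Threshold every cell at the midpoint of the darkest and brightest cell
    seen, and flag cells within `margin` of that threshold so a person can
    re-check them rather than silently accepting a coin-flip bit."""
    samples = [[cell_intensity(photo, r, c, cell) for c in range(n_cols)]
               for r in range(n_rows)]
    lo = min(min(row) for row in samples)
    hi = max(max(row) for row in samples)
    thr = (lo + hi) / 2
    band = margin * (hi - lo)
    bits, uncertain = [], []
    for r in range(n_rows):
        out = []
        for c in range(n_cols):
            v = samples[r][c]
            out.append(1 if v > thr else 0)
            if abs(v - thr) < band:
                uncertain.append((r, c))
        bits.append(out)
    return bits, uncertain


def pack_bytes(bits: List[List[int]]) -> bytes:
    """Pack each row MSB-first into bytes; a short final group is zero-padded."""
    data = bytearray()
    for row in bits:
        for i in range(0, len(row), 8):
            chunk = row[i:i + 8]
            value = 0
            for b in chunk:
                value = (value << 1) | b
            data.append(value << (8 - len(chunk)))
    return bytes(data)


def diff_readings(a: List[List[int]], b: List[List[int]]) -> List[Tuple[int, int]]:
    """Cells where two independent readouts (say, vision vs. manual) disagree."""
    return [(r, c) for r, row in enumerate(a)
            for c, bit in enumerate(row) if bit != b[r][c]]


# Constructed 16-bit ROM image: two rows of eight cells (0xAA, 0x65).
ROM = [[1, 0, 1, 0, 1, 0, 1, 0],
       [0, 1, 1, 0, 0, 1, 0, 1]]
PHOTO = render_die_photo(ROM)

# Simulate one half-etched cell at row 1, column 2 that photographs mid-grey.
DAMAGED = [line[:] for line in PHOTO]
for y in range(1 * CELL, 2 * CELL):
    for x in range(2 * CELL, 3 * CELL):
        DAMAGED[y][x] = (BRIGHT + DARK) // 2

if __name__ == "__main__":
    clean_bits, _ = read_bits(PHOTO, 2, 8)
    print("clean readout:", pack_bytes(clean_bits).hex())
    dmg_bits, flagged = read_bits(DAMAGED, 2, 8)
    print("damaged readout:", pack_bytes(dmg_bits).hex(), "uncertain cells:", flagged)
    print("disagreements vs. clean:", diff_readings(clean_bits, dmg_bits))
```

On a real stitched image the `render_die_photo` step is replaced by loading the image and measuring the cell pitch; the `uncertain` list is what gets handed to the person doing the manual pass, and `diff_readings` is the cross-check that drives the error count down.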
I understand that MAME can also emulate Pong now, and I'm not even really sure what that means, because Pong was arguably not a computer. It didn't have "code". It didn't have a CPU. It was wire-wrapped out of discrete analog components: a state machine and signal generator made out of relays as big as your thumbnail.
Life down on the Rubber Band Plantation, brought to you by Dole Pineapple and the British East India Company
so much delicate labor
"It's a pain in the ass. That's why everyone doesn't like it. And there's like a bunch of random strangers, one of who might be a serial killer, OK, great."
"The man trying to build tunnels around the country is awfully unimpressed by the basic concept of shared, mass transportation."
@mattdpearce: first thing I thought of was that Danish inventor guy and his private murder submarine.
@Vinncent: Thinking everyone is a serial killer is a very normal thing to do, rather than serial killer behavior. hey I'm just asking questions
@alexnpress: in musk's defense, if I'd spent years of my life working with peter thiel, I'd probably think there were a lot more serial killers in the world than there actually are
@nandelabra: There's really no way to prove that neither he nor Peter Thiel are in fact not low-rent Patrick Batemans.
@YePirateLiberal: I will eat my own hat if @elonmusk has ever ridden San Francisco's (efficient, if shabby) BART train or (quaintly adequate) Muni trolley as anything but a publicity stunt to "prove how terrible they are".
@collumbo: In fairness getting public transport to / from your hollowed out volcano can be a challenge
@MyDickerson: Have you considered that you don't hate public transit, you just hate the poor? This is so removed from the actual experience of riding the bus. You are a misanthrope.
@brandcoachkelly: Serial killers don't drive? I mean it seems that would be a better way to get away with the crime, but ok!
can anyone confirm?
, so I signed up for a free trial of Spotify and then Tidal. The default tier of Spotify sounds awful, but that's to be expected; if you upgrade to premium, you get "real quality" music, which sounds okay, roughly like the music I already had on my iPhone.
I figured there was basically no chance I'd be able to tell the difference between that and Tidal's "Hi-fi" tier (lossless compression, ~1.4Mbps), given that I don't have particularly high-quality audio equipment (ok, Bose headphones, known more for their noise cancelling than professional-grade audio fidelity).
I was wrong. I can tell the difference. (No, it's not just louder and it doesn't just have more bass.) In fact, it sounds like I remember CDs sounding back in the 1990s. Go figure. I had thought my ears just got worse with age, but no, just this once it wasn't me, it was the whole world that degraded.
[There's this kinda weird "scratchiness" in compressed music in the mid ranges, eg. vocals, that kinda crept up on me over the years. Listening to uncompressed music for the first time in forever was a real "wait a minute..." feeling.]
I'm almost 100% sure I'm not an audiophile, so all in all, I'm pretty confused by this.
The “True Size” Maps Shows You the Real Size of Every Country (and Will Change Your Mental Picture of the World)
We all understand, on some level, that as adults we must go back and correct the oversimplifications we learned as schoolchildren. But for a sense of how large the scale of those quasi-truths can be, you must imagine the whole world: that is, you must imagine how you imagine the whole world, a mental picture probably taken straight from the map hung on the classroom wall. And the lines of that map came straight, in a sense, from the work of 16th-century cartographer Gerardus Mercator.
Though Mercator's world-mapping method came as a revolution, it has also given generation after generation after generation very much the wrong idea about how big the world's countries actually are. Mercator Projection, as Citymetric describes it, "re-imagines the earth as the surface of a cylinder.
When laid out flat, it’s pleasingly rectangular, and its eastern and western edges line up neatly." But while "in reality, lines of longitude converge at the poles; on the map, they're parallel. As a result, the closer you get to the poles, the more distorted the map becomes, and the bigger things look relative to their actual size."
Hence the need for such re-imaginings of the world map as The True Size, "a website that lets you compare the size of any nation or US state to other land masses, by allowing you to move them around to anywhere else on the map." Just search for any country in the box in the map's upper-left corner, and that country's borders will appear highlighted in color. When you click and drag those borders to another part of the world, specifically a part of the world at a different latitude, you'll notice that the shape of the dragged country seems to deform.
But that appearance of distortion is only relative to the shapes and sizes we've long internalized from the Mercator map: when you move Australia up and it covers a third of Russia, or when you move the vast-looking Greenland down and it doesn't even cover Argentina, you're looking — perhaps for the first time — at a geographically accurate size comparison. Does that (to quote the humorless representative of the Organization of Cartographers for Social Equality in the West Wing episode cited as one inspiration for the True Size Map) blow your mind?
Explore the True Size Map here.
Based in Seoul, Colin Marshall writes and broadcasts on cities and culture. His projects include the book The Stateless City: a Walk through 21st-Century Los Angeles and the video series The City in Cinema. Follow him on Twitter at @colinmarshall or on Facebook.
Sorry for the serious comic. It'll be back to butt jokes tomorrow. This has been a thing that's been stressing us pretty bad for a few weeks, so I thought I'd share. Apologies to all people who are not from the US, and who are shocked and/or baffled.
Czech Press Photo, Filip Jandourek
// thanks Aimee Lacariere
How American Women “Kickstarted” a Campaign to Give Marie Curie a Gram of Radium, Raising $120,000 in 1921
Marie Curie has a place in history because of her research on radioactivity, of course, but a look into her biography reveals another area she had a part in pioneering: crowdfunding. It happened in 1921, 23 years after she discovered radium and a decade after she won the Nobel Prize in Chemistry (her second Nobel, the first being the Physics prize, shared with her husband Pierre and physicist Henri Becquerel in 1903). The previous year, writes Ann M. Lewicki in the journal Radiology, an American reporter by the name of Marie Meloney had landed a rare interview with Curie, during which the famed physicist-chemist admitted her greatest desire: "some additional radium so that she could continue her laboratory research."
It seems that "she who had discovered radium, who had freely shared all information about the extraction process, and who had given radium away so that cancer patients could be treated, found herself without the financial means to acquire the expensive substance." Radium no longer exists in its pure form now, and even in 1921 it was, to quote Back to the Future's Doc Brown on plutonium, a little hard to come by: it cost $100,000 per gram back then, which Smithsonian.com's Kat Eschner estimates at "about $1.3 million today."
The solution arrived in the form of the Marie Curie Radium Fund, launched by Meloney and contributed to by numerous female academics, who raised more than half the full sum in less than a year. And so in 1921, as the National Institute of Standards and Technology tells it, "Marie Curie made her first visit to the United States accompanied by her two daughters Irène and Eve." They visited, among other places, the Radium Refining Plant in Pittsburgh and the White House, where she received her gram of radium from President Warren Harding. "The hazardous source itself was not brought to the ceremony," the NIST hastens to add. "Instead, she was presented with a golden key to the coffer and a certificate."
The real stuff went back on the ship to Paris with her. As for that extra $56,413.54 proto-crowdfunded by the Marie Curie Radium Fund, it eventually went on to support the Marie Curie Fellowship, first awarded in 1963 to support a French or American woman studying chemistry, physics, or radiology. Given the costs of innovative research in those fields today, Curie's intellectual descendants might have a hard time funding their work on, say, Kickstarter, but they have only to remember what happened when she ran out of radium to remind themselves of the untapped support potentially all around them.
Based in Seoul, Colin Marshall writes and broadcasts on cities and culture. His projects include the book The Stateless City: a Walk through 21st-Century Los Angeles and the video series The City in Cinema. Follow him on Twitter at @colinmarshall or on Facebook.
20% down payment is for commercial loans. Apparently 2.5% is all you need for a standard federal home mortgage. Still, yeesh.
i still say squidbillies is one of the most underrated shows on adult swim. the theme song cover strategy is only one reason why.
The Atlanta Braves' organist shares his spirited version of the theme song. New episodes of Squidbillies premiere Sundays at Midnight.
Squidbillies is Adult Swim's only backwoods comedy starring Appalachian mud squids. Brought to you by Dave Willis (Aqua Teen Hunger Force) and Jim Fortier, Squidbillies is the story of a dysfunctional redneck family and the equally defective Georgia town from which they hail. Early, Granny, and Rusty are proud, beer guzzling, Southern taxpayers who don't take kindly to government intervention or not getting their welfare checks. Come see their ongoing efforts to protect your second amendment rights at http://AdultSwim.com.
Watch Squidbillies: http://bit.ly/SquidbilliesSite
Matthew Kaminski Behind The Scenes | Squidbillies | Adult Swim
this is fuckin stupid. if you look closely, all the detail added to this is spurious. direction of the feathers, the beak, the ear area, the direction of the eye.
you can literally get more information out of the original by squinting.
if this is considered a good move toward CSI-level "enhance" functionality, I expect wrongful convictions to go up, not down.
Single image super-resolution (SISR) is an emerging technology that uses automated texture synthesis to enhance dithered and blurry photos to nearly pristine resolution. This example from EnhanceNet-PAT shows one type. There's even a free website called Let's Enhance where you can up-res your own images. (more…)
1F979 FROWNING PILE OF POO: Question on the justification for encoding this character, and whether it will encourage the encoding of other emotions on PILE OF POO; request to remove character.
This character is damaging to both ISO/IEC 10646 and the Unicode Standard. It is bad enough that the ESC came up with it, but it beggars belief that the UTC actually approved it. Organic waste isn't cute. The existing PILE OF POO character was added for compatibility with Japanese telco sets. It is a pity that Apple followed Softbank rather than KDDI in its reference glyph, since a coil of dog dirt with stink lines and flies is surely the only proper semantic.
The idea that our committees would sanction further cute graphic characters based on this should embarrass absolutely everyone who votes yes on such an excrescence. Will we have a CRYING PILE OF POO next? PILE OF POO WITH TONGUE STICKING OUT? PILE OF POO WITH QUESTION MARKS FOR EYES? PILE OF POO WITH KARAOKE MIC? Will we have to encode a neutral FACELESS PILE OF POO?
As an ordinary user, I don't want this kind of crap on my phone. As a representative of the National Standards Authority of Ireland, I have to wonder what possible good could come of encoding such a character. Bullying, perhaps? Requested change: Remove this character from the PDAM and reject its encoding.
ANDREW WEST:
I'm concerned that this character will open the floodgates for an open-ended set of PILE OF POO emoji with emotions, such as CRYING PILE OF POO, PILE OF POO WITH LOOK OF TRIUMPH, PILE OF POO SCREAMING IN FEAR, etc. Is there really any need to add a range of emotions to PILE OF POO?
I personally think that changing PILE OF POO to a de facto SMILING PILE OF POO was wrong, but adding FROWNING PILE OF POO as a counterpart is even worse. If this is accepted then there will be no neutral, expressionless PILE OF POO, so at least a PILE OF POO WITH NO FACE would be required to be encoded to restore some balance. I recommend removing FROWNING PILE OF POO pending further study and public consultation on the need for additional PILE OF POO emoji.
This year San Francisco has overtaken Philadelphia for the top spot, which now ranks #3 right behind San Jose.
Within San Jose, the top specific neighborhoods for trick-or-treating were West San Jose, Willow Glen, Cambrian Park, Rose Garden, Almaden Valley.
Source: The Merc
2) Why does US media always refer to this bombing as a terrorist bombing when the target was a military target? I remember once at a conference at Fletcher School of Law and Diplomacy at Tufts University, I asked University of Chicago professor, Robert Pape about why he just referred to this bombing as a terrorist bombing when the target is a military one. I will never forget his answer. He said: because everyone considers it a terrorist bombing. I said: should we as academic not try harder?
3) Media never mentions what the US marines were doing in Lebanon and that their mission was the support of the right-wing death squads of the Phalanges who were installed in power by the Israelis.
while riding my bike, i almost fell into the un-roped-off ditch they dug for the plumbing of this place! It was at least 8 feet deep and my bike tire was like 3 inches from the edge and overall was like looking into my own damn grave!
The new Bay 101 looks really sleek and is filled with modern touches like dynamic lighting, open spaces, and abstract art. The building spans 68,000 SQFT and has 49 gaming tables. Bay 101 also features a flagship Asian fusion restaurant called The Province, which is owned by the same people as Sino, Straits, and Roots & Rye at Santana Row. The restaurant will be higher-end than anything at M8trix (or the immediate area for that matter) and bring with it some nightlife and one of the most impressive outdoor patios in San Jose.
Future phases of the Bay 101 project include two hotels and a 237,000 SQFT tech campus. The first hotel is an Embassy Suites with 174 rooms in a seven-story building. For the development enthusiasts out there, yes that is a huge missed opportunity for one of the few parcels in San Jose where a 35-story building is not only economically viable but allowed by airport regulations. Perhaps they will think bigger for the second hotel. One thing is for sure, Bay 101 is going to help make North San Jose a lot more interesting.
Source: The Merc, hat tip to Arnold Kwok for sending this in!
man, the perils of blogging
A 19-year-old Canadian man was found guilty of making almost three dozen fraudulent calls to emergency services across North America in 2013 and 2014. The false alarms — two of which targeted this author — involved phoning in phony bomb threats and multiple attempts at “swatting” — a dangerous hoax in which the perpetrator spoofs a call about a hostage situation or other violent crime in progress in the hopes of tricking police into responding at a particular address with deadly force.
Curtis Gervais of Ottawa was 16 when he began his swatting spree, which prompted police departments across the United States and Canada to respond to fake bomb threats and active shooter reports at a number of schools and residences.
Gervais, who taunted swatting targets using the Twitter accounts “ProbablyOnion” and “ProbablyOnion2,” got such a high off of his escapades that he hung out a for-hire shingle on Twitter, offering to swat anyone with the following tweet:
Several Twitter users apparently took him up on that offer. On March 9, 2014, @ProbablyOnion started sending me rude and annoying messages on Twitter. A month later (and several weeks after blocking him on Twitter), I received a phone call from the local police department. It was early in the morning on Apr. 10, and the cops wanted to know if everything was okay at our address.
Since this was not the first time someone had called in a fake hostage situation at my home, the call I received came from the police department’s non-emergency number, and they were unsurprised when I told them that the Krebs manor and all of its inhabitants were just fine.
Minutes after my local police department received that fake notification, @ProbablyOnion was bragging on Twitter about swatting me, including me on his public messages: “You have 5 hostages? And you will kill 1 hostage every 6 times and the police have 25 minutes to get you $100k in clear plastic.” Another message read: “Good morning! Just dispatched a swat team to your house, they didn’t even call you this time, hahaha.”
I told this user privately that targeting an investigative reporter maybe wasn’t the brightest idea, and that he was likely to wind up in jail soon. On May 7, @ProbablyOnion tried to get the swat team to visit my home again, and once again without success. “How’s your door?” he tweeted. I replied: “Door’s fine, Curtis. But I’m guessing yours won’t be soon. Nice opsec!”
I was referring to a document that had just been leaked on Pastebin, which identified @ProbablyOnion as a 19-year-old Curtis Gervais from Ontario. @ProbablyOnion laughed it off but didn’t deny the accuracy of the information, except to tweet that the document got his age wrong.
A day later, @ProbablyOnion would post his final tweet before being arrested: “Still awaiting for the horsies to bash down my door,” a taunting reference to the Royal Canadian Mounted Police (RCMP).
A Sept. 14, 2017 article in the Ottawa Citizen doesn’t name Gervais because it is against the law in Canada to name individuals charged with or convicted of crimes committed while they are a minor. But the story quite clearly refers to Gervais, who reportedly is now married and expecting a child.
The Citizen says the teenager was arrested by Ottawa police after the U.S. FBI traced his Internet address to his parents’ home. The story notes that “the hacker” and his family have maintained his innocence throughout the trial, and that they plan to appeal the verdict. Gervais’ attorneys reportedly claimed the youth was framed by the hacker collective Anonymous, but the judge in the case was unconvinced.
Apparently, Ontario Court Justice Mitch Hoffman handed down a lenient sentence in part because of more than 900 hours of volunteer service the accused had performed in recent years. From the story:
Hoffman said that troublesome 16-year-old was hard to reconcile with the 19-year-old, recently married and soon-to-be father who stood in court before him, accompanied in court Thursday by his wife, father and mother.
“He has a bright future ahead of him if he uses his high level of computer skills and high intellect in a pro-social way,” Hoffman said. “If he does not, he has a penitentiary cell waiting for him if he uses his skills to criminal ends.”
According to the article, the teen will serve six months of his nine-month sentence at a youth group home and three months at home “under strict restrictions, including the forfeiture of a home computer used to carry out the cyber pranks.” He also is barred from using Twitter or Skype during his 18-month probation period.
Most people involved in swatting and making bomb threats are young males under the age of 18 — the age when kids seem to have little appreciation for or care about the seriousness of their actions. According to the FBI, each swatting incident costs emergency responders approximately $10,000. Each hoax also unnecessarily endangers the lives of the responders and the public.
In February 2017, another 19-year-old — a man from Long Beach, Calif. named Eric “Cosmo the God” Taylor — was sentenced to three years’ probation for his role in swatting my home in Northern Virginia in 2013. Taylor was among several men involved in making a false report to my local police department at the time about a supposed hostage situation at our house. In response, a heavily-armed police force surrounded my home and put me in handcuffs at gunpoint before the police realized it was all a dangerous hoax.
Sonic Drive-In, a fast-food chain with nearly 3,600 locations across 45 U.S. states, has acknowledged a breach affecting an unknown number of store payment systems. The ongoing breach may have led to a fire sale on millions of stolen credit and debit card accounts that are now being peddled in shadowy underground cybercrime stores, KrebsOnSecurity has learned.
The first hints of a breach at Oklahoma City-based Sonic came last week when I began hearing from sources at multiple financial institutions who noticed a recent pattern of fraudulent transactions on cards that had all previously been used at Sonic.
I directed several of these banking industry sources to have a look at a brand new batch of some five million credit and debit card accounts that were first put up for sale on Sept. 18 in a credit card theft bazaar previously featured here called Joker’s Stash:
This batch of some five million cards put up for sale today (Sept. 26, 2017) on the popular carding site Joker’s Stash has been tied to a breach at Sonic Drive-In. The first batch of these cards appear to have been uploaded for sale on Sept. 15.
Sure enough, two sources who agreed to purchase a handful of cards from that batch of accounts on sale at Joker’s discovered they all had been recently used at Sonic locations.
Armed with this information, I phoned Sonic, which responded within an hour that it was indeed investigating “a potential incident” at some Sonic locations.
“Our credit card processor informed us last week of unusual activity regarding credit cards used at SONIC,” reads a statement the company issued to KrebsOnSecurity. “The security of our guests’ information is very important to SONIC. We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able.”
Christi Woodworth, vice president of public relations at Sonic, said the investigation is still in its early stages, and the company does not yet know how many or which of its stores may be impacted.
The accounts apparently stolen from Sonic are part of a batch of cards that Joker’s Stash is calling “Firetigerrr,” and they are indexed by city, state and ZIP code. This geographic specificity allows potential buyers to purchase only cards that were stolen from Sonic customers who live near them, thus avoiding a common anti-fraud defense in which a financial institution might block out-of-state transactions from a known compromised card.
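The pattern the banking sources noticed (fraud appearing on cards that had all been used at the same merchant beforehand) is what issuers call common-point-of-purchase analysis, and it is the issuer-side counterpart to the ZIP-code indexing described above: because buyers of the dumps shop locally, a per-transaction out-of-state rule may never fire, but the issuer's own transaction history still reveals the shared merchant. As an added example, not part of the KrebsOnSecurity reporting, here is a small Python version run over constructed transactions; every card token, merchant name and date in it is made up.

```python
"""Common-point-of-purchase (CPP) analysis over constructed card transactions.

Given which cards have since seen fraud, rank merchants by how much more
often the compromised cards share them than the card base as a whole does.
All cards, merchants and dates below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Txn:
    card: str             # tokenised card identifier (constructed)
    merchant: str         # merchant identifier (constructed)
    when: date
    fraud: bool = False   # set by the issuer once the cardholder disputes it


def first_fraud_dates(txns: List[Txn]) -> Dict[str, date]:
    """Earliest confirmed-fraud date per card; cards absent here are clean."""
    first: Dict[str, date] = {}
    for t in txns:
        if t.fraud and (t.card not in first or t.when < first[t.card]):
            first[t.card] = t.when
    return first


def common_point_of_purchase(txns: List[Txn], lookback_days: int = 60,
                             min_cards: int = 3) -> List[Tuple[str, int, float]]:
    """Rank merchants by lift: the share of compromised cards that used the
    merchant in the window before their fraud began, divided by the share of
    all cards that used it. Returns (merchant, compromised cards, lift)."""
    fraud_start = first_fraud_dates(txns)
    all_cards = {t.card for t in txns}
    used_by_compromised: Dict[str, Set[str]] = defaultdict(set)
    used_by_all: Dict[str, Set[str]] = defaultdict(set)
    for t in txns:
        if t.fraud:
            continue  # the fraudulent spend itself is not a candidate CPP
        used_by_all[t.merchant].add(t.card)
        if t.card in fraud_start:
            age = (fraud_start[t.card] - t.when).days
            if 0 <= age <= lookback_days:
                used_by_compromised[t.merchant].add(t.card)
    ranked = []
    for merchant, cards in used_by_compromised.items():
        if len(cards) < min_cards:
            continue  # too few cards to separate signal from coincidence
        share_compromised = len(cards) / len(fraud_start)
        share_all = len(used_by_all[merchant]) / len(all_cards)
        ranked.append((merchant, len(cards), round(share_compromised / share_all, 2)))
    ranked.sort(key=lambda row: (-row[2], -row[1]))
    return ranked


# Constructed sample: eight cards, of which c1-c4 see fraud on 20 Sep.
SAMPLE: List[Txn] = []
for n in range(1, 9):   # everyone shops at the grocery store
    SAMPLE.append(Txn(f"c{n}", "GROCERY_MART", date(2017, 8, 1)))
for n in range(1, 6):   # c1-c5 ate at the (constructed) drive-in; c5 stays clean
    SAMPLE.append(Txn(f"c{n}", "DRIVEIN_0421", date(2017, 8, 20)))
for n in (1, 2, 6):     # a gas station shared by only two compromised cards
    SAMPLE.append(Txn(f"c{n}", "GAS_N_GO", date(2017, 8, 25)))
for n in range(1, 5):   # the disputed purchases that mark c1-c4 as compromised
    SAMPLE.append(Txn(f"c{n}", "BIGBOX_ELECTRONICS", date(2017, 9, 20), fraud=True))

if __name__ == "__main__":
    for merchant, n, lift in common_point_of_purchase(SAMPLE):
        print(f"{merchant:20s} compromised cards={n}  lift={lift}")
```

The grocery store is used by every compromised card but also by every clean card, so its lift is 1.0 and it drops to the bottom; the drive-in is used by all four compromised cards but only five of eight cards overall, which is what surfaces it. `min_cards` keeps a merchant shared by two cards from being reported on coincidence alone.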
Malicious hackers typically steal credit card data from organizations that accept cards by hacking into point-of-sale systems remotely and seeding those systems with malicious software that can copy account data stored on a card’s magnetic stripe. Thieves can use that data to clone the cards and then use the counterfeits to buy high-priced merchandise from electronics stores and big box retailers.
Prices for the cards advertised in the Firetigerr batch are somewhat higher than for cards stolen in other breaches, likely because this batch is extremely fresh and unlikely to have been canceled by card-issuing banks yet.
Dumps available for sale on Joker’s Stash from the “FireTigerrr” base, which has been linked to a breach at Sonic Drive-In.
Most of the cards range in price from $25 to $50, and the price is influenced by a number of factors, including: the type of card issued (Amex, Visa, MasterCard, etc); the card’s level (classic, standard, signature, platinum, etc.); whether the card is debit or credit; and the issuing bank.
I should note that it remains unclear whether Sonic is the only company whose customers’ cards are being sold in this particular batch of five million cards at Joker’s Stash. There are some (as yet unconfirmed) indications that perhaps Sonic customer cards are being mixed in with those stolen from other eatery brands that may be compromised by the same attackers.
The last known major card breach involving a large nationwide fast-food chain impacted more than a thousand Wendy’s locations and persisted for almost nine months after it was first disclosed here. The Wendy’s breach was extremely costly for card-issuing banks and credit unions, which were forced to continuously re-issue customer cards that kept getting re-compromised every time their customers went back to eat at another Wendy’s.
Part of the reason Wendy’s corporate offices had trouble getting a handle on the situation was that most of the breached locations were not corporate-owned but instead independently-owned franchises whose payment card systems were managed by third-party point-of-sale vendors.
According to Sonic’s Wikipedia page, roughly 90 percent of Sonic locations across America are franchised.
Dan Berger, president and CEO of the National Association of Federally Insured Credit Unions, said he’s not looking forward to the prospect of another Wendy’s-like fiasco.
“It’s going to be the financial institution that makes them whole, that pays off the charges or replaces money in the customer’s checking account, or reissues the cards, and all those costs fall back on the financial institutions,” Berger said. “These big card breaches are going to continue until there’s a national standard that holds retailers and merchants accountable.”
Financial institutions also bear some of the blame for the current state of affairs. The United States is embarrassingly the last of the G20 nations to make the shift to more secure chip-based cards, which are far more expensive and difficult for criminals to counterfeit. But many financial institutions still haven’t gotten around to replacing traditional magnetic stripe cards with chip-based cards. According to Visa, 58 percent of the more than 421 million Visa cards issued by U.S. financial institutions were chip-based as of March 2017.
Likewise, retailers that accept chip cards may present a less attractive target to hackers than those that don’t. In March 2017, Visa said the number of chip-enabled merchant locations in the country reached two million, representing 44 percent of stores that accept Visa.