Youtube

YouTube's Biggest Stars Are Pushing a Shady Polish Gambling Site (thedailybeast.com) 97

An anonymous reader quotes a report from The Daily Beast: Untold riches are promised on Mystery Brand, a website that sells prize-filled "mystery boxes." If you buy one of the digital boxes, some of which cost hundreds of dollars, you might only get a fidget spinner -- or you might get a luxury sports car. For just $100, users can win a box filled with rare Supreme streetwear. For only $12.99, they can win a Lamborghini, or even a $250 million mega-mansion billed as "the most expensive Los Angeles realty." Or at least that's what some top YouTubers have been telling their young fans about the gambling site -- with the video stars apparently seeing that as a gamble worth taking, especially after a dip in YouTube advertising rates.

Over the past week, hugely popular YouTube stars like Jake Paul and Bryan "Ricegum" Le have encouraged their fans to spend money on Mystery Brand, a previously little-known site that appears to be based in Poland. In their videos, Paul and Le show themselves betting hundreds of dollars on the site for a chance to open a digital "box." At first, they win only low-value prizes like fidget spinners or Converse sneakers. By the end of the video, though, they have won thousands of dollars worth of tech and clothing, like rare pairs of sneakers or Apple AirPods. If they like the prize, the YouTube stars have it shipped to their house.
The gambling site doesn't list the owner or location where it's based, although the site's terms of service say it's "subject to the laws and jurisdiction of Poland." To make matters worse, users of the site might not even receive the items they believed they have won. "During using the services of the website You may encounter circumstances in which Your won items will not be received," the terms of service reads.

Also, while the ToS say that underage users are ineligible to receive prizes, many of the YouTubers promoting the site have audiences who are underage. "[Jake Paul], for example, has acknowledged that the bulk of his fanbase is between 8 and 15 years old," reports The Daily Beast.
Privacy

The Weather Channel App Sued Over Claims it Sold Location Data; The Los Angeles City Attorney's Office Claims App Has Repeatedly Violated Privacy of Consumers (nbcnews.com) 42

The Los Angeles City Attorney's office issued a cloudy forecast with the possibility of civil penalties for the popular Weather Channel app on Friday, claiming it repeatedly violated the privacy of consumers. From a report: In a civil lawsuit filed in Los Angeles Superior Court, city prosecutors allege that The Weather Channel app led users to believe that it would use location data to provide them with "personalized local weather data, alerts and forecasts" but instead transmitted that data to third parties. The 15-page suit seeks to stop TWC Product and Technology LLC, a subsidiary of IBM, from using consumers' information and seeks civil penalties up to $2,500 for each violation by the company. Prosecutors allege that the firm profited from that data for purposes entirely unrelated to weather or the app. Further reading: The Register; Your Apps Know Where You Were Last Night, and They're Not Keeping It Secret, and Several Popular Apps Share Data With Facebook Without User Consent.
Businesses

White House Advisor Kudlow Says Apple Technology May Have Been 'Picked Off' by China (cnbc.com) 181

Fred Imbert, writing for CNBC: Larry Kudlow, director of the National Economic Council, said Friday that Apple's technology may have been stolen by the Chinese. "I don't want to surmise too much here, but Apple technology may have been picked off by China and now China is becoming very competitive with Apple. You've got to have rule of law," Kudlow said in an interview with Bloomberg. "There are some indications from China that they're looking at that, but we don't know that yet. There's no enforcement; there's nothing concrete." Kudlow's comments came shortly after China's Commerce Ministry said Chinese and U.S. officials will meet next week to discuss trade. Both countries have been engaged in a trade spat for months that has sent ripples through global markets. John Gruber at DaringFireball comments: I think what he's saying here is that the Chinese stole Apple technology, copied it, and are now flooding the Chinese market with phones based on that stolen tech. I'm 99.8 percent certain that hasn't happened -- if there were Chinese phones built with stolen Apple technology we'd know it because we'd see it.
Privacy

Marriott Says Hackers Stole More Than 5 Million Passport Numbers (cnet.com) 71

Marriott has downsized its original estimate on a major data breach, but the number of people affected is still historic. The hotel group announced Friday that it now believes hackers accessed the records of up to 383 million guests, following an investigation it conducted with a forensics and analytics team. In November, it had reported an estimate of as many as 500 million guests. From a report: Even at that lower figure, the Marriott incident remains one of the largest personal data breaches in history, more than double that of Equifax, which exposed the personal data of 147.7 million Americans. Data breaches have become a common issue for massive companies that collect and store information on millions of people. In 2018, tech giants like Facebook and Reddit have fallen victim to data breaches. Hackers look for poor protection that they can bypass to steal valuable details like Social Security numbers, birth dates, email addresses and credit card numbers.
Linux

Hyundai Joins the Linux Foundation To Embrace AGL's Open Source Connected Car Tech (venturebeat.com) 38

Hyundai has become the latest car company to explore serious open source alternatives for developing its in-car services. From a report: Ahead of CES 2019, the South Korean automotive giant today announced that it has joined the Linux Foundation and the nonprofit's seven-year-old Automotive Grade Linux (AGL) effort as it looks to contribute to -- and reap benefit from -- software developed by over 140 companies. For Hyundai, open collaboration is crucial as it pursues a "connected car vision," Paul Choo, VP and head of Infotainment Technology Center at Hyundai, said in a statement. Car companies have traditionally taken three years or longer to develop in-vehicle services, such as infotainment systems. The bottleneck usually lies in the quality of code their in-house programmers create. According to a case study published by AGL, a connected car uses some 100 million lines of code, which is about 11 times more than the number that went into the F-35 fighter jet. Getting on AGL's bandwagon would also help Hyundai speed up development of its in-car technologies.
Security

Security Researcher Cracks Google's Widevine DRM (L3 Only) (zdnet.com) 76

The L3 protection level of Google's Widevine DRM technology has been cracked by a British security researcher who can now decrypt content transferred via DRM-protected multimedia streams. ZDNet's Catalin Cimpanu notes that while this "sounds very cool," it's not likely to fuel a massive piracy wave because "the hack works only against Widevine L3 streams, and not L2 and L1, which are the ones that carry high-quality audio and video content." From the report: Google designed its Widevine DRM technology to work on three data protection levels -- L1, L2, and L3 -- each usable in various scenarios. According to Google's docs, the differences between the three protection levels are as follows:

L1 - all content processing and cryptography operations are handled inside a CPU that supports a Trusted Execution Environment (TEE).
L2 - only cryptography operations are handled inside a TEE.
L3 - content processing and cryptography operations are (intentionally) handled outside of a TEE, or the device doesn't support a TEE.

"Soooo, after a few evenings of work, I've 100% broken Widevine L3 DRM," [British security researcher David Buchanan] said on Twitter. "Their Whitebox AES-128 implementation is vulnerable to the well-studied DFA attack, which can be used to recover the original key. Then you can decrypt the MPEG-CENC streams with plain old ffmpeg." Although Buchanan did not yet release any proof-of-concept code, it wouldn't help anyone if he did. In order to get the DRM-encrypted data blob that you want to decrypt, an attacker would still need "the right/permission" to receive the data blob in the first place. If a Netflix pirate would have this right (being an account holder), then he'd most likely (ab)use it to pirate a higher-quality version of the content, instead of bothering to decrypt low-res video and lo-fi audio. The only advantage is in regards to automating the pirating process, but as some users have pointed out, this isn't very appealing in today's tech scene where almost all devices are capable of playing HD multimedia.

AI

AI-Equipped Cameras Will Help Spot Wildlife Poachers Before They Can Kill (theverge.com) 69

Conservation nonprofit Resolve is using AI-equipped cameras to act as remote park rangers and help spot wildlife poachers before they kill endangered animals. "Today, Resolve announced a new custom-made device called TrailGuard AI, which uses Intel-made vision chips to identify animals and humans that wander into view," reports The Verge. "The cameras will be placed on access trails used by poachers, automatically alerting park rangers who can check up on any suspicious activity." From the report: TrailGuard AI builds on past work by Resolve to create remote cameras to aid conservation. However, early devices were bulky, had limited battery life, and were unsophisticated, sending images to rangers every time their motion sensors were tripped. This resulted in lots of false positives, as the cameras would be triggered by non-events, such as the wind shaking tree branches. The new device, by comparison, is no thicker than a human index finger, has a battery life of a year and a half, and can reliably identify humans, animals, and vehicles. The chip used by Resolve is Intel's Movidius Myriad 2 VPU (or vision processing unit), which is the same technology that powered Google's automatic Clips camera.
