2017-10-14 10:47:04 UTC
2017-10-14 08:20:03 UTC
Officials in Tucson, Ariz., uprooted a 21-foot-tall saguaro cactus and tried to have it delivered to Amazon's Seattle headquarters. Birmingham constructed giant Amazon boxes and placed them around the Alabama city. In Missouri, Kansas City's mayor bought a thousand items online from Amazon and posted reviews of each one.
All of these cities are clearly trying hard to get Amazon's attention. Why? Because they know that otherwise, they don't stand a chance against some big-name cities that are all trying to win the contest to land Amazon's second headquarters.
The retail giant announced a month ago that it has plans for a second home outside of Seattle, where it is currently headquartered. The project has been named HQ2, and the deadline for final bids is Thursday. Amazon has promised to invest $5 billion and said the facility will create as many as 50,000 jobs.
It has led to a mad scramble from cities across the nation and even in Canada. And various publications have analyzed cities' chances of landing this deal. Atlanta, Denver and Pittsburgh have made it to a few of those lists.
Many cities don't really figure as finalists on any of those lists. But that hasn't stopped them. In fact, just like Tucson or Birmingham, cities are pulling out all the stops to get noticed.
The Amazon Prometheans may be coming to your city...
Previously: Amazon Spheres Add to Seattle's Quirky Architecture
Amazon Acquires Whole Foods for $13.7 Billion
Amazon to Invest $5 Billion in Second HQ Outside of Seattle
Amazon Looks to New Food Technology for Home Delivery
Submitted via IRC for SoyCow7568
OpenBSD is a lightweight operating system designed with code correctness and security in mind. The project has released OpenBSD 6.2 which features many new drivers, particularly for the ARM architecture, and network packet handling performance improvements. Some key features have been added to the system installer too, including checking for security updates on the system's first boot: "Installer improvements: The installer now uses the Allotment Routing Table (ART). A unique kernel is now created by the installer to boot from after install/upgrade. On release installs of architectures supported by syspatch, "syspatch -c" is now added to rc.firsttime. Backwards compatibility code to support the 'rtsol' keyword in hostname.if(5) has been removed. The install.site and upgrade.site scripts are now executed at the end of the install/upgrade process. More detailed information is shown to identify disks. The IPv6 default router selection has been fixed. On the amd64 platform, AES-NI is used if present."
Sensitive information about Australia's defence programmes has been stolen in an "extensive" cyber hack.
About 30GB of data was compromised in the hack on a government contractor, including details about new fighter planes and navy vessels. The data was commercially sensitive but not classified, the government said. It did not know if a state was involved.
Australian cyber security officials dubbed the mystery hacker "Alf", after a character on TV soap Home and Away.
The breach began in July last year, but the Australian Signals Directorate (ASD) was not alerted until November. The hacker's identity is not known. "It could be one of a number of different actors," Defence Industry Minister Christopher Pyne told the Australian Broadcasting Corp on Thursday. "It could be a state actor, [or] a non-state actor. It could be someone who was working for another company." Mr Pyne said he had been assured the theft was not a risk to national security.
The story of concrete is so ancient that we don't even know when and where it begins. It is a story of discovery, experimentation, and mystery. Emperors and kings became legends for erecting great concrete structures, some of which are still a mystery to engineers today. Many of history's most skilled architects found inspiration in slabs of the gray building material. Common bricklayers advanced the technology, and a con man played a crucial role in the development of concrete recipes.
Today, the world is literally filled with concrete, from roads and sidewalks to bridges and dams. The word itself has become a synonym for something that is real and tangible. Press your handprints into the sidewalk and sign your name to history. This is the story of concrete.
[...] Let's get this out of the way right here: cement and concrete are not the same thing. Cement, a mixture of powdered limestone and clay, is an ingredient in concrete along with water, sand, and gravel.
So ubiquitous and fundamental, that nobody thinks about it. Its inventor is unknown, but that person changed history.
The White House and congressional Republicans are finalizing a tax plan that would slash the corporate rate while likely reducing the levy for the wealthiest Americans
[...] The plan would likely cut the tax rate for the wealthiest Americans, now at 39.6 percent, to 35 percent, people familiar with the plan said Monday. They spoke on condition of anonymity ahead of a formal announcement.
In addition, the top tax for corporations would be reduced to around 20 percent from the current 35 percent, they said. It will seek to simplify the tax system by reducing the number of income tax brackets from seven to three.
[...] Republican senators on opposing sides of the deficit debate have tentatively agreed on a plan for $1.5 trillion in tax cuts. That would add substantially to the debt and would enable deeper cuts to tax rates than would be allowed if Republicans followed through on earlier promises that their tax overhaul wouldn't add to the budget deficit.
Congress has responded strongly to a joint investigation by CBS and The Washington Post (archive) about Drug Enforcement Administration (DEA) employees becoming lobbyists for the pharmaceutical industry, and the passage of a bill in 2016 hobbling the DEA's ability to go after opioid distributors and suspicious drug sales:
Lawmakers and the Drug Enforcement Administration are facing tough questions following an explosive joint investigation by "60 Minutes" and The Washington Post that says Congress helped disarm the DEA.
Drug overdose deaths in the United States have more than doubled over the past decade. The CDC says 188,000 people have died from opioid overdoses from 1999 to 2015.
Joe Rannazzisi used to run the DEA's diversion control. He told "60 Minutes" correspondent Bill Whitaker that the opioid crisis was aided in part by Congress, lobbyists and the drug distribution industry. The DEA says it has taken actions against far fewer opioid distributors under a new law. A Justice Department memo shows 65 doctors, pharmacies and drug companies received suspension orders in 2011. Only six of them have gotten them this year.
[...] [The] DEA's efforts may have been undermined by the so-called "revolving door" culture in Washington. At least 46 investigators, attorneys and supervisors from the DEA, including 32 directly from the division that regulates the drug industry, have been hired by the pharmaceutical industry since the scrutiny on distributors began.
From The Washington Post:
The chief advocate of the law that hobbled the DEA was Rep. Tom Marino, a Pennsylvania Republican who is now President Trump's nominee to become the nation's next drug czar. Marino spent years trying to move the law through Congress. It passed after Sen. Orrin G. Hatch (R-Utah) negotiated a final version with the DEA.
For years, some drug distributors were fined for repeatedly ignoring warnings from the DEA to shut down suspicious sales of hundreds of millions of pills, while they racked up billions of dollars in sales. The new law makes it virtually impossible for the DEA to freeze suspicious narcotic shipments from the companies, according to internal agency and Justice Department documents and an independent assessment by the DEA's chief administrative law judge in a soon-to-be-published law review article. That powerful tool had allowed the agency to immediately prevent drugs from reaching the street.
Political action committees representing the industry contributed at least $1.5 million to the 23 lawmakers who sponsored or co-sponsored four versions of the bill, including nearly $100,000 to Marino and $177,000 to Hatch. Overall, the drug industry spent $102 million lobbying Congress on the bill and other legislation between 2014 and 2016, according to lobbying reports.
President Trump said he would "look into" the reports about Tom Marino, his pick for "drug czar" (the actual title of the position is Director of the Office of National Drug Control Policy).
Do you support "re-arming" the DEA?
It started in a galaxy called NGC 4993, seen from Earth in the Hydra constellation. Two neutron stars, collapsed cores of stars so dense that a teaspoon of their matter would weigh 1 billion tons, danced ever faster and closer together until they collided, said Carnegie Institution astronomer Maria Drout.
The crash, called a kilonova, generated a fierce burst of gamma rays and a gravitational wave, a faint ripple in the fabric of space and time, first theorized by Albert Einstein.
The signal arrived on Earth on Aug. 17 after traveling 130 million light-years. [...] The colliding stars spewed bright blue, super-hot debris that was dense and unstable. Some of it coalesced into heavy elements, like gold, platinum and uranium. Scientists had suspected neutron star collisions had enough power to create heavier elements, but weren't certain until they witnessed it. "We see the gold being formed," said Syracuse's Brown.
So the ring on your finger is actually the skeletal remains of neutron stars.
Today, physicists and astronomers around the world are announcing a whole new kind of gravitational wave signal at a National Science Foundation press conference in Washington, DC. But it's not just gravitational waves. That August day, x-ray telescopes, visible light, radio telescopes, and gamma-ray telescopes all spotted a flash, one consistent with a pair of neutron stars swirling together, colliding and coalescing into a black hole. The observation, called a "kilonova," simultaneously answered questions like "where did the heavy metal in our Universe come from" and "what causes some of the gamma-ray bursts scientists have observed since the 60s." It also posed new ones.
[...] All in all, the discovery marks an important milestone in gravitational wave astronomy and proof that LIGO and Virgo do more than spot colliding black holes. At present, the detectors are all receiving sensitivity upgrades. When they come back online, they may see other sources like some supernovae or maybe even a chorus of background gravitational waves from the most distant stellar collisions.
[Also Covered By]:
Optical emission from a kilonova following a gravitational-wave-detected neutron-star merger (open, DOI: 10.1038/nature24291) (DX)
Spectroscopic identification of r-process nucleosynthesis in a double neutron-star merger (open, DOI: 10.1038/nature24298) (DX)
A gravitational-wave standard siren measurement of the Hubble constant (open, DOI: 10.1038/nature24471) (DX)
The X-ray counterpart to the gravitational-wave event GW170817 (open, DOI: 10.1038/nature24290) (DX)
A kilonova as the electromagnetic counterpart to a gravitational-wave source (open, DOI: 10.1038/nature24303) (DX)
Origin of the heavy elements in binary neutron-star mergers from a gravitational-wave event (open, DOI: 10.1038/nature24453) (DX)
Multi-messenger Observations of a Binary Neutron Star Merger (open, DOI: 10.3847/2041-8213/aa91c9) (DX)
Gravitational Waves and Gamma-Rays from a Binary Neutron Star Merger: GW170817 and GRB 170817A (open, DOI: 10.3847/2041-8213/aa920c) (DX)
An Ordinary Short Gamma-Ray Burst with Extraordinary Implications: Fermi-GBM Detection of GRB 170817A (open, DOI: 10.3847/2041-8213/aa8f41) (DX)
INTEGRAL Detection of the First Prompt Gamma-Ray Signal Coincident with the Gravitational-wave Event GW170817 (open, DOI: 10.3847/2041-8213/aa8f94) (DX)
The Electromagnetic Counterpart of the Binary Neutron Star Merger LIGO/Virgo GW170817. I. Discovery of the Optical Counterpart Using the Dark Energy Camera (open, DOI: 10.3847/2041-8213/aa9059) (DX)
The Electromagnetic Counterpart of the Binary Neutron Star Merger LIGO/Virgo GW170817. II. UV, Optical, and Near-infrared Light Curves and Comparison to Kilonova Models (open, DOI: 10.3847/2041-8213/aa8fc7) (DX)
The Electromagnetic Counterpart of the Binary Neutron Star Merger LIGO/Virgo GW170817. III. Optical and UV Spectra of a Blue Kilonova from Fast Polar Ejecta (open, DOI: 10.3847/2041-8213/aa9029) (DX)
The Electromagnetic Counterpart of the Binary Neutron Star Merger LIGO/Virgo GW170817. IV. Detection of Near-infrared Signatures of r-process Nucleosynthesis with Gemini-South (open, DOI: 10.3847/2041-8213/aa905c) (DX)
The Electromagnetic Counterpart of the Binary Neutron Star Merger LIGO/Virgo GW170817. V. Rising X-Ray Emission from an Off-axis Jet (open, DOI: 10.3847/2041-8213/aa9057) (DX)
The Electromagnetic Counterpart of the Binary Neutron Star Merger LIGO/Virgo GW170817. VI. Radio Constraints on a Relativistic Jet and Predictions for Late-time Emission from the Kilonova Ejecta (open, DOI: 10.3847/2041-8213/aa905d) (DX)
The Electromagnetic Counterpart of the Binary Neutron Star Merger LIGO/Virgo GW170817. VII. Properties of the Host Galaxy and Constraints on the Merger Timescale (open, DOI: 10.3847/2041-8213/aa9055) (DX)
The Electromagnetic Counterpart of the Binary Neutron Star Merger LIGO/Virgo GW170817. VIII. A Comparison to Cosmological Short-duration Gamma-Ray Bursts (open, DOI: 10.3847/2041-8213/aa9018) (DX)
The Discovery of the Electromagnetic Counterpart of GW170817: Kilonova AT 2017gfo/DLT17ck (open, DOI: 10.3847/2041-8213/aa8edf) (DX)
A Deep Chandra X-Ray Study of Neutron Star Coalescence GW170817 (open, DOI: 10.3847/2041-8213/aa8ede) (DX)
The Unprecedented Properties of the First Electromagnetic Counterpart to a Gravitational-wave Source (open, DOI: 10.3847/2041-8213/aa905e) (DX)
The Emergence of a Lanthanide-rich Kilonova Following the Merger of Two Neutron Stars (open, DOI: 10.3847/2041-8213/aa90b6) (DX)
Observations of the First Electromagnetic Counterpart to a Gravitational-wave Source by the TOROS Collaboration (open, DOI: 10.3847/2041-8213/aa9060) (DX)
The Old Host-galaxy Environment of SSS17a, the First Electromagnetic Counterpart to a Gravitational-wave Source (open, DOI: 10.3847/2041-8213/aa9116) (DX)
The Distance to NGC 4993: The Host Galaxy of the Gravitational-wave Event GW170817 (open, DOI: 10.3847/2041-8213/aa9110) (DX)
The Rapid Reddening and Featureless Optical Spectra of the Optical Counterpart of GW170817, AT 2017gfo, during the First Four Days (open, DOI: 10.3847/2041-8213/aa9111) (DX)
Optical Follow-up of Gravitational-wave Events with Las Cumbres Observatory (open, DOI: 10.3847/2041-8213/aa910f) (DX)
A Neutron Star Binary Merger Model for GW170817/GRB 170817A/SSS17a (open, DOI: 10.3847/2041-8213/aa91b3) (DX)
A technology genius always has two basic options. For example, he can dedicate his work to creating a medical breakthrough that will save thousands of lives—or he can develop an app that will let people amuse themselves. In most cases, the technology genius will be pushed to focus on the product that has the potential to create millions of dollars in profits. Profit is the North Star of conventional economics. Lacking a collective destination, the only highway sign we follow is the North Star of profit. Nobody is putting up any highway signs that will lead the world toward a collectively desired destination.
It raises the question, does the world have a destination? If not, should it?
As I've explained, the UN's sustainable development goals (SDGs) are an attempt to define an immediate destination over a very short period. They represent a good beginning. The SDGs give us a destination over a 15-year stretch— just a moment in time out of the human journey of hundreds or thousands of years. Many people and institutions have made commitments to travel in the direction that the SDGs reveal—but, unfortunately, most for-profit companies are not redirecting themselves in meaningful ways to reach those goals because the market definition of success does not include them.
Toward what SDGs should tech people direct their work?
The obesity rate in the U.S. is continuing to rise (slowly, off the couch):
The new measure of the nation's weight problem, released early Friday by statisticians from the Centers for Disease Control and Prevention, chronicles dramatic increases from the nation's obesity levels since the turn of the 21st century.
Adult obesity rates have climbed steadily from a rate of 30.5% in 1999-2000 to 39.8% in 2015-2016, the most recent period for which data were available. That represents a 30% increase. Children's rates of obesity have risen roughly 34% in the same period, from 13.9% in 1999-2000 to 18% in 2015-2016.
Seen against a more distant backdrop, the new figures show an even starker pattern of national weight-gain over a generation. In the period between 1976 and 1980, the same national survey found that roughly 15% of adults and just 5.5% of children qualified as obese. In the time that's elapsed since "Saturday Night Fever" was playing in movie theaters and Ronald Reagan won the presidency, rates of obesity in the United States have nearly tripled.
The new report, from the CDC's National Center for Health Statistics, measures obesity according to body mass index. This is a rough measure of fatness that takes a person's weight (measured in kilograms) and divides it by their height (measured in meters) squared. For adults, those with a BMI between 18.5 and 24.9 are considered to have a "normal" weight. A BMI between 25 and 29.9 is considered overweight, and anything above 30 is deemed obese. (You can calculate yours here.)
Obesity rates for children and teens are based on CDC growth charts that use a baseline period between 1963 and 1994. Those with a BMI above the 85th percentile are considered overweight, and those above the 95th percentile are considered obese.
70.7% of Americans are overweight or obese, according to the CDC's data for 2015-2016.
The Organization for Economic Cooperation and Development expects the U.S. obesity rate to reach 47% in 2030.
Related: Obesity Surges to 13.6% in Ghana
A Canadian passenger plane landed safely after it was hit by a drone in the first case of its kind in the country, a cabinet minister said Sunday.
With increasing numbers of unmanned aerial devices in the skies, collisions are still rare, but authorities around the world are looking at ways to keep jetliners out of harm's way.
The Canadian incident happened last Thursday when a drone collided with a domestic Skyjet plane approaching Jean-Lesage International Airport in Quebec City, Transport Minister Marc Garneau said in a statement.
"This is the first time a drone has hit a commercial aircraft in Canada and I am extremely relieved that the aircraft only sustained minor damage and was able to land safely," said the minister, a former astronaut.
The aircraft, carrying six passengers and two crew, was struck on its right wing at an altitude of about 450 meters (about 500 yards) and roughly three kilometers (two miles) from the airport, according to Le Journal de Quebec newspaper.
Well, don't keep us in suspense! Who won, the locomotive or the bumblebee?
Tired of slow internet connections? CableLabs announces a new version of DOCSIS 3.1 (Data Over Cable Service Interface Specification) with Full Duplex 10Gbps connectivity. From an article at The Register:
Which is why an announcement by the cable industry's research and development arm, CableLabs, this week is such good news. The organization has completed work on an upgrade to the next-generation DOCSIS 3.1 spec that in the next few years will replace the "M" in Mbps with a "G" for gigabit.
DOCSIS 3.1 is the cutting edge of home cable technology, and big players such as Comcast in the US are testing it in specific markets with a new generation of modems. That testing and rollout of near-gigabit broadband in the US, UK, Canada and beyond has been somewhat marred, though, by the fact that high-speed DOCSIS 3.1 home gateways powered by Intel Puma chips suffer from annoying latency jittering under certain conditions, and can be trivially knocked offline by attackers. No fixes are available.
Those hardware problems aside, the DOCSIS 3.1 spec has another issue: it sticks to the age-old sucky 10-to-1 downlink-uplink ratio.
No longer with the Full Duplex Data Over Cable Service Interface Specification. Full Duplex DOCSIS 3.1 will allow broadband subscribers – in the next two years – to benefit from up to 10Gbps both up and down. And it will be possible on existing household connections rather than requiring the installation of new fiber.
[...] You can find out more about Full Duplex DOCSIS 3.1 on the CableLabs website.
So, you could burn through a monthly 1 TB data cap allowance in a little under a quarter of an hour (1 TB is 8 × 10^12 bits, which takes about 800 seconds at 10 Gbps), assuming, of course, that the upstream link is not so oversubscribed that you only actually get a fraction of that.
All kidding aside, that is a huge speed improvement. A quick back-of-the-envelope calculation suggests that a 100GB BDXL Blu-ray disc could be downloaded in about 2 minutes. As the connection is full-duplex, it could be uploaded in about 2 minutes, too.
I can't even think of anything where that kind of speed would be useful in a home, except for making for speedier downloads of game/OS updates/installs and maybe for offsite backups.
Submitted via IRC for Bytram and SoyCow1937
OnePlus mobiles are phoning home rather detailed information about handsets without any obvious permission or warnings, setting off another debate about what information our smartphones are emitting.
Software engineer Christopher Moore discovered that the information collected included the phone's International Mobile Equipment Identity, phone numbers, MAC addresses, and mobile network among other things. Moore further found that his OnePlus 2 was sending information about when he opened and closed applications or unlocked his phone to a domain at net.oneplus.odm.
OnePlus, for the uninitiated, is a Chinese smartphone manufacturer that specialises in developing and marketing Android phones, recently launching a higher-end model. Its earlier models gained a lot of cachet from their by-invitation-only status.
[...] Privacy-focused users have the option of stopping these data collecting system services every time they boot the phone or removing these via ADB (Android Debug Bridge utility), a process that wouldn't require an initial rooting of the device.
According to The Verge,
Chinese smartphone manufacturer OnePlus is collecting data from its users and transmitting it to a server along with each device's serial number, according to security researcher Chris Moore. In a January blog post (which has gained newfound attention this week), Moore detailed how OnePlus devices running OxygenOS record data at various points, including when a user locks or unlocks the screen; when apps are opened, used, and closed; and which Wi-Fi networks the device connects to. That's all relatively standard.
But OnePlus also collects the phone's IMEI, phone number, and mobile network names, so the data sent is identifiable to you personally with little to no effort required, which is what makes this very problematic. According to Moore, the code responsible for the data collection is part of OnePlus Device Manager and OnePlus Device Manager Provider. Moore says in his case, the services had sent off 16MB of data in 10 hours.
I was initially under the impression that Postsingular and Hylozoic continued the Ware Tetralogy but these are two distinct fictional "universes". Although there is an expectation for authors to continually out-do themselves with ever more fantastical ideas, Postsingular fails to satisfy on multiple criteria. It is too knowingly in the present, using "tweet" in the contemporary context and also having search engines. It may be that Rudy Rucker's feedback from fans and increased knowledge about computing makes the book less entertaining.
Regardless, nanotechnology, synthetic telepathy, natural telepathy and multiple forms of teleportation are explored in depth in the context of reality television, augmented reality spam and post-scarcity economics. Several characters are introduced very poorly and Rudy Rucker continues a tradition of ridiculous character names. Thankfully, characters become more rounded as plot develops. One character, Dick Dibbs, is uncannily similar to Donald Trump and Postsingular accurately captures some of the North American 2016 pre-election hysteria almost 10 years before it occurred.
Given Rudy Rucker's previous dependence upon Penrose tiling in the Ware Tetralogy, it was surprising that it was only mentioned once, obliquely, when a building was described as having an irregular pattern of triangles. However, readers of Postsingular would benefit from an understanding of Cantor dust, reversible computing, quantum computing, entropy in the context of bitstrings, public key cryptography, timing attacks, nanobot gray goo scenarios, Planck units and the untestable pseudo-science of superstring theory.
The extensive writing notes are available and provide character background information, deleted scenes, book promotion details and interaction with publishers and literary agents. The latter may be of particular interest to lesser-known science fiction authors. The writing notes also reveal that Postsingular was heavily influenced by Charles Stross's Accelerando and the attempt to build and differentiate from this work may explain why Postsingular errs more towards Snow Crash and Cryptonomicon rather than the Ware Tetralogy.
Postsingular has numerous plot holes. For example, it is never explained why a telepathic race retains speech. Nor is it explained how a quantum shielded building remains unmapped when nanobots freely pass in and out of the area. There is also a pointlessly grating book-within-a-book which is being written by a needlessly exotic character. Furthermore, the book-within-a-book becomes an increasingly belated account of an event which would have been experienced by every potential reader. By far, it is not the best example of A Young Lady's Illustrated Primer.
The climax is less satisfying than any of the Tetralogy books because allegiances switch freely and the final line-up of "good guys" wins through superior firepower rather than moral imperative. Postsingular could have explored folklore, religion, memes and imagery in much more detail. Instead, it concentrates on a rogue hacker saving the world, a corrupt politician, San Francisco counter-culture, an indifferent/malevolent AI, a boy genius and an evil genius with tertiary transsexual characteristics. I'm vaguely surprised that there wasn't an antagonist with an evil hand. Although Postsingular is inferior to Snow Crash and Accelerando, it is superior to Cryptonomicon, The Difference Engine and REAMDE. Despite much silliness, it is thoroughly enjoyable.
Postsingular is available under a restrictive Creative Commons licence. However, HTML and PDF versions may be truncated. An EPub [PKZip of XML] with SHA512 fafc56c94f71969535b5e568582cdfb3bcbbb951b7b00f6518492012c7b5488b82d580a77c6ecfdaf03b3b2af7ae0c100a461063dc65202c3766b41c87474d1c may be preferable. The sequel, Hylozoic, is available under commercial license.
Endurance couch-surfer and WikiLeaker-in-chief Julian Assange has thanked US authorities for the banking blockade that made it hard to donate fiat currencies to his organisation, because it inadvertently enriched the organisation.
The blockade first appeared in 2010, after the United States expressed its ire at WikiLeaks' publication of diplomatic cables. Not long afterwards, Mastercard and Visa stopped processing donations sent to the site.
Which brings us to an Assange Tweet from Sunday, as follows.
My deepest thanks to the US government, Senator McCain and Senator Lieberman for pushing Visa, MasterCard, PayPal, AmEx, Moneybookers, et al, into erecting an illegal banking blockade against @WikiLeaks starting in 2010. It caused us to invest in Bitcoin -- with > 50000% return. pic.twitter.com/9i8D69yxLC
— Julian Assange 🔹 (@JulianAssange) October 14, 2017
Multiple Soylentils submitted stories about a newly-reported vulnerability that has been discovered in the WPA-2 protocol that secures communications on Wi-Fi networks. This is a significant vulnerability, but not quite as bad as some sensationalist headlines and stories would suggest. As I understand it, there is a 4-step process by which keys are exchanged to set up wireless encryption. An attacker can force a connection to repeat the 3rd step and thus force known values for the nonce. An attacker can leverage that information to break the encryption and, in many cases, eavesdrop on communications. In certain cases, it is possible to manipulate the communications and modify/insert a payload.
The vulnerability is in the protocol, not in a specific implementation. The spec fails to call out a mitigation that could preclude key re-use. So, it is an error of omission instead of an error of commission. An implementation can avoid this problem by refusing to reuse a previously received key.
The defect is primarily in the remote device, not in the base station. The researcher called out Android 6+ as being especially vulnerable.
A fix for BSD was silently released ahead of the announcement. I saw a report that Linux has already been patched, but without any supporting link.
The researcher, Mathy Vanhoef, has created a web site with details: https://www.krackattacks.com/. A research paper, Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 (pdf), is available.
See the Vulnerability Notes Database for information on specific vendors.
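The nonce reset described in the summary above (Message 3 of the 4-way handshake installs the pairwise key and zeroes the transmit packet number, so a replayed Message 3 makes the client reuse packet numbers) and the "refuse to reinstall a key already in use" countermeasure, as an added example that is not code from the original page or from the KRACK paper. The `Supplicant` class, the `recover_with_replay` function and the two sample frames are constructed for this illustration, and an HMAC-SHA256 keystream stands in for AES-CCMP so the script runs with Python's standard library; the `refuse_reinstall` flag models the countermeasure.

```python
import hashlib
import hmac
import os

# Constructed sample frames for the demo (not captured traffic). The first is the
# kind of predictable content an attacker can guess; the second is what they want.
KNOWN_PLAINTEXT = b"GET / HTTP/1.1\r\nHost: example.test\r\n"
SECRET = b"Cookie: session=deadbeef\r\n"


def keystream(ptk, packet_number, length):
    """Stand-in for the CCMP keystream (AES in counter mode keyed by the PTK
    and the 48-bit packet number). HMAC-SHA256 replaces AES only so that the
    example runs with the standard library; the property that matters is the
    same: the keystream is a pure function of (key, packet number)."""
    out = b""
    block = 0
    while len(out) < length:
        ctr = packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(ptk, ctr, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client side of the 4-way handshake, reduced to the step KRACK abuses:
    receiving Message 3 installs the PTK and resets the transmit packet number."""

    def __init__(self, refuse_reinstall):
        self.refuse_reinstall = refuse_reinstall  # the countermeasure described in the text
        self.ptk = None
        self.tx_pn = 0

    def handle_message3(self, ptk):
        if self.refuse_reinstall and self.ptk == ptk:
            # Hardened behaviour: the key is already in use, so keep the counters
            # (the client may still answer with Message 4, omitted here).
            return
        self.ptk = ptk
        self.tx_pn = 0  # fresh key => packet number starts over

    def encrypt(self, plaintext):
        self.tx_pn += 1
        ks = keystream(self.ptk, self.tx_pn, len(plaintext))
        return self.tx_pn, xor(plaintext, ks)


def recover_with_replay(refuse_reinstall):
    """Attacker lets the client send one frame, replays the Message 3 it
    captured earlier, then captures the next frame. Returns the recovered
    secret if the packet number repeated, otherwise None."""
    ptk = os.urandom(32)
    client = Supplicant(refuse_reinstall)
    client.handle_message3(ptk)
    pn1, c1 = client.encrypt(KNOWN_PLAINTEXT)
    client.handle_message3(ptk)                # replayed Message 3
    pn2, c2 = client.encrypt(SECRET)
    if pn1 != pn2:
        return None
    # Same key and same packet number => same keystream, so c1 ^ c2 == p1 ^ p2,
    # and a guessable p1 yields p2 without ever learning the key.
    n = min(len(c1), len(c2))
    return xor(xor(c1[:n], c2[:n]), KNOWN_PLAINTEXT[:n])


if __name__ == "__main__":
    print("vulnerable client leaks:", recover_with_replay(refuse_reinstall=False))
    print("hardened client leaks:  ", recover_with_replay(refuse_reinstall=True))
```

The vulnerable path recovers the session cookie from two ciphertexts and one guessable plaintext alone, which is why the attack works without recovering the PTK; the hardened path returns None because the packet number kept advancing. Real supplicants also have to keep the receive replay counter across the retransmission, which this toy omits.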
Sensationalist reports are already appearing. For a calmer view, see Kevin Beaumont's take on this at Regarding Krack Attacks — WPA2 flaw where he notes:
- It is patchable, both client and server (Wi-Fi) side.
- Linux patches are available now. Linux distributions should have it very shortly.
- The attack doesn't realistically doesn't[sic] work against Windows or iOS devices. The Group vuln is there, but it's not near enough to actually do anything of interest.
- There is currently no publicly available code out there to attack this in the real world — you would need an incredibly high skill set and to be at the Wi-Fi base station to attack this.
- Android is the issue, which is why the research paper concentrates on it. The issue with Android is people largely don't patch.
My suggestion for organisations is they ask their Wi-Fi network providers for patches — this is absolutely patchable, as per the researcher's own website.
The Guardian has an article on it here https://www.theguardian.com/technology/2017/oct/16/wpa2-wifi-security-vulnerable-hacking-us-government-warns.
Here's the researcher's description...
We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.
An air of unease set into the security circles on Sunday as they prepared for the disclosure of high-severity vulnerabilities in the Wi-Fi Protected Access II protocol that make it possible for attackers to eavesdrop Wi-Fi traffic passing between computers and access points.
The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks. The research has been a closely guarded secret for weeks ahead of a coordinated disclosure that's scheduled for 8 a.m. Monday, east coast time. An advisory the US CERT recently distributed to about 100 organizations described the research this way:
US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.
Woody Leonhard has been my go-to source for the status of safety and usability of updates to Windows for years. He's not usually prone to alarmism, so I'm looking at this announcement on his site with a great deal of trepidation:
There's a lot of buzz this weekend about a flaw that's purported to break security on most Wi-Fi connections, allowing an eavesdropper to snoop or use the connection without permission.
Said to involve CVE-2017-13077, 13078, 13079, 13080, 13081, 13082, 13084, 13086, 13087, 13088, when they're posted.
The reference to the tweet by @campuscodi is to "Catalin Cimpanu [who] is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more." See the tweet for references to background papers which may be of assistance in understanding the nature of the flaw and possible preparations to help try and mitigate the breakage.
There is a web site — https://www.krackattacks.com/ — which was created on October 10 that seems to be a placeholder for posting the details when they are released.
Time to stock up on energy drinks, coffee, and Pringles®?