posted by mrpg on Thursday April 18, @12:00PM
from the kip dept.

Sleep Myths 'Damaging Your Health':

Widely held myths about sleep are damaging our health and our mood, as well as shortening our lives, say researchers.

A team at New York University trawled the internet to find the most common claims about a good night's kip[*].

Then, in a study published in the journal Sleep Health, they matched the claims to the best scientific evidence.

They hope that dispelling sleep myths will improve people's physical and mental health and well-being.

So, how many are you guilty of?

Myth 1 - You can cope on less than five hours' sleep
[...]Myth 2 - Alcohol before bed boosts your sleep
[...]Myth 3 - Watching TV in bed helps you relax
[...]Myth 4 - If you're struggling to sleep, stay in bed
[...]Myth 5 - Hitting the snooze button
[...]Myth 6 - Snoring is always harmless

Another myth is that one should have 7-8 hours of continuous sleep. There is ample evidence that this is a relatively recent phenomenon. Consider embracing a bi-phasic or two-sleep schedule, instead.

I was at first concerned when I found myself waking after 3, 4 or even 5 hours sleep -- I became worried that I might be trending into insomnia. Instead, knowing this is a "thing", I just accept it, now. I get up for an hour or so. Use the bathroom. Maybe do some light reading (SoylentNews FTW!). And, after an hour or so, am ready to go back to bed for the rest of my night's sleep. Naps can be helpful, too.

How well do you sleep?

*kip: chiefly British : sleep, nap


Original Submission

posted by martyb on Thursday April 18, @10:33AM
from the argument-for-the-sake-of-argument dept.

To Swedish blogger John Nerst, online flame wars reveal a fundamental shift in how people debate public issues. Nerst and a nascent movement of other commentators online believe that the dynamics of today's debates—especially the misunderstandings and bad-faith arguments that lead to the online flame wars—deserve to be studied on their own terms. "More and less sophisticated arguments and argumenters are mixed and with plenty of idea exchange between them," Nerst explained in an email. "Add anonymity, and knowing people's intentions becomes harder, knowing what they mean becomes harder." Treating other people's views with charity becomes harder, too, he said.

Inspired by this rapid disruption to the way disagreement used to work, Nerst, who describes himself as a "thirty-something sociotechnical systems engineer with math, philosophy, history, computer science, economics, law, psychology, geography and social science under a shapeless academic belt," first laid out what he calls "erisology," or the study of disagreement itself. Here's how he defines it:

Erisology is the study of disagreement, specifically the study of unsuccessful disagreement. An unsuccessful disagreement is an exchange where people are no closer in understanding at the end than they were at the beginning, meaning the exchange has been mostly about talking past each other and/or hurling insults. A really unsuccessful one is where people actually push each other apart, and this seems disturbingly common.

[...] political scientists who study disagreement, unsurprisingly, disagree. Though Nerst has claimed that "no one needs to be convinced" of the needlessly adversarial quality of online discourse, Syracuse University political scientist Emily Thorson isn't buying it. "I actually do need to be convinced about this," she said in an email, "or at least about the larger implication that 'uncivil online discourse' is a problem so critical that we need to invent a new discipline to solve it. I'd argue that much of the dysfunction we see in online interactions is just a symptom of much larger and older social problems, including but not limited to racism and misogyny.

So, old political scientists think they've already identified the root cause of "bad behavior" and that online argument isn't a significant factor, or at least that's the argument they put forth in their e-mail vs the younger blogger... Dismissive, much ;-)


Original Submission

posted by martyb on Thursday April 18, @08:53AM
from the What-is-best-in-LIF?-To-crush-your-cancer,-see-it-driven-before-you.... dept.

SALK Institute researchers have discovered a potential therapeutic target for pancreatic cancer.

Pancreatic cancer is often far advanced by the time it is discovered since it is often symptomless until after spreading throughout the body.

Additionally, tumor cells are encased in a "protective shield," a microenvironment conferring resistance to many cancer treatment drugs.

Silent, evasive, and very deadly.

Pancreatic stellate cells -- resident cells typically dormant in normal tissue -- become activated and secrete proteins to form a shell around the tumor in an attempt to wall off and contain it. The activated stellate cells also secrete a signaling protein called LIF, which conveys stimulatory signals to tumor cells to drive pancreatic cancer development and progression. Results also suggest LIF may be a useful biomarker to help diagnose pancreatic cancer more quickly and efficiently.

Detection is a good step, but they didn't stop there:

After pinpointing LIF as the critical communicator, the researchers wanted to better understand the function of LIF during pancreatic cancer progression to evaluate the protein as a potential therapeutic target. By observing the effects on tumor growth of blocking or destroying LIF (both render the protein nonfunctional) in a mouse model of pancreatic cancer, the researchers could examine how LIF affects tumor progression and response to treatment. Both techniques independently showed that without functional LIF signaling, tumor progression slowed down and responses to chemotherapeutic drugs used in treating human cancer (such as gemcitabine) were improved.

Early days as per usual, but it is about time some progress was made on this particular scourge. Earlier detection and improved responsiveness to treatment could move the needle towards survival.


Original Submission

posted by martyb on Thursday April 18, @07:17AM
from the not-in-your-backyard-market dept.

Amazon is closing the local marketplace in China, though the Chinese will still be able to buy goods from Amazon marketplaces outside of China.

https://www.reuters.com/article/us-amazon-com-china/amazon-to-close-domestic-marketplace-business-in-china-sources-idUSKCN1RT2A7

Amazon.com Inc plans to close its domestic marketplace business in China by mid-July, people familiar with the matter told Reuters on Wednesday, focusing efforts on its more lucrative businesses selling overseas goods and cloud services in the world's most populous nation.

Shoppers in China will no longer be able to buy goods from third-party merchants in the country, but they still will be able to order from the United States, United Kingdom, Denmark and Japan via Amazon's global store. Amazon expects to close fulfillment centers and wind down its support for domestic-selling merchants in China in the next 90 days, one of the people said.

[...] Amazon is still expanding aggressively in other countries, notably India, where it is contending with local player Flipkart to dominate that market. China, on the other hand, has appeared to factor less and less in the global aspirations of top U.S. tech firms Amazon, Netflix Inc, Facebook Inc and Alphabet Inc's Google, Pachter said.

Customers of Amazon in China will still be able to purchase its Kindle e-readers and online content, according to sources, who spoke on condition of anonymity. Amazon Web Services, the company's cloud unit that sells data storage and computing power to enterprises, will remain as well.


Original Submission

posted by chromas on Thursday April 18, @05:40AM

Long-Underfunded Lyme Disease Research Gets an Injection of Money--and Ideas:

Months after a U.S. Congress–mandated working group sounded the alarm about tickborne illnesses and urged more federal action and money, the National Institutes of Health (NIH) is readying a strategic plan for these diseases. Last week it also, serendipitously, issued a rare solicitation for prevention proposals in tickborne diseases. The new pot of money, $6 million in 2020, represents a significant boost; NIH spent $23 million last year on Lyme disease, by far the most common tickborne illness, within $56 million devoted to tickborne diseases overall.

"I'm happy for anything" new going toward research, says John Aucott, director of the Johns Hopkins Lyme Disease Clinical Research Center in Baltimore, Maryland, who chaired the group that wrote the 2018 report. Strategies that may garner support include vaccines that target multiple pathogens carried by ticks or that kill the ticks themselves.

Aucott's panel included academic and government scientists as well as patient advocates; it formed as a result of the 2016 21st Century Cures Act. The group's report described tickborne diseases as a "serious and growing threat." About 30,000 confirmed Lyme disease cases were reported last year to the Centers for Disease Control and Prevention (CDC), but the agency believes the real number to be more than 300,000. Cases of Lyme disease have roughly tripled since the 1990s as ticks carrying Borrelia burgdorferi, the causative bacterium, have spread in response to climate change, neighborhoods encroaching on animal habitats, and other ecologic shifts.

The Lyme disease field has for years been mired in controversy—researchers receive hate mail from angry and desperate patients, and scientific disputes can be vitriolic. That may have left government agencies reluctant to wade too deep into the fray. "I think the discussion is starting to shift," says Monica Embers, a microbiologist at Tulane University in New Orleans, Louisiana. She and others still hope for additional money from NIH and CDC for diagnostics and treatment research. CDC's budget for Lyme disease grew this year from $10.7 million to $12 million—the first increase in 5 years, albeit a modest one. "Preventing infection is going to go a long way if we can do it," Embers says.

Symptoms of Lyme disease vary but can include a rash at the site of the tick bite, fever, fatigue, and swollen lymph nodes. After a course of antibiotics, 10% to 20% of those infected remain sick, and the question is why: Some scientists believe the bacterium can persist in the body, but others dismiss the idea. This dispute, combined with patients whom doctors often can't help, has created a fractious field unlike almost any other.

Wikipedia entry for Borrelia burgdorferi.


Original Submission

posted by chromas on Thursday April 18, @04:20AM
from the harder-better-faster-stronger...sharper? dept.

Submitted via IRC for AzumaHazuki

HD emulation mod makes "Mode 7" SNES games look like new

Gamers of a certain age probably remember being wowed by the quick, smooth scaling and rotation effects of the Super Nintendo's much-ballyhooed "Mode 7" graphics. Looking back, though, those gamers might also notice how chunky and pixelated those background transformations could end up looking, especially when viewed on today's high-end screens.

Emulation to the rescue. A modder going by the handle DerKoun has released an "HD Mode 7" patch for the accuracy-focused SNES emulator bsnes. In their own words, the patch "performs Mode 7 transformations... at up to 4 times the horizontal and vertical resolution" of the original hardware.

[...] Games that made use of the SNES "Graphics Mode 7" used backgrounds that were coded in the SNES memory as a 128x128 grid of 256-color, 8x8 pixel tiles. That made for a 1024×1024 "map" that could be manipulated en masse by basic linear algebra affine transforms to rotate, scale, shear, and translate the entire screen quickly.

Some Mode 7 games also made use of an additional HDMA mode (Horizontal-blanking Direct Memory Access) to fake a "3D" plane that stretches off into the horizon. These games would essentially draw every horizontal scanline in a single SDTV frame at a different scale, making pieces lower in the image appear "closer" than ones far away.

It's a clever effect but one that can make the underlying map data look especially smeary and blob-like, especially for parts of the map that are "far away." This smearing is exacerbated by the SNES' matrix math implementation, which uses trigonometric lookup tables and rounding to cut down on the time needed to perform all that linear algebra on '90s-era consumer hardware. Translating those transformation results back to SNES-scale tiles and a 420p SD screen leads to some problems on the edges of objects, which can look lumpy and "off" by a pixel or two at certain points on the screen.

The HD Mode 7 mod fixes this problem by making use of modern computer hardware to perform its matrix math "at the output resolution," upscaling the original tiles before any transformations are done. This provides more accurate underlying "sub-pixel" data, which lets the emulator effectively use the HD display and fill in some of the spaces between those "boxy" scaled-up pixels.
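The two paragraphs above describe the hardware formula (an 8.8 fixed-point affine matrix evaluated per output pixel, truncated to whole map pixels) and the mod's fix (evaluate at output resolution so sub-pixel map positions survive). The following is an added Python sketch written for this summary; it is not DerKoun's bsnes patch and it ignores the HDMA per-scanline trick, scroll registers and the hardware's sign handling at the map edges. The checkerboard tile map is constructed demo data.

```python
# SNES Mode 7: a 1024x1024-pixel map of 8x8 tiles, addressed through a 2x2 affine matrix
# whose entries A, B, C, D are signed 8.8 fixed-point (0x0100 == 1.0). The hardware
# evaluates the inverse transform per output pixel and truncates to whole map pixels.

MAP_TILES = 128             # 128x128 tiles
TILE = 8                    # 8x8 pixels per tile
MAP_PX = MAP_TILES * TILE   # 1024


def to_fixed(v: float) -> int:
    """Float to SNES 8.8 fixed-point, as the 16-bit two's-complement value a game would write."""
    return int(round(v * 256)) & 0xFFFF


def from_fixed(v: int) -> int:
    """16-bit register value back to a signed Python int (still in 8.8 units)."""
    return v - 0x10000 if v & 0x8000 else v


def map_coord(sx, sy, a, b, c, d, cx=0, cy=0, subpixel_bits=0):
    """Screen pixel (sx, sy) -> map coordinate, rotating/scaling about pivot (cx, cy).

    subpixel_bits=0 reproduces the hardware: the 8.8 products are shifted down to whole
    map pixels, so neighbouring output pixels often land on the same map pixel (the smear).
    subpixel_bits=n treats sx, sy as 1/2^n-pixel units and keeps n fractional bits in the
    result, the extra precision an HD renderer needs to sample an upscaled tile."""
    s = 1 << subpixel_bits
    dx, dy = sx - cx * s, sy - cy * s
    mx = ((a * dx + b * dy) >> 8) + cx * s
    my = ((c * dx + d * dy) >> 8) + cy * s
    return mx, my


def sample(tilemap, tiles, mx, my):
    """Palette index at whole map pixel (mx, my); the map wraps at 1024."""
    mx &= MAP_PX - 1
    my &= MAP_PX - 1
    tile = tilemap[my >> 3][mx >> 3]
    return tiles[tile][my & 7][mx & 7]


def render_scanline(tilemap, tiles, sy, a, b, c, d, width=256):
    """One SD scanline of palette indices, exactly as the hardware formula addresses the map."""
    return [sample(tilemap, tiles, *map_coord(sx, sy, a, b, c, d)) for sx in range(width)]


def distinct_map_positions(a, b, c, d, width=256, subpixel_bits=0):
    """How many different map positions one scanline touches at a given output precision."""
    s = 1 << subpixel_bits
    return len({map_coord(sx, 0, a, b, c, d, subpixel_bits=subpixel_bits)
                for sx in range(width * s)})


# Constructed demo data: tile 0 is solid colour 1, tile 1 is solid colour 2, laid out as a
# checkerboard so each 8-map-pixel run alternates colour.
TILES = [[[1] * 8 for _ in range(8)], [[2] * 8 for _ in range(8)]]
TILEMAP = [[(tx + ty) & 1 for tx in range(MAP_TILES)] for ty in range(MAP_TILES)]

if __name__ == "__main__":
    zoom_in = to_fixed(0.5)     # each screen pixel advances half a map pixel (2x magnification)
    print(render_scanline(TILEMAP, TILES, 0, zoom_in, 0, 0, zoom_in)[:32])
    print(distinct_map_positions(zoom_in, 0, 0, zoom_in),
          distinct_map_positions(zoom_in, 0, 0, zoom_in, subpixel_bits=2))
```

With a 2x magnification (A = D = 0x0080) a 256-pixel SD scanline visits only 128 whole map pixels, so every map pixel is doubled; rendering the same matrix at 4x output resolution with two fractional bits visits 512 distinct quarter-pixel positions, which is the information the mod feeds to the upscaled tiles.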


Original Submission

posted by chromas on Thursday April 18, @02:56AM
from the Strongr,-Fastr,-Crispr dept.

CRISPR, the gene-editing tool, has been used to enhance the blood cells of two cancer patients to attack their cancer for the first time in the United States.

The experimental research, under way at the University of Pennsylvania, involves genetically altering a person's T cells so that they attack and destroy cancer. A university spokesman confirmed it has treated the first patients, one with sarcoma and one with multiple myeloma.

This isn't the first such use of CRISPR, however; just the first in the U.S.

Chinese hospitals, meanwhile, have launched a score of similar efforts. Carl June, the famed University of Pennsylvania cancer doctor, has compared the Chinese lead in employing CRISPR to a genetic Sputnik.

More such studies are in progress and on the way:

This year, for example, a patient in Europe became the first person to be treated with CRISPR for an inherited disease, beta thalassemia.

Sufferers of beta thalassemia have a defective gene responsible for the production of red blood cells, which leaves them dependent on transfusions. In that trial, a second copy of the gene that is normally deactivated at birth will be reactivated. It is theorized that this could result in an effective cure of the condition.


Original Submission

posted by chromas on Thursday April 18, @01:28AM
from the health dept.

Submitted via IRC for Bytram

Bug Allows HIPAA-Protected Malware to Hide Behind Medical Images

A bug in a 30-year-old standard used for the exchange and storage of medical images has been uncovered; it allows an adversary to embed fully-functioning executable code into the image files captured by medical devices such as CT and MRI machines.

This results in hybrid files that allow malware binaries to hide behind intact, standards-compliant images that preserve the original patient data – as such, they can be used and shared by clinicians without arousing suspicion.

“By exploiting this design flaw attackers can take advantage of the abundance and centralization of DICOM imagery within healthcare organizations to increase stealth and more easily distribute their malware, setting the stage for potential evasion techniques and multi-stage attacks,” said Markel Picado Ortiz at Cylera Labs, who found the bug, in an analysis this week.

Further, according to Ortiz, by mixing in with protected health information malware can effectively exploit the data's clinical and regulatory implications to evade detection. Because of HIPAA's stringent privacy requirements, medical device manufacturers and healthcare organizations often configure anti-malware software to ignore medical imagery and files containing protected health information.

Ortiz said that the vulnerability, which he has a proof-of-concept exploit for, exists in DICOM, which is a global and ubiquitous imaging standard within the healthcare industry, originally drafted by National Electrical Manufacturers Association (NEMA). It defines a file format for the representation and storage of medical imagery and a communication protocol for the transmission of imagery over a network.

The DICOM standard is used by the systems that produce imagery, specialized workstations for analyzing scan results, and even phones and tablets used to view diagnostic information.

[...] “DICOM has become ubiquitous within healthcare,” Ortiz said. “The number of systems supporting DICOM is innumerably large. There is no single vendor that can provide a patch and no single action that can be taken to fix the root cause of the issue across all systems using DICOM. Any change to the specification must be carefully considered to preserve interoperability between systems that may be designed to different versions of the specification before software vendors even begin to upgrade their own implementations.”
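The article does not say which part of a DICOM file the executable code hides in. The relevant fact from the DICOM Part 10 file format, not from this article, is that every such file opens with a 128-byte preamble the standard leaves unconstrained, followed by the four bytes "DICM" at offset 128; a viewer skips straight to "DICM", while a PE loader reads the "MZ" stub and the e_lfanew pointer at offset 0x3C of the same bytes, so one file can satisfy both. The check below is an added example for this summary, not Cylera Labs' proof of concept or any vendor's code: it classifies a file by what sits in its preamble, which is exactly the region an anti-malware exclusion on PHI folders stops looking at. The two samples are constructed; the "polyglot" one carries only an MZ stub and a PE signature, not a working binary.

```python
import struct

PREAMBLE_LEN = 128          # DICOM Part 10: 128-byte preamble, unconstrained by the standard
DICM_MAGIC = b"DICM"        # ...followed by this 4-byte prefix at offset 128

# Executable container signatures that have no business at the start of a medical image.
EXEC_MAGICS = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
}


def is_dicom_part10(data: bytes) -> bool:
    """True if the file carries the DICM prefix where a Part 10 file must have it."""
    return len(data) >= PREAMBLE_LEN + 4 and data[PREAMBLE_LEN:PREAMBLE_LEN + 4] == DICM_MAGIC


def pe_header_offset(data: bytes):
    """For an MZ-prefixed blob, return e_lfanew if it points at a 'PE\\0\\0' signature, else None.
    The 4-byte e_lfanew field lives at 0x3C, i.e. inside the 128-byte preamble."""
    if not data.startswith(b"MZ") or len(data) < 0x40:
        return None
    off = struct.unpack_from("<I", data, 0x3C)[0]
    return off if data[off:off + 4] == b"PE\x00\x00" else None


def preamble_verdict(data: bytes) -> dict:
    """Classify a file by its DICOM preamble: 'not-dicom' | 'clean' | 'review' | 'polyglot'.

    A DICOM viewer ignores the preamble and starts at DICM, so anything an OS loader would
    execute can sit there without disturbing the image or the patient data behind it."""
    if not is_dicom_part10(data):
        return {"verdict": "not-dicom", "detail": "no DICM prefix at offset 128"}
    preamble = data[:PREAMBLE_LEN]
    for magic, name in EXEC_MAGICS.items():
        if preamble.startswith(magic):
            detail = f"preamble starts with {name} header"
            pe_off = pe_header_offset(data) if magic == b"MZ" else None
            if pe_off is not None:
                detail += f"; e_lfanew points at a valid PE signature (offset {pe_off})"
            return {"verdict": "polyglot", "detail": detail}
    if any(preamble):
        # Non-zero but no known loader magic: legitimate dual-format files (e.g. TIFF-compatible)
        # exist, so hand this to a human instead of blocking it outright.
        return {"verdict": "review", "detail": "non-zero preamble without a known executable magic"}
    return {"verdict": "clean", "detail": "all-zero preamble"}


# --- constructed samples (not real medical data) -----------------------------------------

def make_dicom(preamble: bytes) -> bytes:
    """Preamble + DICM + one File Meta element: (0002,0010) Transfer Syntax UID, explicit VR LE."""
    assert len(preamble) == PREAMBLE_LEN
    uid = b"1.2.840.10008.1.2.1\x00"          # UID padded with NUL to an even length
    element = struct.pack("<HH", 0x0002, 0x0010) + b"UI" + struct.pack("<H", len(uid)) + uid
    return preamble + DICM_MAGIC + element


BENIGN = make_dicom(b"\x00" * PREAMBLE_LEN)

# Polyglot: an MZ stub in the preamble whose e_lfanew points past the DICOM header to a PE
# signature appended after the image data. Only the signature is present, not a real binary.
PE_OFFSET = len(BENIGN)                       # 160: immediately after the DICOM element
stub = bytearray(PREAMBLE_LEN)
stub[0:2] = b"MZ"
struct.pack_into("<I", stub, 0x3C, PE_OFFSET)
POLYGLOT = make_dicom(bytes(stub)) + b"PE\x00\x00" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("polyglot", POLYGLOT)):
        print(name, preamble_verdict(blob))
```

Because the preamble is part of the standard, a scanner cannot simply reject files whose preamble is non-zero; the defensible policy is to treat a loader magic in those 128 bytes as hostile, route other non-zero preambles for review, and run that check in the PACS ingestion path rather than relying on endpoint anti-malware that has been told to skip PHI.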


Original Submission

posted by martyb on Thursday April 18, @12:12AM
from the my-friend...flicker? dept.

Reviewers are breaking Samsung's Galaxy Fold smartphone after just a day or two of use. Some have accidentally removed a protective film that Samsung warned should not be removed, but others, including CNBC and The Verge, have seen the devices break after normal use:

The phone has only been given to gadget reviewers, but some of the screens appear to be disconnecting and permanently flashing on or off.

The Verge's Dieter Bohn posted earlier on Wednesday that his phone appears to have a defective hinge with a "small bulge" that he can feel that's causing the screen to "slightly distort." Bloomberg's Mark Gurman says his "review unit is completely broken just two days in," but noted he accidentally removed a protective film on the screen.

YouTube tech reviewer Marques Brownlee also removed the film and experienced a broken display. A Samsung spokesperson had warned on Wednesday not to remove the protective layer.

However, CNBC didn't remove that layer, and our screen is now also failing to work properly. When opened, the left side of the flexible display, which makes up a large 7.3-inch screen, flickers consistently.

Previously: Samsung Announces the Galaxy Fold, a Phone-Tablet Hybrid Device
A Bunch of Mobile World Congress 2019 Stories


Original Submission

posted by martyb on Wednesday April 17, @10:36PM
from the let-me-think-about-it-a-bit dept.

Fake news has already fanned the flames of distrust towards media, politics and established institutions around the world. And while new technologies like artificial intelligence (AI) might make things even worse, it can also be used to combat misinformation.

A fake story might, for example, make the claim that a very high percentage of crimes in a European country are committed by foreign immigrants. In theory that might be an easy claim to disprove because of large troves of available open data, yet journalists waste valuable time in finding that data. So Fandango’s tool links all kinds of European open data sources together, and bundles and visualises it. Journalists can use, for example, pooled together national data to address claims about crimes or apply data from the European Copernicus satellites to climate change debates.

Essentially, previous studies show that fake news stories are shared online in different ways from real news stories, says Prof. Bronstein. Fake news might have far more shares than likes on Facebook, while regular posts tend to have more likes than they have shares. By spotting patterns like these, GoodNews attaches a credibility score to a news item.

The GoodNews team hopes to monetise this service through a start-up called Fabula AI, based in London. While they hope to roll out the product at the end of the year, they envisage having customers such as large media companies like Facebook and Twitter, but also individual users.

Can artificial intelligence help end fake news?

[More Info]:
Fandango
GoodNews

Do you think that AI is a solution to the fake news problem?


Original Submission

posted by takyon on Wednesday April 17, @08:56PM
from the Miracle-Max-the-Wizard dept.

Scientists Restore Some Functions in a Pig's Brain Hours after Death:

Circulation and cellular activity were restored in a pig's brain four hours after its death, a finding that challenges long-held assumptions about the timing and irreversible nature of the cessation of some brain functions after death, Yale scientists report April 17 in the journal Nature.

The brain of a postmortem pig obtained from a meatpacking plant was isolated and circulated with a specially designed chemical solution. Many basic cellular functions, once thought to cease seconds or minutes after oxygen and blood flow cease, were observed, the scientists report.

"The intact brain of a large mammal retains a previously underappreciated capacity for restoration of circulation and certain molecular and cellular activities multiple hours after circulatory arrest," said senior author Nenad Sestan, professor of neuroscience, comparative medicine, genetics, and psychiatry.

However, researchers also stressed that the treated brain lacked any recognizable global electrical signals associated with normal brain function.

"At no point did we observe the kind of organized electrical activity associated with perception, awareness, or consciousness," said co-first author Zvonimir Vrselja, associate research scientist in neuroscience. "Clinically defined, this is not a living brain, but it is a cellularly active brain."

[...] researchers in Sestan's lab, whose research focuses on brain development and evolution, observed that the small tissue samples they worked with routinely showed signs of cellular viability, even when the tissue was harvested multiple hours postmortem. Intrigued, they obtained the brains of pigs processed for food production to study how widespread this postmortem viability might be in the intact brain. Four hours after the pig's death, they connected the vasculature of the brain to circulate a uniquely formulated solution they developed to preserve brain tissue, utilizing a system they call BrainEx. They found neural cell integrity was preserved, and certain neuronal, glial, and vascular cell functionality was restored.

Journal Reference:
Vrselja, Z. et al. Restoration of brain circulation and cellular functions hours post-mortem. Nature, 2019 DOI: 10.1038/s41586-019-1099-1

Also at The New York Times, National Geographic, and NPR.

The article in The New York Times explores some of the medical ethics of this experimentation and what it may hold down the line. Consider, for example, current policies and practices concerning organ donations from "dead" people.

Previously: Researchers are Keeping Pig Brains Alive Outside the Body


Original Submission

posted by chromas on Wednesday April 17, @07:07PM

Breaking Bad: Japan Prof 'Made Students Produce Ecstasy':

A Japanese university professor could face up to 10 years in jail after allegedly getting his students to produce ecstasy, officials said Wednesday, in an echo of TV hit series "Breaking Bad".

Authorities suspect the 61-year-old pharmacology professor from Matsuyama University in western Japan got his pupils to make MDMA—commonly known as ecstasy—in 2013 and another so-called "designer drug" 5F-QUPIC last year.

The professor told investigators he was aiming to further the "education" of his pharmaceutical sciences students, an official from the local health ministry told AFP.

The ecstasy allegedly produced has not been found and has "probably been discarded," added this official, who asked to remain anonymous.

[...] Japanese law states that a researcher needs a licence issued by regional authorities to manufacture narcotics for academic purposes.

Next on the syllabus was how to start, organize, and operate a fast-growing business?


Original Submission

posted by mrpg on Wednesday April 17, @04:40PM
from the striking-development? dept.

Possible Evidence of an Extrasolar Object Striking the Earth in 2014:

A pair of researchers has found possible evidence of an extrasolar object striking the Earth back in 2014. In their paper uploaded to the arXiv preprint server, Amir Siraj and Abraham Loeb describe their study of data in the Center for Near-Earth Object studies database and what they found.

[...]Loeb and Siraj had reasoned that space objects traveling faster than normal might be evidence enough of an extrasolar visitor. That led to them to perform searches in the Center for Near-Earth Object studies database for objects that traveled faster than normal. They report that they found three hits, two of which they dismissed because of incomplete data. The third described a meteor that was believed to be slightly less than a meter wide that had been observed disintegrating in the atmosphere on January 8th, 2014, at a height of 18.7 kilometers near Papua New Guinea. Its speed had been measured by a government sensor at 216,000 km/h. By looking at its trajectory and tracing backward, the researchers report that it likely came from somewhere outside of our solar system. If the evidence pans out, the sighting would be the first known instance of an extrasolar object striking the Earth.

The researchers suggest that the object's high speed indicates that it was likely flung out of another star system. And if that were the case, it would have been reasonably close to its star at some point, deep in the interior of a planetary system—perhaps in its "Goldilocks zone," which means there was some chance it carried life. The researchers have written a paper describing their findings, which they have submitted to The Astrophysical Journal Letters.

For various definitions of 'striking' and 'Earth'.


Original Submission

posted by chromas on Wednesday April 17, @03:06PM
from the an-internet-vs-The-Internet dept.

The Russian parliament has approved a law creating a separate, domestic network, separate from the Internet. This Russian network of networks will be fully isolatable and will mean that the country's communications will become autonomous and able to continue functioning even when the plug is pulled on Russia's connections to the Internet at large. Concerns increase that this move will be used more for control of content and even just plain censorship, and make any attempts at circumventing restrictions much more difficult. The law is expected to take effect November 1st. Russia has already banned certain programs, such as Telegram.

One of the law's goals is to keep as much of the data exchanged between Russian internet users within the country's borders as possible. This aim may sound like a move to protect Russian users from external threats, but rights groups have warned that the new measures could ultimately be directed at Kremlin critics rather than international adversaries.

The idea of increasing the government's control over the internet is part of a more long-term national policy trend. In 2017, officials said they wanted 95% of internet traffic to be routed locally by 2020. Since 2016, a law has required social networks to store data about Russian users on servers within the country. The law was officially presented as an anti-terrorism measure — but many criticized it as an attempt to control online platforms that can be used to organize anti-government demonstrations.

Also at Silicon: Russian Parliament Passes Bill To Isolate Internet.


Original Submission

posted by janrinok on Wednesday April 17, @01:46PM
from the and-he-shall-rain-down-fire-and-brimstone dept.

Ars Technica is running an article about a "self-proclaimed security provider" who has published exploits for three separate zero-day vulnerabilities in plugins for WordPress, the open-source content management system.

According to the Ars Technica article:

Over the past three weeks, a trio of critical zeroday vulnerabilities in WordPress plugins has exposed 160,000 websites to attacks that allow criminal hackers to redirect unwitting visitors to malicious destinations. A self-proclaimed security provider who publicly disclosed the flaws before patches were available played a key role in the debacle, although delays by plugin developers and site administrators in publishing and installing patches have also contributed.

Over the past week, zeroday vulnerabilities in both the Yuzo Related Posts and Yellow Pencil Visual Theme Customizer WordPress plugins—used by 60,000 and 30,000 websites respectively—have come under attack. Both plugins were removed from the WordPress plugin repository around the time the zeroday posts were published, leaving websites little choice than to remove the plugins. On Friday (three days after the vulnerability was disclosed), Yellow Pencil issued a patch. At the time this post was being reported, Yuzo Related Posts remained closed with no patch available.

In-the-wild exploits against Social Warfare, a plugin used by 70,000 sites, started three weeks ago. Developers for that plugin quickly patched the flaw but not before sites that used it were hacked.

All three waves of exploits caused sites that used the vulnerable plugins to surreptitiously redirect visitors to sites pushing tech-support scams and other forms of online graft. In all three cases, the exploits came after a site called Plugin Vulnerabilities published detailed disclosures on the underlying vulnerabilities. The posts included enough proof-of-concept exploit code and other technical details to make it trivial to hack vulnerable sites. Indeed, some of the code used in the attacks appeared to have been copied and pasted from the Plugin Vulnerabilities posts.

The author also pointed out that 11 days passed between the disclosure of the Yuzo Related Posts zeroday and the first known reports it was being exploited. Those exploits wouldn't have been possible had the developer patched the vulnerability during that interval, the author said.

Asked if there was any remorse for the innocent end users and website owners who were harmed by the exploits, the author said: "We have no direct knowledge of what any hackers are doing, but it seems likely that our disclosures could have led to exploitation attempts. These full disclosures would have long ago stopped if the moderation of the Support Forum was simply cleaned up, so any damage caused by these could have been avoided, if they would have simply agreed to clean that up."

[...] The crux of the author's beef with WordPress support-forum moderators, according to threads such as this one, is that they remove his posts and delete his accounts when he discloses unfixed vulnerabilities in public forums. A recent post on Medium said he was "banned for life" but had vowed to continue the practice indefinitely using made-up accounts. Posts such as this one show Plugin Vulnerabilities' public outrage over WordPress support forums has been brewing since at least 2016.

Ars Technica goes on to editorialize:

To be sure, there's plenty of blame to spread around recent exploits. Volunteer-submitted WordPress plugins have long represented the biggest security risk for sites running WordPress, and so far, developers of the open source CMS haven't figured out a way to sufficiently improve the quality. What's more, it often takes far too long for plugin developers to fix critical vulnerabilities and for site administrators to install them. Warfare Plugins' blog post offers one of the best apologies ever for its role in not discovering the critical flaw before it was exploited.

But the bulk of the blame by far goes to a self-described security provider who readily admits to dropping zerodays as a form of protest or, alternatively, as a way to keep customers safe (as if exploit code was necessary to do that). With no apologies and no remorse from the discloser—not to mention a dizzying number of buggy, poorly-audited plugins in the WordPress repository—it wouldn't be surprising to see more zeroday disclosures in the coming days.

A weakness of community-developed software, which is also its biggest strength, is that profit is not the motive. As such, developers may or may not be responsive to reports of security vulnerabilities.

So where do Soylentils fall on this? Is the guy who disclosed the vulnerabilities without reporting them to the developers first most at fault for site compromises, or are the plugin developers who failed to patch their code in a timely fashion the real villains?


Original Submission