2018-01-01 00:00:00 ..
2018-01-17 20:14:45 UTC
2018-01-18 08:18:51 UTC
We always have a place for talented people, visit the Get Involved section on the wiki to see how you can make SoylentNews better.
You can log in as root on the latest version of MacOS by pressing enter on the login prompt a few times. Just type in root as the user and press enter. There you go no password required.
Not sure what else to say; is this the stupidest massive security hole ever?
From Extreme Tech:
Reproing the bug is simple (at least until Apple fixes it): Type the login "root," then move the cursor into the password field and hit enter several times. It also apparently works if you simply hit the "login" button several times rather than using the keyboard, though a few tries may be necessary.
This was also reported at Ars Technica. Beware that the behavior seems to be that if you do not already have a root account with a (preferably strong) password, this bug essentially creates a root account with an empty password. Attempting this on your own system should be followed up by ensuring that any root a count has a strong password.
There is a patch that has just been made available; again according to Ars Technica:
Yesterday we learned that Apple had made a serious security error in macOS—a bug that, under certain conditions, allowed anyone to log in as a system administrator on a Mac running High Sierra by simply typing in "root" as the username and leaving the password field blank. Apple says that vulnerability has now been fixed with a security update that became available for download this morning on the Mac App Store. Further, the update will automatically be applied to Macs running High Sierra 10.13.1 later today.
Apple's brief notes for this security update (Security Update 2017-001) explain the bug by saying, "A logic error existed in the validation of credentials," and claims the problem has been addressed "with improved credential validation."
North Korea appears to have launched another intercontinental ballistic missile, the Pentagon said Tuesday, with experts calculating that Washington, D.C., is now technically within Kim Jong Un's reach.
[...] The missile launched early Wednesday local time traveled some 620 miles and reached a height of about 2,800 miles before landing off the coast of Japan, flying for a total of 54 minutes. This suggested it had been fired almost straight up — on a "lofted trajectory" similar to North Korea's two previous intercontinental ballistic missile tests. [...] If it had flown on a standard trajectory designed to maximize its reach, this missile would have a range of more than 8,100 miles, said David Wright, co-director of the global security program at the Union of Concerned Scientists. [...] The U.S. capital is 6,850 miles from Pyongyang.
Although it may be cold comfort, it is still unlikely that North Korea is capable of delivering a nuclear warhead to the U.S. mainland. Scientists do not know the weight of the payload the missile carried, but given the increase in range, it seems likely that it carried a very light mock warhead, Wright said. "If true, that means it would not be capable of carrying a nuclear warhead to this long distance, since such a warhead would be much heavier," he said in a blog post.
[Update: The launch was delayed to the end of the 5-minute launch window because of a vessel in the safety area in the bay. Launch was successful. Second-stage separation went cleanly and the Cygnus supply ship is on course for its journey to the International Space Station. NASA TV coverage resumes for solar array deployment scheduled at 8:45 EST (13:45 UTC) --martyb]
[Update 2: Solar array deployment was successful and "the cargo craft is set to fine-tune its approach to the space station with a series of thruster firings over the next two days." - Fnord666]
Managers aborted liftoff of a commercial Antares cargo launcher Saturday when an aircraft strayed into restricted airspace near the rocket's planned flight path east from Virginia's Eastern Shore.
The Antares rocket and a Cygnus supply ship, both owned by Orbital ATK, were ready for liftoff at 7:37 a.m. EST (1237 GMT) Saturday. The launch team loaded kerosene and liquid oxygen propellants into the first stage of the Antares booster, and a computer-controlled countdown sequencer took over for the final three minutes before liftoff.
But an unidentified aircraft ventured into the safety zone surrounding the rocket and its planned trajectory over the Atlantic Ocean. "LC, LC, we are red," a member of the launch team told Adam Lewis, Orbital ATK's launch conductor. "We have an aircraft in the hazard area." "Copy that," Lewis replied. "Abort, abort, abort. This is LC on the countdown net. Abort, abort, abort. Proceed to the abort safing checklist."
Another attempt will be made today (Sunday) at 7:14 AM EST (1214 GMT). You can watch coverage on NASA TV starting right now.
Also at Spaceflight Insider.
While you were doing whatever you were doing last Sunday, the International Consortium of Investigative Journalists - the same that brought you the Panama papers less than two years ago revealed itself to be in the possession of a 13.4 million leaked documents on tax dodgers.
A trove of 13.4 million records exposes ties between Russia and U.S. President Donald Trump's billionaire commerce secretary, the secret dealings of the chief fundraiser for Canadian Prime Minister Justin Trudeau and the offshore interests of the queen of England and more than 120 politicians around the world.
The leaked documents, dubbed the Paradise Papers, show how deeply the offshore financial system is entangled with the overlapping worlds of political players, private wealth and corporate giants, including Apple, Nike, Uber and other global companies that avoid taxes through increasingly imaginative bookkeeping maneuvers.
One offshore web leads to Trump's commerce secretary, private equity tycoon Wilbur Ross, who has a stake in a shipping company that has received more than $68 million in revenue since 2014 from a Russian energy company co-owned by the son-in-law of Russian President Vladimir Putin.
In all, the offshore ties of more than a dozen Trump advisers, Cabinet members and major donors appear in the leaked data.
The new files come from two offshore services firms as well as from 19 corporate registries maintained by governments in jurisdictions that serve as waystations in the global shadow economy. The leaks were obtained by German newspaper Süddeutsche Zeitung and shared with the International Consortium of Investigative Journalists and a network of more than 380 journalists in 67 countries.
[...] The most detailed revelations emerge in decades of corporate records from the white-shoe offshore law firm Appleby and corporate services provider Estera, two businesses that operated together under the Appleby name until Estera became independent in 2016.
At least 31,000 of the individual and corporate clients included in Appleby's records are U.S. citizens or have U.S. addresses, more than from any other country. Appleby also counted clients from the United Kingdom, China and Canada among its biggest sources of business.
Keep your eyes peeled for more articles as they are published by various news outlets:
Federal authorities are responding to a shooting at the First Baptist Church in Sutherland Springs, Texas, a small community southeast of San Antonio.
In a press conference Sunday night, an official from the Texas Department of Public Safety described the scene: Around 11:20 am, the suspect, dressed in black, approached the church and began firing an assault rifle. He then entered the church and continued firing.
Gov. Greg Abbott confirmed that at least 26 people were killed. A Texas Department of Public Safety official said the ages of the victims ranged from 5 to 72 years old. The AP reports that the pastor's 14-year-old daughter is among the dead.
The Department of Public Safety confirmed to NPR that at least 20 others were wounded. A DPS official said in the press conference that the gunman was confronted by an armed civilian outside of the church.
Manafort and Gates, were charged with "conspiracy against the United States," "conspiracy to launder money" and other offenses. The two were expected in court in Washington by the afternoon.
The Justice Department indictment on Manafort and Gates contains 12 counts: "conspiracy against the United States, conspiracy to launder money, unregistered agent of a foreign principal, false and misleading FARA statements, false statements, and seven counts of failure to file reports of foreign bank and financial accounts."
Papadopoulos pleaded guilty to making false statements to the FBI.
The Manafort and Gates indictment unsealed on Monday morning does not make any reference to Russia's influence campaign against the presidential election, but it does allege extensive financial ties between Manafort and Gates and powerful Ukrainians.
The Papadopoulos materials, on the other hand, detail the many contacts investigators say he had with Russian-linked operatives. He met at least two people, a man and a woman, who the FBI says were working for the Russian government and had boasted to him about the help it could offer the Trump campaign against Clinton.
This afternoon, Catalonia declared independence. At the same time, Spain invoked article 155, to strip Catalonia from its governing powers putting it under direct rule from the federal government. A vote for independence was raised in Catalonian parliament, with part of parliament leaving before the vote on independence started. The motion declaring independence was approved with 70 in favor, 10 against, and two abstentions of the normal 135 total.
From RT: https://www.rt.com/news/407956-catalan-parliament-votes-independence/
From Aljazeera: http://www.aljazeera.com/news/2017/10/catalan-parliament-begins-vote-independence-171027115908493.html
From BBC: http://www.bbc.com/news/world-europe-41780116
It will be interesting to see how things unfold. In my opinion, Madrid using violence to stop a referendum gave it the legality they later claim the referendum didn't have. The lack of dialogue paved the way into the only possible outcome, Catalonia declaring independence and Madrid denying it. Whatever happens next, I hope will be peaceful. As to how the EU reacts, I'm hoping they ask for an official referendum, and whatever the outcome, pledges that both Catalonia and Spain will be able to remain in the EU if they desire. That may release tensions a bit.
Update: 2,800 documents will be released tonight, others may be released on April 26, 2018.
Update 2: Documents have been released.
Update 3: Check this live feed: JFK files: government releases classified assassination documents – live
John F. Kennedy, often better known as JFK, was the United States of America's 35th President. He was assassinated on November 22, 1963.
The deadline for the release of redacted and withheld records from the JFK Assassination Records Collection is today. Of the approximately 5 million pages in the collection, about 11% are redacted and 1% are withheld in full:
According to the [JFK Assassination Records Collection Act], all [JFK assassination-related] records previously withheld either in part or in full should be released on October 26, 2017, unless authorized for further withholding by the President of the United States. The 2017 date derives directly from the law that states:
Each assassination record shall be publicly disclosed in full, and available in the Collection no later than the date that is 25 years after the date of the enactment of this Act, unless the President certifies, as required by this Act, that –
(i) continued postponement is made necessary by an identifiable harm to military defense, intelligence operations, law enforcement or conduct of foreign relations; and
(ii) the identifiable harm is of such gravity that it outweighs the public interest in disclosure.
The Act was signed by President Bush on October 26, 1992, thus the final release date is October 26, 2017.
Some records related to grand jury information and tax return information will remain withheld, as specified in Sections 10 and 11 of the Collection Act.
Although the current President of the United States could authorize the non-disclosure of any documents in the collection, that action appears unlikely:
Few seem as excited about the release of the final batch of secret documents from the 1963 assassination of John F. Kennedy as the current occupant of the Oval Office. "The long anticipated release of the #JFKFiles will take place tomorrow," President Trump wrote on Twitter on Wednesday. "So interesting!"
Surely, then, it was just a coincidence that Mr. Trump posted that message while on Air Force One heading to, of all places, Dallas. Or was it? Fifty-three years and 11 months after the event that gave rise to a thousand conspiracy theories, the president even landed at Dallas Love Field Airport, where Kennedy's body was brought for the final flight home, and his motorcade came within a few miles of Dealey Plaza, where the fateful shots rang out.
[...] "Of all the presidents since 1963, this is the one who would mind the least if the release of these documents damaged the C.I.A. and the F.B.I., two organizations that he's very angry at at the moment," said Michael Beschloss, a presidential historian.
Multiple Soylentils submitted stories about a newly-reported vulnerability that has been discovered in the WPA-2 protocol that secures communications on Wi-Fi networks. This is a significant vulnerability, but not quite as bad as some sensationalist headlines and stories would suggest. As I understand it, there is a 4-step process by which keys are exchanged to set up wireless encryption. An attacker can force a connection to repeat the 3rd step and thus force known values for the nonce. An attacker can leverage that information to break the encryption and, in many cases, eavesdrop on communications. In certain cases, it is possible to manipulate the communications and modify/insert a payload.
The vulnerability is in the protocol, not in a specific implementation. The spec fails to call out a mitigation that could preclude key re-use. So, it is an error of omission instead of an error of commission. An implementation can avoid this problem by refusing to reuse a previously received key.
The defect is primarily in the remote device, not in the base station. The researcher called out Android 6+ as being especially vulnerable.
A fix for BSD was silently released ahead of the announcement. I saw a report that Linux has already been patched, but without any supporting link.
The researcher, Mathy Vanhoef, has created a web site with details: https://www.krackattacks.com/. A research paper, Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 (pdf), is available.
See the Vulnerability Notes Database for information on specific vendors.
Sensationalist reports are already appearing. For a calmer view, see Kevin Beaumont's take on this at Regarding Krack Attacks — WPA2 flaw where he notes:
- It is patchable, both client and server (Wi-Fi) side.
- Linux patches are available now. Linux distributions should have it very shortly.
- The attack doesn't realistically doesn't[sic] work against Windows or iOS devices. The Group vuln is there, but it's not near enough to actually do anything of interest.
- There is currently no publicly available code out there to attack this in the real world — you would need an incredibly high skill set and to be at the Wi-Fi base station to attack this.
- Android is the issue, which is why the research paper concentrates on it. The issue with Android is people largely don't patch.
My suggestion for organisations is they ask their Wi-Fi network providers for patches — this is absolutely patchable, as per the researcher's own website.
The Guardian has an article on it here https://www.theguardian.com/technology/2017/oct/16/wpa2-wifi-security-vulnerable-hacking-us-government-warns.
Heres the researchers description...
We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.
An air of unease set into the security circles on Sunday as they prepared for the disclosure of high-severity vulnerabilities in the Wi-Fi Protected Access II protocol that make it possible for attackers to eavesdrop Wi-Fi traffic passing between computers and access points.
The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks. The research has been a closely guarded secret for weeks ahead of a coordinated disclosure that's scheduled for 8 a.m. Monday, east coast time. An advisory the US CERT recently distributed to about 100 organizations described the research this way:
US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.
Woody Leonhard has been my go-to source for the status of safety and usability of updates to Windows for years. He's not usually prone to alarmism, so I'm looking at this announcement on his site with a great deal of trepidation:
There's a lot of buzz this weekend about a flaw that's purported to break security on most Wi-Fi connections, allowing an eavesdropper to snoop or use the connection without permission.
Said to involve CVE-2017-13077, 13078, 13079, 13080, 13081, 13082, 13084, 13086, 13087, 13088, when they're posted.
The reference to the tweet by @campuscodi is to "Catalin Cimpanu [who] is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more." See the tweet for references to background papers which may be of assistance in understanding the nature of the flaw and possible preparations to help try and mitigate the breakage.
There is a web site — https://www.krackattacks.com/ — which was created on October 10 that seems to be a placeholder for posting the details when they are released.
Time to stock up on energy drinks, coffee, and Pringles®?
Submitted via IRC for SoyCow1937
SpaceX will attempt the launch of EchoStar 105/SES-11 at 6:53 PM EDT (10:53 PM UTC). This is SpaceX's second launch attempt in 3 days, following the successful launch of 10 satellites for Iridium on Monday:
It's the third time SpaceX has used one of its landed boosters for a second flight — and if it sticks the landing again, it'll also be the third to have come safely back to Earth for a second time. The first reused Falcon 9 flew in March, with the second one following close behind in June. It's possible we'll see more used rockets fly before the year is out: earlier this year, Musk said the company could fly as many as six used boosters in 2017. Eventually, SpaceX hopes to refly its Falcon 9s much more frequently, by making a landed booster ready to fly again in just 24 hours.
Going up on this flight is a hybrid satellite that will be used by two companies, SES and EchoStar. Called EchoStar 105/SES-11, the satellite will sit in a high orbit 22,000 miles above Earth, providing high-definition broadcasts to the US and other parts of North America. While this is the first time EchoStar is flying a payload on a used Falcon 9, this is familiar territory for SES. The company's SES-10 satellite went up on the first "re-flight" in March. And SES has made it very clear that it is eager to fly its satellites on previously flown boosters.
Update: Liftoff was successful and the first stage landed successfully on a drone ship in the Atlantic Ocean.
Update 2: EchoStar 105/SES-11 successfully deployed.
The death toll from Northern California's wildfires now stands at 15, officials say, with a total of nine confirmed fatalities in Sonoma County. The Sonoma County Sheriff's Office said on its Twitter page that the number of dead had increased from seven to nine. Three others are dead in Mendocino County, two more in Napa and one in Yuba, officials say. In Sonoma County, more than 200 people have been reported missing, and 45 of those have since been located, officials said.
The fires have burned 115,000 acres statewide and destroyed at least 2,000 homes and businesses, Cal Fire Ken Pimlott said Tuesday. More than 4,000 emergency workers have been deployed to help battle the fires, including a massive effort at McClellan Air Park, where a record 45 missions were flown Monday that dumped 266,000 acres of retardant on the blazes.
Vice President Mike Pence visited the state's emergency operations center at Mather Air Park Tuesday and announced that President Trump had approved the state's request for federal assistance in the counties of Butte, Lake, Mendocino, Napa, Nevada, Sonoma, and Yuba.
A gunman fired upon thousands of people attending a music festival on the Las Vegas Strip Sunday night, in a brutal attack that is blamed for at least 58 deaths, police say. In the mass shooting and panic that ensued, 515 people were injured. At least one of the dead is an off-duty police officer who was attending the concert.
Editorializing: Interesting how media always emphasize ISLAMIC terrorists, but downplay domestic terrorism as psychologically disturbed individual lone-wolfs.
As if the onslaught of hurricanes Irma and Maria were not enough, the National Weather Service in San Juan is reporting that a major dam is failing in Puerto Rico and that 70,000 people are being evacuated by bus. From CBS:
The National Weather Service in San Juan said Friday that the northwestern municipalities of Isabela and Quebradillas, home to some 70,000 people, were being evacuated with buses because the nearby Guajataca Dam was failing after Hurricane Maria hit the U.S. territory.
Maria poured more than 15 inches of rain on the mountains surrounding the dam, swelling the reservoir behind it.
Details remained slim about the evacuation with communications hampered after the storm, but operators of the dam reported that the failure was causing flash-flooding downstream. The 345-yard dam holds back a man-made lake covering about 2 square miles and was built decades ago, U.S. government records show.
"Move to higher ground now," the weather service said in a statement. "This is an extremely dangerous and life-threatening situation. Do not attempt to travel unless you are fleeing an area subject to flooding or under an evacuation order."
"Act quickly to protect your life," it added. "Buses will be evacuating people from these areas."
Wikipedia has a page about Guajataca Dam
The BBC is reporting that North Korea has fired another missile:
North Korea has fired a missile eastwards from its capital, Pyongyang, towards Japan, media reports say.
Japan said that the missile likely passed over its territory and has warned residents to take shelter, local media report.
South Korea and the US are analysing the details of the launch, the South's military said.
Al Jazeera reports:
The projectile was launched at 6:57am (21:57GMT Thursday) and flew over the northern Japanese island of Hokkaido before falling into the Pacific Ocean - 2,000km east of Cape Erimo, said Japan's Chief Cabinet Secretary Yoshihide Suga.
"Japan protests the latest launch in the strongest terms and will take appropriate and timely action at the United Nations and elsewhere, staying in close contact with the United States and South Korea," Suga told reporters.
South Korea's defence ministry said the missile travelled about 3,700km and reached a maximum altitude of 770km - both higher and further than previous tests.
Just more saber rattling? Another step in escalation? What's next?
The New York Daily News reports Len Wein has died at the age of 69:
Legendary comic book writer and editor Len Wein has died.
He was 69.
Wein helped revive the "X-Men" franchise in 1975 with artist Dave Cockrum, creating characters including Nightcrawler, Storm, Colossus and Thunderbird.
A year earlier, in "The Incredible Hulk" #180, he debuted Wolverine, who eventually joined the "X-Men" team in later years.
In the late '80s, Wein left Marvel for DC Comics, where he worked as a writer and later an editor.
His work included "Batman" and "Green Lantern," as well as editing Alan Moore's and Dave Gibbons' "Watchmen" and "Swamp Thing," also by Moore.
I was surprised to learn just how tremendously prolific he actually was. Wikipedia has a thorough rundown of his life and works.