SoylentNews is people

posted by Fnord666 on Sunday January 22 2017, @11:49PM
from the it's-a-trap! dept.

The email service that was shut down after the FBI demanded access to Edward Snowden's email account is making a comeback:

In 2013, Ladar Levison, founder of the encrypted email service Lavabit, took the defiant step of shutting down the company's service rather than comply with a federal law enforcement request that could compromise its customers' communications. The FBI had sought access to the email account of one of Lavabit's most prominent users — Edward Snowden. [...] Rather than undermine the trust and privacy of his users, Levison ended the company's email service entirely, preventing the feds from getting access to emails stored on his servers. But the company's users lost access to their accounts as well.

[...] On Friday, he's relaunching Lavabit with a new architecture that fixes the SSL problem and includes other privacy-enhancing features as well, such as one that obscures the metadata on emails to prevent government agencies like the NSA and FBI from being able to find out with whom Lavabit users communicate. He's also announcing plans to roll out end-to-end encryption later this year, which would give users an even more secure way to send email. The new service addresses what has become a major fault line between tech companies and the government: the ability to demand backdoor access to customer data.

Previously:
The Story of the Lavabit Shutdown


posted by n1 on Sunday January 22 2017, @10:08PM
from the modern-warfare-remastered dept.

Submitted via IRC for Runaway1956

Once a hallmark of state-on-state conflict, simply finding oneself inside of an American kill box in today's counterterrorism wars is enough to be retroactively defined as guilty.

In laymen’s terms, “kill boxes” sound like torture devices. In military jargon, they are almost incomprehensible; as defined in the Department of Defense Dictionary, they are “a three-dimensional area reference that enables timely, effective coordination and control and facilitates rapid attacks.” But despite their ominous name and complicated technical definition, kill boxes are actually relatively simple in concept: They are three-dimensional cubes of space on a battlefield in which members and allies of the United States military are completely free to open fire.

According to the DoD, “there is no formal kill-box doctrine or tactics, techniques or procedures.” They require a sophisticated web of logistical, bureaucratic, and technological expertise to implement. Like most military tactics, kill boxes aren’t new—they’ve been around for nearly 30 years now. But they are constantly being reinvented for new conflicts. In recent years, kill-box strategy has shifted: They are now used in conflicts that are not between two states, but rather within states against terrorists and fighters who aren’t members of any particular country’s military. With this change, two things have started happening. First, kill boxes have materialized in places the local population might not expect. And second, kill boxes have been used in conjunction with disposition matrices, or “kill lists.” The DoD uses these to target people whose “pattern of life” fit the parameters of an algorithm, rather than specific individuals. For example: Say someone who owns a cellphone has been calling numbers that trigger a response from a computer at the Pentagon. Analysts will triangulate the cellphone’s whereabouts, and military leaders might initiate a “kill box” at that location, authorizing soldiers to kill everyone within the “box.” Mission accomplished.

Source: Defense One


posted by n1 on Sunday January 22 2017, @08:46PM
from the @potus:-dow-going-to-hit-20k-today dept.

London-based fintech firm Trading.co.uk is launching an app that will generate trading alerts for shares based on Donald Trump social media comments. Watching the U.S. President-elect's personal Twitter feed has become a regular pastime for the fund managers and traders.

Trump knocked several billion off the value of pharmaceutical stocks a week ago by saying they were "getting away with murder" with their prices. Comments earlier this week on China moved the dollar and a pair of December tweets sent the share prices of Lockheed Martin (LMT.N) and Boeing (BA.N) spiraling lower.


posted by n1 on Sunday January 22 2017, @07:02PM
from the aaand-it's-gone... dept.

Arthur T Knackerbracket has found the following story:

It was only a matter of time until ransomware groups that wiped data from thousands of MongoDB databases and Elasticsearch clusters started targeting other data storage technologies. Researchers are now observing similar destructive attacks hitting openly accessible Hadoop and CouchDB deployments.

Security researchers Victor Gevers and Niall Merrigan, who monitored the MongoDB and Elasticsearch attacks so far, have also started keeping track of the new Hadoop and CouchDB victims. The two have put together spreadsheets on Google Docs where they document the different attack signatures and messages left behind after data gets wiped from databases.

In the case of Hadoop, a framework used for distributed storage and processing of large data sets, the attacks observed so far can be described as vandalism.

That's because the attackers don't ask for payments to be made in exchange for returning the deleted data. Instead, their message instructs the Hadoop administrators to secure their deployments in the future.

According to Merrigan's latest count, 126 Hadoop instances have been wiped so far. The number of victims is likely to increase because there are thousands of Hadoop deployments accessible from the internet -- although it's hard to say how many are vulnerable.

The attacks against MongoDB and Elasticsearch followed a similar pattern. The number of MongoDB victims jumped from hundreds to thousands in a matter of hours and to tens of thousands within a week. The latest count puts the number of wiped MongoDB databases at more than 34,000 and that of deleted Elasticsearch clusters at more than 4,600.

A group called Kraken0, responsible for most of the ransomware attacks against databases, is trying to sell its attack toolkit and a list of vulnerable MongoDB and Elasticsearch installations for the equivalent of $500 in bitcoins.

-- submitted from IRC


posted by Fnord666 on Sunday January 22 2017, @05:18PM
from the what's-a-few-more-at-this-point dept.

Arthur T Knackerbracket has found the following story:

A security researcher has unearthed evidence showing that three browser-trusted certificate authorities (CAs) owned and operated by Symantec improperly issued more than 100 unvalidated transport layer security certificates. In some cases, those certificates made it possible to spoof HTTPS-protected websites.

One of the most fundamental requirements Google and other major browser developers impose on CAs is that they issue certificates only to people who verify the rightful control of an affected domain name or company name. On multiple occasions last year and earlier this month, the Symantec-owned CAs issued 108 credentials that violated these strict industry guidelines, according to research published Thursday by Andrew Ayer, a security researcher and founder of a CA reseller known as SSLMate. These guidelines were put in place to ensure the integrity of the entire encrypted Web. Nine of the certificates were issued without the permission or knowledge of the affected domain owners. The remaining 99 certificates were issued without proper validation of the company information in the certificate.

Even when CA-issued certificates are discovered as fraudulent and revoked, they can still be used to force browsers to verify an impostor site. The difficulty browsers have in blacklisting revoked certificates in real-time is precisely why industry rules strictly control the issuance of such credentials. There's no indication that the unauthorized certificates were ever used in the wild, but there's also no way to rule out that possibility, however remote it is.

[...] "Symantec has learned of a possible situation regarding certificate mis-issuance involving Symantec and other certificate authorities. We are currently gathering the facts about this situation and will provide an update once we have completed our investigation and verified information."

This is the second major violation of the so-called baseline requirements over the past four months.

-- submitted from IRC


posted by Fnord666 on Sunday January 22 2017, @03:46PM
from the it's-non-of-your-NAND-business dept.

Toshiba is considering splitting its NAND business into a separate company and selling a stake in it to Western Digital or another investor:

In the recent months, Toshiba ran into a new accounting scandal that may require it to write down as much as 4 billion dollars because of cost overruns at its U.S. nuclear power business. The exact number has not been finalized, but the company is already studying various possibilities to offset the massive loss, which would anger its investors after the company already faced an accounting scandal in 2015. Nikkei reports that Toshiba is mulling to spin off its semiconductor business into a separate entity and then sell a 20% in the new company to someone like Western Digital for about $2.7 billion, while retaining 80% stake as well as operational control of the unit. Toshiba confirmed that it is studying the possibility of its memory business spin-off, but noted that no decision has been made and that the in-house NAND production is a focal business.

Toshiba and Western Digital already operate the world's largest NAND flash production complex in Yokkaichi, Mie prefecture, Japan. Formally, the manufacturing facilities belong to joint ventures between the two companies and WD buys wafers from Toshiba. It is not completely clear how the spinoff would work in this case and which parts of Toshiba's business will be up for sale.

Also at Tom's Hardware.

Tom's Hardware also reports on the delayed release of Samsung's 4 TB SSDs due to NAND shortages:

In the months leading up to CES, we spotted a press document that listed Samsung's award winners for the show. Among the various consumer electronics products stood the 850 Pro 4TB as the only SSD we didn't already know about. The MLC large-capacity prosumer model has long been rumored since the release of the 850 EVO 4TB with 3-bit per cell V-NAND flash technology. Well, CES came and went, but the 850 Pro 4TB never materialized. We reached out to Samsung for comment and received a reply. Speaking through Allison+Partners, Samsung's North American PR agency, we received this response:

"As a result of the worldwide NAND shortage, Samsung is focused on allocating NAND to products where we see the greatest demand. We will let you know when further updates on the 850 PRO 4TB are available."

[...] On the surface, the response is exactly what we expected from the world's largest SSD manufacturer, but we quickly realized its true value. This is the first confirmation of a retail SSD release that has been delayed due to the NAND shortage. Several recent products have come to market in short supply, like the 960 Series, but none have been pushed completely off the shelf, as far as we know.


posted by Fnord666 on Sunday January 22 2017, @02:14PM
from the not-the-NTSB dept.

Last Thursday the National Highway Traffic Safety Administration delivered the results of its investigation of the 2016 crash of Joshua Brown while he was driving a Tesla with Autopilot software.

"A safety-related defect trend has not been identified at this time and further examination of this issue does not appear to be warranted," NHTSA's investigators found. In other words: Tesla didn't cause Brown's death.

The verdict should relieve not just the electric car builder, but the industry at large. Semi-autonomous and driver assistance technologies are more than a fresh source of revenue for automakers. They're the most promising way to cut into the more than 30,000 traffic deaths on US roads every year. Today's systems aren't perfect. They demand human oversight and can't handle everything the real world throws at them. But they're already saving lives.

NHTSA's goal wasn't to find the exact cause of the crash (that's up to the National Transportation Safety Board, which is running its own inquiry), but to root out any problems or defects with Tesla's Autopilot hardware and software.

The content of the investigation report is available from the NHTSA web site.

[Editor's note: Recently the link to the report has been returning an error occasionally. As an alternative, the Google webcache of the page is available, as is a copy of the report at archive.org.]


posted by Fnord666 on Sunday January 22 2017, @12:43PM
from the campaign-finance dept.

The Christian Science Monitor reports on legislation proposed by Republican law-makers in Wyoming:

The bill would require utilities to use "eligible resources" to meet 95 percent of Wyoming's electricity needs in 2018, and all of its electricity needs in 2019.

Those "eligible resources" are defined solely as coal, hydroelectric, natural gas, nuclear, oil, and individual net metering.

The latter would encompass houses (and businesses?) with solar, wind or co-generation equipment. Utility-scale generation, however, could face a $10/MWh penalty.

The article notes that

Wyoming is the nation's largest coal producer [...] nearly 90 percent of the electricity generated in Wyoming came from coal in September 2016, the most recent month with available data.

A PDF of the bill, SF0071, is available on the Wyoming legislature's Web site.


posted by cmn32480 on Sunday January 22 2017, @11:10AM
from the qualifications-not-politics dept.

Francis Collins will remain the director of the National Institutes of Health, for now:

Ending weeks of speculation, President-elect Donald Trump has asked National Institutes of Health (NIH) Director Francis Collins to remain in his position. It is not clear for how long. "We just learned that Dr. Collins has been held over by the Trump administration," an NIH spokesperson said in a statement. "We have no additional details at this time."

Collins, a geneticist who has headed the $32 billion NIH for the past 8 years, has been campaigning to keep his job and met with Trump last week. On Wednesday, he told a reporter at the World Economic Forum in Davos, Switzerland, that he still didn't know what his fate would be. But although Collins had the support of key Republicans in Congress, he has been one of several candidates for the NIH post, including Representative Andy Harris (R–MD).

Related: NIH Won't Fund Human Germline Modification
Group of Scientists and Bioethicists Back Genetic Modification of Human Embryos
Human-Animal Chimeras are Gestating on U.S. Research Farms
NIH Plans To Lift Ban On Research Funds For Human-Animal Chimera Embryos
Neuroscientists Stand Up for Basic Cell Biology Research
Major Biomedical Research Funding Bill Sails Through US House


posted by cmn32480 on Sunday January 22 2017, @09:31AM
from the so-many-pron-sibilities dept.

It's time to wake up and smell the next frontier in virtual entertainment:

CamSoda's OhRoma features two canisters that attach to the front of the device. Each canister includes three slots for scent cartridges that you can swap out to customize the experience. CamSoda said it developed over 30 different aroma canisters, which include "sensual" scents that simulate the smell of body odor, pleasing environments, and stimulating aphrodisiacs.

The company also developed a mobile app that interfaces with the OhRoma mask and lets you select what you would like to smell during the experience. OhRoma can also sync with another immersive product that CamSoda launched last year called Teledildonics, which replicates the sensations of sex. Teledildonics allow people to have "sex" over the internet with another partner. And with OhRoma added to the mix, CamSoda offers a completely virtual experience that stimulates four of your five senses.

Unlike Ubisoft's Nosulus, CamSoda's version of Smell-O-Vision is not a joke. You can order CamSoda's OhRoma device today. The face mask alone will set you back $70, and you can purchase individual scent packs for as low as $6. CamSoda also offers a combo pack, which includes an OhRoma mask and a complete set of all 30 scents, for $99.

Here's the Nosulus Rift from last year.


posted by on Sunday January 22 2017, @07:52AM
from the baryon-chauvinists dept.

According to this paper [PDF], the calculations of spiral galaxy spin which required the dark matter fudge factor were oversimplified. If you actually model the spiral arms in detail the results match observations without the need for dark matter:

"Abstract The gravity fields and rotation curves of whirlpool galaxies with thin disc distribution of material are calculated numerically. It is proved that the gravity field of mass thin disc distribution is greatly different from that of spherically symmetrical distribution. As long as the Newtonian theory of gravity is used strictly, by the proper mass distributions of thin discs, the flat rotation curves of whirlpool galaxies can be explained well. The rotating curve of the Milky Galaxy is obtained which coincides with practical observation. In this way, it is unnecessary for us to suppose the existence of additional dark material in the illuminant discs of whirlpool galaxy again. Meanwhile, in the space outside the illuminant disc, the quantity of dark material needed to maintain the flatness of rotation curves is greatly decreased. By considering the observation fact that the quantity of non-luminous baryon material is 3~10 times more than luminous material, we can explain the flatness of rotation curves of whirlpool galaxies well without the hypotheses of non-baryon dark material. So it is unnecessary for us to suppose that non-baryon dark material is about 5 times more than baryon material in a single whirlpool galaxy, no mater [sic] whether non-baryon dark material exits or not."


posted by cmn32480 on Sunday January 22 2017, @06:17AM
from the fart-jokes-never-get-old dept.

Submitted via IRC for TheMightyBuzzard

The aim of the game in 'CropDuster Supreme' [Steam] is to fart on people, now you may think this sounds terrible — but it's actually quite amusing! I know, I'm shocked too.

Usually, a game like this, I would probably blast by saying it's terrible and it doesn't deserve to be sold on Steam. Something like that anyway, but wow, this game is actually quite funny (and it costs less than £1).

Source: https://www.gamingonlinux.com/articles/farting-on-everyone-in-cropduster-supreme-now-available-on-linux-its-actually-hilarious.8922


[Ed Note: I watched the videos, and read the reviews on Steam. All of the reviews were good. The game requires no skill. It is exactly what it looks like. You fart on people to clear the room.]

posted by cmn32480 on Sunday January 22 2017, @04:34AM
from the family-trees-just-got-more-confusing dept.

Ethicists are bothered by the circumstances surrounding the world's first use of pronuclear transfer to create a baby:

It was a first for the entire world: Using a controversial in vitro fertilization technique, doctors in Kiev, Ukraine, helped a previously infertile couple conceive and deliver a baby girl. Some critics say, for genetic reasons, the use of this IVF method should have been restricted to producing a baby boy. The baby was born on January 5, the result of an experimental technique known as "pronuclear transfer" and sometimes referred to as three-parent IVF. The 34-year-old Ukrainian mother suffered from "unexplained infertility," according to Dr. Valery Zukin, director of the Nadiya Clinic for Reproductive Medicine, where the controversial pronuclear transfer technique was performed. She did not have mitochondrial disease.

[...] The reason this experimental method is a cause for concern -- and was vigorously debated in the UK before approval -- is the genetic modifications produced in a girl baby could be passed onto her children, according to Lori P. Knowles, adjunct assistant professor at the University of Alberta School of Public Health.

Boy babies carrying donor mitochondria cannot pass their modified genetics onto any future children they may have because once a sperm fuses with an egg to form an embryo, the masculine mitochondrion withers and dies leaving the resulting embryo with only mitochondrion from the mother's egg. "I do think it's highly significant that this is a girl because we know for sure that she will be passing on her mitochondrial DNA through her maternal line," said Knowles. If in the future this baby girl has genetic children, they will inherit her genetic modifications "and that's always been a really bright line," said Knowles -- a line not to be crossed until rigorous scientific testing proves it is safe.

The previous three-parent baby was conceived using spindle nuclear transfer, and couldn't pass on donor mitochondrial DNA (well, conventionally anyway) as a male. The Ukrainian procedure was used as a workaround for infertility rather than mitochondrial disease. The article also notes that Dr. Valery Zukin, director of the Nadiya Clinic for Reproductive Medicine where the procedure was performed, is also the vice president of the medical review board that approved the procedure.

Also at BBC and Smithsonian Magazine:

The mother in question had been unable to get pregnant for 15 years. Using the procedure as an IVF technique allows doctors to bypass cells or enzymes in the mother's egg that might prevent pregnancy or hinder cell division, explains Andy Coghlan at New Scientist.

Previously: Mitochondrial DNA Manipulation and Ethics
Approval for Three-Parent Embryo Trials
Fatal Genetic Conditions Could Return in Some 'Three-Parent' Babies


posted by cmn32480 on Sunday January 22 2017, @03:07AM
from the think-security dept.

Submitted via IRC for AndyTheAbsurd

A new CVE (CVE-2016-9962) for the docker container runtime and runc was recently released. Fixed packages are being prepared and shipped for RHEL as well as Fedora and CentOS. This CVE reports that if you execd into a running container, the processes inside of the container could attack the process that just entered the container.

If this process had open file descriptors, the processes inside of the container could ptrace the new process and gain access to those file descriptors and read/write them, even potentially get access to the host network, or execute commands on the host.

[...] It could do that, if you aren't using SELinux in enforcing mode. If you are, though, SELinux is a great tool for protecting systems from 0 Day vulnerabilities.

Note: SELinux can prevent a process from strace-ing another process if the types or MCS Labels are not the same, but when you exec into a container, docker/runc sets the labels to match the container label.

Mainly this is a host-based attack. This is where SELinux steps in to thwart the attack. SELinux is the only thing that protects the host file system from attacks from inside of the container. If the processes inside of the container get access to a host file and attempt to read and write the content SELinux will check the access.

Source: http://rhelblog.redhat.com/2017/01/13/selinux-mitigates-container-vulnerability/


posted by janrinok on Sunday January 22 2017, @01:24AM
from the get-in-touch-with-your-feminine-side dept.

Submitted via IRC for AndyTheAbsurd

In 1998, Slovenian toy company Mehano designed a line of children's electronic typewriter toys with the ability to write secret messages.

Eventually, the company licensed the typewriter to another company, (none other than Barbie herself), that had something altogether different in mind for the toys. Slathered in pink, it was soon headed to market to appeal "to girls."

[...] The four encryption modes — each featuring a simple alphabet substitution cipher (or 1-to-1 encoding) — were left out of Mattel's instruction manuals and advertisements. Mattel is Barbie's parent company. Even the latest model, produced in 2015, omitted this novel feature.

[...] It's an all-too-common marketing assumption that continues to plague the "pink aisle" of girls' toys. They often fail to encourage little girls to grow up to be engineers and scientists. A December report by the Institution of Engineering and Technology showed that boys were almost three times more likely to receive a STEM-themed toy for Christmas.

"STEM toys are by default for boys," says Meryl Alper, professor of communication studies at Northeastern University. "We have to add 'for girls.'" With over a decade of experience working in children's media at Northeastern, Sesame Workshop and Nick Jr., Alper emphasizes the importance of representation and diversity in characters and storylines. Playtime matters.

"Children use the objects in their world to think through ideas," she says. "If you have objects that signal to a kid that it's not for them, either explicit or implicit, you reduce that opportunity to learn through manipulation."

Source: https://www.pri.org/stories/2017-01-17/barbie-typewriter-toys-had-secret-ability-encrypt-messages-they-didnt-think-girls

