SoylentNews

Fnord666 writes:

Frank Abagnale is world-famous for pretending to be other people. The former teenage con man, whose exploits 50 years ago became a Leonardo DiCaprio film called Catch Me If You Can, has built a lifelong career as a security consultant and advisor to the FBI and other law enforcement agencies. So it's perhaps ironic that four and a half years ago, his identity was stolen—along with those of 3.6 million other South Carolina taxpayers.

"When that occurred," Abagnale recounted to Ars, "I was at the FBI office in Phoenix. I got a call from [a reporter at] the local TV news station, who knew that my identity was stolen, and they wanted a comment. And I said, 'Before I make a comment, what did the State Tax Revenue Office say?' Well, they said they did nothing wrong. I said that would be absolutely literally impossible. All breaches happen because people make them happen, not because hackers do it. Every breach occurs because someone in that company did something they weren't supposed to do, or somebody in that company failed to do something they were supposed to do." As it turned out (as a Secret Service investigation determined), a government employee had taken home a laptop that shouldn't have left the office and connected it—unprotected—to the Internet.

Government breaches of personal information have become all too common, as demonstrated by the impact of the hacking of the Office of Management and Budget's personnel records two years ago. But another sort of organization is now in the crosshairs of criminals seeking identity data to sell to fraudsters: doctors' offices. Abagnale was in Orlando this week to speak to health IT professionals at the 2017 HIMSS Conference about the rising threat of identity theft through hacking medical records—a threat made possible largely because of the sometimes haphazard adoption of electronic medical records systems by health care providers

Abagnale warned that the value of a medical record to identity thieves far surpasses that of just a name, date of birth, and social security number. That's because it provides an even bigger window into an individual's life. Abagnale says the responses of organizations (including the state government of South Carolina and the OPM) to theft of sensitive personal information is far from adequate—and because there's no way to effectively change the data, it can be held for years by criminals and still be valuable.

[...] Abagnale said that there's been a surge in the past few years in medical identity theft. "It's as simple as, I'm in Orlando and I break my leg, I have no insurance, and I go to the hospital and say I'm you," he explained. "I give them your information, they treat me, they bill your insurance agency, and then your insurance company eventually notifies you because there was a deductible. And you say, 'wait a minute, I was never in Orlando, I never broke my leg.' But it's not that simple—trying to get that fixed, and trying to get it off your medical records, and then having collection agencies hounding you for that money is just unbelievable."

Such a scenario is just the beginning of what's possible with the theft of medical data today. "Like every form of identity theft, if I can become you," said Abagnale, "what I can do as you is only limited by my imagination."

Source: ArsTechnica

Original Submission

Fnord666 writes:

Cloudflare, a service that helps optimize the security and performance of more than 5.5 million websites, warned customers today that a recently fixed software bug exposed a range of sensitive information that could have included passwords, and cookies and tokens used to authenticate users.

A combination of factors made the bug particularly severe. First, the leakage may have been active since September 22, nearly five months before it was discovered, although the greatest period of impact was from February 13 and February 18. Second, some of the highly sensitive data that was leaked was cached by Google and other search engines. The result was that for the entire time the bug was active, hackers had the ability to access the data in real-time, by making Web requests to affected websites, and to access some of the leaked data later by crafting queries on search engines.

"The bug was serious because the leaked memory could contain private information and because it had been cached by search engines," Cloudflare CTO John Graham-Cumming wrote in a blog post published Thursday. "We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence."

The leakage was the result of a bug in an HTML parser chain Cloudflare uses to modify Web pages as they pass through the service's edge servers. The parser performs a variety of tasks, such as inserting Google Analytics tags, converting HTTP links to the more secure HTTPS variety, obfuscating email addresses, and excluding parts of a page from malicious Web bots. When the parser was used in combination with three Cloudflare features—e-mail obfuscation, server-side Cusexcludes, and Automatic HTTPS Rewrites—it caused Cloudflare edge servers to leak pseudo random memory contents into certain HTTP responses.

Source: ArsTechnica. Also at TechCrunch.

[Ed. Note: This story link was also submitted by darkfeline.]

Original Submission

Phoenix666 writes:

For all the improvements in computer technology over the years, we still struggle to recreate the low-energy, elegant processing of the human brain. Now, researchers at Stanford University and Sandia National Laboratories have made an advance that could help computers mimic one piece of the brain's efficient design - an artificial version of the space over which neurons communicate, called a synapse.
...
The new artificial synapse, reported in the Feb. 20 issue of Nature Materials, mimics the way synapses in the brain learn through the signals that cross them. This is a significant energy savings over traditional computing, which involves separately processing information and then storing it into memory. Here, the processing creates the memory.

[...] The artificial synapse is based off a battery design. It consists of two thin, flexible films with three terminals, connected by an electrolyte of salty water. The device works as a transistor, with one of the terminals controlling the flow of electricity between the other two.

Like a neural path in a brain being reinforced through learning, the researchers program the artificial synapse by discharging and recharging it repeatedly. Through this training, they have been able to predict within 1 percent of uncertainly what voltage will be required to get the synapse to a specific electrical state and, once there, it remains at that state.

[...] Only one artificial synapse has been produced but researchers at Sandia used 15,000 measurements from experiments on that synapse to simulate how an array of them would work in a neural network. They tested the simulated network's ability to recognize handwriting of digits 0 through 9. Tested on three datasets, the simulated array was able to identify the handwritten digits with an accuracy between 93 to 97 percent.

Journal Reference:
Yoeri van de Burgt, et al. A non-volatile organic electrochemical device as a low-voltage artificial synapse for neuromorphic computing. Nature Materials, 2017; DOI: 10.1038/nmat4856

Original Submission

Fnord666 writes:

The US Federal Trade Commission is investigating an auto lender that often requires subprime borrowers to have so-called GPS starter-interrupter devices enabled on purchased vehicles. The so-called kill switches, which can monitor a vehicle's constant whereabouts, also have the remote ability to shut a car off and to prevent a car from starting. This makes it easy for lenders to repossess the car for missed payments. But this modern-day version of the repo-man raises both safety and privacy concerns.

The Credit Acceptance Corp. of Michigan said in a Securities and Exchange Commission filing this month that it received a civil investigative demand from the FTC "seeking information on the Company's policies, practices and procedures in allowing car dealers to use GPS Starter Interrupters on consumer vehicles. We are cooperating with the inquiry and cannot predict the eventual scope, duration or outcome at this time. As a result, we are unable to estimate the reasonably possible loss or range of reasonably possible loss arising from this investigation."

The lender did not immediately respond for comment. There are more than two million of these devices affixed to vehicles on US roads. They are often hidden, and they are required for car buyers with not-so-rosy credit scores as a condition of acquiring a car loan.

The FTC isn't commenting on the probe, which may include other lenders. The investigation likely centers on whether buyers are given adequate notice that the vehicles they are purchasing can track their every move and whether this is an acceptable business practice.

Source: ArsTechnica

Original Submission

Fnord666 writes:

SecurityWeek has an article today about a new open source security web app released by Netflix.

Netflix this week released Stethoscope, an open source web application that gives users specific recommendations for securing their computers, smartphones and tablets.

Stethoscope was developed by Netflix as part of its "user focused security" approach, which is based on the theory that it is better to provide employees actionable information and low-friction tools, rather than relying on heavy-handed policy enforcement.

Netflix believes employees are more productive when they don't have to deal with too many rules and processes. That is why Stethoscope scans their devices and provides recommendations on security measures that should be taken, but allows them to perform the tasks on their own time.

Stethoscope analyzes a device's disk encryption, firewall, automatic updates, operating system and software updates, screen lock, jailbreaking or rooting, and installed security software. Each of these factors is attributed a rating based on its importance.

[...] The Stethoscope source code, along with instructions for installation and configuration, are available on GitHub. Netflix has invited users to contribute to the tool, particularly with new plugins.

Stethoscope is not the only open source security tool released by Netflix. The company has made available the source code for several of the applications it uses, including the XSS discovery framework Sleepy Puppy, and the threat monitoring tools Scumblr and Sketchy.

Original Submission

frojack writes:

Bruce Byfield's Blog covers some drama taking over the NTPSec fork of the NTP (Network Time Protocol) software, which is running on just about every unix-like operating system.

Apparently the original forking team invited Eric Raymond and Susan Sons into their project. That didn't work out too well as Raymond and Sons (no actual offspring involved), proceeded to take over the whole effort and use it for their own grandiosity. Then they ejected the project leader.

Byfield uses the story to spin his distaste for Forks for the Wrong Reasons.

We've seen some rather large projects spin out of forks over the years, some good, some bad, some dead, and others surviving long past any rational reason. The list is long. The quality is varied.

What are some of the WORST forks Soylentils have seen that somehow still persist?

Original Submission

Fnord666 writes:

Apparently anything on a PC that makes noise or light is fair game for exploitation to breach air gapped PCs.

Researchers at Ben-Gurion University of the Negev in Israel have disclosed yet another method that can be used to exfiltrate data from air-gapped computers, and this time it involves the activity LED of hard disk drives (HDDs).

Many desktop and laptop computers have an HDD activity indicator, which blinks when data is being read from or written to the disk. The blinking frequency and duration depend on the type and intensity of the operation being performed.

According to researchers, a piece of malware can indirectly control the LED using specific read/write operations. More precisely, the size of the buffer being written or read is proportional to the amount of time the LED stays on, while sleeping causes the LED to be turned off. Experts have determined that these LEDs can blink up to 6,000 times per second, which allows for high data transmission rates.

The state of the LED can be translated into "0" or "1" bits. The data can be encoded using several methods: LED on is "1" and LED off is "0" (OOK encoding), off and on is "0" and on and off is "1" (Manchester encoding, which is slower but more reliable), or on for a certain duration is "1" and on for a different duration is "0" (Binary Frequency Shift Keying).

A piece of malware that is installed on the targeted air-gapped device can harvest data and exfiltrate it using one of these encoding systems. As for reception and decoding, the attacker must find a way to observe the targeted device's activity LED, either using a local hidden camera, a high-resolution camera that can capture images from outside the building, a camera mounted on a drone, a compromised security camera, a camera carried by a malicious insider, or optical sensors.

Original Submission

MrPlow writes:

Submitted via IRC for TheMightyBuzzard

The Internet can be an ugly place — one where the mere act of expressing an opinion can result in a barrage of name-calling, harassment and sometimes threats of violence.

Nearly half of U.S. Internet users say they have experienced such intimidation; a third say they have resisted posting something online out of fear, according to the nonprofit Data and Society Research Institute. Women, particularly young women and women of color, are disproportionately targeted.

Now Google is zeroing in on the problem. On Thursday, the company publicly released an artificial intelligence tool, called Perspective, that scans online content and rates how "toxic" it is based on ratings by thousands of people.

For example, you can feed an online comment board into Perspective and see the percentage of users that said it was toxic. The toxicity score can help people decide whether they want to participate in the conversation, said Jared Cohen, president of Jigsaw, the company's think tank (previously called Google Ideas). Publishers of news sites can also use the tool to monitor their comment boards, he said.

[...] Google's troll-fighting efforts trail that of other tech companies and nonprofit groups. Earlier this month, Twitter — which has developed a reputation as a playground for abuse — launched new tools to cut on trolling.

[...] Asked whether the site could result in censoring free speech, Cohen said that the software tool wasn't intended to bypass human judgment, but to flag "low-hanging fruit" that could then be passed on to human moderators.

Because speech should only be free if it's polite and you agree with it.

Source: https://www.washingtonpost.com/news/the-switch/wp/2017/02/23/google-fights-online-trolls-with-new-tool/

Original Submission

MrPlow writes:

Submitted via IRC for TheMightyBuzzard

The Department of Homeland Security said it has launched a multi-faceted attempt to defend the nation's computer networks from hackers in light of witnessing a dramatic surge recently with respect to the number of crippling cyberattacks being waged against internet infrastructure.

The DHS's Science and Technology Directorate on Thursday said its cybersecurity division has set its sights on safeguarding the internet against distributed denial-of-service (DDoS) attacks, an elementary but effective tactic used by hackers to overload a network with illegitimate web traffic to render it useless.

An unprecedented DDoS attack waged in October 2016 targeted Dyn, an internet performance company that runs a popular domain name system that effectively functions as an online directory. Millions of computer users across North American and Europe suffered internet disruptions due to the assault, the likes of which was waged by infecting millions of common, "Internet of Things" start devices with a strain of malicious software known as Mirai.

[...] To stifle future attacks, DHS said it's Distributed Denial of Service Defense (DDoSD) project has spearheaded a three-pronged approach intended to give network infrastructure defenders an advantage over malicious actors.

"The project's two primary focuses are on increasing deployment of best practices to slow attack scale growth and defending networks against a one Tbps attack through development of collaboration tools that can be used by medium-size organizations," DHS said in a statement.

A third component aims to address other types of DDoS attacks, specifically including assaults that could be used to disrupt access to 911 and other emergency services.

Source: http://www.washingtontimes.com/news/2017/feb/18/homeland-security-sets-sights-curbing-wide-scale-d/

Original Submission

takyon writes:

Dr. Mixael Laufer and the Four Thieves Vinegar Collective intend to reverse-engineer pharmaceuticals so that the public can make them themselves:

Laufer had already been working through the idea of how to provide free medication to people in need, but the close call with his own health deepened his conviction to solve the problem. So in 2015, he launched the Four Thieves Vinegar collective—a group of guerrilla hackers and scientists working to reverse-engineer critical pharmaceuticals and provide assistance with the synthesis of the compounds with the goal of providing "open-source" healthcare. The collective's goal is to shift the balance of power for making crucial healthcare choices back into the hands of the individuals, empowering people to make DIY versions of drugs and medical devices in their own homes.

[...] What Laufer intends to do is provide the means for the public to create their own pharmaceuticals when no alternatives are available. At the heart of his philosophy is the idea that healthcare is an inalienable human right that supersedes any laws of property. As Laufer explained, "There shouldn't be anything keeping anybody from any query. What is the most fundamental human right? The rights we have over our own bodies and minds. We should have the ability to explore intellectually and treat our body in whatever way we see fit." Last summer, the Four Thieves Vinegar Collective released plans for a $30 version of the Epi-Pen, which it calls the Epi-Pencil. In 2016, it also released the outline for Daraprim, the drug made famous by Martin Shkreli, who jacked up the price in 2015. Laufer said he doesn't track how many people use the plans, since his objective is simply to make them available to those who want them. "I don't know, and I make a point not to make it my business," he told me.

Some, including members of the medical community, have warned of the dangers of self-producing pharmaceuticals at home. "It's all fun and games until your product gets contaminated and you get a giant abscess in your muscle," one chemist told the Daily Beast. Others have criticized the Four Thieves Vinegar Collective for making it easier for drug manufacturers to produce illegal substances. But as Laufer sees it, if people find themselves in a place of desperate need, the consequences of home-brewed medications may be a calculated risk. Earlier this year, when it became clear that the Affordable Care Act would be under threat, Laufer said he started hearing more from people with serious health issues who were desperate for his help. "I got a flood of emails from people asking, 'How do I make this work?' and 'I'm gonna die in 19 days if I don't get this to work,'" he told me. "It's been hard." Will open-source pharmaceuticals be the answer for all Americans? Probably not. But it could be a potential option for people without any other options.

So far the Four Thieves Vinegar Collective website has instructions on building an "EpiPencil", which is an epinephrine autoinjector, and an "alpha" release for the synthesis of Pyrimethamine, a drug that costs pennies per dose outside of the U.S. The site also has a public PGP key, onion address (4thievzv3hh26qeh.onion), and a warrant canary.

Original Submission

-- OriginalOwner_ writes:

Clearly Veg reports:

Barbara Hendricks, Germany's environment minister, has banned meat in all official functions and called for only vegetarian food to be served. The ban became clear through an email "to department heads from a senior civil servant in the environment ministry", according to The Telegraph . The e-mail noted that the ministry had a responsibility and should set an example to combat the "negative effects of meat consumption", with a statement by the ministry reading:

"We're not telling anyone what they should eat. But we want to set a good example for climate protection, because vegetarian food is more climate-friendly than meat and fish."

Unsurprisingly, the ban has caused a lot of controversy. Minister of food and agriculture Christian Schmidt, who has previously stated that he will push for a ban on "misleading" vegan labels such as vegan curry sausages, stated that he will not be having this "Veggie Day through the back door", and that "meat and fish are also part of a balanced diet".

[Ed Note: This submission vandalized by cmn32480.]

Original Submission

An Anonymous Coward writes:

From the Huffington Post:

Major League Baseball is about to make a major rule change, altering how intentional walks are handed out. Instead of a pitcher throwing four pitches out of the strike zone, the walk will be awarded by a signal from the dugout, ESPN reported Tuesday night.

The network said the league and its union have agreed to the change, which will take effect this season. MLB has been trying to make its games shorter. However, The Wall Street Journal said last week that the change would save an average of 14 seconds per game.

Fans are not happy about the change, with many pointing out that botched intentional walks have led to game-changing moments.

Wikipedia: Intentional base on balls.

Original Submission

Fnord666 writes:

SecurityWeek has an interesting article today about the first real world SHA-1 collision attack.

Researchers at Google and Centrum Wiskunde & Informatica (CWI) in the Netherlands have managed to conduct the first real world collision attack against SHA-1, creating two documents with different content but identical hashes.

SHA-1 was introduced in 1995 and the first attacks against the cryptographic hash function were announced a decade later. Attacks improved over the years and, in 2015, researchers disclosed a method that lowered the cost of an SHA-1 collision to $75,000-$120,000 using Amazon's EC2 cloud over a period of a few months.

Despite steps taken by companies such as Google, Facebook, Microsoft and Mozilla to move away from SHA-1, the hash function is still widely used.

Google and CWI, which is the national research institute for mathematics and computer science in the Netherlands, have now managed to find a collision, demonstrating that these attacks have become increasingly practical. Their technique has been dubbed "SHA-1 shattered" or "SHAttered."

"We were able to find this collision by combining many special cryptanalytic techniques in complex ways and improving upon previous work. In total the computational effort spent is equivalent to 2 63.1 SHA-1 compressions and took approximately 6 500 CPU years and 100 GPU years," experts said in their paper.

While the task still required a large number of computations – nine quintillion (9,223,372,036,854,775,808) to be precise – the SHAttered attack is 100,000 times faster than a brute-force attack.

An Anonymous Coward also noted:

Google and CWI have announced the first publicly known SHA-1 collision at: https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html The collision is based on a prefix attack and requires 5 orders of magnitude less work to find a collision, when compared to brute force. More information and the actual files are available here: https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html and a detection tool here: https://github.com/cr-marcstevens/sha1collisiondetection

Original Submission #1  Original Submission #2 

charon writes:

About 3,000 years ago, a potter near Jerusalem made a big jar. It was meant to hold olive oil or wine or something else valuable enough to send to the king as a tax payment. The jar's handles were stamped with a royal seal, and the pot went into the kiln.

[...] All those years ago, as potters continued to throw clay, the molten iron that was rotating deep below them tugged at tiny bits of magnetic minerals embedded in the potters' clay. As the jars were heated in the kiln and then subsequently cooled, those minerals swiveled and froze into place like tiny compasses, responding to the direction and strength of the Earth's magnetic field at that very moment.

"It's kind of like a tape recorder," [Erez] Ben-Yosef says.

[...] When Ben-Yosef and his colleagues studied 67 jar handles spanning from the late 8th century B.C. to the late 2nd century B.C., they found that the Earth's magnetic activity has been a lot choppier than people expected.

Source: http://www.npr.org/sections/thetwo-way/2017/02/14/515032512/iron-age-potters-carefully-recorded-earths-magnetic-field-by-accident

Ben-Yosef et al. Six centuries of geomagnetic intensity variations recorded by royal Judean stamped jar handles [PNAS (2017) - Early Edition] DOI: 10.1073/pnas.1615797114

Original Submission

takyon writes:

A team of astronomers investigating extreme trans-Neptunian objects (orbiting at more than 150 AU) has found two objects that may have been torn apart by a gravitational encounter with a planet:

a team of researchers led by the Instituto de Astrofisica de Canarias (IAC) in collaboration with the Complutense University of Madrid has taken a step towards the physical characterization of these bodies, and to confirm or refute the hypothesis of Planet Nine by studying them. The scientists have made the first spectroscopic observations of 2004 VN112 and 2013 RF98, both of them particularly interesting dynamically because their orbits are almost identical and the poles of the orbits are separated by a very small angle.

This [suggests] a common origin, and their present-day orbits could be the result of a past interaction with the hypothetical Planet Nine. This study, recently published in Monthly Notices of the Royal Astronomical Society, suggests that this pair of ETNOs was a binary asteroid which separated after an encounter with a planet beyond the orbit of Pluto.

Also at the Instituto de Astrofísica de Canarias.

Visible spectra of (474640) 2004 VN112–2013 RF98 with OSIRIS at the 10.4 m GTC: evidence for binary dissociation near aphelion among the extreme trans-Neptunian objects (open, DOI: 10.1093/mnrasl/slx003) (DX)

The existence of significant anisotropies in the distributions of the directions of perihelia and orbital poles of the known extreme trans-Neptunian objects (ETNOs) has been used to claim that trans-Plutonian planets may exist. Among the known ETNOs, the pair (474640) 2004 VN112–2013 RF98 stands out. Their orbital poles and the directions of their perihelia and their velocities at perihelion/aphelion are separated by a few degrees, but orbital similarity does not necessarily imply common physical origin. In an attempt to unravel their physical nature, visible spectroscopy of both targets was obtained using the OSIRIS camera-spectrograph at the 10.4 m Gran Telescopio Canarias (GTC). From the spectral analysis, we find that 474640–2013 RF98 have similar spectral slopes (12 versus 15 per cent/0.1 μm), very different from Sedna's but compatible with those of (148209) 2000 CR105 and 2012 VP113. These five ETNOs belong to the group of seven linked to the Planet Nine hypothesis. A dynamical pathway consistent with these findings is dissociation of a binary asteroid during a close encounter with a planet and we confirm its plausibility using N-body simulations. We thus conclude that both the dynamical and spectroscopic properties of 474640–2013 RF98 favour a genetic link and their current orbits suggest that the pair was kicked by a perturber near aphelion.

Recently: NASA Website Allows Public to Search WISE Data for Nearby Objects and Planet Nine

Original Submission

charon writes:

As you stretch gold into a strand one atom thick, an expressway for heat opens up. It's called a quantum of thermal conductance and University of Michigan researchers have observed this phenomenon for the first time at room temperature.

They report their results in a study published online in the journal Science today.

A quantum of thermal conductance represents the largest possible heat flow through a channel in a material. You can think of the channel as a highway for the flow of heat. The researchers proved that gold atomic chains have such a channel at room temperature.

[...] While this heat flow behavior governed by quantum mechanics has been theorized, it had only been observed at ultra-cold temperatures. However, to create useful nanoscale systems, the effects need to be observed at room temperatures.

Toward this goal, the U-M team developed picowatt-resolution heat flow sensors called "calorimeters" that were able to measure heat flows in single-atom strands of gold and platinum. The picowatt resolution they achieved is 100 times finer than their previous devices, enabling them to observe quantized heat flow properties in gold.

Cui, et. al. Quantized thermal transport in single-atom junctions Science DOI: 10.1126/science.aam6622

Original Submission