The Inquirer reports
Donald Trump has signed the bill that will allow ISPs to share or sell customers' browsing history for advertising purposes.
Last week, the Republican House of Representatives passed a resolution which overturns a rule laid down by the FCC during the Obama administration that meant that users had to give their permission before such data was used by third-parties and any breach would be reported as a hack.
President Trump signed the bill on Monday [April 4], which means while many ISPs say they will not sell respect[sic] customers privacy and won't flag their browsing history and other personal data, they can now do so under the new rules. Verizon, AT&T, and Comcast will no longer be obligated to obtain consent before selling and sharing data, and they don't have to notify customers about what kind of data they collect.
[...] There's one winner of this privacy-destroying bill, though, and that's VPN providers.
NordVPN said it has already seen an 86 per cent spike in [inquiries].
Common Cause published, via Common Dreams, a statement from Michael Copps, former FCC Commissioner & Common Cause Special Adviser:
Despite a campaign filled with rhetoric about the plight of forgotten Americans, Trump has once again come down on the side of corporate profiteering at the expense of Americans who don't sit on corporate boards and can't afford a $200,000 membership at his Mar-a-Lago club in Palm Beach. Trump has flip-flopped on his own campaign promises and handed over Americans' right to privacy to those with the deepest pockets.
Previous: Senate Votes Against FCC Internet Privacy Rules
Foreign Policy In Focus reports A Huge Mining Conglomerate Wanted to Poison This Country's Water. After a Long Fight, They've Finally Lost.
The people of El Salvador and their international allies against irresponsible mining are celebrating a historic victory. After a long battle against global mining companies that were determined to plunder the country's natural resources for short-term profits, El Salvador's Legislative Assembly has voted to ban all metal mining projects.
The new law is aimed at protecting the Central American nation's environment and natural resources. Approved on March 29 with the support of 69 lawmakers [(out of a total of 84) from multiple parties], the law blocks all exploration, extraction, and processing of metals, whether in open pits or underground. It also prohibits the use of toxic chemicals like cyanide and mercury.
[...] Despite the fact that there is a national consensus among communities, civil society organizations, government institutions, and political parties for a mining prohibition, the Australian-Canadian company OceanaGold and its subsidiaries in El Salvador have consistently attempted to slow the bill's progress and sought to gain support for their so-called "Responsible Mining" campaign.
The company launched the campaign at a fancy hotel in San Salvador after losing a $250 million lawsuit against El Salvador in October 2016. The company had filed a claim with the International Center for the Settlement of Investment Disputes (ICSID), demanding compensation when the government declined to grant the firm a permit for a gold extraction project that threatened the nation's water supply. In the face of tremendous opposition from a wide range of groups inside and outside El Salvador, the ICSID tribunal ruled against the company.
[...] By voting in favor of the mining ban, these lawmakers in El Salvador have chosen water over gold, and people and the environment over corporate profits. And they showed that even a very poor country can stand up to powerful global mining firms.
Biologists sometimes use the phrase "arms race" to describe an evolutionary tug-of-war, but it's rarely this literal. Microbes called dinoflagellates [...] have developed intricate weapons—including a microscopic version of a Gatling gun—to harpoon their dinners, a new study shows. Scientists have known about these harpoons for decades, and some have guessed that the weapons stem from the same source as the ones wielded by jellyfish and other cnidarians. An analysis of the genes and proteins involved with weapon construction, however, shows that dinoflagellates and cnidarians use different proteins to manufacture their weapons—meaning they arrived at similar solutions through separate evolutionary paths, researchers report today in Science Advances.
Microbial arms race: Ballistic "nematocysts" in dinoflagellates represent a new extreme in organelle complexity (open, DOI: 10.1126/sciadv.1602552) (DX)
The Inquirer reports on a British inventor who has built a suit with six jets:
The Daedalus suit, designed by former royal marine reservist Richard Browning, looks like a comic book fans' dream, combining four miniaturised arm-mounted gas turbine engines and two hip-mounted versions to provide enough lift to enable the wearer to fly.
Daedalus, which took Browning a year to put together, also features a heads-up display in the helmet which keeps the user aware of fuel and engine performance and features built-in WiFi support to allow for the live transmission of data from the suit.
So far, Browning has only flown the suit a couple of metres above the ground, but he claims that the system will ultimately be able to fly at several hundred miles per hour and at thousands of feet.
Two YouTube videos that largely overlap in footage show the suit in use.
Related story: I Saw an Average Joe Fly a Jetpack and Nobody Died
The red dwarf strikes again with 42 observed solar flares. Back in February, NASA and ESO announced the discovery of three potentially habitable Earth-like exoplanets in the TRAPPIST-1 system. Astronomers analyzing data from the Kepler space telescope have observed energetic solar flares which they believe could make it less likely that the TRAPPIST-1 system could host life.
Frequent flaring in the TRAPPIST-1 system - unsuited for life? (arXiv:1703.10130)
Related: Probability of CME Impact on Exoplanets Orbiting M Dwarfs and Solar-like Stars (DOI: 10.3847/0004-637X/826/2/195) (DX)
Denis Grisak, the man behind the Internet-connected garage opener Garadget, is having a very bad week. Grisak and his Colorado-based company SoftComplex launched Garadget, a device built using Wi-Fi-based cloud connectivity from Particle, on Indiegogo earlier this year, hitting 209 percent of his launch goal in February. But this week, his response to an unhappy customer has gotten Garadget a totally different sort of attention.
On April 1, a customer who purchased Garadget on Amazon using the name R. Martin reported problems with the iPhone application that controls Garadget. He left an angry comment on the Garadget community board:
Just installed and attempting to register a door when the app started doing this. Have uninstalled and reinstalled iphone app, powered phone off/on - wondering what kind of piece of shit I just purchased here...
Shortly afterward, not having gotten a response, Martin left a 1-star review of Garadget on Amazon:
Junk - DO NOT WASTE YOUR MONEY - iPhone app is a piece of junk, crashes constantly, start-up company that obviously has not performed proper quality assurance tests on their products.
Grisak then responded by bricking Martin's product remotely, posting on the support forum:
Martin,
The abusive language here and in your negative Amazon review, submitted minutes after experiencing a technical difficulty, only demonstrates your poor impulse control. I'm happy to provide the technical support to the customers on my Saturday night but I'm not going to tolerate any tantrums.
At this time your only option is return Garadget to Amazon for refund. Your unit ID 2f0036... will be denied server connection. [Ed's Comment: As of Apr 5, Garadget have apologised for this action and have restored connectivity]
The exchange then went viral, being picked up by the Twitter account @internetofshit and rising to the top of Hacker News.
Source: ArsTechnica
Grab firmware updates ASAP
https://www.theregister.co.uk/2017/04/05/broadcom_wifi_chip_bugs/
-- submitted from IRC
A Broadcom chip that handles WiFi connections has serious over-the-air security flaws that make it possible to take over the chip wirelessly. This affects LG/Google Nexus 5, 6, 6P, most Samsung flagship devices, all iPhone 4 and later, newer iPods and iPads.
The wireless system-on-chip (SoC) firmware can, with carefully crafted wireless frames using abnormal values in the metadata, be tricked into overrunning its stack buffers. This, in combination with the frequent timer firings, makes it possible to gradually overwrite specific chunks of system-on-chip RAM until arbitrary code is executed. Details of the security flaw are described here.
Broadcom's closed-source implementation is found to lag behind in modern security. Specifically, it lacks countermeasures like stack cookies, safe unlinking and access permission protection, neglecting the security features of the ARM Cortex-R4 microcontroller. And once the system-on-chip is controlled, escalation into the primary CPU can be attempted.
It seems the security flaw stems from the implementation of "Tunneled Direct Link Setup" (TDLS) or 802.11z, a seamless way to stream data directly between devices already on the same Wi-Fi network.
Lesson: Broadcom sucks, closed source sucks, and new features may be just that and then some.
Kind of reminds one of the DVB over-the-air TV exploit. There are surely more wireless chips with clueless security.
Owners of Android and iOS devices should pay special attention to security updates released by Google and Apple on Monday, as they contain fixes for a series of critical bugs affecting their phone's WiFi component.
The issues, discovered by Google Project Zero security researcher Gal Beniamini, affect the Broadcom WiFi SoC (Software on Chip), included with many Android and iOS smartphones, and for which both Google and Apple include custom firmware with their OS.
According to Beniamini, a stack buffer overflow vulnerability in the Broadcom firmware code allows an attacker in the phone's WiFi range to send and execute code on the device.
Depending on the attacker's skills, he can deploy code that takes over the user's device and installs applications without the user's knowledge, such as adware, banking trojans, or ransomware.
The possible ways in which these bugs can be leveraged range from evil WiFi spots up to wardriving scenarios.
Both companies addressed the issue with updates released on Monday, with Apple releasing iOS 10.3.1, and Google delivering updates via its Android Security Bulletin for April 2017.
Beniamini described his findings, in the context of attacking a fully-patched Nexus 6P Android device, in a blog post published today.
Source: Bleeping Computer
Back in the 90s, in 1996, when the Internet was barely a few years old, two cyber-espionage groups dominated the cyber-space: Moonlight Maze and the Equation Group.
Their operations shocked the world and made people realize that hackers are also capable of stealing state secrets, not just money from bank accounts. That's when the term cyber-warfare became reality and not just the plot of B-rated Hollywood movies.
While details collected about the Equation Group across the years have allowed researchers to issue theories on its connections with the US National Security Agency, very few details were collected about Moonlight Maze, the first ever APT.
Moonlight Maze, the first ever APT
The group was active in the late 90s and seemed to have disappeared at the turn of the century. Their attacks were studied and studied again and their mode of operation became standard practice for malware and cyber-attackers.
The group and its attacks achieved mythical status in the cyber-security world and were the subject of many books.
Through the years, Moonlight Maze hacked many important US targets such as government agencies and top universities. Victims included the Pentagon, NASA, the US Navy, and the Department of Energy, just to name the bigger ones.
[...] The hunt continues
While 100% attribution is never certain in cyber-espionage campaigns, the clues uncovered on the HRTest server revealed more insight into Moonlight Maze operations than ever before.
Kaspersky researchers are now making a public plea to other sysadmins that still have old servers running or tucked somewhere on their network. If they still have logs going back to those early days of the Internet and they have evidence the server was [compromised], researchers can be reached via email.
The full Kaspersky report can be found here [pdf], IOCs are here [pdf], and YARA rules for discovering Moonlight Maze malware are here.
Source: BleepingComputer
Amazon has won the rights to stream Thursday night National Football League games by quintupling the price Twitter paid for the last season's games:
Amazon is getting into the live sports broadcasting business. The retailing giant, which has spent hundreds of millions of dollars acquiring content for its subscription video business, has won the rights to stream "Thursday Night Football" games for this upcoming season.
Sources confirmed to ESPN that the deal to stream the games, which will be simulcast on the NFL Network and either CBS or NBC, is worth $50 million, up from the $10 million that Twitter paid for the streaming in the deal last season.
The Chicago Tribune reports that the 7th Circuit Court of Appeals—which sets precedent in Indiana, Illinois and Wisconsin—ruled that workplace discrimination based on sexual orientation violates Title VII of the Civil Rights Act of 1964.
The plaintiff, a college teacher, said she was reprimanded for kissing her girlfriend, then was not given full-time work at the college and was dismissed. The college denied that it discriminated against her.
MP3 audio of the oral arguments is available.
New research by the University of Manchester has found that people are less likely to attend religious services regularly if their income rises.
Dr Ingrid Storm analysed survey data on more than 20,000 people in Britain to compare their income and religious attendance.
Her research is the first of its kind to use data on the same people measured over time, from 1991 to 2012.
Dr Storm found that a rise in income of about £10,000 a year (£880 a month) meant that people were 6 percentage points less likely to attend services monthly.
But a fall in income had no effect on people's monthly attendance at churches, mosques and other places of worship, the research showed.
She said that a reason that people turned away from religious services when their income increased was that they had less need for the social support found in religious communities.
People who are busy have less time for extra-curricular activities.
Ars Technica reports that Unity, Ubuntu's controversial self-developed desktop environment, is no more.
Six years after making Unity the default user interface on Ubuntu desktops, Canonical is giving up on the project and will switch the default Ubuntu desktop back to GNOME next year. Canonical is also ending development of Ubuntu software for phones and tablets, spelling doom for the goal of creating a converged experience with phones acting as desktops when docked with the right equipment.
Mark Shuttleworth of Canonical posted online about the change to, as he put it, "Growing Ubuntu for Cloud and IoT, rather than Phone and convergence":
We are wrapping up an excellent quarter and an excellent year for the company, with performance in many teams and products that we can be proud of. As we head into the new fiscal year, it's appropriate to reassess each of our initiatives. I'm writing to let you know that we will end our investment in Unity8, the phone and convergence shell. We will shift our default Ubuntu desktop back to GNOME for Ubuntu 18.04 LTS.
[...] I took the view that, if convergence was the future and we could deliver it as free software, that would be widely appreciated both in the free software community and in the technology industry, where there is substantial frustration with the existing, closed, alternatives available to manufacturers. I was wrong on both counts.
Some love Unity; for others, it never caught on. Will it be missed, nostalgically and/or technologically?
Via Security Intelligence, Larry Loeb published an article entitled "Malware Attack Targets Open Source Developers":
Early this year, Palo Alto Networks observed that developers who posted their work on GitHub were receiving phishing emails from .ru domains. The attackers used social engineering ploys to influence recipients to open malicious attachments. Some emails included compliments on posted code, while others featured job offers or other misleading links in the body text.
Despite different body texts, the emails all included the same attachment: a .gz file that resolves to a .doc file. In actuality, the attachment was an embedded PowerShell command that would download and run a file called Dimnie. Dimnie has existed since 2014, the researchers said, but only previously targeted Russian users.
[...] Dimnie is stealthy and sophisticated. It cloaks the internal GET requests so that they appear to go to Google-owned domain names, but they actually go to an attacker-controlled IP address. The malware downloads various modules for functions such as keylogging, screen grabbing and more. Once downloaded, it leaves no direct trace of these modules on the target computer's hard drive.
Basically, Dimnie is designed to steal information. It stores itself and the information it gets into memory to cover its footprints. There is even a self-destruct module to remove any residual traces left on the target machine.
Once Dimnie has grabbed its targeted information, the swag is encrypted using AES-256 in Electronic Codebook (ECB) mode and then appended to image headers.
In his quasi-daily news digest at TechRights (under the heading "Security"), Roy Schestowitz notes
Articles like these neglect to say that only developers who use Microsoft Windows are at risk.
Better headline: Malware targets Windows users who are registered at GitHub. Must have Microsoft Word and PowerShell.
Two Soylentils submitted stories about recently-disclosed attacks against ATMs [Automated Teller Machines].
Security researchers have uncovered one of the most sophisticated ATM heists to date, involving a group of cyber criminals specialized in hacking bank networks using fileless malware, and ATM malware that spits out cash and then self-deletes.
These ATM heists are the work of a group of hackers that's been active for years. Most recently, starting 2016, this group has switched to using legitimate Windows apps and fileless malware to hack into government agencies and banks in at least 40 countries.
Because those attacks used stealthy techniques that left a minimal footprint on infected servers, investigators weren't able to detect what the crooks were after. Nevertheless, they suspected the hackers stole data from infected systems, albeit they didn't know what data.
More clues about these attacks came to light only recently. Security researchers from Kaspersky Lab, the ones who identified the initial attacks this February, believe they uncovered the purpose of some of the bank hacks.
Source: Bleeping Computer
Attackers are using drills to physically compromise ATMs so that they can steal thousands of dollars from the financial institutions operating them.
In the fall of 2016, a bank client revealed one of their ATMs that attackers had emptied to Kaspersky Lab. The only indication of physical tampering was a golf ball-sized hole someone had drilled into the machine next to the PIN pad. Law enforcement later arrested a suspect and found a laptop and cable in their possession.
These discoveries piqued the curiosity of Igor Soumenkov, a researcher at the Russian security firm. He said so at the company's annual Kaspersky Analyst Summit. As quoted by WIRED:
"We wanted to know: To what extent can you control the internals of the ATM with one drilled hole and one connected wire? It turns out we can do anything with it. The dispenser will obey and dispense money, and it can all be done with a very simple microcomputer."
To get to the bottom of Soumenkov's question, Kaspersky's researchers transported the same ATM model to their lab and removed the machine's front panel to look inside. They found a wire that connected all the ATM's components, from the user interface to the cash dispenser. From their subsequent analysis, they also identified only a weak XOR cipher and no suitable authentication protecting the communications exchanged between these components.
WIRED's Andy Greenberg puts this setup into perspective:
"In practical terms, that means any part of the ATM could essentially send commands to any other part, allowing an attacker to spoof commands to the dispenser, giving them the appearance of coming from the ATM's own trusted computer."
Source: Tripwire's "The State of Security" Blog
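The weakness in the ATM bus described in the Tripwire excerpt above is that a fixed-key XOR layer hides bytes but does nothing to prove who sent them or that they arrived unmodified. The following is an added example, not code from the article or from Kaspersky: it models a constructed dispense command under repeating-key XOR, shows that a single changed ciphertext byte passes straight through to the dispenser, and then adds an HMAC-SHA256 tag so that the same change is rejected. The frame layout, opcode and keys are all assumptions made for the demonstration.

```python
import hashlib
import hmac

# Constructed toy model of an internal ATM bus: a fixed-key repeating XOR
# "cipher" with no authentication, beside an HMAC-protected variant.
# The frame layout and keys are assumptions, not the real protocol.
XOR_KEY = b"\x5a\xa5"                        # constructed static key
MAC_KEY = b"constructed-per-device-mac-key"  # constructed; would be provisioned per device
TAG_LEN = 32                                 # HMAC-SHA256 tag length in bytes


def xor_crypt(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR. Encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_command(amount: int) -> bytes:
    """Constructed dispense command: 4-byte ASCII opcode + 4-byte big-endian amount."""
    return b"DISP" + amount.to_bytes(4, "big")


def decode_command(msg: bytes):
    return msg[:4], int.from_bytes(msg[4:8], "big")


def xor_only_receiver(frame: bytes):
    """Dispenser that XOR-decodes and trusts whatever comes out (the weak design)."""
    opcode, amount = decode_command(xor_crypt(frame))
    return opcode == b"DISP", amount


def flip_byte(frame: bytes, offset: int, mask: int) -> bytes:
    """Change one ciphertext byte in transit; used here to show XOR's malleability."""
    return frame[:offset] + bytes([frame[offset] ^ mask]) + frame[offset + 1:]


def authenticated_send(cmd: bytes, key: bytes = MAC_KEY) -> bytes:
    """Same XOR layer, plus an HMAC-SHA256 tag computed over the ciphertext."""
    body = xor_crypt(cmd)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def authenticated_receiver(frame: bytes, key: bytes = MAC_KEY):
    """Dispenser that verifies the tag before acting; rejects tampered or forged frames."""
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, 0
    opcode, amount = decode_command(xor_crypt(body))
    return opcode == b"DISP", amount


def demo():
    """Walk both paths with a constructed 20-unit dispense command."""
    cmd = encode_command(20)
    # XOR-only: flipping bit 0 of the amount's most significant byte (offset 4)
    # survives decoding unchanged, so the dispenser sees 20 + 2**24 units.
    weak_ok, weak_amount = xor_only_receiver(flip_byte(xor_crypt(cmd), 4, 0x01))
    # HMAC: the same in-transit change no longer matches the tag and is rejected.
    hard_ok, hard_amount = authenticated_receiver(flip_byte(authenticated_send(cmd), 4, 0x01))
    return {"xor_only": (weak_ok, weak_amount), "authenticated": (hard_ok, hard_amount)}
```

A MAC alone does not stop a recorded valid frame from being replayed; a real bus protocol would also bind a sequence number or nonce into the authenticated body.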
Yesterday, at the BlackHat Asia 2017 security conference, researchers from cyber-security firm Cylance disclosed two vulnerabilities in the firmware of Gigabyte BRIX small computing devices, which allow an attacker to write malicious content to the UEFI firmware.
During their presentation, researchers installed a proof-of-concept UEFI ransomware, preventing the BRIX devices from booting, but researchers say the same flaws can be used to plant rootkits that allow attackers to persist malware for years.
Cylance researchers said they identified these flaws at the start of the year, and have worked with Gigabyte, American Megatrends Inc. (AMI), and CERT/CC to fix the flaws in time.
Affected Gigabyte devices include GB-BSi7H-6500 (firmware version vF6), and GB-BXi7-5775 (firmware version vF2).
Gigabyte is expected to release firmware vF7 for GB-BSi7H-6500 devices in the upcoming days. The GB-BXi7-5775 line is not being produced anymore and has reached EOL (End Of Life), so Gigabyte won't be releasing a new firmware for this series.
Source: BleepingComputer