posted by cmn32480 on Monday April 17 2017, @10:19PM
from the mourning-a-visionary dept.

One of the founding fathers of the internet, Robert Taylor, has died.

While working at the Pentagon in the 1960s, he instigated the creation of Arpanet - a computer network that initially linked together four US research centres, and later evolved into the internet.

At Xerox, he later oversaw the first computer with desktop-inspired icons and a word processor that formed the basis of Microsoft Word.

Mr Taylor died at home aged 85.

His family told the Los Angeles Times that he had suffered from Parkinson's disease among other ailments.

Mr Taylor studied psychology at university, but worked as an engineer at several aircraft companies and Nasa before joining the US Department of Defense's Advanced Research Project Agency (Arpa) in 1965.

So long, Robert, and thanks for all the fish.


Original Submission

posted by cmn32480 on Monday April 17 2017, @08:34PM
from the people-that-live-in-a-bubble dept.

Edit: The link.

There were lots of good titles for this submission, as in "Breaking news: Poettering clueless?" to finally disprove Betteridge's law, or "systemd surprisingly not as good as advertised" or "Breaking news: systemd broken" or "Poettering censors critics after epic fail".

Systemd implementation of "rm -rf .*" will follow ".." to upper directory and erase /

How to reproduce:

        # mkdir -p /foo/dir{1,2}
        # touch /foo/.bar{1,2}
        # cat /etc/tmpfiles.d/test.conf
        R! /foo/.* - - - - -

        Reboot.

After the issue was fixed, finally Poettering added this gem of wisdom:

I am not sure I'd consider this much of a problem. Yeah, it's a UNIX pitfall, but "rm -rf /foo/.*" will work the exact same way, no?

The answer to this question, as many clarified for him, obviously is a loud "NO!". After being told a couple of times in no uncertain terms, the thread was closed for non-developers:

poettering locked and limited conversation to collaborators 4 hours ago

for which I proposed the "freedom-of-speech" department (although I admit it is a weak proposal).


Original Submission
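The point the thread was making, shown as an added example that is not part of the submission or of systemd: the shell analogue "rm -rf /foo/.*" does not climb into the parent, even though in dash (and bash before 5.2) the glob ".*" really does expand to "." and "..", because POSIX requires rm to refuse those two operands. The functions below rebuild the tree from the report under a scratch directory that stands in for "/", run the rm equivalent, and also show the conventional glob pair that cannot match "." or "..". They assume a POSIX sh, rm and mktemp.

```shell
#!/bin/sh
# Added example (not from the bug report or from systemd): what happens when
# the shell analogue of that tmpfiles line, "rm -rf /foo/.*", is run. In
# dash and in bash before 5.2 the glob ".*" does expand to "." and "..",
# but POSIX requires rm to refuse both operands, so the parent survives
# and only the real dotfiles are removed. Assumes a POSIX sh, rm and mktemp.

# dot_glob_entries DIR : print what DIR/.* expands to, one per line.
# Whether "." and ".." appear depends on the shell (bash 5.2+ skips them
# by default via globskipdots; zsh never returned them).
dot_glob_entries() {
    for entry in "$1"/.*; do
        printf '%s\n' "$entry"
    done
}

# safe_dot_glob_entries DIR : the usual workaround. ".[!.]*" needs a non-dot
# second character and "..?*" needs a third character, so neither pattern can
# match "." or "..". Prints the matches; exits 1 if either ever slipped through.
safe_dot_glob_entries() {
    for entry in "$1"/.[!.]* "$1"/..?*; do
        [ -e "$entry" ] || continue        # an unmatched pattern stays literal
        case $entry in
            "$1"/.|"$1"/..) return 1 ;;
        esac
        printf '%s\n' "$entry"
    done
    return 0
}

# rm_dot_glob_spares_parent : rebuild the tree from the report under a scratch
# directory (standing in for "/"), run the rm equivalent of "R! /foo/.*", and
# exit 0 if the parent and dir1/dir2 survive while .bar1/.bar2 are gone.
rm_dot_glob_spares_parent() {
    scratch=$(mktemp -d) || return 2
    mkdir -p "$scratch/foo/dir1" "$scratch/foo/dir2"
    touch "$scratch/foo/.bar1" "$scratch/foo/.bar2"
    # rm reports "refusing to remove '.' or '..' directory" for those two
    # operands and exits non-zero, but still deletes .bar1 and .bar2.
    rm -rf "$scratch/foo"/.* 2>/dev/null || true
    status=1
    if [ -d "$scratch/foo/dir1" ] && [ -d "$scratch/foo/dir2" ] \
        && [ ! -e "$scratch/foo/.bar1" ] && [ ! -e "$scratch/foo/.bar2" ]; then
        status=0
    fi
    rm -rf "$scratch"
    return $status
}
```

Run `dot_glob_entries /tmp` under dash and under a current bash to see the shell-dependent part for yourself; `rm_dot_glob_spares_parent` returns 0 under both, because the safety comes from rm, not from the shell. A program that expands the glob itself and then recurses into every match, which is what the report describes, gets none of that protection.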

posted by NCommander on Monday April 17 2017, @06:20PM
from the removing-old-ciphers-is-like-taking-old-yeller-behind-the-barn-... dept.

In the continuing saga of website tinkering and people's love of update posts, I'm back with some backend configuration changes. Right now, things have been relatively quiet on the backend side of things. We've got some good news, and some bad news in this update. That being said, we've made a few small updates over the weekend. Rapid fire style, let's go through them:

CAA Records

CAA records define which certificate authorities (CAs) are allowed to sign your domains. They essentially act as a CA whitelist, and the most recent revisions of the Certificate Authority/Browser Baseline Requirements mandate that CAs check for CAA records and respect them. In line with this policy, we've whitelisted Let's Encrypt and Gandi's CAs to issue certificates for SoylentNews for the time being, as these are the two CAs currently in use here.

In a fun bit of fail, this is the second time I've tried to deploy CAA, and fortunately managed to succeed this go around. The problem stems from the fact that many versions of BIND except the very latest don't recognize the "CAA" record type, and cause the zone file to not process correctly if it's present. As we're still using an older version of BIND as our master server, I had to manually create TYPE257 records as seen below:

soylentnews.org. 3586 IN TYPE257 \# 16 0005697373756567616E64692E6E6574
soylentnews.org. 3586 IN TYPE257 \# 22 000569737375656C657473656E63727970742E6F7267
soylentnews.org. 3586 IN TYPE257 \# 35 0005696F6465666D61696C746F3A61646D696E40736F796C656E746E6577732E6F7267
soylentnews.org. 3586 IN TYPE257 \# 12 0009697373756577696C643B

Both htbridge.com and ssllabs.com show that the CAA records are properly encoded, and show an additional green bar that they're in place.
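As an added example (not SoylentNews' zone tooling or anything from BIND), the POSIX sh functions below produce the same RFC 3597 generic form for any CAA record, so entries like the four above can be generated instead of hand-encoded, and check that a record's declared byte count matches its hex payload. Decoded, the four records are flags 0 with tags issue (gandi.net), issue (letsencrypt.org), iodef (mailto:admin@soylentnews.org) and issuewild with the value ";", which tells every CA not to issue wildcard certificates for the name. The functions assume od and tr are available and that tags are US-ASCII letters and digits.

```shell
#!/bin/sh
# Added example (not SoylentNews' zone data or BIND code): build the RFC 3597
# generic-RDATA form "\# <len> <hex>" for CAA (RR type 257) so a BIND too old
# to know the CAA type can still serve the record. Assumes a POSIX sh plus
# od and tr, and US-ASCII tags.

CAA_TYPE=257

# caa_generic FLAGS TAG VALUE
# Wire format is: flags (1 byte), tag length (1 byte), tag, value. Prints the
# generic text form, e.g. "\# 16 0005697373756567616E64692E6E6574".
caa_generic() {
    flags=$1; tag=$2; value=$3
    # flags is one byte; tag is 1..255 US-ASCII letters/digits (RFC 6844 5.1)
    [ "$flags" -ge 0 ] 2>/dev/null && [ "$flags" -le 255 ] || return 1
    case $tag in ""|*[!A-Za-z0-9]*) return 1 ;; esac
    [ ${#tag} -le 255 ] || return 1
    hex=$(printf '%s%s' "$tag" "$value" | od -An -v -tx1 | tr -d ' \n' | tr 'a-f' 'A-F')
    # byte count = hex digits / 2 (correct even for non-ASCII values) + 2 header bytes
    printf '\\# %d %02X%02X%s\n' $(( ${#hex} / 2 + 2 )) "$flags" "${#tag}" "$hex"
}

# caa_rr OWNER TTL FLAGS TAG VALUE : one complete zone-file line
caa_rr() {
    rdata=$(caa_generic "$3" "$4" "$5") || return 1
    printf '%s %s IN TYPE%d %s\n' "$1" "$2" "$CAA_TYPE" "$rdata"
}

# caa_check_length '\# N HEX...' : exit 0 if the declared byte count N matches
# the hex payload. RFC 3597 allows whitespace inside the hex, so a record
# wrapped across a line break still checks out.
caa_check_length() {
    set -- $1                       # split into: \#  N  HEX [HEX...]
    [ "$1" = '\#' ] || return 1
    declared=$2; shift 2
    hex=$(printf '%s' "$*" | tr -d ' ')
    case $hex in ""|*[!0-9A-Fa-f]*) return 1 ;; esac
    [ $(( ${#hex} % 2 )) -eq 0 ] || return 1
    [ $(( ${#hex} / 2 )) -eq "$declared" ]
}
```

`caa_rr soylentnews.org. 3586 0 issue letsencrypt.org` reproduces the second line above byte for byte; once the master runs a BIND that knows the type, the same data can be written natively as `soylentnews.org. 3586 IN CAA 0 issue "letsencrypt.org"` and the generic form retired.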

Postfix LogJam

Almost two years ago, the Logjam attack on the DH key exchange was discovered and publicized. As part of our general hardening of SoylentNews, we regenerated all the DH parameters to prevent Logjam from being a viable attack vector. Unfortunately, we overlooked the mail STARTTLS services on mail.soylentnews.org, and only caught it when I was checking various security things. The DH parameter files have been regenerated. Under normal circumstances, Logjam can't be exploited unless the underlying SSL cipher is relatively weak. As part of previous hardening, we kicked SSLv3 and many insecure ciphers to the curb, but unfortunately RSA_CBC_IDEA was accidentally left in place as a valid protocol for STARTTLS transport. Based on my understanding of the Logjam attack, 1024-bit ciphers like RSA_CBC_IDEA are still difficult to exploit, and it's likely only a nation state could successfully have breached it.

Given that only SN staff have mail accounts, and that users are encouraged to change their passwords after creating an account, I think it's safe to assume that we're relatively OK as far as data security and integrity go, since email in general is at best opportunistically encrypted and should always be assumed to be monitor-able (via a STRIPTLS attack). That being said, if you haven't changed your password since account creation, it's likely a good idea to do so now.

We discovered our IMAP server has been serving a self-signed certificate during this check as well. We'll be replacing this with a properly signed certificate within the near future. I have other things on this topic that will be noted in a future post, so keep a look out for that.

Disabling HTTP Methods

A routine check of the site's security headers showed that we were accepting HTTP TRACE and other methods we don't need on production. The configuration for nginx has been modified to put a bullet in this behavior. We're still checking to make sure we got this everywhere, but we should be good on at least the production servers for now. This has bumped the site security rating up to an A on HTBridge; we're still missing the referrer security header, but we need to check to make sure there's no user impact before deploying it.

3DES Put Out To Pasture

As always in the world of encryption, various algorithms eventually become insecure and weakened as cryptanalysis gets more and more advanced. A few months ago, the SWEET32 attack against 3DES was discovered which drastically weakens the security of 3DES via the birthday paradox problem. In practice, SWEET32 requires a second exploit to even be usable as SoylentNews only allowed 3DES connections as a last resort if AES wasn't supported. As every major browser has supported AES for years, we decided to put 3DES out to pasture and have removed it from the allowed list of ciphers for SN.
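The two nginx-side changes described above (unneeded methods rejected, 3DES dropped), as an added configuration example that is not SoylentNews' actual config; the vhost name, file paths, method list and cipher strings are assumptions chosen to illustrate the change:

```nginx
server {
    listen 443 ssl;
    server_name example.org;                       # assumption: stand-in for the real vhost

    # Methods: answer anything but GET/HEAD/POST with 405 before the request
    # reaches the application. nginx has no TRACE handler of its own (it
    # answers 405), but an upstream behind proxy_pass may, and PUT/DELETE/
    # OPTIONS have no business being reachable on production either.
    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 405;
    }

    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # assumed paths
    ssl_certificate_key /etc/nginx/tls/privkey.pem;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;          # SSLv3 already removed
    ssl_prefer_server_ciphers on;

    # Logjam: serve a locally generated 2048-bit group rather than the
    # OpenSSL built-in 1024-bit one.
    ssl_dhparam /etc/nginx/tls/dhparam2048.pem;

    # Before: 3DES kept as the last-resort cipher, so SWEET32 still applies
    # to any client that negotiates it:
    # ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:EECDH+AES:EDH+AES:DES-CBC3-SHA:!aNULL:!MD5';

    # After: 3DES (and IDEA, the other 64-bit-block cipher) excluded outright.
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:EECDH+AES:EDH+AES:!3DES:!IDEA:!RC4:!aNULL:!MD5';
}
```

`limit_except GET HEAD POST { deny all; }` inside a `location` block is the alternative to the `if` for method filtering; the `if` form is used here only because it applies to every location in the server at once. Whichever form is used, re-run the header scan afterwards, since a method restriction in one vhost says nothing about the others.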

Not too much to note in this round of administration games, but we're working to make overhaul changes to the stack to allow the potential for HPKP key pinning in the near future, as well as deploying TLSA/DANE support for both HTTPS and SMTP on SN. As part of this process, we'll also be enabling HSTS across subdomains, and reissuing our SSL certificates to enable OCSP Must-Staple. We'll keep you guys updated as we move towards that goal!

~ NCommander

posted by CoolHand on Monday April 17 2017, @04:17PM
from the future-vision dept.

http://www.space.com/36270-nasa-deep-space-gateway-moon-orbit.html

It looks like NASA's stepping-stone to Mars will be a miniature space station in lunar orbit rather than a chunk of captured asteroid.

The agency plans to build an astronaut-tended "deep space gateway" in orbit around the moon during the first few missions of the Space Launch System (SLS) megarocket and Orion crew capsule, which are scheduled to fly together for the first time in late 2018, NASA officials said.

"I envision different partners, both international and commercial, contributing to the gateway and using it in a variety of ways with a system that can move to different orbits to enable a variety of missions," William Gerstenmaier, associate administrator for Human Exploration and Operations at NASA headquarters in Washington, D.C, said in a statement. [Red Planet or Bust: 5 Crewed Mars Mission Ideas]

"The gateway could move to support robotic or partner missions to the surface of the moon, or to a high lunar orbit to support missions departing from the gateway to other destinations in the solar system," Gerstenmaier added.

One of those "other destinations" is Mars. NASA is working to get astronauts to the vicinity of the Red Planet sometime in the 2030s, as directed by former President Barack Obama in 2010. For the last few years, the agency's envisioned "Journey to Mars" campaign has included the Asteroid Redirect Mission (ARM), an effort to pluck a boulder from a near-Earth asteroid and drag the rock to lunar orbit, where it could be visited by astronauts aboard Orion.

But ARM's future looks bleak; President Donald Trump provided no money for the mission in his proposed 2018 federal budget, which the White House released earlier this month.

Also see:

https://www.nasa.gov/feature/deep-space-gateway-to-open-opportunities-for-distant-destinations

http://www.popularmechanics.com/space/a25872/nasa-cis-lunar-orbit/

https://www.nasa.gov/mission_pages/tdm/sep/index.html


Original Submission

posted by cmn32480 on Monday April 17 2017, @02:44PM
from the the-truth-is-in-the-bits-and-bytes dept.

Dan Wright and Joanne Leon of Shadowproof interview cybersecurity expert Jeffrey Carr about Crowdstrike's controversial claims on successfully identifying Russia as the actor that hacked the Democratic National Committee:

The evidence has always been thin despite U.S. intelligence agencies ultimately supporting the claim.

Carr discusses Crowdstrike's history of bad calls, including having to recently rewrite a report on alleged Russian hacking in Ukraine. The Ukrainian government as well as other cybersecurity experts heavily disputed Crowdstrikes[sic] initial claims.

[...] For firms like Crowdstrike, there's no financial downside in pretending to be able to attribute a hack as the nature of cyber makes it hard to prove or disprove an attribution. Additionally, each report serves as marketing material for future clients.


Original Submission

posted by on Monday April 17 2017, @01:05PM
from the sunday-red-meat dept.

The FBI and DoJ Were Granted a FISA Warrant to Monitor a Trump Campaign Aide Last Summer

A FISA warrant was obtained to monitor Trump campaign aide Carter Page before the election:

The FBI obtained a warrant to secretly surveil former Donald Trump aide Carter Page last summer under the Foreign Intelligence Surveillance Act (FISA), according to a Tuesday Washington Post report.

The FBI and Justice Department demonstrated probable cause that Page is acting on behalf of a foreign state in order to be granted the warrant.

The FISA warrant was part of the FBI's investigation into possible ties between Russia and Trump campaign associates, law enforcement and U.S. officials told the Post.

"This confirms all of my suspicions about unjustified, politically motivated government surveillance," Page told the Post Tuesday. "I have nothing to hide."

Page has not been accused of committing a crime.

Also at MarketWatch.

DiGenova: Rice Ordered 'Spreadsheets' on Calls Involving Trump, Aides

Submitted via IRC for TheMightyBuzzard

Former President Barack Obama's national security adviser Susan Rice ordered U.S. spy agencies to produce "detailed spreadsheets" of legal phone calls involving Donald Trump and his aides when he was running for president, according to former U.S. Attorney Joseph diGenova.

"What was produced by the intelligence community at the request of Ms. Rice were detailed spreadsheets of intercepted phone calls with unmasked Trump associates in perfectly legal conversations with individuals," diGenova told The Daily Caller News Foundation Investigative Group Monday.

[...] Other official sources with direct knowledge and who requested anonymity confirmed to TheDCNF diGenova's description of surveillance reports Rice ordered one year before the 2016 presidential election.

Source: http://dailycaller.com/2017/04/03/susan-rice-ordered-spy-agencies-to-produce-detailed-spreadsheets-involving-trump/


Original Submission #1
Original Submission #2

posted by cmn32480 on Monday April 17 2017, @11:44AM
from the speak-regular-words dept.

Arthur T Knackerbracket has found the following story:

Most of us tailor our language to our audience. We choose different words when talking to our child than when talking to our spouse, our pastor or our boss. We may not even notice that we are doing it. It's often automatic and unintentional.

At work, knowingly or not, people choose words for specific purposes beyond just conveying an idea. They want to impress, show deference, take credit, look smart, intimidate, dominate or avoid blame. They want to cover up their own incompetence or avoid managerial scrutiny.

Unfortunately, they often employ communications strategies that backfire by distracting from the message and subtext they want to convey and instead placing focus on the language and the speaker. This can make them seem pompous or condescending, caricatures to be mocked rather than professionals to be admired.

Here are a few of the ways people undermine their own credibility.

You verb a noun or adjective by using it as a verb rather than as the original figure of speech. Instead of offering people incentives, you incent them. Instead of giving a gift, you gift them. You upskill yourself instead of learning something new. You workshop ideas, calendar meetings and architect systems.

[...] You jargon your communications by using terms of your trade when speaking to people who are unlikely to fully understand their meaning. Instead of using normal English, you use unknown words or phrases, transforming your ideas into gibberish in the minds of your audience. IT folks have a particularly bad reputation for jargoning our stakeholders to death. We tell them that we will form an agile team, use a mesh network or a NoSQL database, without any explanation.

[...] Acronyming is a lot like jargoning but uses abbreviations that your audience is unlikely to know. "Hi. I'm John from the PMO and you've been assigned as our project SME. We've already decided to use a SaaS model for our IoT product to maximize the ROI." As with jargon, acronyms appear distancing and disrespectful.

We all know what clichéing is: employing overused phrases to convey common ideas. "I know we're going to be late, but every cloud has a silver lining." "We're going to avoid that technology like the plague." "I'd fit really well into your team because I'm a jack-of-all-trades, people person."

Clichés may convey the ideas you are trying to communicate, but they also create negative impressions of you. Cliché spouters appear to be inarticulate and imprecise. When someone uses a cliché to explain something to me, I assume that he is using vague generalities because he either doesn't understand or wants to avoid the specifics of the situation at hand. He seems incompetent or secretive.

-- submitted from IRC


Original Submission

posted by cmn32480 on Monday April 17 2017, @10:24AM
from the not-listening-to-all-sides dept.

Submitted via IRC for TheMightyBuzzard

An editorial in the Wellesley College student newspaper that called for "shutting down" some forms of hateful rhetoric became the latest flashpoint in a contentious national debate over free speech and its limits on college campuses.

The editorial, published Wednesday in the Wellesley News, argues that the campus community will "not stand for hate speech, and will call it out when possible."

"Shutting down rhetoric that undermines the existence and rights of others is not a violation of free speech; it is hate speech," the editorial states. "The spirit of free speech is to protect the suppressed, not to protect a free-for-all where anything is acceptable, no matter how hateful and damaging."

The editorial was widely criticized on social media as antithetical to the free exchange of ideas that is critical in a democracy and in liberal arts education. It comes as colleges across the country are wrestling with how to protect free speech in an era of trigger warnings, safe spaces, and even assaults on incendiary speakers invited to campuses.

Free speech for all. Unless they disagree with us on something...

Source: https://www.bostonglobe.com/metro/2017/04/14/wellesley-college-student-newspaper-ignites-free-speech-debate/NHVrp8nNensXxCQHaPLHPJ/story.html


Original Submission

posted by cmn32480 on Monday April 17 2017, @08:18AM
from the puff-puff-pass dept.

The CBC reports that Canada's ruling Liberal Party has proposed legislation concerning the use of cannabis:

The pot plan comes with two new bills; one to regulate the recreational use, sale and cultivation of marijuana, and a second that strengthens measures to stop impaired driving.

It would allow people to possess up to 30 grams of dried or fresh cannabis and sets the minimum at 18 years of age, though provinces and territories can set a higher legal age.

Consumers can grow up to four plants at home or buy from a licensed retailer.

[...] buying, selling or using marijuana outside the regulatory regime will remain a serious criminal offence with stiff penalties.

Another CBC article describes the bill on impaired driving. Police could ask drivers for samples of saliva or blood; there are also

[...] provisions that will allow for mandatory roadside alcohol screening and new criminal offences for driving while high.

[...] A driver who is found to have two nanograms but less than five nanograms of THC per millilitre of blood could face a maximum fine of up to $1,000[.]

Additional coverage:
Toronto Star (editorial)


Original Submission

posted by cmn32480 on Monday April 17 2017, @06:07AM
from the cheap-foreign-labor dept.

KUOW-FM reports about two detention centres operated by The GEO Group, Inc., formerly called the Wackenhut Corrections Corporation (ticker symbol GEO). Detainees for the centres are provided by U.S. Immigration and Customs Enforcement

A class action lawsuit says the company running an immigration detention center in Colorado is violating federal anti-slavery laws. It's the same company that runs the Northwest Detention Center in Tacoma, scene of an expanding hunger strike.

[...] Nina Disalvo is an attorney for the detainees in Colorado. She said it's illegal to pay them $1 a day.

"It's not the market wage that GEO would have to pay [...]," Disalvo said.

The Seattle Times via The News Tribune quoted a U.S. Immigration and Customs Enforcement spokesperson, concerning the hunger strike at the Tacoma facility:

"The sole detainee who is continuing to refuse meals has been allowed to remain in the general population, but the facility personnel are monitoring him closely," Kice wrote of the strike that began Monday.

Kice said about one-third of the civil detainees — who are awaiting immigration hearings or deportation — refused meals but, citing fluctuating numbers, did not provide exact numbers of those who participated in the strike. As of Friday morning, the population count at the facility was 1,401.

According to Free Speech Radio News,

In March, a federal judge approved class-action status for a lawsuit alleging at least 60,000 past and present detainees held at the Aurora ICE facility were forced to do janitorial work, clerical work, landscaping and other jobs for free or $1 a day.

Those who refuse are threatened with solitary confinement.

Additional coverage:


Original Submission

posted by on Monday April 17 2017, @04:01AM
from the security-through-no-one-getting-fired dept.

[UPDATED 2017-04-17] Ars Technica reports, under the headline "Mysterious Microsoft patch killed 0days released by NSA-leaking Shadow Brokers" (subhead: "Microsoft fixed critical vulnerabilities in uncredited update released in March"):

Contrary to what Ars and the rest of the world reported Friday, none of the published exploits stolen from the National Security Agency work against currently supported Microsoft products. This is according to a Microsoft blog post published late Friday night.

That's because the critical vulnerabilities for four exploits previously believed to be zerodays were patched in March, exactly one month before a group called Shadow Brokers published Friday's latest installment of weapons-grade attacks. Those updates—which Microsoft indexes as MS17-010, CVE-2017-0146, and CVE-2017-0147—make no mention of the person or group who reported the vulnerabilities to Microsoft. The lack of credit isn't unprecedented, but it's uncommon, and it's generating speculation that the reporters were tied to the NSA. In a vaguely worded statement issued Friday, Microsoft seemed to say it had had no contact with NSA officials concerning any of the exploits contained in Friday's leak.

Original story follows:

The "Shadow Brokers" released files that purport to expose vulnerabilities in Windows and especially in Windows Server.

Numerous Windows hacking tools are also among the new batch of files the Shadow Brokers dumped Friday. In recent months, the mysterious group has been releasing hacking tools allegedly taken from the NSA, and security researchers say they actually work.

That is according to PCWorld, but there are plenty of other venues reporting on this.

The group behind the leak, the Shadow Brokers, didn't clearly explain why they dumped the files. But in addition to the documents, the hackers also released what appears to be an arsenal of Windows-based hacking tools -- some of which target previously unknown vulnerabilities.
"This isn't a data dump, this is a damn Microsoft apocalypse," tweeted a security researcher who goes by the name Hacker Fantastic.

Leaked NSA Malware Threatens Windows Users Around the World from the Intercept.

Ars Technica

El Reg (and why are they "el Reg"? They are Brexit, not Spanish?)

And Network World, with a very nice picture of the Puzzle Palace.

I have always wondered what it would take. Maybe if Microsoft forcibly dragged a user off of its platform. After this, however, that may not be necessary.


Original Submission

posted by cmn32480 on Monday April 17 2017, @01:58AM
from the that-is-NOT-what-we-expected dept.

An Anonymous Coward writes:

BusinessInsider reports on some creative solutions that have been submitted for "The Trump Wall"

Main link:
http://www.businessinsider.com/design-trumps-border-wall-hyperloop-2017-4

This aliases to:
http://www.businessinsider.com/design-trumps-border-wall-hyperloop-2017-4/#the-19th-century-brought-us-boundaries-the-20th-century-we-built-walls-the-next-will-bridge-nations-by-creating-communities-based-on-shared-principles-of-economic-resiliency-energy-independence-and-a-trust-based-society-the-designers-wrote-5

Homeland Security has put out a request for proposal and some of the submissions are truly creative. This article focuses on a joint Mexican-US proposal to convert land along the border to a neutral zone and build a Hyperloop along the border.

The Trump administration is reviewing design bids for its proposed wall along the US-Mexico border. But not all plans are interpreting the word "wall" literally.

A group of Mexican and American engineers and urban planners called MADE Collective wants to build a $1 trillion hyperloop transportation network instead. The plan would turn the border into a shared nation, called Otra Nation, with an independent local government and nonvoting representatives in the US and Mexican legislatures.
...
The plan would cost approximately $15 billion — less than the $21 billion that the Department of Homeland Security estimated a border wall would cost. The designers also predict that their system would create $1 trillion in trade.
...
The group submitted its design to the US Customs and Border Protection's official call for proposals in March.

While this certainly wasn't what your AC was expecting, it appears to be a completely serious proposal from experienced builders and planners -- http://www.otranation.com/proposal

Other proposals submitted include:

MADE Collective is not the only one to submit a fantastical design for the border wall. Other proposals include a wall covered in solar panels, a binational park, and an "Inflatoborder" made of plastic bubbles.


Original Submission

posted by cmn32480 on Monday April 17 2017, @12:14AM
from the watch-where-you-drink-and-drive dept.

The World Socialist Web Site reports

The American Society of Civil Engineers (ASCE) released its quadrennial "Report Card" last month on the condition of infrastructure in the United States. Once again, the association gave the country an overall grade of D+, the same as in 2013.

The report is a damning appraisal of the state of American society under capitalism, and the Obama years, which saw essential social needs starved of funding while the stock market tripled in value and vast public resources were squandered on war. This will only accelerate under Trump.

The ASCE report assesses the state of sixteen different categories of infrastructure: aviation, bridges, dams, drinking water, energy, hazardous waste, inland waterways, levees, parks and recreation, ports, rail, roads, schools, solid waste, transit and wastewater.

Twelve of the sixteen sections evaluated earned a D grade. The report defines a D grade as "The infrastructure is in poor to fair condition and mostly below standard, with many elements approaching the end of their service life. A large portion of the system exhibits significant deterioration. Condition and capacity are of serious concern with strong risk of failure."

According to ASCE, the total costs to bring all US infrastructure into an adequate condition would exceed two trillion dollars.

[...] ASCE's answer to this crisis is not only inadequate but downright reactionary.

[...] In the section of the report titled "solutions to raise the grade" the authors suggest that "Infrastructure owners and operators must charge, and Americans must be willing to pay, rates and fees that reflect the true cost of using, maintaining, and improving infrastructure." Other sections advocate "user generated fees", hiking the gasoline tax, and other regressive proposals that would disproportionately affect the country's poorest citizens. The report also calls for more "public-private" partnerships, along with the streamlining of approval for private investment in public infrastructure projects.

Such free-market measures would only create an ever-greater class-based infrastructure system, where only those who could afford to will be able to drive on high toll expressways and bridges, send their children to quality schools, drink clean water, and live in areas not threatened with constant flooding or environmental disasters.

View the ASCE's report card here.


Original Submission

posted by cmn32480 on Sunday April 16 2017, @10:34PM
from the will-he-shrug-for-the-camera dept.

The Cassini spacecraft has taken the closest-ever images of Saturn's 40.8 × 35.4 × 18.8 km moon Atlas. The images were taken on April 12th from a closest approach of about 11,000 km.

Next up is a final flyby of Titan on April 22nd, and the Cassini Grand Finale from April 26th to September 15th.

Previously: Cassini Spacecraft to Begin Diving Between Saturn and its Rings This Month


Original Submission

posted by cmn32480 on Sunday April 16 2017, @08:53PM
from the get-on-the-upgrade-treadmill dept.

Betanews reports on an announcement from Microsoft regarding its Windows 10 operating system:

[...] come May 9 it will stop updating the original release, known as 1507. The software giant had intended to stop supporting that release on March 26, but pushed back the deadline.

Additional coverage:
Computerworld

Related story:
Microsoft Kills Windows Vista On April 11: No Security Patches, No Hot Fixes, No Support, Nada


Original Submission