Submitted via IRC for TheMightyBuzzard
Since the early days of the SSL/TLS protocols, the security community has been struggling with various attacks that have made many press headlines.
[...] The Transport Layer Security (TLS) protocol as it stands today has evolved from the Secure Sockets Layer (SSL) protocol from Netscape Communications and the Private Communication Technology (PCT) protocol from Microsoft that were developed in the 1990s, mainly to secure credit card transactions over the Internet.
It soon became clear that a unified standard was required, and an IETF TLS WG was tasked. As a result, TLS 1.0 was specified in 1999, TLS 1.1 in 2006, TLS 1.2 in 2008, and TLS 1.3 will hopefully be released soon. Each protocol version tried to improve its predecessor and mitigated some specific attacks.
As is usually the case in security, there is a "cops and robbers" game going between the designers and developers of the TLS protocol and the people who try to break it (be it from the hacker community or from academia). Unfortunately, this game is open-ended, meaning that it will never end and has no winner.
Not precisely news but it's good to stop, reflect, and look forward now and then.
Source: https://www.helpnetsecurity.com/2017/07/03/tls-security/
[Update 3: The launch attempt had a hold at T-10 seconds. Because they were at the end of the launch window for this launch attempt, that effectively translated to being a scrub of today's launch attempt. Depending on what the analysis reveals, as well as weather and range considerations, the next launch attempt may be as early as tomorrow: July 4th. --martyb]
[Update 2: Launch now delayed because of weather according to this tweet:
Pushing T-0 to 8:35 p.m. EDT, 00:35 UTC for weather. Vehicle and payload remain in good health in advance of the @INTELSAT 35e launch.
--martyb]
[Update 1: according to this tweet:
New T-0 of 8:07 pm EDT, 00:07 UTC for weather. Vehicle and payload look good--all systems go for launch of @INTELSAT 35e.
For those who would like to follow along, a hosted live stream on YouTube is available. I have been unable to locate a non-youtube live stream; please reply in the comments if you find one. Please also comment if you find a technical webcast of this launch. --martyb]
In an update to a story announcing SpaceX's Sunday 19:36 EDT scheduled launch, Ars Technica now reports:
7:45pm ET Sunday update: The weather cooperated just fine on Sunday evening, near sunset in Florida, but the rocket did not. With just 10 seconds to go before liftoff, the on-board computers detected some issue within the rocket's guidance, navigation, and control system. At that point the flight computers stopped the countdown just before the engines were ignited. This forced a 24-hour scrub.
If it can diagnose and fix the problem, SpaceX will make a second attempt to launch the Intelsat 35e satellite on Monday, with the launch window opening at, or around, 7:37pm ET.
There is no indication that the 58-minute launch window has changed. For those not in the Eastern United States, the new launch window starts at 23:37 UTC on Monday, July 3.
Submitted via IRC for TheMightyBuzzard
A bug in Linux's systemd init system causes root permissions to be given to services associated with invalid usernames, and while this could pose a security risk, exploitation is not an easy task.
A developer who uses the online moniker "mapleray" last week discovered a problem related to systemd unit files, the configuration files used to describe resources and their behavior. Mapleray noticed that a systemd unit file containing an invalid username – one that starts with a digit (e.g. "0day") – will initiate the targeted process with root privileges instead of regular user privileges.
Systemd is designed not to allow usernames that start with a numeric character, but Red Hat, CentOS and other Linux distributions do allow such usernames.
"It's systemd's parsing of the User= parameter that determines the naming doesn't follow a set of conventions, and decides to fall back to its default value, root," explained developer Mattias Geniar.
While this sounds like it could be leveraged to obtain root privileges on any Linux installation using systemd, exploiting the bug in an attack is not an easy task. Geniar pointed out that the attacker needs root privileges in the first place to edit the systemd unit file and use it.
[...] Systemd developers have classified this issue as "not-a-bug" and they apparently don't plan on fixing it. Linux users are divided on the matter – some believe this is a vulnerability that could pose a serious security risk, while others agree that a fix is not necessary.
See, this is why we can't have nice init systems.
Source: http://www.securityweek.com/linux-systemd-gives-root-privileges-invalid-usernames
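An audit for the condition described above, as an added example (not code from the article or from systemd): it scans unit file text for `User=` values in `[Service]` that begin with a digit, the case the article says makes systemd fall back to root. The function names and sample units are constructed for illustration.

```python
import re

# systemd.exec documents User= as taking a user name or a numeric ID,
# so an all-digit value is a UID and is not reported here.
NUMERIC_ID = re.compile(r"[0-9]+")

# Constructed sample units; "0day" is the example name used in the article.
SAMPLE_UNITS = {
    "good.service": "[Unit]\nDescription=ok\n[Service]\nUser=www-data\nExecStart=/usr/bin/true\n",
    "bad.service": "[Service]\n# constructed example\nUser=0day\nExecStart=/usr/bin/true\n",
    "uid.service": "[Service]\nUser=1001\nExecStart=/usr/bin/true\n",
    "override.service": "[Service]\nUser=0day\nUser=backup\nExecStart=/usr/bin/true\n",
    "section.service": "[Unit]\nUser=0day\n[Service]\nExecStart=/usr/bin/true\n",
}


def rejected_user_lines(unit_text):
    """Yield (line_number, value) for each User= line in [Service] whose
    value starts with a digit but is not a plain numeric ID."""
    section = None
    for lineno, raw in enumerate(unit_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]                 # track the current section
            continue
        key, sep, value = line.partition("=")
        if section != "Service" or not sep or key.strip() != "User":
            continue
        value = value.strip()
        if re.match(r"[0-9]", value) and not NUMERIC_ID.fullmatch(value):
            yield lineno, value


def audit_units(units):
    """Return sorted (unit_name, line_number, value) findings for a
    mapping of unit name -> unit file text."""
    findings = []
    for name in sorted(units):
        for lineno, value in rejected_user_lines(units[name]):
            findings.append((name, lineno, value))
    return findings


if __name__ == "__main__":
    for name, lineno, value in audit_units(SAMPLE_UNITS):
        print(f"{name}:{lineno}: User={value} starts with a digit; "
              "per the article the service would run as root")
```

Every matching line is reported, even when a later `User=` line sets a valid name, so that each one gets reviewed rather than relying on how assignments combine.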
http://www.pcgamer.com/oculus-rift-creator-palmer-luckey-kicks-in-2000-to-crossvr-patreon/
Here's an unexpected twist: Palmer Luckey, co-founder of Oculus VR and the creator of the Oculus Rift, recently pledged $2000 per month to the Patreon for the CrossVR project that's developing Revive—the software that enables the use of Oculus-exclusive software on the HTC Vive headset.
[...] Luckey's support of the project could be seen as an amusing finger in the face of the company he founded but left (under under[sic] less-than-ideal circumstances) earlier this year, but as UploadVR reported in February, Oculus head of content Jason Rubin said at the 2017 DICE Summit that Oculus was not doing anything to stop Revive-type hacks from working, and was actually taking steps to enable them to run more effectively.
The City watchdog's former enforcement chief is joining the board of a new bank lobbying group that launches this week with the tough task of rebuilding trust in the industry.
Sky News has learnt that Tracey McDermott, who quit the Financial Conduct Authority last year after failing to land the top job, will be among about 20 inaugural directors of UK Finance (UKF).
Ms McDermott, who is now a senior executive at Standard Chartered, will lead UKF's work on fraud and financial crime detection and prevention.
[...] UKF is being chaired by Bob Wigley, a former member of the Court of the Bank of England, and run as CEO by ex-Santander UK and Barclays executive Stephen Jones.
It has been formed by merging six existing trade bodies, including the British Bankers' Association (BBA), Council of Mortgage Lenders and Financial Fraud Action UK.
[...] Significantly, they will include Joanna Elson OBE, chief executive of the Money Advice Trust, who will provide a voice at the UKF boardroom table for issues relating to consumer protection and financial inclusion.
Other prominent directors will include: Jayne-Anne Gadhia, the Virgin Money boss, who will lead on diversity; Peter Smith, founder and CEO of Blockchain; Ashok Vaswani, who runs Barclays UK; Ian Stuart, HSBC's UK chief executive; and Joe Garner, boss of Nationwide, who will oversee UKF's work on mutuals.
Source: Sky News
Bridge International Academies — a chain of inexpensive private schools — has ambitious plans to revolutionize education for poor children. But can its for-profit model work in some of the most impoverished places on Earth?
[...] Bridge operates 405 schools in Kenya, educating children from preschool through eighth grade, for a fee of between $54 and $126 per year, depending on the location of the school. It was founded in 2007 by May and her husband, Jay Kimmelman, along with a friend, Phil Frei. From early on, the founders’ plans for the world’s poor were audacious. ‘‘An aggressive start-up company that could figure out how to profitably deliver education at a high quality for less than $5 a month could radically disrupt the status quo in education for these 700 million children and ultimately create what could be a billion-dollar new global education company,’’ Kimmelman said in 2014. Just as titans in Silicon Valley were remaking communication and commerce, Bridge founders promised to revolutionize primary-school education. ‘‘It’s the Tesla of education companies,’’ says Whitney Tilson, a Bridge investor and hedge-fund manager in New York who helped found Teach for America and is a vocal supporter of charter schools.
[...] Bill Gates, the Omidyar Network, the Chan Zuckerberg Initiative and the World Bank have all invested in the company; Pearson, the multinational textbook-and-assessment company, has done so through a venture-capital fund. Tilson talked about the company to Bill Ackman, the hedge-fund manager of Pershing Square, which ultimately invested $5.8 million through its foundation.
[...] Rather than approaching profitability, the company was operating at a loss of $1 million a month. In March of this year, May went to London to provide testimony to Parliament as part of a series of hearings about the British government’s international-development efforts in education, including $4.4 million of British government funding for Bridge that had allowed them to expand to Nigeria. In April, the committee chairman issued an open letter to Britain’s secretary of state for international development saying no further investments should be made until there has been ‘‘clear, independent evidence that the schools produce positive learning outcomes for pupils’’ and that there were ‘‘serious questions about Bridge’s relationships with governments, transparency and sustainability.’’ Those questions were echoes, perhaps, of the same question that Bridge skeptics had asked from the beginning: Even if its big dream made sense in theory, could it actually work amid the complicated political forces and brutal poverty of the nations whose children were most in need?
Source: The New York Times
When Bill Gates, Zuckerberg and the World Bank are involved, what could go wrong with the "Tesla of education companies"? I guess there's no need to worry about sustainability and transparency when there's Microsoft Office and Facebook profiles on the table.
A Minnesota woman has been charged with manslaughter after she shot and killed her boyfriend as part of the pair’s attempt to become YouTube celebrities.
According to court documents, Monalisa Perez called 911 on June 26 at around 6:30pm local time to say that she had shot Pedro Ruiz III. The two had set up two video cameras to capture Perez firing the gun at Ruiz while he held a book in front of his chest. Ruiz apparently convinced Perez that the book would stop the bullet from a foot away. The gun, a Desert Eagle .50 caliber pistol, was not hindered by the book.
[...] A video filmed the day before the shooting features Perez excitedly imagining what would happen when the couple reached 300,000 subscribers on their YouTube channel.
According to a Star Tribune report citing a nearby television station in North Dakota, the shooting took place near the couple's home as their three-year-old daughter was nearby. An aunt of Ruiz, who was not named by WDAY-TV, was quoted as saying that she knew what they planned to do and that she tried to talk them out of it.
The aunt said Ruiz replied, "'Because we want more viewers. We want to get famous.'"
Perez, 19, was released on bail on Wednesday. She is pregnant with the couple's second child.
Further details from The New York Times:
Ms. Perez told investigators that she had shot Mr. Ruiz from about a foot away while he held a 1.5-inch thick book to his chest, the authorities said. She described using a firearm that matched the pistol that was found at the scene.
Mr. Ruiz had been “trying to get her” to fire the gun “for a while,” Ms. Perez told investigators, according to court documents. They state that he had set up one camera on the back of a vehicle and another on a ladder to capture the stunt.
To help persuade her to pull the trigger, Mr. Ruiz had even shown Ms. Perez a book that he had previously shot himself, she told investigators. In that case, she said, the bullet had not gone all the way through the text.
See also: CNN.
-- submitted from IRC
US authorities intercepted and recorded millions of phone calls last year under a single wiretap order, authorized as part of a narcotics investigation.
The wiretap order authorized an unknown government agency to carry out real-time intercepts of 3.29 million cell phone conversations over a two-month period at some point during 2016, after the order was applied for in late 2015.
The order was signed to help authorities track 26 individuals suspected of involvement with illegal drug and narcotic-related activities in Pennsylvania.
The wiretap cost the authorities $335,000 to conduct and led to a dozen arrests.
But the authorities noted that the surveillance effort led to no incriminating intercepts, and none of the handful of those arrested have been brought to trial or convicted.
The revelation was buried in the US Courts' annual wiretap report, published earlier this week but largely overlooked.
"The federal wiretap with the most intercepts occurred during a narcotics investigation in the Middle District of Pennsylvania and resulted in the interception of 3,292,385 cell phone conversations or messages over 60 days," said the report.
Details of the case remain largely unknown, likely in part because the wiretap order and several motions that have been filed in relation to the case are thought to be under seal.
It's understood to be one of the largest number of calls intercepted by a single wiretap in years, though it's not known the exact number of Americans whose communications were caught up by the order.
Source: ZDNet
Daniel Pocock blogs about the misguided picture that most people have of social media. These web sites turn out to be an effective means to monitor and control the population. One key point he makes is that the public ignores the ease with which social media, such as Facebook and Twitter, facilitate the effective kettling and surveillance of activists, campaigners, and other groups. He writes:
Facebook helps kettle activists in their arm chair. The police state can gather far more data about them, while their impact is even more muted than if they ventured out of their home.
And further down he asks,
Is somebody who takes pictures of you and insists on sharing them with hundreds of people, tagging your face for the benefit of biometric profiling systems, really a friend?
The addictive nature of these so-called services combined with the network effect make it really hard for people to escape, but the negative aspects really suggest that they should make the effort.
Researchers at UC San Diego have developed a temperature sensor that runs on tiny amounts of power -- just 113 picowatts, around 10 billion times less power than a watt. The sensor was described in a study recently published in Scientific Reports. "We're building systems that have such low power requirements that they could potentially run for years on just a tiny battery," Hui Wang, an author of the study, said in a statement.
The team created the device by reducing power in two areas. The first was the current source. To do that, they made use of a phenomenon that many researchers in their field are actually trying to get rid of. Transistors often have a gate with which they can stop the flow of electrons in a circuit, but transistors keep getting tinier and tinier. The smaller they get, the thinner the gate material becomes and electrons start to leak through it -- a problem called "gate leakage." Here, the leaked electrons are what's powering the sensor. "Many researchers are trying to get rid of leakage current, but we are exploiting it to build an ultra-low power current source," said Hui.
The researchers also reduced power in the way the sensor converts temperature to a digital readout. The result is a temperature sensor that uses 628 times less power than the current state-of-the-art sensors.
Source: Engadget
Journal Reference: Hui Wang & Patrick P. Mercier, Near-Zero-Power Temperature Sensing via Tunneling Currents Through Complementary Metal-Oxide-Semiconductor Transistors, Scientific Reports 7, Article number: 4427 (2017), doi:10.1038/s41598-017-04705-6
Launch Fails for Chinese Heavy-lift Carrier Rocket
A Chinese rocket launch failed on Sunday evening due to [an] abnormality during the flight following what appeared to be a successful liftoff, the official Xinhua News Agency said.
Experts will investigate the cause of the glitch for the launch of the Long March-5 Y2, China's second heavy-lift carrier rocket, from the Wenchang Space Launch Center in the southern province of Hainan, Xinhua said.
[...] Several launches of the Long March-5 were scheduled in preparation for China's lunar probe, manned space station and Mars probe missions, according to Xinhua. Sunday's launch was to be the last drill before the rocket was to carry a lunar probe later this year. It was not immediately clear how Sunday's failure will affect planned missions.
Chinese media report Long March 5 rocket failed soon after launch
Submitted via IRC for Bytram
On the morning of June 17, the Luxembourg-based satellite operator SES lost control of a large satellite in geostationary space, nearly 36,000km above the Earth's surface. Shortly after, the satellite operator began working with another company that specializes in space situational awareness to track the drifting machine, AMC-9. A few days ago that company, ExoAnalytic Solutions, saw the AMC-9 satellite begin to fragment.
"We have seen several pieces come off of it over the past several days," ExoAnalytic's chief executive officer, Doug Hendrix, told Ars. "We are tracking at least one of the pieces. I would hesitate to say we know for sure what happened."
Sunday 11am ET Update: In response to a query from Ars, the AMC-9 satellite's operator, Luxembourg-based SES, issued the following statement on Sunday morning:
In the early hours of 1st July, the SES Satellite Control reestablished contact to AMC-9. SES and the satellite manufacturer Thales are working around the clock to evaluate the status and define the next steps.
Tracking information received on 29 June had suggested that at least two separate objects were located in the vicinity of AMC-9. Their source has still to be determined. The new piece of information was included by Thales and SES in their investigations.
Kessler syndrome?
Source: A satellite may be falling apart in geostationary orbit
SES's AMC-9 satellite drifting after anomaly
NASA will impact a small asteroid with a spacecraft and measure changes in its orbit around a larger asteroid:
The first-ever mission to demonstrate an asteroid deflection technique for planetary defense -- the Double Asteroid Redirection Test (DART) -- is moving from concept development to preliminary design phase, following NASA's approval on June 23.
"DART would be NASA's first mission to demonstrate what's known as the kinetic impactor technique -- striking the asteroid to shift its orbit -- to defend against a potential future asteroid impact," said Lindley Johnson, planetary defense officer at NASA Headquarters in Washington. "This approval step advances the project toward an historic test with a non-threatening small asteroid."
While current law directs the development of the DART mission, DART is not identified as a specific budget item in the Administration's Fiscal Year 2018 budget.
The target for DART is an asteroid that will have a distant approach to Earth in October 2022, and then again in 2024. The asteroid is called Didymos -- Greek for "twin" -- because it's an asteroid binary system that consists of two bodies: Didymos A, about one-half mile (780 meters) in size, and a smaller asteroid orbiting it called Didymos B, about 530 feet (160 meters) in size. DART would impact only the smaller of the two bodies, Didymos B.
https://en.wikipedia.org/wiki/65803_Didymos
Related: https://www.nas.nasa.gov/publications/articles/feature_asteroid_simulations.html
Smart windows equipped with controllable glazing can augment lighting, cooling and heating systems by varying their tint, saving up to 40 percent in an average building's energy costs.
These smart windows require power for operation, so they are relatively complicated to install in existing buildings. But by applying a new solar cell technology, researchers at Princeton University have developed a different type of smart window: a self-powered version that promises to be inexpensive and easy to apply to existing windows. This system features solar cells that selectively absorb near-ultraviolet (near-UV) light, so the new windows are completely self-powered.
"Sunlight is a mixture of electromagnetic radiation made up of near-UV rays, visible light, and infrared energy, or heat," said Yueh-Lin (Lynn) Loo, director of the Andlinger Center for Energy and the Environment, and the Theodora D. '78 and William H. Walton III '74 Professor in Engineering. "We wanted the smart window to dynamically control the amount of natural light and heat that can come inside, saving on energy cost and making the space more comfortable."
The smart window controls the transmission of visible light and infrared heat into the building, while the new type of solar cell uses near-UV light to power the system.
"This new technology is actually smart management of the entire spectrum of sunlight," said Loo, who is a professor of chemical and biological engineering. Loo is one of the authors of a paper, published June 30, that describes this technology, which was developed in her lab.
Source: Princeton University
Journal Reference: Nicholas C. Davy, Melda Sezen-Edmonds, Jia Gao, Xin Lin, Amy Liu, Nan Yao, Antoine Kahn, Yueh-Lin Loo. Pairing of near-ultraviolet solar cells with electrochromic windows for smart management of the solar spectrum. Nature Energy, 2017; 2: 17104 DOI: 10.1038/nenergy.2017.104
The High Court has granted Liberty permission to challenge part of the UK's "extreme mass surveillance regime", with a judicial review of the Investigatory Powers Act.
The law forces internet companies to keep logs of emails, phone calls, texts and web browsing histories and to hand them over to the state to be stored or examined. The civil liberties campaign group wants to challenge this mass collection, arguing that the measure breaches British people's rights.
In a separate case in December, the European Court of Justice ruled the same powers in the previous law governing UK state surveillance were unlawful.
The government argues that it needs access to the data to help with criminal investigations and that the legislation is required because so much communication is done online. But Liberty said the legislation had passed through Parliament in part thanks to "shambolic political opposition" and that the government failed to provide evidence that surveillance of everybody in the UK was lawful or necessary.
Martha Spurrier, director of Liberty, said: "It's become clearer than ever in recent months that this law is not fit for purpose. The government doesn't need to spy on the entire population to fight terrorism. All that does is undermine the very rights, freedoms and democracy terrorists seek to destroy."
She added: "Our government's obsession with storing vast amounts of sensitive information about every single one of us looks dangerously irresponsible. If they truly want to keep us safe and protect our cybersecurity, they urgently need to face up to reality and focus on closely monitoring those who pose a serious threat."
Source: ZDNet