Submitted via IRC for BoyceMagooglyMonkey
The Disclose.io framework seeks to standardize "safe harbor" language for security researchers.
[...] Not a week goes by without another major business or Internet service announcing a data breach. And while many companies have begun to adopt bug bounty programs to encourage the reporting of vulnerabilities by outside security researchers, they've done so largely inconsistently. That's the reason for Disclose.io, a collaborative and open source effort to create an open source standard for bug bounty and vulnerability-disclosure programs that protects well-intentioned hackers.
The lack of consistency in companies' bug-disclosure programs—and the absence of "safe harbor" language that protects well-intended hackers from legal action in many of them—can discourage anyone who discovers a security bug from reporting it. And vague language in a disclosure program can not only discourage cooperation but can also lead to public-relations disasters and a damaged reputation with the security community, as happened with drone maker DJI last November.
[...] But these efforts haven't been translating into a wider adoption of those best practices—which is why Disclose.io was formed. The project has its roots in two separate-but-similar efforts being rolled into Disclose.io. The first is #LegalBugBounties, which is an effort started by Amit Elazari, a doctoral candidate at the University of California at Berkeley School of Law and a grantee of the university's Center for Long-Term Cybersecurity. The second is the Open Source Vulnerability Disclosure Framework, an effort launched in 2016 by Bugcrowd and the law firm CipherLaw.
EDF has halted four nuclear reactors at three power plants in France because of the current heatwave affecting Europe, a spokesman for the utility said on Saturday.
High temperatures registered in the Rhone and Rhine rivers, from which the three power plants pump their water for cooling, led to a temporary shutdown of the reactors, the spokesman said.
The Associated Press story at The Reading Eagle explains that excessive heat is harmful to fish.
According to IPMA, the Portuguese weather agency, about a third of the country's meteorological stations broke temperature records on Saturday. The highest was 46.4C [115°F] in Alvega, 120km from Lisbon.
[...] The high temperatures in Portugal and Spain are caused by a plume of warm air from the Sahara, which yesterday turned the sky an eerie orange in places, including above Amareleja.
In 2003, when Amareleja set the record for the country's hottest temperature - 47.4C [117°F] on 1 August - more than 2,000 people died as a direct result of the heat. Official figures on this summer's heat are expected to be made public at the end of the year.
Submitted via IRC for BoyceMagooglyMonkey
The U.S. government is stepping up its sensitivity to foreign governments insisting on reviews of software companies' source code.
The section of the bill that passed the Senate with an 87-10 vote stipulates that the Department of Defense cannot use any software product in a range of its systems unless the manufacturer fully discloses the software reviews by foreign governments that it has previously allowed or is under obligation to allow in the future. The language of the order is typically convoluted, and it does not include all foreign governments, only governments that are placed on a forthcoming list of cyber threats that is due within 180 days after the bill is signed. The president still has to sign off on the legislation, something he's expected to do, but you never know with this guy.
It appears that the section was prompted by a Reuters investigation from last year that found Hewlett Packard Enterprise permitted a company to review its source code for a piece of cyber defense technology on the behalf of the Russian government. The software is also used by the Pentagon. A subsequent report found that SAP, Symantec, and McAfee had also given the Russian government permission to dig through their code for software that's also used by the DOD.
Source: https://gizmodo.com/congress-votes-to-force-software-makers-to-reveal-if-th-1828064013
Submitted via IRC for BoyceMagooglyMonkey
23andMe has reached a deal with pharma giant GlaxoSmithKline, giving the company access to their (your) genetic data to potentially develop new drugs. Did they just sell us all out? Not exactly.
This isn't the first deal where 23andMe has allowed companies to use their (your) data for their research. The company makes up to $199 when you buy one of their spit kits and send in your DNA, but their business model has always depended on leveraging the data they amass as a result. The company has previously made similar, though smaller, deals with Genentech and Pfizer.
[...] The company doesn't technically hand over your data; analysts at 23andMe provide "summary statistics" to third parties. This is relatively safe, in theory, but if you're not sure how you feel about it, just click "Change Consent" under your account settings.
Source: https://vitals.lifehacker.com/what-you-re-really-agreeing-to-when-you-sign-up-for-23a-1828034397
A bizarre rogue planet without a star is roaming the Milky Way just 20 light-years from Earth. And according to a recently published study in The Astrophysical Journal, this strange, nomadic world has an incredibly powerful magnetic field that is some 4 million times stronger than Earth's, which generates spectacular auroras that would put our northern lights to shame.
The new observations, made with the National Science Foundation's Karl G. Jansky Very Large Array (VLA), provide not only the first radio detection of a planetary mass object beyond our solar system, but also mark the first time researchers have measured the magnetic field of such a body.
[...] The peculiar and untethered object, succinctly named SIMP J01365663+0933473 (we'll call it SIMP for simplicity's sake), was first discovered back in 2016. At the time, researchers thought SIMP was a brown dwarf: an object that's too big to be a planet, but too small to be a star. However, last year, another study showed that SIMP is just small enough, at 12.7 times the mass and 1.2 times the radius of Jupiter, to be considered a planet — albeit a mammoth one.
"This object is right at the boundary between a planet and a brown dwarf, or 'failed star,' and is giving us some surprises that can potentially help us understand magnetic processes on both stars and planets," said Arizona State University's Melodie Kao, who led the new study on SIMP, in a press release.
[...] SIMP seems to be a massive and magnetic exoplanet without a star that may have a moon that is generating brilliant auroras while wandering the Milky Way.
[...] "Detecting SIMP J01365663+0933473 with the VLA through its auroral radio emission also means that we may have a new way of detecting exoplanets, including the elusive rogue ones not orbiting a parent star," said co-author Gregg Hallinan of Caltech.
http://www.astronomy.com/news/2018/08/free-range-planet
-- submitted from IRC
iPhone supplier TSMC shut down factories after virus attack
Chipmaker Taiwan Semiconductor Manufacturing Co. [(TSMC)] shut down several of its factories last night [Friday] after it its[sic] systems were hit by a computer virus, reports Bloomberg.
TSMC is the largest semiconductor manufacturer in the world, and supplies components for companies like ADM[sic], Apple, Nvidia, and Qualcomm. The company told Bloomberg that the virus infected a "number of its fabrication tools," but that the "degree of infection varies" from factory to factory. Several have resumed their operations, but others won't come back online until tomorrow. The company indicated that its factories weren't infected by a hacker.
Update: TSMC says third-quarter revenue hit by computer virus
'Fortnite' Avoiding Google Play Store's 30% Cut on Android Version
"Fortnite" will be available on Android, but not on the Google Play Store. Players will be able to download the installer for the game via the official "Fortnite" website, with which they can then download the game onto their compatible Android device.
The confirmation comes from Epic Games just days after speculation rose over whether or not "Fortnite" would come to Google Play, due to source code in the mobile version of "Fortnite" with instructions for users including notes like "This is necessary to install any app outside of the Play Store" found by XDA Developers. This particular prompt is referring to install of "Fortnite" on Android requiring users to select an option on their phone which opens up the device to allow third-party developers to make changes—an action some are calling a security threat.
For Epic, it's a way to bring the game "directly to customers," without the aid of a middleman. In a Q&A released by Epic, the publisher stated that, "We believe gamers will benefit from competition among software sources on Android. Competition among services gives consumers lots of great choices and enables the best to succeed based on merit." Of course, Google's 30% for games released through its Play Store is also a motivator.
"Avoiding the 30% 'store tax' is a part of Epic's motivation," Epic Games' Tim Sweeney stated in a Q&A. "It's a high cost in a world where game developers' 70% must cover all the cost of developing, operating, and supporting their games. And it's disproportionate to the cost of the services these stores perform, such as payment processing, download bandwidth, and customer service. We're intimately familiar with these costs from our experience operating 'Fortnite' as a direct-to-customer service on PC and Mac."
See also: Epic Games' strategy for Fortnite on Android is stupid, greedy, and dangerous
Related: Epic Games Sues 14-Year-Old after He Files a DMCA Counterclaim for a How-to-Cheat Video
Sony Faces Growing 'Fortnite' Backlash At E3
Marketwatch brings good news for the USA: American workers are finally reaping the benefits of the lowest unemployment rate and best jobs market in decades: Wages and benefits are rising at the fastest pace in a decade. Firms have sought to fill openings by offering better benefits such as more vacation time or flexible hours. When push comes to shove, they are offering higher pay. While bigger paychecks are great for workers, the US Federal Reserve is watching closely to see if rising compensation is stoking inflation. The Federal Reserve could increase U.S. interest rates if it becomes a big worry, but so far inflation remains relatively mild.
Submitted via IRC for BoyceMagooglyMonkey
The ancient Maya were an innovative people. They constructed intricate cities throughout the tropical lowlands of the Yucatán Peninsula, communicated using one of the world's first written languages, and created two calendar systems by studying the stars. But despite their achievements, the thriving Mayan civilization mysteriously collapsed sometime between the eighth and ninth centuries. We still don't know exactly why.
The general consensus is that the Mayan collapse was caused by a number of things, including disease, war, and other sociopolitical conflicts. One natural factor may have contributed to all of these issues: drought. A particularly bad drought would have made it difficult for the Maya to collect enough drinking water and to irrigate their crops. It also could have encouraged the spread of disease and increased the strain between Mayan leaders and their people.
[...] By analyzing sediment from Lake Chichancanab in the Yucatán Peninsula, Gázquez-Sánchez and his colleagues found that compared to today, annual rainfall decreased by between 41 percent and 54 percent over the multi-decade Mayan drought. When the drought was most severe, rainfall plummeted by as much as 70 percent, the researchers wrote in their study published Thursday in Science.
The team developed a method to extract that thousand-year-old water [trapped in lake bottom sediment's gypsum] and study the hydrogen and oxygen isotopes inside. During drought conditions, lighter water isotopes evaporate first, and the heavier isotopes are left to be trapped in gypsum. By tallying when those heavy isotopes were more common, the researchers were able to create rainfall and humidity estimates.
[...] It could even tell us about the climate histories of other planets: Mars, for instance, also has gypsum deposits.
Source: https://gizmodo.com/scientists-just-measured-the-drought-that-may-have-brou-1828053642
The Latacora firm has a blog post asserting that OpenSSH-portable has poor defaults for encrypting private RSA keys because of its reliance on OpenSSL. The blog goes into why this is a problem and how you can test it for yourself.
There is nothing wrong with the generated RSA keys themselves; the problem is only the encryption of the private key when it is made using the current defaults. OpenSSH has two ways of encrypting private keys: the old format, which is apparently insecure, and a newer key format that is available but not the default. Newer key types like Ed25519 use only the new format and are not affected by this problem.
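One check a practitioner can run against an existing key directory: the two formats are distinguishable from the file header alone, so a short audit script can flag keys that still use the old container before deciding what to re-encrypt. The script below is an added example, not code from Latacora or the OpenSSH project; the sample key files it writes are constructed filler with placeholder bodies, not real keys, and the directory and file names are assumptions for the demo.

```shell
#!/bin/sh
# Audit helper for the OpenSSH private-key format issue discussed above.
# Added example, not code from Latacora or OpenSSH; the file names and
# sample key bodies below are constructed placeholders, not real keys.
#
# Legacy PEM keys ("-----BEGIN RSA PRIVATE KEY-----") that carry a
# "Proc-Type: 4,ENCRYPTED" header were encrypted through OpenSSL's PEM
# routines, whose passphrase derivation is the weak default the post is
# about. Keys in the newer "-----BEGIN OPENSSH PRIVATE KEY-----" container
# (ssh-keygen -o) use bcrypt_pbkdf instead.

# Print the format class of one private-key file:
#   new-format        OpenSSH native container (what you want)
#   legacy-encrypted  PEM + Proc-Type header: re-encrypt with -o
#   legacy-plaintext  PEM with no passphrase at all
#   unknown           not an OpenSSH/PEM private key
ssh_key_format() {
    f="$1"
    if grep -q -e '^-----BEGIN OPENSSH PRIVATE KEY-----' "$f"; then
        echo new-format
    elif grep -E -q '^-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----' "$f"; then
        if grep -q -e '^Proc-Type: 4,ENCRYPTED' "$f"; then
            echo legacy-encrypted
        else
            echo legacy-plaintext
        fi
    else
        echo unknown
    fi
}

# Write a constructed sample file of the given class to DIR/NAME so the
# classifier can be exercised offline. The base64 body is filler, not a key.
write_sample_key() {
    dir="$1"; name="$2"; kind="$3"
    case "$kind" in
        new-format)
            printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
                'b3BlbnNzaC1rZXktdjEAAAAAQUFBQQ==' \
                '-----END OPENSSH PRIVATE KEY-----' > "$dir/$name" ;;
        legacy-encrypted)
            printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
                'Proc-Type: 4,ENCRYPTED' \
                'DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF' \
                '' 'QUFBQUFBQUFBQUFBQUFBQQ==' \
                '-----END RSA PRIVATE KEY-----' > "$dir/$name" ;;
        legacy-plaintext)
            printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
                'QUFBQUFBQUFBQUFBQUFBQQ==' \
                '-----END RSA PRIVATE KEY-----' > "$dir/$name" ;;
    esac
}

# Report every file under DIR that still uses the legacy PEM container,
# encrypted or not. Returns 0 when nothing needs attention, 1 otherwise.
audit_ssh_dir() {
    dir="$1"; rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        kind=$(ssh_key_format "$f")
        printf '%-18s %s\n' "$kind" "$f"
        case "$kind" in
            legacy-*) rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone demo over constructed files in a temporary directory.
demo_dir=$(mktemp -d)
write_sample_key "$demo_dir" id_rsa_old legacy-encrypted
write_sample_key "$demo_dir" id_rsa_new new-format
write_sample_key "$demo_dir" id_ed25519 new-format
audit_ssh_dir "$demo_dir" || \
    echo 'Re-encrypt flagged keys with: ssh-keygen -p -o -a 100 -f <keyfile>'
rm -rf "$demo_dir"
```

The remediation line at the end uses real ssh-keygen flags: `-p` changes the passphrase in place, `-o` writes the new container, and `-a 100` raises the bcrypt_pbkdf round count; run it once per flagged key and confirm with the classifier that the header now reads `BEGIN OPENSSH PRIVATE KEY`. Ed25519 keys come out in the new container from the start, which is why the demo's constructed `id_ed25519` is already reported as `new-format`.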
Earlier on SN:
WikiLeaks Unveils CIA Implants That Steal SSH Credentials From Windows, Linux PCs (2017)
Upgrade Your SSH Keys (2016)
OpenSSH 6.8 Will Feature Key Discovery and Rotation for Easier Switching to DJB's Ed25519 (2015)
Creators of fake accounts and news pages on Facebook are learning from their past mistakes and making themselves harder to track and identify, posing new challenges in preventing the platform from being used for political misinformation, cyber security experts say.
This was apparent as Facebook tried to determine who created pages it said were aimed at sowing dissension among U.S. voters ahead of congressional elections in November. The company said on Tuesday it had removed 32 fake pages and accounts from Facebook and Instagram involved in what it called "coordinated inauthentic behavior."
[...] Facebook said it had shared evidence connected to the latest flagged posts with several private sector partners, including the Digital Forensic Research Lab, an organization founded by the Atlantic Council, a Washington think tank.
Facebook also said the use of virtual private networks, internet phone services, and domestic currency to pay for advertisements helped obfuscate the source of the accounts and pages. The perpetrators also used a third party, which Facebook declined to name, to post content.
Source: Reuters
A major US non-profit group focused on improving child health has abruptly terminated US$3 million in research grants — leaving nearly 40 scientists confused, angry and scrambling to secure new funding.
On 24 July, 37 grant recipients received an e-mail from the March of Dimes Foundation in New York City informing them that their 3-year grants had been cut off, retroactively, starting on 30 June. Many of the researchers were only a year into their projects, and had had just enough time to hire and train staff, purchase supplies and generate preliminary results. Now, several say that they might need to lay off employees, euthanize lab animals and shelve their research projects if they cannot find other funding — fast.
The March of Dimes, which is supported largely by individual donations, made the decision to revoke the grants because of a budget shortfall, says Kelle Moley, the group's chief scientific officer. "I know this is harsh news," Moley says. "As a former grantee, this would be devastating to me as well."
That is small consolation to many researchers whom Nature spoke to.
Source: Nature
Like other migrating beasts, hackers travel huge distances for feeding, breeding, and breaking things every summer -- at Defcon in Las Vegas. The way they move about the city is driven primarily by the availability of free booze at corporate parties or the convenience of air-conditioned infosec habitats; the heat makes them torpid. As such, everyone takes taxis, Ubers, and Lyfts everywhere, day and night.
The mostly-male migration forgoes the braggadocio of colorful plumage as seen in avian species. Instead, they establish social dominance and attract attention of potential mates and recruiters by bragging. Thus, according to my taxi-related experiences while covering the conference over the years, Las Vegas car drivers overhear way more of infosec's boasting and swagger than they probably should.
Ferrying hackers and feds during "hacker summer camp" has got to be a dream gig for a spy. How could it not be? Spying on hackers is usually more trouble than it's worth. Thanks to Uber and Lyft's gig economy it's much easier. No union, no problem (for them at least).
Source: https://www.engadget.com/2018/08/03/when-your-uber-driver-is-a-spy/
Submitted via IRC for BoyceMagooglyMonkey
Next week, NASA is scheduled to send human technology closer to a star than ever before. What they learn could change our understanding of, well, the whole galaxy.
The Parker Solar Probe is a mission set to orbit the Sun at just 3.8 million miles. Compare that to Earth's average distance of 93 million miles, or Mercury's average distance of 36 million miles. The spacecraft will need to shield itself from temperatures as high as 2,500 degrees Fahrenheit in order to find answers to the many questions scientists still have about our Sun and stars in general.
"The message is simple," Jim Garvin, chief scientist at NASA Goddard Space Flight Center, told Gizmodo. "By understanding our Sun in this way, [it will] connect the dots between how the Sun works, how it affects the Earth and other worlds throughout the Solar System, and... how we look at planetary systems around other stars."
[...] The probe is at Cape Canaveral, loaded into a Delta IV heavy rocket. Following its August 11-at-the-earliest launch, it will hurtle towards the Solar System's center at speeds as fast as 430,000 miles per hour, according to a NASA fact sheet. It will pass our neighboring planet Venus seven times for a gravitationally assisted slow down, studying our gassy neighbor along the way, before arriving at its final solar orbit.
[...] The mission comes with extreme challenges that the project engineers have done their best to prepare for. An 8-foot-wide, 4.5-inch-thick carbon-composite shield protects the probe, keeping its instruments at a cozy 85 degrees Fahrenheit, according to NASA. The outside face of the shield is coated with white ceramic paint to further reflect heat away from the probe.
Source: https://gizmodo.com/nasas-sun-probe-set-to-launch-next-week-on-its-journey-1828053654