Submitted via IRC for SoyCow1984
Hacker lore is littered with tales of mysterious attackers breaking into hotels—perhaps at a conference—to get their hands on someone’s laptop with the goal of installing malware on it by physically connecting to the machine. That’s why the more careful hackers never leave their laptops unattended at events, or bring disposable computers with little to nothing valuable on them.
These types of attacks are called evil maid attacks in the infosec world, because the imaginary attacker is someone who has access to your room and malicious intentions. Pwning a laptop via physical access is a tried and tested method to hack someone. But there’s no better way to be reminded of how effective and sometimes effortless these attacks can be than an actual demo.
In early July, security firm Eclypsium posted a video showing how Mickey Shkatov, one of its researchers, hacks into a laptop by opening it up, connecting a device directly to the chip that contains the BIOS, and installing malicious firmware on it—all in just over four minutes. That easy. (In some cases hackers don’t even need to open up the laptop).
“Physical attacks are hard to defend against and most people aren’t doing anything to defend against them,” John Loucaides, Eclypsium’s vice president of engineering, told me. “It’s not as hard of an attack to pull off as most people think. It takes less time and less effort than most people realize.”
[...] The good news is that while it’s relatively easy to hack a laptop once you get your hands on it, all the work required to get there (monitoring a target to learn where they live or sleep, breaking into their room, etc.) makes these attacks likely rare.
A Paris court on Thursday ordered Twitter to change its small print, according to a consumer group which accused the tech giant of having "abusive" clauses in its terms and conditions.
UFC-Que Choisir claimed victory in its case against the US social media platform, saying "the conviction has a gigantic scope for the protection of users' personal data". The consumer association had called on the high court "to recognise the abusive or illegal nature" of 256 clauses contained in Twitter's terms and conditions that it said breached users' privacy.
In particular, UFC-Que Choisir said the court's decision guarantees Twitter users that their photos and tweets can no longer be "commercially exploited" if they have not given their consent. "By ticking a small box to accept the terms of service, the consumer has not expressly accepted their data can be exploited," the group said.
These half-billion-year-old creatures were animals—but unlike any known today
So-called Ediacaran organisms have puzzled biologists for decades. To the untrained eye they look like fossilized plants, in tube or frond shapes up to 2 meters long. These strange life forms dominated Earth's seas half a billion years ago, and scientists have long struggled to figure out whether they're algae, fungi, or even an entirely different kingdom of life that failed to survive [DOI: 10.1144/gsjgs.149.4.0607] [DX]. Now, two paleontologists think they have finally established the identity of the mysterious creatures: They were animals, some of which could move around, but they were unlike any living on Earth today.
Scientists first discovered the Ediacaran organisms in 1946 in South Australia's Ediacara Hills. To date, researchers have identified about 200 different types in ancient rocks across the world. Almost all appear to have died out by 541 million years ago, just before fossils of familiar animals like sponges and the ancestors of crabs and lobsters appeared in an event dubbed the Cambrian explosion. One reason these creatures have proved so tricky to place in the tree of life is that some of them had an anatomy unique in nature. Their bodies were made up of branched fronds with a strange fractal architecture [open, DOI: 10.1073/pnas.1408542111] [DX], in which the frond subunits resembled small versions of the whole frond.
Cambrian petalonamid Stromatoveris phylogenetically links Ediacaran biota to later animals (open, DOI: 10.1111/pala.12393) (DX)
China hints at three-child policy with 'happy family' stamps
Speculation is mounting in China that the country is set to further relax its two-child policy and allow people to have more children.
Postage stamps unveiled earlier this week to mark the incoming Year of the Pig in February 2019 have led many social media users to question whether a loosening of family planning restrictions could be imminent.
The stamps show a parent pig couple and three piglets. On the surface, it hardly appears to be a policy announcement. But users on the popular Sina Weibo microblog have pointed out that two years ago, before the one-child policy was abolished, China issued Year of the Monkey stamps featuring two baby monkeys.
And in recent months, the Chinese government has been strongly encouraging couples to have more than one child. Local authorities have even been offering incentives, such as tax breaks, and education and housing subsidies.
A 2015 UN report projected that China's population would decline to about 1 billion by 2100, although some experts put the number even lower.
Related: China's 'Missing Girls' Theory Likely Far Overblown, Study Shows
A browser extension that acted as an anti-censorship tool for 185,000 people has been kicked out of the Chrome store by Google. The open source Ahoy! tool facilitated access to more than 1,700 blocked sites but is now under threat. Despite several requests, Google has provided no reason for its decision.
Last December, TF reported on SitesBloqueados (Blocked Sites), a web portal run by Revolução dos Bytes (Bytes' Revolution), a group of anti-censorship activists in Portugal.
Internet censorship is common in the country, with more than 1,700 sites banned from regular Internet access for reasons ranging from copyright to gambling. The process does not require intervention from the courts so Revolução dos Bytes decided to keep an eye on things with its Ahoy! Chrome and Firefox extension.
"Ahoy! basically bypasses any traffic to a blocked site through our own proxies, allowing the users to navigate in a free, uncensored internet," team member Henrique Mouta previously told TF.
Not only is Ahoy! able to unblock sites, it can also detect newly blocked domains and feed information back, so that its unblocking abilities are always up to date.
Things had been going well. After servicing 100,000 users last December, Ahoy! grew to almost 185,000 users this year. However, progress, and indeed the project itself, is now under threat after arbitrary action by Google.
"Google decided to remove us from Chrome's Web Store without any justification", Henrique informs TF.
"We always make sure our code is high quality, secure and 100% free (as in beer and as in freedom). All the source code is open source. And we're pretty sure we never broke any of the Google's marketplace rules."
Four years ago, IOActive security researcher Ruben Santamarta came to Black Hat USA to warn about insecurities in aircraft satellite-communication (SATCOM) systems. Now he's back with more doom and gloom.
During a presentation at this year's hacking conference in Las Vegas this week, he claimed he had found a host of flaws in aircraft, shipping, and military satellite comms and antenna-control boxes that can be exploited to snoop on transmissions, disrupt transportation, infiltrate computers on military bases, and more – including possibly directing radio-transmission electronics to bathe fleshy humans in unhealthy amounts of electromagnetic radiation.
“It’s pretty much the same principle as a microwave oven,” he told The Register. “The flaws allow us to ramp up the frequency.”
The vulnerabilities stem from a variety of blunders made by SATCOM hardware manufacturers. Some build backdoors into their products for remote maintenance, which can be found and exploited, while other equipment has been found to be misconfigured or using hardcoded credentials, opening them up to access by miscreants. These holes can be abused by a canny hacker to take control of an installation's antenna, and monitor the information the data streams contain.
"Some of the largest airlines in the US and Europe had their entire fleets accessible from the internet, exposing hundreds of in-flight aircraft," according to Santamarta. "Sensitive NATO military bases in conflict zones were discovered through vulnerable SATCOM infrastructure. Vessels around the world are at risk as attackers can use their own SATCOM antennas to expose the crew to radio-frequency radiation."
Essentially, think of these vulnerable machines as internet-facing or network-connected computers, complete with exploitable remote-code-execution vulnerabilities. Once you've been able to get control of them – and there are hundreds exposed to the internet, apparently – you can disrupt or snoop on or meddle with their communications, possibly point antennas at people, and attack other devices on the same network.
[...] He also claimed it is possible to take over an aircraft's satellite-communications system from the ground, depending on the model, and then potentially not only commandeer the in-flight Wi-Fi access point but also menace devices of individual passengers. The in-flight wireless network could also be hacked while onboard the airplane, we're told, if you'd rather not go the SATCOM route.
It would not be possible for him to hijack the aircraft's core control systems, though, as these are kept strictly separate and locked down. The aircraft SATCOM holes have since been fixed, he told the conference.
Researchers at the National Institute of Standards and Technology (NIST) have used a laser detection and ranging (LADAR) system to image three-dimensional (3-D) objects melting in flames. The method could offer a precise, safe and compact way to measure structures as they collapse in fires.
Optical range measurements, already used in manufacturing and other fields, may help overcome practical challenges posed by structural fires, which are too hot to measure with conventional electromechanical sensors mounted on buildings.
As described in Optica, the NIST demonstration used a commercial LADAR system to map distances to objects melting behind flames that produced varying amounts of soot. The experiment measured 3-D surfaces with a precision of 30 micrometers (millionths of a meter) or better from 2 meters away. This level of precision meets requirements for most structural fire research applications, according to the paper.
[...] LADAR offers several advantages as a tool for imaging through flames. The technique is very sensitive and is able to image objects even when small amounts of soot are present in the flames. The method also works at a distance, from far enough away that the equipment is safe from the intense heat of a fire. In addition, the instrument can be compact and portable, relying on fiber optics and simple photodetectors.
[...] The researchers successfully applied LADAR to measure and map 3-D "point clouds"—points are the "voxels" constituting an image—even in a turbulent fire environment with strong signal scattering and distortion. For comparison, the team also made videos of the chocolate as it melted and images of a more complex plastic skeleton.
[...] The initial experiments were conducted with flames just 50 millimeters wide on lab burners at the University of Colorado Boulder. The preliminary results suggest that the LADAR technique could be applied to larger objects and fires. The NIST team now plans to scale up the experiment, first to make 3-D images of objects through flames about 1 meter wide and, if that works, to make quantitative observations of larger structural fires.
UPDATED: In its earnings call on Tuesday morning, Warner Music Group announced that it has now sold its entire stake in Spotify, realizing $504 million. CEO Steve Cooper said that the sale resulted in $126 million “credited to artist accounts on their June 30 royalty statements which are issued around the world in August and September.” A rep confirmed that distributed labels are included in that amount, if their deal terms call for it.
“In February 2016, we were the first major to announce a policy to share proceeds from equity in streaming services with artists,” Cooper noted. However, Music Business Worldwide reports that unlike Sony Music, which is also sharing proceeds from the sale of its Spotify equity, Warner is not overlooking artists’ and labels’ unrecouped balances, which means that the proceeds could go not directly to the artist but to Warner as part of the recoupment of an artist’s advance and/or other label expenses. A rep for WMG did not immediately respond to Variety‘s requests for comment or confirmation on that matter.
Of the other three label groups, Sony Music sold approximately 50% of its shares for an estimated $750 million, the company revealed in a public filing in May, while independent label collective Merlin sold 100% of its shares for an amount estimated at upward of $125 million and immediately distributed the earnings to its members. Universal Music Group has not sold its shares, perhaps in anticipation of parent company Vivendi’s plan to sell 50% of that business unit.
Investigators at the Army's Institute for Soldier Nanotechnologies (ISN), located at MIT, have developed a 3-D printing platform that can enable both the modeling and design of complex magnetically actuated devices. The new approach utilizes a 3-D printing platform fitted with an electromagnet nozzle and a new type of 3-D printable ink infused with magnetic particles. Their findings could lead to new biomedical applications, magnetic ink optimized to strengthen soft robotic functionality, and new on-demand flexible material systems for integration into Soldier systems.
"This research provided new insight on ways to cause fast changes in 3-dimensional shapes of parts such as robot's limbs. The MIT group demonstrated this success using auxetic metamaterials—synthetic composite materials that have an unusual internal structure and the unusual property that when exposed to external magnetic actuation, they shrank in both longitudinal and transverse directions. This is different from typical auxetic materials that do require direct mechanical contact, and when compressed they undergo contraction in the directions perpendicular to the applied force (this is called the negative Poisson's ratio). On the contrary, common materials expand in the directions orthogonal to compressive load. In one example from this research, through remote magnetic control, they caused a metamaterial structure to jump forward 120 mm within 0.7 s, which is very fast for the current state of the art. This jump was due to a rapid release of elastic and magnetic potential energy stored in that structure. Such complex shape-morphing structures could have great potential for the Army, because they may help create soft robots—robots with pliable limbs similar to natural organisms. Compared to the current generation of rigid robots, soft robots could move much more dexterously on a complex battlefield terrain," said Army Research Laboratory Dr. Alex Hsieh.
This technology may enable the future Army to fabricate magnetic 3-D printed structures that can crawl, roll, jump or grab in support of Army relevant needs. This research effort enables controlling the magnetic orientation of newly 3-D printed devices so that they are able to rapidly change into new intricate formations or move about as various sections respond to an external magnetic field. Functions demonstrated from these complex shape changes include reconfigurable soft electronics, mechanical metamaterial that can jump and a soft robot that can crawl, roll, catch fast moving objects or deliver pharmaceuticals.
Although a wide range of potential applications exists for ARMv8-M processors, developers working on secure real-time applications will see the largest benefit. So far, the ARMv8-M architecture can be found in the Cortex-M23, Cortex-M33 and Cortex-M35P processors. Let’s take a look at the new features included in ARMv8-M and how these processors differ from previous-generation ARMv7-M parts.
[...] The ARMv8-M feature that really sets the M23, M33, and M35P apart is their support for ARM TrustZone. TrustZone for ARMv8-M is a security extension that provides hardware-enforced isolation within the microcontroller so that developers can partition it into Secure and Non-secure regions. These regions can be locations in RAM or Flash, or even interrupts and peripherals. The separation lets developers protect mission-critical code and data from the rest of the firmware.
The isolation adds two security states the processor can execute in: Secure and Non-secure. Code executing in the Secure state can access memory in both the Secure and Non-secure regions. Code executing in the Non-secure state can only see Non-secure regions; Secure memory is hidden from it and cannot be read or executed directly. The only way in is through a gateway: a small entry veneer placed in Secure memory that is marked Non-secure Callable (NSC) and begins with a Secure Gateway (SG) instruction, so that Non-secure code can call a Secure function without seeing what happens behind the scenes.
There are several other new features that developers will find interesting besides the TrustZone extension. These include:
- Simpler MPU setup
- Flexible breakpoint configuration
- Improved trace support
- Instruction set enhancements
- Dynamic reprioritization of interrupts
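To make the attribution rules above concrete, here is an added, host-runnable C model of how an ARMv8-M core decides what Non-secure code may touch. It is example code written for this page, not Arm's or any vendor's code, and the memory map it uses is a constructed, hypothetical layout: the Security Attribution Unit (SAU) region table marks Non-secure and NSC ranges, every address the table does not match is Secure by default, overlapping enabled regions resolve to Secure, a Non-secure data access to anything but Non-secure memory faults, and a Non-secure branch into Secure memory is only accepted when the target lies in an NSC region and begins with the SG instruction (0xE97FE97F). The IDAU and MPU are left out of the model.

```c
/* Host-side model of ARMv8-M TrustZone security attribution (added example,
 * not Arm/vendor code). Models the SAU lookup and the Non-secure -> Secure
 * entry rule on a hypothetical memory map. IDAU and MPU are not modelled. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { ATTR_SECURE = 0, ATTR_NONSECURE = 1, ATTR_NSC = 2 } sec_attr_t;

typedef struct {
    uint32_t base, limit;   /* inclusive address range */
    bool nsc;               /* Non-secure callable: SG veneers live here */
    bool enabled;
} sau_region_t;

/* Constructed layout. Secure flash/SRAM is everything the SAU does not list,
 * because an address that matches no enabled region is Secure by default. */
static const sau_region_t sau_regions[] = {
    { 0x001FF000u, 0x001FFFFFu, true,  true  }, /* NSC veneer page at end of Secure flash */
    { 0x00200000u, 0x0027FFFFu, false, true  }, /* Non-secure flash */
    { 0x20200000u, 0x2023FFFFu, false, true  }, /* Non-secure SRAM */
    { 0x40000000u, 0x4FFFFFFFu, false, false }, /* peripherals: region configured but disabled */
};

#define SG_INSN 0xE97FE97Fu  /* Secure Gateway, 32-bit Thumb encoding */

sec_attr_t sau_attribute(uint32_t addr)
{
    sec_attr_t attr = ATTR_SECURE;
    int hits = 0;
    for (size_t i = 0; i < sizeof sau_regions / sizeof sau_regions[0]; i++) {
        const sau_region_t *r = &sau_regions[i];
        if (!r->enabled || addr < r->base || addr > r->limit)
            continue;
        hits++;
        attr = r->nsc ? ATTR_NSC : ATTR_NONSECURE;
    }
    /* Overlapping enabled regions resolve to Secure: the check fails closed. */
    return hits > 1 ? ATTR_SECURE : attr;
}

/* Data access: Secure code sees everything; Non-secure code sees only
 * Non-secure memory. NSC memory is Secure memory for data purposes. */
bool data_access_allowed(bool caller_secure, uint32_t addr)
{
    return caller_secure || sau_attribute(addr) == ATTR_NONSECURE;
}

typedef enum { BR_STAY_NONSECURE, BR_ENTER_SECURE, BR_SECURE_FAULT } branch_result_t;

/* Non-secure code branches to `target`; `first_insn` is the 32-bit word at the
 * target. Entry into Secure code is only legal through an SG in an NSC region. */
branch_result_t ns_branch(uint32_t target, uint32_t first_insn)
{
    switch (sau_attribute(target)) {
    case ATTR_NONSECURE:
        return BR_STAY_NONSECURE;
    case ATTR_NSC:
        return first_insn == SG_INSN ? BR_ENTER_SECURE : BR_SECURE_FAULT;
    default:
        return BR_SECURE_FAULT;   /* direct jump into Secure code: INVEP SecureFault */
    }
}

int main(void)
{
    const uint32_t nop_pair = 0xBF00BF00u;   /* two Thumb NOPs, i.e. not an SG */
    printf("NS read of Secure flash allowed? %d\n", data_access_allowed(false, 0x00001000u));
    printf("NS read of NS SRAM allowed?      %d\n", data_access_allowed(false, 0x20200100u));
    printf("NS call to SG veneer:            %d\n", ns_branch(0x001FF100u, SG_INSN));
    printf("NS call past the SG:             %d\n", ns_branch(0x001FF104u, nop_pair));
    printf("NS jump straight into Secure:    %d\n", ns_branch(0x00001000u, SG_INSN));
    return 0;
}
```

The last two calls in main are the ones worth staring at: landing in the veneer page on anything other than an SG, or jumping straight into Secure flash even at an address that happens to hold an SG, both fault. That is what "hidden and cannot be executed from the Non-secure state" amounts to at the hardware level.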
NASA Announces New Partnerships to Develop Space Exploration Technologies
NASA is partnering with six U.S. companies to develop 10 "tipping point" technologies that have the potential to significantly benefit the commercial space economy and future NASA missions, including lunar lander and deep space rocket engine technologies.
Selections are based on the agency's third competitive Tipping Point solicitation, and have a combined total award value of approximately $44 million – a significant investment in the U.S. space industry.
A technology is considered at a "tipping point" if investment in a ground or flight demonstration will result in significantly maturing the technology and improving the company's ability to bring it to market.
The companies are Blue Origin, Space Systems/Loral, United Launch Alliance, Frontier Aerospace Corporation, Paragon Space Development Corporation, and Astrobotic Technology, Inc.
Also at Engadget.
To convince workers to join the unstable and unreliable world of freelance work, startups and platforms often promise freedom and flexibility. But on the digital freelance platform Upwork, company software tracks hundreds of freelancers while they work by saving screenshots, measuring the frequency of their clicks and keystrokes, and even sometimes taking webcam photos of the workers.
Upwork, which hosts "millions" of coding and design gigs, guarantees payment for freelancers, even if the clients who hired them refuse to pay. But in order to get the money, freelancers have to agree in advance to use Upwork's digital Work Diary, which counts keystrokes to measure how "productive" they are and takes screenshots of their computer screens to determine whether they're actually doing the work they say they're doing.
Upwork's tracker isn't automatically turned on for all gigs on the platform. Some freelancers like it because it guarantees payment, but others find it unnerving. Adam Florin is a digital freelancer who says he's used various time tracking tools during his 15-year career, and he finds Upwork's software particularly "creepy."
[...] "I've never had a client expect to be able to look over my shoulder for every minute of every day," Florin told BuzzFeed News via direct message. "That's what Upwork is providing."
Florin said the idea of rating a freelancer's productivity by counting keyboard taps and mouse clicks is "bogus," and he thinks Upwork's use of screenshots is an overreach.
Ben-Gurion University of the Negev (BGU) cyber security researchers warn of a potential distributed attack against urban water services that uses a botnet of smart irrigation systems that water simultaneously.
The researchers analyzed a number of commercial smart irrigation systems and found vulnerabilities that let attackers remotely turn watering on and off at will. They tested three of the most widely sold products: GreenIQ, BlueSpray, and RainMachine.
“By simultaneously applying a distributed attack that exploits such vulnerabilities, a botnet of 1,355 smart irrigation systems can empty an urban water tower in an hour and a botnet of 23,866 smart irrigation systems can empty a flood water reservoir overnight,” Ben Nassi, a researcher at Cyber@BGU, says. “We have notified the companies to alert them of the security gaps so they can upgrade their smart irrigation systems’ firmware.”
Water production and delivery systems are part of a nation’s critical infrastructure and generally are secured to prevent attackers from infecting their systems. “However, municipalities and local government entities have adopted new green technology using IoT smart irrigation systems to replace traditional sprinkler systems, and they don’t have the same critical infrastructure security standards.”
In the study, the researchers present a new attack against urban water services that doesn’t require compromising the utility’s own cyber-physical systems. Instead, the attack is mounted through a botnet of smart irrigation controllers that draw from the urban water supply and are much easier to attack.
The researchers demonstrated how a bot running on a compromised device can detect a smart irrigation system connected to its LAN in less than 15 minutes, and turn on watering via each smart irrigation system using a set of session hijacking and replay attacks.
After years of hype, Magic Leap starts selling $2,300 AR headset
After years of behind-closed-doors demos and over-the-top hype, Magic Leap's augmented reality glasses took one more step towards reality today. The company has opened up orders for the $2,295 "Creator Edition" of its first headset, the Magic Leap One.
That price includes in-person delivery and setup of the developer-focused hardware, though that delivery is only available in select US cities for the time being—Chicago, Los Angeles, Miami, New York, the San Francisco Bay Area, and Seattle will be covered on day one. Those in other locations have to reserve a spot and wait for wider availability.
The hand-delivery is in part to determine which of two adjustable sizes for the headset is most appropriate for you—Magic Leap says "you'll be measured upon delivery to ensure the perfect fit." Magic Leap also says "limited quantities" are being made available now and that delivery of current orders will take place within "120 days and typically much sooner."
Compare the price to the $3,000-$5,000 developer versions of Microsoft's HoloLens, or the $1,500 Google Glass.
It requires a connected "lightpack" computer that clips onto a pocket or shoulder strap. The device has an Nvidia Tegra X2 chipset (2 Denver 2.0 cores, 4 ARM Cortex A57 cores, with one Denver core and two of the A57 cores accessible to developers), 8GB of memory, 128GB of storage, and a battery supposedly offering 3 hours of use. It also comes with a wireless handheld controller similar to ones offered by Oculus, Samsung, etc., although it is fully tracked by the headset's cameras, offering "a full range of motion" according to The Verge.
The field of view of the device is 40° horizontal, 30° vertical. This is larger than HoloLens's 30° horizontal, 17.5° vertical field of view, but is far less than that of VR headsets (typically 100-110° horizontal, and 200-210° horizontal for the Pimax and StarVR headsets) and human vision (around 220° horizontal when including peripheral vision).
Detailed review at The Verge.
Previously: Magic Leap Bashed for Being Vaporware
Magic Leap Finally Announces a Product, But is It Still Vaporware?
Linux Kernel 4.17 saw the inclusion of NSA's 'controversial' encryption algorithm Speck. Linux Kernel 4.18 will see Speck being available as a supported algorithm with fscrypt and not everyone is happy about it.
Before you panic or jump to conclusions, you should know that Speck is not a backdoor. It is a lightweight block cipher designed by the American agency NSA, and it is available as a module in the Linux kernel.
The algorithm in question, Speck, is a lightweight block cipher designed for devices with low computing power, i.e., IoT devices. It is sometimes described as 'weak' because it is a compact, fast design with fewer rounds than heavyweight ciphers, not because any published attack breaks the full cipher.
NSA wanted Speck and its companion algorithm Simon to become a global standard for next generation of internet-of-things gizmos and sensors.
NSA tried to aggressively push this algorithm to an extent that some cryptographers alleged bullying and harassment at the hands of NSA.
The problem with the algorithm is that the International Organization for Standardization (ISO) rejected Speck and Simon.
Google engineer Eric Biggers submitted Speck for inclusion in kernel 4.17 because Google planned to offer Speck as an option for dm-crypt and fscrypt on Android.
The focus is on providing encryption on Android Go, an Android version tailored to entry-level smartphones. Today these devices ship unencrypted because AES is too slow on low-end SoCs that lack hardware AES instructions (the ARMv8 Cryptography Extensions).
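For readers who want to see what actually landed in the kernel as a primitive, here is an added, stand-alone C implementation of the Speck128 block cipher (128-bit and 256-bit keys, the two variants fscrypt's Speck128-XTS mode uses) written for this page from the designers' published specification. It is not the kernel's crypto/speck.c. The whole cipher is the two-line round shown in speck128_encrypt (rotate, add, xor; rotate, xor), which is why it is so cheap on a core without AES instructions; the key schedule reuses the same round with the round index as the "key". Word order follows the specification's test vectors: the first printed 64-bit word is x, and the rightmost key word is k[0]. The known-answer values in the two kat functions are the designers' published test vectors.

```c
/* Speck128/128 and Speck128/256 (encrypt, decrypt, key schedule).
 * Added reference implementation following the published specification;
 * not the Linux kernel's crypto/speck.c. Raw block cipher only: real
 * storage encryption wraps it in a mode such as XTS. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define SPECK128_MAX_ROUNDS 34  /* 32 rounds for a 128-bit key, 34 for 256-bit */

static inline uint64_t ror64(uint64_t x, unsigned r) { return (x >> r) | (x << (64 - r)); }
static inline uint64_t rol64(uint64_t x, unsigned r) { return (x << r) | (x >> (64 - r)); }

typedef struct {
    unsigned rounds;
    uint64_t rk[SPECK128_MAX_ROUNDS];
} speck128_ctx;

/* key[]: m words (m = 2 or 4) in the spec's printed order, so key[m-1] is k[0]
 * and key[m-2], key[m-3], ... are l[0], l[1], ... */
bool speck128_setkey(speck128_ctx *ctx, const uint64_t *key, unsigned m)
{
    uint64_t l[SPECK128_MAX_ROUNDS + 4];
    if (m != 2 && m != 4)
        return false;
    ctx->rounds = (m == 2) ? 32 : 34;
    ctx->rk[0] = key[m - 1];
    for (unsigned i = 0; i < m - 1; i++)
        l[i] = key[m - 2 - i];
    for (unsigned i = 0; i + 1 < ctx->rounds; i++) {
        /* Same ARX round as encryption, with the round counter as the key word. */
        l[i + m - 1] = (ctx->rk[i] + ror64(l[i], 8)) ^ (uint64_t)i;
        ctx->rk[i + 1] = rol64(ctx->rk[i], 3) ^ l[i + m - 1];
    }
    return true;
}

void speck128_encrypt(const speck128_ctx *ctx, const uint64_t pt[2], uint64_t ct[2])
{
    uint64_t x = pt[0], y = pt[1];
    for (unsigned i = 0; i < ctx->rounds; i++) {
        x = (ror64(x, 8) + y) ^ ctx->rk[i];   /* alpha = 8 */
        y = rol64(y, 3) ^ x;                  /* beta  = 3 */
    }
    ct[0] = x; ct[1] = y;
}

void speck128_decrypt(const speck128_ctx *ctx, const uint64_t ct[2], uint64_t pt[2])
{
    uint64_t x = ct[0], y = ct[1];
    for (unsigned i = ctx->rounds; i-- > 0;) {
        y = ror64(y ^ x, 3);
        x = rol64((x ^ ctx->rk[i]) - y, 8);
    }
    pt[0] = x; pt[1] = y;
}

/* Known-answer test, Speck128/128 (published vector). */
bool speck128_128_kat(void)
{
    static const uint64_t key[2]  = { 0x0f0e0d0c0b0a0908ULL, 0x0706050403020100ULL };
    static const uint64_t pt[2]   = { 0x6c61766975716520ULL, 0x7469206564616d20ULL };
    static const uint64_t want[2] = { 0xa65d985179783265ULL, 0x7860fedf5c570d18ULL };
    speck128_ctx ctx; uint64_t ct[2], back[2];
    if (!speck128_setkey(&ctx, key, 2)) return false;
    speck128_encrypt(&ctx, pt, ct);
    speck128_decrypt(&ctx, ct, back);
    return ct[0] == want[0] && ct[1] == want[1] && back[0] == pt[0] && back[1] == pt[1];
}

/* Known-answer test, Speck128/256 (published vector). */
bool speck128_256_kat(void)
{
    static const uint64_t key[4]  = { 0x1f1e1d1c1b1a1918ULL, 0x1716151413121110ULL,
                                      0x0f0e0d0c0b0a0908ULL, 0x0706050403020100ULL };
    static const uint64_t pt[2]   = { 0x65736f6874206e49ULL, 0x202e72656e6f6f70ULL };
    static const uint64_t want[2] = { 0x4109010405c0f53eULL, 0x4eeeb48d9c188f43ULL };
    speck128_ctx ctx; uint64_t ct[2], back[2];
    if (!speck128_setkey(&ctx, key, 4)) return false;
    speck128_encrypt(&ctx, pt, ct);
    speck128_decrypt(&ctx, ct, back);
    return ct[0] == want[0] && ct[1] == want[1] && back[0] == pt[0] && back[1] == pt[1];
}

int main(void)
{
    printf("Speck128/128 KAT: %s\n", speck128_128_kat() ? "pass" : "FAIL");
    printf("Speck128/256 KAT: %s\n", speck128_256_kat() ? "pass" : "FAIL");
    return 0;
}
```

Two things the code makes visible that the article does not: the entire cipher is additions, rotations and xors on two 64-bit words, so a 32-bit Cortex-A7 class core with no AES instructions gets good throughput from plain integer arithmetic, and a 128-bit key rejects nothing you would call a "backdoor": there is no hidden constant anywhere in the design, the only constants being the rotation amounts and the round counter. Whether that reassures you is a separate question from whether the cipher was standardised through an acceptable process.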