
SoylentNews is people

posted by mrpg on Wednesday November 21 2018, @11:00PM
from the fight! dept.

Submitted via IRC for SoyCow0824

E-commerce site is infected not by one, but two card skimmers

Payment card skimming that steals consumers’ personal information from e-commerce sites has become a booming industry over the past six months, with high-profile attacks against Ticketmaster, British Airways, Newegg, and Alex Jones’ InfoWars, to name just a few. In a sign of the times, security researcher Jérôme Segura found two competing groups going head to head with each other for control of a single vulnerable site.

The site belongs to sportswear seller Umbro Brasil, which as of Tuesday morning was infected by two rival skimmer groups. The first gang planted plaintext JavaScript on the site that caused it to send payment card information to the attackers as customers were completing a sale. The malicious JavaScript looked like this: [image]

A second gang exploited either the same or a different website vulnerability as the first. The second group then installed much more advanced JavaScript that was encoded in a way to prevent other programs from seeing what it did. This is what it looked like: [image]

The obfuscated JavaScript actively tampered with the less-sophisticated payment skimmer installed by the first gang. Specifically, it replaced the last digit of a credit card number with a randomly generated digit before being sent to the first group. As a result, there was a 90 percent chance that the number obtained by the first group would be incorrect. Because the first group used unobfuscated JavaScript, the skimmer is much more vulnerable to tampering by rivals.


posted by takyon on Wednesday November 21 2018, @09:35PM
from the privacy-vs-piracy dept.

Submitted via IRC for SoyCow1984

MPAA: Making All Domain WHOIS Data Public Will Advance Privacy

Anti-piracy groups witnessed their work becoming more complicated this year after the EU's new privacy regulations limited access to domain name WHOIS data. This measure is supposed to increase privacy for registrants but in a submission to the US Government, Hollywood's MPAA stresses that restoring full access increases the privacy of the public at large.

A few weeks ago, the US National Telecommunications and Information Administration (NTIA), asked the public for input on ways to improve consumer privacy. [...] The request came a few months after the EU's new privacy regulation, the GDPR, was implemented. The GDPR requires many online services and tools to tighten their privacy policies, which also affects domain registrars.

As of June 2018, ICANN implemented a temporary measure to restrict access to personal data that would previously have been available through WHOIS, unless explicit permission is given. A welcome privacy change to many domain registrants, but anti-piracy groups are not happy. While the limited WHOIS data is supposed to improve user privacy, the MPAA tells the NTIA that the opposite is true. They believe that opening it up again "will advance privacy while protecting prosperity and innovation," in line with NTIA's aims.

[...] The MPAA says that when it comes to WHOIS data, sharing more personal data in public – as it was in the past – benefits the public at large. Sharing personal data of all website owners allows visitors to check who they are dealing with. "Users are not 'reasonably informed' or 'empowered to meaningfully express privacy preferences' if they cannot determine the entity behind a website," the MPAA explains. [...] Concerns about limited WHOIS data are not new. Previously, a group of 50 organizations warned that it makes pirates harder to catch, which is of course the MPAA's main stake in the matter.


posted by martyb on Wednesday November 21 2018, @07:35PM
from the What-*does*-FPGA-stand-for? dept.

As part of the company's Supercomputing 2018, a new FPGA accelerator card was announced by Xilinx. The Xilinx Alveo U280 is one of the company's pre-ACAP 16nm UltraScale+ architecture FPGA products. The U280 features 8GB of Samsung High Bandwidth Memory (HBM2) plus 32GB of DDR4 memory. The goal of the new card is to accelerate database search and analytics, machine learning inference, and other memory-bound applications.

Buried in the documentation for the card is a nugget of extremely interesting information:

"The U280 acceleration card includes CCIX support to leverage existing server interconnect infrastructure for high bandwidth, low latency cache coherent shared memory access with CCIX enabled processors including Arm and AMD." (Source: Xilinx Alveo U280 whitepaper WP50 (v1.0) accessed 16 November 2018)

We were recently at the AMD Next Horizon Event and STH friend Dr. Ian Dr. Ian Cutress at Anandtech (not a typo, that is what his SC18 badge said) touched upon this in his interview with AMD CTO Mark Papermaster. Neither in the Rome disclosure nor the interview did AMD confirm CCIX support. However, AMD publicly supports CCIX and Gen-Z and when we asked if this means Rome supports CCIX all we received was that AMD supports CCIX but has not announced a product with it yet. Arm may have chips derived from its IP with CCIX support, but AMD has a more well-defined roadmap.

https://www.servethehome.com/xilinx-alveo-u280-launched-possibly-with-amd-epyc-ccix-support/


posted by martyb on Wednesday November 21 2018, @05:37PM
from the the-shadow-knows dept.

Jeff Bezos' new 'shadow' adviser at Amazon is a female executive of Chinese descent

Amazon CEO Jeff Bezos has a new "shadow" adviser, a role that's highly coveted inside the company because it involves following around the billionaire founder for a year or two and learning all aspects of the business.

The position is now held by Wei Gao, a female executive of Chinese descent, whose LinkedIn profile says she's had the role of "VP, Technical Advisor to CEO" since July. Gao, only the second female to shadow Bezos, replaced Jeffrey Helbling, who was named technical adviser in early 2017. CNBC learned of the change from two people familiar with the matter who asked not to be named because they're not authorized to speak for the company.

Gao, who was most recently a vice president of forecasting, has filled various roles during her 13 years at Amazon, including senior positions in the Kindle and inventory planning teams.

The shadow job, which entails sticking by Bezos' side and accompanying him to all of his meetings, often portends good things for those who are picked. Maria Renz, who left the position in 2017, is now vice president of delivery experience. Other high-profile shadows from the past include Andy Jassy, now CEO of Amazon Web Services, Greg Hart, vice president of of[sic] Prime Video, and Dilip Kumar, vice president of Amazon Go.

The richest man in the world (on paper) casts a big shadow.


posted by takyon on Wednesday November 21 2018, @04:00PM
from the found-and-lost dept.

The privacy-oriented search engine Findx has shut down: https://privacore.github.io/

The reasons cited are:

  • While people are starting to understand the importance of privacy it is a major hurdle to get them to select a different search engine.
  • Search engines eat resources like crazy, so operating costs are non-negligible.
  • Some sites (including e.g. github) use a whitelist in robots.txt, blocking new crawlers.
  • The amount of spam, link-farms, referrer-linking, etc. is beyond your worst nightmare.
  • Returning good results takes a long time to fine-tune.
  • Monetizing is nearly impossible because advertising networks want to know everything about the users, going against privacy concerns.
  • Buying search results from other search engines is impossible until you have at least x million searches/month. Getting x million searches/month is impossible unless you buy search results from other search engines (or sink a lot of cash into making it yourself).

So what do you soylentils think can be done to increase privacy for ordinary users, search-engine-wise?

Disclaimer: I worked at Findx.


posted by martyb on Wednesday November 21 2018, @02:18PM
from the always-read-the-fine-print dept.

In a long article on Bloomberg News, but well worth the read:

How unscrupulous lenders have used an obscure legal document to wreak havoc against small businesses nationwide.

The lenders’ weapon of choice is an arcane legal document called a confession of judgment. Before borrowers get a loan, they have to sign a statement giving up their right to defend themselves if the lender takes them to court. It’s like an arbitration agreement, except the borrower always loses. Armed with a confession, a lender can, without proof, accuse borrowers of not paying and legally seize their assets before they know what’s happened. Not surprisingly, some lenders have abused this power. In dozens of interviews and court pleadings, borrowers describe lenders who’ve forged documents, lied about how much they were owed, or fabricated defaults out of thin air.

By seizing their bank deposits, Yellowstone had managed to collect its money ahead of schedule (60k on a 38k loan) and tack on $9,990 in extra legal fees, payable to a law firm in which it owns a stake. In about three months, the company and its affiliates almost doubled their money. At that rate of return, one dollar could be turned into 10 in less than a year.

Everyone else involved in the collection process got a slice, too. SunTrust got a $100 processing fee. Barbarovich’s office (NYC Marshal) got approximately $2,700, with about $120 of that passed along to the city. The Orange County Clerk’s office got $41 for its rubber stamps. The New York state court system got $184.

Cash-advance companies have secured more than 25,000 judgments in New York since 2012 worth an estimated $1.5 billion.

It sure explains why my small business gets a ton of loan/cash advance offers.

It should be noted that these letters have been prohibited in some states for over 50 years, and banned nationwide for consumers since 1984 (but even when banned by a state, they pursue it in a state where they are legal).


posted by martyb on Wednesday November 21 2018, @12:41PM
from the up-in-the-air dept.

SpaceX CEO Elon Musk's use of cannabis during an interview with Joe Rogan has led to safety reviews at both SpaceX and Boeing:

In addition to spurring problems for the car company Tesla, Elon Musk's puff of marijuana in September will also have consequences for SpaceX. On Tuesday, The Washington Post reported that NASA will conduct a "safety review" of both of its commercial crew companies, SpaceX and Boeing. The review was prompted, sources told the paper, because of recent behavior by Musk, including smoking marijuana on a podcast.

According to William Gerstenmaier, NASA's chief human spaceflight official, the review will be "pretty invasive" and involve interviews with hundreds of employees at various levels of the companies, across multiple worksites. The review will begin next year, and interviews will examine "everything and anything that could impact safety," Gerstenmaier told the Post.

[...] One source familiar with NASA's motivations said the agency has grown weary of addressing questions about SpaceX's workplace culture, from the long hours its employees work to Musk's behaviors on social media. "SpaceX is the frat house," this source said. "And NASA is the old white guy across the street yelling at them to 'Get off my lawn.'"

The "Big Falcon/Fucking Rocket" (BFR) has been renamed. The upper stage will be called Starship, while the booster will be called Super Heavy:

SpaceX CEO Elon Musk tweeted late Monday night that he has renamed the company's largest (and yet to be built) BFR rocket to Starship. Or more precisely, the spaceship portion will be called Starship. The rocket booster used to propel Starship from Earth's gravitational grasp will be called Super Heavy.

Plans to add a "mini-BFS" second stage to the Falcon 9 were scrapped less than 2 weeks after they were announced. Yet another design change for the BFR/Starship was also hinted at:

In a series of tweets Nov. 17, Musk said that SpaceX was no longer pursuing an upgrade to its existing Falcon 9 vehicle that would make the vehicle's second stage reusable. The company's focus, he said, would instead be on speeding up work on SpaceX's heavy-lift reusable launch vehicle formally known as Big Falcon Rocket, or BFR. "Accelerating BFR instead," Musk said. "New design is very exciting! Delightfully counter-intuitive." [...] Musk, in his latest tweets, said no major changes to the Falcon 9 were now on the table. "Yes, no upgrades planned for F9," he wrote. "Minor tweaks to improve reliability only, provided NASA & USAF are supportive."

Incidentally, SpaceX raised $250 million with its first loan instead of the $500-750 million the company previously sought.

Finally, NASA's associate administrator Stephen Jurczyk told Business Insider that the Space Launch System (SLS) would eventually be retired in favor of SpaceX's upcoming rocket (formerly known as BFR) and Blue Origin's New Glenn (Blue Origin is also planning a successor called New Armstrong, but no further details have been announced about the rocket). However, NASA Administrator Jim Bridenstine denied that SLS would be cancelled in 2022 "or any foreseeable date":

NASA 'will eventually retire' its new mega-rocket if SpaceX, Blue Origin can safely launch their own powerful rockets

NASA is building a giant rocket ship to return astronauts to the moon and, later on, ferry the first crews to and from Mars. But agency leaders are already contemplating the retirement of the Space Launch System (SLS), as the towering and yet-to-fly government rocket is called, and the Orion space capsule that'll ride on top. NASA is anticipating the emergence of two reusable and presumably more affordable mega-rockets that private aerospace companies are creating. Those systems are the Big Falcon Rocket (BFR), which is being built by Elon Musk's SpaceX; and the New Glenn, a launcher being built by Jeff Bezos' Blue Origin.

"I think our view is that if those commercial capabilities come online, we will eventually retire the government system, and just move to a buying launch capacity on those [rockets]," Stephen Jurczyk, NASA's associate administrator, told Business Insider at The Economist Space Summit on November 1.

However, Jim Bridenstine, the administrator of NASA, appears to have publicly denied his colleague's statement. "In case there is any confusion, @NASA will NOT be retiring @NASA_SLS in 2022 or any foreseeable date. It is the backbone of America's return to the Moon with international and commercial partners," Bridenstine tweeted on Monday, following the initial publication of this story on Saturday.

Musk cannabis story also at Engadget, TechCrunch, and The Verge. BFR name change story also at BBC. Falcon 9 reusability story also at Ars Technica, Bloomberg, and Engadget.


posted by martyb on Wednesday November 21 2018, @11:04AM

Exclusive: After Khashoggi murder, some Saudi royals turn against king's favorite son

Amid international uproar over the killing of journalist Jamal Khashoggi, some members of Saudi Arabia's ruling family are agitating to prevent Crown Prince Mohammed bin Salman from becoming king, three sources close to the royal court said.

Dozens of princes and cousins from powerful branches of the Al Saud family want to see a change in the line of succession but would not act while King Salman - the crown prince's 82-year-old father - is still alive, the sources said. They recognize that the king is unlikely to turn against his favorite son, known in the West as MbS.

Rather, they are discussing the possibility with other family members that after the king's death, Prince Ahmed bin Abdulaziz, 76, a younger full brother of King Salman and uncle of the crown prince, could take the throne, according to the sources.

Prince Ahmed, King Salman's only surviving full brother, would have the support of family members, the security apparatus and some Western powers, one of the Saudi sources said.

Prince Ahmed returned to Riyadh in October after 2-1/2 months abroad. During the trip, he appeared to criticize the Saudi leadership while responding to protesters outside a London residence chanting for the downfall of the Al Saud dynasty. He was one of only three people on the Allegiance Council, made up of the ruling family's senior members, who opposed MbS becoming crown prince in 2017, two Saudi sources said at the time.

Meanwhile, the Trump administration's continued support of Saudi Arabia has been denounced by several U.S. Senators:

The White House's pledge to maintain its strong military and economic alliance with Saudi Arabia amid reports that U.S. intelligence has assessed that Crown Prince Mohammed bin Salman ordered the gruesome murder of dissident journalist Jamal Khashoggi, has ignited a flurry of bipartisan condemnation in Washington.

After President Trump issued a remarkable statement on Tuesday in which he acknowledged that the heir apparent to the Saudi throne may have known about the "tragic event," but that his administration nevertheless "intended to remain a steadfast partner of Saudi Arabia," several Republican and Democratic members of Congress denounced the White House's position.

Previously: Turkey Says that a Missing Critic of the Saudi Government was Killed in Saudi Consulate in Istanbul
Saudi Arabia Reportedly Prepared to Admit Involvement in Journalist's Death
CIA Concludes That Saudi Crown Prince Ordered Khashoggi Killed


posted by martyb on Wednesday November 21 2018, @09:27AM
from the Imagine-the-reaction-if-they-found-certain-proof-there-is/was-life-there? dept.

New Scientist:

After four years of deliberation, NASA has picked its next Mars landing spot: Jezero crater. The hope is that it has the right environment to preserve signs of ancient life.

Satellite images suggest the 50-kilometre-wide crater once had a river flowing along its rim and into a big lake. It is thought to hold rocks that can preserve organic molecules, such as clays and carbonates. It is located 18 degrees north of Mars's equator.

If there are no delays, the rover will launch July 2020 and arrive February 2021.


posted by mrpg on Wednesday November 21 2018, @07:50AM

The Guardian:

New York City’s subway and bus service is already in crisis. It could be getting worse. And more expensive.

Officials at the Metropolitan Transportation Authority (MTA) warned last week that without a major infusion of cash, they will have to drastically cut service or increase fares on the system that carries millions of New Yorkers around the city.

[...] The system’s financial straits have gotten worse in part because it has fewer riders, and is collecting less money in fares. Expected passenger revenue over a five-year period has dropped by $485m since July.

“They’ve entered this death spiral,” said Benjamin Kabak, who runs the transit website Second Avenue Sagas. “The subway service and the bus service has become unreliable enough for people to stop using it. If people aren’t using it, there’s less money, and they have to keep raising fares without delivering better service.”

Bike-sharing and ride-hailing apps have emerged as alternatives for commuters. Is mass transit finding itself in a valley of death between those who are price-conscious and those who want maximum convenience?


posted by mrpg on Wednesday November 21 2018, @06:12AM
from the 36MB!?!?!?!?!? dept.

Submitted via IRC for SoyCow1984

Widely Used Reference for the Human Genome is Missing 300 Million Bits of DNA

Known as the GRCh38 reference genome, it is periodically updated with DNA sequences from other individuals, but in a new analysis, Johns Hopkins scientists now say that the collective genomes of 910 people of African descent have a large chunk — about 300 million bits — of genetic material that is missing from the basic reference genome.

“There’s so much more human DNA than we originally thought,” says Steven Salzberg, Ph.D., the Bloomberg Distinguished Professor of Biomedical Engineering, Computer Science, and Biostatistics at The Johns Hopkins University.

Knowing the variations in genomes across populations is essential to research design to reveal why certain people or groups of people may be more or less susceptible to common health conditions, such as heart disease, cancer and diabetes, and Salzberg says that scientists need to build more reference genomes that more closely reflect different populations.

“The whole world is relying on what is essentially a single reference genome, and when a particular DNA analysis doesn’t match the reference and you throw away those non-matching sequences, those discarded bits may in fact hold the answers and clues you are seeking,” says Salzberg.


posted by mrpg on Wednesday November 21 2018, @04:37AM
from the color-me-hacked dept.

Submitted via IRC for SoyCow1984

Health care providers – not hackers – leak more of your data

Your personal identity may fall at the mercy of sophisticated hackers on many websites, but when it comes to health data breaches, hospitals, doctors offices and even insurance companies are oftentimes the culprits.

New research from Michigan State University and Johns Hopkins University found that more than half of the recent personal health information, or PHI, data breaches were because of internal issues with medical providers – not because of hackers or external parties.

“There’s no perfect way to store information, but more than half of the cases we reviewed were not triggered by external factors – but rather by internal negligence,” said John (Xuefeng) Jiang, lead author and associate professor of accounting and information systems at MSU’s Eli Broad College of Business.

The research, published in JAMA Internal Medicine, follows the joint 2017 study that showed the magnitude of hospital data breaches in the United States. The research revealed nearly 1,800 occurrences of large data breaches in patient information over seven years, with 33 hospitals experiencing more than one substantial breach.


posted by mrpg on Wednesday November 21 2018, @03:00AM
from the Take-the-second-exit-and-head-directly-west-over-the-ocean dept.

The Sydney Morning Herald has a front-page story detailing apparent Chinese redirection and interception of Australian internet traffic.

Internet traffic heading to Australia was diverted via mainland China over a six-day period last year. The diverted traffic from Europe and North America was logged as a routing error by the state-owned China Telecom, according to data released for the first time by researchers at Tel Aviv University and the Naval War College in the US.

The targeting of data bound for Australia comes amid revelations China's peak security agency has overseen a surge in cyber attacks on Australian companies over the past year, breaching a bilateral agreement to not steal each other's commercial secrets.

The re-directions happened between the 7th and 13th of June last year and resulted in a small portion of the total internet traffic coming into Australia taking up to six times longer to arrive as it went via China. One of the researchers says he believes the target of the attack was a UK cyber-security company with offices in Australia.

The data diversions were possible as China Telecom has 10 Points of Presence (PoPs) in North America. Foreign carriers have no comparable infrastructure across mainland China.

China Telecom has long been regarded as a passive service provider, despite being state-owned, and therefore has attracted none of the suspicion of Chinese telecommunications providers like Huawei or ZTE.

In the research paper quoted in the article, three other examples of such diversions over the past two years are highlighted, including traffic from Scandinavia to the Japanese office of a major US media outlet being diverted via China.


posted by chromas on Wednesday November 21 2018, @01:28AM

New Atlas:

Discovered in the Jinju Formation in South Korea, each of the footprints measures about 1 cm (0.4 in) long. Although they resemble modern bird tracks, they only have two toes, indicating they were made by raptors. That's because raptors, as you might remember from Jurassic Park, hold their clawed third toe off the ground in a curved position.

"These 110-million-year-old footprints and trackways were made by carnivorous dinosaurs commonly known as raptors," says Anthony Romilio, an author of the study. "The diminutive sizes of these new tracks are extraordinary; the tracks were made by tiny dinosaurs about the size of sparrows. They are the world's smallest dinosaur tracks."

How long before they find dinosaur tracks that dead-end at tire tracks that lead away?


posted by chromas on Wednesday November 21 2018, @12:00AM
from the if-you-give-a-mouse-a-printer… dept.

New Atlas:

There have been a number of electric motorcycles that have broken away from the traditional designs of their gas-powered brethren, including the Rocsie and Zeus. But what would happen if a moto was specifically designed for Fused Filament Fabrication printing? Germany's BigRep has debuted a number of automotive and e-mobility prototypes at this year's formnext additive manufacturing exhibition, including the world's first 3D-printed working electric motorcycle.

The 190 x 90 x 55 cm (74.8 x 35.4 x 21.6 in) Nera bike was designed by Marco Mattia Cristofori with Maximilian Sedlak from the company's Nowlab innovation consultancy and printed on BigRep's own large-scale 3D printers using ProHT, ProFLEX, PETH and PLA filaments through a 0.6 - 1 mm nozzle at a layer height of 0.4 - 0.6 mm.
...
Everything except the electrical components has been produced on a 3D printer – that includes the tires (with custom tread), rhomboid wheel rims, frame, fork and seat. The Nera bike also rocks flexible bumpers to replace the traditional suspension found in other motos.

Custom-printed electric motorcycles, but will they ever be allowed on the road?

