posted by janrinok on Saturday June 15 2019, @11:14PM
from the javascript-is-insecure-who-knew? dept.

Submitted via IRC for SoyCow4463

Academics have come up with a new technique that leaks data about users' browsers; enough to defeat anti-fingerprinting systems and privacy-preserving browser extensions to provide ways to identify users by their browser and underlying platform in a way that has not been done before. Called "JavaScript Template Attack," this new technique revolves around the concept of JavaScript properties and the default values that browser engines return for basic JavaScript queries seeking the value of a certain property.

The researchers, all three from the Graz University of Technology, in Austria, created a system that automates the querying and collection of thousands of JavaScript properties and their default values from a user's environment.

The basic idea was to automate these queries and then rotate browsers, operating systems, hardware platform, and browser extensions, to collect the default values of all known JavaScript properties for each environment/installation. Researchers then built a matrix of each environment's default properties values, creating a template -- hence the name of JavaScript Template Attack -- for each possible detection scenario, listing all environment-dependent property values.

The research team says these templates can be used at a later point to scan a visiting user and detect specific environment details based on the default property values the user's browser returns.

This data can be used for creating user profiles (for traffic/user fingerprinting) that break user anonymity or for devious means, like refining the targeting of zero-day exploits.

[...] Furthermore, because browser makers tend to improve their software with new Web APIs -- all of which are controllable via JavaScript -- the number of JavaScript properties has grown in the past years and is expected to grow, and improve the accuracy of JavaScript Template Attacks even more.

Source: https://www.zdnet.com/article/javascript-template-attacks-expose-new-browser-fingerprinting-vectors/


posted by janrinok on Saturday June 15 2019, @08:51PM
from the embrace,-extend-er,-no,-that's-the-other-one dept.

Google's cloud is getting very big, but it plans on getting bigger.

Alphabet Inc.'s Google announced Thursday that it plans to buy Looker, a business-intelligence and big-data analytics company, for $2.6 billion in cash.

[...] The acquisition builds on an existing four-year-old partnership between the companies, which already share more than 350 joint customers like Buzzfeed, Hearst, Sunrun and Yahoo, Google said in a news release.

posted by janrinok on Saturday June 15 2019, @06:24PM
from the we've-made-a-mess-here,-lets-go-to-space dept.

Submitted via IRC for RandomFactor

Robotic asteroid mining spacecraft wins a grant from NASA - Universe Today

Back in April, NASA once again put out the call for proposals for the next generation of robotic explorers and missions. As part of the NASA Innovative Advanced Concepts (NIAC) Program, this consisted of researchers, scientists, and entrepreneurs coming together to submit early studies of new concepts that could one day help advance NASA's space exploration goals.

One concept that was selected for Phase III of development was a breakthrough mission and flight system called Mini Bee. This small, robotic mining craft was designed by the Trans Astronautica (TransAstra) Corporation to assist with deep-space missions. It is hoped that by leveraging this flight system architecture, the Mini-bee will enable the full-scale industrialization of space as well as human settlement.

The Mini-bee concept is essentially a technology-demonstrator for a family of flight system architectures known as Asteroid Provided In-situ Supplies (Apis). These systems range in size from the experimental Mini Bee (which weighs 250 kg or 550 lbs) to the larger Honey Bee and Queen Bee – which would be capable of capturing asteroids measuring 10 and 40 m (33 and 130 ft) in diameter, respectively.

The Mini Bee utilizes a series of innovative technologies, which includes optical mining method of resource harvesting (aka. laser mining), a spacecraft architecture that relies on sunlight to enable faster spacecraft, and an asteroid containment system similar to the one that was proposed for NASA's now-scrapped Asteroid Redirect Mission (ARM).

Further Reading: NASA, TransAstra Corporation

Previous: https://www.universetoday.com/142543/saltwater-similar-to-the-earths-oceans-has-been-seen-on-europa-another-good-reason-why-we-really-need-to-visit-this-place


posted by chromas on Saturday June 15 2019, @04:11PM
from the '; drop trou;# dept.

SQL Injection Attacks Represent Two-Third of All Web App Attacks

For its "State of the Internet" report, Akamai analyzed data gathered from users of its Web application firewall technology between November 2017 and March 2019. The exercise shows that SQL injection (SQLi) now represents nearly two-thirds (65.1%) of all Web application attacks. That's up sharply from the 44% of Web application layer attacks that SQLi represented just two years ago.

Local File Inclusion (LFI) attacks, which, like SQLi, are also enabled by a Web application's failure to properly validate user input, accounted for another 24.7% of attacks. Together, SQLi and LFI attacks represented 89.8% of all attacks at the Web application layer over the 17-month period of Akamai's study.

[...] SQL injection errors and cross-site scripting (XSS) errors have topped, or nearly topped, the Open Web Application Security Project's (OWASP) list of top 10 Web vulnerabilities for more than a decade. Just this week, in fact, HackerOne published a report showing XSS errors to be by far the most common security vulnerability in Web apps across organizations. Both XSS and SQLi are well understood, and many researchers have catalogued the dangers associated with them for years.

The fact that so many Web apps still have them reflects the relatively scant attention paid to security in the application development stage, says Andy Ellis, chief security officer at Akamai. "It is not that the developers are making errors," he says. "It is the system that we put them into that is dangerous."

[...] Akamai's data [pdf] shows most Web application attacks originate from inside the US and most targets are US-based as well. Of the nearly 4 billion application-layer attacks that Akamai counted over the 17-month period, some 2.7 billion targeted US organizations. Companies in the UK, Germany, Brazil, and India were also relatively heavily targeted, though nowhere nearly as much as US companies.


posted by chromas on Saturday June 15 2019, @01:50PM
from the 1UP dept.

Efforts To Decriminalize Magic Mushrooms Beginning To Sprout Nationally

Denver and Oakland recently passed measures decriminalizing magic mushrooms, and it appears to be part of a larger, slow-moving movement to make psilocybin (the mushrooms' psychedelic ingredient) available for treatments for depression and other medicinal purposes, and, of course, recreational purposes.

  • Oregon: The Pacific Northwest is considering a 2020 ballot measure to allow Oregonians to use "guided psilocybin services" for therapeutic purposes. The Psilocybin Service Initiative is the organization behind the measure, and it is working to get the 100,000 petition signatures needed to secure a place on the state's 2020 election ballot.
  • California: After the Oakland measure passed, an organization called Decriminalize California is working on a statewide decriminalization measure for the 2020 election. (A similar measure failed to garner enough petition signatures last year.) According to the organization's strategy timeline, it is fundraising in advance of its fall campaign for petition signatures and promotion.
  • Iowa: State Representative Jeff Shipley, a Republican with a libertarian streak, introduced two magic mushroom-focused bills in February. One bill would remove psilocybin from Iowa's list of controlled substances, and the second would allow medical usage of the substance. Since their introduction, the bills have languished in Iowa's house.

Oakland's decriminalization covers hallucinogens derived from plants or fungi, including but not limited to psilocybin-containing mushrooms and mescaline-containing peyote.

See also: Oakland City Council looks to decriminalize 'magic mushrooms' after Denver vote
Oakland Second US City to Legalize Magic Mushrooms
Oakland Decriminalizes Hallucinogenic 'Magic Mushrooms' And Peyote

Previously: Denver, Colorado Will Vote on Psilocybin Decriminalization Initiative on May 7
Psilocybin Mushroom Decriminalization Narrowly Approved in Denver, Colorado


posted by martyb on Saturday June 15 2019, @11:34AM
from the better-start-stockpiling-your-electricity dept.

Industrial-control system security firm Dragos reported on its blog Friday that the group XENOTIME has been scanning the electric grids in the US and Asia-Pacific regions since late last year.

[XENOTIME are the] attackers behind the epic Triton/Trisis attack that in 2017 targeted and shut down a physical safety instrumentation system at a petrochemical plant in Saudi Arabia

Dragos notes that there is currently no evidence that the attackers successfully penetrated and

could actually wage a cyberattack that would result in "a prolonged disruptive or destructive event on electric utility operations," but that the hacking group's newly discovered activity around power grid providers is concerning.

This is an expansion of XENOTIME's targeting from Oil and Gas to include the electric sector and the group has "successfully compromised several oil and gas environments which demonstrates its ability to do so in other verticals."


posted by martyb on Saturday June 15 2019, @09:13AM
from the new-graphene dept.

Researchers from Jülich, Germany and the University of Magdeburg have developed a method of measuring the electric potentials of individual atoms using quantum dots.

Until now, it has been nearly impossible to record electric potentials of individual molecules or atoms. All available methods have difficulty distinguishing from other forces at that scale.

The new scanning quantum dot microscopy method, which was recently presented in the journal Nature Materials by scientists from Forschungszentrum Jülich together with partners from two other institutions, could open up new opportunities for chip manufacture or the characterization of biomolecules such as DNA.

Scanning quantum dot microscopy involves attaching a single organic molecule—the quantum dot—to the tip of an atomic force microscope. This molecule then serves as a probe. "The molecule is so small that we can attach individual electrons from the tip of the atomic force microscope to the molecule in a controlled manner," explains Dr. Christian Wagner, head of the Controlled Mechanical Manipulation of Molecules group at Jülich's Peter Grünberg Institute (PGI-3).

The microscope tip acts as a shield dampening effects from fields from the sample that are further away, allowing for the precise quantization of the electric fields of individual atoms.

"An atomic force microscope works a bit like a record player," says Wagner. "The tip moves across the sample and pieces together a complete image of the surface. In previous scanning quantum dot microscopy work, however, we had to move to an individual site on the sample, measure a spectrum, move to the next site, measure another spectrum, and so on, in order to combine these measurements into a single image. With the Magdeburg engineers' controller, we can now simply scan the whole surface, just like using a normal atomic force microscope. While it used to take us 5-6 hours for a single molecule, we can now image sample areas with hundreds of molecules in just one hour."

This approach works at an increased distance from the target (2-3nm) making it superior on 'rough' surfaces such as DNA molecules.

Journal Reference
Christian Wagner et al, Quantitative imaging of electric surface potentials with single-atom sensitivity, Nature Materials (2019). DOI: 10.1038/s41563-019-0382-8


posted by martyb on Saturday June 15 2019, @06:51AM
from the 128TB-at-985GB/sec-would-take-over-one-and-a-half-days-to-fill dept.

SD Express will allow SD cards to reach read/write speeds of up to 985 MB/s. Now controllers for the standard are starting to appear:

Last year the SD Association published its Secure Digital 7.0 standard that defines SD Express cards. At this year's Computex, Realtek demonstrated one of the industry's first SD Express controllers for appropriate card readers. The RTS5261 chip already exists in silicon, so it is a matter of time before it is used for actual products.

[...] Realtek's RTS5261 supports everything mandated by the SD 7.0 specification and connects to hosts using a PCIe 3.0 interface. The controller can work with SDUC cards featuring capacities of up to 128 TB at sequential read/write speeds of up to 985 MB/s. Actual prototypes of SD Express cards from Western Digital/SanDisk seem to be slightly slower than that, yet still considerably faster when compared to existing SD UHS-II cards.

SD 7.1 extended Express speeds to microSD cards. Phison showed off a controller for capacities up to 512 GB:

Phison's PS5017 controller is compliant with the SD 7.1 specification, so it can be used both for SD Express and microSD Express cards. The chip supports various types of 3D TLC and 3D QLC NAND memory featuring ONFI or Toggle 2.0 interfaces, but total capacity is limited to 512 GB for some reason. Performance wise, the controller promises up to 900 MB/s sequential read speed as well as up to 500 MB/s sequential write speed, which is good enough considering types of memory that it will be used with.

It's only a matter of time before capacities hit 2 TB and above, and higher sustained read/write speeds would be appreciated.

Related: Western Digital Demos SD Card Using PCIe Gen 3 x1 Interface for 880 MB/s Read Speed
SD Association Raises Max Capacity to 128 TB, Speed to 985 MB/s Using PCIe and NVMe
Lexar Beats Others to Market with a 1 TB SD Card
Micron and SanDisk (Western Digital) Announce 1 TB MicroSD Cards (available)


posted by chromas on Saturday June 15 2019, @04:30AM
from the post-fix-you-will-be-running-PostFix dept.

A flaw in versions 4.87 to 4.91 of the Exim mail transfer agent (MTA) on Linux systems is being actively exploited in the wild. Exim version 4.92 is not vulnerable.

Specifically under attack is a flaw in Exim-based mail servers, which run almost 57 percent of the internet's email servers. Attackers are exploiting the flaw, discovered last week, to take control of the victim machines, search the internet for other machines to infect, and to initiate a cryptominer infection.

The vulnerability being exploited is an input validation failure on the recipient address on an incoming message.

An initial attack was detected by researcher Freddie Leeman on June 9th.

The more recent and sophisticated campaign first installs an RSA private authentication key on the vulnerable SSH server for root authentication. Once remote command-execution is established, the attacker then deploys a port scanner, to sniff out other vulnerable servers and installs a coin-miner.

In addition, the campaign appears to be "highly pervasive" with extra measures – such as installing several payloads at different stages including the port scanner and coin-miner – for persistence on the infected system.

"It is clear that the attackers went to great lengths to try to hide the intentions of their newly-created worm," researchers said. "They used hidden services on the TOR network to host their payloads and created deceiving windows icon files [which is actually a password protected zip archive containing the coin miner executable] in an attempt to throw off researchers and even system administrators who are looking at their logs."

The attack is still being researched and users of vulnerable versions of Exim are being urged to patch their systems.

Related
400,000 Servers Using Exim May be at Risk of Serious Code-Execution Attacks


posted by chromas on Saturday June 15 2019, @02:12AM
from the can-I-just-friend-your-wallet dept.

Planned for unveiling next week, Facebook plans to launch a new cryptocurrency dubbed 'Libra' in 2020.

Facebook has secured the backing of over a dozen companies for its upcoming Libra cryptocurrency set to be announced next week, The Wall Street Journal reports. These companies include major financial organizations like Visa and Mastercard, and internet darlings like PayPal, Uber, Stripe, and Booking.com. Each will invest around $10 million to fund development of the currency, and will become part of the Libra Association, an independent consortium that will govern the digital coin independently of Facebook.

Backing from major financial entities such as PayPal, Mastercard and VISA is a new twist.

The new cryptocurrency is intended to function as a "stablecoin" to improve stability and make it more attractive to users in developing countries. A stablecoin is

designed to minimize the volatility of the price of the stablecoin, relative to some 'stable' asset or basket of assets. A stablecoin can be pegged to a currency, or to exchange traded commodities (such as precious metals or industrial metals). Stablecoins redeemable in commodities are said to be backed[.]

The plan for Libra is to

[allow] users to send money over Facebook's messaging products like WhatsApp and Messenger, Facebook hopes that its partnerships with e-commerce firms will allow users to spend the currency online. The company is reportedly also looking into developing ATM-like physical terminals for people to convert their money into Libra.

Is privacy considered a social norm in financial dealings?


posted by martyb on Friday June 14 2019, @11:55PM
from the the-end-is-near dept.

On our current trajectory, the report warns, "planetary and human systems [are] reaching a 'point of no return' by mid-century, in which the prospect of a largely uninhabitable Earth leads to the breakdown of nations and the international order."

The only way to avoid the risks of this scenario is what the report describes as "akin in scale to the World War II emergency mobilization"—but this time focused on rapidly building out a zero-emissions industrial system to set in train the restoration of a safe climate.

https://www.vice.com/en_us/article/597kpd/new-report-suggests-high-likelihood-of-human-civilization-coming-to-an-end-in-2050


posted by chromas on Friday June 14 2019, @10:25PM
from the data-sharing-policies dept.

Submitted via IRC for Bytram

Opinion | We Read 150 Privacy Policies. They Were an Incomprehensible Disaster.

[...] here are several privacy policies from major tech and media platforms. Like most privacy policies, they’re verbose and full of legal jargon — and opaquely establish companies’ justifications for collecting and selling your data. The data market has become the engine of the internet, and these privacy policies we agree to but don't fully understand help fuel it.

To see exactly how inscrutable they have become, I analyzed the length and readability of privacy policies from nearly 150 popular websites and apps. Facebook’s privacy policy, for example, takes around 18 minutes to read in its entirety – slightly above average for the policies I tested.

Then I tested how easy it was to understand each policy using the Lexile test developed by the education company Metametrics. The test measures a text’s complexity based on factors like sentence length and the difficulty of vocabulary.

[...] The vast majority of these privacy policies exceed the college reading level. And according to the most recent literacy survey conducted by the National Center for Education Statistics, over half of Americans may struggle to comprehend dense, lengthy texts. That means a significant chunk of the data collection economy is based on consenting to complicated documents that many Americans can’t understand.

[...] Despite efforts like the General Data Protection Regulation to make policies more accessible, there seems to be an intractable tradeoff between a policy’s readability and length. Even policies that are shorter and easier to read can be impenetrable, given the amount of background knowledge required to understand how things like cookies and IP addresses play a role in data collection.

“You’re confused into thinking these are there to inform users, as opposed to protect companies,” said Albert Gidari, the consulting director of privacy at the Stanford Center for Internet and Society.


posted by martyb on Friday June 14 2019, @08:50PM
from the don't-do-that! dept.

RT:

WhatsApp is threatening users who violate its rules with lawsuits, even if the only evidence of “rule-breaking” exists outside of the Facebook-owned messaging app and the only judge is an AI.

“WhatsApp will take legal action against those we determine are engaged in or assisting others in abuse… even if that determination is based on information solely available to us off our platform,” the company warned in an ominous FAQ entry posted on Monday.

The source is RT, but the FAQ linked in the excerpt does say that. Would we want Kellogg's surveilling us to make sure we're using their corn flakes properly?


posted by martyb on Friday June 14 2019, @07:10PM
from the big-impact-from-very-little-things dept.

China Is Still Multiple Generations Behind In Chip Manufacturing

When it comes to the actual foundries China has within its borders, the picture isn't good for the country. Perhaps the most advanced foundry there is owned by Semiconductor Manufacturing International Corporation (SMIC). A company spokesperson late last year said, "Our 14nm technology will start risk production by 2019, 12nm process development is completed and under customer verification."

Keep in mind how much further along the rest of the world is: TSMC (Taiwan) is already producing high performance AMD CPUs on its 7nm process with low power Apple parts having shipped in 2018, Samsung is readying advanced EUV production lines for NVIDIA's next generation of graphics chips, and Intel is rolling out its 7nm-equivalent this year as well. We even reported yesterday that TSMC is now actively developing its 2nm node!

If China's most advanced foundry is only beginning low-volume 14nm production this year, that would put them about four or five years behind the rest of the world. An eternity in the world of semiconductors.

For now, Huawei is building their world-class and cutting edge SoC, Kirin 980 on TSMC's 7nm process. If they were forced to use SMIC's 14nm process it would force them to regress in both performance and efficiency which would be a death-knell. Currently the Kirin 980 can compete with Qualcomm's Snapdragon 855, but should Huawei be forced to fab its chips within its own countries[sic] borders this wouldn't be the case.

[...] It seems Chinese companies will have to do things the old fashioned way and grit their way through the learning curve with using these chip-production tools. One way around this would be to hire talent away from companies with a mature understanding of the technology, but even this is proving difficult.

For instance a Chinese DRAM company CXMT attempted to hire away a top Samsung engineer who had expertise in his field, but a South Korean court blocked the move. Kim Chi-wook headed the company's DRAM design team and would be a home-run hire for any DRAM company lacking knowledge. The court made no qualms about the fact that the engineer getting hired by CXMT would potentially hurt Samsung's competitive edge. They wrote, "Chinese semiconductor companies are estimated to be three years to 10 years behind in technology gap regarding DRAM designing technique."


posted by martyb on Friday June 14 2019, @05:36PM
from the deep-fakes-are-shallow dept.

House holds hearing on "deepfakes" and artificial intelligence amid national security concerns

The House Intelligence Committee heard from experts on the threats that so-called "deep fake" videos and other types of artificial intelligence-generated synthetic data pose to the U.S. election system and national security at large. Witnesses at Thursday's hearing included professors from the University of Maryland, University at Buffalo and other experts on AI and digital policy.

In a statement, the committee says it aims to "examine the national security threats posed by AI-enabled fake content, what can be done to detect and combat it, and what role the public sector, the private sector, and society as a whole should play to counter a potentially grim, 'post-truth' future," during Thursday's hearing.

[...] In his opening remarks, Committee chair Rep. Adam Schiff said the spread of manipulated videos presents a "nightmarish" scenario for the 2020 presidential elections -- leaving lawmakers, members of the news media and public "struggling to discern what is real and what is fake."

Schiff urged that "now is the time for social media companies to put in place policies to protect users from misinformation, not in 2021 after viral deepfakes have polluted the 2020 elections. By then, it will be too late."

See also: Deepfake videos could 'spark' violent social unrest
Lawmakers grapple with deepfake threat at hearing
'AI is not the cause, it's an accelerant. The pace of change is challenging' Experts give Congress deepfakes straight dope
Deepfake Video of Mark Zuckerberg Goes Viral on Eve of House A.I. Hearing

Previously: House Intelligence Committee to Hold Hearing on "Deepfakes"

