SoylentNews

upstart from IRC writes:

Microsoft will now pay up to $20k for Xbox Live security exploits – TechCrunch:

Think you’ve found a glaring security hole in Xbox Live? Microsoft is interested.

The company announced a new bug bounty program today, focused specifically on its Xbox Live network and services. Depending on how serious the exploit is and how complete your report is, they’re paying up to $20,000.

Like most bug bounty programs, Microsoft is looking for pretty specific/serious security flaws here. Found a way to execute unauthorized code on Microsoft’s servers? They’ll pay for that. Keep getting disconnected from Live when you play as a certain legend in Apex? Not quite the kind of bug they’re looking for.

Microsoft also specifically rules out a few types of vulnerabilities as out-of-scope, including DDoS attacks, anything that involves phishing Microsoft employees or Xbox customers, or getting servers to cough up basic info like server name or internal IP. You can find the full breakdown here.

Original Submission

upstart from IRC writes:

How a $300 projector can fool Tesla's Autopilot:

Six months ago, Ben Nassi, a PhD student at Ben-Gurion University advised by Professor Yuval Elovici, carried off a set of successful spoofing attacks against a Mobileye 630 Pro Driver Assist System using inexpensive drones and battery-powered projectors. Since then, he has expanded the technique to experiment—also successfully—with confusing a Tesla Model X and will be presenting his findings at the Cybertech Israel conference in Tel Aviv.

The spoofing attacks largely rely on the difference between human and AI image recognition. For the most part, the images Nassi and his team projected to troll the Tesla would not fool a typical human driver—in fact, some of the spoofing attacks were nearly steganographic, relying on the differences in perception not only to make spoofing attempts successful but also to hide them from human observers.

Nassi created a video outlining what he sees as the danger of these spoofing attacks, which he called "Phantom of the ADAS," and a small website offering the video, an abstract outlining his work, and the full reference paper itself. We don't necessarily agree with the spin Nassi puts on his work—for the most part, it looks to us like the Tesla responds pretty reasonably and well to these deliberate attempts to confuse its sensors. We do think this kind of work is important, however, as it demonstrates the need for defensive design of semi-autonomous driving systems.

Original Submission

Coward, Anonymous writes:

In a change that will cause mixed reactions, UK research funding proposals no longer need "impact" statements.

UK researchers will, however, benefit from no longer having to submit a "Pathways to Impact" plan or complete an "Impact Summary" when applying for cash from UKRI – the umbrella organization for the UK's seven research councils. The Pathways to Impact requirement, which had been in place for around a decade, was controversial. But for grant applications made from 1 March 2020, researchers will not have to submit. The UKRI currently invest a total of £7bn into British science each year

"The removal of 'Pathways to Impact' will be broadly welcomed by the many grant-writing physicists whose heart sank at the thought of churning out two pages of boilerplate on the ill-defined socioeconomic impact of their proposed research," says Physicist Philip Moriarty from the University of Nottingham. "Yet despite being a vocal opponent of it for many years, I feel it's important to recognise that it played a role in shifting attitudes regarding the broader implications of academic research. For one thing, the 'impact agenda' led to a greater – albeit, often rather opportunistic – interaction between science and the arts and humanities. Hopefully this interdisciplinary activity will continue in its absence".

The US National Science Foundation requires a "Broader Impacts" statement in its grant applications.

Grant proposals are generally a big time sink for scientists, and the "impact" statement seems like it needs the thickest helping of buzzwords, exaggerations, meaningless generalities, and unfounded optimism. But society legitimately wants to know what it's getting out of the research. Maybe cool results, publications, and productivity metrics are enough?

Original Submission

canopic jug writes:

DMA attacks have never really gone out of fashion and, contrary to popular belief, do not necessarily require physical access. DMA is a misfeature designed provide peripherals with direct, unconstrained, high-speed read-write access to the whole of a system's RAM. Firewire (IEEE-1394) and Thunderbolt are two of the more infamous avenues for attacks, but network cards and other peripherals can also have this capability. One example of abuse would for the peripheral to read and exfiltrate private encryption keys as they rest in memory.

Eclypsium's latest research shows that enterprise laptops, servers, and cloud environments continue to be vulnerable to powerful Direct Memory Access (DMA) attacks, even in the presence of protections such as UEFI Secure Boot, Intel Boot Guard, HP Sure Start, and Microsoft Virtualization-Based Security.

DMA attacks are a particularly powerful class of attacks for any adversary who has compromised firmware locally or remotely on peripheral hardware such as network cards, or who has physical access to a system. As the name suggests, DMA attacks enable a potential attacker to read and write memory off a victim system directly, bypassing the main CPU and OS. By overwriting memory, attackers can gain control over kernel execution to perform virtually any manner of malicious activity. We collectively refer to these as Memory Lane attacks.

Earlier on SN:
Thunderbolt Enables Severe Security Threats (2019)
$300 Device Can Steal Mac FileVault2 Passwords (2016)

Original Submission

Arthur T Knackerbracket has found the following story:

On Sept. 11, 2019, two security experts at a company that had been hired by the state of Iowa to test the physical and network security of its judicial system were arrested while probing the security of an Iowa county courthouse, jailed in orange jumpsuits, charged with burglary, and held on $100,000 bail. On Thursday Jan. 30, prosecutors in Iowa announced they had dropped the criminal charges. The news came while KrebsOnSecurity was conducting a video interview with the two accused (featured below).

[...] Under the terms of their contract (PDF), DeMercurio and Wynn were permitted to impersonate staff and contractors, provide false pretenses to gain physical access to facilities, "tailgate" employees into buildings, and access restricted areas of those facilities. The contract said the men could not attempt to subvert alarm systems, force-open doors, or access areas that require protective equipment.

When the duo's early-morning Sept. 11 test of the security at the courthouse in Dallas County, Iowa set off an audible security alarm, they followed procedure and waited on-site for the police. DeMercurio and Wynn said when the county's sheriff deputies arrived on the scene just a few minutes later, they told the officers who they were and why they were there, and that they'd obtained entry to the premises via an unlocked door.

upstart from IRC writes:

UPS is buying thousands of electric vans and teaming up with Waymo to accelerate the future of delivery:

For years, UPS has been gesturing toward a future where some of its delivery vehicles are electric, autonomous, or drones. Now, the delivery giant is taking steps to make that happen with a trio of announcements designed to boost the company's profile — and maybe its stock, too — ahead of its quarterly earnings report. It's the latest sign of UPS's ambition to future-proof its business, especially as Amazon builds out its own delivery infrastructure.

The first announcement concerns a pilot project with Waymo, the Alphabet subsidiary and leading operator of self-driving vehicles. UPS will use some of Waymo's self-driving Chrysler Pacifica minivans to shuttle packages between some of its stores in the Metro Phoenix area and its hub in Tempe, Arizona. The minivans won't be fully driverless; Waymo says it will keep trained safety drivers in the front seat to monitor operations. Despite the limited nature of the pilot, both Waymo and UPS say a "long-term plan" between the companies remains possible.

[...] The second announcement relates to electric vehicles. UPS says it will purchase 10,000 electric delivery vans from a UK startup called Arrival, which it will then add to its fleet in the UK, Europe, and North America over the next four years. UPS's venture capital arm will also make an investment in Arrival of an undisclosed amount.

Arrival only just emerged out of quasi-stealth in recent weeks after announcing a $110 million investment from Hyundai and Kia. Arrival has been working with UPS for several years, first announcing their partnership in 2016. Arrival says that today's vehicle order and investment will "accelerate deployment of fit-for-purpose electric fleets at scale."

[...] Lastly, UPS says it will bring its drone delivery testing to San Diego. The company has been delivering pharmaceuticals and other lightweight cargo to people's homes in North Carolina in partnership with CVS Pharmacy as well as Matternet, a drone logistics company. Now, it will start test deliveries with the University of California San Diego health system.

Original Submission

upstart from IRC writes:

FCC wants to fine one man almost $13 million for making 6,000 robocalls:

When the Federal Communications Commission (FCC) typically fines robocallers, they're usually operations that involve shady companies. Not so with the agency's latest proposed action, which targets a single individual. On Thursday, the FCC said it wants to fine one man $12,910,000 for carrying out massive robocalling campaigns in six states. In all, the person made more than 6,000 calls in California, Flordia, Georgia, Idaho, Iowa and Virginia using an online tool that allowed them to mask their calls as coming from a local number.

[...] In one campaign, for instance, the person made 827 calls to people in the town of Brooklyn, Iowa, "following the murder of a local college student and the arrest of an illegal alien from Mexico for the crime." [...]The agency says the robocaller's racist messages talked about a "brown horde" that the murder victim would have wanted the town to "kill them all." The robocaller even went so far as to phone the parents of the victim.

Original Submission

upstart from IRC writes:

MoviePass is deader than ever as parent company officially files for bankruptcy:

In case you thought the MoviePass saga would remain a smoldering heap of yesterday's news from here on out, guess again. Helios and Matheson Analytics, the theater subscription service's parent company, has at last filed for bankruptcy, according to The Wrap.

[...] "As a result of filing the Petition, a Chapter 7 trustee will be appointed by the Bankruptcy Court to administer the estate of the Company and to perform the duties set forth in Section 704 of the Code," reads a filing with the US Securities and Exchange Commission. That means MoviePass' assets will all likely be sold off in an attempt to pull together the money it owes customers for unused services, as MoviePass was actively charging users up until it suddenly shut down last September.

According to The Wrap, MoviePass may owe $1.2 million to roughly 12,000 subscribers, or $100 each. It's not clear if that group includes a certain class of MoviePass subscriber, like an annual user that was precharged for the service prior to its shutdown, or if that was the total user base of MoviePass at the time it closed its doors.

At one point, after dropping its price to a dangerously low $9.95 a month in the summer of 2017, MoviePass amassed around 3 million subscribers. But many of those users (myself included) fled after the company began doing everything it could to restrict how its service could be used, because its unlimited plan in its original form was directly contributing to immense company-killing quarterly losses. According to separate filings with the SEC last year, MoviePass and its various other businesses, including a film production and distribution arm, cost Helios and Matheson more than half a billion dollars.

Original Submission

Multiple Soylentils have submitted stories regarding the 2019-nCoV coronavirus which is believed to have originated in the city of Wuhan, China in December 2019. Rather than have a smattering of stories appear on the site, they have been gathered here in one story. Read on if you are interested; otherwise another story will be along presently.

upstart from IRC writes:

Apple is officially done rebuilding its maps in the US:

To say Apple Maps stumbled out of the gate is putting it mildly; it quickly became an internetpunchline when it launched in 2012, and left the company with the unenviable job of fixing it. Since then, Apple has been rebuilding the most fundamental part of the experience -- the base maps themselves -- and today the company says it's finally done. Well, in the United States, anyway.

Getting to this point was no small feat. It's been nearly a year and a half since Apple announced its plans, but even before that, a fleet of LIDAR-equipped vans was criss-crossing the United States to capture as much detailed location data as possible. To gather even more geographical context, Apple also captured map data from the air, though it's not clear how many planes the company employed for this work. While Apple wouldn't confirm any increases in budget or staff to make all of this possible, the company's investment in the project seems significant, and there's still more to come. The big push to re-map the United States is now officially done, but Apple has earmarked some of its LIDAR vans for maintenance runs -- that is, they'll continue to roam on roads to make sure that hard-won data remains up to date.

The end result is a more accurate set of maps that you might have already been looking at -- the company has been pushing them live around the country for at least the past six months. There are a few telltale signs to look out for if you're not sure: Coastlines are more accurately represented, as are buildings like airports and malls. When we reviewed iOS 13, we also noticed more nuanced street-level data; there were more street labels on-screen compared to Google Maps, and more streets had traffic direction indicators. That might not sound like a big deal, but it's really helpful when trying to orient yourself when you're emerging from the subway.

Original Submission

An Anonymous Coward writes:

UK set for Brexit, as PM promises 'new dawn'

The UK [officially left] the European Union at 23:00 GMT, ending 47 years of membership.

[...] Pro and anti-Brexit demonstrations and marches are being held across the country, as the UK flag is taken down from EU institutions in Brussels.

Little will change immediately, as the UK begins a "transition period".

Most EU laws will continue to be in force - including the free movement of people - until the end of December, by which time the UK aims to have reached a permanent free trade agreement with the EU.

[...] The prime minister held a cabinet meeting at the National Glass Centre, a museum and arts centre in Sunderland, the city that was the first to back Brexit when results were announced after the referendum.

The meeting was held amid tight security.

[...] Mr Johnson told the Cabinet it was time to start a "new chapter in the United Kingdom's story" and end the division of the past three and a half years, according to a Downing Street spokesman.

The Cabinet discussed future trade deals, including seeking a a Canada-style free trade agreement with the EU, and Mr Johnson thanked Brexit Secretary Stephen Barclay for the work of his department, which is being wound up.

The PM told ministers the government aimed to have 80% of the UK's trade with other nations covered by free trade agreements within three years.

[...] "This is the moment when the dawn breaks and the curtain goes up on a new act. It is a moment of real national renewal and change."

[...] A new commemorative 50p coin will also come into circulation to mark the UK's withdrawal.

Original Submission

canopic jug writes:

MIDI, a standard for digital music since 1981, has been updated to MIDI 2.0. New MIDI 2.0 is not dependent on any particular hardware implementation such as USB or Ethernet. Some of the main goals of the new protocol are to provide higher resolution, more channels, and improved performance and expressiveness. Another change is a move from a byte stream to data packets.

MIDI 2.0 is designed to "deliver an unprecedented level of nuanced musical and artistic expressiveness," and leans on three key design decisions to do so. Firstly its new 32-bit resolution makes for smoother, continuous, analogue feel - if you want that. Controllers will be easy to use and there will be more of them. Lastly major timing advances are present in the standard.

Also at the MIDI Association's press release, Details about MIDI 2.0™, MIDI-CI, Profiles and Property Exchange.

Original Submission

An Anonymous Coward writes:

Murphy's law has it that bad things will happen at the worst possible time. What could be worse than losing power at a hospital with patients on the tables? One Australian hospital now knows the answer after power was cut to the hospital leaving doctors to complete a surgery using a mobile phone for light. Medical staff had completed the minor surgery and were starting to put stitches in when the lights went out, just before 2:00pm. It goes to show what ingenuity can bring when a need calls for it.

Original Submission

Arthur T Knackerbracket has found the following story:

LeoLabs estimated that the satellites could pass within 15-30m of one another. Neither satellite could be controlled or moved. All we could do was watch whatever unfolded above us.

Collisions in space can be disastrous and can send high-speed debris in all directions. This endangers other satellites, future launches, and especially crewed space missions.

As a point of reference, NASA often moves the International Space Station when the risk of collision is just one in 100,000. Last year the European Space Agency moved one of its satellites when the likelihood of collision with a SpaceX satellite was estimated at one in 50,000. However, this increased to one in 1,000 when the US Air Force, which maintains perhaps the most comprehensive catalog of satellites, provided more detailed information.

Following LeoLabs' warning, other organizations such as the Aerospace Corporation began to provide similarly worrying predictions. In contrast, calculations based on publicly available data were far more optimistic. Neither the US Air Force nor NASA issued any warning.

This was notable, as the United States had a role in the launch of both satellites involved in the near-miss. The first is the Infrared Astronomical Satellite (IRAS), a large space telescope weighing around a tonne and launched in 1983. It successfully completed its mission later that year and has floated dormant ever since.

Based on an aristarchus submission:

Source: Technology Review

A new study [PDF] suggests what we've suspected for years is right: YouTube is a pipeline for extremism and hate.

How do we know that? More than 330,000 videos on nearly 350 YouTube channels were analyzed and manually classified according to a system designed by the Anti-Defamation League. They were labeled as either media (or what we think of as factual news), "alt-lite" intellectual dark web, or alt-right.

[...] The alt-right is what's traditionally associated with white supremacy, pushing for a white ethnostate. Those who affiliate with the "intellectual dark web" justify white supremacy on the basis of eugenics and "race science." Members of the alt-lite purport to not support white supremacy, though they believe in conspiracy theories about "replacement" by minority groups.

[...] The study's authors hypothesized that the alt-lite and intellectual dark web often serve as a gateway to more extreme, far-right ideologies. So they tested that by tracing the authors of 72 million comments on about two million videos between May and July of last year. The results were worrying. More than 26% of people who commented on alt-lite videos tended to drift over to alt-right videos and subsequently comment there.