UK budget airline EasyJet reported on Tuesday that hackers accessed the email addresses and travel details of more than 9 million customers in a "highly sophisticated" cyberattack. The hackers also accessed the credit card details of 2,208 customers.
The airline in the coming days will contact customers whose details were exposed in the breach. It has already contacted, and offered support to, those whose credit card information was accessed.
[...] As soon as the airline became aware of the attack, it took steps to respond to and manage the incident and engaged forensic experts to investigate the issue, EasyJet said. It also notified the National Cyber Security Centre and the ICO, the UK's data protection watchdog.
"We have a live investigation into the cyber attack involving easyJet," said a spokeswoman for the ICO in a statement. "People have the right to expect that organisations will handle their personal information securely and responsibly. When that doesn't happen, we will investigate and take robust action where necessary."
The ICO will be able to examine whether EasyJet should be fined under Europe's General Data Protection Regulation (GDPR), which is part of UK law.
EasyJet has admitted that a "highly sophisticated cyber-attack" has affected approximately nine million customers.
It said email addresses and travel details had been stolen and that 2,208 customers had also had their credit card details "accessed".
The firm has informed the UK's Information Commissioner's Office while it investigates the breach.
EasyJet first became aware of the attack in January.
It told the BBC that it was only able to notify customers whose credit card details were stolen in early April.
"This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted," the airline told the BBC.
"We could only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected, then who had been impacted and what information had been accessed."
Stolen credit card data included the three-digit security code - known as the CVV number - on the back of the card itself.
EasyJet added that it had gone public now in order to warn the nine million customers whose email addresses had been stolen to be wary of phishing attacks.
It said that it would notify everyone affected by 26 May.
As outlined in a whitepaper [PDF] this month, the new spec will let existing SD Express and microSD Express cards employ PCIe 4.0 and NVMe to deliver a top data transfer speed of [3938 MB/s].
While the new spec is backwards-compatible, the latest top speed will only come with a card reader capable of connecting to the extra row of pins present on SD Express cards that support dual PCIe lanes.
[...] The good news is that SD Express and microSD Express cards can still get to 1970 MB/s on a device with a single PCIe 4.x lane under version 8 of the specification, and SD Express can get there with a pair of 3.x lanes. Which is rather faster than many SSDs and, as SD Express can climb to 128TB on a single card, a rather tasty storage option.
On Tuesday, NASA announced that its chief of human spaceflight had resigned from the space agency. The timing of Doug Loverro's departure is terrible, with NASA's first launch of humans in nearly nine years due to occur in just eight days.
[...] "Associate Administrator for Human Exploration and Operations Doug Loverro has resigned from his position effective Monday, May 18," the statement said. "Loverro hit the ground running this year and has made significant progress in his time at NASA. His leadership of HEO has moved us closer to accomplishing our goal of landing the first woman and the next man on the Moon in 2024. Loverro has dedicated more than four decades of his life in service to our country, and we thank him for his service and contributions to the agency."
Loverro's resignation set off a firestorm of speculation after it was announced. He was due to chair a Flight Readiness Review meeting on Thursday to officially clear SpaceX's Crew Dragon spacecraft for the first flight of humans to the International Space Station. The final go or no-go decision for that mission was to be his. That launch is presently scheduled for May 27.
However, his departure does not seem to be directly related to his work on Crew Dragon. Rather it seems to stem from the recent process during which NASA selected three bids—led by Blue Origin, Dynetics, and SpaceX—from among five bidders. In an email to the human exploration staff at NASA on Tuesday, Loverro admitted that he made a mistake earlier this year.
"Our mission is certainly not easy, nor for the faint of heart, and risk-taking is part of the job description," Loverro wrote. "The risks we take, whether technical, political, or personal, all have potential consequences if we judge them incorrectly. I took such a risk earlier in the year because I judged it necessary to fulfill our mission. Now, over the balance of time, it is clear that I made a mistake in that choice for which I alone must bear the consequences. And therefore, it is with a very, very heavy heart that I write to you today to let you know that I have resigned from NASA effective May 18th, 2020."
Academic researchers have uncovered security vulnerabilities in Bluetooth Classic that allow attackers to spoof paired devices: they found that the bugs allow an attacker to insert a rogue device into an established Bluetooth pairing, masquerading as a trusted endpoint. This allows attackers to capture sensitive data from the other device.
The bugs allow Bluetooth Impersonation Attacks (BIAS) on everything from internet of things (IoT) gadgets to phones to laptops, according to researchers at the École Polytechnique Fédérale de Lausanne (EPFL) in France. The flaws are not yet patched in the specification, though some affected vendors may have implemented workarounds.
"We conducted BIAS attacks on more than 28 unique Bluetooth chips (by attacking 30 different devices)," the researchers said. "At the time of writing, we were able to test chips from Cypress, Qualcomm, Apple, Intel, Samsung and CSR. All devices that we tested were vulnerable to the BIAS attack."
The issue lies in the pairing/bonding protocols used in the specification. When two Bluetooth devices are paired for the first time, they exchange a persistent encryption key (the "long-term key") that will then be stored, so that the endpoints are thereafter bonded and will connect to each other without having to perform the lengthier pairing process every time.
For the attacks to be successful, an attacking device would need to be within wireless range of a vulnerable Bluetooth device that has previously established bonding with a remote device with a Bluetooth address known to the attacker.
The post-pairing connections are enabled because the devices – let's call them Alice and Bob – perform a background check to make sure both possess the long-term key. This is done using the Legacy Secure Connections or Secure Connections protocols inside the Bluetooth specification, which verify three things: Alice's Bluetooth address, Bob's Bluetooth address and the shared long-term key.
As the researchers explained in their paper released on Monday, an attacker (let's call him Charlie) can change his Bluetooth address to mimic either Alice's or Bob's address (uncovered via simple eavesdropping), "but he cannot prove the ownership of [the long-term key]." The researchers explained, "this is the fundamental assumption behind Bluetooth's authentication guarantees, and this assumption should protect against impersonation attacks."
They added, "Both procedures authenticate [the long-term key] using a challenge-response protocol, and the procedure selection depends on Alice and Bob's supported features. The standard claims that both procedures protect secure connection establishment against impersonation attacks, as an attacker who does not know [the long-term key] cannot provide a correct response to a challenge."
However, several bugs exist in these processes, they found, opening the door for BIAS gambits while that post-pairing connection is being carried out. The problems include: the Bluetooth secure connection establishment is neither encrypted nor integrity-protected; Legacy Secure Connections secure connection establishment does not require mutual authentication; a Bluetooth device can perform a role switch at any time after baseband paging; and devices that paired using Secure Connections can use Legacy Secure Connections during secure connection establishment.
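A toy model of the post-pairing authentication described above, added here as an example and not code from the paper or from any Bluetooth stack. HMAC-SHA256 stands in for the Bluetooth key functions, the Bluetooth addresses are constructed sample values, and the message flow is simplified; it shows why one-way (legacy) authentication accepts a peer that only knows Alice's address, and why requiring mutual authentication and refusing the Secure Connections to Legacy downgrade closes that gap.

```python
"""Toy model of Bluetooth post-pairing authentication and the BIAS weaknesses.

Assumptions for this example: HMAC-SHA256 replaces the real Bluetooth
key functions, and addresses/keys are constructed sample values.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

ALICE_ADDR = "AA:BB:CC:DD:EE:FF"  # constructed sample address
BOB_ADDR = "00:11:22:33:44:55"    # constructed sample address


def respond(long_term_key: bytes, challenge: bytes) -> bytes:
    """Response tag that only a holder of the long-term key can compute."""
    return hmac.new(long_term_key, challenge, hashlib.sha256).digest()


class Device:
    def __init__(self, name: str, address: str, long_term_key: Optional[bytes]):
        self.name, self.address, self.ltk = name, address, long_term_key

    def answer(self, challenge: bytes) -> bytes:
        # A device without the key can only guess a response.
        if self.ltk is None:
            return os.urandom(32)
        return respond(self.ltk, challenge)

    def check(self, challenge: bytes, response: bytes) -> bool:
        # An impersonator holding the verifier role accepts anything; a
        # genuine device compares against the keyed response in constant time.
        if self.ltk is None:
            return True
        return hmac.compare_digest(response, respond(self.ltk, challenge))


def legacy_one_way(verifier: Device, claimant: Device) -> Dict[str, bool]:
    """Legacy Secure Connections: only the verifier (master) challenges.
    The claimant accepts the peer on the strength of its address alone."""
    challenge = os.urandom(16)
    response = claimant.answer(challenge)
    return {verifier.name: verifier.check(challenge, response), claimant.name: True}


def mutual(a: Device, b: Device) -> Dict[str, bool]:
    """Secure Connections: each side challenges the other."""
    ca, cb = os.urandom(16), os.urandom(16)
    return {a.name: a.check(ca, b.answer(ca)), b.name: b.check(cb, a.answer(cb))}


def honest_pair_connects() -> bool:
    """Sanity check: two devices sharing the long-term key authenticate each other."""
    ltk = os.urandom(16)
    alice, bob = Device("Alice", ALICE_ADDR, ltk), Device("Bob", BOB_ADDR, ltk)
    return all(mutual(alice, bob).values())


def bob_accepts_charlie(mode: str, bob_requires_sc: bool = False) -> bool:
    """Does honest Bob accept Charlie, who copied Alice's address but lacks the key?"""
    ltk = os.urandom(16)
    bob = Device("Bob", BOB_ADDR, ltk)
    charlie = Device("Charlie", ALICE_ADDR, None)  # spoofed address, no key
    if mode == "legacy":
        if bob_requires_sc:
            # Mitigation: Bob paired with Secure Connections and refuses the
            # downgrade to Legacy Secure Connections.
            return False
        # After a role switch Charlie holds the verifier role, so Bob is only
        # ever asked to answer a challenge and never gets to issue one.
        return legacy_one_way(verifier=charlie, claimant=bob)["Bob"]
    if mode == "mutual":
        # Bob issues his own challenge, which Charlie cannot answer.
        return mutual(bob, charlie)["Bob"]
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    print("honest pair:", honest_pair_connects())
    print("legacy, one-way auth, Bob accepts impersonator:", bob_accepts_charlie("legacy"))
    print("mutual auth, Bob accepts impersonator:", bob_accepts_charlie("mutual"))
    print("downgrade refused, Bob accepts impersonator:", bob_accepts_charlie("legacy", True))
```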
Severe flooding struck central Michigan on Wednesday after two dams were breached and days of heavy rainfall, forcing the evacuation of thousands of residents and prompting officials to warn of life-threatening danger.
The failures on Tuesday of the Edenville Dam and the Sanford Dam, about 140 miles northwest of Detroit, led the National Weather Service to issue a flash flood warning for areas near the Tittabawassee River, with downstream effects expected from Midland to Saginaw overnight. Residents in nearby towns, including Edenville, Sanford and Midland, were evacuated.
Gov. Gretchen Whitmer said at a news conference on Tuesday that downtown Midland, with a population of more than 41,000, could be under nine feet of water by Wednesday morning.
[...] The Tittabawassee River was expected to crest at 38 feet by 8 a.m. Wednesday, more than four feet higher than its record of 34 feet set in 1986. The flood stage is at 24 feet.
Dow Chemical Company, based in Midland, has activated its emergency operations center and will be adjusting operations, Rachelle Schikorra, a spokeswoman, told The Associated Press.
According to Detroit Free Press:
In 2018, the Federal Energy Regulatory Commission revoked the license of the company that operated the Edenville Dam due to non-compliance issues that included spillway capacity and the inability to pass the most severe flood reasonably possible in the area.
The Edenville Dam, which was built in 1924, was rated in unsatisfactory condition in 2018 by the state. The Sanford Dam, which was built in 1925, received a fair condition rating.
King penguins are big birds. The Antarctic residents eat a lot of seafood and make a lot of guano. It's all part of the circle of life, but it's created some challenges for scientists researching the birds.
University of Copenhagen professor Bo Elberling contributed to a penguin-poop study published this week in the journal Science of the Total Environment. The paper investigated the relationship between the bird guano and fluxes in soil greenhouse gases. Nitrous oxide[*], widely known as laughing gas, is one of those gases.
"Penguin guano produces significantly high levels of nitrous oxide around their colonies. The maximum emissions are about 100 times higher than in a recently fertilized Danish field," Elberling said in a University of Copenhagen release.
[...] The research team analyzed soil and feces samples collected in Antarctica. The king penguin diet is high in nitrogen. What goes in one end comes out the other. Once on the ground, soil bacteria go to work turning the nitrogen into laughing gas.
"After nosing about in guano for several hours, one goes completely cuckoo," Elberling said. "One begins to feel ill and get a headache."
Peiyan Wang, Ludovica D'Imperio, Elisabeth M. Biersma, et al. Combined effects of glacial retreat and penguin activity on soil greenhouse gas fluxes on South Georgia, sub-Antarctica, Science of The Total Environment (DOI: 10.1016/j.scitotenv.2019.135255)
[*] Wikipedia entry on Nitrous Oxide (N2O)
US warns carriers to boost security, citing reports of attacks in several states.
The Department of Homeland Security is reportedly issuing alerts to wireless telecom providers and law enforcement agencies about potential attacks on cell towers and telecommunications workers by 5G/coronavirus conspiracy theorists. The DHS warned that there have already been "arson and physical attacks against cell towers in several US states."
The preposterous claim that 5G can spread the coronavirus, either by suppressing the immune system or by directly transmitting the virus over radio waves, led to dozens of tower burnings in the UK and mainland Europe. Now, the DHS "is preparing to advise the US telecom industry on steps it can take to prevent attacks on 5G cell towers following a rash of incidents in Western Europe fueled by the false claim that the technology spreads the pathogen causing COVID-19," The Washington Post reported last week.
FACT: 5G mobile networks DO NOT spread COVID-19!
Researchers from Ledger—a firm that makes hardware wallets itself—have demonstrated attacks against products from manufacturers Coinkite and Shapeshift that could have allowed an attacker to figure out the PIN that protects those wallets. The vulnerabilities have been fixed, and both hacks would have required physical access to the devices, which minimizes the danger to begin with. But Ledger argues that it's still worth holding hardware wallets to the highest standards, just as you would a closet safe.
[...] Shapeshift fixed a vulnerability in its KeepKey wallet with a firmware update in February. If you haven't already, connect your KeepKey wallet to the desktop app to download the update onto your device. A hardware flaw in Coinkite's Coldcard Mk2 wallet persists, but it is fixed in the company's current Coldcard model Mk3, which started shipping in October. The researchers will present their attack on the Mk2 at the French security conference SSTIC in June.
[...] In examining the KeepKey memory chip that stores a user's authentication PIN, the Donjon researchers found that they could monitor voltage output changes as the chip received PIN inputs to determine the PIN itself.
[...] ShapeShift patched the vulnerability in a firmware update that enhanced the security of the PIN verification function. The fix makes it more difficult to develop a reliable catalog of power consumption outputs that map to PIN values. Even if a wallet hasn't received the update, though, KeepKey owners can still add a passphrase—preferably over 37 characters long—to their wallets that acts as a second layer of authentication.
[...] The other new findings from Donjon focus on the Coldcard Mk2 wallet. The attack would be difficult for a hacker to carry out, because Coldcard uses special secure memory that blocks the type of side-channel attack the researchers launched against the KeepKey wallet and strictly limits PIN guessing. Coldcard manufacturer Coinkite outsources the chip from the microcontroller company Microchip. But the researchers still found that they could use what's called a "fault injection attack"—a hack that causes a strategic glitch triggering unintended, exploitable computer behavior—to force the chip into an insecure debugging mode. In this state, the chip's PIN guess limit isn't in effect, meaning an attacker could "brute force" the PIN by trying every possible combination until the wallet unlocks.
To trigger the special glitch, the researchers used an impressively outlandish attack, though one that is not inconceivable for a motivated and well-funded adversary. The fault injection comes from carefully opening the physical case of the Coldcard wallet, exposing the secure chip, physically grinding down its silicon without damaging it, and shining a high-powered, targeted laser on the chip in exactly the right location with precise timing. Laser fault injection rigs cost roughly $200,000 and require special skills to operate. They are typically used for security and performance testing in smart cards, like those in your credit card or passport.
[English and Welsh] Courts will have the power to order those convicted of drink-related crimes to wear an ankle monitor for up to 120 days. It assesses whether there is any alcohol in their sweat.
[...] Keith Hunter, the police and crime commissioner (PCC) for Humberside, said: "During the trial in our area they provided rehabilitation agencies a real opportunity to work with the individual and get them to recognise and change their behaviour.
[...] The tough community sentences not only punish offenders, according to the Ministry of Justice, but also help their rehabilitation by forcing them to address the causes of their harmful behaviour.
They will not be used on people who are alcohol-dependent or have certain medical conditions. Judges have been calling for many years for tougher non-custodial sentences.
An unidentified offender, who wore one of the tags in the Humberside, Lincolnshire and North Yorkshire pilot scheme, said: "Since I had the tag removed I feel 100% in control of my drinking. I was worried to begin with that when I had the tag taken off I might go back to drinking again but the process gave me a better understanding of alcohol. I also didn't want to go back to court.
"I no longer need a drink to manage my emotions which is down to the tag and my probation officer – I'm much happier with my life now and pleased that more people can benefit from my experience of wearing the tags."
First they came for the socialists and I did not speak out...
[Editor's Note: Corrected spelling of Welch to Welsh 2-May0515UTC--JR]
Linux on Windows 10 gets a big boost and GPU acceleration
Microsoft is promising to dramatically improve its Windows Subsystem for Linux (WSL) with GUI app support and GPU hardware acceleration. The software giant is adding a full Linux kernel to Windows 10 with WSL version 2 later this month, and it’s now planning to support Linux GUI apps that will run alongside regular Windows apps.
This will be enabled without Windows users having to use X11 forwarding, and it’s mainly designed for developers to run Linux integrated development environments (IDE) alongside regular Windows apps.
While it has been possible to run Linux GUI apps within Windows previously using a third-party X server, poor graphics performance has always been an issue. Microsoft is promising to solve this, too. Windows 10 will soon get added support for GPU hardware acceleration with Linux tools. This is primarily focused on development scenarios involving parallel computation or training machine learning and artificial intelligence models.
So is it the year of Linux on the Desktop?
In a surprising twist, AMD has today announced that it intends to enable Ryzen 4000 and Zen 3 support on its older B450 and X470 Motherboards. This is going to be a 'promise now, figure out the details later' arrangement, but this should enable most (if not all) users running 400 series AMD motherboards to upgrade to the Zen 3 processors set to be unveiled later this year.
[...] AMD came under a lot of fire. The company had originally promised that it would support the AM4 platform from 2016 through 2020 (or 'through to' 2020). A lot of users had assumed that this meant any AM4 platform based motherboard would be able to accept any processor made from 2016 to 2020, including the new Zen 3 processors set to be unveiled later this year. The fact that there was a discrepancy between what the users expected and what AMD had been saying essentially became a miscommunication or a misunderstanding, but one that had a negative effect on a number of users who were expecting to upgrade the system.
Ultimately the reason for the lockout was down to the BIOS size. Each generation of processors requires a portion of the BIOS space for compatibility code – normally if you can support one processor from a generation, then you can support them all. We are also in the era of graphical interface BIOSes, and as a result some of the BIOS code was reserved for fancy menus and the ability to adjust fan curves or update the BIOS in a more intuitive way. All of this takes up space, and some vendors ditched the fancy graphics in order to support more processors.
Most AMD motherboards are outfitted with 128 megabit (16 megabyte) BIOS chips. The reason why this is the case is due to a limitation on some of AMD's early AM4 processors – due to design, they can only ever address the first 16 megabytes of a BIOS chip. So even if a motherboard vendor had a larger BIOS chip, say MSI had a 32 megabyte chip, then it would actually operate like two partitioned BIOSes and it would get very complicated. There is no easy way to support every AM4 processor with a simple 16 megabyte BIOS.
A federal judge on Saturday denied Martin Shkreli's request for a "compassionate release" from prison, which was pitched as a way to protect him from contracting the new coronavirus—and to help him work on a cure for COVID-19 so he could save the rest of the world.
Lawyers for the infamous ex-pharmaceutical executive filed an emergency motion April 22 in a bid to free him from the slammer. They argued that Shkreli is at high risk of contracting the virus in the close quarters of federal prison and could possibly become severely ill or die. They also argued that he is in a unique position to work on a cure for the devastating viral illness now sweeping the globe. Shkreli himself publicly made that claim in early April via a scientific document outlining his preliminary efforts to develop an antiviral drug.
In the emergency motion, his lawyers argued that "Current conditions of confinement threaten his health and life and prevent him from doing work that would contribute to the betterment of society worldwide."
Though Shkreli is best known for ruthlessly jacking up the price of a lifesaving generic drug, he is serving an 84-month sentence following his 2017 conviction on two counts of securities fraud and one count of conspiring to commit securities fraud. The charges were in connection with an alleged Ponzi-like scheme involving two hedge funds he previously managed and his former pharmaceutical company, Retrophin. He has served 41 months of his sentence so far.
[...] [federal prosecutors] also noted that, at the time of their court filing, there were no cases of COVID-19 in staff or inmates at the facility in which Shkreli is being held, FCI Allenwood Low.
ACLU Senior Staff Attorney Brett Max Kaufman responded to [US Attorney General] Barr's comments, saying "Every time there's a traumatic event requiring investigation into digital devices, the Justice Department loudly claims that it needs backdoors to encryption, and then quietly announces it actually found a way to access information without threatening the security and privacy of the entire world. The boy who cried wolf has nothing on the agency that cried encryption." While Barr's push for backdoors and cooperation from phone manufacturers raises concerns, Kaufman's response doesn't address that the DoJ isn't seeking the ability to unlock phones, but to do so as quickly as possible.
Apple's refusal to work with law enforcement has been an issue for years. The company wants to ensure its users feel confident in trusting Apple with their data, yet police and the FBI say that the refusals to cooperate hinder investigations and put lives at risk. It sounds like Barr wants to put a system into law that would oblige Apple to comply in future cases. How realistic this plan is -- or how much buy-in from politicians it will get -- remains to be seen, though it would force Apple to rethink how it approaches user privacy.
According to NYU Grossman School of Medicine researchers who led the study, people with the immune disorder have severe gut reactions, including diarrhea and bloating, to foods containing gluten, a protein found in wheat, rye and barley. The only treatment is a gluten-free diet, with no bread, pasta, or cake, says lead investigator and doctoral student Abigail Gaylord, MPH.
Reporting in the journal Environmental Research online May 12, the NYU Langone team found that children and young adults with high blood levels of pesticides -- and with high levels of pesticide-related chemicals called dichlorodiphenyldichlorethylenes (DDEs) -- were twice as likely to be newly diagnosed with celiac disease as those without high levels.
The study also found that gender differences existed for celiac disease related to toxic exposures. For females, who make up the majority of celiac cases, higher-than-normal pesticide exposure meant they were at least eight times more likely to become gluten intolerant. Young females with elevated levels of nonstick chemicals, known as perfluoroalkyls, or PFAs, including products like Teflon, were five to nine times more likely to have celiac disease.
Young males, on the other hand, were twice as likely to be diagnosed with the disease if they had elevated blood levels of fire-retardant chemicals, polybrominated diphenyl ethers, or PBDEs.
Abigail Gaylord, Leonardo Trasande, Kurunthachalam Kannan, Kristen M. Thomas, Sunmi Lee, Mengling Liu, Jeremiah Levine. Persistent organic pollutant exposure and celiac disease: A pilot study. Environmental Research, 2020; 109439 DOI: 10.1016/j.envres.2020.109439
"One of the major goals of spintronics research is to control the direction of the spin of electrons in materials," explains Andrew Kent, a professor in NYU's Department of Physics and one of the paper's senior authors. "This research shows a new and fundamental mechanism for setting the electron spin direction in a conducting material."
"This advance in spintronics offers a novel way to exert torques on a magnetic layer," adds senior co-author Jonathan Sun of IBM Research and a visiting scholar at NYU. "It's a promising advance that has the potential to reduce energy and space requirements for device data storage."
The work, conducted with Junwen Xu, an NYU graduate student, and Christopher Safranski of IBM Research, is the latest example of a phenomenon central to the transmission of information: altering it from one form to another.
[...] In the Physical Review Letters research, Safranski, Sun, Xu, and Kent focused on demonstrating a novel mechanism for the control of spin direction—the direction that controls the stored bits of information.
Historically, current flow in non-magnetic heavy metals has been shown to lead to spin polarization, or a direction of its net magnetic moment, at the surface of the conductor, an effect known as the spin Hall effect. However, the direction of the spin polarization in the spin Hall effect is always parallel to the surface of the conductor. This limits its applications because it provides only one possible axis of spin polarization, limiting storage density.
In the Physical Review Letters research, the scientists used the planar-Hall effect in a ferromagnetic conductor to control the orientation of the spin-polarization axis.
Specifically, they deployed a ferromagnetic conductor—iron, nickel, and cobalt are examples of such conductors—and found that current flow in the conductor can produce a spin polarization that is in a direction set by its magnetic moment. This is significant because the magnetic moment direction can now be set in just about any desired direction to then set the spin polarization—a flexibility not possible under the contours of the spin Hall effect in non-magnetic heavy metals.
Christopher Safranski, Jonathan Z. Sun, Jun-Wen Xu, et al. Planar Hall Driven Torque in a Ferromagnet/Nonmagnet/Ferromagnet System, Physical Review Letters (DOI: 10.1103/PhysRevLett.124.197204)