Since the beginning of 2020 Netflix has been waging a war against its own users to prevent them from using proxy, VPN and unblocker technology to access Netflix content, even though this action is legal in many countries. In Australia Netflix has reported "connection errors" to paying customers, advising them to "check their network", including to "restart their router", in order to "fix" a problem accessing Netflix. The issue is that there was no such problem. It was Netflix deliberately blocking paying customers from accessing the service they paid for. As of June 2020 Netflix shows a proper error message and redirects users to a page stating that using a proxy or VPN is disallowed. While Netflix can set the terms of service, it can't deceive customers or act fraudulently. Netflix did not post information to its customers that it was blocking VPNs, for example; it just cut the connection. This deceptive behaviour could see Netflix run afoul of the ACCC Non-delivery of products & services, which states that it is illegal for a business to accept payment for products or services they do not intend to supply.
What would you do if you were paying for a service and the vendor refused to provide the service and did not tell you why?
The co-owners of vDOS, a now-defunct service that for four years helped paying customers launch more than two million distributed denial-of-service (DDoS) attacks that knocked countless Internet users and websites offline, each have been sentenced to six months of community service by an Israeli court.
A judge in Israel handed down the sentences plus fines and probation against Yarden Bidani and Itay Huri, both Israeli citizens arrested in 2016 at age 18 in connection with an FBI investigation into vDOS.
Until it was shuttered in 2016, vDOS was by far the most reliable and powerful DDoS-for-hire or “booter” service on the market, allowing even completely unskilled Internet users to launch crippling assaults capable of knocking most websites offline.
vDOS advertised the ability to launch attacks at up to 50 gigabits of data per second (Gbps) — well more than enough to take out any site that isn’t fortified with expensive anti-DDoS protection services.
The Hebrew-language sentencing memorandum (PDF 379 KB) has redacted the names of the defendants, but there are more than enough clues in the document to ascertain the identities of the accused. For example, it says the two men earned a little more than $600,000 running vDOS, a fact first reported by this site in September 2016 just prior to their arrest, when vDOS was hacked and KrebsOnSecurity obtained a copy of its user database.
In addition, the document says the defendants were initially apprehended on September 8, 2016, arrests which were documented here two days later.
Also, the sentencing mentions the supporting role of a U.S. resident named only as “Jesse.” This likely refers to 23-year-old Jesse Wu, who KrebsOnSecurity noted in October 2016 pseudonymously registered the U.K. shell company used by vDOS, and ran a tiny domain name registrar called NameCentral that vDOS and many other booter services employed.
-- submitted from IRC
As reported on LWN and Ars Technica, iXsystems — the company behind FreeNAS — is creating a new Debian/Linux distribution called TrueNAS SCALE.
FreeNAS is coming to Linux
TrueNAS isn’t abandoning BSD—but it is adopting Linux
FreeNAS is a popular FreeBSD-based FOSS NAS distribution. Recently, it has been merged with TrueNAS into TrueNAS CORE. TrueNAS is iXsystems's enterprise/commercial variant of the FOSS FreeNAS. After the merge, both FOSS and enterprise users will run the same distribution; enterprise users will, however, be able to access the enterprise features via some licensing scheme. (The submitter has not researched the FOSS licensing implications, but assumes it is implemented in a way that doesn't compromise the integrity for FOSS users.)
Moving forward, iXsystems is developing FreeNAS SCALE, which is based on Debian Linux. FreeNAS SCALE will be maintained alongside FreeNAS CORE, the FreeBSD version.
One of the motivations for using Debian could be that ZFS development is now happening primarily on Linux and getting backported/merged into FreeBSD. Also, as a FreeNAS user myself, being able to run Linux containers (which are now in widespread use) is a big advantage. Perhaps iXsystems thinks so as well.
From the announcement FreeNAS and TrueNAS are Unifying - iXsystems, Inc. - Enterprise Storage & Servers:
FreeNAS and TrueNAS have been separate-but-related members of the #1 Open Source storage software family since 2012. FreeNAS is the free Open Source version with an expert community and has led the pursuit of innovations like Plugins and VMs. TrueNAS is the enterprise version for organizations of all sizes that need additional uptime and performance, as well as the enterprise-grade support necessary for critical data and applications.
From the beginning at iXsystems, we’ve developed, tested, documented, and released both as separate products, even though the vast majority of code is shared. This was a deliberate technical decision in the beginning but over time became less of a necessity and more of “just how we’ve always done it”. Furthermore, to change it was going to require a serious overhaul to how we build and package both products, among other things, so we continued to kick the can down the road. As we made systematic improvements to development and QA efficiency over the past few years, the redundant release process became almost impossible to ignore as our next major efficiency roadblock to overcome. So, we’ve finally rolled up our sleeves.
With the recent 11.3 release, TrueNAS gained parity with FreeNAS on features like VMs and Plugins, further homogenizing the code. Today, we announce the next phase of evolution for FreeNAS and TrueNAS.
With the 12.0 release coming in the latter half of the year, we will not only bring more features and improvements than any release that has come before it, we will also unify both products into a single software image and name! This shift will have a great many benefits for users, but before we go into further detail, we’d like to first reassure you that there are no plans to stop releasing a free version, close the source or limit features. Just want to make sure that’s out of the way before we go on! 🙂
In case you were wondering, it appears they do not support the Raspberry Pi.
Just a few weeks ago, we had a story about how SpaceX released a docking simulator that lets anyone try to safely connect the crew capsule with the ISS. SpaceX had a history of not taking itself too seriously. The drone ships for landing the Falcon-9 boosters are named Just Read the Instructions and Of Course I Still Love You (from Iain M. Banks' Culture fictional universe)... knowing full well the ships' names would be announced every time there was a landing attempt. Then came the names of the fairing recovery ships: Ms. Tree and Ms. Chief. And, of course, there was the time Elon Musk launched his bright red Tesla Roadster (and star man) as the payload on the inaugural launch of the Falcon Heavy.
So, it should come as no surprise that an Anonymous Coward wrote in to tell us that SpaceX had been at it again; the docking simulator had an Easter Egg embedded in it! Here's a link to the simulator again: https://iss-sim.spacex.com/
Apparently, if you do a 180 and pitch down you can see Elon's Roadster. Extra points if you bump it into the atmosphere for burn up. Is this for real? Who will be the first Soylentil to achieve and confirm these?
Previously:
(2020-05-13) SpaceX Crew Dragon Simulator Challenges You to Dock with the ISS, and It's Not Easy
As promised, here's the round-table discussion post that I said on Wednesday was coming. We have a long history at SoylentNews of listening and responding to our community; I genuinely hope that never changes. I also recognize that I may have ruffled some feathers in the last few weeks with original content postings so here's the best place to get this all out.
I am mindful of the community's support and goodwill; I don't want to squander any of it. Yes, there are times where my hand may be forced (e.g., DMCA takedowns). Still, I'm always a bit hesitant whenever I post on the main site for anything that isn't site update news or similar. I may be the de facto site leader, but I want my submissions to be treated like anyone else's — I want no favoritism. The editorial team does review my stories and signs off before they go live (unless it's an "emergency" situation such as the last time we blew up the site). However, as the saying goes, the buck stops with me.
SoylentNews accepts original content. I'm also aware that I've probably submitted the most original content so far (See "Previously", below for some examples). I'm grateful for the community's apparent acceptance of my submissions and the positive responses to them. What I don't know is if there is an undercurrent of displeasure with these. Maybe everyone thinks these are all fine. Then again, maybe somebody has an issue with them. Rather than assume anything, let's get it all out in the open.
What I want to cover in this round-table discussion is original content and having images in posts as well as topics such as yesterday's Live Show on Improving Your Security -- Wednesday June 3rd, 2020.
So, contributors and commenters to SoylentNews, get that Reply button hot and let me hear your feedback. As usual, either a member of staff or I will respond to your comments below.
73 de NCommander
Previously:
(2020-06-03) Live Show on Improving Your Security -- Wednesday June 3rd, 2020
(2020-05-24) Retrotech: The Novell NetWare Experience
(2020-05-14) Exploring Windows for Workgroups 3.11 - Early 90s Networking
(2020-05-10) Examining Windows 1.0 HELLO.C - 35 Years of Backwards Compatibility
(2020-05-15) Meta: Having a Chat about SoylentNews' Internet Relay Chat
(2018-10-25) My Time as an ICANN Fellow
(2017-10-09) soylentnews.org experiencing DNSSEC issues
(2017-04-20) Soylentnews.org is Moving to Gentoo...
(2017-04-17) SN Security Updates: CAA, LogJam, HTTP Method Disable, and 3DES
(2017-03-13) Xenix 2.2.3c Restoration: Xrossing The X (Part 4)
Patterned Optical Chips That Emit Chaotic Light Waves Keep Secrets Perfectly Safe:
The one-time pad has proven absolutely unbreakable. Its secrecy rests on a random, single-use private key that must be shared ahead of time between users. However, this key, which needs to be at least as long as the original message, remains difficult to produce randomly and to send securely.
Fratalocchi's team has developed an approach to implement this encryption technique in existing classical optical networks using patterned silicon chips. The researchers patterned the chips with fingerprints to obtain fully chaotic scatterers that cause mixed light waves to travel in a random fashion through these networks. Any modification, even infinitesimal, of the chips generates a scattering structure that is completely uncorrelated to and different from any previous one. Therefore, each user can permanently change these structures after each communication, preventing an attacker from replicating the chips and accessing the exchanged information.
Moreover, these scatterers are in thermodynamic equilibrium with their environment. Consequently, an ideal attacker with an unlimited technological power and abilities to control the communication channel and access the system before or after the communication cannot copy any part of the system without reproducing the surroundings of the chips at the time of the communication.
"Our new scheme is completely unbreakable regardless of the time or the resources available, today or tomorrow," Mazzone says.
Journal Reference: A. Di Falco, V. Mazzone, A. Cruz and A. Fratalocchi, Perfect secrecy cryptography via mixing of chaotic waves in irreversible time-varying silicon chips Nature Communications.
DOI: 10.1038/s41467-019-13740-y
How psychedelic drug psilocybin works on brain:
What is known is that this region contains a large number of receptors targeted by psychedelic drugs such as LSD or psilocybin, the hallucinogenic chemical found in certain mushrooms. To see what happens in the claustrum when people are on psychedelics, Johns Hopkins Medicine researchers compared the brain scans of people after they took psilocybin with their scans after taking a placebo.
Their findings were published online on May 23, 2020, in the journal NeuroImage.
The scans after psilocybin use showed that the claustrum was less active, meaning the area of the brain believed responsible for setting attention and switching tasks is turned down when on the drug. The researchers say that this ties in with what people report as typical effects of psychedelic drugs, including feelings of being connected to everything and reduced senses of self or ego.
"Our findings move us one step closer to understanding mechanisms underlying how psilocybin works in the brain," says Frederick Barrett, Ph.D., assistant professor of psychiatry and behavioral sciences at the Johns Hopkins University School of Medicine and a member of the school's Center for Psychedelic and Consciousness Research. "This will hopefully enable us to better understand why it's an effective therapy for certain psychiatric disorders, which might help us tailor therapies to help people more."
Frederick S. Barrett, Samuel R. Krimmel, Roland Griffiths, David A. Seminowicz, Brian N. Mathur. Psilocybin acutely alters the functional connectivity of the claustrum with brain networks that support perception, memory, and attention. NeuroImage, 2020; 116980 DOI: 10.1016/j.neuroimage.2020.116980
Nature's cosmic hard drive? Black holes could store information like holograms:
Nearly 30 years ago, theoretical physicists introduced the "holographic principle," a mind-bending theory positing that our three-dimensional universe is actually a hologram. Now physicists are applying that same principle to black holes, arguing in a new paper published in Physical Review X that a black hole's information is contained within a two-dimensional surface, which is able to reproduce an image of the black hole in three dimensions—just like the holograms we see in everyday life.
Black holes as described by general relativity are simple objects. All you need to describe them mathematically is their mass and their spin, plus their electric charge. So there would be no noticeable change if you threw something into a black hole—nothing that would provide a clue as to what that object might have been. That information is lost.
But problems arise when quantum gravity enters the picture because the rules of quantum mechanics hold that information can never be destroyed. And in quantum mechanics, black holes are incredibly complex objects and thus should contain a great deal of information. As we reported previously, Jacob Bekenstein realized in 1974 that black holes also have a temperature. Stephen Hawking tried to prove him wrong but wound up proving him right instead, concluding that black holes therefore had to produce some kind of thermal radiation.
So black holes must also have entropy—technically, a means of determining how many different ways you can rearrange the atoms of an object and still have it look pretty much the same. Hawking was the first to calculate that entropy. He also introduced the notion of "Hawking radiation": the black hole will emit a tiny bit of energy, decreasing its mass by a corresponding amount. Over time, the black hole will evaporate. The smaller the black hole, the more quickly it disappears. But what then happens to the information it contained? Is it truly destroyed, thereby violating quantum mechanics, or is it somehow preserved in the Hawking radiation?
Exploit code for wormable flaw on unpatched Windows devices published online:
A researcher has published exploit code for a Microsoft Windows vulnerability that, when left unpatched, has the potential to spread from computer to computer with no user interaction.
So-called wormable security flaws are among the most severe, because the exploit of one vulnerable computer can start a chain reaction that rapidly spreads to hundreds of thousands, millions, or tens of millions of other vulnerable machines. The WannaCry and NotPetya exploits of 2017, which caused worldwide losses in the billions and tens of billions of dollars respectively, owe their success to CVE-2017-0144, the tracking number for an earlier wormable Windows vulnerability.
Also key to the destruction was reliable code developed by and later stolen from the National Security Agency and finally published online. Microsoft patched the flaw in March 2017, two months before the first exploit took hold.
Proof-of-concept exploit code for the new wormable Windows vulnerability was published on Monday by a Github user with the handle Chompie1337. The exploit isn't reliable and frequently results in crashes that present a BSOD, shorthand for the "blue screen of death" Windows displays during system failures. Regardless, the code still serves as a blueprint that, with more work, could be used to remotely compromise vulnerable machines and then spread.
"This has not been tested outside of my lab environment," the Github user wrote. "It was written quickly and needs some work to be more reliable. Sometimes you BSOD. Using this for any purpose other than self education is an extremely bad idea. Your computer will burst in flames. Puppies will die."
[...] Reports of the vulnerability were disclosed and then quickly depublished by security firm Fortinet and Cisco security group Talos on March 10, the regularly scheduled Update Tuesday for that month. No one ever explained why the flaw details were released and then pulled. Two days later, Microsoft issued an unscheduled update that patched the vulnerability.
"We recommend customers install updates as soon as possible as publicly disclosed vulnerabilities have the potential to be leveraged by bad actors," Microsoft officials wrote in a statement on Friday. "An update for this vulnerability was released in March, and customers who have installed the updates, or have automatic updates enabled, are already protected."
Instagram just threw users of its embedding API under the bus:
Instagram does not provide users of its embedding API a copyright license to display embedded images on other websites, the company said in a Thursday email to Ars Technica. The announcement could come as an unwelcome surprise to users who believed that embedding images, rather than hosting them directly, provides insulation against copyright claims.
"While our terms allow us to grant a sub-license, we do not grant one for our embeds API," a Facebook company spokesperson told Ars in a Thursday email. "Our platform policies require third parties to have the necessary rights from applicable rights holders. This includes ensuring they have a license to share this content, if a license is required by law."
In plain English, before you embed someone's Instagram post on your website, you may need to ask the poster for a separate license to the images in the post. If you don't, you could be subject to a copyright lawsuit.
Professional photographers are likely to cheer the decision, since it will strengthen their hand in negotiations with publishers. But it could also significantly change the culture of the Web. Until now, people have generally felt free to embed Instagram posts on their own sites without worrying about copyright concerns. That might be about to change.
Small ISP cancels data caps permanently after reviewing pandemic usage:
The coronavirus pandemic caused big ISPs to put data caps on hold for a few months, but one small ISP is going a big step further and canceling the arbitrary monthly limits permanently. Antietam Broadband, which serves Washington County in Maryland, announced Friday that it "has permanently removed broadband data usage caps for all customers," retroactive to mid-March when the company first temporarily suspended data-cap overage fees.
The decision to permanently drop the cap was made partly because of "learnings from the COVID-19 pandemic as more people worked and learned remotely," Antietam explained. "During this period customers moved into broadband packages that more accurately reflected their broadband needs." Like most other ISPs, Antietam charges different prices based on speed tiers as measured in bits per second, with Antietam's advertised download speeds ranging up to 1Gbps.
"These are uncertain times. We felt a need to give customers as much certainty over their bill as possible," Antietam President Brian Lynch said in the press release. "Eliminating data usage caps means that customers will know the exact amount of their broadband bill every month."
[...] Antietam imposed its data cap in 2015, charging a $10 overage fee for each additional block of 50GB. The monthly data caps ranged from 500GB to 1.5TB per month, except for a gigabit fiber plan that already included unlimited data, according to a Stop the Cap article.
[...] ISPs enforce data caps primarily to boost revenue rather than to manage congestion. Comcast says it imposes a data cap to ensure "fairness" among its customers but coincidentally does not impose the data cap in the Northeast United States, where Comcast faces strong competition from Verizon's un-capped fiber-to-the-home FiOS service.
Americans are drinking bleach and dunking food in it to prevent COVID-19:
Americans are doing more housecleaning and disinfecting amid the COVID-19 pandemic and many are turning to wild and dangerous tactics—like drinking and gargling bleach solutions.
Back in April, the agency noted an unusual spike in poison control center calls over harmful exposures to household cleaning products, such as bleach. The timing linked it to the spread of the pandemic coronavirus, SARS-CoV-2 (not statements by President Trump). But to get a clearer idea of what was behind the rise, CDC researchers set up an online survey of household cleaning and disinfection knowledge and practices.
In all, they surveyed 502 US adults and used statistical weighting to make it representative of the country's population. The findings—published Friday in the CDC's Morbidity and Mortality Weekly Report—are stunning.
Overall, 60 percent said they were doing more cleaning and disinfecting amid the pandemic and 39 percent admitted to doing at least one non-recommended cleaning practice the CDC considers high risk.
The questions and responses are fully available (NO paywall); read it here:
Journal Reference
Gharpure R, Hunter CM, Schnall AH, et al. Knowledge and Practices Regarding Safe Household Cleaning and Disinfection for COVID-19 Prevention, [OPEN] MMWR. Morbidity and Mortality Weekly Report (DOI: 10.15585/mmwr.mm6923e2)
Questions from the survey:
Recommended Best Practices:
Risky Practices Performed:
Beginning around June 1, a wave of eCh0raix/QNAPCrypt ransomware attacks has been observed targeting QNAP NAS devices. The attackers compromise the devices by exploiting known vulnerabilities and by brute-forcing weak passwords.
QNAP has already addressed the vulnerabilities in the following QTS versions:
- QTS 4.4.2.1270 build 20200410 and later
- QTS 4.4.1.1261 build 20200330 and later
- QTS 4.3.6.1263 build 20200330 and later
- QTS 4.3.4.1282 build 20200408 and later
- QTS 4.3.3.1252 build 20200409 and later
- QTS 4.2.6 build 20200421 and later
--- QNAP Advisory: Multiple Vulnerabilities in File Station. (June 5, 2020)
As would be expected, "QNAP strongly recommends updating your QTS to the latest available version for your NAS model."
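To triage a fleet against the fixed builds listed above, a defender can compare each device's reported QTS version string with that list. The following is an added example, not QNAP tooling or part of the advisory; the host names and inventory are constructed, and treating a branch that is not in the list as "unknown" (rather than guessing) is an assumption.

```python
import re

# Minimum fixed build date (YYYYMMDD) per QTS branch, copied from the list above.
FIXED_BUILDS = {
    (4, 4, 2): 20200410,
    (4, 4, 1): 20200330,
    (4, 3, 6): 20200330,
    (4, 3, 4): 20200408,
    (4, 3, 3): 20200409,
    (4, 2, 6): 20200421,
}

# Accepts "QTS 4.4.2.1270 build 20200410" as well as "4.2.6 build 20200421".
_VERSION_RE = re.compile(
    r"^\s*(?:QTS\s+)?(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\s+build\s+(\d{8})\s*$",
    re.IGNORECASE,
)


def parse_qts(version):
    """Return ((major, minor, patch), build_date) or raise ValueError."""
    match = _VERSION_RE.match(version)
    if match is None:
        raise ValueError("unrecognised QTS version string: %r" % version)
    major, minor, patch, build = match.groups()
    return (int(major), int(minor), int(patch)), int(build)


def assess(version):
    """Classify one version string against the advisory's fixed builds."""
    try:
        branch, build = parse_qts(version)
    except ValueError:
        return "unparseable"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        # Assumption: branches the advisory does not list need manual review.
        return "unknown-branch"
    # Within a branch, build dates are directly comparable as integers.
    return "patched" if build >= fixed else "vulnerable"


def needs_attention(inventory):
    """Return sorted (host, status) pairs for every host not confirmed patched."""
    flagged = []
    for host, version in inventory.items():
        status = assess(version)
        if status != "patched":
            flagged.append((host, status))
    return sorted(flagged)


# Constructed inventory for illustration only.
SAMPLE_INVENTORY = {
    "nas-office": "QTS 4.4.2.1270 build 20200410",
    "nas-backup": "4.4.1.1216 build 20200214",
    "nas-lab": "4.2.6 build 20200421",
    "nas-old": "4.3.5.0760 build 20181114",
    "nas-misc": "firmware unknown",
}

if __name__ == "__main__":
    for host, status in needs_attention(SAMPLE_INVENTORY):
        print(host, status)
```
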
The ransomware is attributed to the financially motivated Russian cybercrime group 'FullofDeep'. The attackers are demanding $500 in bitcoin to decrypt files, which are encrypted with AES CFB.
The ransomware checks for Russian localization before infecting (За здоро́вье!). A decryptor for the initial version of the ransomware was released; however, it only works for victims infected before July 17th 2019.
Extended discussion, links, etc. on #qnap on Twitter
Previously:
(2019-11-11) QNAP Warns Users to Secure Devices Against QSnatch Malware
(2019-11-05) Chrome Bug Squashed, QNAP NAS Nasty Hits, Bluekeep Malware Spreads, and More
(2019-09-27) 125 New Flaws Found in Routers and NAS Devices from Popular Brands
(2019-02-14) QNAP NAS Devices Bitten by Malware
(2015-12-19) Stepping into the World of NAS
Google fixes Android flaws that allow code execution with high system rights:
Google has shipped security patches for dozens of vulnerabilities in its Android mobile operating system, two of which could allow hackers to remotely execute malicious code with extremely high system rights.
In some cases, the malware could run with highly elevated privileges, a possibility that raises the severity of the bugs. That's because the bugs, located in the Android System component, could enable a specially crafted transmission to execute arbitrary code within the context of a privileged process. In all, Google released patches for at least 34 security flaws, although some of the vulnerabilities were present only in devices available from manufacturer Qualcomm.
Google's June security bulletin. DHS advisory.
You know wireless branded phones won't get these updates.
How CNET got banned by Google:
[...] [Elinor Mills] started [at CNET] in 2005 with arguably the hottest beat: internet companies, primarily rising star Google, and Yahoo, which was losing the internet search battle. I'd met Google co-founder Sergey Brin in 1999 when he gave me a desk-side demo of the simple and fast Google search site. By the mid-aughts, the company had come a long way, going public in 2004. The hugely popular Google search was raking in ad revenue, but the fact that Google knew all of our web searches and the content of Gmails had some people worried about privacy risks. I decided that for my first big feature in my new job I'd do a deep dive into Google's services to see if the concerns were justified. The resulting article -- published Aug. 3, 2005, under the headline Google balances privacy, reach -- would be the high-water mark of my journalism career. It certainly wasn't a wash for Google, either. The company's extreme reaction to my story prompted widespread criticism, led to a mini backlash and served as a case study in how not to deal with the media over perceived bad press.
[...] After I pitched the story to my editor, Jim Kerstetter, I spent a month researching and reporting the ins and outs of Google's products and policies, trying to understand what data the company collected and how that info was used. [...] As I was starting to write the article, News Editor Scott Ard stopped by my desk. With a mischievous glint in his eye, he suggested that I google Schmidt to see what types of information I could find.
The linked article is well worth reading, especially on how NOT to deal with the press!