Stories
Slash Boxes
Comments

SoylentNews is people

Log In

Log In

Create Account  |  Retrieve Password


Site News

Join our Folding@Home team:
Main F@H site
Our team page


Funding Goal
For 6-month period:
2022-07-01 to 2022-12-31
(All amounts are estimated)
Base Goal:
$3500.00

Currently:
$438.92

12.5%

Covers transactions:
2022-07-02 10:17:28 ..
2022-10-05 12:33:58 UTC
(SPIDs: [1838..1866])
Last Update:
2022-10-05 14:04:11 UTC --fnord666

Support us: Subscribe Here
and buy SoylentNews Swag


We always have a place for talented people, visit the Get Involved section on the wiki to see how you can make SoylentNews better.

What was highest label on your first car speedometer?

  • 80 mph
  • 88 mph
  • 100 mph
  • 120 mph
  • 150 mph
  • it was in kph like civilized countries use you insensitive clod
  • Other (please specify in comments)

[ Results | Polls ]
Comments:43 | Votes:94

posted by Fnord666 on Sunday August 09 2020, @09:59PM   Printer-friendly
from the getting-involved dept.

US voting hardware maker's shock discovery: Security improves when you actually work with the community:

Just hours after Professor Matt Blaze today discussed the state of election system security in America, one of the largest US voting machine makers stepped forward to say it's trying to improve its vulnerability research program.

Election Systems and Software (ES&S), whose products include electronic ballot boxes and voter registration software, said it is working with infosec outfits and bug-finders to improve the security of its products.

Speaking at this year's online Black Hat USA conference, CISO Chris Wlaschin outlined a number of steps his biz has already or will soon take to overhaul its relationship with bug-bounty hunters.

In addition to its ongoing vulnerabilities rewards program, ES&S said it will employ the services of security house Synack to bridge the gap with bounty hunters, and make its products better able to withstand attacks from the likes of state-sponsored groups.

Most notably, ES&S will beef up said rewards program. With the help of ethical hackers at Synack, testers will be able to hammer on devices like the ES&S ExpressPoll without fear of legal reprisal.

[...] One of the bounty hunters who has worked with ES&S, industry veteran Jack Cable, issued his seal of approval to the expanded program.

Today, the nation's largest voting vendor released a vulnerability disclosure policy giving hackers authorization to test their systems. This is a great step towards transparency for election security. I hope that other vendors follow suit and welcome hackers with open arms. 🧵

— Jack Cable (@jackhcable) August 5, 2020


Original Submission

posted by Fnord666 on Sunday August 09 2020, @07:37PM   Printer-friendly
from the limiting-factors dept.

Social Movements Are Pushing Google Sheets to the Breaking Point:

For a brief period, panicking international students across the nation found hope in a Google Sheet.

When the U.S. Immigration and Customs Enforcement (ICE) agency announced on July 6 that international students who weren't enrolled in courses meeting in-person could face deportation in the fall, Sumana Kaluvai — the creator of H-4 Hope, a Facebook group that supports students of varying immigration backgrounds — built a system for connecting international students with peers who were willing to surrender their seats in courses that could grant their classmates the right to stay in the country. She used the closest tool in her reach, Google Sheets, to facilitate these class exchanges and began circulating the resource on social media.

Her spreadsheet quickly went viral, attracting levels of traffic that rendered it unresponsive. McClain Thiel, a data science student at the University of California, Berkeley, eventually reached out and offered to build a website to replace the Google Sheet, and on July 9, they launched Support Our International Students. Though ICE would rescind the policy days later, their new website managed to mitigate the problems the original Google Sheet encountered.

[...] When Stella Nguyen, a UCLA student from Vietnam, came across Kaluvai's spreadsheet, she "found it comforting that many students — international or not — were coming together." Google Docs has helped get us here, to an era where anyone who can create and edit a document can feel empowered to help others and foster hope and connection. Now, we just need tools that are as ambitious as we are.


Original Submission

posted by Fnord666 on Sunday August 09 2020, @05:14PM   Printer-friendly
from the like-swiss-cheese dept.

New Windows Print Spooler Zero-Day Flaws Harken Back to Stuxnet:

Ten years after the game-changing Stuxnet attack was first discovered, a Windows printer program it exploited has been found to contain additional dangerous zero-day flaws that could allow an attacker to gain a foothold in the network as a privileged user.

The researchers who discovered the new flaws in Microsoft's ubiquitous Windows Print Spooler service say they wanted to see if there still was a way to game Print Spooler for a Stuxnet 2.0-style attack 10 years after the first known cyberweapon attack was unearthed. "We started digging in, looking at the original Stuxnet propagation, and then we found out there were problems. ... We decided to take the Spooler service to the next level, and eventually we found it was not fully patched," explains Tomer Bar, research team leader at Safe Breach, who along with his colleague Peleg Hadar found the flaws that they plan to detail today at Black Hat USA.

Bar and Hadar found three zero-day vulnerabilities in the 20-year-old Windows Print Spooler program, which serves as the interface between a printer and the Windows operating system, loading the print driver, setting up print jobs, and printing. The new, post-Stuxnet vulns include a memory corruption bug that could be used to wage a denial-of-service (DoS) attack and two local privilege escalation bugs. One of the local privilege escalation flaws was patched by Microsoft in May (CVE-2020-1048), but Bar and Hadar found another similar flaw that bypasses that patch. All three vulnerabilities affect all versions of the Windows operating system.

"They're using the same function [as Stuxnet did] but with a little twist," Bar says of the two local privilege-escalation zero-days.

While Stuxnet used a Print Spooler exploit to gain remote access, the local vulnerability found by Bar and Hadar could allow any user to gain the highest privileges on the machine — either as a malicious insider who has physical access to the machine or via an existing remote-access foothold previously obtained by an attacker.

Hadar says while Microsoft's patch for the Stuxnet vulnerability (MS10-061) fixed the remote-attack hole, it didn't address the local privilege-escalation holes. "That's what we focused on and were able to exploit," he says. They found the flaws using good old-fashioned reverse engineering and fuzzing techniques.

Exploiting the flaws is fairly simple, too, the researchers say. They were able to employ PowerShell commands to exploit the vulns.


Original Submission

posted by Fnord666 on Sunday August 09 2020, @02:51PM   Printer-friendly
from the chilling-effect dept.

New Jersey prosecutors drop charges over tweeting a cop's photo [Updated]:

Update (~4pm ET): Mid-afternoon on Friday, August 7, the Essex County Prosecutor's Office dropped its cyber harassment charges against all five defendants, the Asbury Park Press reports. These charges stemmed from an incident involving a Tweet attempting to identify a New Jersey police officer. Our original story on the situation appears unchanged below.

A New Jersey man is facing felony charges for a tweet seeking to identify a police officer. Four others are facing felony charges for retweeting the tweet, the Washington Post reports.

[...] The complaint against Sziszak claims that the tweet caused the officer to "fear that harm will come to himself, family, and property."

"As a 20 year old that simply retweeted a tweet to help my friend, I am now at risk of giving up my career, serving time, and having a record," Sziszak wrote.


Original Submission

posted by Fnord666 on Sunday August 09 2020, @12:27PM   Printer-friendly
from the you-wouldn't-download-a-windmill-would-you? dept.

HAWT Wind Turbine Is Mostly 3D Printed:

Wind turbines are a great source of renewable energy, and a great DIY project, too. They can be built with all kinds of materials and the barrier for entry is low for the beginner. [Fab] has built just such a device, taking advantage of modern construction techniques, and dubbed it the WinDIY.

[...] [Fab]'s writeup goes into great detail on topics like the design of the pitch control systems and other minutae, which should serve as a great reference for anyone else working on a similar project. If you're looking for something with more of a sci-fi future vibe, consider attempting a vertical-axis build instead.

[HAWT - Horizontal Axis Wind Turbine]


Original Submission

posted by martyb on Sunday August 09 2020, @10:04AM   Printer-friendly
from the passing-interest dept.

Frog eats beetle, beetle escapes alive through frog's butt:

We've all eaten something that seems to run right through us, but rarely do our meals get to live another day once they leave our bodies. Yet that's exactly what happens when frogs snack on the aquatic beetle Regimbartia attenuata.

In a new study published Monday in the journal Current Biology, Kobe University ecologist Shinji Sugiura reveals more about the evolution of escape behavior in prey animals, most notably the aquatic beetle.

[...] When the Pelophylax nigromaculatus frog gulps the beetle, it can survive by swimming through the frog's digestive tract to later be pooped out intact and alive. Previously, it was suspected frogs spit out beetles that moved so erratically.

Sugiura revealed that 93 percent of the beetles fed to a frog during the study escaped the frog's "vent" (anus) within four hours, "frequently entangled in fecal pellets." The quickest beetle escape was an impressive six minutes.

Because the aquatic beetle has evolved to become a better swimmer by kicking its legs and can breathe underwater by trapping a small pocket of air under its wing covers, the beetle may have also evolved to survive inside a frog's intestines long enough to escape through its captor's tush.

A short video is available on Twitter and YouTube.

Journal Reference:
Shinji Sugiura. Active escape of prey from predator vent via the digestive tract, Current Biology (DOI: 10.1016/j.cub.2020.06.026)


Original Submission

posted by martyb on Sunday August 09 2020, @07:41AM   Printer-friendly
from the winning-battles-while-losing-the-war? dept.

Huawei to stop making flagship chipsets as U.S. pressure bites, Chinese media say:

Huawei Technologies Co will stop making its flagship Kirin chipsets next month, financial magazine Caixin said on Saturday, as the impact of U.S. pressure on the Chinese tech giant grows.

U.S. pressure on Huawei's suppliers has made it impossible for the company's HiSilicon chip division to keep making the chipsets, key components for mobile phone, Richard Yu, CEO of Huawei's Consumer Business Unit was quoted as saying at the launch of the company's new Mate 40 handset.

[...] "From Sept. 15 onward, our flagship Kirin processors cannot be produced," Yu said, according to Caixin. "Our AI-powered chips also cannot be processed. This is a huge loss for us."

Huawei's HiSilicon division relies on software from U.S. companies such as Cadence Design Systems Inc or Synopsys Inc to design its chips and it outsources the production to Taiwan Semiconductor Manufacturing Co (TSMC), which uses equipment from U.S. companies.

Also at PhoneArena.

Previously: Arrest of Huawei Executive Causing Discontent Among Chinese Elites
Huawei Soldiers on, Announces Nova 5 and Kirin 810
U.S. Attempting to Restrict TSMC Sales to Huawei
TSMC Dumps Huawei
Huawei on List of 20 Chinese Companies that Pentagon Says are Controlled by People's Liberation Army


Original Submission

posted by on Sunday August 09 2020, @05:51AM   Printer-friendly
from the SNAFU dept.

The Mighty Buzzard writes:

Yeah, so, failure to babysit the db node that was scheduled for a reboot on the 5th resulted in a bit of database FUBAR that left us temporarily losing everything from then to now. Fortunately we had a backup less than six hours old, restored from it, and appear to be copacetic now. Except for the missing five hours and change.

I'd usually make some sort of dumb joke here but it was already four hours past my bedtime when I found out about the problem. My brain is no work good anymore. Fill in whatever dad joke or snark about getting a do-over for a change strikes your fancy.

posted by martyb on Sunday August 09 2020, @05:17AM   Printer-friendly
from the counting-where-it-counts dept.

England to revise DOWN its Covid-19 death toll by up to 10 percent after bizarre 'counting mishap':

Public Health England [(PHE)] currently counts the deaths of all people who have tested positive for Covid-19 among the coronavirus fatality total whether their death was related to the disease or not, an error which was noted in July, prompting the suspension of the daily death toll and an "urgent review" of protocol.

In other words, as many as 4,170 fatalities could be wiped off England's current Covid-19 death toll of 41,686.

According to reports in UKmedia, Secretary of State for Health and Social Care Matt Hancock will bring all coronavirus fatality reporting in line with Scotland and Northern Ireland public health models, wherein a death is marked as Covid-19-related only if it occurs within 28 days of a positive test.

[...]

In England, of all deaths that occurred up to 24 July (registered up 1 August), 49,017 involved #COVID19. For the same period, @DHSCgovuk reported 41,143 COVID-19 deaths https://t.co/hKH0tTRb2W

— Office for National Statistics (ONS) (@ONS) August 4, 2020

If the system is not updated, the total of roughly 265,000 confirmed cases in England would all eventually be counted as Covid-19 fatalities regardless of the actual cause of death.


Original Submission

posted by martyb on Sunday August 09 2020, @02:56AM   Printer-friendly
from the what-you-don't-know-won't-hurt-us dept.

Techdirt has a story that is quite disturbing on many levels:

Forget banning TikTok, the Trump State Department just suggested it wants to basically ban China from the internet. Rather than promoting an open internet and the concept of openness, it appears that under this administration we're slamming the gates shut and setting up the Great American Firewall for the internet. Under the guise of what it calls the Clean Network to Safeguard America, last night Secretary of State Mike Pompeo announced a program that is full of vague statements, that could, in practice, fragment the internet.

This is incredibly disappointing on multiple levels. While other countries -- especially China, but also Iran and Russia -- have created their own fragmented internet, the US used to stand for an open internet across the globe. Indeed, for whatever complaints we had about the State Department during the Obama administration (and we had many complaints), its commitment to an open internet was very strong and meaningful. That's clearly now gone. The "Clean Network to Safeguard America" consists of five programs that can be summed up as "fuck you China."

So much for Internet openness.

Also At:
USA decides to cleanse local networks of anything Chinese under new five-point national data security plan


Original Submission

posted by martyb on Sunday August 09 2020, @12:35AM   Printer-friendly
from the freedumbs? dept.

Pupils who shared photos of packed corridor of maskless Georgia students suspended:

At least two high school students in Georgia have allegedly been suspended after sharing a video of school hallway crowded with largely maskless students, according to reports.

North Paulding High School in Dallas went viral after it reopened on Monday when two students shared photos of the school corridors with apparently no social distancing and barely any wearing masks.

Paulding County Schools Superintendent Brian Otott reportedly released a statement saying that the images were taken out of context, that masks were a personal choice for students and reopening was in line with Georgia Department of Education's health recommendations.

[...] "Students are in this hallway environment for just a brief period as they move to their next class. ... There is no question that the photo does not look good," Mr Otott said according to CNN.

"Wearing a mask is a personal choice, and there is no practical way to enforce a mandate to wear them."

Following the alleged suspension 15-year-old Hannah Watters who posted one of the photos and a video on Twitter told Buzzfeed News she received a five-day, out-of-school suspension for posting one photo and one video on Twitter.


Original Submission

posted by Fnord666 on Saturday August 08 2020, @10:16PM   Printer-friendly
from the another-tool-in-the-toolbox dept.

PE Tree: Free open source tool for reverse-engineering PE files - Help Net Security:

PE Tree, a malware reverse-engineering, open source tool developed by the BlackBerry Research and Intelligence team, has been made available for free to the cybersecurity community.

PE Tree allows malware analysts to view Portable Executable (PE) files in a tree-view using pefile – a multi-platform Python module that parses and works with PE files – and PyQt5, a module that can be used to create graphical user interfaces.

[...] The Python-based tool parses PE files and maps them into a tree view, them provides a summery of various headers. Suspicious findings are highlighted, and analysts can deepen their research by doing a VirusTotal search, export portions of the PE file to CyberChef for further processing, finding and dumping PE files from an IDA database and reconstruct imports, etc.

[...] "The BlackBerry Research and Intelligence team initially developed this open source tool for internal use and is now making it available to the malware reverse engineering community."

[...] [Tom] Bonner noted that this free tool for reverse-engineering is under active development and new features will be added frequently.


Original Submission

posted by Fnord666 on Saturday August 08 2020, @08:55PM   Printer-friendly
from the all-your-info-are-belong-to-us dept.

Hacked Data Broker Accounts Fueled Phony COVID Loans, Unemployment Claims:

In June, KrebsOnSecurity was contacted by a cybersecurity researcher who discovered that a group of scammers was sharing highly detailed personal and financial records on Americans via a free web-based email service that allows anyone who knows an account's username to view all email sent to that account — without the need of a password.

The source, who asked not to be identified in this story, said he's been monitoring the group's communications for several weeks and sharing the information with state and federal authorities in a bid to disrupt their fraudulent activity.

The source said the group appears to consist of several hundred individuals who collectively have stolen tens of millions of dollars from U.S. state and federal treasuries via phony loan applications with the U.S. Small Business Administration (SBA) and through fraudulent unemployment insurance claims made against several states.

KrebsOnSecurity reviewed dozens of emails the fraud group exchanged, and noticed that a great many consumer records they shared carried a notation indicating they were cut and pasted from the output of queries made at Interactive Data LLC, a Florida-based data analytics company.

Interactive Data, also known as IDIdata.com, markets access to a "massive data repository" on U.S. consumers to a range of clients, including law enforcement officials, debt recovery professionals, and anti-fraud and compliance personnel at a variety of organizations.

The consumer dossiers obtained from IDI and shared by the fraudsters include a staggering amount of sensitive data, including:

-full Social Security number and date of birth;
-current and all known previous physical addresses;
-all known current and past mobile and home phone numbers;
-the names of any relatives and known associates;
-all known associated email addresses
-IP addresses and dates tied to the consumer's online activities;
-vehicle registration, and property ownership information
-available lines of credit and amounts, and dates they were opened
-bankruptcies, liens, judgments, foreclosures and business affiliations

Reached via phone, IDI Holdings CEO Derek Dubner acknowledged that a review of the consumer records sampled from the fraud group's shared communications indicates "a handful" of authorized IDI customer accounts had been compromised.


Original Submission

posted by Fnord666 on Saturday August 08 2020, @06:34PM   Printer-friendly
from the deeper-roots dept.

Algorithm finds hidden connections between paintings at the Met:

Art is often heralded as the greatest journey into the past, solidifying a moment in time and space; the beautiful vehicle that lets us momentarily escape the present.

With the boundless treasure trove of paintings that exist, the connections between these works of art from different periods of time and space can often go overlooked. It's impossible for even the most knowledgeable of art critics to take in millions of paintings across thousands of years and be able to find unexpected parallels in themes, motifs, and visual styles.

To streamline this process, a group of researchers from MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) and Microsoft created an algorithm to discover hidden connections between paintings at the Metropolitan Museum of Art (the Met) and Amsterdam's Rijksmuseum.

Inspired by a special exhibit "Rembrandt and Velazquez" in the Rijksmuseum, the new "MosAIc" system finds paired or "analogous" works from different cultures, artists, and media by using deep networks to understand how "close" two images are. In that exhibit, the researchers were inspired by an unlikely, yet similar pairing: Francisco de Zurbarán's "The Martyrdom of Saint Serapion"and Jan Asselijn's "The Threatened Swan," two works that portray scenes of profound altruism with an eerie visual resemblance.

"These two artists did not have a correspondence or meet each other during their lives, yet their paintings hinted at a rich, latent structure that underlies both of their works," says CSAIL PhD student Mark Hamilton, the lead author on a paper about "MosAIc."

[...] "Going forward, we hope this work inspires others to think about how tools from information retrieval can help other fields like the arts, humanities, social science, and medicine," says Hamilton. "These fields are rich with information that has never been processed with these techniques and can be a source for great inspiration for both computer scientists and domain experts. This work can be expanded in terms of new datasets, new types of queries, and new ways to understand the connections between works."

Journal Reference:
Mark Hamilton, Stephanie Fu, William T. Freeman, et al. Conditional Image Retrieval (arXiv: 2007.07177)


Original Submission

posted by Fnord666 on Saturday August 08 2020, @04:13PM   Printer-friendly

Peter Dutton confirms Australia could spy on its own citizens under cybersecurity plan:

Peter Dutton has confirmed the government's $1.6bn cyberstrategy will include capability for the Australian Signals Directorate to help law enforcement agencies identify and disrupt serious criminal activity – including in Australia.

By rendering support to the Australian federal police and the Australian Criminal Intelligence Commission, the cybersecurity and intelligence agency would for the first time be able to target Australians, although Dutton maintains ASD won't be able to do so directly.

Dutton said law enforcement agencies would target terrorists, paedophiles and drug traffickers operating in the dark web – promising proposed new powers will apply "to those people and those people only".

Details of the new powers – which will require legislation – are not contained in the strategy, which says only that the government will "ensure law enforcement agencies have appropriate legislative powers and technical capabilities to deter, disrupt and defeat the criminal exploitation of anonymising technology and the dark web".

[...] Dutton said the new capabilities would be exercised only in relation to people "alleged to be committing very serious offences".

"If you're a paedophile you should be worried about these powers, if you're a terrorist ... if you're committing serious offence in relation to trafficking of drugs, of ice, for example, that's being pedalled to children, you should be worried about these powers as well.

"The reality is people are trying their best to groom kids online and ... people are trading gun parts on the dark web and it cannot be a lawless space. This law applies to those people and those people only."


Original Submission