~4,300 publicly reachable servers are posing a new DDoS hazard to the Internet:
Criminals are upping the potency of distributed denial-of-service attacks with a technique that abuses a widely used Internet protocol that drastically increases the amount of junk traffic directed at targeted servers.
DDoSes are attacks that flood a website or server with more data than it can handle. The result is a denial of service to people trying to connect to the service. As DDoS-mitigation services develop protections that allow targets to withstand ever-larger torrents of traffic, the criminals respond with new ways to make the most of their limited bandwidth.
[...] DDoS mitigation provider Netscout said on Wednesday that it has observed DDoS-for-hire services adopting a new amplification vector. The vector is the Datagram Transport Layer Security, or D/TLS, which (as its name suggests) is essentially the Transport Layer Security for UDP data packets. Just as TLS prevents eavesdropping, tampering, or forgery of TLS packets, D/TLS does the same for UDP data.
DDoSes that abuse D/TLS allow attackers to amplify their attacks by a factor of 37. Previously, Netscout saw only advanced attackers using dedicated DDoS infrastructure abusing the vector. Now, so-called booter and stressor services—which use commodity equipment to provide for-hire attacks—have adopted the technique. The company has identified almost 4,300 publicly reachable D/TLS servers that are susceptible to the abuse.
The biggest D/TLS-based attacks Netscout has observed delivered about 45Gbps of traffic. The people responsible for the attack combined it with other amplification vectors to achieve a combined size of about 207Gbps.
Skilled attackers with their own attack infrastructure typically discover, rediscover, or improve amplification vectors and then use them against specific targets. Eventually, word will leak into the underground through forums of the new technique. Booter/stressor services then do research and reverse-engineering to add it to their repertoire.
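The summary above gives the 37:1 figure but not where the asymmetry comes from. DTLS specifies a stateless cookie exchange (RFC 6347, section 4.2.1) for exactly this reason: a server receiving a ClientHello with no cookie is supposed to answer with a small HelloVerifyRequest and send its real handshake flight only after the client echoes the cookie, so a spoofed source address never receives more bytes than were sent in its name. A server that skips that step answers a 67-byte ClientHello with its whole ServerHello/Certificate flight, and that is what a booter aims at a victim's address. The Python below is an added example written for this page, not Netscout's tooling or anything from the original article: it builds the minimal ClientHello a scanner (or a spoofing attacker) would send, parses the records a server sends back, and reports the amplification ratio together with which of the two behaviours it saw. Both server responses are constructed in-line rather than captured, and the cipher suite, cookie and certificate bytes are placeholders.

```python
"""Classify a D/TLS server's reply to an unverified ClientHello (added example)."""
import struct

CONTENT_HANDSHAKE = 22
DTLS12 = 0xFEFD
HS_NAMES = {1: "client_hello", 2: "server_hello", 3: "hello_verify_request",
            11: "certificate", 12: "server_key_exchange", 14: "server_hello_done"}


def dtls_record(content_type, body, epoch=0, seq=0):
    """Wrap body in a DTLS 1.2 record: type(1) version(2) epoch(2) seq(6) length(2)."""
    return (struct.pack("!BHH", content_type, DTLS12, epoch)
            + seq.to_bytes(6, "big") + struct.pack("!H", len(body)) + body)


def handshake_msg(msg_type, body, message_seq=0):
    """DTLS handshake header: type(1) length(3) msg_seq(2) frag_offset(3) frag_length(3)."""
    n = len(body).to_bytes(3, "big")
    return bytes([msg_type]) + n + struct.pack("!H", message_seq) + bytes(3) + n + body


def parse_records(datagram):
    """Split a datagram into (content_type, payload) tuples; raises on a truncated record."""
    records, off = [], 0
    while off + 13 <= len(datagram):
        ctype = datagram[off]
        length = struct.unpack("!H", datagram[off + 11:off + 13])[0]
        payload = datagram[off + 13:off + 13 + length]
        if len(payload) != length:
            raise ValueError("truncated DTLS record")
        records.append((ctype, payload))
        off += 13 + length
    return records


def handshake_types(payload):
    """List the handshake message types packed into one handshake record."""
    types, off = [], 0
    while off + 12 <= len(payload):
        frag_len = int.from_bytes(payload[off + 9:off + 12], "big")
        types.append(payload[off])
        off += 12 + frag_len
    return types


def classify(request, response):
    """Return (amplification ratio, verdict, handshake message names) for one exchange."""
    names = []
    for ctype, payload in parse_records(response):
        if ctype == CONTENT_HANDSHAKE:
            names += [HS_NAMES.get(t, str(t)) for t in handshake_types(payload)]
    ratio = len(response) / len(request)
    if names[:1] == ["hello_verify_request"]:
        verdict = "cookie exchange: not usable as an amplifier"
    elif "server_hello" in names:
        verdict = "amplifier: full server flight sent to an unverified source address"
    else:
        verdict = "unclassified"
    return ratio, verdict, names


# Constructed samples, not captured traffic. A ClientHello with an empty cookie,
# as a scanner or a spoofing attacker would send it: 67 bytes on the wire.
CLIENT_HELLO = dtls_record(CONTENT_HANDSHAKE, handshake_msg(1,
    struct.pack("!H", DTLS12) + bytes(32) + b"\x00" + b"\x00"   # random, no session id, no cookie
    + struct.pack("!H", 2) + b"\xc0\x2b" + b"\x01\x00"))        # one cipher suite, null compression

# Correct behaviour (RFC 6347 4.2.1): a HelloVerifyRequest carrying a placeholder 20-byte cookie.
HVR_RESPONSE = dtls_record(CONTENT_HANDSHAKE, handshake_msg(3,
    struct.pack("!H", DTLS12) + b"\x14" + b"\x22" * 20))

# Abusable behaviour: ServerHello + Certificate (2000-byte placeholder) + ServerHelloDone,
# sent without ever checking that the claimed source address can receive.
_cert = b"\x30" * 2000
AMP_RESPONSE = dtls_record(CONTENT_HANDSHAKE,
    handshake_msg(2, struct.pack("!H", DTLS12) + bytes(32) + b"\x00" + b"\xc0\x2b" + b"\x00", 0)
    + handshake_msg(11, (len(_cert) + 3).to_bytes(3, "big") + len(_cert).to_bytes(3, "big") + _cert, 1)
    + handshake_msg(14, b"", 2))

if __name__ == "__main__":
    for label, resp in (("cookie server", HVR_RESPONSE), ("amplifying server", AMP_RESPONSE)):
        ratio, verdict, names = classify(CLIENT_HELLO, resp)
        print(f"{label}: {len(resp)} bytes back for {len(CLIENT_HELLO)} sent, x{ratio:.1f}, {verdict}, {names}")
```

Against a real host you would send CLIENT_HELLO over UDP and feed classify() the concatenation of every datagram the server returns before it gives up on the handshake, because a real certificate flight is fragmented across several records and datagrams and the ratio only means something when all of them are counted. Only do that against hosts you are authorized to scan; for your own D/TLS services the fix is to make sure the cookie exchange is enabled, which turns the reply to an unverified ClientHello into the sub-1:1 case.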
The 21-digit solution to the decades-old problem suggests many more solutions exist.
What do you do after solving the answer to life, the universe, and everything? If you're mathematicians Drew Sutherland and Andy Booker, you go for the harder problem.
In 2019, Booker, at the University of Bristol, and Sutherland, principal research scientist at MIT, were the first to find the answer to 42. The number has pop culture significance as the fictional answer to "the ultimate question of life, the universe, and everything," as Douglas Adams famously penned in his novel "The Hitchhiker's Guide to the Galaxy." The question that begets 42[*], at least in the novel, is frustratingly, hilariously unknown.
In mathematics, entirely by coincidence, there exists a polynomial equation for which the answer, 42, had similarly eluded mathematicians for decades. The equation x³ + y³ + z³ = k is known as the sum of cubes problem. While seemingly straightforward, the equation becomes exponentially difficult to solve when framed as a "Diophantine equation" — a problem that stipulates that, for any value of k, the values for x, y, and z must each be integers.
When the sum of cubes equation is framed in this way, for certain values of k, the integer solutions for x, y, and z can grow to enormous numbers. The number space that mathematicians must search across for these numbers is larger still, requiring intricate and massive computations.
Over the years, mathematicians had managed through various means to solve the equation, either finding a solution or determining that a solution must not exist, for every value of k between 1 and 100 — except for 42.
In September 2019, Booker and Sutherland, harnessing the combined power of half a million home computers around the world, for the first time found a solution to 42. The widely reported breakthrough spurred the team to tackle an even harder, and in some ways more universal problem: finding the next solution for 3.
Booker and Sutherland have now published the solutions for 42 and 3, along with several other numbers greater than 100, recently in the Proceedings of the National Academy of Sciences.
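The passage describes the search without showing what "finding a solution or determining that a solution must not exist" looks like in practice. The Python below is an added example for this page, not the Booker and Sutherland code (their algorithm is far more sophisticated and ran on a distributed platform). It shows the three outcomes a bounded search over k = 1..100 produces: the values ruled out by the mod-9 obstruction (every cube is 0, 1 or -1 mod 9, so a sum of three cubes is never 4 or 5 mod 9), the values with small solutions, and the values such as 33 and 42 where nothing turns up inside the bound, which is exactly why they stayed open for so long. It also checks the published 2019 solution for 42 with exact integers; the bound of 50 is my choice and is only there to keep the run short.

```python
"""Sum of three cubes: the mod-9 obstruction, a bounded search, and a check of a published solution."""


def mod9_excluded(k):
    """Cubes are 0, 1 or -1 mod 9, so x^3+y^3+z^3 mod 9 lies in {-3..3}: k = 4 or 5 (mod 9) is impossible."""
    return k % 9 in (4, 5)


def search_three_cubes(k, bound):
    """Return some (x, y, z) with x^3+y^3+z^3 == k and |x|, |y|, |z| <= bound, or None.

    O(bound^2): pick x and y, then look the remaining value up in a table of cubes.
    """
    cubes = {c ** 3: c for c in range(-bound, bound + 1)}
    for x in range(-bound, bound + 1):
        x3 = x ** 3
        for y in range(x, bound + 1):           # y >= x skips permutations of the same pair
            z = cubes.get(k - x3 - y ** 3)
            if z is not None:
                return (x, y, z)
    return None


def classify(k, bound):
    """'impossible' (mod 9), 'found' with a triple, or 'unknown' (nothing within the bound)."""
    if mod9_excluded(k):
        return ("impossible", None)
    sol = search_three_cubes(k, bound)
    return ("found", sol) if sol else ("unknown", None)


def survey(bound=50, upto=100):
    """Status of every k in 1..upto, the way the 'all but 42' tally was built up over the years."""
    return {k: classify(k, bound) for k in range(1, upto + 1)}


def is_solution(k, triple):
    """Exact big-integer check; Python ints make the 17-digit case trivial to verify."""
    x, y, z = triple
    return x ** 3 + y ** 3 + z ** 3 == k


# Booker and Sutherland's 2019 solution for 42, as published.
SOLUTION_42 = (-80538738812075974, 80435758145817515, 12602123297335631)

if __name__ == "__main__":
    results = survey()
    unknown = [k for k, (status, _) in results.items() if status == "unknown"]
    print("no solution with |x|,|y|,|z| <= 50:", unknown)
    print("42 verified:", is_solution(42, SOLUTION_42))
```

Raising the bound makes the "unknown" list shrink slowly and the run time grow quadratically, which is the whole difficulty: the first solution for 42 needs 17-digit values, so nothing short of a much cleverer search than this one could have reached it.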
[*] 42: Wikipedia Entry.
Journal Reference:
Andrew R. Booker, Andrew V. Sutherland. On a question of Mordell [open], Proceedings of the National Academy of Sciences (DOI: 10.1073/pnas.2022377118)
Previously:
Sum-of-Three-Cubes Problem Solved for "Stubborn" Number 33.
Judge grants class-action status to MacBook butterfly-keyboard suit:
A judge has granted class-action status to a suit against Apple over its controversial, allegedly defective MacBook "butterfly" keyboard design, agreeing that owners of any affected model in seven states qualify for the class.
Beginning in 2018, several MacBook owners in seven states filed suits against Apple, claiming that the company knew the butterfly-style switches were defective. In an order (PDF), made public on Friday, Judge Edward J. Davila of US District Court for the Northern District of California agreed to grant class-action status to the suit. All customers residing in California, New York, Florida, Illinois, New Jersey, Michigan, or Washington state who purchased a 2015-2017 MacBook, a 2016-2019 MacBook Pro, or a 2018-2019 MacBook Air now qualify for the class.
[...] The plaintiffs in the suit allege that Apple's actions, as well as internal documents from the company, show that Apple knew the design was defective. They argue that the company violated several states' consumer protection laws when it kept selling the defective products to consumers.
[...] In June 2018, Apple acknowledged the butterfly-style switches were causing problems, and the company launched a keyboard service program specifically to address those issues. The program allowed for affected MacBook owners to have their keyboards repaired or replaced at no charge for the next four years, and some customers who had previously paid for those repairs became eligible to request refunds.
$16 attack shows how easy carriers make it to intercept text messages:
In a new article titled "A Hacker Got All My Texts for $16," Vice reporter Joseph Cox detailed how the white-hat hacker—an employee at a security vendor—was able to redirect all of his text messages and then break into online accounts that rely on texts for authentication.
This wasn't a SIM swap scam, in which "hackers trick or bribe telecom employees to port a target's phone number to their own SIM card," Cox wrote. "Instead, the hacker used a service by a company called Sakari, which helps businesses do SMS marketing and mass messaging, to reroute my messages to him."
This method tricked T-Mobile into redirecting Cox's text messages in a way that might not have been readily apparent to an unsuspecting user. "Unlike SIM jacking, where a victim loses cell service entirely, my phone seemed normal," Cox wrote. "Except I never received the messages intended for me, but he did."
The hacker, who goes by the mononym "Lucky225," is director of information at Okey Systems, a security vendor. "I used a prepaid card to buy [Sakari's] $16-per-month plan and then after that was done it let me steal numbers just by filling out LOA info with fake info," the Okey employee told Cox. The "LOA" is "a Letter of Authorization, a document saying that the signer has authority to switch telephone numbers," Cox wrote.
"A few minutes after they entered my T-Mobile number into Sakari, [the hacker] started receiving text messages that were meant for me," Cox wrote. "I received no call or text notification from Sakari asking to confirm that my number would be used by their service. I simply stopped getting texts."
[...] Cox's story is not the first reminder about the insecurity of text messages. SIM-swapping attacks and flaws in the SS7 telephone protocols already made it risky to use text messages for authentication, but many websites and other online services still rely on texts to verify users' identities. Customers can set up account PINs with T-Mobile and other carriers to prevent unauthorized access to their cellular accounts, but it isn't clear whether doing so would have prevented the type of attack that redirected Cox's text messages.
Attackers are trying awfully hard to backdoor iOS developers' Macs:
Researchers said they've found a trojanized code library in the wild that attempts to install advanced surveillance malware on the Macs of iOS software developers.
It came in the form of a malicious project the attacker wrote for Xcode, a developer tool that Apple makes freely available to developers writing apps for iOS or another Apple OS. The project was a copy of TabBarInteraction, a legitimate open source project that makes it easier for developers to animate iOS tab bars based on user interaction. An Xcode project is a repository for all the files, resources, and information needed to build an app.
Alongside the legitimate code was an obfuscated shell script configured as a "Run Script" build phase. The script, which ran each time the developer built the project, contacted an attacker-controlled server to download and install a custom version of EggShell, an open source back door that spies on users through their mic, camera, and keyboard.
Researchers with SentinelOne, the security firm that discovered the trojanized project, have named it XcodeSpy. They say they've uncovered two variants of the customized EggShell dropped by the malicious project. Both were uploaded to VirusTotal using the web interface from Japan, the first one on August 5 and the second one on October 13.
"The later sample was also found in the wild in late 2020 on a victim's Mac in the United States," SentinelOne researcher Phil Stokes wrote in a blog post Thursday. "For reasons of confidentiality, we are unable to provide further details about the ITW [in the wild] incident. However, the victim reported that they are repeatedly targeted by North Korean APT actors and the infection came to light as part of their regular threat hunting activities."
So far, company researchers are aware of only one in-the-wild case, from a US-based organization. Indications from the SentinelOne analysis suggest the campaign was "in operation at least between July and October 2020 and may also have targeted developers in Asia."
Cryptocurrency miners found a way to sidestep Nvidia's anti-mining protections for its RTX 3060 graphics card, and craft coins to their hearts' content.
A day before its 3060 went on sale, Nvidia announced the GPU would require a GeForce driver designed to detect whether the hardware was running proof-of-work algorithms used to mine Ethereum. If this code was observed, the driver would force the chipset to slash its mining efficiency, or hash rate, crippling its ability to produce digital currency.
It was hoped that these measures would deter crypto-miners from snapping up all of these relatively cheap cards at launch, and leave a few more for gamers. It was a little bit obvious that miners would just buy the RTX 3060s anyway in hope that the driver-level protection would be defeated eventually.
And not only did the miners get their hands on the gear, they discovered a way, in some circumstances, to subvert the driver to successfully mine Ethereum. The trick is surprisingly trivial: use another driver. Nvidia recently released a technology preview driver, compatible with the RTX 3060, that included CUDA support for the latest Windows Subsystem for Linux (WSL 2), allowing applications to tap into the graphics processor to accelerate things like machine-learning algorithms.
This driver also doesn't impose the Ethereum hashing limitations, and so switching to this software evades Nvidia's crackdown, depending on how you've set up your rig. "A developer driver inadvertently included code used for internal development which removes the hash rate limiter on RTX 3060 in some configurations," an Nvidia spokesperson confirmed to The Register on Tuesday. "The driver has been removed."
Previously:
Nvidia Says It Won't Nerf the Ethereum Mining Performance of Existing GPUs
Nvidia Cripples Ethereum Mining Capability for Upcoming RTX 3060, Announces Dedicated Mining Cards
Nvidia GeForce RTX 30 Series Laptop Shortages Likely as Ethereum Hunters Turn to Mobile Mining
New tool can help predict the next financial bubble:
An international team of interdisciplinary researchers has identified mathematical metrics to characterize the fragility of financial markets. Their paper "Network geometry and market instability" sheds light on the higher-order architecture of financial systems and allows analysts to identify systemic risks like market bubbles or crashes.
With the recent rush of small investors into so-called 'meme stocks' and reemerging interest in cryptocurrencies, talk of market instability, rising volatility, and bursting bubbles is surging. However, "traditional economic theories cannot foresee events like the US subprime mortgage collapse of 2007" according to study author Areejit Samal. He and his colleagues from more than ten mathematics, physics, economics, and complex systems focused institutions around the globe have made a great stride in characterizing stock market instability.
Their paper abstracts the complexity of the financial market into a network of stocks and employs geometry-inspired network measures to gauge market fragility and financial dynamics. They analyzed and contrasted the stock market networks for the USA S&P500 and the Japanese Nikkei-225 indices for a 32-year period (1985-2016) and for the first time were able to show that several discrete Ricci curvatures are excellent indicators of market instabilities. The work was recently published in the Royal Society Open Science journal and allows analysts to distinguish between 'business-as-usual' periods and times of fragility like bubbles or market crashes.
(Source in German: Max Planck Society)
With all this theory, I hoped to gain some insight about the next financial bubble ... no such luck!! I have doubts whether this method is better than so many other sure-fire ways of predicting the stock markets. In the end, a random flip of a coin may be just as good. What are your thoughts?
Journal Reference:
Network geometry and market instability, Royal Society Open Science (DOI: 10.1098/rsos.201734)
In 2020, Two Thirds of Google Searches Ended Without a Click
In August of 2019, I published research from now-defunct clickstream data provider, Jumpshot, showing that 50.33% of all Google searches ended without a click to any web property in the results. Today, thanks to new data from SimilarWeb, I've got a substantive update to that analysis.
From January to December, 2020, 64.82% of searches on Google (desktop and mobile combined) ended in the search results without clicking to another web property. That number is likely undercounting some mobile and nearly all voice searches, and thus it's probable that more than 2/3rds of all Google searches are what I've been calling "zero-click searches." Some folks have pointed out that "zero-click" is slightly misleading terminology, as a search ending with a click within the Google SERP itself (for example, clicking on the animal sounds here or clicking a phone number to dial a local business in the maps box) falls into this grouping. The terminology seems to have stuck, so instead I'm making the distinction clear.
In TFA and the links above I could not find what CTR meant. I googled for CTR, and got my answer without further needing to click through to any article. Thus only Google, and no other site got my personal information or any ad revenue for some other site's work.
TFA = The Friendly Article
CTR = Click Through Rate
Richard M Stallman, founder and former president of the Free Software Foundation (FSF), announced at the organisation's LibrePlanet virtual event that he has rejoined the board and does not intend to resign again.
Stallman spoke at the event yesterday on the subject of unjust computing – covering locked-down operating systems, non-free client software, user-restricting app stores, and more.
Before the talk he stated: "I have an announcement to make. I'm now on the Free Software Foundation Board of Directors once again. We were working on a video to announce this with, but that turned out to be difficult, we didn't have experience doing that sort of thing so it didn't get finished but here is the announcement. Some of you will be happy at this, and some might be disappointed, but who knows? In any case, that's how it is, and I'm not planning to resign a second time."
Ars Technica further notes:
Video of Stallman's announcement is available at It's FOSS News. Stallman gave a talk at LibrePlanet yesterday on "growing injustices in computing," including "locked-down operating systems; user-restricting app stores; [and] requiring nonfree client software, including Javascript."
Previously:
Richard M. Stallman Resigns
Richard Stallman Deserved to be Fired, Says Fired GNU Hurd Maintainer
Apple Told To Pay $308.5 Million For Infringing DRM Patent - Bloomberg:
Apple must pay $308.5 million to closely held Personalized Media Communications after a federal jury in Marshall, Texas, decided on Friday that the tech giant infringed a patent related to digital rights management.
Personalized Media had sued claiming Apple infringed its patent with technology including FairPlay, which is used for the distribution of encrypted content from its iTunes, App Store and Apple Music applications.
One expert for Sugar Land, Texas-based Personalized Media had calculated Apple owed $240 million in royalties. After a five-day trial, the jurors in Texas ordered Apple to pay a running royalty, which is generally dependent on the level of sales or usage.
Apple said it was disappointed with the ruling and would appeal.
Also at The Register and MacRumors
Facebook Finally Explains Its Mysterious Wrist Wearable:
It first appeared on March 9 as a tweet on Andrew Bosworth's timeline, the tiny corner of the Internet that offers a rare glimpse into the mind of a Facebook executive these days. Bosworth, who leads Facebook's augmented and virtual reality research labs, had just shared a blog post outlining the company's 10-year vision for the future of human-computer interaction. Then, in a follow-up tweet, he shared a photo of an as yet unseen wearable device. Facebook's vision for the future of interacting with computers apparently would involve strapping something that looks like an iPod Mini to your wrist.
Facebook already owns our social experience and some of the world's most popular messaging apps—for better or notably worse. Anytime the company dips into hardware, then, whether that's a very good VR headset or a video chatting device that follows your every move, it gets noticed. And it not only sparks intrigue, but questions too: why does Facebook want to own this new computing paradigm?
In this case, the unanswered questions are less about the hardware itself and more about the research behind it—and whether the new interactions Facebook envisions will only deepen our ties to Facebook. (Answer: probably.)
Also at Ars Technica.
LOL Garamond sux, say federal judges:
Fast-forward to this week, when the DC Circuit Court of Appeals came to the same realization that lawyers use Garamond[*] to cram more than is strictly allowed into their legal briefs. Federal Rule of Appellate Procedure 32(a)(5) says only that "a proportionally spaced face must include serifs" and must "be 14-point or larger." But the rules don't say what proportional fonts can be used in legal filings.
As lawyer John Elwood pointed out on Twitter, "Garamond is more compact than most fonts. For most appellate filings, its use will shave several pages off a brief. For that reason, it's long been a last resort for page-limited filings."
As a smaller font, it's also just harder to read at the same size as fonts like Times New Roman. And the court has had just about enough of it.
"The court has determined that certain typefaces, such as Century and Times New Roman, are more legible than others, particularly Garamond, which appears smaller than the other two typefaces," the DC Circuit announced this week. The court, it said, wants to "discourage use of Garamond."
[*] Wikipedia entry for Garamond.
Legal questions linger as governments and companies keep pushing into space:
The Perseverance rover's landing on Mars is still fresh in people's memories, privately owned companies are ferrying people and supplies into orbit, and NASA continues to work on "the most powerful rocket" it has ever built. But as world governments and private enterprises continue to eye the skies for opportunities, a SXSW panel called "Who on Earth should govern Space" makes clear that the laws dealing with space aren't evolving as fast as the technology that gets us there.
"People like to think of space as the Wild Wild West — nothing out there, there's open frontier, we can do whatever we want," said Michelle Hanlon, president of For All Moonkind, a non-profit devoted to preserving mankind's cultural heritage in space. "Unfortunately or fortunately, that's not true at all."
Hanlon was referring to the Outer Space Treaty, which was developed in 1966 and ratified by over 60 countries in early 1967. Considering the treaty was put into effect a full two years before mankind landed on the moon, it's little surprise that the document is heavy on broad principles, but light on specifics. Among its greatest hits: outer space shall be free for exploration and use by all states; states should avoid harmful contamination of space; celestial bodies shall only be used for peaceful purposes; and, perhaps most importantly, the assertion that outer space isn't subject to claims of sovereignty by Earth-bound governments.
[...] There have been efforts to more fully codify a set of rules to govern the way we approach space, including most recently the Artemis Accords signed by the United States, Australia, Brazil, Canada, Japan, Luxembourg, Italy, Ukraine, the United Kingdom and the United Arab Emirates in 2020. Ten countries are a start, but a slew of significant space-faring states — including China, India and Russia — have not bought into the largely US-brokered accord. It's hard to say exactly what (if anything) it will take for the international community to agree to a comprehensive set of guidelines for the use of outer space. But one thing is clear: With the technology to get us and keep us in space growing more advanced by the day, these are issues we can't afford to keep punting.
New York lawmaker wants to ban police use of armed robots:
New York City councilmember Ben Kallos says he "watched in horror" last month when city police responded to a hostage situation in the Bronx using Boston Dynamics' Digidog, a remotely operated robotic dog equipped with surveillance cameras. Pictures of the Digidog went viral on Twitter, in part due to their uncanny resemblance to the world-ending machines in the Netflix sci-fi series Black Mirror.
Now Kallos is proposing what may be the nation's first law banning police from owning or operating robots armed with weapons.
"I don't think anyone was anticipating that they'd actually be used by the NYPD right now," Kallos says. "I have no problem with using a robot to defuse a bomb, but it has to be the right use of a tool and the right type of circumstance."
Kallos' bill would not ban unarmed utility robots like the Digidog, only weaponized robots. But robotics experts and ethicists say he has tapped into concerns about the increasing militarization of police: their increasing access to sophisticated robots through private vendors and a controversial military equipment pipeline. Police in Massachusetts and Hawaii are testing the Digidog as well.
CentOS vs CentOS Stream - LinuxConfig.org:
Up until a late 2020 announcement from Red Hat, CentOS Linux had a longstanding reputation as a dependable and enterprise-class Linux distribution. And now, the main purpose of CentOS is shifting. Along with that comes a name change to CentOS Stream.
In this article, we'll talk about this change of direction for CentOS, and what it means for the huge community of users and businesses that have relied on the distro for years. We'll also see what's next, as many users are left scrambling for a replacement so they can avoid switching to CentOS Stream.
[...] All of this leads users and businesses to one question. Should we continue using CentOS (CentOS Stream, that is), or do we shift to a different distribution? The biggest feature of CentOS was its (free) stability. Without it, many have no reason to continue using it.
[...] In this guide, we went over the shift of CentOS to CentOS Stream. You now know what this shift means for businesses and end users that have been relying on CentOS for years. We also saw alternatives to the "old" CentOS, for those that don't want to use CentOS Stream. Ultimately, the CentOS shift gives its users three options: switch to CentOS Stream, use a CentOS replacement, or distro hop entirely.
Previously:
CentOS Linux 8 Will End in 2021
Red Hat Introduces Free RHEL for Open-Source, Non-Profit Organizations