Building hardware is fun but tough. We worked on Pebble for a full four years before we launched on Kickstarter in 2012. We went on to sell over $230 million worth of Pebbles, or just over 2 million watches. While it wasn’t our top goal to sell to Fitbit last year, I’m grateful that they’re continuing to work on low-power, fun, hackable smartwatches. Startups in general are…
New submitter Frobnicator writes: Four years ago, the W3C began standardizing Encrypted Media Extensions, or EME. Several organizations, including the EFF, have argued against DRM within web browsers. Earlier this year, after the W3C leadership officially recommended EME despite failing to reach consensus, the EFF filed the first-ever official appeal that the decision be formally polled for consensus. That appeal has been denied, and for the first time the W3C is endorsing a standard against the consensus of its members. In response, the EFF published their resignation from the body: "The W3C is a body that ostensibly operates on consensus. Nevertheless, as the coalition in support of a DRM compromise grew and grew -- and the large corporate members continued to reject any meaningful compromise -- the W3C leadership persisted in treating EME as a topic that could be decided by one side of the debate. [...] Today, the W3C bequeaths a legally unauditable attack-surface to browsers used by billions of people. Effective today, EFF is resigning from the W3C." Jeff Jaffe, CEO of W3C, said: "I know from my conversations that many people are not satisfied with the result. EME proponents wanted a faster decision with less drama. EME critics want a protective covenant. And there is reason to respect those who want a better result. But my personal reflection is that we took the appropriate time to have a respectful debate about a complex set of issues and provide a result that will improve the web for its users. My main hope, though, is that whatever point-of-view people have on the EME covenant issue, that they recognize the value of the W3C community and process in arriving at a decision for an inherently contentious issue. We are in our best light when we are facilitating the debate on important issues that face the web."
Read more of this story at Slashdot.
The Verge reports that Google has added local library ebook listings to its standard search interface when searching on books.
It works, too. When I search on my phone for a book that I know my local public library carries in ebook format (Grumpy Old Rock Star, a frequently hilarious book of anecdotes by Yes keyboard player Rick Wakeman), it shows right up—along with about two screens’ worth of links to various stores that carry the book in different formats, an option to “follow” the book so that stories about it appear in my swipe-left-from-homescreen Google Feed, and a link to its listing on Google Books.
The results are also there on the desktop, though organized a little differently—instead of being in line with the results, the links are in a small sidebar at the right. It’s the sort of thing you might not immediately notice because your eye skips over it, assuming it to be an ad of some kind. (Which, in part, it is.)
When I click the link, it takes me to the book’s page on my local library’s Overdrive subdomain, with the option to borrow (or place a hold if all the library’s copies are already checked out).
In any case, it’s nice that Google’s directing people to local libraries along with all the local ebook stores. It’s good to remind people that a free alternative to ebook stores exists, even if they could have done a bit more to make that option stand out than just dropping it in as a fairly inconspicuous text link.
Every time you wash your fleece jacket or other synthetic clothing, microscopic synthetic fibres are released and end up in our food supply and drinking water. From a report: These microfibres are so small -- visible only under a microscope -- that they bypass municipal filtration systems and are consumed by fish and other marine life. A team of women from Waterloo, Ontario is looking to solve that problem. They've designed something that looks a lot like a dryer sheet for your laundry machine. You'd be able to drop this reusable sheet, called PolyGone, into the laundry machine with your dirty clothes. It attracts and traps the microfibres so they can be recycled. They presented their work at the annual AquaHacking conference at the University of Waterloo on Wednesday. "With these fibres entering our food system and ending up on our plates, we are essentially eating polluted laundry," said co-founder Lauren Smith at the conference. The event saw five teams, including hers, compete for tens of thousands of dollars and entry into several local incubators and accelerator centres. Smith has a Masters degree in sustainability management from UW, specializing in water.
NASA's Cassini probe has bid farewell to Titan and is now on its way to a fatal encounter with Saturn. At 12:04 pm PDT (3:04 pm EDT), the unmanned orbiter flew by Saturn's largest moon at an altitude of 73,974 mi (119,049 km), altering Cassini's trajectory so it will plunge into Saturn's atmosphere on September 15, marking the dramatic end to the spacecraft's 20-year mission...
An anonymous reader shares a report: One of the main reasons RSS is so beloved of news gatherers is that it catches everything a site publishes -- not just the articles that have proved popular with other users, not just the articles from today, not just the articles that happened to be tweeted out while you were actually staring at Twitter. Everything. In our age of information overload that might seem like a bad idea, but RSS also cuts out everything you don't want to hear about. You're in full control of what's in your feed and what isn't, so you don't get friends and colleagues throwing links into your feeds that you've got no interest in reading. Perhaps most importantly, you don't need to be constantly online and constantly refreshing your feeds to make sure you don't miss anything. It's like putting a recording schedule in place for the shows you know you definitely want to catch rather than flicking through the channels hoping you land on something interesting. There's no rush with RSS -- you don't miss out on a day's worth of news, or TV recaps, or game reviews if you're offline for 24 hours. It's all waiting for you when you get back. And if you're on holiday and the unread article count starts to get scarily high, just hit the mark all as read button and you're back to a clean slate.
In light of the Equifax breach that exposed personal information of over 143 million US citizens, a handful of senators have reintroduced legislation that would put more power in the hands of consumers when it comes to their credit reports. Senators...
The blame for the record-breaking cybersecurity breach that affects at least 143 million people falls on the open-source server framework, Apache Struts, according to an unsubstantiated report by equity research firm Baird. The firm's source, per one report, is believed to be Equifax. ZDNet reports: Apache Struts is a popular open-source software programming Model-View-Controller (MVC) framework for Java. It is not, as some headlines have had it, a vendor software program. It's also not proven that Struts was the source of the hole the hackers drove through. In fact, several headlines -- some of which have since been retracted -- all source a single quote by a non-technical analyst from an Equifax source. Not only is that troubling journalistically, it's problematic from a technical point of view. In case you haven't noticed, Equifax appears to be utterly and completely clueless about their own technology. Equifax's own data breach detector isn't just useless: it's untrustworthy. Adding insult to injury, the credit agency's advice and support site looks, at first glance, to be a bogus, phishing-type site: "equifaxsecurity2017.com." That domain name screams fake. And what does it ask for if you go there? The last six figures of your social security number and last name. In other words, exactly the kind of information a hacker might ask for. Equifax's technical expertise, it has been shown, is less than acceptable. Could the root cause of the hack be a Struts security hole? Two days before the Equifax breach was reported, ZDNet reported a new and significant Struts security problem. While many jumped on this as the security hole, Equifax admitted hackers had broken in between mid-May through July, long before the most recent Struts flaw was revealed. "It's possible that the hackers found the hole on their own, but zero-day exploits aren't that common," reports ZDNet. 
"It's far more likely that -- if the problem was indeed with Struts -- it was with a separate but equally serious security problem in Struts, first patched in March." The question then becomes: is it the fault of Struts developers or Equifax's developers, system admins, and their management? "The people who ran the code with a known 'total compromise of system integrity' should get the blame," reports ZDNet.
An anonymous reader quotes a report from Ars Technica: The manufacturer of EpiPen devices failed to address known malfunctions in its epinephrine auto-injectors even as hundreds of customer complaints rolled in and failures were linked to deaths, according to the Food and Drug Administration. The damning allegations came to light today when the FDA posted a warning letter it sent September 5 to the manufacturer, Meridian Medical Technologies, Inc. The company (which is owned by Pfizer) produces EpiPens for Mylan, which owns the devices and is notorious for dramatically raising prices by more than 400 percent in recent years. The auto-injectors are designed to be used during life-threatening allergic reactions to provide a quick shot of epinephrine. If they fail to fire, people experiencing a reaction can die or suffer serious illnesses. According to the FDA, that's exactly what happened for hundreds of customers. In the letter, the agency wrote: "In fact, your own data show that you received hundreds of complaints that your EpiPen products failed to operate during life-threatening emergencies, including some situations in which patients subsequently died." The agency goes on to lambast Meridian Medical for failing to investigate problems with the devices, recall bad batches, and follow-up on problems found. For instance, a customer made a complaint in April 2016 that an EpiPen failed. When Meridian disassembled the device, it found a deformed component that led to the problem -- the exact same defect it had found in February when another unit failed.
I was recently looking for a way to extract many attachments from a series of emails. I first had a look at the AttachmentExtractor Thunderbird plugin, but it seems very old and not maintained anymore. So I've come up with another very simple solution that also works with any other mail client.
Just copy all the mails you want to extract attachments from to a single (temporary) mail folder, find out which file holds the mail folder and use ripmime on that file (ripmime is packaged for Debian). For my case, it looked like:
~ ripmime -i .icedove/XXXXXXX.default/Mail/pop.xxxx/tmp -d target-directory
Simple solution, but it saved me quite some time. Hope it helps!
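The same job done with Python's standard library instead of ripmime, as an added example that is not part of the original post: it walks every message in an mbox-format folder file (the assumption here is that the mail client stores local folders as mbox, as Icedove/Thunderbird do) and writes each attachment to a target directory. The two-message mailbox, the addresses and the file names are constructed for the demonstration. The filename sanitisation is a precaution the post does not discuss: attachment names come from the sender, so a name such as ../../escape.txt must be reduced to its basename before it is used as an output path.

```python
"""Extract attachments from an mbox folder file (added example, not from the post)."""
import mailbox
import os
import re
import tempfile
from email.message import EmailMessage
from pathlib import Path

# Anything outside this set is replaced; keeps output names boring and portable.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def safe_filename(name, fallback):
    """Reduce a sender-supplied attachment name to a single safe path component.

    Both "/" and "\\" are treated as separators so neither Unix nor Windows
    style traversal ("../x", "..\\x") can escape the target directory; leading
    dots are dropped so an attachment cannot masquerade as a hidden file.
    """
    base = os.path.basename((name or "").replace("\\", "/"))
    base = _UNSAFE.sub("_", base).lstrip(".")
    return base or fallback


def extract_attachments(mbox_path, target_dir):
    """Write every attachment part found in mbox_path into target_dir.

    Returns the list of Paths written. Parts without a Content-Disposition of
    "attachment" (message bodies, inline HTML) are skipped, as ripmime's
    caller would usually want.
    """
    target = Path(target_dir)
    target.mkdir(parents=True, exist_ok=True)
    written = []
    box = mailbox.mbox(str(mbox_path))
    try:
        for msg_no, msg in enumerate(box):
            for part_no, part in enumerate(msg.walk()):
                if part.get_content_maintype() == "multipart":
                    continue  # container, not content
                if part.get_content_disposition() != "attachment":
                    continue
                payload = part.get_payload(decode=True)  # base64/QP decoded bytes
                if payload is None:
                    continue
                name = safe_filename(part.get_filename(), f"msg{msg_no}-part{part_no}.bin")
                stem, suffix = os.path.splitext(name)
                out = target / name
                n = 1
                while out.exists():  # two mails with the same attachment name
                    out = target / f"{stem}-{n}{suffix}"
                    n += 1
                out.write_bytes(payload)
                written.append(out)
    finally:
        box.close()
    return written


def build_sample_mbox(path):
    """Constructed two-message mailbox; the second attachment name tries traversal."""
    box = mailbox.mbox(str(path))
    try:
        for subject, fname, data in [
            ("report", "report.txt", b"hello from message one\n"),
            ("crafted", "../../escape.txt", b"must land inside the target directory\n"),
        ]:
            msg = EmailMessage()
            msg["From"] = "alice@example.invalid"  # constructed
            msg["To"] = "bob@example.invalid"      # constructed
            msg["Subject"] = subject
            msg.set_content("see attachment")
            msg.add_attachment(data, maintype="application", subtype="octet-stream",
                               filename=fname)
            box.add(msg)
    finally:
        box.close()


def demo():
    """Build the constructed mbox, extract it, return the sorted output file names."""
    with tempfile.TemporaryDirectory() as tmp:
        folder_file = Path(tmp) / "tmp"  # stands in for .../Mail/pop.xxxx/tmp
        build_sample_mbox(folder_file)
        target = Path(tmp) / "target-directory"
        written = extract_attachments(folder_file, target)
        # Every file must sit directly inside target: traversal was neutralised.
        if any(p.parent != target for p in written):
            raise RuntimeError("attachment escaped the target directory")
        return sorted(p.name for p in written)


if __name__ == "__main__":
    for name in demo():
        print(name)
```

Point it at the real folder file with extract_attachments(".icedove/XXXXXXX.default/Mail/pop.xxxx/tmp", "target-directory"); the mailbox module only reads the file, so the client's folder is left intact.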
A new bill is working its way through Congress that could be disastrous for free speech online. EFF is proud to be part of the coalition fighting back.
We all rely on online platforms to work, socialize, and learn. They’re where we go to make friends and share ideas with each other. But a bill in Congress could threaten these crucial online gathering places. The Stop Enabling Sex Traffickers Act (SESTA) might sound virtuous, but it’s the wrong solution to a serious problem.
The Electronic Frontier Foundation, R Street Institute, and over a dozen fellow public interest organizations are joining forces to launch a new website highlighting the problems of SESTA. Together, we’re trying to send a clear message to Congress: Don’t endanger our online communities. Stop SESTA.
SESTA would weaken 47 U.S.C. § 230 (commonly known as "CDA 230" or simply “Section 230”), one of the most important laws protecting free expression online. Section 230 protects Internet intermediaries—individuals, companies, and organizations that provide a platform for others to share speech and content over the Internet. This includes social networks like Facebook, video platforms like YouTube, news sites, blogs, and other websites that allow comments. Section 230 says that an intermediary cannot be held legally responsible for content created by others (with a few exceptions). And that’s a good thing: it’s why we have flourishing online communities where users can comment and interact with one another without waiting for a moderator to review every post.
SESTA would change all of that. It would shift more blame for users’ speech to the web platforms themselves. Under SESTA, web communities would likely become much more restrictive in how they patrol and monitor users’ contributions. Some of the most vulnerable platforms would be ones that operate on small budgets—sites like Wikipedia, the Internet Archive, and small WordPress blogs that play a crucial role in modern life but don’t have the massive budgets to defend themselves that Facebook and Twitter do.
Experts in human trafficking say that SESTA is aiming at the wrong target. Alexandra Levy, adjunct professor of human trafficking and human markets at Notre Dame Law School, writes, “Section 230 doesn’t cause lawlessness. Rather, it creates a space in which many things — including lawless behavior — come to light. And it’s in that light that multitudes of organizations and people have taken proactive steps to usher victims to safety and apprehend their abusers.”
Chinese researchers have discovered a vulnerability in voice assistants from Apple, Google, Amazon, Microsoft, Samsung, and Huawei. It affects every iPhone and Macbook running Siri, any Galaxy phone, any PC running Windows 10, and even Amazon's Alexa assistant. From a report: Using a technique called the DolphinAttack, a team from Zhejiang University translated typical vocal commands into ultrasonic frequencies that are too high for the human ear to hear, but perfectly decipherable by the microphones and software powering our always-on voice assistants. This relatively simple translation process lets them take control of gadgets with just a few words uttered in frequencies none of us can hear. The researchers didn't just activate basic commands like "Hey Siri" or "Okay Google," though. They could also tell an iPhone to "call 1234567890" or tell an iPad to FaceTime the number. They could force a Macbook or a Nexus 7 to open a malicious website. They could order an Amazon Echo to "open the backdoor." Even an Audi Q3 could have its navigation system redirected to a new location. "Inaudible voice commands question the common design assumption that adversaries may at most try to manipulate a [voice assistant] vocally and can be detected by an alert user," the research team writes in a paper just accepted to the ACM Conference on Computer and Communications Security.
Here’s another innovative use case Apple can mention when they announce the next Apple Watch: The device has reportedly played a key role in a baseball sign-stealing scheme run by the Boston Red Sox.
Movie composer Mark Korven (The Cube and The Witch) wanted a musical instrument that made terrifying sounds so he asked his luthier friend, Tony Duggan-Smith, to make something that fit the bill. Behold the "Apprehension Engine."
From YouTube description:
What happens when a horror movie composer and a guitar maker join forces? They create the world’s most disturbing musical instrument. Affectionately known as "The Apprehension Engine," this one-of-a-kind instrument was commissioned by movie composer Mark Korven. Korven wanted to create spooky noises in a more acoustic and original way—but the right instrument didn't exist. So his friend, guitar maker Tony Duggan-Smith, went deep into his workshop and assembled what has to be the spookiest instrument on Earth. https://vimeo.com/184366394
An anonymous reader quotes a report from ZDNet: A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server -- putting sensitive corporate data at risk. The vulnerability allows an attacker to remotely run code on servers that run applications using the REST plugin, built with Apache Struts, according to security researchers who discovered the vulnerability. All versions of Struts since 2008 are affected, said the researchers. Apache Struts is used across the Fortune 100 to provide web applications in Java, and it powers front- and back-end applications. Man Yue Mo, a security researcher at LGTM, who led the effort that led to the bug's discovery, said that Struts is used in many publicly accessible web applications, such as airline booking and internet banking systems. Mo said that all a hacker needs "is a web browser." "I can't stress enough how incredibly easy this is to exploit," said Bas van Schaik, product manager at Semmle, a company whose analytical software was used to discover the vulnerability. The report notes that "a source code fix was released some weeks prior, and Apache released a full patch on Tuesday to fix the vulnerability." It's now a waiting game for companies to patch their systems.
<+Meow> what's the alternative to html tables?
<+slew> html chairs
Comment: irc.p2p-network.net / #zomgwtfbbq
The huge cache of addresses was discovered on a server based in the Netherlands - and the researchers are trying to get it taken down
San Francisco, California—The Electronic Frontier Foundation (EFF) and the ACLU won a decision by the California Supreme Court that the license plate data of millions of law-abiding drivers, collected indiscriminately by police across the state, are not “investigative records” that law enforcement can keep secret.
California’s highest court ruled that the collection of license plate data isn’t targeted at any particular crime, so the records couldn’t be considered part of a police investigation.
“This is a big win for transparency in California,” said attorney Peter Bibring, director of police practices at the ACLU of Southern California, which joined EFF in a lawsuit over the records. “The Supreme Court recognized that California’s sweeping public records exemption for police investigations doesn’t cover mass collection of data by police, like the automated scanning of license plates in this case. The Court also recognized that mere speculation by police on the harms that might result from releasing information can’t defeat the public’s strong interest in understanding how police surveillance impacts privacy."
The ruling sets a precedent that mass, indiscriminate data collection by the police can’t be withheld just because the information may contain some criminal data. This is important because police are increasingly using technology tools to surveil and collect data on citizens, whether it’s via body cameras, facial recognition cameras, or license plate readers.
The panel sent the case back to the trial court to determine whether the data can be made public in a redacted or anonymized form so drivers’ privacy is protected.
“The court recognized the huge privacy implications of this data collection,” said EFF Senior Staff Attorney Jennifer Lynch. “Location data like this, that’s collected on innocent drivers, reveals sensitive information about where they have been and when, whether that’s their home, their doctor’s office, or their house of worship.”
Automated License Plate Readers or ALPRs are high-speed cameras mounted on light poles and police cars that continuously scan the plates of every passing car. They collect not only the license plate number but also the time, date, and location of each plate scanned, along with a photograph of the vehicle and sometimes its occupants. The Los Angeles Police Department (LAPD) and the Los Angeles County Sheriff's Department (LASD) collect, on average, three million plate scans every week and have amassed a database of half a billion records.
EFF filed public records requests for a week’s worth of ALPR data from the agencies and, along with American Civil Liberties Union-SoCal, sued after both agencies refused to release the records.
EFF and ACLU SoCal asked the state supreme court to overturn a lower court ruling in the case that said all license plate data—collected indiscriminately and without suspicion that the vehicle or driver was involved in a crime—could be withheld from disclosure as “records of law enforcement investigations.”
EFF and the ACLU SoCal argued the ruling was tantamount to saying all drivers in Los Angeles are under criminal investigation at all times. The ruling would also have set a dangerous precedent, allowing law enforcement agencies to withhold from the public all kinds of information gathered on innocent Californians merely by claiming it was collected for investigative purposes.
EFF and ACLU SoCal will continue fighting for transparency and privacy as the trial court considers how to provide public access to the records so this highly intrusive data collection can be scrutinized and better understood.
It’s almost too strange to believe, but a federal court ruled earlier this year that copyright can be used to control access to parts of our state and federal laws—forcing people to pay a fee or sign a contract to read and share them. On behalf of Public.Resource.Org, a nonprofit dedicated to improving public access to law, yesterday EFF challenged that ruling in the United States Court of Appeals for the District of Columbia Circuit.
Public.Resource.Org acquires and posts a wide variety of public documents, including regulations that have become law through what’s called “incorporation by reference.” That means that they were initially created at private standards organizations before being adopted into law by cities, states, and federal agencies. By posting these documents online, Public Resource wants to make these requirements more available to the public that must abide by them. But six standards development organizations sued Public Resource, claiming that they have copyright in the regulations, and that Public Resource shouldn’t be allowed to post them at all.
Laws and regulations incorporated by reference include some of our most important protections for health, safety, and fairness. They include fire safety rules for buildings, rules that ensure safe consumer products, rules for energy efficient buildings, and rules for designing fair and accurate standardized tests for students and employees. Once adopted by a legislature or agency, these rules are laws that can carry civil or criminal penalties. For example, a person was charged with manslaughter this year in connection with the deadly Ghost Ship fire in Oakland, California for violating a fire code that became law through incorporation by reference.
According to the district court decision issued in February, the standards development organizations that convene the committees that write these codes and standards can continue to decide who can print them, who can access and post them online, and the price and conditions of that access. It’s as if a lobbyist who submitted a draft bill to Congress could charge fees for access to that bill after Congress and the president pass it into law.
Today, while most laws and regulations in the U.S. can be searched and read on the Web, laws incorporated by reference are locked behind paywalls, or cannot be found online at all. Many are available only in expensive printed books, or in a single office in Washington, D.C. that requires an appointment on several weeks’ notice. Public Resource’s website was designed to fill this gap, which is why it was targeted in a lawsuit.
In our opening brief, EFF, along with co-counsel at Fenwick & West and attorney David Halperin, argued that giving private organizations the power to limit access violates the First Amendment’s guarantee of free speech, and the due process protections of the Fifth and Fourteenth Amendments and contradicts copyright law.
We’re asking the appeals court to fix these errors and uphold the rights of everyone to know the law, and to share it.
A half dozen technology and security companies — some of them competitors — issued the exact same press release today. This unusual level of cross-industry collaboration caps a successful effort to dismantle ‘WireX,’ an extraordinary new crime machine comprising tens of thousands of hacked Android mobile devices that was used this month to launch a series of massive cyber attacks.
Experts involved in the takedown warn that WireX marks the emergence of a new class of attack tools that are more challenging to defend against and thus require broader industry cooperation to defeat.
This graphic shows the rapid growth of the WireX botnet in the first three weeks of August 2017.
News of WireX’s emergence first surfaced August 2, 2017, when a modest collection of hacked Android devices was first spotted conducting some fairly small online attacks. Less than two weeks later, however, the number of infected Android devices enslaved by WireX had ballooned to the tens of thousands.
More worrisome was that those in control of the botnet were now wielding it to take down several large websites in the hospitality industry — pelting the targeted sites with so much junk traffic that the sites were no longer able to accommodate legitimate visitors.
Experts tracking the attacks soon zeroed in on the malware that powers WireX: Approximately 300 different mobile apps scattered across Google‘s Play store that were mimicking seemingly innocuous programs, including video players, ringtones or simple tools such as file managers.
“We identified approximately 300 apps associated with the issue, blocked them from the Play Store, and we’re in the process of removing them from all affected devices,” Google said in a written statement. “The researchers’ findings, combined with our own analysis, have enabled us to better protect Android users, everywhere.”
Perhaps to avoid raising suspicion, the tainted Play store applications all performed their basic stated functions. But those apps also bundled a small program that would launch quietly in the background and cause the infected mobile device to surreptitiously connect to an Internet server used by the malware’s creators to control the entire network of hacked devices. From there, the infected mobile device would await commands from the control server regarding which Websites to attack and how.
A sampling of the apps from Google’s Play store that were tainted with the WireX malware.
Experts involved in the takedown say it’s not clear exactly how many Android devices may have been infected with WireX, in part because only a fraction of the overall infected systems were able to attack a target at any given time. Devices that were powered off would not attack, but those that were turned on with the device’s screen locked could still carry on attacks in the background, they found.
“I know in the cases where we pulled data out of our platform for the people being targeted we saw 130,000 to 160,000 (unique Internet addresses) involved in the attack,” said Chad Seaman, a senior engineer at Akamai, a company that specializes in helping firms weather large DDoS attacks (Akamai protected KrebsOnSecurity from hundreds of attacks prior to the large Mirai assault last year).
The identical press release that Akamai and other firms involved in the WireX takedown agreed to publish says the botnet infected a minimum of 70,000 Android systems, but Seaman says that figure is conservative.
“Seventy thousand was a safe bet because this botnet makes it so that if you’re driving down the highway and your phone is busy attacking some website, there’s a chance your device could show up in the attack logs with three or four or even five different Internet addresses,” Seaman said in an interview with KrebsOnSecurity. “We saw attacks coming from infected devices in over 100 countries. It was coming from everywhere.”
Security experts from Akamai and other companies that participated in the WireX takedown say the basis for their collaboration was forged in the monstrous and unprecedented distributed denial-of-service (DDoS) attacks launched last year by Mirai, a malware strain that seeks out poorly-secured “Internet of things” (IoT) devices such as security cameras, digital video recorders and Internet routers.
The first and largest of the Mirai botnets was used in a giant attack last September that knocked this Web site offline for several days. Just a few days after that — when the source code that powers Mirai was published online for all the world to see and use — dozens of copycat Mirai botnets emerged. Several of those botnets were used to conduct massive DDoS attacks against a variety of targets, leading to widespread Internet outages for many top Internet destinations.
Allison Nixon, director of security research at New York City-based security firm Flashpoint, said the Mirai attacks were a wake-up call for the security industry and a rallying cry for more collaboration.
“When those really large Mirai DDoS botnets started showing up and taking down massive pieces of Internet infrastructure, that caused massive interruptions in service for people that normally don’t deal with DDoS attacks,” Nixon said. “It sparked a lot of collaboration. Different players in the industry started to take notice, and a bunch of us realized that we needed to deal with this thing because if we didn’t it would just keep getting bigger and rampaging around.”
Mirai was notable not only for the unprecedented size of the attacks it could launch but also for its ability to spread rapidly to new machines. But for all its sheer firepower, Mirai is not a particularly sophisticated attack platform. Well, not in comparison to WireX, that is.
According to the group’s research, the WireX botnet likely began its existence as a distributed method for conducting “click fraud,” a pernicious form of online advertising fraud that will cost publishers and businesses an estimated $16 billion this year, according to recent estimates. Multiple antivirus tools currently detect the WireX malware as a known click fraud malware variant.
The researchers believe that at some point the click-fraud botnet was repurposed to conduct DDoS attacks. While DDoS botnets powered by Android devices are extremely unusual (if not unprecedented at this scale), it is the botnet’s ability to generate what appears to be regular Internet traffic from mobile browsers that strikes fear in the heart of experts who specialize in defending companies from large-scale DDoS attacks.
DDoS defenders often rely on developing custom “filters” or “signatures” that can help them separate DDoS attack traffic from legitimate Web browser traffic destined for a targeted site. But experts say WireX has the capability to make that process much harder.
That’s because WireX includes its own so-called “headless” Web browser that can do everything a real, user-driven browser can do, except without actually displaying the browser to the user of the infected system.
Also, WireX can encrypt the attack traffic using SSL — the same technology that typically protects the security of a browser session when an Android user visits a Web site which requires the submission of sensitive data. This adds a layer of obfuscation to the attack traffic, because the defender needs to decrypt incoming data packets before being able to tell whether the traffic inside matches a malicious attack traffic signature.
Translation: It can be far more difficult and time-consuming than usual for defenders to tell WireX traffic apart from clicks generated by legitimate Internet users trying to browse to a targeted site.
“These are pretty miserable and painful attacks to mitigate, and it was these kinds of advanced functionalities that made this threat stick out like a sore thumb,” Akamai’s Seaman said.
Traditionally, many companies that found themselves on the receiving end of a large DDoS attack sought to conceal this fact from the public — perhaps out of fear that customers or users might conclude the attack succeeded because of some security failure on the part of the victim.
But the stigma associated with being hit with a large DDoS is starting to fade, Flashpoint’s Nixon said, if for no other reason than it is becoming far more difficult for victims to conceal such attacks from public knowledge.
“Many companies, including Flashpoint, have built out different capabilities in order to see when a third party is being DDoS’d,” Nixon said. “Even though I work at a company that doesn’t do DDoS mitigation, we can still get visibility when a third-party is getting attacked. Also, network operators and ISPs have a strong interest in not having their networks abused for DDoS, and many of them have built capabilities to know when their networks are passing DDoS traffic.”
Just as multiple nation states now employ a variety of techniques and technologies to keep tabs on nation states that might conduct underground tests of highly destructive nuclear weapons, a great deal more organizations are now actively looking for signs of large-scale DDoS attacks, Seaman added.
“The people operating those satellites and seismograph sensors to detect nuclear [detonations] can tell you how big it was and maybe what kind of bomb it was, but they probably won’t be able to tell you right away who launched it,” he said. “It’s only when we take many of these reports together in the aggregate that we can get a much better sense of what’s really going on. It’s a good example of none of us being as smart as all of us.”
According to the WireX industry consortium, the smartest step that organizations can take when under a DDoS attack is to talk to their security vendor(s) and make it clear that they are open to sharing detailed metrics related to the attack.
“With this information, those of us who are empowered to dismantle these schemes can learn much more about them than would otherwise be possible,” the report notes. “There is no shame in asking for help. Not only is there no shame, but in most cases it is impossible to hide the fact that you are under a DDoS attack. A number of research efforts have the ability to detect the existence of DDoS attacks happening globally against third parties no matter how much those parties want to keep the issue quiet. There are few benefits to being secretive and numerous benefits to being forthcoming.”
Identical copies of the WireX report and Appendix are available at the following links:
Game studios normally bend over backwards to discourage pirates and keep titles off of any piracy sites, but don't tell that to Acid Wizard. When the studio saw that a young player asked for a refund for its horror game Darkwood out of a fear that hi...
by Jason Chan
This summer marks three years of releasing open source software for the Netflix Cloud Security team. It’s been a busy three years — our most recent release marks 15 open source projects — so we figured a roundup and recap would be useful.
Penetration testing tools, vulnerabilities, and offensive security techniques have dominated security conferences and security-related open source for some time. However, in recent years, more individuals and organizations have been publishing “blue team” and defensive security tools and talks. We’re thrilled that the security industry has become more supportive of sharing these tools and techniques, and we’re more than happy to participate through the release of open source.
Our security-related OSS tends to be reflective of the unique Netflix culture. Many of the tools we’ve released are aimed at facilitating security in high-velocity and distributed software development organizations. Automation is a big part of our approach, and we seek to keep our members, employees, data, and systems safe and secure while enabling innovation. For our team, scale, speed, and integration with the culture are the keys to enabling the business to move fast.
Without further ado, here’s a look back at the OSS we’ve released.
We’ve enjoyed contributing to the OSS security community and have learned a lot from the feedback and collaboration. It’s always instructive to see how software evolves over its lifecycle and to see how others extend it in novel and creative ways. And going forward, we’ll look to make more use of our Skunkworks project to share projects that are experimental or that we don’t necessarily envision supporting long term. We have a few projects we’re considering open sourcing in the near future — if you’re interested, keep an eye on this space, our GitHub site, and @NetflixOSS on Twitter, and check out our YouTube channel for more talks from our team.
A Brief History of Open Source from the Netflix Cloud Security Team was originally published in Netflix TechBlog on Medium.
Original release date: August 21, 2017
On October 11, 2017, the Internet Corporation for Assigned Names and Numbers (ICANN) will be changing the Root Zone Key Signing Key (KSK) used in the domain name system (DNS) Security Extensions (DNSSEC) protocol.
DNSSEC is a set of DNS protocol extensions used to digitally sign DNS information, which is an important part of preventing domain name hijacking. Updating the DNSSEC KSK is a crucial security step, similar to updating a PKI Root Certificate. Maintaining an up-to-date Root KSK as a trust anchor is essential to ensuring DNSSEC-validating DNS resolvers continue to function after the rollover. While DNSSEC validation is mandatory for federal agencies, it is not required of the private sector. Systems of organizations that do not use DNSSEC validation will be unaffected by the rollover.
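The check that decides whether a validating resolver survives the rollover, as an added example (not US-CERT's or ICANN's code): it rebuilds the DS-style trust anchor a resolver configures, computes the RFC 4034 key tag and SHA-256 DS digest of each key-signing key in a root DNSKEY RRset, and reports whether any configured anchor still vouches for a key in that RRset. The keys are constructed test data, not the real root KSKs.

```python
import hashlib
import struct

# Constructed example, not US-CERT's or ICANN's code: it mirrors the check a
# validating resolver performs when it compares its configured trust anchor
# (a DS-style record: key tag, algorithm, digest type, digest) against the
# DNSKEY RRset it fetches from the root. All keys below are made-up test data.

SEP_FLAG = 0x0001   # Secure Entry Point bit: set on key-signing keys (flags 257)
DS_SHA256 = 2       # DS digest type 2 = SHA-256 (RFC 4509)


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format RDATA of a DNSKEY record (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034 appendix B)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_to_wire(owner):
    """Canonical wire form of an owner name; the root is a single zero octet."""
    if owner in (".", ""):
        return b"\x00"
    labels = owner.rstrip(".").lower().split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def ds_digest(owner, rdata):
    """SHA-256 DS digest = hash(owner name wire form || DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def make_anchor(owner, flags, protocol, algorithm, pubkey):
    """Turn a DNSKEY into the DS-style trust anchor a resolver would configure."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return (key_tag(rdata), algorithm, DS_SHA256, ds_digest(owner, rdata))


def matching_anchors(anchors, dnskeys, owner="."):
    """Return key tags of DNSKEYs in the RRset that a configured anchor vouches for.

    An empty list means the resolver has no usable trust anchor for the zone:
    every DNSSEC validation would fail, which is the post-rollover failure mode
    for a resolver still configured with only the retired KSK.
    """
    matched = []
    for flags, protocol, algorithm, pubkey in dnskeys:
        if not flags & SEP_FLAG:
            continue  # only key-signing keys are matched against the anchor
        rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
        tag, digest = key_tag(rdata), ds_digest(owner, rdata)
        for a_tag, a_alg, a_type, a_digest in anchors:
            if (a_tag, a_alg, a_type, a_digest.upper()) == (tag, algorithm, DS_SHA256, digest):
                matched.append(tag)
    return matched


# Constructed stand-ins for the outgoing and incoming root KSKs (flags 257 = ZONE|SEP).
OLD_KSK = (257, 3, 8, b"\x01\x02\x03\x04")
NEW_KSK = (257, 3, 8, b"constructed-new-root-ksk-public-key-bytes")

if __name__ == "__main__":
    old_only = [make_anchor(".", *OLD_KSK)]
    both = old_only + [make_anchor(".", *NEW_KSK)]
    after_rollover = [NEW_KSK]  # root DNSKEY RRset once the old KSK is retired
    print("old anchor only:", matching_anchors(old_only, after_rollover))  # []
    print("both anchors:   ", matching_anchors(both, after_rollover))
```

A resolver that reports an empty match against the live root DNSKEY RRset is the one that will start failing validation after the rollover; resolvers that follow RFC 5011 automated updates should already carry the new anchor.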
Some people might assume that Gen Con would only be of interest to gamers—but that couldn’t be farther from the truth. Wednesday was the third Gen Con Trade Day I’ve attended, in which librarians and educators give presentations to other librarians and educators on how they make use of games and gaming in their curricula or programming. (There are also panels focused on retailers, but I didn’t attend any of those.) Here are my reports on Trade Day 2015 and 2016.
I missed out on the first hour due to arriving late, but I was still able to catch five out of the six hours of programming. Here are my reports on the panels I attended.
This panel was a roundtable discussion focusing on various games that could be useful in a classroom setting. Teachers and others swapped stories, tips, and suggestions about games that could be useful in teaching, and how they could be used.
One teacher shared the story of a 5th grade teacher doing a unit on advertising, and some kids had trouble coming up with fictitious products to make up ads about. But it turned out there was a game called Snake Oil, which involved coming up with products to sell, that helped those students get past that problem.
Games that the moderators or other attendees shared included Rory’s Story Cubes (which I previously covered for TeleRead), Dixit, Word on the Street, Word Teasers, Love Letter, Ticket to Ride, Qwirkle, In a Pickle, Verbal Volley, and Apples to Apples. I offered up The Storymatic (which I also covered in that piece about Story Cubes) and Storium.
This event was put on by panelists from the Chicago Public Library, using a problem-solving technique called “Design Thinking” that the library has developed in partnership with IDEO and the Bill & Melinda Gates Foundation.
The library walked through how it used the process to come up with a way of implementing a gaming program that would appeal to adults as well as children. The process involves a three-step cycle of inspiration, ideation, and iteration. As the Wikipedia article on Design Thinking explains:
Inspiration is the initial problem or opportunity that leads you to the finding of the solution; ideation is the core of the development process where the idea is better defined; and implementation is the final step where the solution comes in contact with the outer world. Projects may loop back through inspiration, ideation, and implementation more than once as the team refines its ideas and explores new directions.
The presentation went step by step through how the library applied these stages, in more detail than I really have time to lay out here. Suffice it to say that their experimentation and analysis led them to have a kiosk they could set up at local events and expositions at which they would offer a set number of games for people to check out and play. The number of games varied from just a few at most events, to many at specific events like a movies-in-the-park program in which a large number of people would show up hours early and then need ways to pass the time.
The process seemed interesting, though the presentation seemed more about how to use design thinking than about gaming specifically. Still, librarians with an interest might want to check out the link in the first paragraph of this section; the site offers a toolkit that librarians can study for “5-8 hours a week for the next six weeks,” depending on how much time they have available.
This panel was put on by staff from the Ukiah Mendocino County Public Library from Ukiah, California. This seems to be a pretty small library as libraries go—small enough that it doesn’t even have a web site of its own, but has to make do with a section of the Mendocino County Government web site and a Facebook page.
But this panel was proof that even small libraries can come up with great ideas for interacting with their community. The librarians discussed how an arts-and-crafts day for teenagers to make their own padded LARP (Live-Action Role-Playing) “boffa” swords turned into a “LARPspedition” game day in which area businesses participated in a “treasure hunt,” followed by a LARP combat event at the library itself and an ice cream social.
The librarians went over how they ran the program step by step, including crafting the swords, coming up with clues to direct people to participating businesses, and—not least importantly—getting in touch with their local police department to make sure that people running around the community with padded “LARP swords” would be all right that day.
This panel, and the event it described, are a great example of the way librarians can build relations with the community through means that go beyond just recommending good books. Perhaps more libraries should consider hosting similar game-related events.
This panel had more to do with game design than with education or libraries, but it still taught some lessons that are worth remembering. This panel was presented by a pair of game designers from Thorny Games, discussing how to navigate the potentially thorny (pun not intended) problem of basing games on cultures not one’s own.
They used as an example their game Sign, which was based on the birth of the unique Nicaraguan Sign Language in the 1970s. This language, they explained, was created spontaneously when hundreds of deaf Nicaraguan children were brought together in special schools for the purpose of trying to teach them to read lips. Instead of learning to read lips, they effectively negotiated their own language to use to talk to each other. This was such a fascinating idea that the game developers wanted to base a game on it.
But basing a game on people of a different culture can be tricky. Developers have to ask themselves if they’re the right persons to be making such a game, and whether it might be better to work with someone else who is in a better position to represent that other culture. They should also reach out to members of that culture and involve them in the process (as the game developers did for Sign by reaching out to members of the Nicaraguan deaf community).
It’s also important to remember that your game makes statements in not just what it says, but also in how it plays. During the design process for Sign, the designers realized at one stage that they were making a potentially destructive statement in terms of how the game was played—implying that sign languages in general were more primitive and simplistic than spoken languages. They had to make some corrections along the way to make sure they weren’t sending that kind of message.
But these problems and challenges aren’t a reason not to try to make these games. They made the point that games are an excellent way to help develop and promote empathy—to get people to put themselves into the positions of people of different cultures and backgrounds, in ways that simply reading or watching a story never could. I think that’s an important message to consider—all the more so given the events of the last week or so.
If you want to see how the developers put these theories into practice, Sign is currently downloadable as a PDF from the Thorny Games web site.
This panel really didn’t have a lot of relevance to libraries, education, or even game retail. It was a professional investment counselor giving a set of tips to remember for overseeing one’s investments in 401Ks, pension plans, the stock market, etc. It seemed like reasonably sound advice, but it’s not exactly topical enough to go over in detail here.
Perhaps the more important thing to take away from this panel is that Gen Con—and Gen Con Trade Day—is a place where you can find a lot more useful advice than you might expect, on more topics than you might expect. If you’re an educator, librarian, or gaming retail industry professional, make the time to arrive a day early for Gen Con so you can take in Gen Con Trade Day first.
"Don't Be a Sucker" is as timely now as it was back in 1947:
Don't Be a Sucker! is a short educational film produced by the U.S. War Department in 1943 and re-released in 1947. The film depicts the rise of Nazism in Germany and warns Americans against repeating the mistakes of intolerance made in Nazi Germany. It emphasizes that Americans will lose their country if they let themselves be turned into "suckers" by the forces of fanaticism and hatred. The film was made to make the case for the desegregation of the United States armed forces by simply revealing the connection between prejudice and fascism.
This film is not propaganda. To the contrary, it teaches how to recognize and reject propaganda, as was used by the Nazis to promote bigotry and intimidation. It shows how prejudice can be used to divide the population to gain power. Far more significantly, it then shows how such tactics can be defanged by friendly persuasion; that protection of liberty is a unifying and practical way to live peacefully.
In the summer of 1972, the song "Brandy (You're a Fine Girl)" by New Jersey bar band Looking Glass took the charts by surprise. Now considered a classic and one of the best songs ever written, it almost didn't get air time.
Elliot Lurie wrote and composed the number one hit and tells its story in this 2016 interview. In it, he debunks the many rumors surrounding the song, including that it was inspired by the true story of a real spinster named Mary Ellis who had a hot romance with a sailor. It wasn't, Lurie claims. It's a complete work of fiction.
Want to hear the song? Here ya go... https://youtu.be/DVx8L7a3MuE
An open-source, self-hosted search aggregator might be a good way both of avoiding being tracked and getting away from the echo chamber
TLS 1.2 fixes a vulnerability, so now's the time to check that the software you use and the software you manage supports it
Long-time Slashdot reader Noryungi writes: NASA will celebrate the 40th anniversary of the launch of the twin Voyager probes next month. So let us celebrate both the probes and the people who are still working on them, and nursing them in their final years. The New York Times fondly profiles Voyager's nine aging flight-team engineers who "may be the last people left on the planet who can operate the spacecraft's onboard computers, which have 235,000 times less memory and 175,000 times less speed than a 16-gigabyte smartphone." NASA reports that now "Voyager 1 is in 'Interstellar space' and Voyager 2 is currently in the 'Heliosheath' -- the outermost layer of the heliosphere where the solar wind is slowed by the pressure of interstellar gas." But the Times notes that the probes "are running out of fuel. (Decaying plutonium supplies their power.) By 2030 at the latest, they will not have enough juice left to run a single experiment." NASA is now inviting the public to submit positive messages to be considered for beaming into space on September 5th -- the 40th anniversary of Voyager 1's launch. "Messages can have a maximum of 60 characters and be posted on Twitter, Instagram, Facebook, Google+ or Tumblr using the hashtag #MessageToVoyager," until August 15th, after which humanity will vote on which message should be sent.
Read more of this story at Slashdot.
How and to what extent the FCC should regulate the internet has been a hot question for years, and the present administration is proposing to eliminate the 2015 Order that created net neutrality rules. But Congress isn’t going to take that lying down: 10 Representatives who helped craft the law governing the FCC itself have submitted an official comment on the proposal ruthlessly… Read More
The GhanaSat-1―Ghana’s first satellite―began its orbit recently, with a little help from some friends. The cubesat, built by a Ghanaian engineering team at All Nations University, was delivered to NASA’s International Space Station in June on a SpaceX rocket that took off from pad 39a at Kennedy Space Center, a NASA spokesperson confirmed. The GhanaSat-1 deployed into orbit… Read More
An anonymous reader quotes a report from Vox: The art of suppressing dissent has been perfected over the years by authoritarian governments. For most of human history, the solution was simple: force. Punish people severely enough when they step out of line and you deter potential protesters. But in the age of the internet and "fake news," there are easier ways to tame dissent. A new study by Gary King of Harvard University, Jennifer Pan of Stanford University, and Margaret Roberts of the University of California San Diego suggests that China is the leading innovator on this front. Their paper, titled "How the Chinese Government Fabricates Social Media Posts for Strategic Distraction, Not Engaged Argument," shows how Beijing, with the help of a massive army of government-backed internet commentators, floods the web in China with pro-regime propaganda. What's different about China's approach is the content of the propaganda. The government doesn't refute critics or defend policies; instead, it overwhelms the population with positive news (what the researchers call "cheerleading" content) in order to eclipse bad news and divert attention away from actual problems. This has allowed the Chinese government to manipulate citizens without appearing to do so. It permits just enough criticism to maintain the illusion of dissent and only acts overtly when fears of mass protest or collective action arise.
As of August 5, 2017, NASA's Curiosity rover will have been cruising the landscape of Mars for five years. This US$2.5 billion mission landed the largest, and most technologically sophisticated, rover ever to roam the surface of the Red Planet. Over the course of its mission Curiosity has captured more than 200,000 images and drilled over a dozen rock samples, and it isn't done yet...
UK home secretary Amber Rudd has called on messaging apps like WhatsApp to ditch end-to-end encryption, arguing that it aids terrorists. From a report: The major technology companies must step up their fight against extremism or face new laws, the home secretary has told the BBC. Amber Rudd said technology companies were not doing enough to beat "the enemy" on the internet. Encryption tools used by messaging apps had become a "problem," she added. Ms Rudd is meeting with representatives from Google, Facebook, Twitter, Microsoft and others at a counter-terrorism forum in San Francisco. Tuesday's summit is the first gathering of the Global Internet Forum to Counter Terrorism, an organisation set up by the major companies in the wake of recent terror attacks. In a joint statement, the companies taking part said they were co-operating to "substantially disrupt terrorists' ability to use the internet in furthering their causes, while also respecting human rights." In an op-ed, she wrote Tuesday: Real people often prefer ease of use and a multitude of features to perfect, unbreakable security ... Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly user-friendly and cheap way of staying in touch with friends and family? Companies are constantly making trade-offs between security and 'usability,' and it is here where our experts believe opportunities may lie.
Your daily round-up of some of the other stories in the news!
An anonymous reader shares a news post: Following the recent WannaCry and Petya ransomware attacks, Microsoft recommended that all Windows 10 users remove the unused but vulnerable SMBv1 file sharing protocol from their PCs. This is because both variants of the ransomware actually used the same SMBv1 exploit to replicate through network systems, even though it seems that Petya mostly affected Windows PCs in Ukraine. Anyway, if you haven't turned off the protocol on the PC already, you really should: not only because new WannaCry/Petya variants could once again use the same vulnerability to encrypt your files, but because another 20-year-old flaw has just been unveiled during the recent DEF CON hacker conference. The SMB security flaw called "SMBLoris" was discovered by security researchers at RiskSense, who explained that it can lead to DoS attacks affecting every version of the SMB protocol and all versions of Windows since Windows 2000. More importantly, a Raspberry Pi and just 20 lines of Python code are enough to bring a Windows server to its knees.
A new NASA study has poured another bucket of cold water on hopes of one day discovering life on the closest exoplanet ever discovered – the Earth-sized world Proxima b, which is thought to orbit in the habitable zone of the red dwarf Proxima Centauri. A computer model is now asserting that the atmosphere of the exoplanet could have long since been destroyed by the intense levels of radiation emitted by the parent star...
An anonymous reader shares a BBC report: Two German researchers say they have exposed the porn-browsing habits of a judge, a cyber-crime investigation and the drug preferences of a politician. The pair obtained huge amounts of information about the browsing habits of three million German citizens from companies that gather "clickstreams." These are detailed records of everywhere that people go online. The researchers argue such data -- which some firms scoop up and use to target ads -- should be protected. The data is supposed to be anonymised, but analysis showed it could easily be tied to individuals. People's browsing history is often used to tailor marketing campaigns. The results of the research by Svea Eckert and Andreas Dewes were revealed at the Def Con hacking conference in Las Vegas this weekend. The pair found that 95% of the data they obtained came from 10 popular browser extensions. "What these companies are doing is illegal in Europe but they do not care," said Ms Eckert, adding that the research had kicked off a debate in Germany about how to curb the data gathering habits of the firms.
Humanity’s farthest and longest-lived spacecraft, Voyager 1 and 2, achieve 40 years of operation and exploration this August and September. Despite their vast distance, they continue to communicate with NASA daily, still probing the final frontier.
<martin> "PHP is a minor evil perpetrated and created by incompetent amateurs, whereas Perl is a great and insidious evil, perpetrated by skilled but perverted professionals."
<mking> So what does that make Java?
<zstevens> a DSL for converting XML to stack traces