Privacy

DNA Databases Are a National Security Leak Waiting To Happen (technologyreview.com) 35

schwit1 writes: A private DNA ancestry database that's been used by police to catch criminals is a security risk from which a nation-state could steal DNA data on a million Americans, according to security researchers. Security flaws in the service, called GEDmatch, not only risk exposing people's genetic health information but could let an adversary such as China or Russia create a powerful biometric database useful for identifying nearly any American from a DNA sample. GEDmatch, which crowdsources DNA profiles, was created by genealogy enthusiasts to let people search for relatives and is run entirely by volunteers. It shows how a trend toward sharing DNA data online can create privacy risks affecting everyone, even people who don't choose to share their own information.

"You can replace your credit card number, but you can't replace your genome," says Peter Ney, a postdoctoral researcher in computer science at the University of Washington. Ney, along with professors and DNA security researchers Luis Ceze and Tadayoshi Kohno, described in a report posted online how they developed and tested a novel attack employing DNA data they uploaded to GEDmatch. Using specially designed DNA profiles, they say, they were able to run searches that let them guess more than 90% of the DNA data of other users. The founder of GEDmatch, Curtis Rogers, confirmed that the researchers alerted him to the threat during the summer.
"The same attack wouldn't work on other genealogy sites, like 23andMe, because they don't permit data uploads," the report notes. "Others, like MyHeritage, do allow uploads but don't give users as much information about their matches."

"The problem with GEDmatch is the browser is too good, and searches too deeply," says Erlich. "If I were them, I would remove it, fix it, then put it back."
Networking

RIPE NIC: 'In Five Weeks We'll Run Out of IPv4 Internet Addresses' (ispreview.co.uk) 283

An anonymous reader quotes ISP Review: The RIPE Network Coordination Centre (RIPE NCC), which manages regional distribution of internet addresses for the UK, Europe, Middle East and parts of Central Asia, has confirmed that their final reserve pool of Internet Protocol v4 (IPv4) addresses will completely run out in November 2019. Strictly speaking the Regional Internet Registry (RIR) started running out of address space in 2012 and began rationing the little they had left. Fast forward a few years and at the start of October 2019 it was confirmed that they only had 1 million IPv4 addresses left in their available pool (out of 4 billion addresses total), "which we expect to run out in November 2019...."

Thankfully many ISPs, devices and services have now introduced "newer" IPv6 addresses, although some still have a lot of work to do (e.g. TalkTalk)... A Spokesperson for RIPE NCC told ISPreview.co.uk "... IPv4 'run-out' has long been anticipated and planned for by the technical community and no one needs to worry about the Internet suddenly breaking. But it does mean that the pressure will continue to build for many networks, necessitating the use of complex and expensive workarounds.

"Our advice to network operators is to take stock of their IP resources and to make sure their IPv6 plans are making progress."

Networking

Nasty PHP7 Remote Code Execution Bug Exploited in the Wild on NGINX Servers (zdnet.com) 16

nickwinlund77 shares this story from ZDNet: A recently patched security flaw in modern versions of the PHP programming language is being exploited in the wild to take over servers, ZDNet has learned from threat intelligence firm Bad Packets. The vulnerability is a remote code execution (RCE) in PHP 7, the newer branch of PHP, the most common programming language used to build websites.

The issue, tracked as CVE-2019-11043, lets attackers run commands on servers just by accessing a specially-crafted URL. Exploiting the bug is trivial, and public proof-of-concept exploit code has been published on GitHub earlier this week. Only NGINX servers with PHP-FPM enabled are vulnerable. PHP-FPM, or FastCGI Process Manager, is an alternative PHP FastCGI implementation with some additional features, and according to reports, a common server configuration option.

Oracle

Should JavaScript Be Renamed? (kieranpotts.com) 170

Software engineer Kieran Potts asks: does JavaScript need to be renamed? There's no doubt there are problems with JavaScript's branding...

- Correctly, "JavaScript" refers to a subset of ECMAScript specified by Mozilla, but the word is used interchangeably to refer to multiple different ECMAScript supersets, depending on context.

- JavaScript is a trademark of Oracle Corporation, which doesn't fit comfortably with the language's position as a central component of the web platform, which is meant to be built entirely from open technologies and standards.

- There isn't even an official logo for JavaScript, let alone a cute mascot like Go's gopher or PHP's elephant.

- And famously, JavaScript is unrelated to Java. This has confused the hell out of non-technical managers and recruiters for decades.

The article also suggests "a standard convention" to identify the runtime's host system (for example, "WebJS" or "ServerJS").

But in response to the question of rebranding JavaScript, "the most common, knee jerk reaction was a quick guffaw and an exclaimed 'no!'" notes tech columnist Mike Melanson, "while others offered that the simple contraction to JS would suffice."
Earth

2.35 Million Lose Power In California As State Faces Extreme Weather and Wildfires (mercurynews.com) 269

California's largest power utility began power shut-offs today for an estimated 2.35 million people -- expected to last two days -- after weather forecasts predicted extreme fire danger due to exceptionally dry weather and severe winds, according to the Washington Post. "Some gusts this weekend might reach 75 mph (120 kph) or higher as part of a 'historic' wind event, the National Weather Service said. The winds could lead to 'erratic fire behavior,' warned the California Department of Forestry and Fire Protection..."

The San Jose Mercury News reports: PG&E won't restore power until inspections of de-energized lines are completed and any damage to the system is repaired. The utility also has requested mutual aid from 1,000 workers from other energy companies, including ATCO Energy in Alberta, Canada; Xcel Energy in Minnesota; and Florida Power & Light. Those crews are expected to be staged and in place to do repairs by Sunday, according to the company.
50,000 people living near Northern California's wine country were also ordered to evacuate, as firefighters struggled to contain an already-burning 25,955-acre wildfire nearby which is only 10% contained. And 40,000 people were ordered to evacuate homes in Southern California near Santa Clarita, where the 4,600-acre Tick Fire is now 25% contained.
Businesses

An Interview With Former Purism CTO Zlatan Todoric Hints At Chaos At Purism (phoronix.com) 8

mpol writes: Phoronix published an interview with former Purism CTO Zlatan Todoric, who left Purism in September 2018. The story hints quite strongly at chaotic situations over at Purism. He started at the company in 2015, when it was a small outfit, and steered it into the bigger company that it is now. To him the smartphone development for the Librem 5 was a mistake and way too early. He has high hopes for the Pinephone, which according to him is doing things right. The first "Aspen" batch of the Purism Librem 5 is supposed to be shipping, though seemingly only people related to Purism are showing off their devices.
Open Source

Google Ejects Open-Source WireGuard From Play Store Over Donation Links (phoronix.com) 39

Google appears to be removing apps that have donation links, including open-source apps where donations are one of the main sources of revenue. WireGuard, a free and open-source VPN, has been reportedly dropped over this according to WireGuard lead developer Jason Donenfeld. Phoronix reports: After waiting days for Google to review the latest version of their secure VPN tunnel application, it was approved and then removed and delisted -- including older versions of WireGuard. The reversal comes on the basis of violating their "payments policy." The only bit of possible "payments" within the WireGuard app is a donation link within the program taking the user to the WireGuard website should anyone want to donate to support this promising open-source secure networking tech. An appeal to the situation was also rejected by Google, Donenfeld has confirmed this morning on their mailing list. In trying to make it back into Android's Play Store, Jason has dropped the donation link from the Android app version while it's still awaiting review from Google. UPDATE: WireGuard lead developer Jason Donenfeld says the app "has been relisted on the Play Store in its usual location," adding: "Sorry again for any inconvenience this has caused users, or caused developers who depend on the availability of our app for use by their own users. We won't be making any similar changes unless we're certain that we won't be delisted."
Privacy

'Ignorance is Not an Excuse': California Draft Rules on Data Privacy Released (sfchronicle.com) 56

California Attorney General Xavier Becerra released a series of draft regulations this week aimed at getting businesses to comply with the state's landmark data privacy law, scheduled to take effect Jan. 1. From a report: Under the California Consumer Privacy Act, signed into law in June 2018, businesses must disclose to consumers the various kinds of data they collect about them. Companies must stop selling consumer data to third parties if customers ask them to, delete personal data on request, and explicitly seek consent from consumers aged 16 or younger to sell personal information. The bill also states that consumers who exercise their rights under the law cannot be discriminated against. The newly announced rules for businesses require notifying people before or when their data is collected. If notice is not given, data cannot be collected. The attorney general also provided guidelines for how to respond to consumers wanting to opt out, delete and know the data that's collected on them, as well as how to verify the identity of people making such requests and how to maintain relevant records for two years. "Help us get this right," Becerra said. Privacy is a right in California, he said, even as he acknowledged that some businesses may struggle to find the resources to comply. But, he added, "We want companies to understand that ignorance is not an excuse."
Classic Games (Games)

Videogame Records Site Refuses To Reinstate 'King of Kong' Billy Mitchell's High Scores (twingalaxies.com) 80

An anonymous reader writes: Billy Mitchell is the intense videogamer made famous in the 2007 documentary The King of Kong. Last month he threatened to sue both the Guinness Book of World Records and the videogame record-keepers at Twin Galaxies for defamation after they revoked an entire lifetime's worth of videogame high scores. An online discussion had argued that videotapes of three of Mitchell's performances suggested they'd been achieved using a MAME emulator -- but the organization revoked all of Mitchell's high scores (including his uncontested perfect game of Pac-Man in 1999).

Last week Twin Galaxies finally posted their response to Mitchell's lawsuit. "It is not necessary to hire lawyers and threaten Twin Galaxies out of the blue to get it to review and consider relevant new evidence -- all anyone has to do is simply reach out and directly request an opportunity to present the information...

"There will be no retraction or reinstatement. It should be noted that Twin Galaxies is under no obligation to maintain Mr. Mitchell's scores in its database. He has no divine right to be part of the Twin Galaxies community either. Twin Galaxies has unlimited authority to maintain the integrity of its score database." They also write that any lawsuit will be considered a strategic lawsuit against public participation and countered accordingly, followed by a second suit over malicious prosecution. "Please advise Mr. Mitchell to tread lightly, and choose wisely."

Last week a massive new 16,000-word profile of Mitchell pointed out that after his records were revoked, Mitchell had actually webcast himself playing Donkey Kong on Twitch, "obtaining scores equal to those that had been disputed, broadcast live from public venues.... Mitchell had proven he could earn those scores now. But he hadn't outlined a clear defense to prove he'd achieved them at the time of the original submissions."

Google

Google Finds Hundreds Of Data-Race Conditions In The Linux Kernel (phoronix.com) 57

Google has been testing the Linux kernel with its "sanitizer" testing software that hunts for memory corruption bugs and undefined behaviors. Now Phoronix reports on Google's newest sanitizer: Kernel Concurrency Sanitizer (KCSAN) is focused on discovering data-race issues within the kernel code. This dynamic data-race detector is an alternative to the Kernel Thread Sanitizer. In their testing just last month, in two days they found over 300 unique data race conditions within the mainline kernel.

There was a recent discussion about the Kernel Concurrency Sanitizer on the LKML.

Space

Organic Compounds Found In Plumes of Saturn's Icy Moon Enceladus (space.com) 34

Scientists have detected new types of organic compounds in the plumes that have been erupting from Saturn's icy moon Enceladus. Space.com reports: NASA's Cassini spacecraft collected invaluable data and images of Saturn and its moons over the approximately 20 years that the mission took place. While the mission ended on Sept. 15, 2017, with the craft diving toward the planet in a "Grand Finale," scientists continue to study the wealth of data that they gathered during the mission. In one new study, scientists looked at the material that Enceladus ejects from its core using hydrothermal vents. The material mixes with water in the moon's subsurface ocean and is then emitted as water vapor and icy grains.

In studying these ejections, the team found organic molecules that are condensed onto these grains and which contain oxygen and nitrogen. This comes after the first discovery of organics on the moon in 2018. Similar compounds on Earth take part in the chemical reactions that form amino acids, which are the organic compounds that combine to form proteins and are essential to life as we know it. On Earth, energy, or heat, from hydrothermal vents on the ocean floor helps to fuel these amino acid-producing reactions. With these findings, scientists have suggested that perhaps something similar is happening on Enceladus and the hydrothermal vents under its subsurface ocean are aiding in the creation of amino acids on the moon.
"If the conditions are right, these molecules coming from the deep ocean of Enceladus could be on the same reaction pathway as we see here on Earth. We don't yet know if amino acids are needed for life beyond Earth, but finding the molecules that form amino acids is an important piece of the puzzle," Nozair Khawaja, who led the research team from the Free University of Berlin, said in a statement.
Security

Hackers Looking Into Injecting Card Stealing Code on Routers, Rather Than Websites (zdnet.com) 25

Security researchers at IBM have found evidence that hackers have been working on creating malicious scripts they can deploy on commercial-grade "Layer 7" routers to steal payment card details. From a report: This discovery is a game-changer in what researchers call Magecart attacks, also known as web skimming. These are attacks where hackers plant malicious code on an online store that records and steals payment card details. Until now, Magecart-specific code was only delivered at the website level, hidden inside JavaScript or PHP files. However, this new discovery is an escalation of Magecart attacks to a new level, where the malicious code is injected at the router level, rather than being added by hackers on outdated websites.

Layer 7, or L7, routers are a type of commercial, heavy-duty router that's usually installed on large networks, such as hotels, malls, airports, casinos, government networks, public spaces, and others. They work like any other router, except with the added benefit of being able to manipulate traffic at the seventh layer (application level) of the OSI networking model -- meaning they can react to traffic based on more than just IP addresses, such as cookies, domain names, browser types, and more. In a report published today, researchers with the IBM X-Force Incident Response and Intelligence Services (IRIS) team said they found evidence that a well-known hacker group has been testing Magecart scripts to deploy on L7 routers.

The Military

US Military Apologizes For Joking about Bombing 'Millennials' Who Might Storm Area 51 (yahoo.com) 95

"The US military has been forced to apologise for tweeting that it would use stealth-bombers on 'millenials' who try to storm Area 51," reports Yahoo News UK: More than two million people signed up to a Facebook event recently which encouraged attendees to visit the top secret base in Nevada. But only a few thousand UFO enthusiasts turned up on Friday to the facility, which is rumoured to contain secrets about aliens. As hordes of enthusiasts turned up, the PR arm of the US military, called the Defence Visual Information Distribution Service (DVIDS), tweeted: "The last thing #Millennials will see if they attempt the #area51raid today" with a picture of military officers in front of a stealth bomber.

Shortly afterwards the tweet was deleted and the unit apologised saying it "in no way" reflects their stance... "It was inappropriate and we apologize for this mistake."

Around 1,000 people visited the facility's gates on Friday and at least six were arrested by police.

The Storm Area 51 invitation spawned festivals in the tiny nearby towns of Rachel and Hiko, more than two hours' drive from Las Vegas. Lincoln County Sheriff Kerry Lee estimated late on Thursday that about 1,500 people had gathered at the festival sites, and more than 150 made the trip several additional miles on bone-rattling dirt roads to get within selfie distance of the gates.... "It's public land," the sheriff said. "They're allowed to go to the gate as long as they don't cross the boundary."

Most of the arrests were for "misdemeanor trespassing on base property," which carries a $1,000 fine, according to the article. "In the end, no one actually 'stormed' Area 51, although deputies in rural Nye County resorted to 'heated warnings' to disperse as many as 200 people," reports the Associated Press.

In another article the news service also quotes Lincoln County emergency services chief Eric Holt as saying resources had been mustered to handle up to 30,000 people and calling the low turnout a "best-case" scenario... Although there were two car crashes involving cows. "The cows died, but motorists weren't hurt."

The main festival apparently drew 3,000 attendees, while the rival "Area 51 Basecamp" festival sold just 500 tickets for their Friday concert, prompting them to cancel their Saturday concert altogether. Its promoter told the Associated Press, "It was a gamble financially. We lost."
Debian

Debian May Need To Re-Evaluate Its Interest In 'Init System Diversity' (phoronix.com) 135

"Debian Project Leader Sam Hartman has shared his August 2019 notes where he outlines the frustrations and issues that have come up as a result of init system diversity with some developers still aiming to viably support systemd alternatives within Debian," reports Phoronix: Stemming from elogind being blocked from transitioning to testing and the lack of clarity into that, Hartman was pulled in to try to help mediate the matter and get to the bottom of the situation with a lack of cooperation between the elogind and systemd maintainers for Debian as well as the release team. Elogind is used by some distributions as an implementation of systemd's logind, well, outside of systemd as a standalone daemon. Elogind is one of the pieces to the puzzle for trying to maintain a modern, systemd-free Linux distribution.

Various issues were raised that are trying to be worked through albeit many Debian developers face time limitations and other factors like emotional exhaustion. Hartman noted in his August notes, "I think we may be approaching a point where we need to poll the project -- to have a GR and ask ourselves how committed we are to the different parts of this init diversity discussion. Reaffirming our support for sysvinit and elogind would be one of the options in any such GR. If that option passed, we'd expect all the maintainers involved to work together or to appoint and empower people who could work on this issue. It would be fine for maintainers not to be involved so long as they did not block progress. And of course we would hold the discussions to the highest standards of respect."

Operating Systems

Systemd-homed: Systemd Now Working To Improve Home Directory Handling (phoronix.com) 238

Freshly Exhumed shares a report from Phoronix, detailing a new set of systemd capabilities shown off by lead developer Lennart Poettering at the annual All Systems Go conference: Improving the Linux handling of user home directories is the next ambition for systemd. Among the goals are allowing more easily migratable home directories, ensuring all data for users is self-contained to the home directories, UID assignments being handled by the local system, unified user password and encryption key handling, better data encryption handling in general, and other modernization efforts. Among the items being explored by systemd-homed are JSON-based user records, encrypted LUKS home directories in loop-back files, and other next-gen features for offering secure yet portable home directories. Systemd-homed is currently being developed in Lennart's Git tree but hopes to see it merged for either systemd 244 (the current cycle) or systemd 245.
Science

Massive, Blimplike Experiment Lowers Weight Limit On Neutrino (sciencemag.org) 59

sciencehabit shares a report from Science Magazine: Physicists have set a new limit on the mass of nature's lightest particle of matter. The neutrino can weigh no more than 1.1 electron volts (eV) -- less than one-500,000th the mass of an electron -- say experimenters with the Karlsruhe Tritium Neutrino (KATRIN) experiment at the Karlsruhe Institute of Technology in Germany. Reported on September 13 at a meeting in Toyama, Japan, the new result halves the previous limit of 2 eV.

Physicists have tried to measure the neutrino's mass for decades. However, the particle barely interacts with ordinary matter. So to deduce its mass, researchers study the radioactive "β decay" of tritium, in which a nucleus spits out an electron and a neutrino. By precisely measuring the maximum energy of the ejected electrons, physicists can infer the mass of the unobserved neutrinos. KATRIN takes this classic approach to the ultimate limit, employing a 23-meter-long blimplike spectrometer to measure the electron from tritium with unprecedented precision. Cosmological measurements already suggest the neutrino cannot weigh more than about 0.1 eV, but that estimate is based on several assumptions. So KATRIN physicists argue that their better, directly measured limit on neutrino mass is likely to make cosmology models more reliable.

Books

Inspired By Harry Potter, 150 Colleges Now Have Quidditch Teams (sfgate.com) 91

A reporter for SFGate describes what happened when he tried out for the quidditch team at the University of California at Berkeley: The person throwing me what's called a "quaffle" (actually a slightly deflated volleyball) looks at me to make sure I'm ready. I give them a head nod and grip my "broom" (a PVC pipe), ready to run. "GO!" I run 20 feet and turn back to catch the ball. Success!

But as I take my next step, I get decked by team captain Dara Gaeuman, fall to the ground, drop the quaffle, re-grab the quaffle, get back up, run over to the hoop and score. It's a triumphant moment for my post-healthy, 33-year-old self, regardless of the fact that this a drill. On the first day of practice. Of a sport I'm playing for the first time. With people who likely weren't born when the first Harry Potter book came out....

[I]n 2005, a pair of students at Middlebury College -- Xander Manshel and Alex Benepe -- translated quidditch into a non-flying sport. The game used to be played on wooden brooms until a few years ago when the game got too rough. There are still chasers (offensive players), beaters (defenders), seekers, keepers (like a goalie in hockey or soccer) and quaffles (again the balls, stay with me here) and bludgers (slightly deflated dodgeballs). But here the snitch is actually a person with a sock-like pouch attached to their lower back that has to be snatched by the seekers, while the snitch tries to evade them... Almost 15 years after its inception, real-world quidditch has grown into a global phenomenon, with an International Quidditch Association (IQA) that has a World Cup every two years, a couple of semi-pro leagues, several regional and national leagues and more than 150 colleges and universities with club teams.

During practice, Chanun Ong, a sophomore returning for his second year on the team, tells a freshman, "I wasn't a big Harry Potter fan, but this sport is pretty legit."

There's a short video of the quidditch practice, and the article's author remembers some crucial advice he received from one of the players. "Scrunch your body down if someone is about to throw a bludger at you, so you're a harder target to hit."

Although he also acknowledges that most of the people watching the two-hour practice "were passersby trying to figure out what the hell is going on."
Social Networks

Twitter's Stenciled San Francisco Street Tweets Illegal Graffiti, City Says (sfchronicle.com) 108

For the better part of a year, Twitter has been trying to rebrand itself as a safe place for healthy conversations -- rather than a social network rife with bullying and racism. But its latest advertising campaign, one that involves stenciling city sidewalks with users' tweets, might brand the site as a scofflaw instead. From a report: Earlier this week, Twitter users started posting pictures of the stencils popping up around the downtown corridor, part of the campaign running in San Francisco and New York through early October. Some were strategically placed. "Twitter is like running up the down escalator," said one, neatly sprayed in front of an escalator leading to a BART station. "Twitter is garbage and I am a raccoon," said another near a trash can.

Apt or not, the stencils, created using a spray-paint-like chalk, are illegal, according to Rachel Gordon, spokeswoman for the Department of Public Works. "That's not the use of the sidewalks," she said. "We can go and document them. If they don't remove them immediately, we'll send a crew to remove them and charge them."

GNOME

GNOME 3.34 Released (phoronix.com) 28

Red Hat developer Matthias Clasen has announced the release of GNOME 3.34, bringing many performance improvements and better Wayland support. Phoronix reports: Making GNOME 3.34 particularly exciting is the plethora of optimizations/fixes in tow with this six-month update. Equally exciting are a ton of improvements and additions around the Wayland support to ensure its performance and feature parity to X11. GNOME 3.34 also brings other improvements like sandboxed browsing with Epiphany, GNOME Music enhancements, GNOME Software improvements, and a ton of other refinements throughout GNOME Shell, Mutter, and the many GNOME applications. More details can be found via the release announcement and release notes.
Security

Thousands of Servers Infected With New Lilocked (Lilu) Ransomware (zdnet.com) 71

Longtime Slashdot reader Merovech shares a report from ZDNet: Thousands of web servers have been infected and had their files encrypted by a new strain of ransomware named Lilocked (or Lilu). Infections have been happening since mid-July, and have intensified in the past two weeks, ZDNet has learned. Based on current evidence, the Lilocked ransomware appears to target Linux-based systems only. The way the Lilocked gang breaches servers and encrypts their content is currently unknown. A thread on a Russian-speaking forum puts forward the theory that crooks might be targeting systems running outdated Exim (email) software. It also mentions that the ransomware managed to get root access to servers by unknown means.

Lilocked doesn't encrypt system files, but only a small subset of file extensions, such as HTML, SHTML, JS, CSS, PHP, INI, and various image file formats. This means infected servers continue to run normally. According to French security researcher Benkow, Lilocked has encrypted more than 6,700 servers, many of which have been indexed and cached in Google search results. However, the number of victims is suspected to be much much higher. Not all Linux systems run web servers, and there are many other infected systems that haven't been indexed in Google search results.
Why it should scare you:
- affects Linux servers
- so far the vector of infection / vulnerability is unknown
- you can craft a Google search to watch it spread!
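Because Lilocked leaves the system running and only replaces a handful of web-facing file types, the quickest local check is to look at those files directly rather than wait for search-engine indexing. The scanner below is an added example written for this summary, not code from ZDNet or the researchers quoted; it assumes that an encrypted file shows up as high-entropy bytes where a text file (HTML, JS, CSS, PHP, INI) should be, and that an image file that has lost its format header has been overwritten. The extension list comes from the summary; the exact image types, the 7.5 bits/byte cut-off and the 256-byte minimum are assumptions chosen for the demo, and the sample web root it builds is constructed, not captured from a real infection.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Text-type extensions the summary says Lilocked encrypts.
TEXT_EXTENSIONS = {".html", ".shtml", ".js", ".css", ".php", ".ini"}
# Image formats are checked by their magic header; this set is an assumption
# (the summary only says "various image file formats").
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cut-off for "looks encrypted"
MIN_SIZE = 256            # below this, entropy is too noisy to mean anything


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def text_file_suspicious(data: bytes) -> bool:
    # Source and markup files sit far below 7.5 bits/byte; ciphertext sits near 8.
    return len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD


def image_file_suspicious(data: bytes, suffix: str) -> bool:
    # Compressed images are high-entropy anyway, so check the format header instead.
    return not data.startswith(IMAGE_MAGIC[suffix])


def scan_webroot(root) -> dict:
    """Walk a web root and report watched files whose content no longer looks like its type."""
    root = Path(root)
    checked, suspicious = 0, []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        if suffix in TEXT_EXTENSIONS:
            flagged = text_file_suspicious(path.read_bytes())
        elif suffix in IMAGE_MAGIC:
            flagged = image_file_suspicious(path.read_bytes(), suffix)
        else:
            continue
        checked += 1
        if flagged:
            suspicious.append(str(path.relative_to(root)))
    ratio = len(suspicious) / checked if checked else 0.0
    return {"checked": checked, "suspicious": sorted(suspicious), "ratio": ratio}


def build_sample_webroot() -> str:
    """Constructed sample: ordinary web files plus random bytes standing in for ciphertext."""
    root = Path(tempfile.mkdtemp(prefix="lilocked-demo-"))
    (root / "index.html").write_text("<html><body>" + "hello world " * 40 + "</body></html>")
    (root / "site.css").write_text("body { margin: 0; }\n" * 30)
    (root / "app.js").write_bytes(os.urandom(4096))          # stands in for an encrypted JS file
    (root / "banner.png").write_bytes(IMAGE_MAGIC[".png"] + bytes(1024))  # intact header
    (root / "logo.gif").write_bytes(os.urandom(4096))        # header overwritten
    (root / "notes.txt").write_bytes(os.urandom(4096))       # not a watched extension, ignored
    return str(root)


if __name__ == "__main__":
    report = scan_webroot(build_sample_webroot())
    print(f"checked {report['checked']} files, "
          f"{len(report['suspicious'])} suspicious ({report['ratio']:.0%}): {report['suspicious']}")
```

Run it against a real document root with `scan_webroot("/var/www/html")`; a sudden jump in the suspicious ratio across a whole site is the signal, while a single flagged minified bundle is usually just a false positive worth eyeballing.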