Businesses

A Hacker 'Hero' Has Been Banned From Cyber Conferences After Decades Of Inappropriate Behavior (buzzfeed.com) 307

Several readers share a report: John Draper, a prankster hero to an early generation of hackers, used his status at cybersecurity conferences to arrange private meetings with teenage fans and a reporter where he touched them inappropriately, multiple men have told BuzzFeed News. The allegations are the latest in what has become in recent weeks an explosion of sexual misconduct reports that have roiled a seemingly endless list of industries, from Hollywood to the news media to the Alabama Senate race. As in many of those other cases, Draper's actions were well known to at least a core of people who had regular contact with him. Apple cofounder Steve Wozniak told BuzzFeed News that Steve Jobs once told him that Draper, an early associate, had asked Jobs to sit on Draper's back in the 1970s, an offer Wozniak said Jobs declined as being "out of the ordinary." But in the hacking world, where unusual behavior is accepted and often celebrated, there were few official steps taken to prevent Draper's overtures to unsuspecting fans. Volunteers who worked the annual DEF CON hacking conventions in Las Vegas recalled that one of their responsibilities was to separate Draper from his teenage followers. Draper's behavior drew attention at other conventions as well, where he was a frequent presence. Brandon Creighton, a long-standing volunteer at hacker conferences who was familiar with rumors about Draper, recalled escorting him from a private party after ToorCon in San Diego in 2007, though exactly why was not clear.
Government

Pentagon To Make a Big Push Toward Open-Source Software Next Year (theverge.com) 98

"Open-source software" is computer software whose source code is made available under a license in which the copyright holder grants the rights to study, change, and distribute the software to anyone and for any purpose. According to The Verge, the Pentagon is going to make a big push for open-source software in 2018. "Thanks to an amendment introduced by Sen. Mike Rounds (R-SD) and co-sponsored by Sen. Elizabeth Warren (D-MA), the [National Defense Authorization Act for Fiscal Year 2018] could institute a big change: should the bill pass in its present form, the Pentagon will be going open source." From the report: We don't typically think of the Pentagon as a software-intensive workplace, but we absolutely should. The Department of Defense is the world's largest single employer, and while some of that work is people marching around with rifles and boots, a lot of the work is reports, briefings, data management, and just managing the massive enterprise. Loading slides in PowerPoint is as much a part of daily military life as loading rounds into a magazine. Besides cost, there are two other compelling explanations for why the military might want to go open source. One is that technology outside the Pentagon simply advances faster than technology within it, and by availing itself of open-source tools, the Pentagon can adopt those advances almost as soon as the new code hits the web, without going through the extra steps of a procurement process. Open-source software is also more secure than closed-source software, by its very nature: the code is perpetually scrutinized by countless users across the planet, and any weaknesses are shared immediately.
Security

The Computer Scientist Who Prefers Voting With Paper (theatlantic.com) 219

Geoffrey.landis writes: The Atlantic profiles a computer scientist: Barbara Simons, who has been on the forefront of the pushback against electronic voting as a technology susceptible to fraud and hacking. When she first started writing articles about the dangers of electronic voting with no paper trail, the idea that software could be manipulated to rig elections was considered a fringe preoccupation; but Russia's efforts to influence the 2016 presidential election have reversed Simons's fortunes. According to the Department of Homeland Security, those efforts included attempts to meddle with the electoral process in 21 states; while a series of highly publicized hacks -- at Sony, Equifax, the U.S. Office of Personnel Management -- has driven home the reality that very few computerized systems are truly secure. Simons is a former President of the Association for Computing Machinery (ACM); and the group she helps run, Verified Voting, has been active in educating the public about the dangers of unverified voting since 2003.
Bitcoin

The Bitcoin Bubble (economist.com) 284

A reader shares an Economist article: More people will trade in Bitcoin and that means more demand, and thus the price should go up. But what is the appeal of Bitcoin? There are really three strands: the limited nature of supply; fears about the long-term value of fiat currencies in an era of quantitative easing; and the appeal of anonymity. The last factor makes Bitcoin appealing to criminals, creating this ingenious valuation method for the currency of around $570. These three factors explain why there is some demand for Bitcoin but not the recent surge. The supply details have if anything deteriorated (rival cryptocurrencies are emerging); the criminal community hasn't suddenly risen in size; and there is no sign of general inflation. A possible explanation is the belief that blockchain, the technology that underlies Bitcoin, will be used across the finance industry. But you can create blockchains without having anything to do with Bitcoin; the success of the two isn't inextricably linked. A much more plausible reason for the demand for Bitcoin is that the price is going up rapidly. People are not buying Bitcoin because they intend to use it in their daily lives. People are buying Bitcoin because they expect other people to buy it from them at a higher price; the definition of the greater fool theory. (Editor's note: the link could be paywalled; alternative source.)
United States

America's 'Retail Apocalypse' Is Really Just Beginning (bloomberg.com) 398

An anonymous reader quotes a report from Bloomberg: The so-called retail apocalypse has become so ingrained in the U.S. that it now has the distinction of its own Wikipedia entry. The industry's response to that kind of doomsday description has included blaming the media for hyping the troubles of a few well-known chains as proof of a systemic meltdown. There is some truth to that. In the U.S., retailers announced more than 3,000 store openings in the first three quarters of this year. But chains also said 6,800 would close. And this comes when there's sky-high consumer confidence, unemployment is historically low and the U.S. economy keeps growing. Those are normally all ingredients for a retail boom, yet more chains are filing for bankruptcy and rated distressed than during the financial crisis. That's caused an increase in the number of delinquent loan payments by malls and shopping centers. The reason isn't as simple as Amazon.com Inc. taking market share or twenty-somethings spending more on experiences than things. The root cause is that many of these long-standing chains are overloaded with debt -- often from leveraged buyouts led by private equity firms. There are billions in borrowings on the balance sheets of troubled retailers, and sustaining that load is only going to become harder -- even for healthy chains. The debt coming due, along with America's over-stored suburbs and the continued gains of online shopping, has all the makings of a disaster. The spillover will likely flow far and wide across the U.S. economy. There will be displaced low-income workers, shrinking local tax bases and investor losses on stocks, bonds and real estate. If today is considered a retail apocalypse, then what's coming next could truly be scary.
Wikipedia

Nearly All of Wikipedia Is Written By Just 1 Percent of Its Editors (vice.com) 224

From a report on Motherboard: According to the results of a recent study that looked at the 250 million edits made on Wikipedia during its first ten years, only about 1 percent of Wikipedia's editors have generated 77 percent of the site's content. "Wikipedia is both an organization and a social movement," Sorin Matei, the director of the Purdue University Data Storytelling Network and lead author of the study, told me on the phone. "The assumption is that it's a creation of the crowd, but this couldn't be further from the truth. Wikipedia wouldn't have been possible without a dedicated leadership." At the time of writing, there are roughly 132,000 registered editors who have been active on Wikipedia in the last month (there are also an unknown number of unregistered Wikipedians who contribute to the site). So statistically speaking, only about 1,300 people are creating over three-quarters of the 600 new articles posted to Wikipedia every day.
Encryption

Flaw Crippling Millions of Crypto Keys Is Worse Than First Disclosed (arstechnica.com) 76

An anonymous reader quotes a report from Ars Technica: A crippling flaw affecting millions -- and possibly hundreds of millions -- of encryption keys used in some of the highest-stakes security settings is considerably easier to exploit than originally reported, cryptographers declared over the weekend. The assessment came as Estonia abruptly suspended 760,000 national ID cards used for voting, filing taxes, and encrypting sensitive documents. The critical weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. When researchers first disclosed the flaw three weeks ago, they estimated it would cost an attacker renting time on a commercial cloud service an average of $38 and 25 minutes to break a vulnerable 1024-bit key and $20,000 and nine days for a 2048-bit key. Organizations known to use keys vulnerable to ROCA -- named for the Return of the Coppersmith Attack, the factorization method it is based on -- have largely downplayed the severity of the weakness.

On Sunday, researchers Daniel J. Bernstein and Tanja Lange reported they had developed an attack that was 25 percent more efficient than the one created by the original ROCA researchers. The new attack was solely the work of Bernstein and Lange, based only on the public disclosure information from October 16, which at the time omitted specifics of the factorization attack in an attempt to increase the time hackers would need to carry out real-world attacks. After creating their more efficient attack, they submitted it to the original researchers. The release last week of the original attack may help to improve attacks further and stoke additional improvements from other researchers as well.

Businesses

Tech Companies Have a History of Giving Low-Level Employees High-Level Access (theoutline.com) 102

A reader shares a report (condensed for space): In the summer of 2010, Google fired a 27-year-old site reliability engineer named David Barksdale after it discovered that Barksdale had been accessing the Google accounts of four teens he met through a local Seattle tech group. The spying went on for months before it was reported, Gawker's Adrian Chen wrote at the time. In one incident Chen described, a 15-year-old refused to tell Barksdale the name of his new girlfriend; Barksdale broke into the teen's Google Voice account, listened to messages to get the name, then taunted him with it and threatened to call her. Google was contrite, saying publicly that it "carefully control[s] the number of employees who have access to our systems" and monitors for abuses by rogue employees. [...] The rogue Twitter customer service employee who momentarily deactivated President Trump's account on Thursday night brought this issue to mind. Twitter has 3,898 employees, according to Wikipedia, for 330 million monthly users, a ratio of one employee for every 84,658 users. This means that a single employee may have a ton of power over loads of users, but the value of a single user is low. Their privacy may seem insignificant in light of the greater mob. [...] At Uber, employees regularly abused its "God View" mode to spy on the movements of celebrities, politicians, and even ex-spouses.
Botnet

Malware Developer Who Used Spam Botnet To Pay For College Gets No Prison Time (bleepingcomputer.com) 57

An anonymous reader writes: The operator of a 77,000-strong spam botnet was sentenced to two years' probation and no prison time after admitting his crime and completely reforming his life. The former botnet operator is now working for a cybersecurity company, and admitted his actions as soon as the FBI knocked on his door back in 2013. The botnet operator, a 29-year-old from Santa Clara, California, says he was tricked by co-schemers who told him they were not doing anything wrong by infecting computers with malware because they were not accessing private information such as banking or financial records. Furthermore, the botnet operator escaped prison time because he used all the money he earned on getting a college degree at Cal Poly instead of spending it on a lavish lifestyle or drugs. This case is similar to the one that MalwareTech (aka Marcus Hutchins) now faces in the U.S. for his role in developing the Kronos trojan, also after turning his life around and working as a cybersecurity researcher for years.
Wikipedia

Jimmy Wales' WikiTribune is Already Biased (theoutline.com) 164

Earlier this year, Jimmy Wales, the founder of Wikipedia, said he would be launching a neutral news service with "no other agenda than this: the ultimate arbiter of the truth is the facts of reality." On Monday, a pilot version of WikiTribune went live. Adrianne Jeffries of The Outline argues that WikiTribune is already doing things that it said it wouldn't: As of this writing, WikiTribune's homepage featured a hodgepodge of news aggregation. The "editor's choice" module points to a news roundup that includes Paul Manafort's indictment, the Catalonian independence movement. [...] These stories are all sourced to fairly mainstream news outlets, including some that are on Wikipedia's preferred sources list such as CNN and Reuters, and some that are not, such as Politifact and "Spanish media." I admire what Wales is trying to do here. [...] But WikiTribune is bullshit. It's not new -- it is the same kind of news aggregation that exists all over the web. It is not better -- comparable summarizing and linking can be found on many websites, while original reporting of those same stories, often supplemented by linking to other reporting, can be found at CNN, Reuters, The New York Times, and the BBC, which WikiTribune uses as its primary sources. And finally, and most importantly, it is not neutral. The existence of the "Editor's choice" module, which highlights some stories over others, is not neutral; neither is the "Good reads" section, which does the same thing. The Manafort story includes a section, "Highlights from the indictment," which is not neutral -- someone had to decide which parts of the indictment were more significant than others. There is no such thing as an objective highlight. It is true that the wording of the story does not include adjectives, except when it quotes from the indictment ("lavish lifestyle," "false and misleading statements"), but this is standard newswriting, as one would get from the AP or the New York Times.
Media

Is the Optical Cable Dying? (cnet.com) 299

Geoffrey Morrison from CNET explains how the optical cable is "dying a very slow death": The official term for optical audio cable is "Toslink," short for Toshiba Link. Developed in the early '80s to connect their CD players to their receivers, it was a red laser optical version of the Sony/Philips "Digital Interconnect Format" aka S/PDIF standard. You've seen standard S/PDIF connections a bunch too; they're often called "coax digital." Optical had certain benefits over copper cables, but they were also more fragile, and for a long time, more expensive. Though glass cables were available, for even more money, most optical cables were made from cheap plastic. This limited their range to in-room use, primarily. Through the '90s and 2000s, the optical cable was near-ubiquitous: The easiest way to get Dolby Digital and DTS from your cable/satellite box, TiVo, or DVD player to your receiver. Even in the early days of HDMI, right next to it would be the lowly optical cable, ready in case someone's receiver didn't accept HDMI. But now more and more gear is dropping optical. It's gone completely on the latest Roku and Apple TV 4K, for example. It's also disappeared from many smaller TVs, though it lingers on in larger ones, a potentially redundant backup to HDMI with ARC. The reason for this? Soundbars...
Canada

Calgary Police Cellphone Surveillance Device Must Remain Top Secret, Judge Rules (www.cbc.ca) 89

Freshly Exhumed writes from a report via CBC.ca: To protect police investigative techniques that may or may not have been used in a Calgary Police Service investigation, their controversial cellphone surveillance device will remain so secretive that not even the make and model can be released to the public, according to a court ruling released Monday. The MDI (Mobile Device Identifier) technology -- colloquially called a StingRay after Harris Corporation's IMSI device, which mimics cell towers and intercepts data from nearby phones -- is controversial in part because in at least one Canadian case, prosecutors have taken watered-down plea deals rather than disclose information related to the device.
Google

The Meaning of AMP (adactio.com) 95

Last week, Ethan Marcotte, an independent web designer, shared how Google describes AMP (Accelerated Mobile Pages). People at Google say AMP "isn't a 'proprietary format'; it's an open standard that anyone can contribute to." But that definition, Marcotte argues, isn't necessarily an honest one. He writes: On the face of it, this statement's true. AMP's markup isn't proprietary as such: rather, all those odd-looking amp- tags are custom elements, part of the HTML standard. And the specification's published, edited, and distributed on GitHub, under one of the more permissive licenses available. So, yes. The HTML standard does allow for the creation of custom elements, it's true, and AMP's license is quite liberal. But spend a bit of time with the rules that outline AMP's governance. Significant features and changes require the approval of AMP's Technical Lead and one Core Committer -- and if you peruse the list of AMP's Core Committers, that list seems exclusively staffed and led by Google employees. Now, there's nothing wrong with this. After all, AMP is a Google-backed project, and they're free to establish any governance model they deem appropriate. But when I hear AMP described as an open, community-led project, it strikes me as incredibly problematic, and more than a little troubling. AMP is, I think, best described as nominally open-source. It's a corporate-led product initiative built with, and distributed on, open web technologies. Jeremy Keith, a web developer, further adds: If AMP were actually the product of working web developers, this justification would make sense. As it is, we've got one team at Google citing the preference of another team at Google but representing it as the will of the people. This is just one example of AMP's sneaky marketing where some finely-shaved semantics allows them to appear far more reasonable than they actually are.
At AMP Conf, the Google Search team were at pains to repeat over and over that AMP pages wouldn't get any preferential treatment in search results ... but they appear in a carousel above the search results. Now, if you were to ask any right-thinking person whether they think having their page appear right at the top of a list of search results would be considered preferential treatment, I think they would say hell, yes! This is the only reason why The Guardian, for instance, even have AMP versions of their content -- it's not for the performance benefits (their non-AMP pages are faster); it's for that prime real estate in the carousel. The same semantic nit-picking can be found in their defence of caching. See, they've even got me calling it caching! It's hosting. If I click on a search result, and I am taken to a page that has a URL beginning with https://www.google.com/amp/s/... then that page is being hosted on the domain google.com. That is literally what hosting means. Now, you might argue that the original version was hosted on a different domain, but the version that the user gets sent to is the Google copy. You can call it caching if you like, but you can't tell me that Google aren't hosting AMP pages. That's a particularly low blow, because it's such a bait'n'switch.
Social Networks

TechCrunch Argues Social Media News Feeds 'Need to Die' (techcrunch.com) 154

"Feeds need to die because they distort our views and disconnect us from other human beings around us," argues TechCrunch's Romain Dillet: At first, I thought I was missing out on some Very Important Content. I felt disconnected. I fought against my own FOMO. But now, I don't feel anything. What's going on on Instagram? I don't care. Facebook is now the worst internet forum you can find. Twitter is filled with horrible, abusive people. Instagram has become a tiny Facebook now that it has discouraged all the weird, funny accounts from posting with its broken algorithm. LinkedIn's feed is pure spam.

And here's what I realized after forgetting about all those "social" networks. First, they're tricking you and pushing the right buttons to make you check your feed just one more time. They all use thirsty notifications, promote contrarian posts that get a lot of engagement and play with your emotions. Posting has been gamified and you want to check one more time if you got more likes on your last Instagram photo. Everything is now a story so that you pay more attention to your phone and you get bored less quickly -- moving pictures with sound tend to attract your eyes... [F]inally, I realized that I was missing out by constantly checking all my feeds. By putting my phone on 'Do Not Disturb' for days, I discovered new places, started conversations and noticed tiny little things that made me smile.

He concludes that technology has improved the way we learn, communicate, and share information, "But it has gone too far...

"Forget about your phone for a minute, look around and talk with people next to you."
Chrome

Google To Remove Public Key Pinning (PKP) Support In Chrome (bleepingcomputer.com) 51

An anonymous reader writes: Late yesterday afternoon, Google announced plans to deprecate and eventually remove PKP support from the Chromium open-source browser, which indirectly means from Chrome... According to Google engineer Chris Palmer, low adoption and technical difficulties are among the reasons why Google plans to remove the feature from Chrome.

"We would like to do this in Chrome 67, which is estimated to be released to Stable on 29 May 2018," Palmer says. The proposal is up in the air, and users can submit opinions against Google's intent to deprecate, but seeing how little PKP was adopted, it's most likely already out the door. A Neustar survey from March 2016 had PKP deployment at only 0.09% of all HTTPS sites. By August 2017, that needle had barely moved to 0.4% of all sites in the Alexa Top 1 Million.

Medicine

NotPetya Outbreak Left Merck Short of HPV Vaccine Gardasil (securityledger.com) 63

chicksdaddy shares a report from The Security Ledger: The NotPetya malware infection shut down pharmaceutical giant Merck's production of the pediatric vaccine GARDASIL last June, forcing the company to borrow the drug from a stockpile maintained by the U.S. Centers for Disease Control and Prevention to meet demand, The Security Ledger reports. The anecdote was contained in a quarterly filing by Merck with the U.S. Securities and Exchange Commission (SEC) on Friday. That filing also showed that the company continues to suffer financial fallout from the outbreak of the NotPetya malware in June, reducing both sales and revenue for the quarter by hundreds of millions of dollars. In its quarterly 8-K filing, Merck said that revenue for the quarter was "unfavorably impacted" by around $135 million due to "lost sales in certain markets related to the cyber-attack." Sales in the third quarter of 2017 were also reduced by around $240 million, which Merck chalked up to production shutdowns resulting from NotPetya. In a chilling insight into the extent of the disruption the malware caused to Merck's operations, the company disclosed that part of its quarterly losses were linked to the interruption of its production of GARDASIL, a vaccine used to prevent Human Papillomavirus (HPV), which is linked to certain cancers and other diseases. To make up for what it described as "overall higher demand than originally planned," Merck was forced to borrow the vaccine from a stockpile maintained by the U.S. Centers for Disease Control (CDC), the company said.
Networking

PCIe 4.0 Specs Revealed: 16GTps Rate and Not Just For Graphics Cards Anymore (tomshardware.com) 62

Freshly Exhumed writes: PCI-SIG has released the specifications for version 4.0 of the PCIe (Peripheral Component Interconnect Express) bus, which, according to Chairman Al Yanes, promises data transfer rates of 16GTps, extended tags and credits for service devices, reduced system latency, lane margining, superior RAS capabilities, scalability for added lanes and bandwidth, improved I/O virtualization and platform integration. Tom's Hardware has posted a slide deck of the new version's specifications.
The Almighty Buck

'The Second Gilded Age Is Upon Us' (theguardian.com) 509

Robotron23 writes: Wealth inequality is at its highest since the turn of the 20th century -- the so-called 'Gilded Age' -- as the proportion of capital held by the world's 1,542 dollar billionaires swells further. The report, commissioned by the Swiss banking giant UBS and UK accounting company PwC, discusses the impacts of technology and globalization on the situation, and arrives weeks after the IMF recommended that the world's richest pay higher taxes to ease the disparity of wealth.
Robotics

Sony Reportedly Announcing New Robot Dog Next Month (wsj.com) 45

Zorro shares a report from The Wall Street Journal (Warning: source may be paywalled; alternative source): Sony Corp. is planning next spring to roll out a dog-shaped pet robot similar to its discontinued Aibo with updated components that could allow it to control home appliances, people familiar with the matter said. Sony is preparing for a media event in November to show off the product, the people said. It is unclear whether the new product will use the Aibo name and how much it will cost. Sony Chief Executive Kazuo Hirai said last year at a strategy briefing that the company was developing "a robot capable of forming an emotional bond with customers, and able to grow to inspire love and affection." He told The Wall Street Journal at the time that the company might make an Aibo-like dog robot. The Nikkei newspaper reported earlier this month that Sony was targeting spring 2018 for the release of a home robot.
Open Source

30-Year-Old Operating System 'PC-MOS/386' Finally Open Sourced (github.com) 173

PC-MOS/386 "was a multi-user, computer multitasking operating system...announced at COMDEX in November 1986," remembers Wikipedia, saying it runs many MS-DOS titles (though it's optimized for the Intel 80386 processor).

Today Slashdot user Roeland Jansen writes: After some tracking, racing and other stuff...PC-MOS/386 v5.01 is open source under GPLv3. Back in May he'd posted to a virtualization site that "I still have the source tapes. I want(ed) to make it GPL and while I got an OK on it, I haven't had time nor managed to get it legalized. E.g. lift the NDA and be able to publish."

1987 magazine ads described it as "the gateway to the latest technology...and your networking future," and 30 years later its release on GitHub includes sources and executables. "In concert with Gary Robertson and Rod Roark it has been decided to place all under GPL v3."
