the unofficial Slashdot digest for 2021-Sep-15

Alterslash picks up to the best 5 comments from each of the day’s Slashdot stories, and presents them on a single page for easy reading.

Travis CI Flaw Exposed Secrets of Thousands of Open Source Projects

Posted by BeauHD
An anonymous reader quotes a report from Ars Technica: Travis CI is a popular software-testing tool due to its seamless integration with GitHub and Bitbucket. As the makers of the tool explain: "When you run a build, Travis CI clones your GitHub repository into a brand-new virtual environment and carries out a series of tasks to build and test your code. If one or more of those tasks fail, the build is considered broken. If none of the tasks fail, the build is considered passed and Travis CI can deploy your code to a web server or application host." But this month, researcher Felix Lange found a security vulnerability that caused Travis CI to include secure environment variables of all public open source repositories that use Travis CI into pull request builds. Environment variables can include sensitive secrets like signing keys, access credentials, and API tokens. If these variables are exposed, attackers can abuse the secrets to obtain lateral movement into the networks of thousands of organizations.

Tracked as CVE-2021-41077, the bug is present in Travis CI's activation process and impacts certain builds created between September 3 and September 10. As a part of this activation process, developers are supposed to add a ".travis.yml" file to their open source project repository. This file tells Travis CI what to do and may contain encrypted secrets. Another place encrypted secrets may be defined is Travis' web UI. But, these secrets are not meant to be exposed. In fact, Travis CI's docs have always stated, "Encrypted environment variables are not available to pull requests from forks due to the security risk of exposing such information to unknown code." Ideally, Travis is expected to run in a manner that prevents public access to any secret environment variables specified. [...] This vulnerability caused these sorts of secrets to be unexpectedly exposed to just about anyone forking a public repository and printing files during a build process. Fortunately, the issue didn't last too long -- around eight days, thanks to Lange and other researchers who notified the company of the bug on September 7. But out of caution, all projects relying on Travis CI are advised to rotate their secrets.

The presence and relatively quick patching of the flaw aside, Travis CI's concise security bulletin and overall handling of the coordinated disclosure process has infuriated the developer community. In a long Twitter thread, Peter Szilagyi details the arduous process that his group endured as it waited for Travis CI to take action and release a brief security bulletin on an obscure webpage. "After 3 days of pressure from multiple projects, [Travis CI] silently patched the issue on the 10th. No analysis, no security report, no post mortem, not warning any of their users that their secrets might have been stolen," tweeted Szilagyi. After Szilagyi and Lange asked GitHub to ban Travis CI over its poor security posture and vulnerability disclosure processes, an advisory showed up. "Finally, after multiple ultimatums from multiple projects, [they] posted this lame-ass post hidden deep where nobody will read it... Not even a single 'thank you.' [No] acknowledgment of responsible disclosure. Not even admitting the gravity of it all," said Szilagyi, while referring to the security bulletin -- and especially its abridged version, which included barely any details. Szilagyi was joined by several members of the community in criticizing the bulletin. Boston-based web developer Jake Jarvis called the disclosure an "insanely embarrassing 'security bulletin.'"
"Travis CI implemented a series of security patches starting on Sept 3rd that resolves this issue," concluded Mendy on behalf of the Travis CI team. "As a reminder, cycling your secrets is something that all users should do on a regular basis. If you are unsure how to do this, please contact Support."
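The failure mode in the report is a single condition: encrypted environment variables present in a build whose code comes from a fork. The guard below, an added example and not Travis CI's own code, classifies a build from the Travis-documented variables TRAVIS_PULL_REQUEST, TRAVIS_REPO_SLUG, TRAVIS_PULL_REQUEST_SLUG and TRAVIS_SECURE_ENV_VARS (treated here as assumptions), aborts a fork pull-request build that nevertheless carries secrets, and masks secret values in log lines as defence in depth against the "print files during the build" scenario; the sample environments are constructed.

```python
"""Fork-PR secret guard for a CI build (added example, not Travis CI's code)."""
import os
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Mapping

# Build variables as documented by Travis CI (assumed names, not listed on the page).
PR_VAR = "TRAVIS_PULL_REQUEST"            # "false" for push builds, otherwise the PR number
REPO_VAR = "TRAVIS_REPO_SLUG"             # owner/repo being built
PR_SLUG_VAR = "TRAVIS_PULL_REQUEST_SLUG"  # owner/repo the PR head branch comes from
SECURE_VAR = "TRAVIS_SECURE_ENV_VARS"     # "true" when encrypted variables were injected


@dataclass
class Verdict:
    fork_pr: bool                                     # build runs code from a fork
    secrets_present: bool                             # encrypted vars are in this build
    leaked: List[str] = field(default_factory=list)   # secret names actually set

    @property
    def safe(self) -> bool:
        # The CVE-2021-41077 condition is exactly "fork PR build AND secrets present".
        return not (self.fork_pr and self.secrets_present)


def is_fork_pull_request(env: Mapping[str, str]) -> bool:
    """True when the job builds a pull request whose head branch lives in another repo."""
    if env.get(PR_VAR, "false") == "false":
        return False
    head = env.get(PR_SLUG_VAR, "")
    base = env.get(REPO_VAR, "")
    return head != "" and head != base


def check_build(env: Mapping[str, str], secret_names: List[str]) -> Verdict:
    """Classify the build and list which of the named secrets are visible to it."""
    fork = is_fork_pull_request(env)
    flagged = env.get(SECURE_VAR, "false") == "true"
    leaked = [name for name in secret_names if env.get(name)]
    return Verdict(fork_pr=fork, secrets_present=flagged or bool(leaked), leaked=leaked)


def scrub(env: Mapping[str, str], secret_names: List[str]) -> Dict[str, str]:
    """Copy of env with the named secrets removed, for handing to untrusted build steps."""
    return {k: v for k, v in env.items() if k not in secret_names}


def redact(line: str, env: Mapping[str, str], secret_names: List[str]) -> str:
    """Mask secret values in a log line so a printed file does not expose them verbatim."""
    for name in secret_names:
        value = env.get(name)
        if value and len(value) >= 8:  # do not mask trivially short values everywhere
            line = line.replace(value, f"[REDACTED:{name}]")
    return line


SECRETS = ["GH_TOKEN", "NPM_TOKEN"]

# Constructed sample environments, not captured from a real build.
SAMPLE_FORK_PR = {
    PR_VAR: "4242", REPO_VAR: "example-org/widget", PR_SLUG_VAR: "someone-else/widget",
    SECURE_VAR: "true", "GH_TOKEN": "ghp_constructedSampleToken0123", "PATH": "/usr/bin",
}
SAMPLE_SAME_REPO_PR = {
    PR_VAR: "4243", REPO_VAR: "example-org/widget", PR_SLUG_VAR: "example-org/widget",
    SECURE_VAR: "true", "GH_TOKEN": "ghp_constructedSampleToken0123",
}
SAMPLE_PUSH = {
    PR_VAR: "false", REPO_VAR: "example-org/widget", PR_SLUG_VAR: "",
    SECURE_VAR: "true", "GH_TOKEN": "ghp_constructedSampleToken0123",
}


def main() -> int:
    """Run as the first build step: exit non-zero before any project code executes."""
    verdict = check_build(os.environ, SECRETS)
    if verdict.safe:
        return 0
    print(f"refusing to build: fork PR build has secrets {verdict.leaked}", file=sys.stderr)
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Because a fork controls its own copy of .travis.yml, an in-build guard like this can be edited out by the very code it distrusts; it catches the provider-side failure the report describes, but only the CI service withholding secrets from fork builds actually closes it.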

Open Source Secrets

By zenlessyank • Score: 4, Insightful • Thread

That almost sounds like an oxymoron.

Example of Cognitive Dissonance

By theshowmecanuck • Score: 3 • Thread
So many who talk about the cloud not really being secure because cloud really just means 'somebody else's computer'. And then you have to trust them not to fuck it up and/or leave security holes. Then they use Github... on somebody else's computer. And then automated tools to write/commit your code, build it, test it, that need to be secure, especially if you are building proprietary shit... running on somebody else's computer. I know it works OK most of the time, but risk is two parts, yeah. Likelihood and consequences. I guess if the risk is acceptable, fill yer boots. Deploying a final product on Amazon or some other infrastructure is definitely not as worrisome to me than storing the intellectual property that made it in the cloud. Single point of failure with a high enough potential value to make it a target, as opposed to hacker groups having to hit tens of thousands of IP addresses individually.

Two things

By phantomfive • Score: 5, Insightful • Thread

1) Don't check secrets into source control, even if they are encrypted. The encryption you used might already be broken, and you don't follow the right crypto forums to be notified when it does get broken.

2) Don't make your CI tools accessible on the public internet. Put it behind a VPN because they all have security bugs.

Physicists Make Square Droplets and Liquid Lattices

Posted by BeauHD
Aalto University reports via Phys.Org: When two substances are brought together, they will eventually settle into a steady state called thermodynamic equilibrium; examples include oil floating on top of water and milk mixing uniformly into coffee. Researchers at Aalto University in Finland wanted to disrupt this sort of state to see what happens -- and whether they can control the outcome. In their work, the team used combinations of oils with different dielectric constants and conductivities. They then subjected the liquids to an electric field. "When we turn on an electric field over the mixture, electrical charge accumulates at the interface between the oils. This charge density shears the interface out of thermodynamic equilibrium and into interesting formations," explains Dr. Nikos Kyriakopoulos, one of the authors of the paper. As well as being disrupted by the electric field, the liquids were confined into a thin, nearly two-dimensional sheet. This combination led to the oils reshaping into various completely unexpected droplets and patterns.

The droplets in the experiment could be made into squares and hexagons with straight sides, which is almost impossible in nature, where small bubbles and droplets tend to form spheres. The two liquids could be also made to form into interconnected lattices: grid patterns that occur regularly in solid materials but are unheard of in liquid mixtures. The liquids can even be coaxed into forming a torus, a donut shape, which was stable and held its shape while the field was applied -- unlike in nature, as liquids have a strong tendency to collapse in and fill the hole at the center. The liquids can also form filaments that roll and rotate around an axis. One of the exciting results of this work is the ability to create temporary structures with a controlled and well-defined size which can be turned on and off with voltage, an area that the researchers are interested in exploring further for creating voltage-controlled optical devices. Another potential outcome is the ability to create interacting populations of rolling microfilaments and microdroplets that, at some elementary level, mimic the dynamics and collective behavior of microorganisms like bacteria and microalgae that propel themselves using completely different mechanisms.
The research has been published in the journal Science Advances.

iPhone 13 and iPhone 13 Pro Feature Dual eSIM Support

Posted by msmash
Apple introduced eSIM support on iPhone with iPhone XR and iPhone XS in 2018. However, while you can use a regular SIM and an eSIM simultaneously, there was no way to use two eSIMs simultaneously -- until now. iPhone 13 and iPhone 13 Pro feature dual eSIM support for the first time. From a report: The new capability was confirmed by Apple on the iPhone 13 specs webpage. There, Apple says that iPhone 13 models support Dual SIM using both regular SIM and eSIM and "Dual eSIM," as the company calls it. If you check the webpage of the iPhone 12 or previous generations, only combined Dual SIM support is mentioned. These are the SIM support specifications for iPhone 13 mini, iPhone 13, iPhone 13 Pro, and iPhone 13 Pro Max: Dual SIM (nano-SIM and eSIM), and dual eSIM support. During the event, Apple also mentioned that iPhone 13 models have support for more 5G bands, which should enable the new faster network in more countries.

Why only 2?

By dgatwood • Score: 4, Interesting • Thread

The only reason for special hardware for the SIM card is so they can hide the keys from the user. With the secure enclave, I don't understand why this isn't 100% software by now, with the baseband just sending the data through the lowest-power core on the CPU or whatever, and getting the crypto done using the enclave processor. In principle, there shouldn't even be a limit to the number of "eSIM cards" that a device supports, at least up to the capacity of the secure enclave (at 256 to 512 bits per SIM key pair, that would allow 65536–131072 eSIM cards if the secure enclave were otherwise empty).

So why only 2? Seems like an unnecessary restriction. Maybe after Apple starts building their own LTE radios, things will get better.

Re:Dual SIM

By Brymouse • Score: 4, Interesting • Thread

Stuff like this is why I always buy the phone for any carrier, and just activate it myself. It costs exactly the same (well apart from your time).

Have you ever tried to setup eSIM with a US carrier? It's Kafkaesque.

First you will be told "no we don't support that"

Then "why would you want to do that, physical SIM is easier".
I want to keep the physical slot open for travel when I go outside of the USA
"OK but just enable roaming at our Insane 25USD/MB and .50/SMS data rates!"
Ok, that's stupid, I'd just get a local SIM.
"use the eSIM for that!"
No, if it's this hard to get eSIM setup with a carrier where I speak the language, it's impossible where I don't.

So this continues back and forth and I get transferred yet again, and am told "eSIM isn't supported by Verizon".

Recently I upgraded my iPhone 8 to a newer device. It took 4 hours on the phone (3-7:30pm) with Verizon to get them to issue the right QR code to provision the new device. Each time they would send a code and you'd have to try and it wouldn't work. Finally I was able to figure out that even though I'd given them my new IMEI every single time they reset the code, they still were using the old IMEI!

No way in fuck I want multiple eSIM's; physical devices are much easier.

Re:Why only 2?

By DamnOregonian • Score: 4, Insightful • Thread

Qualcomm SoCs contain the modem processor on the main SoC chip itself, and thus boot it after the main processor boots (there are lots of daemons running on Linux to manage both firmware loading and data storage for the modem processor). For these, I suspect a modem tweak would allow the SIM to be simulated by the main processor code.

Backwards, actually.
The baseband processor is responsible for bootstrapping the application processor. The baseband processor is highly protected, and the application processor can only interact with it via mailboxes, while the baseband processor can touch all of main memory.

What you describe is how external basebands work- they're managed by the application processor.

DoorDash Sues NYC Over Customer Data Law

Posted by BeauHD
DoorDash sued New York City on Wednesday over a new law requiring food delivery companies to share customer data with restaurants, saying it violates customer privacy and lets restaurants compete unfairly. Reuters reports: It was filed in federal court in Manhattan six days after DoorDash, Grubhub and Uber Eats sued the United States' most populous city over a separate law capping fees that delivery companies charge restaurants. [...] In Wednesday's lawsuit, San Francisco-based DoorDash said New York exhibited "naked animus" by requiring food delivery companies to provide customers' names, phone numbers, email addresses and delivery addresses to restaurants. DoorDash said this would let restaurants "free-ride" on the data in a "shocking and invasive intrusion of consumers' privacy," saying restaurants would not demand the same information from in-person diners. It also said "more vulnerable populations, especially undocumented customers" could be harmed if data were mishandled, and shared with immigration authorities or hate groups.

DD already sells your data

By Somervillain • Score: 5, Informative • Thread

But keeping their customers' data private is something all corporations should be doing, the opposite of which is happening everywhere when it comes to tracking people, where they go, what they spend money on, and what web sites they visit. Glad DD is taking a stand on this.

DoorDash already sells your info to marketing firms. Once you order from them, you get a ton of ads and mailers. They're not protecting your data from spammers. They're just upset that NYC is forcing them to give it away for free to the business you're actually doing business with. They have no problem selling as much details about you as they can to those who pay the right price.

May I suggest that if you don't trust the local restaurant with your name and address, maybe you shouldn't trust their cooking as well? :) After all, it's something you are literally going to put in your body and has a high chance of making you sick if mishandled.

Doordash sells your data.

By SNRatio • Score: 5, Informative • Thread
This isn't about preserving anyone's privacy. Doordash says they sell your data right in their policy: This lawsuit is only about preserving doordash's competitive advantage over the restaurants they use.

Re:Good on them

By Opportunist • Score: 4, Insightful • Thread

Your data? You mean their data they have about you.

Your data would somehow imply that they, or anyone, thinks that data about you is your property.

Re:Very Sensible Lawsuit

By ytene • Score: 4, Insightful • Thread
I suspect that in the eyes of the law, you are incorrect when you make the following statement:-

"When I order from a restaurant through a delivery service, we have two options. I paid the delivery service, so DD is saying that I'm their customer. But I'm ordering food from the restaurant (which I chose), so I'm also the restaurant's customer."

In this scenario, I believe that you are the customer of the delivery service, while the delivery service is the customer of the restaurant. I make this suggestion without full knowledge of the transaction details (because I've never used such a service), but would suggest that you can determine the truth of this in a very simple way. If you see two deductions from your credit card, or if your invoice from the delivery service is broken in to two (a fee to them and a fee to the restaurant) then I would agree that you are a customer of the restaurant. But if you only pay the delivery service, then I suspect that you are only a customer of the delivery service.

Here's a poor-quality analogy for you... If you go to a Ford dealership and buy an F-150, you are a customer of Ford. You're not a customer of Goodyear, who makes the factory-fit tires the F-150 comes with. If you had an issue with a tire on a new F-150, Goodyear would send you back to the dealer.

"The problem here is that I didn't order delivery. I ordered food. Food is a special kind of product around here -- it's heavily regulated. You can't just start selling food. You need to have a food-selling licence, and be subject to inspections and such.

So if DD isn't subject to standard food-safety inspections, then they aren't the ones selling the food. And if they aren't the ones selling the food, then I'm not their customer.

Now, this is much more interesting. If my previous assertion is right - i.e. if you are buying from the delivery company, then the delivery company are selling food. So your observation about food-safety inspections should apply. In this case, I believe you are entirely correct to observe that "if DD isn't subject to standard food-safety inspections, then they aren't the ones selling the food", but I'd just re-express your observation a slightly different way:-

"Because the delivery service have placed themselves in the supply chain between you and the restaurant and are therefore (re)selling food to you, then they must be subject to standard food-safety inspections." I would suggest that this is a failure of the various Health Departments around the country that are charged with food safety inspections at restaurants. They need to start inspecting the delivery services.

If you think about this a bit more, you can see other reasons why this should be the case. For example, the delivery agent will be handling both food and cash. A prime scenario for germ transfer. Now, the delivery company is going to argue that all food is placed in sealed packages before it leaves the source restaurant - and that might be an entirely fair claim. But that's the claim that the Health Department needs to be inspecting.

So by all means let the delivery companies try this on... and let's see NYC counter with a much more detailed inspection regime for all their agents... and see how they like that.

Free ride you say?

By quonset • Score: 5, Informative • Thread

DoorDash said this would let restaurants "free-ride" on the data

Isn't DoorDash the same company which was illegally signing up restaurants and delivering the food without telling the restaurant? The same company which admitted to the SEC it can't survive without taking advantage of both customers and workers?

Why yes, yes it is. Kettle, meet pot.

SpaceX Launches First All-Tourist Crew Into Orbit

Posted by BeauHD
SpaceX has successfully launched the crew of Inspiration4 into orbit. It's the first-ever orbital flight crewed entirely by tourists. From a report: The SpaceX rocket blasted off from NASA's Kennedy Space Center just after 8 p.m. ET. The crew includes 38-year-old billionaire Jared Isaacman, who personally financed the trip; Hayley Arceneux, 29, a childhood cancer survivor and current St. Jude physician assistant; Sian Proctor, 51, a geologist and community college teacher with a PhD; and Chris Sembroski, a 42-year-old Lockheed Martin employee and lifelong space fan who claimed his seat through an online raffle. The passengers will now spend three days aboard their 13-foot-wide Crew Dragon capsule in orbit at a 350-mile altitude.

Lack of excitement is impressive

By mykepredko • Score: 5, Insightful • Thread

The very routine launch with recovery of the first stage along with the great quality video (with the exception of the first stage landing) is very impressive and really showed a level of maturity in the SpaceX hardware that I don't think is matched by any other company. It should also be noted that a Falcon 9 (with Starlink) was launched two days ago so the team is well practiced.

I'm sure that there was nervousness and cross fingers behind the scenes but a very smooth start to the flight.

unusually beautiful launch

By RhettLivingston • Score: 5, Interesting • Thread
Watched this from the Orlando area. That was far and away the most beautiful and unusual launch I've ever seen. The atmosphere and sun angle were perfect for showing every detail including the blooming of the exhaust as it transitioned to space, shock waves, etc. It was so unusual I thought something was wrong. Hopefully some video will come out that really shows what the human eye could see. I haven't found one yet though.

Re: "All tourist" is derogatory

By Ol Olsoc • Score: 5, Insightful • Thread

The commander of the flight is an accomplished person. The other 3 are basically regular civilians. IMO this completely redefines the elite astronaut requirements for space flight. Just to add to how ground breaking this is, they will be up there for multiple days and at a distance quite a bit further than the international space station orbit.

I think that was pretty well redefined when Old man John Glenn went to orbit on the shuttle. Just like this, it was pretty much a publicity stunt.

I mean this is fine, I suppose, but At least for me, all these "firsts" seem kind of made up. Reminds me of when everyone went insane over 2 women doing a spacewalk at the same time, like it was an incredible feat, the very pinnacle of the Space program. Which was strange because by that time, women were spacewalking as a regular and expected occurrence, and I challenged many to name the first spacewalking women, Russian and American, without looking it up.

No one could.

Just this once...

By stikves • Score: 4, Interesting • Thread

Just this once, let us be happy for our fellow humans' achievement, and not try to downplay it saying they were "tourists". Add in Branson, and "as much as I have no personal love for" Bezos, to the list.

We have achieved something nice in 2021. Spaceflight is once again possible for us measly humans, and let's celebrate this.

Re:Lack of excitement is impressive

By NormalVisual • Score: 4, Interesting • Thread

Having seen hundreds of launches in person over my lifetime, I think this was one of the most spectacular, given the combination of dark, clear skies yet being soon enough after sunset where the Sun could still illuminate things once it got high enough. I mostly watched the launch through binoculars, but the returning first stage was still clearly visible with the naked eye, even the pulsing of the thrusters. Way cool.

ExpressVPN Knew 'Key Facts' of Executive Who Worked For UAE Spy Unit

Posted by BeauHD
An anonymous reader quotes a report from Motherboard: ExpressVPN, a popular VPN company, said it was aware of the "key facts" of its chief information officer Daniel Gericke's previous employment before hiring him. On Wednesday, the Department of Justice disclosed in court records that Gericke worked on Project Raven, a surveillance operation for the United Arab Emirates government that involved hacking of Americans, activists, and heads of state. "We've known the key facts relating to Daniel's employment history since before we hired him, as he disclosed them proactively and transparently with us from the start. In fact, it was his history and expertise that made him an invaluable hire for our mission to protect users' privacy and security," ExpressVPN told Motherboard in a statement. "Daniel has a deep understanding of the tools and techniques used by the adversaries we aim to protect users against, and as such is a uniquely qualified expert to advise on defense against such threats. Our product and infrastructure have already benefited from that understanding in better securing user data," the statement continued.

On Tuesday, unsealed court filings described how Gericke as well as Marc Baier and Ryan Adams faced charges for their part in working on Project Raven. The court records say that the three violated the International Traffic in Arms Regulations and conspired to commit access device fraud and computer hacking offenses. The court records say that the three took a zero-click exploit, which allows takeover of a device without any user interaction, and implemented that into Karma, the hacking system used by the UAE's Project Raven. Project Raven involved the hiring of former U.S. intelligence hackers who then worked on behalf of the UAE government, Reuters reported in 2019. The court records also describe other uses and purchases of exploits by the group. The court filings detailed that prosecutors will drop the charges if the three men cooperate with U.S. authorities, pay a financial penalty, and agree to a list of unspecified restrictions on their employment.
Earlier this week, ExpressVPN was sold to Kape Technologies in a deal worth $936 million.

PS5 Software Update Brings SSD Installation, 3D Audio Wednesday

Posted by BeauHD
Sony has released a new software update for the PlayStation 5 that will let you expand the console's internal storage and use the PS5's 3D audio effects on external speakers. CNET reports: The PS5 update will also let you view PS4 and PS5 versions of the same game separately -- particularly useful after you upgrade to a next-gen version -- plus it gives you more options for customizing the Control Center and lets you use it to write messages to other players. PlayStation Now subscribers will also get the ability to choose between 720p and 1080p streaming options, or use a streaming connection test to identify and fix connection issues. The PS4 is also getting a software update, letting you see PS5 trophies on your profile and those of other players.


By MobileTatsu-NJG • Score: 3 • Thread

This is great news, some time in the future when people can actually purchase these things.

Kazakhstan Moves To Restrict Foreign Social Media Usage

Posted by BeauHD
Kazakhstan's parliament approved a bill on Wednesday requiring owners of foreign social media and messaging apps to set up offices in the country or risk being blocked as part of a campaign against cyberbullying. Reuters reports: The draft law, which had passed its first reading in the lower house of parliament, focuses on protecting children's rights but includes provisions regarding social media and messaging software, which some critics regard as a tool to censor online comment. Once the bill is approved by the senate and the president, it will require the owners of such apps to register with authorities and open offices in the Central Asian nation, moves the government says will streamline the handling of official requests to remove illegal content. The local offices must be headed by Kazakh citizens who will be personally responsible for removing illegal content - such as posts deemed to amount to cyberbullying - within 24 hours of being notified, according to the draft.

Congress Will Investigate Claims That Instagram Harms Teens

Posted by BeauHD
Two top lawmakers on the Senate Commerce Committee's panel over consumer protection said they were launching a probe into Facebook after The Wall Street Journal reported Tuesday that the company was aware of the harm Instagram can cause to teenage girls. The Verge reports: Sens. Richard Blumenthal (D-CT) and Marsha Blackburn (R-TN) announced their investigation into Facebook in a statement released Tuesday. The senators said that they were in touch with "a Facebook whistleblower" and would seek new documents and witness testimony from the company related to the reporting. "It is clear that Facebook is incapable of holding itself accountable. The Wall Street Journal's reporting reveals Facebook's leadership to be focused on a growth-at-all-costs mindset that valued profits over the health and lives of children and teens," the lawmakers said. "When given the opportunity to come clean to us about their knowledge of Instagram's impact on young users, Facebook provided evasive answers that were misleading and covered up clear evidence of significant harm."

House lawmakers also criticized Facebook over the Journal's new reporting, and Republicans even issued a new amendment to the $3.5 trillion budget reconciliation seeking to address tech's effects on teens. Rep. Gus Bilirakis (R-FL) introduced the measure that would direct the Federal Trade Commission to go after "unfair and deceptive acts or practices targeting our children's mental health and privacy by social media." The amendment failed. Rep. Ken Buck (R-CO), top Republican on the House Judiciary Committee's antitrust subcommittee, said in a tweet, "Big Tech has become the new Big Tobacco. Facebook is lying about how their product harms teens." A group of Democrats, including Sen. Ed Markey (D-MA), Rep. Kathy Castor (D-FL), and Lori Trahan (D-MA), penned a letter to Facebook Wednesday calling on the company to abandon its plans to launch an Instagram app for kids in light of the report.

As bad as cigarettes

By JDAustin • Score: 4, Interesting • Thread

Instagram is as harmful to teenage girls' mental state as cigarettes are to their physical state.

Re:As bad as cigarettes

By ravenshrike • Score: 5, Insightful • Thread

All social media harms teens. Much more so teen girls because the female social dynamic is in aggregate more wrapped up in how others see them but it's not particularly healthy for boys either.

Re:As bad as cigarettes

By PolygamousRanchKid • Score: 5, Interesting • Thread

harmful to teenage girls

The most harmful thing to teenage girls . . . is . . . other teenage girls.

Now let's see how Congress manages to regulate teenage girls.

A pair made in heaven

By The Wily Coyote • Score: 4, Funny • Thread
The perfect pair. The Dems who want to "save the children" and Repubs who want to stick it to social media.

Here's a fix

By John.Banister • Score: 3 • Thread
Use the facial recognition algorithms for cameras. If the photo has a face, don't allow teens to upload it to Instagram, and don't allow Instagram accounts held by teens to display it. Sure, there'll be workarounds. But, the workarounds will be educational regarding online fakery, and teens will go elsewhere for the kind of photo sharing they commit suicide over.

Emergency Software Patches Are on the Rise

Posted by msmash
Emergency software patches, in which users are pushed to immediately update phones and computers because hackers have figured out some novel way to break in, are becoming more common. From a report: Researchers raised the alarm Monday about a big one: The Israeli spyware company NSO Group, which sells programs for governments to remotely take over people's smartphones and computers, had figured out a new way into practically any Apple device by sending a fake GIF through iMessage. The only way to guard against it is to install Apple's emergency software update. Such emergency vulnerabilities are called "zero days" -- a reference to the fact that they're such an urgent vulnerability in a program that software engineers have zero days to write a patch for it. Against a hacker with the right zero day, there is nothing consumers can do other than wait for software updates or ditch devices altogether.

Once considered highly valuable cyberweapons held mostly by elite government hackers, publicly disclosed zero-day exploits are on a sharp rise. Project Zero, a Google team devoted to identifying and cataloging zero days, has tallied 44 this year alone where hackers had likely discovered them before researchers did. That's already a sharp rise from last year, which saw 25. The number has increased every year since 2018. Katie Moussouris, founder and CEO of Luta Security, a company that connects cybersecurity researchers and companies with vulnerabilities, said that the rise in zero days is thanks to the ad hoc way that software is usually programmed, which often treats security as an afterthought. "It was absolutely inevitable," she said. "We've never addressed the root cause of all of these vulnerabilities, which is not building security in from the ground up." But almost paradoxically, the rise in zero days reflects an online world in which certain individuals are more vulnerable, but most are actually safer from hackers.

0 day means something different

By Mal-2 • Score: 4, Insightful • Thread

It's not an estimate of severity, it's an estimate of how long until it's exploited in the wild. 0 Day just means it's already being exploited, it does not necessarily indicate a severe threat.

Sixteen Windows Zero Linux, hooda thunkit

By Tough Love • Score: 3 • Thread

Sixteen out of 45 Windows. Four Android. Zero Linux.

Yeah, I know, Android is Linux. If Android development was actually open we would have that fixed too. Doing our best.

Good share of Apple crapware in there too. All aligns pretty well with what we've been telling you. Never believe Apple or (especially) Microsoft when they claim they've turned the page. Just more of the same old same old.

Re:maybe add more QA time and stop deadlines?

By Junta • Score: 4, Informative • Thread

Security QA is pretty hard. You can have penetration testers come in, but ultimately they will never have as much time spent on it as the general world will spend.

What I generally see are a lot of analysis tools with some manual auditing that can be more effective than you might think, but if your product attracts enough attention, it's hard to compete with the malicious community manually examining all sorts of nuance of how your product works. A very popular product can be subjected to decades of man-hours in a few days upon release, and there's no way you can budget in enough to compete. You can impress upon all your developers the importance of thinking through the potentially unsafe failure modes of deliberately bad input and do better than an audit and if your team is pretty good you can have a solid outcome, but one slip up is all it takes.

Deadlines are tricky as it's also a very competitive landscape. Slow and steady does not, in fact, win the race in business. Look no further than Windows itself, which was a cesspool of security issues for years and the market chose to give them more money which ultimately allowed Microsoft to largely address the fundamental issues in time rather than other more hardened desktops that tried to proceed more carefully to avoid precisely some of the pitfalls that Windows suffered from.

FCC Wants Landlords To Stop Screwing Up Your Internet

Posted by BeauHD
An anonymous reader quotes a report from Motherboard: The FCC has announced (PDF) it's investigating deals the broadband industry strikes with landlords that block broadband competition in apartment complexes, condos, and developments. While the FCC passed rules in 2008 attempting to prevent such deals, Internet Service Providers (ISPs) have exploited massive loopholes in the restrictions for more than a decade. "With more than one-third of the U.S. population living in condos and apartment buildings, it's time to take a fresh look at how exclusive agreements between carriers and building owners could lock out broadband competition and consumer choice," interim FCC boss Jessica Rosenworcel said of the announcement. "I look forward to reviewing the record."

The inquiry comes after President Biden signed an executive order in July urging regulators to take a closer look at competition and monopoly issues in several sectors. The order also mandated the creation of a competition council, which urged the FCC to take a closer look at the anticompetitive nature of these arrangements. The FCC's existing rules technically bar landlords and ISPs from colluding to restrict broadband competition. But in a 2016 piece in Wired, Harvard Law Professor Susan Crawford outlined the various ways big telecom wiggles around the restrictions -- often by simply calling what they're doing -- something else. "Sure, a landlord can't enter into an exclusive agreement granting just one ISP the right to provide Internet access service...but a landlord can refuse to sign agreements with anyone other than Big Company X, in exchange for payments labeled in any one of a zillion ways," Crawford wrote. "Exclusivity by any other name still feels just as abusive."

For example, to get around FCC rules expanding access to an ISP's in-building wiring, companies like Comcast or Charter will often deed ownership of these wires to a landlord, then turn around and pay that landlord to ensure that nobody else can have access. Because the landlord now technically owns the wires, the FCC rules no longer apply. ISPs also pay landlords to sign agreements that ban any other competing ISPs from advertising in the building. If you're a landlord that violates such arrangements, you can then expect a nastygram from a company like Comcast for violating your deal. In addition, many landlords will charge "door fees" to any company that needs access to a building to install new wiring, creating an additional layer of difficulty and expense for smaller broadband competitors trying to compete with dominant ISPs. Collectively such restrictions serve the same function as blocking broadband competition outright. Much as it does on the national level, this lack of block by block competition directly contributes to higher prices, slower speeds, and comically-terrible customer service.


By ShanghaiBill • Score: 4, Interesting • Thread

I live in a single-family house and pay $70 per month for Internet.

My daughter lives in a condo and pays $15 per month.

From what I can see, these single-ISP arrangements are a good deal for tenants.


By Known Nutter • Score: 4, Interesting • Thread

What's the mechanism that keeps the price that low?

The real question is what's the mechanism that keeps "regular" prices inflated.

and then comes Starlink

By cjonslashdot • Score: 3 • Thread
Thank goodness Starlink will bypass all of this bullshit.

Re:and then comes Starlink

By ShanghaiBill • Score: 4, Informative • Thread

Thank goodness Starlink will bypass all of this bullshit.

StarLink will be a godsend to farmers and others living in remote areas.

It makes no sense for an apartment building in a city.


By CoolDiscoRex • Score: 5, Informative • Thread

What's the mechanism that keeps the price that low?

Condo fees. My building did something similar, with a deep discount on Internet access, because the balance was made up from the $350-a-month condo fees.

They paid X amount to Comcast for every resident, whether they got service or not, and if they did want service, the resident paid the balance.

There is no free lunch and it was not a good deal, IMHO, since we all paid full price; it was just bundled and back-doored. I'd rather the fees have been less so I could have purchased whatever connection I wished.

They wanted it to look like a good deal, though. I'm sure some people bought it hook, line, and sinker, but many were also opposed. Service went down pretty often, and every time you called to report it, they blamed your modem, then offered to send you a brand-new modem with an XFinity Wi-Fi secondary network enabled, thus allowing you to pay for their infrastructure.

Each time, an hour or so later, the general outage message got posted to their website. It was never our modem, despite being told it was over 30 times.

Yeah, what a deal.

Most Plans for New Coal Plants Scrapped Since Paris Agreement

Posted by msmash
The global pipeline of new coal power plants has collapsed since the 2015 Paris climate agreement, according to research that suggests the end of the polluting energy source is in sight. From a report: The report found that more than three-quarters of the world's planned plants have been scrapped since the climate deal was signed, meaning 44 countries no longer have any future coal power plans. The climate groups behind the report -- E3G, Global Energy Monitor and Ember -- said those countries now have the opportunity to join the 40 countries that have already signed up to a "no new coal" commitment to help tackle global carbon emissions. "Only five years ago, there were so many new coal power plants planned to be built, but most of these have now been either officially halted, or are paused and unlikely to ever be built," said Dave Jones, from Ember. "Multiple countries can add their voices to a snowball of public commitments to 'no new coal,' collectively delivering a key milestone to sealing coal's fate."

I don't think it has anything to do with Paris

By rsilvergun • Score: 4, Interesting • Thread
Natural gas ate Coal's lunch. Wind and solar gobbled up any of the leftovers. It's just a pity it didn't happen before 2016 so that the coal miners couldn't be used as a prop in that election. I read a story where they talked about how they got nothing out of that.

Hold your horses

By kot-begemot-uk • Score: 4, Informative • Thread
This week most of the remaining European coal plants which were mothballed or even scheduled for demolition were fired again.

Exhibit A: Britain.

Exhibit B: Estonia (can't find an English link).

The situation is similar in other countries.

No wind, so the great and wonderful windmills do not have anything to move them. Russians deciding that they will supply Europe strictly on long-term contracts and world market prices (isn't the 3rd energy regulation package by the EC just lovely), and as icing on the cake the interconnect between the UK and France catching fire.

So do not write off coal just yet. It will be interesting how things develop, but we may see some roll-back of the CO2 reduction measures as well as restart of coal in the coming months. Anything else aside, the cycle of cold winters in Europe is roughly 10-11 years and the last one was exactly 11 years ago. It was only -35 in Germany, Poland and Czech then and only one-two meters of snow with the balmy warm -20 in Hungary, Serbia, Bulgaria and Romania. Based on the normal long term weather cycle in Europe we are due for a repeat this winter or next.

With one overwhelming exception

By cirby • Score: 5, Informative • Thread


They built about three times as much coal capacity in 2020 as the rest of the world, COMBINED. They're not slowing down, either (at least 47 more are planned over the next few years).

India, Japan, Vietnam, and Indonesia are all happily building new coal plants, too.

When 44 out of the 195 (more or less) countries in the world stop building coal, but the biggest ones keep constructing like mad, you don't gain much.

Correlation != Causation

By 140Mandak262Jamuna • Score: 4, Informative • Thread
Paris accord happened in 2015. Coal started dying off since 2015. But correlation is not causation.

But Paris climate accord did not kill the coal plants.

Fracking and natural gas killed coal plants. Natural gas is cheaper than coal. Coal died.

There are definite shifts to renewables happening. But again real long term trend is, unsubsidized cost of solar and wind is becoming competitive with natural gas. Paris climate accord might have helped the renewables in the fight with natural gas, but when it comes to coal, the killer was natural gas, not Paris accord.

Re:Correlation != Causation

By Luckyo • Score: 4, Interesting • Thread

Mostly correct, but not quite. Almost everywhere outside US, natgas remains more expensive than coal. In most places, much more expensive. Reminder: fracking at scale for natgas is only really a major source of fuel in US.

And natgas is really hard to transport. Having to cool and compress or liquefy it is very energy intensive, so you want to pipe it. But it still did drive cost of natgas down globally for a while, because US was no longer a place to export it to. So temporary glut on the market until demand and supply rebalance around the new normal where US is a net exporter rather than net importer.

But the biggest change is modern automation and physics simulation capability enabling novel designs for combined cycle gas turbines about a decade ago. Gas turbines became extremely efficient, and the rapid increase in build-up of intermittents meant extreme demand for spinning and cold reserve plants that could quickly take up the load. And gas turbines are really, REALLY good at rapidly taking the load.

So you had combined pressure from the increase in efficiency of CCGTs, combined with cheaper gas (for the foreseeable future in the US and temporarily in Europe), combined with rapidly growing demand for power generators able to spin up quickly due to the rapid increase in build-up of intermittents like wind and solar.

End result is that CCGTs simply outcompete almost everything in short term. Until gas supply and demand situation changes again.

When the Wind Stops Blowing, an Energy Storm Brews

Posted by msmash
An anonymous reader shares a report (paywalled): Gas made up the largest share of the UK's energy mix in 2020, at 34%; followed by wind on a quarter; nuclear at 17%; biomass at 6.5% and solar at 4.4%. Despite the progress of renewables, detractors note the problems arise when the sun doesn't shine and the wind doesn't blow. Until reliable battery storage for renewable energy is developed, these sources can only ever be intermittent, critics argue, and some infrastructure will continue to use oil for back-up generation. It is a case made by the nuclear industry, which says that it is uniquely placed to provide the zero-emissions baseload the grid requires. Runaway gas prices are already sparking concern across the energy sector, with fears that consumers are facing a "bill shock" this winter. Personal finance expert Martin Lewis warned his readers last week: "This autumn's signature noise will be a deep thud... the sound of jaws hitting the floor as people finally see the practical evidence of the energy bill catastrophe laid bare."

UK gas prices reached 130p per therm last week, compared to 30p a year ago. In an unusual inversion, gas prices are trading above the equivalent price of Brent, the benchmark for crude oil. Both supply and demand factors are at play. The reopening of economies after Covid lockdowns has pushed up demand for gas. Countries are also trying to cut their use of coal, and switching to less polluting gas as a result. Europe is thus competing with Asia for shipments of liquid natural gas (LNG), a more mobile form of gas that is increasingly popular. Supply is also tight: a particularly cold winter meant Europe used up more reserves than usual and these have not been replenished. A spate of outages at gas production plants in different parts of the world have compounded the problem. To make matters worse, the UK has relatively low levels of gas storage. The country has eight gas storage sites that can hold an estimated 12 days of supply. Storage capacity was drastically reduced when the Rough site under the North Sea was closed in 2017 for safety and economic reasons. Rough, a disused oil field, could hold around 70% of UK gas reserves. "The market hasn't been able to fill up storage as we move into this winter. And hence we are very exposed, especially if it is another cold winter like last year," said James Huckstepp, analyst at S&P Platts. "Consumers are starting to recognise that their energy bills are going to be much higher this winter."

Rough well closing

By clovis • Score: 3 • Thread

It might have been nice to have filled some storage when the prices were low.
If you're curious about the gas storage problem and are asking "why not reopen", here's a writeup on the Rough site problems.


Re:Problem isn't wind or solar

By Smidge204 • Score: 4, Insightful • Thread

> Complete nonsense. Wind generators can be turned off at any time, so this is a completely false impediment to connecting the systems.


Unfortunately that means you're using expensive nuclear power instead of practically-free wind while the wind is available, because you *have* to shut the wind turbines down to prevent overproduction.

This is why nuclear and renewables are antagonistic, not synergistic.

Re:Problem isn't wind or solar

By AleRunner • Score: 4, Informative • Thread

The UK can't afford nuclear, and can't find anyone to build it. The subsidies needed to get companies on board are just eye-watering.

We have to solve this but it has to be affordable. What we really need is a proper strategy, not just relying on investors delivering a stable grid. Build more offshore, build more storage. Interconnect with other grids.

The UK has a bunch of solutions that we haven't done - we could be investing in tidal energy, for example and the Swansea bay project would make a huge difference. The problem is that, whilst they guarantee subsidised, massively long term prices for nuclear, the government won't even make price guarantees ("contract for difference") for any of the tidal projects.

We could also have grid connections to Norway and bigger ones to Denmark and France and from France, through to Morocco where there's plenty of potential for Concentrated Solar Power. Instead, as you rightly say, we've wasted money and time on failed nuclear projects which we just can't afford. The story is straight propaganda.

Re:Problem isn't wind or solar

By Aighearach • Score: 4 • Thread

Only if you build a bunch of it.

I'm certainly not advocating that.

I'm simply saying that however much nuclear you build, there is no trouble also connecting wind and solar to the same grid. It's just a stupid lie that armchair nuclear boosters trot out to try to make it look like wind and solar are not feasible. But they're decades too late to be playing that trick.

There is nothing antagonistic about the technologies at all. There is not some massive surplus of wind power being generated. It's just another lie.

Re:Problem isn't wind or solar

By Smidge204 • Score: 4, Insightful • Thread

> I'm simply saying that however much nuclear you build, there is no trouble also connecting wind and solar to the same grid.

Again; technically correct, but whether or not you can connect wind to a nuclear-powered grid is not the problem - over production is the problem. You have it exactly backwards.

Specifically, you will be forced to disable the cheapest, most environmentally friendly power first because nuclear lacks sufficient flexibility. That is wasteful and negates the most valuable and worthwhile aspect of renewable power. It defeats the whole point.

> There is not some massive surplus of wind power being generated.

Yet. At least not in the UK; excess wind power in mainland Europe is common, to the point where retail prices can go negative in an effort to get people to take the excess power off their hands. There will be a problem if you continue to expand wind power installation while insisting you also build nuclear power to cover the times when wind power isn't sufficient.

This isn't complicated; let's say you need 1000 gigawatts of power, for sake of example. You install 400 gigawatts (nameplate) of wind, so logically you might think you need 600 gigawatts of nuclear to make up for it, right? 400 + 600 = 1000.

Except, of course, that 400 GW of wind will not always be producing 400GW. Some times you might only get, say, 300 GW. Now you're 100 GW in the hole. Okay, you might think, just build another 100 GW worth of nuclear and you're covered!

So what happens when your wind farm *does* produce 400 GW? Now you're producing 1100 GW total, and that's bad. You can't shave 100 GW worth of nuclear in the span of minutes that would be necessary to prevent overloading the grid, so your only recourse is to disable some of that wind power.

You now have 100 GW of wind energy going untapped. 25% of your wind turbines are going completely to waste, because you had to turn them off. While the wind continues to blow, you're passing up cheap energy in favor of stupidly expensive energy, while also ruining the economics of your wind farms.

This is why nuclear and wind - and other renewables like solar, though to a lesser extent - are at odds with each other. This is why, instead of building nuclear power plants that cost a fortune and have tons of externalities, we should instead be investing in storage technologies to make the best use of energy when it's abundant, and diversifying the grid to level out the variations.

SpaceX Rocket To Take World's First All-Civilian Crew Into Orbit

Posted by msmash
The world's first crew of "amateur astronauts" is preparing to blast off on a mission that will carry them into orbit before bringing them back down to Earth at the weekend. From a report: The four civilians, who have spent the past few months on an astronaut training course, are due to launch on SpaceX's Falcon 9 rocket from the Kennedy Space Center in Florida at 8.02pm local time on Wednesday (1.02am UK time on Thursday). Barring any glitches, the two men and two women on the Inspiration4 mission are expected to orbit the planet for three or four days, performing experiments and admiring the view through a glass dome fitted to their Dragon capsule, before splashing down in the Atlantic Ocean.

Touted as "the world's first all-civilian mission to orbit," the launch is the latest to promote the virtues of space tourism and follows suborbital flights in July by Sir Richard Branson on Virgin Galactic's SpaceShipTwo -- which has since been grounded for going off course -- and Jeff Bezos on Blue Origin's New Shepard rocket. While the Inspiration4 crew has had flying lessons, centrifuge sessions to experience the G-forces of launch, and hours of training in SpaceX's capsule simulator, the mission will be almost entirely automated. The capsule is due to orbit Earth at an altitude of 360 miles (575km), about 93 miles higher than the International Space Station.
UPDATE: They did it.

God speed to the civilian crew!

By nightflameauto • Score: 5, Insightful • Thread

This may not seem like that big of a deal due to the number of successes the Dragons have had at this point, but for a dude that grew up with the day-dream of civilians in space being commonplace, this first flight is a huge step in the right direction.

I hope all goes as planned. And I hope they all enjoy the view.


By Ostracus • Score: 3 • Thread

While the Inspiration4 crew has had flying lessons, centrifuge sessions to experience the G-forces of launch, and hours of training in SpaceX's capsule simulator, the mission will be almost entirely automated.

Tesla autopilot. Good enough for cars. Good enough for space.

Live Stream

By Areyoukiddingme • Score: 3 • Thread

Live stream on SpaceX YouTube channel up already:

We need another Bezos lawsuit

By TomR teh Pirate • Score: 3 • Thread
to prevent him from being upstaged by SpaceX, again

Amazon Loss of Executive To Microsoft Sets Up Potential Clash

Posted by msmash
Microsoft said it has hired a former Amazon cloud executive to run its cybersecurity operations, potentially setting in motion a legal battle between the two tech giants. From a report: Charlie Bell, who long reported to former Amazon Web Services chief Andy Jassy and oversaw the engineering teams working on AWS's main software services, will become an executive vice president reporting to Microsoft Chief Executive Officer Satya Nadella. "Cybersecurity is one of the most challenging issues of our time -- for every person and organization on the planet -- and it is core to our mission," Nadella wrote in an email to employees obtained by Bloomberg. Securing customers' digital technology platforms, devices, and clouds "is a bold ambition we are going after and is what attracted Charlie to Microsoft."

[...] Bell's departure to a direct rival is a major blow for Amazon, and Microsoft said it's committed to continuing "constructive discussions" with the cloud leader about Bell's role. "We're sensitive to the importance of working through these issues together, as we've done when five recent Microsoft executives moved across town to work for Amazon," Microsoft said in a statement. Amazon, which has a history of seeking to enforce non-compete agreements vigorously, didn't immediately comment on the move. Bell will officially start his role once "a resolution is reached with his former employer," Nadella wrote in the email.


By aerogems • Score: 3, Interesting • Thread

A bit hyperbolic, yes, but non-compete clauses are really a kind of indentured servitude or slavery. You either work for Company X, or you can't work for anyone in the field for a period of time that will make sure your skills are out of date and you're essentially unhirable. They are fundamentally in opposition to the founding principles of the United States and the federal government should follow the lead of states like California in abolishing them completely.

As long as the guy isn't bringing with him a bunch of proprietary info, just his skills, I don't give two shits if Amazon is pissed. Clearly the guy wasn't happy at Amazon or he wouldn't have been looking for another job, so maybe instead of using non-competes to force people to stay, Amazon should try to fix the culture and environment of its workplace so people don't want to leave. A novel idea, I know, and I have serious doubts that anyone in upper management at Amazon has the necessary level of introspection to even consider this option, but maybe with a little push from federal courts ruling non-compete clauses unenforceable...

US Fines Former NSA Employees Who Provided Hacker-for-Hire Services To UAE

Posted by msmash
The US Department of Justice has fined three former NSA employees who worked as hackers-for-hire for a United Arab Emirates cybersecurity company. From a report: Marc Baier, 49, Ryan Adams, 34, and Daniel Gericke, 40, broke US export control laws that require companies and individuals to obtain a special license from the State Department's Directorate of Defense Trade Controls (DDTC) before providing defense-related services to a foreign government. According to court documents, the three suspects helped the UAE company develop and successfully deploy at least two hacking tools. The three entered into a first-of-its-kind deferred prosecution agreement with the DOJ today, agreeing to pay $750,000, $600,000, and $335,000, respectively, over a three-year term, in order to avoid jail time for their actions.

No jail time?

By mendax • Score: 5, Insightful • Thread

They should have gone to jail. No doubt about it. Fining people for such treachery just is not sufficient.

The Book

By chill • Score: 4, Informative • Thread

This Is How They Tell Me the World Ends: The Cyberweapons Arms Race by Nicole Perlroth is an excellent book and details the story on these people and much more.

Re:No jail time?

By tragedy • Score: 4, Interesting • Thread

What really needs to be considered here is the web of connections that got those people working there in the first place. Apparently the three were contractors for a company named Darkmatter, which seems to be largely just a breakaway entity from another company called Cyberpoint. Whether it's truly independent or just exists to provide plausible deniability to Cyberpoint is hard to say. Cyberpoint is based in Baltimore, MD (in other words, right outside Washington, D.C.) and itself has lots of ties to Booz Allen.

So, basically I think what we're seeing here is these guys getting a slap on the wrist to avoid exposing their politically-connected overlords to scrutiny (and the same criminal charges, since these guys are probably just employees following directives from their supervisors). The people behind these companies are probably the same politically-connected swamp dwellers we see all the time. They run various "consultant" companies, they're probably "operatives" or money guys of some kind in one of the two major political parties and probably have a revolving door to positions in government (probably just below the cabinet level, but maybe even cabinet members sometimes) when their party is in power. This is exactly the kind of stuff that Giuliani has been involved in, for example. Remember how he ran a "cybersecurity" company. He used to run a security consulting business as well. The role these guys play in this sort of thing is really as lobbyists and selling access. That means access to politicians, but also access to other human resources. Like, for example, former NSA employees.

Baked Beans

By TechyImmigrant • Score: 3 • Thread

>broke US export control laws that require companies and individuals to obtain a special license from the State Department's Directorate of Defense Trade Controls (DDTC) before providing defense-related services to a foreign government.

Calling hacking a defense related service is like calling baked beans a defense related food because soldiers eat it.

Theranos Burned Through $2M a Week as Investors Were Given Rosy Projections

Posted by msmash
Around the time that Theranos was losing nearly $2 million per week, investors in the blood-testing startup were being told that the company would soon be bringing in almost $1 billion per year. From a report: It's not uncommon for startups to lose money in their early years, and it's not entirely unusual for the fastest burn rate to happen right before things turn around. Instead, Theranos continued to produce mounting losses. But that's not what the company was telling investors, according to new documents shared during the jury trial of Theranos founder and CEO Elizabeth Holmes.

In court yesterday, jurors heard testimony from the company's longtime chief financial officer, Danise Yam, who also goes by So Han Spivey. Yam said that Theranos lost $16.2 million in 2010, $27.2 million in 2011, $57 million in 2012, and $92 million in 2013. In 2013, things had "started to get a bit tight," Yam said. There were weeks where the company was burning through around $2 million per week, and there wasn't any revenue to help ameliorate the losses. In 2012 and 2013, Yam didn't even bother adding a line for revenue -- there was none.

Lies about progress, not cash were the problem

By gurps_npc • Score: 5, Insightful • Thread

Look, no one cares if you burn through a million a day, even if you do not have revenue.

What they care about is:

1) Does your tech work in theory?
2) Are you actively turning theory into practice, i.e. solving the practical issues?
3) Once your tech works in practice, then how much can you make selling it?

They lied about 1 and 2. They could not take a drop of blood and give you back multiple test results that each currently take a test tube by themselves. They were not solving the practical issues.

If they had burned through 10 million a day, but had working technology, they would be billionaires now, instead of criminals.

Investors should have thought twice..

By BytePusher • Score: 3 • Thread
We were all shocked that a 19 year old could start a revolutionary biotech company. They didn't do their due diligence to vet the technology before forking over billions. I personally feel like the investors got what they deserved. This is capitalism, no risk, no reward. But these days capitalists can't accept losses from the risks they took.

Re:Investors should have thought twice..

By prisoner-of-enigma • Score: 4, Insightful • Thread

We were all shocked that a 19 year old could start a revolutionary biotech company. They didn't do their due diligence to vet the technology before forking over billions. I personally feel like the investors got what they deserved. This is capitalism, no risk, no reward. But these days capitalists can't accept losses from the risks they took.

I feel some of this was due to how the media lionized Holmes, almost exclusively because of her youth, gender, and beauty. Any article about a "strong, successful woman bucking the patriarchy" was immediately elevated to biblical status in the mad search to promote "women breaking the glass ceiling." They were so invested in making her out to be Joan of Arc they never stopped to check whether what she was claiming was even possible. Her claims could've been easily debunked many times before everything came crashing down. Not only did nobody try, nobody -- especially the press -- seemed even interested in trying.

Put simply, if Holmes had instead been a middle-aged, overweight, glasses-wearing, slightly balding male, does anyone think for a moment this would've gone as far as it did? Possibly, but very doubtful. Never underestimate the power of charisma when separating people from their money.

Re:Ok so we have no revenue!

By stabiesoft • Score: 5, Insightful • Thread
I think a bit differently. Uber/WeWork are not lying about what they have. Holmes was claiming a magic method to do blood analysis with a single drop of blood, and she was claiming it was working, to the point of people getting blood draws under the impression it was being done with a single drop when it was not. She needs to sit in a prison cell for a very long time like Dennis, if for no other reason than to give pause to others. Others committing fraud and getting away with it is not a reason to give her a pass. While I think people are simply nuts to believe WeWork/Uber will ever be profitable, they are clear about what service they offer.

Re: Lies about progress, not cash were the problem

By ShanghaiBill • Score: 4, Interesting • Thread

"do you have any medical background, whatsoever?"

Once the blood is drawn, the testing is chemistry, not medicine. Holmes has a background in chemical engineering. She also worked in a chemical process research lab at Stanford University.

"at least you have some technological background, right?"

Plenty of people at Theranos had technological backgrounds, including Holmes.

"well, you at least DO know how to run a company?"

Theranos had several C-level executives with successful business backgrounds.

Anonymous Hacks Epik Web Hosting

Posted by msmash
ArchieBunker writes: Members of the hacktivist collective Anonymous claim to have hacked web registration company Epik, allegedly stealing 'a decade's worth of data,' including reams of information about its clients and their domains. Epik is controversial, having been known to host a variety of rightwing clients, including ones that previous web hosting providers, like GoDaddy, have dropped for various reasons. Its users have included conservative social media networks Parler and Gab, as well as conspiracy-theory-laden YouTube wannabe Bitchute and former President Trump fansite, The Donald. The company recently hosted -- the website designed to help people snitch on Texas residents who want abortions -- but later forcibly removed the tip-collecting platform after determining that it had violated Epik's terms by nonconsensually collecting third-party information.


By JBMcB • Score: 4 • Thread

Yes. Right and wrong matter.

That tends to work out until someone thinks that *you* are wrong and *you* get hacked. Of course, you think you are right. But if you think hacking people who are wrong is OK, you then can't really complain about the tactics, can you?

It's like watching children fight

By davide marney • Score: 3 • Thread

If you can't win an argument on the merits, call them names. If they don't care, cancel them. If they still don't care, DOX them. Steal their personal data if you have to. This is about "justice".

Now pat yourself on the back. Ignore the fact that you're working for the establishment. You're just a useful idiot.

Like I said, childish.

Why do these folks even need Epik anyway?

By martynhare • Score: 5, Interesting • Thread
For the record: I'm pro-choice. However....

The absurdity that private businesses' right to refuse "is censorship" and the absurdity that hosting providers are responsible for what they host... it all needs to end. So perhaps, if providers did just ban whatever they wanted for any reason, folks would design their services not to trust the hosting providers themselves and we would all get over it. If nobody trusted hosting providers and designed systems accordingly, hosting providers could then legitimately argue "if we didn't host it, someone else would" and nobody would be able to disagree. The Pirate Bay successfully implemented decent distributed infrastructure with this in mind, meaning no one provider hosts a meaningful enough portion of the service for it to ever be fully shut down. While no cloud provider would be happy to host the service as a whole, none of them would be unhappy about hosting parts of the service infrastructure which standalone amount to nothing. Ever since 2015, TPB has remained reliably functional without any serious downtime, despite many more entities wanting it to be taken down than the stuff Epik hosts. High Courts (and their judges) across the world all have been exposed for how powerless they really are by a small group of nerds, even while incarcerated!

There is no reason why others can't follow their blueprint. If they do, they don't need to rely on Epik.


By LKM • Score: 4, Informative • Thread
The website (back when it still worked) did not just ask people to submit doctors who perform abortions, but specifically also to explain how the law has been violated, and to upload evidence that the law has been violated. It's not clear to me how one could do this without submitting personal information of women who had abortions.

I cannot ascertain what the website is interested in (as far as a website can be interested in anything), but it's difficult to find a genuine argument for the position that a vast majority of "pro-life" people aren't interested in harming women who have abortions, or supporting measures that harm women who have abortions, whether they do so directly or indirectly. Given the actual things these people say, and the measures they support, it's clear that a major motivation for many of these people is, in fact, to punish women for abortions (or, more likely, abortion-related behavior such as premarital sex).


By DaveV1.0 • Score: 4, Informative • Thread
You left out people who drive the woman to the clinic and/or help her get an abortion in any way, shape, or form. Remember, this website is to help people collect $10,000 per person that can be proven to be involved in any way. Uber and Lyft have started defense funds for their drivers.

OpenSea Confirms Executive Used Insider Knowledge When Buying NFTs

Posted by msmash
One of the non-fungible token (NFT) space's biggest marketplaces has admitted that a senior employee has been getting the drop on its most popular drops. From a report: Twitter users last night accused Nate Chastain, head of product at OpenSea, of using secret Ethereum wallets to snap up the platform's front-page NFT drops before general release. Citing transactional data on Etherscan, Twitter user Zuwu said that Chastain seems to be selling these pieces "shortly after the front-page-hype spike for profits." His actions have been likened to frontrunning or insider trading, which in regulated financial markets refers to dealing on information that is not yet public.

On September 15, OpenSea published a blog post acknowledging Chastain's actions. "Yesterday we learned that one of our employees purchased items that they knew were set to display on our front page before they appeared there publicly," said OpenSea. "This is incredibly disappointing. We want to be clear that this behavior does not represent our values as a team. We are taking this very seriously and are conducting an immediate and thorough review of this incident so that we have a full understanding of the facts and additional steps we need to take." The company has rolled out new policies specifying that team members may not buy or sell from collections while they are being promoted, and cannot use confidential information to purchase or sell NFTs.

Repeat after me

By LatencyKills • Score: 3 • Thread

NFTs are worthless bullsh*t. Bonus points for buying them with equally worthless digital currency. Have we suddenly been struck stupid collectively as a species?

Re:Repeat after me

By S_Stout • Score: 4, Insightful • Thread
Everyone knows they're worthless; the game is everyone thinks that they will be the one to make money and pawn them off on others when it all crashes. The other use of NFTs is money laundering. Much easier than buying/selling artwork.

Not even fired?

By Pinky's Brain • Score: 3, Informative • Thread

How seriously can you take their commitment when they don't even fire him?

The entire market is bagholders keeping up appearances and wash traders. Flipping to bagholders ASAP is how you make money, except for the rare few NFTs which might attract the traditional art crowd who just want bragging rights. Interchangeable drawing of an ape number 100 does not give bragging rights.

Microsoft Account Goes Passwordless

Posted by msmash
Anyone with a Microsoft account can now remove their password from the account entirely to enable better security. From a report: "For the past couple of years we've been saying that the future is passwordless, and today I am excited to announce the next step in that vision," Microsoft corporate vice president Vasu Jakkal writes in the announcement post. "Beginning today, you can now completely remove the password from your Microsoft account." As for the "why" of this change, Microsoft points to the fact that passwords are insecure and are the focus of over 18 billion attacks every year, or 579 attacks every second. Before you can go passwordless, you'll need the Microsoft Authenticator app on your smartphone. Then, you can use Windows Hello, a security key, or a verification code that's sent to an email address, your phone, or a compatible app or service like Outlook, OneDrive, Microsoft Family Safety, and more to sign in, depending on the location.

Re:OT: Excited, eh?

By GrumpySteen • Score: 5, Funny • Thread

You do realize that "excited" refers to mental states that don't involve sexual arousal, right?

Like... a two year old can be excited to go to the playground and it doesn't mean the two year old wants to fuck a piece of playground equipment.

Antiquated news

By WaffleMonster • Score: 3 • Thread

I already have no passwords on ANY of my Microsoft accounts.

Doing away with PW - to send you a PW

By Bomarc • Score: 5, Insightful • Thread
MS: We are doing away with passwords; so we can send you a password.
Me: Ya; right. I lost my phone.
MS: You are f*ed. (This already happens with Google)

I live in the US. Why can't I block access to my account from non-US locations (geo-blocking)? Why are IP addresses that attempt to log in to 20 different accounts in 30 seconds -- allowed to continue?

I had a similar issue with eBay and my wife's phone. They (eBay, PP, MS and others) assume that your phone is tied to your account (I don't for several reasons). While away from home (taking my wife to a hospital) I had internet access (Wifi) using her phone. Attempted to place a bid on an item; and it/they wanted another level of verification. When I called to ask if there was something that I could do; the 'in person' verification got even stranger (such as: 20 years ago; what address did you live at?)

Best example -- you left your phone at home (or it was stolen) ... you need to log in. What are you/they going to do? Send a text to a device that I don't have access to??
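The rate-limiting question raised above (one IP address trying 20 different accounts in 30 seconds) is the classic credential-stuffing / password-spraying signal, and it is cheap to detect from an authentication log. The following is an added example for this digest, not code from Microsoft, eBay, PayPal or any service named in the comment: detection logic run over a constructed login log. The log line format, the source addresses (RFC 5737 documentation ranges), the 30-second window and the 20-account threshold are all assumptions made for the example.

```python
"""Credential-stuffing / password-spraying detector over a login log.

Added example for this digest, not code from any of the services named in
the comment above. Log format, addresses, window and threshold are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed log line shape:  2021-09-15T10:00:00Z ip=203.0.113.5 user=alice result=fail
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, ip, user, result), or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"]


def find_spraying_ips(lines: Iterable[str],
                      window: timedelta = timedelta(seconds=30),
                      threshold: int = 20) -> Dict[str, int]:
    """Flag source IPs that tried `threshold` or more distinct accounts inside
    any span of length `window`. Returns {ip: peak distinct accounts in window}.

    Sliding window per IP: each event is appended, events older than `window`
    are dropped from the front, and the distinct-user count of what remains is
    the signal. The fail/success outcome is deliberately ignored: a spray that
    finally hits a weak password still looks like a spray.
    """
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for ts, ip, user, _result in events:
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct >= threshold:
            flagged[ip] = max(distinct, flagged.get(ip, 0))
    return flagged


def constructed_log() -> List[str]:
    """Constructed sample: one spraying IP, one user retrying their own
    password, and one slow spray that stays under the rate."""
    base = datetime(2021, 9, 15, 10, 0, 0)
    lines = []
    for i in range(20):  # 20 different accounts in 19 seconds -> flagged
        t = base + timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} ip=203.0.113.5 user=user{i:02d} result=fail")
    for i in range(5):   # same account five times -> one distinct user, not a spray
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} ip=203.0.113.9 user=alice result=fail")
    for i in range(25):  # 25 accounts spread over 10 minutes -> below the rate
        t = base + timedelta(seconds=25 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} ip=198.51.100.7 user=acct{i:02d} result=fail")
    return lines


if __name__ == "__main__":
    print(find_spraying_ips(constructed_log()))  # {'203.0.113.5': 20}
```

Two caveats a practitioner would add before wiring this to a blocklist: a large NAT egress (a university, a mobile carrier) legitimately produces many distinct accounts from one address, so the threshold should be tuned per source reputation rather than fixed; and the slow spray in the sample (25 accounts over ten minutes) is exactly what a patient attacker does to stay under a per-window rule, which is why a second, longer window (hours) with a higher threshold is usually run alongside this one.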

Re:"579 attacks every second."

By ceoyoyo • Score: 4, Insightful • Thread

Most people dislike multiple factors. It is kind of a pain in the ass for something that doesn't need to be super secure. One-time passwords are a nice intermediate option between a classic password and a classic password plus an OTP.

If you lose your phone you need to install the authenticator app on your new phone and enter the recovery codes, which you wrote down and put somewhere secure... right?

You can still accidentally say "yes" to an attack

By ianbnet • Score: 4, Interesting • Thread

I fundamentally believe in the passwordless future, BUT - and this is a big but - I get 2-3 notifications per day in my Microsoft Authenticator app asking me to authorize a login.

It's not from me.

And the authorization requires nothing but me to say "yes."

This terrifies me. A slip of a thumb and they're in, without knowing my password.

There are ways around this - for instance, some prompts (but not others? I have no idea why) require me to match a number on both devices. But some do not, and I don't know why, and I have no control over that. Honestly this feels about as secure as a bad password I repeat on multiple sites.
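The failure mode described above, a push prompt that needs nothing but a tap, is what number matching is designed to close: the number is shown on the sign-in screen, never in the push, so someone who did not start the login cannot supply it. The following is an added example for this digest, not Microsoft's code, and it makes no claim about how Microsoft Authenticator is implemented internally; it models the two prompt styles the comment contrasts, plus a denial counter that stops sending pushes after repeated "no" answers. All class and function names are hypothetical.

```python
"""Push-approval MFA: bare approve/deny versus number matching.

Added example for this digest, not Microsoft's code; it makes no claim about
how Microsoft Authenticator is implemented. Names are hypothetical.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PushChallenge:
    session_id: str
    # Number shown on the sign-in screen (the browser), never sent in the push,
    # so only someone looking at that screen can supply it. None when the
    # server runs in bare approve/deny mode.
    displayed_number: Optional[int]
    approved: bool = False


class PushMfaServer:
    """Second factor after a correct password: sends a push to the phone."""

    MAX_DENIALS = 3  # after this many denials, stop pushing for this user

    def __init__(self, number_match: bool):
        self.number_match = number_match
        self.challenges: Dict[str, PushChallenge] = {}
        self.denials = 0
        self.locked = False

    def start_login(self) -> Optional[PushChallenge]:
        """Called once the password check has passed. Returns the challenge, or
        None if push has been suspended for this user after repeated denials."""
        if self.locked:
            return None
        number = secrets.randbelow(100) if self.number_match else None
        challenge = PushChallenge(secrets.token_hex(8), number)
        self.challenges[challenge.session_id] = challenge
        return challenge

    def respond(self, session_id: str, approve: bool,
                entered_number: Optional[int] = None) -> bool:
        """The phone's answer to the push. True only if the login is complete."""
        challenge = self.challenges.pop(session_id)
        if not approve:
            self.denials += 1
            if self.denials >= self.MAX_DENIALS:
                self.locked = True
            return False
        if self.number_match and entered_number != challenge.displayed_number:
            return False  # tapped approve, but could not read the attacker's screen
        challenge.approved = True
        return True


def blind_approve(number_match: bool) -> bool:
    """Attacker holds the password; the victim taps Approve on a push they did
    not start, without seeing the attacker's sign-in screen. Returns whether
    the attacker is now logged in."""
    server = PushMfaServer(number_match)
    challenge = server.start_login()
    # The victim never sees challenge.displayed_number, so the slip of the
    # thumb carries no number (a random guess would succeed 1 time in 100).
    return server.respond(challenge.session_id, approve=True, entered_number=None)


def legitimate_login(number_match: bool) -> bool:
    """The real user signs in and reads the number off their own screen."""
    server = PushMfaServer(number_match)
    challenge = server.start_login()
    return server.respond(challenge.session_id, approve=True,
                          entered_number=challenge.displayed_number)


def push_spam_then_lockout() -> bool:
    """Victim denies three unexpected pushes; the fourth is never sent."""
    server = PushMfaServer(number_match=True)
    for _ in range(PushMfaServer.MAX_DENIALS):
        challenge = server.start_login()
        server.respond(challenge.session_id, approve=False)
    return server.start_login() is None
```

In this model the bare prompt is only as strong as the password that preceded it (the attacker already has that), while the matching prompt forces the approver to prove they can see the screen the login is happening on. The denial counter is the other half of the defence: repeated unexpected pushes are themselves a signal that the password is compromised and should trigger a rotation, not just silence.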

Uber's Chief Technical Officer To Step Down

Posted by msmash
Uber Chief Technology Officer Sukumar Rathnam is stepping down as the company's head of engineering, a spokesperson of the ride-hailing company said late on Tuesday. From a report: The spokesperson did not specify the reason for Rathnam's departure but Business Insider reported earlier that he had been increasingly at odds with chief product officer Sundeep Jain. Rathnam, who joined Uber about a year ago, plans to leave in early October, the spokesperson said.

Amazon Gives Kindle E-Readers a Rare User Interface Overhaul

Posted by BeauHD
An anonymous reader quotes a report from Ars Technica: Amazon's Kindle e-readers get new software updates regularly, and they're mostly of the nondescript, invisible "performance improvements and bug fixes" variety. But the most recent operating system update (version 5.13.7) is rolling out now, and it refreshes the device's user interface for the first time since 2016 or so. Amazon says that redesigns for the Home and Library screens, which are mostly untouched in the current Kindle update, will be coming "later this year." The software update that enables the new interface began rolling out in August, but because Kindles only install updates automatically when they're charging and connected to Wi-Fi, it will be a few weeks or months before all supported Kindles will have a chance to grab the update (mine only installed it over this past weekend).

The new update is available on most Kindles released in or after 2015, including the 7th- and 10th-generation Kindle Paperwhite, the 8th-, 9th-, and 10th-generation Kindle Oasis, and the 8th- and 10th-generation standard Kindle. Older "7th-generation" Kindle devices like 2014's Kindle Voyage don't appear to be supported. [...] The new update doesn't fix Amazon's confusing Kindle naming scheme, which groups different devices into "generations" that are numbered based roughly on when they were released, not on what generation of product they actually are; the "10th-generation" Paperwhite is actually only the fourth Paperwhite Amazon has released. But you now can head into the Device Info screen and see which Kindle you're using instead of having to guess.

Made it worse

By DarkRookie2 • Score: 3 • Thread
They made the interface worse. They added gestures to it and hid the shortcut behind them.
They didn't add ePub support. They didn't add folder support. This is a meaningless update to bump a number up to look like they still care.


By fazig • Score: 3 • Thread
They should give them a USB-C port.

Indian Researchers Create a Raspberry-Pi-Based Device To Monitor Health

Posted by BeauHD
Two researchers in India have developed a new blood test that is simple, affordable, and easily deployed anywhere where a source of electricity is available. IEEE Spectrum reports: Sangeeta Palekar is a researcher at Shri Ramdeobaba College of Engineering and Management (RCOEM) who helped devise the new design. She and her colleague, Jayu Kalambe, understand how powerful a simple blood test can be. "Routine blood tests can help track and eliminate the threat of many potential diseases," explains Palekar, noting that blood tests make up roughly one-third of all pathology laboratory tests. [...] [The new analyzer] involves an automated fluid dispenser that adds a controlled amount of reagent into the blood sample. Light is then passed through the sample, and a Raspberry Pi computer analyzes the data. The system can be adapted to analyze any biochemical substances in the blood by simply modifying the reagent and spectral wavelength that's used. [...] When comparing the data obtained by their biochemical analyzer to the known results obtained by standard laboratory equipment, they found the data matched almost perfectly. What's more, the device could yield accurate results in just half a minute. The researchers describe the results in a study published in IEEE Sensors Journal.

BASIC - take a photo after adding reagent

By johnjones • Score: 3 • Thread

They add a reactive substance and take a photo of the result. This is not cutting-edge science nor anything new sensor-wise.

The cheaper way is to place a drop onto a paper stick laced with the reagent and compare it to a chart using your eyes (which is how people do it currently). It would have been far more useful to develop a smartphone app to actually read these existing tests and give a more consistent and therefore accurate reading, because the machine is doing it... but that would have actually been hard, having to calibrate the chart and allow for fade within the paper and reagents, so that's not done; go for the easy win of pumping fresh reagent into a lightbox and using only one sensor.

I do not see how this paper is helpful or innovative.


By gweihir • Score: 3 • Thread

The RPi is an unreliable, badly designed PoS. It is not fit to be used as anything but a toy. There are tons of professionally designed alternatives that actually work reliably and have competent designers instead of amateurs with delusions.

'Massive' Transatlantic Data Cable Landed On Beach In Bude

Posted by BeauHD
Thelasko shares a report from the BBC: A new "massive" undersea transatlantic communications cable has been brought ashore on a beach in Cornwall. The Google data cable, called Grace Hopper, was landed in Bude on Tuesday. Once operational, it would have the capacity to handle "17.5 million people streaming 4K video concurrently," Google bosses said. The cable has been laid between New York in the United States, Bilbao in Spain and Bude over several months, and is expected to be operational in 2022. It was part of a "new generation" of lines that "connect continents along the ocean floor with an additional layer of security beyond what's available over the public internet," Google said. The tech giant has named it Grace Hopper after the American computer scientist and United States Navy rear admiral. It is about 7,000km (4,350 miles) long and is the company's fourth privately-owned undersea data cable; such cables transport 98% of international internet traffic around the world.

So unfair

By Harold Halloway • Score: 5, Funny • Thread
The last time I laid a massive cable on Bude beach, I was arrested. It's just one rule for them and another for the rest of us.

Re:Why land in Bude?

By echo123 • Score: 5, Informative • Thread
50° 3.965' N, 5° 42.745' W Land's End, Cornwall, England

As anyone can see from a map of England, Cornwall is a good jumping-off place for cables across the Atlantic, whether they are laid westward to the Americas or southward to Spain or the Azores. A cable from this corner of the island needs to traverse neither the English Channel nor the Irish Sea, both of which are shallow and fraught with shipping. Cornwall also possesses the other necessary prerequisite of a cable landing site in that it is an ancient haunt of pirates and smugglers and is littered with ceremonial ruins left behind by shadowy occult figures. The cable station here is called Porthcurno.

Re:Conversion for units?

By nagora • Score: 4, Informative • Thread

How do I convert 4k_video/person to something useful?

Well, first divide it by 2 because 4K video is really 2K but that's what happens when you let industries define their own terms (see also: USB)

Re:Why land in Bude?

By AmiMoJo • Score: 5, Insightful • Thread

This is why it's so important to encrypt everything. It's not a perfect defence, they can still do a lot with encrypted data and metadata, and can probably crack a lot of it given some time, but encryption does prevent a lot of mass surveillance and increases the cost to a point where hopefully they have to target their resources.


By nospam007 • Score: 3 • Thread

When reading the title, I immediately assumed some fisherman accidentally dragged an existing cable to the harbour. (has British spelling because of Cornwall)