Security

Machine Learning Can Use Tweets To Spot Critical Security Flaws (wired.com) 13

Researchers at Ohio State University, the security company FireEye, and research firm Leidos last week published a paper [PDF] describing a new system that reads millions of tweets for mentions of software security vulnerabilities, and then, using their machine-learning-trained algorithm, assesses how much of a threat they represent based on how they're described. From a report: They found that Twitter can not only predict the majority of security flaws that will show up days later on the National Vulnerability Database -- the official register of security vulnerabilities tracked by the National Institute of Standards and Technology -- but that they could also use natural language processing to roughly predict which of those vulnerabilities will be given a "high" or "critical" severity rating with better than 80 percent accuracy.

"We think of it almost like Twitter trending topics," says Alan Ritter, an Ohio State professor who worked on the research and will be presenting it at the North American Chapter of the Association for Computational Linguistics in June. "These are trending vulnerabilities." A work-in-progress prototype they've put online, for instance, surfaces tweets from the last week about a fresh vulnerability in MacOS known as "BuggyCow," as well as an attack known as SPOILER that could allow webpages to exploit deep-seated vulnerabilities in Intel chips. Neither of the attacks, which the researchers' Twitter scanner labeled "probably severe," has shown up yet in the National Vulnerability Database.

Security

Over 800 Million Emails Leaked Online By Email Verification Service (securitydiscovery.com) 60

Security researchers Bob Diachenko and Vinny Troia discovered an unprotected MongoDB database containing 150GB of detailed, plaintext marketing data -- including hundreds of millions of unique email addresses. An anonymous Slashdot reader shares Diachenko's findings, which were made public today: On February 25th, 2019, I discovered a non-password-protected 150GB MongoDB instance. This is perhaps the biggest and most comprehensive email database I have ever reported. Upon verification I was shocked at the massive number of emails that were publicly accessible for anyone with an internet connection. Some of the data was much more detailed than just the email address and included personally identifiable information (PII). This database contained four separate collections of data and combined was an astounding 808,539,939 records. As part of the verification process I cross-checked a random selection of records with Troy Hunt's HaveIBeenPwned database. Based on the results, I came to the conclusion that this is not just another "Collection" of previously leaked sources but a completely unique set of data. Although not all records contained detailed profile information about the email owner, a large number of records were very detailed. We are still talking about millions of records.

In addition to the email databases, this unprotected Mongo instance also uncovered details on the possible owner of the database -- a company named "Verifications.io" -- which offered the services of "Enterprise Email Validation." Unfortunately, it appears that once emails were uploaded for verification they were also stored in plain text. Once I reported my discovery to Verifications.io the site was taken offline and is currently down at the time of this publication.

Businesses

MariaDB CEO Accuses Large Cloud Vendors of Strip-Mining Open Source (zdnet.com) 200

Big cloud companies are "strip-mining open-source technologies and companies," complains Michael Howard, CEO of MariaDB. At their developer conference, Howard accused "big cloud" of "really abusing the license and privilege [of open source], by not giving back to the community." ZDNet reports: Even as MariaDB grows by leaps and bounds in enterprise computing at Oracle's expense, Howard sees Oracle and Amazon fighting against it. "Oracle as the example of on-premise lock-in and Amazon being the example of cloud lock-in. You could interchange the names, you can honestly say now that Amazon should just be called Oracle Prime...."

In the first keynote, Austin Rutherford, MariaDB's VP of Customer Success, showed the result of a HammerDB benchmark on AWS EC2... In these tests, AWS's default MariaDB instances did poorly, while AWS homebrew Aurora, which is built on top of MySQL, consistently beat them. The top-performing database management system of all was MariaDB Managed Services on AWS. "My first reaction when I looked at the benchmarks," said Howard, was "maybe there's incompetence going on. Maybe they just don't know how to optimize a DBMS." He observed that one MariaDB customer, one of the biggest retail drug companies in the world, had told MariaDB that "Amazon offers the most vanilla MariaDB around. There's nothing enterprise about it. We could just install MariaDB from source on EC2 and do as well."

He then "began to wonder, Is there something that they're deliberately crippling?" Howard wouldn't go so far as to say AWS is consciously doing a poor job of implementing its MariaDB instances. Howard did say, "And then it became clear that, however, you want to articulate this, there is something not kosher happening." Howard doesn't have much against AWS promoting its own brands... But, if AWS's going out of its way to make a rival service look inferior to its own, well, Howard's not happy about that.

ZDNet adds that "it's also quite possible that unoptimized generic MariaDB instance will simply lag behind AWS-optimized Aurora.

"That said, even in this most innocent take on the benchmark results, cloud customers would be wise to take into consideration that cloud instances of any specific software service may not be created equal."

Google

Google's Sidewalk Labs Thinks a Reinvented Awning Will Fix Toronto's Winter (engadget.com) 61

One of the prototypes Alphabet's Sidewalk Labs is working on for its planned neighborhood on Toronto's waterfront is a hexagonal paving system. "The slabs are porous and heated, which may keep snow and ice at bay without salting," reports Engadget. "They're easy to replace, and include LED lights that can, for instance, help direct traffic flow during construction or mark street closures." From the report: Sidewalk will also demonstrate what it's calling a Building Raincoat, an awning it says will help protect sidewalks from wind, rain, sun and snow to make outdoor space usable throughout the year. It attaches to the sides of buildings and is fixed to ground anchors. It's made from a durable, lightweight and transparent plastic called ETFE (Ethylene Tetrafluoroethylene).

In addition, Sidewalk will have a number of art installations at the public event, which "use lighting, projection mapping, mud and other techniques to reflect on relationships between humans and animals in public space, and the broader connection of ecology and urbanism." Some of the works will be projected onto the awning. Along with the prototypes, Sidewalk will discuss some of its broader ideas about how to make its neighborhood livable and accessible, in part through affordable housing and its transit system.

Businesses

Favourite Player's Injured? Get a Refund (bbc.com) 131

An anonymous reader shares a report: Any sports fan will know, or at least appreciate, the disappointment of going to watch your team only to find that a top player has been left out. But what if you could pay an extra bit of money for your ticket -- say, 5-15% on top of the normal price -- and insure the cost of your ticket against such a situation? If your favourite player does not play, for whatever reason, you get your money back. That's the intriguing premise behind Fansure, a start-up currently based in Belmont, California. When I spoke to the firm's marketing manager, Tara Fan, she explained it in the context of a basketball game: "Some tickets are $300-$400 to go to a game. Typically, you're paying that to see someone like LeBron James, or Kevin Durant, or someone like that." It works like this: You buy the ticket as normal. Then, at least 48 hours before the game, you go to Fansure, and you pay them an added percentage. The amount reflects what Fansure thinks is the likelihood of your selected player appearing or not.

Someone like Durant for instance, rarely misses a game for the Golden State Warriors and so the premium would be relatively low. "It would only be, I would say, 8% of your ticket price," Ms Fan explained. "It's like... $30 to cover a $400 ticket. And so that's where the benefit rolls out." If Durant plays, you've wasted your $30, which Fansure pockets. If he doesn't, you still get to go and enjoy the game, and Fansure will refund you the entire amount of the ticket (but keeps the bit you paid for insurance).

The Courts

Lufthansa Sues Passenger Who Missed His Flight in an Apparent Bid To Clamp Down on 'Hidden City' Trick (cnn.com) 502

Airline Lufthansa has sued a passenger, who didn't show up for the last leg of his ticketed journey, in an apparent bid to clamp down on the "hidden city" trick. From a report: The practice involves passengers leaving their journey at a layover point, instead of making a final connection. For instance, someone flying from New York to San Francisco could book a cheaper trip from New York to Lake Tahoe with a layover in San Francisco and get off there, without bothering to take the last leg of the flight. According to a court document, an unnamed male passenger booked a return flight from Oslo to Seattle, which had a layover in Frankfurt. The passenger used all legs of the outbound flight, but did not catch the Frankfurt to Oslo return flight. He instead flew on a separate Lufthansa reservation from Frankfurt to Berlin. The report adds that a Berlin district court dismissed the case in December last year, but the airline company is now appealing that verdict. Worth noting here that United Airlines has also tried its luck on this front -- to no avail.

Businesses

Reddit, Banned In China, Is Reportedly Set To Land $150 Million Investment From a Chinese Censorship Powerhouse (gizmodo.com) 103

Reddit is about to get a huge new round of investment of up to $300 million. As Gizmodo points out, "the first $150 million is reportedly expected to come from the Chinese tech giant Tencent, the first ever Asian technology company to pass a $500 billion market value." The investment is complicated since Reddit is banned in China via the Great Firewall of China. Also, "Tencent is not merely a resident of China's internet -- the company is one of the most important architects of the Great Firewall," reports Gizmodo. "It's an interesting source of cash for a Silicon Valley company whose product is essentially speech." From the report: Tencent is, at great cost and ultimately for great profit, literally reinventing censorship in China. The Great Firewall was not built by the Communist Party in Beijing, it's built by the tech giants all around China. This opaque but clearly powerful relationship between the $500 billion company and the Chinese government raises interesting and unanswered questions about Tencent's forays into the West, including questions about Reddit's future.

The pending Chinese investment in Reddit, a social media company with relatively little Chinese-language community, is a richer twist on that old tale, and it's a part of Tencent's expanding global investment strategy. The Chinese company owns about 12 percent of Snap, for instance, even though Snapchat is banned in China. Tencent also owns a piece of the chat app Discord even though, you guessed it, Discord is blocked in China. If Tencent does kick in $150 million on a nearly $3 billion valuation for Reddit, as TechCrunch reports, it will be interesting if we ever find out exactly what it means. What kind of influence and position, if any, will Tencent gain at Reddit? Neither company responded to Gizmodo's questions.

Software

Modern Weather Forecasts Are Stunningly Accurate (theatlantic.com) 153

An anonymous reader quotes a report from The Atlantic: Meteorologists have never gotten a shiny magazine cover or a brooding Aaron Sorkin film, and the weather-research hub of Norman, Oklahoma, is rarely mentioned in the same breath as Palo Alto. But over the past few decades, scientists have gotten significantly -- even staggeringly -- better at predicting the weather. How much better? "A modern five-day forecast is as accurate as a one-day forecast was in 1980," says a new paper, published last week in the journal Science. "Useful forecasts now reach nine to 10 days into the future." "Modern 72-hour predictions of hurricane tracks are more accurate than 24-hour forecasts were 40 years ago," the authors write. The federal government now predicts storm surge, stream level, and the likelihood of drought. It has also gotten better at talking about its forecasts: As I wrote in 2017, the National Weather Service has dropped professional jargon in favor of clear, direct, and everyday language. "Everybody's improving, and they're improving a lot," says Richard Alley, an author of the paper and a geoscientist at Penn State.

Understanding months-long events like El Niño, for instance, has allowed meteorologists to go beyond the seven-day forecast. Alley, the Penn State professor, says that he is awed by the new models. Well-studied features of Earth's climate -- like the temperate Gulf Stream in the Atlantic Ocean -- emerge in computer models, even though developers have written code that only mimics basic physics. We are now surrounded by the products of these miraculous models. In 2009, a back-of-the-envelope study estimated that U.S. adults check the weather forecast about 300 billion times per year. Perhaps in all that checking we have forgotten how strange the forecast is, how almost supernatural it is that people can describe the weather before it happens. More than 1,000 years ago, the Spanish archbishop Agobard of Lyon argued that no witch could control the weather because only God could understand it. "Man does not know the paths of the clouds, nor their perfect knowledges," he wrote. He cited the Book of Job for authority, which asks: "Dost thou know when God caused the light of his cloud to shine? Dost thou know the balancings of the clouds ?"

Businesses

Amazon Begins Pulling Products From Its India Site as Local Government's Strict New Policies Go Into Effect (venturebeat.com) 56

An anonymous reader writes: Amazon and Walmart have been dealt a big blow in India, one of their most important markets, after the local government today declined a request to extend the deadline for the implementation of revised rules regarding how foreign ecommerce platforms sell goods and conduct business in the country. The local government, which revised its ecommerce policies in late December, prohibits Amazon and Flipkart from selling goods from companies in which they have a stake. The two companies were hoping the Department of Industrial Policy and Promotion, the government agency that issued the revised policies, would extend the February 1 deadline. But efforts to gain more time were unsuccessful. (At around 6:50 p.m. local time -- 8:20 a.m. Pacific -- the government said it won't be extending the deadline.)

Under the current laws, foreign-owned ecommerce companies are not allowed to sell directly to customers (in other words, to operate under an inventory-based model of ecommerce). Instead, they can only provide a marketplace that acts as "an information technology platform" and serves as a facilitator between "buyer and seller." To bypass this restriction, both Amazon and Flipkart, which sold a majority stake to Walmart last year, have acquired stakes in some of the biggest third-party sellers in the country. For instance, Amazon owns stakes in the parent companies of Cloudtail India and Appario Retail, while Flipkart until recently controlled WS Retail, the largest seller on its platform. The local government's revised policies closed that loophole.

Starting at 1:30 a.m. Friday local time, several Amazon-owned products, including select Echo smart speakers, as well as some travel bags, batteries, and chargers under its Basics brand, have become unavailable on Amazon's website.

Google

Google Glass is Still Around (nymag.com) 70

Google may have discontinued the sale of Google Glass years ago, but die-hard fans have not given up. From a report: Glassholes still exist, just not as boogeymen haunting the tech section of your newspaper. There's a small group of fans still talking and updating and buying and selling on Reddit. Somebody who picked up a pair for $150 and wants help using the device to display sheet music; somebody with questions about installing an older operating system onto Glass Enterprise; another person looking for foldable frames; somebody else trying to fix a broken device; people looking to buy, as well as a number of people asking if it's even worth it to spend any money on the now-defunct tech. (Spoiler: survey says it's not.) There is also, weirdly, somebody asking if Google nixed Google Glass "because 'someone' was made aware of the book 'The Circle' by Dave Eggers?"

Reading through the forum, it seems wrong to regard the dwindling frequenters of /r/googleglass as Glassholes. On the contrary, they seem to bust out their devices at incredibly appropriate moments. "I pretty much only use Glass for taking pictures/video while running/hiking or anywhere I don't have access to a phone or don't want to carry one," writes one Redditor. "It's a great way to capture highlights of a marathon, for instance, without having to stop and pull out a phone." "Text notifications. Phone calls whilst driving, pix and video while on the go," writes another.

Facebook

Facebook Is Shutting Down Moments (techcrunch.com) 41

Facebook Moments, the standalone mobile app designed to let users privately share photos and videos, is shutting down next month. "Facebook confirmed the app's services will end February 25," reports TechCrunch. "Facebook decided to end support for the app, which hasn't been updated in some time, because people weren't using it." From the report: Moments, which first launched in 2015, has seen some competition from other Facebook products recently, which might have led to its demise. For instance, Facebook built out its Stories feature, which includes a direct sharing option. That option, while designed for one-offs and not whole albums, did allow users to bypass the Moments app entirely in order to privately send photos with a select friend or friends. Users also have the option to share any of their photos from the app as Albums on Facebook. If someone downloads the app to an Album, the privacy setting will default to "Only Me" but a user always has the option to share it with friends. Facebook says it will continue to incorporate options for saving memories within the Facebook app, as well. "We're ending support for the Moments app, which we originally launched as a place for people to save their photos. We know the photos people share are important to them so we will continue offering ways to save memories within the Facebook app," Rushabh Doshi, director of product management said in a statement. If you're a Moments user, you should see a message warning you about the app's demise. You can either export your photos from any device, or create a private album on your Facebook account to retrieve your photos.

Emulation (Games)

Emulator Project Aims To Resurrect Classic Mac Apps, Games Without the OS (arstechnica.com) 74

An anonymous reader quotes a report from Ars Technica, written by Sean Gallagher: Want to be able to run classic Mac OS applications compiled for the Motorola 68000 series of processors on your ever-so-modern Mac OS X machine? Or maybe you'd rather run them on a Raspberry Pi, or an Android device for that matter? There's an emulation project that's trying to achieve just that: Advanced Mac Substitute (AMS). Advanced Mac Substitute is an effort by long-time Mac hacker Josh Juran to make it possible to run old Mac OS software (up to Mac OS 6) without a need for an Apple ROM or system software. Other emulators out there for 68000 Mac applications, such as Basilisk II, require a copy of Mac OS installation media -- such as install CDs from Mac OS 7.5 or Mac OS 8. But AMS uses a set of software libraries that allow old Mac applications to launch right within the operating environment of the host device, without needing to have a full virtual hardware and operating system instance behind them. And it's all open source.

I got a demo of AMS from Juran at Shmoocon in Washington, DC, this past weekend. He showed me an early attempt at getting the game LoadRunner to work with the emulator -- it's not yet interactive. A version of the project, downloadable from GitHub, includes a "Welcome" screen application (a sort of Mac OS "hello world"), Mac Tic-Tac-Toe, and an animation of NyanCat. Applications are launched from the command line for now and are executed by the emulation software, which interprets the system and firmware calls. Unfortunately, there's still a lot of work to be done. While AMS works on Mac OS X up to version 10.12 -- both on Intel and PowerPC versions of the operating system -- the code currently won't compile on macOS Mojave. And the Linux implementation of AMS does not yet support keyboard input. I was unable to get the front end to execute at all on Debian 9 on Intel.

Privacy

Online Casino Group Leaks Information on 108 Million Bets, Including User Details (zdnet.com) 13

An online casino group has leaked information on over 108 million bets, including details about customers' personal information, deposits, and withdrawals, ZDNet has learned. From the report: The data leaked from an ElasticSearch server that was left exposed online without a password, Justin Paine, the security researcher who discovered the server, told ZDNet. ElasticSearch is a portable, high-grade search engine that companies install to improve their web apps' data indexing and search capabilities. Last week, Paine came across one such ElasticSearch instance that had been left unsecured online with no authentication to protect its sensitive content. From a first look, it was clear to Paine that the server contained data from an online betting portal.

[...] After an analysis of the URLs spotted in the server's data, Paine and ZDNet concluded that all domains were running online casinos where users could place bets on classic cards and slot games, but also other non-standard betting games. Some of the domains that Paine spotted in the leaky server included kahunacasino.com, azur-casino.com, easybet.com, and viproomcasino.net, just to name a few.

United States

Shutdown Hits Industries Nationwide (wsj.com) 664

The partial government shutdown is affecting a wide range of business and financial concerns nationwide. From a report: Shuttered government offices are stalling the approval of new loans, initial public offerings, the processing of tax documents, and the approval of new products such as prescription drugs, among other effects. While some programs are reopening on a temporary basis or providing workarounds for affected companies, most services won't return to normal until the government fully reopens and 800,000 federal workers sift through the backlog.

Here is a round up of the impact: The partial closure of the Securities and Exchange Commission is delaying the ability of companies to open the IPO market. Companies that were seeking to list shares in January are delaying plans since the regulator has stopped reviewing and approving new and pending corporate registration statements. Airlines expect to have sluggish revenue growth in the first quarter in part because of revenue lost from government travel cancellations. Delta Air Lines Inc. Chief Executive Ed Bastian, for instance, said the shutdown would cost his airline $25 million in lost revenue from government travel. The U.S. Food and Drug Administration has dramatically curtailed inspections of domestic facilities at food-processing companies during the shutdown, though unpaid inspectors have resumed work inspecting higher-risk products such as fresh fruits and vegetables, eggs, seafood and dairy products.

At the Internal Revenue Service, the shutdown has created delays in getting some employer identification numbers, holding up some routine business deals. Some small-business loans are also stuck in limbo. The Small Business Administration has stopped approving routine loans that the agency backs to ensure entrepreneurs have access to funds, halting their plans for expansion and repairs and forcing some owners to consider costlier sources of cash. The government process for reviewing proposed mergers has been slowed by the shutdown, but it is still operating. Businesses that have government contracts are feeling the strain across a variety of industries, including the building of highways and bridges.

Security

200 Million Chinese Resumes Leak In Huge Database Breach (thenextweb.com) 70

According to a report from HackenProof, a database containing resumes of over 200 million job seekers in China was exposed last month. "The leaked info included not just the name and working experience of people, but also their mobile phone number, email, marriage status, children, politics, height, weight, driver license, and literacy level as well," reports The Next Web. From the report: Bob Diachenko, Director of Cyber Risk Research at Hacken.io and bug bounty platform HackenProof, found an unprotected instance of MongoDB containing these resumes on December 28. Diachenko found the resumes through the open-database search engines Shodan and BinaryEdge. The 854GB database didn't have any password protection and was open to anyone to read.

Diachenko wasn't able to identify who generated the database or who owned it, but a now-defunct GitHub code repository featured code that used an identical data structure to the leaked database. The database contained scraped data from multiple Chinese classified websites like bj.58.com. However, in a blog post, the website's spokesperson denied the leak. Interestingly, the database was taken down as soon as Diachenko posted about the database on Twitter. Sadly, the MongoDB log showed at least a dozen IP addresses that read the instance before it went off the grid.
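This MongoDB instance, the Verifications.io instance above, and the Elasticsearch server in the casino leak share one root cause: a database listening on a public interface with no authentication, which is exactly the condition Shodan and BinaryEdge index. The probe below is an added example, not the researchers' tooling or code from any of the reports quoted on this page. It speaks MongoDB's legacy OP_QUERY opcode, which servers of that era answer (MongoDB 5.1 and later accept OP_QUERY only for hello/isMaster, so against those the reply classifies as unknown), decodes the BSON subset such replies use, and keeps the network step separate from the classification so the classifier can be exercised on constructed replies. The address passed to probe_mongod and both sample replies are assumptions, not captures from the incidents.

```python
"""Added example (not the researchers' code): an offline-testable check for the
failure mode behind the MongoDB leaks above, a mongod that answers listDatabases
without credentials.  Legacy OP_QUERY opcode, BSON subset, standard library only."""
import socket
import struct

OP_REPLY, OP_QUERY = 1, 2004
FIXED = {0x01: "<d", 0x10: "<i", 0x11: "<Q", 0x12: "<q"}   # double, int32, timestamp, int64


def bson_encode(doc: dict) -> bytes:
    """Encode a dict as BSON (subset: bool, float, int32, str, dict, list)."""
    body = b""
    for name, val in doc.items():
        key = name.encode() + b"\x00"
        if isinstance(val, bool):                 # before int: bool is an int subclass
            body += b"\x08" + key + bytes([val])
        elif isinstance(val, float):
            body += b"\x01" + key + struct.pack("<d", val)
        elif isinstance(val, int):
            body += b"\x10" + key + struct.pack("<i", val)
        elif isinstance(val, str):
            s = val.encode() + b"\x00"
            body += b"\x02" + key + struct.pack("<i", len(s)) + s
        elif isinstance(val, dict):
            body += b"\x03" + key + bson_encode(val)
        elif isinstance(val, list):               # arrays are documents keyed "0", "1", ...
            body += b"\x04" + key + bson_encode({str(i): v for i, v in enumerate(val)})
        else:
            raise TypeError(f"unsupported value for {name}: {type(val)}")
    return struct.pack("<i", len(body) + 5) + body + b"\x00"   # size, elements, terminator


def decode_bson(buf: bytes, pos: int = 0):
    """Decode one BSON document at buf[pos]; returns (dict, offset after it)."""
    end = pos + struct.unpack_from("<i", buf, pos)[0] - 1    # offset of the final 0x00
    pos, out = pos + 4, {}
    while pos < end:
        t, nul = buf[pos], buf.index(b"\x00", pos + 1)
        name, pos = buf[pos + 1:nul].decode(), nul + 1
        if t in FIXED:                      # fixed-width numeric types
            val, pos = struct.unpack_from(FIXED[t], buf, pos)[0], pos + struct.calcsize(FIXED[t])
        elif t == 0x02:                     # string: int32 byte length including the NUL
            n = struct.unpack_from("<i", buf, pos)[0]
            val, pos = buf[pos + 4:pos + 3 + n].decode(), pos + 4 + n
        elif t == 0x05:                     # binary: int32 length, subtype byte, payload
            n = struct.unpack_from("<i", buf, pos)[0]
            val, pos = buf[pos + 5:pos + 5 + n], pos + 5 + n
        elif t in (0x03, 0x04):             # embedded document / array
            sub, pos = decode_bson(buf, pos)
            val = list(sub.values()) if t == 0x04 else sub
        elif t == 0x08:                     # bool
            val, pos = bool(buf[pos]), pos + 1
        else:
            raise ValueError(f"unsupported BSON type 0x{t:02x} in field {name}")
        out[name] = val
    return out, end + 1


def build_list_databases_query(request_id: int = 1) -> bytes:
    """OP_QUERY on admin.$cmd for {listDatabases: 1}: an authorizing mongod answers
    with error code 13 (Unauthorized), an open one with the database list."""
    body = (struct.pack("<i", 0) + b"admin.$cmd\x00"      # flags, fullCollectionName
            + struct.pack("<ii", 0, -1)                   # numberToSkip, numberToReturn
            + bson_encode({"listDatabases": 1}))
    return struct.pack("<iiii", 16 + len(body), request_id, 0, OP_QUERY) + body


def classify_reply(reply: bytes) -> str:
    """Map a raw OP_REPLY to 'open', 'auth-required' or 'unknown'."""
    hdr = struct.unpack_from("<iiii", reply, 0) if len(reply) >= 36 else None   # 16-byte header + 20 reply bytes
    if hdr is None or hdr[3] != OP_REPLY or hdr[0] != len(reply) or struct.unpack_from("<i", reply, 32)[0] < 1:
        return "unknown"
    doc, _ = decode_bson(reply, 36)
    if doc.get("ok") == 1.0 and "databases" in doc:
        return "open"
    return "auth-required" if doc.get("code") == 13 or doc.get("codeName") == "Unauthorized" else "unknown"


def probe_mongod(host: str, port: int = 27017, timeout: float = 5.0) -> str:
    """Connect, send the query, read exactly one reply and classify it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_list_databases_query())
            data = s.recv(4)
            total = struct.unpack("<i", data)[0] if len(data) == 4 else 0
            while 0 < len(data) < total:
                chunk = s.recv(total - len(data))
                if not chunk:
                    break
                data += chunk
            return classify_reply(data)
    except (OSError, ValueError, struct.error) as exc:
        return f"unreachable or unparseable ({exc})"


def build_reply(doc: dict, response_to: int = 1) -> bytes:
    """Wrap a document as mongod's OP_REPLY; used only to construct the samples below."""
    body = struct.pack("<iqii", 0, 0, 0, 1) + bson_encode(doc)   # flags, cursorID, startingFrom, numberReturned
    return struct.pack("<iiii", 16 + len(body), 2, response_to, OP_REPLY) + body


OPEN_REPLY = build_reply({"databases": [{"name": "marketing", "sizeOnDisk": 1.5e11, "empty": False}],
                          "totalSize": 1.5e11, "ok": 1.0})          # constructed sample, not a capture
LOCKED_REPLY = build_reply({"ok": 0.0, "errmsg": "command listDatabases requires authentication",
                            "code": 13, "codeName": "Unauthorized"})  # constructed sample, not a capture
```

Against a host you are authorized to test, probe_mongod("10.0.0.5") (an assumed address) returns "open" when listDatabases succeeds without credentials and "auth-required" when mongod answers with code 13. The check is worth running from outside the host rather than from localhost: a mongod bound to 0.0.0.0 with authorization disabled looks identical from the machine it runs on, which is how instances like the ones above end up indexed by Shodan.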

Electronic Frontier Foundation

Electric Scooter Rental Service Bird Sent a 'Notice of Claimed Infringement' To a News Site For Reporting On Lawful Re-use of Scooters (eff.org) 114

Bird, an electric scooter rental company, sent a "Notice of Claimed Infringement" to news blog Boing Boing for reporting about people doing legal things that Bird does not like. EFF reports: Electric scooters have swamped a number of cities across the US, many of the scooters carelessly discarded in public spaces. Bird, though, has pioneered a new way to pollute the commons by sending a meritless takedown letter to a journalist covering the issue. The company cites the Digital Millennium Copyright Act and implies that even writing about the issue could be illegal. It's not.

Bird sent a "Notice of Claimed Infringement" over this article on Boing Boing, one of the Internet's leading sources of news and commentary. The article reports on the fact that large numbers of Bird scooters are winding up in impound lots, and that it's possible to lawfully purchase these scooters when cities auction them off, and then to lawfully modify those scooters so they work without the Bird app. The letter is necessarily vague about exactly how the post infringed any of Bird's rights, and with good reason: the post does no such thing, as we explain in a letter on behalf of Happy Mutants LLC, which owns and operates Boing Boing.

The post reports on lawful activity, nothing more. In fact, the First Amendment would have protected it even if it reported on illegal conduct or advocated for people to break the law. (For instance, a person might lawfully advocate that an electric scooter startup should violate local parking ordinances. Hypothetically.) So, in a sense, it doesn't matter whether Bird is right or wrong when it claims that it's illegal to convert a Bird scooter to a personal scooter. Either way, Boing Boing was free to report on it.

AI

DARPA Wants To Build an AI To Find the Patterns Hidden in Global Chaos (techcrunch.com) 71

A new program at DARPA is aimed at creating a machine learning system that can sift through the innumerable events and pieces of media generated every day and identify any threads of connection or narrative in them. It's called KAIROS: Knowledge-directed Artificial Intelligence Reasoning Over Schemas. From a report: "Schema" in this case has a very specific meaning. It's the idea of a basic process humans use to understand the world around them by creating little stories of interlinked events. For instance, when you buy something at a store, you know that you generally walk into the store, select an item, bring it to the cashier, who scans it, then you pay in some way, and then leave the store. This "buying something" process is a schema we all recognize, and could of course have schemas within it (selecting a product; payment process) or be part of another schema (gift giving; home cooking).

Although these are easily imagined inside our heads, they're surprisingly difficult to define formally in such a way that a computer system would be able to understand. They're familiar to us from long use and understanding, but they're not immediately obvious or rule-bound, like how an apple will fall downwards from a tree at a constant acceleration. And the more data there are, the more difficult it is to define. Buying something is comparatively simple, but how do you create a schema for recognizing a cold war, or a bear market? That's what DARPA wants to look into.

Music

Album Sales Are Dying as Fast as Streaming Services Are Rising (rollingstone.com) 281

In 2018, Best Buy decided to stop selling CDs, with the change partly brought on by record labels' increasing reluctance to even issue them. Both choices are symptoms as well as causes of a seemingly inevitable trend: Buying music is now going out of style nearly as fast as streaming music is rising. From a report: In 2018, album sales fell 18.2 percent from the previous year and song sales fell 28.8 percent, according to U.S. year-end report figures from data company BuzzAngle, which tracks music consumption. Meanwhile, total on-demand music streams, including both audio and video, shot up 35.4 percent. Audio on-demand streams set a new record high in 2018 of 534.6 billion streams, which is up 42 percent from 2017's 376.9 billion streams.

It's tricky to compare the specific unit numbers of sales to streams -- since such a comparison would be pitting continuous playback of a certain piece of music against a one-time purchase of it -- but certain other milestones in the consumption market can help highlight just how much streaming is replacing physical sales and downloads in America. For instance: Even though total song downloads are still in the hundreds of millions, they're coming down in scale at the top. In 2018, there was not a single song that broke 1 million sales -- compared to 14 songs that reached that figure in 2017, 36 in 2016 and 60 in 2015. At the 2 million sales mark, two songs took that trophy in 2017, while five claimed it in 2016 and 16 songs made it in 2015, throwing the modest figures of this year's sales into even sharper relief.

Mozilla

Mozilla Thunderbird Outlines Plans For 2019: Addressing UI Lags, Performance Issues; Improved 3rd-Party Email Integration, Encryption Usability (mozilla.org) 115

For years, Mozilla has largely neglected development of Thunderbird, an email client it owns. But the company, which grew its team to eight staff last year, says it plans to address most of the issues that users have complained about and add six more people to Thunderbird staff this year, it said in a blog post. In the blog post Wednesday, the company said: Our hires are already addressing technical debt and doing a fair bit of plumbing when it comes to Thunderbird's codebase. Our new hires will also be addressing UI-slowness and general performance issues across the application. This is an area where I think we will see some of the best improvements in Thunderbird for 2019, as we look into methods for testing and measuring slowness -- and then put our engineers on architecting solutions to these pain points. Beyond that, we will be looking into leveraging new, faster technologies in rewriting parts of Thunderbird as well as working toward a multi-process Thunderbird.

[...] For instance, one area of usability that we are planning on addressing in 2019 is integration improvements in various areas. One of those is better Gmail support; as one of the biggest email providers, it makes sense to focus some resources on this area. We are looking at addressing Gmail label support and ensuring that other features specific to the Gmail experience translate well into Thunderbird. We are looking at improving notifications in Thunderbird, by better integrating with each operating system's built-in notification system. By working on this feature Thunderbird will feel more "native" on each desktop and will make managing notifications from the app easier.

The UX/UI around encryption and settings will get an overhaul in the coming year; whether or not all this work makes it into the next release is an open question -- but as we grow our team this will be a focus. It is our hope to make encrypting email and ensuring your private communication easier in upcoming releases; we've even hired an engineer who will be focused primarily on security and privacy.

Security

First-Ever UEFI Rootkit Tied To Sednit APT (threatpost.com) 168

Researchers hunting cyber-espionage group Sednit (an APT also known as Sofacy, Fancy Bear and APT28) say they have discovered the first-ever instance of a rootkit targeting the Unified Extensible Firmware Interface (UEFI) firmware of Windows systems in successful attacks. From a report: The discussion of Sednit was part of the 35C3 conference, and a session given by Frederic Vachon, a malware researcher at ESET who published a technical write-up on his findings earlier this fall [PDF]. During his session, Vachon said that finding a rootkit targeting a system's UEFI is significant, given that such malware lives in the motherboard's SPI flash memory rather than on disk, giving it both persistence (it survives an operating system reinstall or a hard drive replacement) and stealth.

"UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level," he said. The rootkit is named LoJax. The name is a nod to the underlying code, which is a modified version of Absolute Software's LoJack recovery software for laptops. The legitimate LoJack software helps the owner of a stolen laptop locate it without tipping off the thief: it hides in the system's UEFI firmware and stealthily beacons its whereabouts back to the owner for possible physical recovery of the laptop.
