CaptainDork shares a report from Motherboard: An Ethereum startup called Prodeum disappeared from the web on Sunday after raising a grand total of $11 USD from investors in a crowdsale. Shortly after the website disappeared, a message appeared on its homepage: "penis." Prodeum's website now redirects visitors to the Twitter account of a cryptocurrency trader (they did not immediately respond to our request for comment), and its Twitter account has been deactivated. Prodeum is at least the second Ethereum startup to pull up stakes after raising money from people in events called Initial Coin Offerings, or ICOs, in which a startup funds their enterprise by taking cryptocurrency from people in exchange for digital tokens. Some ICOs have managed to raise millions of dollars, and the last startup to vanish after conducting an ICO -- Confido, which disappeared from the internet in late 2017 -- made off with roughly $374,000. (A message later appeared on Confido's site stating that it would buy back investors' tokens, but it's unclear if that took place.)

Prodeum, by comparison, only seems to have raised $11 based on the Ethereum address that was advertised on Prodeum's site as being the ICO address. (Update: After this article was published the contents of the ICO wallet were sent to another wallet. That wallet contains roughly $100, with the other funds all coming from a single wallet that predates the Prodeum ICO and contains 46 cents.) Prodeum's pitch, according to a cached version of its webpage, was to track vegetables in a supply chain using digital addresses on a blockchain -- a decentralized ledger at the heart of Ethereum and other cryptocurrencies like Bitcoin. As for why the "penis" message was left on its homepage, it may have something to do with the name of the startup. Prodeum is a medication that treats urinary tract infections and other urinary problems...

An anonymous reader quotes a report from Bleeping Computer: A group of cyber-criminals created 28 fake ad agencies and bought over 1 billion ad views in 2017, which they used to deliver malicious ads that redirected unsuspecting users to tech support scams or sneaky pages peddling malware-laden software updates or software installers. The entire operation -- codenamed Zirconium -- appears to have started in February 2017, when the group started creating the fake ad agencies which later bought ad views from larger ad platforms. These fake ad agencies each had individual websites and even LinkedIn profiles for their fake CEOs. Their sole purpose was to interface with larger advertising platforms, appearing as legitimate businesses. Ad security company Confiant, the one who discovered this entire operation, says ads bought by this group reached 62% of ad-monetized websites on a weekly basis. All in all, Confiant believes that about 2.5 million users who've encountered Zirconium's malicious ads were redirected to a malicious site, with 95% of the victims being based in the U.S.

chicksdaddy shares a report from The Security Ledger: Billions of sensors that are already deployed lack protections against attacks that manipulate the physical properties of devices to cause sensors and embedded devices to malfunction, researchers working in the U.S. and China have warned. In an article in Communications of the ACM, researchers Kevin Fu of the University of Michigan and Wenyuan Xu of Zhejiang University warn that analog signals such as sound or electromagnetic waves can be used as part of "transduction attacks" to spoof data by exploiting the physics of sensors. Researchers say a "return to classic engineering approaches" is needed to cope with physics-based attacks on sensors and other embedded devices, including a focus on system-wide (versus component-specific) testing and the use of new manufacturing techniques to thwart certain types of transduction attacks.

"This is about uncovering the physics of cyber security and how some of the physical properties of systems have been abstracted to the point that we don't have a good way to describe the security of the system," Dr Fu told The Security Ledger in a conversation last week. That is particularly true of sensor driven systems, like those that will populate the Internet of Things. Cyberattacks typically target vulnerabilities in software such as buffer overflows or cross-site scripting. But transduction attacks target the physics of the hardware that underlies that software, including the circuit boards that discrete components are deployed on, or the materials that make up the components themselves. Although the attacks target vulnerabilities in the hardware, the consequences often arise as software systems, such as the improper functioning or denial of service to a sensor or actuator, the researchers said. Hardware and software have what might be considered a "social contract" that analog information captured by sensors will be rendered faithfully as it is transformed into binary data that software can interpret and act on it. But materials used to create sensors can be influenced by other phenomenon -- such as sound waves. Through the targeted use of such signals, the behavior of the sensor can be interfered with and even manipulated. "The problem starts with the mechanics or physics of the material and bubbles up into the operating system," Fu told The Security Ledger.

Google is releasing a new version of Chrome this week and it includes a number of new features, such as an improved ad blocker and Spectre mitigations. The best new feature in Chrome 64 is the ability to permanently mute websites that autoplay videos. This feature was teased for several months, but now it's finally here. The Independent reports: To mute a site that automatically plays videos, users will need click the View Site Information symbol, which may look like a green padlock, on the left-hand edge of the omnibar -- the address bar combined with the Google search box. Then they will need to select Sound. Once the website is muted, it will not automatically play videos with sound again until you unmute it.

An anonymous reader quotes a report from the BBC: Kim Dotcom, the founder of file-sharing site Megaupload, is suing the New Zealand government for billions of dollars in damages over his arrest in 2012. The internet entrepreneur is fighting extradition to the U.S. to stand trial for copyright infringement and fraud. Mr Dotcom says an invalid arrest warrant negated all charges against him. He is seeking damages for destruction to his business and loss of reputation. Accountants calculate that the Megaupload group of companies would be worth $10 billion today, had it not been shut down during the raid. As he was a 68% shareholder in the business, Mr Dotcom has asked for damages going up to $6.8 billion. He is also considering taking similar action against the Hong Kong government. As stated in documents filed with the High Court, Mr Dotcom is also seeking damages for: all lost business opportunities since 2012, his legal costs, loss of investments he made to the mansion he was renting, his lost opportunity to purchase the mansion, and loss of reputation.

An anonymous shares a report: The National Security Agency maintains a page on its website that outlines its mission statement. But earlier this month, the agency made a discreet change: It removed "honesty" as its top priority. Since at least May 2016, the surveillance agency had featured honesty as the first of four "core values" listed on NSA.gov, alongside "respect for the law," "integrity," and "transparency." The agency vowed on the site to "be truthful with each other." On January 12, however, the NSA removed the mission statement page -- which can still be viewed through the Internet Archive -- and replaced it with a new version. Now, the parts about honesty and the pledge to be truthful have been deleted. The agency's new top value is "commitment to service," which it says means "excellence in the pursuit of our critical mission." Those are not the only striking alterations. In its old core values, the NSA explained that it would strive to be deserving of the "great trust" placed in it by national leaders and American citizens. It said that it would "honor the public's need for openness." But those phrases are now gone; all references to "trust," "honor," and "openness" have disappeared.

Google has cracked down on Fire TV users once again. Today, the technology company blocked Silk and Firefox browsers from displaying the YouTube.com interface usually shown on large screens. Cord Cutters News reports: Now if you try to access YouTube.com/TV on a Fire TV through the Firefox or Silk browser you will be redirected to the desktop version of the site. According to Elias Saba from AFTVnews, "By blocking access to the version of YouTube made for television browsers, Google has deliberately made browsing their website an unusable experience on Amazon Fire TVs, Fire TV Sticks, and Fire TV Edition televisions." This fight over YouTube and Amazon has been going on for some time. The standoff heated up in early December as Google announced plans to pull the YouTube app from the Fire TV on January 1st 2018. Amazon responded by adding a browser to allow access to the web version on the Fire TV. Now Google has countered by blocking the Fire TV's browsers from accessing the made-for-TV edition of YouTube.com. Back on December 15th, The Verge reported that Google and Amazon are in talks to keep YouTube on the Fire TV, but as of today it looks like nothing has come from these talks.

Tom Warren, writing for The Verge: Chrome now has the type of dominance that Internet Explorer once did, and we're starting to see Google's own apps diverge from supporting web standards much in the same way Microsoft did a decade and a half ago. Whether you blame Google or the often slow moving World Wide Web Consortium (W3C), the results have been particularly evident throughout 2017. Google has been at the center of a lot of "works best with Chrome" messages we're starting to see appear on the web. Google Meet, Allo, YouTube TV, Google Earth, and YouTube Studio Beta all block Windows 10's default browser, Microsoft Edge, from accessing them and they all point users to download Chrome instead. Some also block Firefox with messages to download Chrome. Hangouts, Inbox, and AdWords 3 were all in the same boat when they first debuted.

It's led to one developer at Microsoft to describe Google's behavior as a strategic pattern. "When the largest web company in the world blocks out competitors, it smells less like an accident and more like strategy," said a Microsoft developer in a now-deleted tweet. Google also controls the most popular site in the world, and it regularly uses it to push Chrome. If you visit Google.com in a non-Chrome browser you're prompted up to three times if you'd like to download Chrome. Google has also even extended that prompt to take over the entire page at times to really push Chrome in certain regions. Microsoft has been using similar tactics to convince Windows 10 users to stick with Edge. The troubling part for anyone who's invested in an open web is that Google is starting to ignore a principle it championed by making its own services Chrome-only -- even if it's only initially.

"The movement to encrypt the web reached milestone after milestone in 2017," writes the EFF, adding that "the web is in the middle of a massive change from non-secure HTTP to the more secure, encrypted HTTPS protocol." In February, the scales tipped. For the first time, approximately half of Internet traffic was protected by HTTPS. Now, as 2017 comes to a close, an average of 66% of page loads on Firefox are encrypted, and Chrome shows even higher numbers. At the beginning of the year, Let's Encrypt had issued about 28 million certificates. In June, it surpassed 100 million certificates. Now, Let's Encrypt's total issuance volume has exceeded 177 million certificates...

Browsers have been pushing the movement to encrypt the web further, too. Early this year, Chrome and Firefox started showing users "Not secure" warnings when HTTP websites asked them to submit password or credit card information. In October, Chrome expanded the warning to cover all input fields, as well as all pages viewed in Incognito mode. Chrome has eventual plans to show a "Not secure" warning for all HTTP pages... The next big step in encrypting the web is ensuring that most websites default to HTTPS without ever sending people to the HTTP version of their site. The technology to do this is called HTTP Strict Transport Security (HSTS), and is being more widely adopted. Notably, the registrar for the .gov TLD announced that all new .gov domains would be set up with HSTS automatically...

The Certification Authority Authorization (CAA) standard became mandatory for all CAs to implement this year... [And] there's plenty to look forward to in 2018. In a significant improvement to the TLS ecosystem, for example, Chrome plans to require Certificate Transparency starting next April.

Dangerous_Minds shares a report from ThreatPost: Ancestry.com said it closed portions of its community-driven genealogy site RootsWeb as it investigated a leaky server that exposed 300,000 passwords, email addresses and usernames to the public internet. In a statement issued over the weekend, Chief Information Security Officer of Ancestry.com Tony Blackham said a file containing the user data was publicly exposed on a RootsWeb server. On Wednesday, Ancestry.com told Threatpost it believed the data was exposed on November 2015. The data resided on RootsWeb's infrastructure, and is not linked to Ancestry.com's site and services. Ancestry.com said RootsWeb has "millions" of members who use the site to share family trees, post user-contributed databases and host thousands of messaging boards. The company said RootsWeb doesn't host sensitive information such as credit card data or social security numbers. It added, there are no indications data exposed to the public internet has been accessed by a malicious third party. The company declined to specify how and why the data was stored insecurely on the server. "Approximately 55,000 of these were used both on RootsWeb and one of the Ancestry sites, and the vast majority of those were from free trial or currently unused accounts. Additionally, we found that about 7,000 of those password and email address combinations matched credentials for active Ancestry customers," Blackham wrote.

An anonymous reader writes: Princeton privacy experts are warning that advertising and analytics firms can secretly extract site usernames from browsers using hidden login fields and tie non-authenticated users visiting a site with their profiles or emails on that domain. This type of abusive behavior is possible because of a design flaw in the login managers included with all browsers. Experts say that web trackers can embed hidden login forms on sites where the tracking scripts are loaded. Because of the way the login managers work, the browser will fill these fields with the user's login information, such as username and passwords.

The trick is an old one, known for more than a decade but until now it's only been used by hackers trying to collect login information during XSS (cross-site scripting) attacks. Princeton researchers say they recently found two web tracking services that utilize hidden login forms to collect login information. The two services are Adthink (audienceinsights.net) and OnAudience (behavioralengine.com), and Princeton researchers said they identified scripts from these two that collected login info on 1,110 sites found on the Alexa Top 1 Million sites list. A demo page has been created to show how the tracking works.

According to The Wall Street Journal, Uber is selling its Xchange Leasing unit to the car marketplace Fair.com. "It reportedly won't be a clean break," reports Engadget. "Uber will both take a stake in Fair and point would-be drivers to the site through its app. Fair, in return, will offer jobs to roughly 150 workers affected by the switch. Other companies in the running had included Avis Budget Group (yes, the car rental agency), activist investor Carl Icahn's self-titled Icahn Enterprises, Innovate Auto Finance and two capital investment firms."

An anonymous reader quotes a report from Los Angeles Times: In the heated competition between airlines in the U.S., JetBlue Airways offers an extra perk that is pretty alluring to most travelers: Free, high-speed wireless internet. For that reason, an internet comparison site named JetBlue as the top domestic airline for overall WiFi service, followed by rivals Southwest Airlines, Delta Air Lines and Virgin America. The ranking by Highspeedinternet.com considered not only the speed of the connection but the cost and the availability on every plane. JetBlue won the top spot because the New York-based carrier offers free WiFi with speeds of 15 megabits per second on 78% of its fleet, according to the ranking. Southwest Airlines ranked second because it offers WiFi at speeds of up to 10 Mbps for $8 per flight on 90% of its fleet.

If you want to be assured to have WiFi on your next flight, Virgin America is the only domestic carrier that offers internet connections on 100% of its fleet, for a price of up to $25, depending on the length of the flight. Virgin America's WiFi speed is 15 Mbps, which is considered fast enough to stream movies and television shows. Don't care about connecting to the internet? Frontier, Hawaiian and Spirit Airways are the only three major U.S. carriers that offer no onboard WiFi at all, according to the ranking.

An anonymous reader quotes a report from Gizmodo: We The People, the petition section of the White House's website, is shutting down for a promised January relaunch. First launched in 2011 under then-President Obama, We The People pledged to provide a White House response to any petition which garnered 100,000 or more signatures within 30 days. The 200+ petitions that have received an official response have largely been unremarkable, leading to revelations like the White House's official beer recipe or condemnations (in word only) of groups like the Westboro Baptist Church. In short, the site has functioned as a PR tool for fostering good will -- one that the Trump administration has reportedly considered killing since April and now appears to be sluggishly getting around to putting in the ground.

"To improve this site's performance, the platform is currently down for maintenance and will return in late January," the site now reads. "All existing petitions and associated signatures have been preserved and will be available when the site is relaunched. Following the site's relaunch, petitions that have reached the required number of signatures will begin receiving responses." Further reading: The New York Times

An anonymous reader writes: Just days before voting to repeal net neutrality regulations, FCC chairman Ajit Pai introduced a comedy video at the annual gathering of the Federal Communications Bar Association -- and it offered its own self-disparaging version of Pai's tenure as a Verizon attorney in 2003. "We want to brainwash and groom a Verizon puppet to install as FCC chairman," says a real-world Verizon executive appearing in the videotaped skit. "That sounds awesome," Pai responds.

And the day of the vote Pai also appeared in another trying-to-be-funny video on the conservative site The Daily Caller demonstrating "seven things you can still do on the internet after net neutrality." In the first image he's holding a fidget spinner and dressed as Santa Claus, and the unmistakably patronizing video reminds critics that they can still upload photos of their meals to Instagram and "post photos of cute animals, like puppies." He also demonstrated that net neutrality critics can still stay part of their favorite fan communities -- by showing himself holding a light saber. And this unexpectedly drew the wrath of Star Wars actor Mark Hamill, who responded on Twitter by calling him "Ajit 'Aren't I Precious?' Pai."

Hamill also added that "you are profoundly unworthy 2 wield a lightsaber. A Jedi acts selflessly for the common man, NOT lie 2 enrich giant corporations." When U.S. Senator Ted Cruz responded -- likening government overreach to Darth Vader and urging Hamill to "reject the dark side" -- Hamill responded again, complaining that the Senator was "smarm-splaining." Hamill also added, "you'd have more credibility if you spelled my name correctly. I mean IT'S RIGHT THERE IN FRONT OF YOU! Maybe you're just distracted from watching porn at the office again."
The Houston Chronicle reports that the newest meme on Twitter is now Pai's over-sized coffee mug stamped with the logo for Reese's Peanut Butter cups, "which he occasionally sipped from during the widely-criticized reversal." The Dangerous Minds site notes that some angry net neutrality supporters have even taken their complaints to Reese's Facebook page, adding "Perhaps these protester's pleas to the candy company are simply a misguided hope that someone, ANYONE will listen to their frustration."

"Clearly, the FCC wasn't listening to the estimated 83% of Americans who support net neutrality."

"Gawker may soon return from the dead," reports TechCrunch. While Univision acquired most of Gawker Media's sites last year (and renamed them as the Gizmodo Media Group), the deal didn't include Gawker itself. In fact, BuzzFeed reported last month that a bankruptcy administrator has not been able to find a buyer for the Gawker site, and that lawyers for Peter Thiel (the billionaire venture capitalist who helped fund the lawsuit that led to Gawker's bankruptcy) were arguing that he'd been unfairly excluded from the process. Now a group of former Gawker employees calling themselves the Gawker Foundation has launched a Kickstarter campaign to buy the old domain and relaunch with a nonprofit, membership-funded model.
"The truth is often inconvenient, and Gawker's work isn't done," explains a mirror of their campaign site at SaveGawker.com. "We want to dig deeper." $10 pledges get you a laptop sticker, $250 pledges earn you an invite to their glorious re-launch party, and to solicit $10,000 pledges they're even asking wealthy backers to "Give us half of one bitcoin."

"By setting ourselves up as an ownerless, advertiser-less, non-profit media organization, the editorial team will be able to do what they do best. More than a dozen Gawker Media alumni are involved in this project..."

Chrome 64 is now in beta and it has several new features over version 63. In addition to a stronger pop-up blocker and support for HDR video playback when Windows 10 is in HDR mode, Chrome 64 features sitewide audio muting to block sound when navigating to other pages within a site. 9to5Google reports: An improved pop-up blocker in Chrome 64 prevents sites with abusive experiences -- like disguising links as play buttons and site controls, or transparent overlays -- from opening new tabs or windows. Meanwhile, as announced in November, other security measures in Chrome will prevent malicious auto-redirects. Beginning in version 64, the browser will counter surprise redirects from third-party content embedded into pages. The browser now blocks third-party iframes unless a user has directly interacted with it. When a redirect attempt occurs, users will remain on their current page with an infobar popping up to detail the block. This version also adds a new sitewide audio muting setting. It will be accessible from the permissions dropdown by tapping the info icon or green lock in the URL bar. This version also brings support for HDR video playback when Windows 10 is in HDR mode. It requires the Windows 10 Fall Creator Update, HDR-compatible graphics card, and display. Meanwhile, on Windows, Google is currently prototyping support for an operating system's native notification center. Other features include a new "Split view" feature available on Chrome OS. Developers will also be able to take advantage of the Resize Observer API to build responsive sites with "finger control to observe changes to sizes of elements on a page."

Freshly Exhumed shares a report from Straight: A report released this week by the Ministry of Innovation, Science, and Economic Development (ISED) confirms that Canada ranks among the top three most costly countries for mobile wireless plans. Comparing the U.K, Italy, France, Australia, Japan, and the U.S. on six tiers of pricing -- which looked at talk-time, texts, and data -- the document shows that Canada has the most expensive mid-range and higher-tier plans in the world. "It is unacceptable that Canadians continue to pay ever-rising prices year after year for something as critical as mobile communications services," said Katy Anderson, Digital Rights Advocate at OpenMedia.

An anonymous reader shares a report (condensed for space): Online streaming is a win for the environment. Streaming music eliminates all that physical material -- CDs, jewel cases, cellophane, shipping boxes, fuel -- and can reduce carbon-dioxide emissions by 40 percent or more. Scientists who analyze the environmental impact of the internet tout the benefits of this "dematerialization," observing that energy use and carbon-dioxide emissions will drop as media increasingly can be delivered over the internet. But this theory might have a major exception: porn. Since the turn of the century, the pornography industry has experienced two intense hikes in popularity. In the early 2000s, broadband enabled higher download speeds. Then, in 2008, the advent of so-called tube sites allowed users to watch clips for free, like people watch videos on YouTube. Adam Grayson, the chief financial officer of the adult company Evil Angel, calls the latter hike "the great mushroom-cloud porn explosion of 2008." Precise numbers don't exist to quantify specifics, but the impression across the industry is that viewership is way, way up. Pornhub, the world's most popular porn site, provides some of the only accessible data on its yearly web-traffic report. The first Year In Review post in 2013 tabulated that 14.7 billion people visited the site. By 2016, the number of visitors had almost doubled, to 23 billion, and those visitors watched more than 4.59 billion hours of porn. And Pornhub is just one site. Using a formula that Netflix published on its blog in 2015, Nathan Ensmenger, a professor at Indiana University who is writing a book about the environmental history of the computer, calculates that if Pornhub streams video as efficiently as Netflix (0.0013 kWh per streaming hour), it used 5.967 million kWh in 2016. For comparison, that's about the same amount of energy 11,000 light bulbs would use if left on for a year. And operating with Netflix's efficiency would be a best-case scenario for the porn site, Ensmenger believes.

Three hackers responsible for creating the massive Mirai botnet that knocked large swathes of the internet offline last year have pleaded guilty. Brian Krebs reports: The U.S. Justice Department on Tuesday unsealed the guilty pleas of two men (Editor's note: three men) first identified in January 2017 by KrebsOnSecurity as the likely co-authors of Mirai, a malware strain that remotely enslaves so-called "Internet of Things" devices such as security cameras, routers, and digital video recorders for use in large scale attacks designed to knock Web sites and entire networks offline (including multiple major attacks against this site). Entering guilty pleas for their roles in developing and using Mirai are 21-year-old Paras Jha from Fanwood, N.J. and Josiah White, 20, from Washington, Pennsylvania. Jha and White were co-founders of Protraf Solutions LLC, a company that specialized in mitigating large-scale DDoS attacks. Like firemen getting paid to put out the fires they started, Jha and White would target organizations with DDoS attacks and then either extort them for money to call off the attacks, or try to sell those companies services they claimed could uniquely help fend off the attacks. Editor's note: The story was updated to note that three men have pleaded guilty. -- not two as described in some reports.