United States

Saving History With Sandbags: Climate Change Threatens the Smithsonian (nytimes.com) 125

President Warren Harding's blue silk pajamas. Muhammad Ali's boxing gloves. The Star-Spangled Banner, sewn by Mary Pickersgill. Scripts from the television show "M*A*S*H." Nearly two million irreplaceable artifacts that tell the American story are housed in the National Museum of American History, part of the Smithsonian Institution, the biggest museum complex in the world. Now, because of climate change, the Smithsonian stands out for another reason: Its cherished buildings are extremely vulnerable to flooding, and some could eventually be underwater. From a report: Eleven palatial Smithsonian museums and galleries form a ring around the National Mall, the grand two-mile park lined with elms that stretches from the Lincoln Memorial to the U.S. Capitol. But that land was once marsh. And as the planet warms, the buildings face two threats. Rising seas will eventually push in water from the tidal Potomac River and submerge parts of the Mall, scientists say. More immediately, increasingly heavy rainstorms threaten the museums and their priceless holdings, particularly since many are stored in basements. At the American History Museum, water is already intruding.

It gurgles up through the floor in the basement. It finds the gaps between ground-level windows, puddling around exhibits. It sneaks into the ductwork, then meanders the building and drips onto display cases. It creeps through the ceiling in locked collection rooms, thief-like, and pools on the floor. Staff have been experimenting with defenses: Candy-red flood barriers lined up outside windows. Sensors that resemble electronic mouse traps, deployed throughout the building, that trigger alarms when wet. Plastic bins on wheels, filled with a version of cat litter, to be rushed back and forth to soak up the water. So far, the museum's holdings have escaped damage. But "We're kind of in trial and error," said Ryan Doyle, a facilities manager at the Smithsonian. "It's about managing water." An assessment of the Smithsonian's vulnerabilities, released last month, reveals the scale of the challenge: Not only are artifacts stored in basements in danger, but floods could knock out electrical and ventilation systems in the basements that keep the humidity at the right level to protect priceless art, textiles, documents and specimens on display. Of all its facilities, the Smithsonian ranks American History as the most vulnerable, followed by its next door neighbor, the National Museum of Natural History.

AI

Nvidia's Riva Custom Voice Lets Companies Create Custom Voices Powered by AI (venturebeat.com) 26

At its fall 2021 GPU Technology Conference (GTC), Nvidia unveiled Riva Custom Voice, a new toolkit that the company claims can enable customers to create custom, "human-like" voices with only 30 minutes of speech recording data. From a report: According to Nvidia, businesses can use Riva Custom Voice to develop a virtual assistant with a unique voice, while call centers and developers can leverage it to launch brand voices and apps to support people with speech and language disabilities. Brand voices like Progressive's Flo are often tasked with recording phone trees and e-learning scripts for corporate training video series. For companies, the costs can add up -- one source pegs the average hourly rate for voice actors at $39.63, plus additional fees for interactive voice response (IVR) prompts. Synthesis could boost actors' productivity by cutting down on the need for additional recordings, potentially freeing the actors up to pursue more creative work -- and saving businesses money in the process. For example, Progressive used AI to create a Facebook Messenger chatbot with the voice of Stephanie Courtney, who plays Flo. KFC in Canada built a voice in a Southern U.S. English accent for the chain's ambassador, Colonel Sanders, in the company's Amazon Alexa app. Duolingo is employing AI to create voices for characters in its language learning apps. And National Australia Bank has deployed an AI-powered Australian English voice for the customers who call into its contact centers.

Bug

'Trojan Source' Bug Threatens the Security of All Code (krebsonsecurity.com) 88

"Virtually all compilers -- programs that transform human-readable source code into computer-executable machine code -- are vulnerable to an insidious attack in which an adversary can introduce targeted vulnerabilities into any software without being detected," warns cybersecurity expert Brian Krebs in a new report. An anonymous reader shares an excerpt: Researchers with the University of Cambridge discovered a bug that affects most computer code compilers and many software development environments. At issue is a component of the digital text encoding standard Unicode, which allows computers to exchange information regardless of the language used. Unicode currently defines more than 143,000 characters across 154 different language scripts (in addition to many non-script character sets, such as emojis). Specifically, the weakness involves Unicode's bi-directional or "Bidi" algorithm, which handles displaying text that includes mixed scripts with different display orders, such as Arabic -- which is read right to left -- and English (left to right). But computer systems need to have a deterministic way of resolving conflicting directionality in text. Enter the "Bidi override," which can be used to make left-to-right text read right-to-left, and vice versa.

"In some scenarios, the default ordering set by the Bidi Algorithm may not be sufficient," the Cambridge researchers wrote. "For these cases, Bidi override control characters enable switching the display ordering of groups of characters." Bidi overrides enable even single-script characters to be displayed in an order different from their logical encoding. As the researchers point out, this fact has previously been exploited to disguise the file extensions of malware disseminated via email. Here's the problem: Most programming languages let you put these Bidi overrides in comments and strings. This is bad because most programming languages allow comments within which all text -- including control characters -- is ignored by compilers and interpreters. Also, it's bad because most programming languages allow string literals that may contain arbitrary characters, including control characters.

"So you can use them in source code that appears innocuous to a human reviewer [that] can actually do something nasty," said Ross Anderson, a professor of computer security at Cambridge and co-author of the research. "That's bad news for projects like Linux and Webkit that accept contributions from random people, subject them to manual review, then incorporate them into critical code. This vulnerability is, as far as I know, the first one to affect almost everything." The research paper, which dubbed the vulnerability "Trojan Source," notes that while both comments and strings will have syntax-specific semantics indicating their start and end, these bounds are not respected by Bidi overrides. [...] Anderson said such an attack could be challenging for a human code reviewer to detect, as the rendered source code looks perfectly acceptable. "If the change in logic is subtle enough to go undetected in subsequent testing, an adversary could introduce targeted vulnerabilities without being detected," he said. Equally concerning is that Bidi override characters persist through the copy-and-paste functions on most modern browsers, editors, and operating systems.

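The check a reviewer or CI job wants for the Trojan Source problem described above is a scan of source text for Bidi control characters, and in particular for overrides that are opened inside a line and never closed. The following is an added example, not code from the Cambridge paper or from any project; the sample source it scans is constructed here in the shape of the paper's stretched-string trick, and the control-character names are the standard Unicode abbreviations.

```python
# Unicode Bidi control characters. Openers change the display order of what
# follows; closers end that effect. An opener left unclosed inside a comment
# or string literal keeps reordering text past the token's visible end.
BIDI_OPENERS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
}
BIDI_CLOSERS = {"\u202c": "PDF", "\u2069": "PDI"}
BIDI_ALL = {**BIDI_OPENERS, **BIDI_CLOSERS}


def find_bidi_controls(source):
    """Return (line, col, name) for every Bidi control character in source,
    1-based so the result can be pasted into an editor or a CI annotation."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_ALL:
                hits.append((lineno, col, BIDI_ALL[ch]))
    return hits


def unterminated_lines(source):
    """Lines on which more Bidi openers than closers appear. Legitimate
    right-to-left text normally closes its overrides; a reordering that
    runs to the end of the line is the Trojan Source shape."""
    bad = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        depth = 0
        for ch in line:
            if ch in BIDI_OPENERS:
                depth += 1
            elif ch in BIDI_CLOSERS and depth > 0:
                depth -= 1
        if depth > 0:
            bad.append(lineno)
    return bad


def strip_bidi_controls(source):
    """Remove the control characters so what is shown is the logical order
    the interpreter actually sees."""
    return "".join(ch for ch in source if ch not in BIDI_ALL)


# Constructed sample (not from the paper or any project). The string literal
# on line 2 contains RLO, LRI, a fake comment, PDI and LRI, so a Bidi-aware
# editor renders the closing quote before the "# check if admin" text, while
# the interpreter compares against a literal that contains all of it and is
# therefore never equal to 'user'.
SAMPLE = (
    "access_level = 'user'\n"
    "if access_level != 'user\u202e \u2066# check if admin\u2069 \u2066':\n"
    "    grant_admin()\n"
)


def sample_grants_admin():
    """Run the sample: grant_admin() fires for an ordinary user."""
    ns = {"granted": False}

    def grant_admin():
        ns["granted"] = True

    ns["grant_admin"] = grant_admin
    exec(SAMPLE, ns)
    return ns["granted"]


if __name__ == "__main__":
    for line, col, name in find_bidi_controls(SAMPLE):
        print(f"line {line} col {col}: {name}")
    print("unterminated override on lines:", unterminated_lines(SAMPLE))
    print("sample grants admin:", sample_grants_admin())
```

Run find_bidi_controls over every file a reviewer will read, and fail the build on unterminated_lines; projects that legitimately carry RTL text in strings can allow-list files rather than characters, since a properly closed override is the usual sign of honest use.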
Java

About 26% of All Malicious JavaScript Threats Are Obfuscated (bleepingcomputer.com) 18

Akamai researchers have analyzed 10,000 JavaScript samples including malware droppers, phishing pages, scamming tools, Magecart snippets, cryptominers, etc. At least 26% of them use some form of obfuscation to evade detection, indicating an uptick in the adoption of this basic yet effective technique. BleepingComputer reports: Obfuscation is the conversion of readable source code into hard-to-understand code that still behaves as intended. Threat actors commonly use it to make malicious scripts harder to analyze and to bypass security software. It can be achieved in various ways: injecting unused code into a script, splitting the code into unconnected chunks that are concatenated back together at runtime, or using hexadecimal encodings and confusingly similar function and variable names.

But not all obfuscation is malicious. As the report explains, about 0.5% of the 20,000 top-ranking websites on the web (according to Alexa) also use obfuscation techniques. Detecting malicious code solely on the basis that it is obfuscated is therefore not enough; the obfuscation has to be correlated with malicious functionality. This overlap with legitimate deployments is precisely what makes detection of risky code challenging, and it is the reason obfuscation is becoming so widespread in the threat landscape.
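
Triage logic of the kind the report implies, written here as an added example rather than Akamai's own tooling: each heuristic maps to one technique named above (hex-encoded strings, percent-encoded strings, split-and-concatenate strings, dynamic evaluation, very long lines, obfuscator-style identifiers). The thresholds and the two JavaScript samples are constructed for illustration, and the output is a triage signal only; per the report's own caveat, a high score means "analyze the behaviour", not "malicious".

```python
import re

# One regex per technique the report names. These are triage heuristics,
# not a malice verdict: the same report notes legitimate sites obfuscate too.
HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
PERCENT_ENCODED = re.compile(r"%[0-9a-fA-F]{2}")
STRING_CONCAT = re.compile(r"""['"]\s*\+\s*['"]""")         # "ev"+"al" style splitting
DYNAMIC_EVAL = re.compile(r"\b(?:eval|Function|unescape|atob)\s*\(")
OBFUSCATOR_IDENT = re.compile(r"\b_0x[0-9a-fA-F]+\b")        # names typical of JS obfuscators

# Thresholds are assumptions chosen for this example, not figures from Akamai.
THRESHOLDS = {
    "hex_escapes": 5,
    "percent_encoded": 5,
    "string_concats": 3,
    "dynamic_eval": 1,
    "longest_line": 200,
    "obfuscator_idents": 2,
}


def obfuscation_features(js):
    """Count how often each obfuscation technique shows up in the script."""
    return {
        "hex_escapes": len(HEX_ESCAPE.findall(js)),
        "percent_encoded": len(PERCENT_ENCODED.findall(js)),
        "string_concats": len(STRING_CONCAT.findall(js)),
        "dynamic_eval": len(DYNAMIC_EVAL.findall(js)),
        "longest_line": max((len(line) for line in js.splitlines()), default=0),
        "obfuscator_idents": len(OBFUSCATOR_IDENT.findall(js)),
    }


def obfuscation_score(js):
    """Number of heuristics (0..6) that fire, plus the raw counts.
    A split string such as "ev"+"al" defeats the DYNAMIC_EVAL regex on its
    own, which is why the concatenation heuristic exists beside it."""
    features = obfuscation_features(js)
    score = sum(1 for key, limit in THRESHOLDS.items() if features[key] >= limit)
    return score, features


def triage(js, cutoff=3):
    """Route the sample: obfuscation alone only earns it deeper analysis."""
    score, _ = obfuscation_score(js)
    if score >= cutoff:
        return "obfuscated: send to sandbox/behavioural analysis"
    return "plain: no obfuscation signal"


# Constructed samples (not from the Akamai data set).
BENIGN = """
function showGreeting(name) {
  var message = "Hello, " + name + "!";
  document.getElementById("greeting").textContent = message;
}
showGreeting("world");
"""

OBFUSCATED = (
    r'var _0x1a=["\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72",'
    r'"\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65"];'
    r'var c="ev"+"al",d="un"+"esc"+"ape";'
    r'window[c](window[d]("%61%6c%65%72%74%28%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%29"));'
    r'eval(String[_0x1a[1]](0x61,0x6c));'
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("obfuscated", OBFUSCATED)):
        score, features = obfuscation_score(sample)
        print(label, score, features, triage(sample))
```

The regexes run on the raw text and know nothing about JavaScript syntax, so a minified but honest library can trip the long-line heuristic; that is acceptable for triage because the next stage (sandboxing or manual review) is what decides maliciousness, exactly the correlation step the report calls for.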

Security

New 'FontOnLake' Malware Family Can Target Linux Systems (securityweek.com) 26

Security Week reports: A previously unknown, modular malware family that targets Linux systems has been used in targeted attacks to collect credentials and gain access to victim systems, ESET reported on Thursday. Dubbed FontOnLake, the malware family employs a rootkit to conceal its presence and uses different command and control servers for each sample, which shows how careful its operators are to maintain a low profile.

What's more, the malware developers are constantly modifying the FontOnLake modules, and use three categories of components that have been designed to work together, namely trojanized applications, backdoors, and rootkits.

Evidence suggests that FontOnLake has been used in attacks aimed at organizations in Southeast Asia. The first malware samples related to this family emerged last May. The malware was previously described by Avast and Lacework as the HCRootkit / Sutersu Linux rootkit, as well as by Tencent Security Response Center in a February report.

The various trojanized applications that ESET's researchers have identified during their investigation are used to load custom backdoor or rootkit modules, but also to collect sensitive data when needed. Posing as standard Linux utilities, these files were also designed to achieve persistence on the compromised systems. What the researchers haven't figured out yet is the manner in which the trojanized applications are delivered to the victims. ESET's analysis of FontOnLake has revealed the use of three different backdoors, all written in C++, all using the same Asio library from Boost, and all capable of exfiltrating sshd credentials and bash command history.

The simplest of the three was designed to launch and mediate access to a local SSH server, update itself, and transmit collected credentials. The malware appears to be under development.

The second backdoor was also capable of file manipulation, updating itself, and uploading and downloading files, according to the article, while the third backdoor "accepts remote connections, serves as a proxy and can download and run Python scripts, in addition to exfiltrating credentials."

Windows

Microsoft Shares Windows 11 TPM Check Bypass For Unsupported PCs (bleepingcomputer.com) 74

Microsoft has published a new support webpage that provides an official method to bypass the TPM 2.0 and CPU checks (TPM 1.2 is still required) and install Windows 11 on unsupported systems. Bleeping Computer reports: [I]t looks like Microsoft couldn't ignore the fact that bypassing TPM checks is fairly simple, so to avoid people breaking their systems with non-standardized third-party scripts, they decided to give users an official way to do it. Installing Windows 11 on unsupported hardware comes with some pitfalls that users must be aware of, and in some cases agree to, before the operating system will install. "Your device might malfunction due to these compatibility or other issues. Devices that do not meet these system requirements will no longer be guaranteed to receive updates, including but not limited to security updates," Microsoft explains in a new support bulletin. [Y]ou will still require a TPM 1.2 security processor, which many older PCs will not have. If you are missing a TPM 1.2 processor, you can bypass all TPM checks by using this script that deletes appraiser.dll during setup. To use the new AllowUpgradesWithUnsupportedTPMOrCPU bypass to install Windows 11 on such devices, Microsoft instructs you to perform the following steps:

1. Read all of these instructions before continuing.
2. Visit the Windows 11 software download page, select "Create tool now," and follow the installation instructions to create bootable media or download an ISO.
3. On Windows, click Start, type "Registry Editor" and click the icon to launch the tool.
4. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup registry key and create a new REG_DWORD value named AllowUpgradesWithUnsupportedTPMOrCPU, set to 1. Alternatively, download a premade Registry file that you can double-click and merge to create the above value for you.
5. Reboot your system.

Having done all that, you may now upgrade to Windows 11 by double-clicking the downloaded ISO file and running Setup.exe, or by booting from the Windows 11 media you created in Step 2. Microsoft states that the standard installation options 'Full Upgrade', 'Keep Data Only', and 'Clean Install' will all be available as usual.

Security

Apache Fixes Actively Exploited Web Server Zero-day (therecord.media) 34

The Apache Software Foundation has released a security patch to address a vulnerability in its HTTP Web Server project that has been actively exploited in the wild. From a report: Tracked as CVE-2021-41773, the vulnerability affects only Apache web servers running version 2.4.49 and stems from a bug in the server's path normalization, the step that resolves percent-encoded characters and dot segments in a request URL before mapping it to a file. "An attacker could use a path traversal attack to map URLs to files outside the expected document root," the ASF team said in the Apache HTTP Server 2.4.50 changelog. "If files outside of the document root are not protected by 'require all denied' these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts," Apache engineers added. More than 120,000 servers running the affected version are currently exposed online.
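
The class of bug is easiest to see in a few lines. What follows is an added example, a simplified model written for this page and not Apache's code: a "vulnerable" mapper that resolves dot segments before percent-decoding (so a segment spelled `.%2e` passes the check and becomes `..` on the filesystem path), beside a hardened mapper that decodes first, resolves, and re-checks that the result is still under the document root. The document root, the request line and the log check are assumptions for illustration; the `.%2e/` spelling is the one published for this CVE.

```python
import posixpath
import re
from urllib.parse import unquote

DOCROOT = "/var/www/html"   # assumed document root for the example


def collapse_dot_segments(path):
    """Resolve '.' and '..' segments of an already-decoded URL path.
    Raises if '..' would climb above the root."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                raise ValueError("path traversal above document root")
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def map_path_vulnerable(url_path):
    """Model of the 2.4.49 ordering mistake: dot segments are resolved on the
    raw path, where '.%2e' is an ordinary name, and percent-decoding happens
    afterwards, turning it into '..' on the filesystem path. posixpath.normpath
    stands in for what the operating system does with that path."""
    checked = collapse_dot_segments(url_path)
    return posixpath.normpath(DOCROOT + unquote(checked))


def map_path_safe(url_path):
    """Decode first, then resolve dot segments, then confirm the result is
    still inside DOCROOT. Anything still containing '%' after one decode
    (double-encoded) or a NUL byte is rejected outright; that is general
    hardening beyond the specific 2.4.49 bug."""
    decoded = unquote(url_path)
    if "%" in decoded or "\x00" in decoded:
        raise ValueError("still-encoded or NUL-containing path")
    full = posixpath.normpath(DOCROOT + collapse_dot_segments(decoded))
    if full != DOCROOT and not full.startswith(DOCROOT + "/"):
        raise ValueError("path traversal above document root")
    return full


# Half-encoded or fully encoded '../' in an access log line. Plain '../'
# rarely reaches a server because clients resolve it themselves.
TRAVERSAL_RE = re.compile(r"(?:\.|%2e){2}(?:/|%2f)", re.I)


def is_traversal_attempt(request_line):
    return bool(TRAVERSAL_RE.search(request_line))


if __name__ == "__main__":
    attack = "/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd"   # constructed request path
    print("vulnerable mapping:", map_path_vulnerable(attack))
    try:
        map_path_safe(attack)
    except ValueError as exc:
        print("safe mapping rejected:", exc)
    print("log hit:", is_traversal_attempt("GET " + attack + " HTTP/1.1"))
```

The changelog's remark about 'require all denied' is the second layer: even a normalization bug cannot serve a file the server's own authorization refuses, which is why a deny-by-default `<Directory />` block is worth keeping regardless of the patch level. The log regex is for hunting in existing access logs, not for blocking, since encoded dots have legitimate uses.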

Security

Gift Card Gang Extracts Cash From 100K Inboxes Daily (krebsonsecurity.com) 10

Cybercrime and computer security reporter Brian Krebs tells the story of a cybercrime group that compromises up to 100,000 email inboxes per day, and apparently does little else with this access except siphon gift card and customer loyalty program data that can be resold online. From the report: The data in this story come from a trusted source in the security industry who has visibility into a network of hacked machines that fraudsters in just about every corner of the Internet are using to anonymize their malicious Web traffic. For the past three years, the source -- we'll call him "Bill" to preserve his requested anonymity -- has been watching one group of threat actors that is mass-testing millions of usernames and passwords against the world's major email providers each day. Bill said he's not sure where the passwords are coming from, but he assumes they are tied to various databases for compromised websites that get posted to password cracking and hacking forums on a regular basis. Bill said this criminal group averages between five and ten million email authentication attempts daily, and comes away with anywhere from 50,000 to 100,000 of working inbox credentials.

In about half the cases the credentials are being checked via "IMAP," which is an email standard used by email software clients like Mozilla's Thunderbird and Microsoft Outlook. With his visibility into the proxy network, Bill can see whether or not an authentication attempt succeeds based on the network response from the email provider (e.g. mail server responds "OK" = successful access). You might think that whoever is behind such a sprawling crime machine would use their access to blast out spam, or conduct targeted phishing attacks against each victim's contacts. But based on interactions that Bill has had with several large email providers so far, this crime gang merely uses custom, automated scripts that periodically log in and search each inbox for digital items of value that can easily be resold. And they seem particularly focused on stealing gift card data.

"Sometimes they'll log in as much as two to three times a week for months at a time," Bill said. "These guys are looking for low-hanging fruit -- basically cash in your inbox. Whether it's related to hotel or airline rewards or just Amazon gift cards, after they successfully log in to the account their scripts start pilfering inboxes looking for things that could be of value." According to Bill, the fraudsters aren't downloading all of their victims' emails: That would quickly add up to a monstrous amount of data. Rather, they're using automated systems to log in to each inbox and search for a variety of domains and other terms related to companies that maintain loyalty and points programs, and/or issue gift cards and handle their fulfillment. Why go after hotel or airline rewards? Because these accounts can all be cleaned out and deposited onto a gift card number that can be resold quickly online for 80 percent of its value.

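The pattern Bill describes is visible to a mail provider in its own IMAP login logs: a source that tries many different accounts, a handful of times each, and then comes back for the ones that worked. The following is an added example of that detection, not code from the story's source or from any provider; the log lines are constructed in the style Dovecot emits for IMAP logins (addresses and accounts are invented), and the threshold is an assumption.

```python
import re
from collections import defaultdict

# Dovecot-style imap-login lines: "Login:" on success, "Disconnected (auth
# failed ...)" on failure; rip= is the remote address of the client.
LOGIN_RE = re.compile(
    r"imap-login: (?P<outcome>Login|Disconnected \(auth failed[^)]*\)): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)


def parse_imap_log(lines):
    """Turn login lines into {user, rip, success} events; other lines are skipped."""
    events = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            events.append({"user": m["user"], "rip": m["rip"],
                           "success": m["outcome"] == "Login"})
    return events


def stuffing_report(events, min_users=5):
    """Flag source IPs that touched many distinct accounts in the batch.

    Per-account lockouts do not catch credential stuffing: each password is
    tried once or twice and the bot moves on, so the signal is the spread of
    accounts per source, not the failure count per account. The batch is
    assumed to cover one time window (for example an hour of log)."""
    per_ip = defaultdict(lambda: {"users": set(), "successes": 0,
                                  "failures": 0, "compromised": set()})
    for e in events:
        rec = per_ip[e["rip"]]
        rec["users"].add(e["user"])
        if e["success"]:
            rec["successes"] += 1
            rec["compromised"].add(e["user"])   # working credential: force a reset
        else:
            rec["failures"] += 1
    report = {}
    for rip, rec in per_ip.items():
        if len(rec["users"]) >= min_users:
            report[rip] = {
                "distinct_users": len(rec["users"]),
                "successes": rec["successes"],
                "failures": rec["failures"],
                "compromised": sorted(rec["compromised"]),
            }
    return report


# Constructed sample: one proxy exit trying six accounts (two succeed) and one
# genuine user logging in twice from home.
SAMPLE_LOG = """\
Sep 28 10:00:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
Sep 28 10:00:04 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
Sep 28 10:00:06 mail dovecot: imap-login: Login: user=<carol@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, mpid=4321, TLS
Sep 28 10:00:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
Sep 28 10:00:12 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<erin@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
Sep 28 10:00:15 mail dovecot: imap-login: Login: user=<frank@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, mpid=4330, TLS
Sep 28 10:01:00 mail dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10, mpid=4340, TLS
Sep 28 10:02:30 mail dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10, mpid=4351, TLS
Sep 28 10:03:00 mail dovecot: imap(alice@example.com): Logged out in=44 out=1500
"""

if __name__ == "__main__":
    for rip, rec in stuffing_report(parse_imap_log(SAMPLE_LOG.splitlines())).items():
        print(rip, rec)
```

Because the gang works through a proxy network, a single exit address may carry only a few attempts; in practice the per-IP threshold is lowered for addresses in known proxy or hosting ranges, and the "compromised" list feeds a forced password reset and a check of the account's recent IMAP SEARCH activity for the gift-card and loyalty terms the story describes.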
United Kingdom

UK ISP Sky Broadband Feeds Realtime Customer Bandwidth Data To Litigious Anti-Piracy Firm (torrentfreak.com) 30

UK ISP Sky Broadband is monitoring the IP addresses of servers suspected of streaming pirated content to subscribers and supplying that data to an anti-piracy company working with the Premier League. That inside knowledge is then processed and used to create blocklists used by the country's leading ISPs, to prevent subscribers from watching pirated events. An anonymous reader shares the report from Torrent Freak: In recent weeks, an anonymous source shared a small trove of information relating to the systems used to find, positively identify, and then ultimately block pirate streams at ISPs. According to the documents, the module related to the Premier League work is codenamed 'RedBeard.' The activity appears to start during the week football matches or PPV events take place. A set of scripts at anti-piracy company Friend MTS are tasked with producing lists of IP addresses that are suspected of being connected to copyright infringement. These addresses are subsequently dumped to Amazon S3 buckets and the data is used by ISPs to block access to infringing video streams, the documents indicate. During actual event scanning, content is either manually or fingerprint matched, with IP addresses extracted from DNS information related to hostnames in media URLs, load balancers, and servers hosting Electronic Program Guides (EPG), all of which are used by unlicensed IPTV services.

The big question then is how the Premier League's anti-piracy partner discovers the initial server IP addresses that it subsequently puts forward for ISP blocking. According to documents reviewed by TF, information comes from three sources -- the anti-piracy company's regular monitoring (which identifies IP addresses and their /24 range), manually entered IP addresses (IP addresses and ports), and a third, potentially more intriguing source -- ISPs themselves. The document revealing this information is not dated but other documents in the batch reference dates in 2021. At the time of publication, the document indicates that ISP cooperation is limited to Sky Broadband only. TorrentFreak asked Friend MTS if that remains the case or whether additional ISPs are now involved. It appears that instead of monitoring customer IP addresses, Sky is compiling data on which IP addresses subscribers are pulling most data from during (and potentially before) match or event times. Sky then uploads the highest-trafficked IP addresses, along with the port the traffic is streamed on, to the S3 bucket mentioned above every five minutes. It is then accessed by the anti-piracy company which, every five minutes, extracts the IP, bandwidth rate, and the port number that bandwidth is on. At the time of the document's publication, the Sky 'Top Talker' threshold for the Premier League's 'RedBeard' module was 100 Mbps. The IP address information provided by the ISP that exceeds this limit then appears to be cross-referenced by IP address and port number with data obtained during game week scanning at Friend MTS. It is then processed accordingly.
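
The aggregation the documents describe, written out as an added example (this is not Sky's or Friend MTS's code): per five-minute window, sum the bytes delivered to subscribers from each server IP and port, keep the rows whose average rate meets the 100 Mbps 'Top Talker' threshold, and cross-reference them with the IP/port pairs found during game-week scanning. The flow records and scan hits are constructed. It makes concrete what the summary says about privacy: the feed carries server address, port and rate, and the subscriber identifier is read only to count contributors and never leaves the ISP side.

```python
from collections import defaultdict

WINDOW_SECONDS = 300           # five-minute upload interval described in the report
THRESHOLD_BPS = 100_000_000    # 100 Mbps 'Top Talker' threshold for the RedBeard module


def top_talkers(flows, window=WINDOW_SECONDS, threshold_bps=THRESHOLD_BPS):
    """flows: iterable of (timestamp, subscriber_id, server_ip, server_port, bytes).

    Sums bytes per (window, server_ip, port) and keeps rows whose average rate
    over the window meets the threshold. subscriber_id only contributes a
    count; it is not part of the output."""
    totals = defaultdict(lambda: {"bytes": 0, "subs": set()})
    for ts, sub, ip, port, nbytes in flows:
        bucket = ts - ts % window
        rec = totals[(bucket, ip, port)]
        rec["bytes"] += nbytes
        rec["subs"].add(sub)
    rows = []
    for (bucket, ip, port), rec in sorted(totals.items()):
        bps = rec["bytes"] * 8 / window
        if bps >= threshold_bps:
            rows.append({"window": bucket, "ip": ip, "port": port,
                         "mbps": round(bps / 1e6, 1), "subscribers": len(rec["subs"])})
    return rows


def match_scan_hits(top_rows, scan_hits):
    """Keep only (ip, port) pairs also seen during game-week stream scanning,
    the cross-reference the documents describe before anything is blocked."""
    return [r for r in top_rows if (r["ip"], r["port"]) in scan_hits]


# Constructed flow records for one window: 2,000 subscribers each pulling 2 MB
# from one server (106.7 Mbps average over 300 s) and 50 pulling 5 MB from
# another (6.7 Mbps). WINDOW_START is a multiple of 300 so everything lands
# in one bucket.
WINDOW_START = 1_632_999_900
SAMPLE_FLOWS = (
    [(WINDOW_START + i % 300, f"sub{i}", "192.0.2.50", 8080, 2_000_000) for i in range(2000)]
    + [(WINDOW_START + i % 300, f"sub{i}", "198.51.100.9", 443, 5_000_000) for i in range(50)]
)
SCAN_HITS = {("192.0.2.50", 8080), ("203.0.113.77", 80)}   # constructed scan results

if __name__ == "__main__":
    rows = top_talkers(SAMPLE_FLOWS)
    print("top talkers:", rows)
    print("blockable after cross-reference:", match_scan_hits(rows, SCAN_HITS))
```

A CDN edge or a popular game update server will also clear 100 Mbps during a match, which is why the cross-reference with scanning results, not the bandwidth figure alone, is the gate before an address reaches a blocklist.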

Torrent Freak goes on to note that the Premier League is "seeking cooperation from additional ISPs too."

"In summary, it appears that Sky subscribers aren't being directly monitored per se, but the servers they draw most bandwidth from are being noted by Sky and that data is being forwarded for anti-piracy enforcement," the report adds. "This means that Sky subscribers' piracy habits are directly providing information to support Premier League, Matchroom Boxing, and Queensbury Promotions blocking efforts."

Patents

Programmer Apologizes For Sending Letters Claiming Patent on Age-Old Web Standard (theregister.com) 56

"The director of a tiny UK company has apologised after sending letters to businesses suggesting they had infringed his patents that he claimed covered an age-old web standard," writes The Register.

LeeLynx shares their report: The tech in question is the content security policy (CSP) mechanism that websites use to protect their visitors from cross-site scripting (XSS) attacks and similar exploits that steal data and hijack accounts. Specifically, the letters concern CSP's cryptographic nonce [number-used-once] feature, which a page uses to mark the scripts it authorizes so that injected ones are refused. Datawing Ltd sent a number of letters to small businesses this month claiming to own one UK and one US patent on CSP and its use of a nonce.

After an initial wave of alarm and outrage on Twitter when the letters surfaced, The Register tracked down their author: a penitent William Coppock... "What a stupid plonker, all I've done," he sighed, adding that he has six children and has been diagnosed with cancer. Applying for the UK and US patents cost him his "life savings," he said, adding: "I didn't intend any harm to come to anyone. Maybe I've just got to sell or give this thing to Mozilla...."

[H]e denied to The Register that he was a patent troll. A law firm had checked over the letter and the "patent infringement outline" document before he sent them, he claimed. Coppock also apologised to all who received his letters and urged them to contact him if they had any questions about it.

We have asked the law firm Coppock named for comment on the advice he says it gave him and will update this article if we hear back from it.

Firefox

Firefox Says Its Revamped SmartBlock Won't Break Facebook Login Buttons Anymore (theverge.com) 32

Firefox 90 introduces the next version of SmartBlock, the browser's tracker blocking mechanism built into its private browsing and strict modes, which now has improvements designed to prevent buttons that let you log into websites using your Facebook account from breaking, Mozilla announced on Tuesday. From a report: SmartBlock was first introduced with Firefox 87 in March, and if you aren't familiar, here's Mozilla's description of how it works, from the company's blog: "SmartBlock intelligently fixes up web pages that are broken by our tracking protections, without compromising user privacy. SmartBlock does this by providing local stand-ins for blocked third-party tracking scripts. These stand-in scripts behave just enough like the original ones to make sure that the website works properly. They allow broken sites relying on the original scripts to load with their functionality intact." Sometimes, though, the feature would break Facebook login buttons. In a new blog post, Mozilla's Tom Wisniewski and Arthur Edelstein explain why this would happen, using an example of trying to log in to Etsy.

Chrome

Thousands of Chrome Extensions Are Tampering With Security Headers (therecord.media) 31

An anonymous reader quotes a report from The Record: Thousands of Google Chrome extensions available on the official Chrome Web Store are tampering with security headers on popular websites, putting users at risk of a wide range of web-based attacks. While they are a little-known technical detail, security headers are an important part of the current internet landscape. At a technical level, a security header is an HTTP response header sent by the server to a client app, such as a browser. [...] In a paper presented at the MADWeb workshop at the NDSS 2021 security conference, researchers from the CISPA Helmholtz Center for Information Security said they tried to assess the number of Chrome extensions tampering with security headers for the very first time. Using a custom framework they built specifically for their study, the research team said they analyzed 186,434 Chrome extensions that were available on the official Chrome Web Store last year. Their work found that 2,485 extensions were intercepting and modifying at least one security header used by today's Top 100 most popular websites (as available in the Tranco list).

The study didn't cover all security headers, only the four most common ones: Content-Security-Policy (CSP), HTTP Strict-Transport-Security (HSTS), X-Frame-Options, and X-Content-Type-Options. While 2,485 extensions disabled at least one, the researchers found 553 that disabled all four. The most commonly disabled header was CSP, which lets site owners control what web resources a page is allowed to load inside a browser and is a standard defense against XSS and data injection attacks. According to the research team, in most of the cases they analyzed, the Chrome extensions disabled CSP and other security headers "to introduce additional seemingly benign functionalities on the visited webpage," and did not look to be malicious in nature. However, even if the extensions wanted to enrich a user's experience online, the German academics argued that by tampering with security headers, all the extensions did was expose users to attacks from other scripts and sites running inside the browser and on the web.
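
Two passages on this page turn on the same headers: the CSP nonce mechanism described in the Datawing patent item above, and the four headers the CISPA study found extensions stripping. The following added example (not code from either story, from Mozilla, or from the CISPA framework) does three things: mints a per-response nonce and the CSP that admits only scripts carrying it; decides, for a snippet of HTML, which script tags that policy allows; and audits a response's four headers, reporting what is missing or weak when the headers a server sent are compared with what a page actually observed. The header values and HTML are constructed, and obtaining the "as seen" header set (for instance from a test harness driving the browser) is outside the example.

```python
import re
import secrets


def new_nonce():
    """Fresh, unpredictable, per-response nonce (128 bits, base64url).
    Reusing a nonce across responses defeats the mechanism: anyone who can
    read one page could inject a script carrying that value."""
    return secrets.token_urlsafe(16)


def csp_with_nonce(nonce):
    """Policy that runs only scripts carrying this response's nonce."""
    return f"script-src 'nonce-{nonce}'; object-src 'none'; base-uri 'none'"


SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.I)
NONCE_ATTR = re.compile(r"""\bnonce=["']([^"']*)["']""", re.I)


def scripts_allowed(html, csp):
    """For each <script> tag in html, True if the policy's script-src admits
    it. Only nonce sources are modelled (no host, hash or 'self' sources)."""
    m = re.search(r"script-src\s+([^;]*)", csp)
    sources = m.group(1).split() if m else []
    nonces = {s[len("'nonce-"):-1] for s in sources
              if s.startswith("'nonce-") and s.endswith("'")}
    verdicts = []
    for attrs in SCRIPT_TAG.findall(html):
        n = NONCE_ATTR.search(attrs)
        verdicts.append(n is not None and n.group(1) in nonces)
    return verdicts


def _hsts_ok(value):
    m = re.search(r"max-age=(\d+)", value)
    return m is not None and int(m.group(1)) >= 31536000   # one year


# The four headers the study covered and a minimal "is it doing anything" check.
CHECKS = {
    "content-security-policy": lambda v: "script-src" in v or "default-src" in v,
    "strict-transport-security": _hsts_ok,
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
}


def audit_headers(headers):
    """Names of the four headers that are missing or weak in a response."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, ok in CHECKS.items():
        if name not in lower:
            findings.append(f"{name}: missing")
        elif not ok(lower[name]):
            findings.append(f"{name}: weak ({lower[name]})")
    return findings


def header_diff(as_sent, as_seen):
    """Headers the server sent that an intermediary (such as an extension)
    removed or rewrote before the page saw them: {name: (sent, seen)}."""
    sent = {k.lower(): v for k, v in as_sent.items()}
    seen = {k.lower(): v for k, v in as_seen.items()}
    return {k: (sent[k], seen.get(k)) for k in sent if seen.get(k) != sent[k]}


# Constructed header sets: what the origin emitted, and what remained after
# an extension that "fixes" the site rewrote the response.
SERVER_HEADERS = {
    "Content-Security-Policy": "script-src 'nonce-d2FzdGU'; object-src 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}
AS_SEEN_BY_PAGE = {
    "Strict-Transport-Security": "max-age=0",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    nonce = new_nonce()
    html = f'<script nonce="{nonce}">ok()</script><script>alert(1)</script>'
    print("scripts allowed:", scripts_allowed(html, csp_with_nonce(nonce)))
    print("audit of origin headers:", audit_headers(SERVER_HEADERS))
    print("audit after extension:", audit_headers(AS_SEEN_BY_PAGE))
    print("tampered:", header_diff(SERVER_HEADERS, AS_SEEN_BY_PAGE))
```

Note the dependency between the two halves: a nonce-based CSP protects against XSS only while the Content-Security-Policy header actually reaches the document, so an extension that drops the header (the study's most common case) silently turns the nonce into decoration, and the injected second script in the sample would run.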

Microsoft

And the Top Source of Critical Security Threats Is...PowerShell (esecurityplanet.com) 73

Slashdot reader storagedude writes: That's right, Microsoft's CLI management tool was the source of more than a third of critical security threats detected by Cisco in the second half of 2020, according to eSecurity Planet.

Dual-use tool exploitation was the top threat category noted by Cisco, followed by ransomware, fileless malware, and credential dumping, with PowerShell a primary vector in those last two categories also.

"Based on Cisco's research, PowerShell is the source of more than a third of critical threats," noted Gedeon Hombrebueno, Endpoint Security Product Manager for Cisco Secure.

Cisco recommends a number of protection steps that are, of course, made easier with Cisco Secure Endpoint, and other EDR tools are effective against PowerShell exploits also.

But there are a number of steps admins can (and should) take that are completely free, like preventing or restricting PowerShell execution in non-admin accounts, allowing execution of signed scripts only, and using Constrained Language mode.

Microsoft

Wordpress Considers Dropping Support for Internet Explorer 11 (bleepingcomputer.com) 36

Bleeping Computer reports: The most well-known and popular blogging platform, WordPress, is considering dropping support for Internet Explorer 11 as the browser's usage dips below 1%. Using three metrics to determine the number of people still using IE 11, WordPress has found that its cumulative usage is below 1%...

WordPress is not alone in dropping support for IE 11. In August 2020, Microsoft announced that they would no longer support Internet Explorer on the Microsoft Teams web app, and Microsoft 365 would no longer support it starting on August 17th, 2021.

"Dropping support would result in smaller scripts, lower maintenance burden, and decrease build times," notes a post on the Wordpress blog. "For instance, a recent exploration by @youknowriad demonstrated that not transpiling the scripts to IE11 immediately resulted in a net reduction of nearly 84kB in the Gutenberg JavaScript [Wordpress Editor interface] built files, representing a 7,78% total decrease in size; these scripts have seen a size contraction up to 60%, with an average reduction of 24%...

"Moreover, dropping support would ultimately make WordPress' currently included polyfill script obsolete, decreasing the enqueued scripts size up to 102kB more."

Python

Python Turns 30. A Steering Council Member Reflects (venturebeat.com) 83

Today is the 30th anniversary of the Python programming language, "which has never been more popular, arguably thanks to the rise of data science and AI projects in the enterprise," writes Venture Beat.

To celebrate, the historical releases page has been updated to include Guido van Rossum's original 0.9.1 beta release from 1991. (Its ReadMe file advises that Python 0.9 "can be used instead of shell, Awk or Perl scripts, to write prototypes of real applications, or as an extension language of large systems, you name it.")

And meanwhile, VentureBeat interviewed Pablo Galindo, one of the five members of the 2021 Python Steering Council and a software engineer at Bloomberg: VentureBeat: What's your current assessment of Python?

Galindo: Python is a very mature language, and it has evolved. It also has a bunch of things that it carries over. Python has some baggage that nowadays feels a bit old, but the community and the ecosystem has to be preserved. It's similar to how C and C++ are evolving right now. When you make changes to the language, it's quite dangerous [because you can] break things. That's what people are scared of the most.

But even though Python is quite old, there are big changes. The Python 3.10 release for this October will include pattern matching, which is one of the biggest syntax changes that Python has seen in a long time. We can learn from other languages. I think we're happy to say that we are still evolving and adapting. We have a good experience with respecting the importance of backwards compatibility.

VentureBeat: If you could be Python king for a day, what would you change?

Galindo: I would be a horrible King for a day. The first order of business would be to fix all these things that we have acquired over the years in the language. That would require breaking a bunch of things. Obviously, I will not do that, but I think one of the things I really would like to see in the future is for Python to become faster than it is. I think Python still has a lot of potential to become faster. I'm thinking this will be impossible. But one can dream.

VentureBeat: What do you know now about Python today that you wish you knew when you first began using it?

Galindo: I think the most important thing I learned is how many different uses there are for Python. It's important to listen to all these sorts of users when considering the evolution of the language. It's quite surprising and quite revealing to consider how changes or improvements will conflict or will interact with other users of the language.

That's something that when I started I didn't even consider. It would be good if people could be empathetic to us changing the language when we have to balance these things.

GNU is Not Unix

A 'Severe' Bug Was Found In Libgcrypt, GnuPG's Cryptographic Library (helpnetsecurity.com) 39

Early Friday the principal author of GNU Privacy Guard (the free encryption software) warned that version 1.9.0 of its cryptographic library Libgcrypt, released January 19, had a "severe" security vulnerability and should not be used.

A new version 1.9.1, which fixes the flaw, is available for download, Help Net Security reports: He also noted that Fedora 34 (scheduled to be released in April 2021) and Gentoo Linux are already using the vulnerable version... [I]t's a heap buffer overflow due to an incorrect assumption in the block buffer management code. Just decrypting some data can overflow a heap buffer with attacker controlled data, no verification or signature is validated before the vulnerability occurs.

It was discovered and flagged by Google Project Zero researcher Tavis Ormandy and affects only Libgcrypt v1.9.0.

"Exploiting this bug is simple and thus immediate action for 1.9.0 users is required..." Koch posted on the GnuPG mailing list. "The 1.9.0 tarballs on our FTP server have been renamed so that scripts won't be able to get this version anymore."

GNU is Not Unix

A New Release For GNU Octave (lwn.net) 59

Long-time Slashdot reader lee1 shares his recent article from LWN: On November 26, version 6.1 of GNU Octave, a language and environment for numerical computing, was released. There are several new features and enhancements in the new version, including improvements to graphics output, better communication with web services, and over 40 new functions...

In the words of its manual:

GNU Octave is a high-level language primarily intended for numerical computations. It is typically used for such problems as solving linear and nonlinear equations, numerical linear algebra, statistical analysis, and for performing other numerical experiments.

Octave is free software distributed under the GPLv3. The program was first publicly released in 1993; it began as a teaching tool for students in a chemical engineering class. The professors, James B. Rawlings and John G. Ekerdt, tried to have the students use Fortran, but found that they were spending too much time trying to get their programs to compile and run instead of working on the actual substance of their assignments... Octave became part of the GNU project in 1997...

Octave, written in C, C++, and Fortran, soon adopted the goal and policy of being a fully compatible replacement for MATLAB. According to the Octave Wiki, any differences between Octave and MATLAB are considered to be bugs, "in general", and most existing MATLAB scripts will work unmodified when fed to Octave, and vice versa...

When octave is started in the terminal it brings up an interactive prompt. The user can type in expressions, and the results are printed immediately.

Crime

Some Ransomware Gangs are Now Phoning Victims Who Restore from Backups (zdnet.com) 133

"We recommend that you discuss this situation with us in the chat," one caller warned, "or the problems with your network will never end."

ZDNet reports: In attempts to put pressure on victims, some ransomware gangs are now cold-calling victims on their phones if they suspect that a hacked company might try to restore from backups and avoid paying ransom demands. "We've seen this trend since at least August-September," Evgueni Erchov, Director of IR & Cyber Threat Intelligence at Arete Incident Response, told ZDNet on Friday...

"We think it's the same outsourced call center group that is working for all the [ransomware gangs] as the templates and scripts are basically the same across the variants," Bill Siegel, CEO and co-founder of cyber-security firm Coveware, told ZDNet in an email. Arete IR and Emsisoft said they've also seen scripted templates in phone calls received by their customers.

The use of phone calls is another escalation in the tactics used by ransomware gangs to put pressure on victims to pay ransom demands after they've encrypted corporate networks. Previous tactics included the use of ransom demands that double in value if victims don't pay during an allotted time, threats to notify journalists about the victim company's breach, or threats to leak sensitive documents on so-called "leak sites" if companies don't pay.

Privacy

The Worst Passwords of 2020 Show We Are Just As Lazy About Security As Ever (zdnet.com) 128

After analyzing 275,699,516 passwords leaked during 2020 data breaches, NordPass and partners found that the most common passwords are incredibly easy to guess -- it could take attackers a second or two, at most, to break into accounts using these credentials. Only 44% of those recorded were considered "unique." ZDNet reports: On Wednesday, the password manager solutions provider published its annual report on the state of password security, finding that the most popular options were "123456," "123456789," "picture1," "password," and "12345678." With the exception of "picture1," which would take approximately three hours to decipher using a brute-force attack, each password would take seconds using either dictionary scripts -- which compile common phrases and numerical combinations to try -- or simple, human guesswork.

As one of the entrants on the 200-strong list describes the state of affairs when it comes to password security, "whatever," it seems many of us are still reluctant to use strong, difficult-to-crack passwords -- and instead, we are going for options including "football," "iloveyou," "letmein," and "pokemon." When selecting a password, you should avoid patterns or repetitions, such as letters or numbers that are next to each other on a keyboard. Adding a capital letter, symbols, and numbers in unexpected places can help, too -- and in all cases, you should not use personal information as a password, such as birthdates or names.
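The advice above (avoid common passwords, keyboard runs, repetitions and personal information) can be turned into a server-side policy check. The following is an added example, not NordPass's or ZDNet's code; the common-password set is a constructed excerpt of the entries quoted in the article, and a real deployment would screen against full breach corpora.

```python
# Added example (not NordPass's or ZDNet's code): a minimal policy check that
# rejects the weak patterns the report calls out. COMMON_PASSWORDS is a
# constructed subset of the entries quoted above; production systems should
# screen against full breach corpora (e.g. a k-anonymity range lookup).
import re
from typing import List, Set, Tuple

COMMON_PASSWORDS: Set[str] = {  # constructed excerpt from the article
    "123456", "123456789", "picture1", "password", "12345678",
    "whatever", "football", "iloveyou", "letmein", "pokemon",
}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
RUN_LENGTH = 4  # a keyboard or alphabet run this long counts as a pattern


def _sequences() -> Set[str]:
    """All RUN_LENGTH-long forward and reversed keyboard/alphabet runs."""
    seqs: Set[str] = set()
    for row in KEYBOARD_ROWS + ["abcdefghijklmnopqrstuvwxyz"]:
        for i in range(len(row) - RUN_LENGTH + 1):
            s = row[i:i + RUN_LENGTH]
            seqs.add(s)
            seqs.add(s[::-1])
    return seqs


SEQUENCES = _sequences()


def password_problems(pw: str, personal: Tuple[str, ...] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    low = pw.lower()
    problems: List[str] = []
    if low in COMMON_PASSWORDS:
        problems.append("in common-password list")
    if any(seq in low for seq in SEQUENCES):
        problems.append("contains keyboard/alphabet sequence")
    if re.search(r"(.)\1{2,}", low):  # same character three or more times
        problems.append("contains repeated character run")
    for item in personal:  # e.g. names or birth years supplied by the signup form
        if item and item.lower() in low:
            problems.append(f"contains personal info: {item}")
    # Count lower, upper, digit and symbol classes (underscore counts as \w).
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if len(pw) < 12 or classes < 3:
        problems.append("shorter than 12 chars or fewer than 3 character classes")
    return problems
```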

The Internet

Brave Browser First To Nix CNAME Deception (theregister.com) 47

An anonymous reader quotes a report from The Register: The Brave web browser will soon block CNAME cloaking, a technique used by online marketers to defy privacy controls designed to prevent the use of third-party cookies. The browser security model makes a distinction between first-party domains -- those being visited -- and third-party domains -- from the suppliers of things like image assets or tracking code, to the visited site. Many of the online privacy abuses over the years have come from third-party resources like scripts and cookies, which is why third-party cookies are now blocked by default in Brave, Firefox, Safari, and Tor Browser.

In a blog post on Tuesday, Anton Lazarev, research engineer at Brave Software, and senior privacy researcher Peter Snyder, explain that online tracking scripts may use canonical name DNS records, known as CNAMEs, to make associated third-party tracking domains look like they're part of the first-party websites actually being visited. They point to the site https://mathon.fr/ as an example, noting that without CNAME uncloaking, Brave blocks six requests for tracking scripts served by ad companies like Google, Facebook, Criteo, Sirdan, and Trustpilot. But the page also makes four requests via a script hosted at a randomized path under the first-party subdomain 16ao.mathon.fr. When Brave 1.17 ships next month (currently available as a developer build), it will be able to uncloak the CNAME deception and block the Eulerian script.

Other browser vendors are planning related defenses. "Mozilla has been working on a fix in Firefox since last November," notes The Register. "And in August, Apple's Safari WebKit team proposed a way to prevent CNAME cloaking from being used to bypass the seven-day cookie lifetime imposed by WebKit's Intelligent Tracking Protection system."
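The uncloaking check described above amounts to following a first-party-looking hostname's CNAME chain and comparing where it ends up with the site being visited. As an added example (not Brave's code), the function below does this offline against a constructed record set; the hostname 16ao.mathon.fr is from the article, but its CNAME target is a placeholder, and the eTLD+1 logic is simplified to the last two labels where a real implementation would consult the Public Suffix List.

```python
# Added example (not Brave's or The Register's code): detecting CNAME cloaking
# offline against a constructed DNS record set. Real code would resolve live
# records and use the Public Suffix List to compute registrable domains.
from typing import Dict, List, Optional

# Constructed records: name -> CNAME target (None means the name is an A/AAAA
# leaf). 16ao.mathon.fr is from the article; its target here is a placeholder.
CONSTRUCTED_DNS: Dict[str, Optional[str]] = {
    "16ao.mathon.fr": "tracker-placeholder.example.net",   # cloaked tracker
    "tracker-placeholder.example.net": None,
    "static.mathon.fr": "cdn.mathon.fr",                   # same site, benign
    "cdn.mathon.fr": None,
    "loop.mathon.fr": "loop2.mathon.fr",                   # pathological loop
    "loop2.mathon.fr": "loop.mathon.fr",
}

MAX_CHAIN = 8  # resolvers cap CNAME chasing too; guards against long chains


def registrable_domain(hostname: str) -> str:
    """Simplified eTLD+1: the last two labels. A real check needs the PSL."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def follow_cname(name: str, records: Dict[str, Optional[str]]) -> List[str]:
    """Return the CNAME chain starting at `name` (the name itself comes first)."""
    chain = [name]
    seen = {name}
    while len(chain) <= MAX_CHAIN:
        target = records.get(chain[-1])
        if target is None:
            return chain  # reached an address record (or an unknown name)
        if target in seen:
            raise ValueError(f"CNAME loop at {target}")
        chain.append(target)
        seen.add(target)
    raise ValueError("CNAME chain too long")


def is_cname_cloaked(first_party: str, request_host: str,
                     records: Dict[str, Optional[str]]) -> bool:
    """True when a first-party-looking host resolves, via CNAME, to a different
    registrable domain: the pattern Brave 1.17 uncloaks and blocks."""
    if registrable_domain(request_host) != registrable_domain(first_party):
        return False  # already third-party; ordinary blocking applies
    final = follow_cname(request_host, records)[-1]
    return registrable_domain(final) != registrable_domain(first_party)
```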
