Security

How Hollywood Got Hacked: Studio at Center of Netflix Leak Breaks Silence (variety.com)

Earlier this year, hackers obtained and leaked episodes of the TV show Orange Is the New Black. In a candid interview, Larson Studios' chief engineer David Dondorf explained how the audio post-production business allowed the hacker group to gain access to the Netflix original content. Dondorf says the company hired private data security experts to find out how it was breached. The investigation found that the hacker group had been searching the internet for PCs running older versions of Windows and stumbled across an old computer at Larson Studios still running Windows 7. From the report: Larson's employees just didn't know all that much about it. Having a computer running an ancient version of Windows on the network was clearly a terrible lack of oversight, as was not properly separating internal servers from the internet. "A lot of what went on was ignorance," admitted Rick Larson. "We are a small company. Did we even know what the content security departments were at our clients? Absolutely not. I couldn't have told you who to call. I can now." It's a fascinating story about how the hacker group first made contact and tried to threaten Larson Studios' president and his wife, and how they responded. Worth a read.
Security

Russian Malware Communicates Using Britney Spears's Instagram Account (welivesecurity.com)

JustAnotherOldGuy writes: A key weakness in malicious software is the "Command and Control" (C&C) system -- a central server that the malware-infected systems contact to receive updates and instructions, and to send stolen data. Anti-malware researchers like to reverse engineer malicious code, discover the C&C server's address, and then shut it down. Turla is an "advanced persistent threat" hacking group based in Russia with a long history of attacking states in ways that advance Russian state interests. A new analysis by Eset shows that Turla is solving its C&C problems by using Britney Spears' Instagram account as a cut-out for its C&C servers. Turla moves the C&C server around, then hides the current address of the server in encrypted comments left on Britney Spears's image posts. The compromised systems check in with Spears' Instagram whenever they need to know where the C&C server is currently residing.
Facebook

Facebook Unveils New Tools To Help Elected Officials Reach Constituents (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Facebook this year has launched a number of features that make it easier for people to reach their government representatives on its social network, including "Town Hall," and related integrations with News Feed, as well as ways to share reps' contact info in your own posts. Today, the company is expanding on these initiatives with those designed for elected officials themselves. The new tools will help officials connect with their constituents, as well as better understand which issues their constituents care about most. Specifically, the social network is rolling out three new features: constituent badges, constituent insights, and district targeting. Constituent badges are a new, opt-in feature that allows Facebook users to identify themselves as a person living in the district the elected official represents. A second feature called Constituent Insights is designed to help elected officials learn which local news stories and content are popular in their district, so they can share their thoughts on those matters. The third new feature -- District Targeting -- is arguably the most notable. This effectively gives elected officials the means of gathering feedback from their constituents through Facebook directly, using either posts or polls that are targeted only towards those who actually live in their particular district. That means the official can post to Facebook to ask for feedback from constituents about an issue, and these posts will only be viewable by those who live in their district.
Government

Trump Misunderstood MIT Climate Research, University Officials Say (reuters.com)

MIT officials said U.S. President Donald Trump badly misunderstood their research when he cited it on Thursday to justify withdrawing the United States from the Paris Climate Agreement. From a report: Trump announced during a speech at the White House Rose Garden that he had decided to pull out of the landmark climate deal, in part because it would not reduce global temperatures fast enough to have a significant impact. "Even if the Paris Agreement were implemented in full, with total compliance from all nations, it is estimated it would only produce a two-tenths of one degree Celsius reduction in global temperature by the year 2100," Trump said. "Tiny, tiny amount." That claim was attributed to research conducted by MIT, according to White House documents seen by Reuters. The Cambridge, Massachusetts-based research university published a study in April 2016 titled "How much of a difference will the Paris Agreement make?" showing that if countries abided by their pledges in the deal, global warming would slow by between 0.6 degree and 1.1 degrees Celsius by 2100. "We certainly do not support the withdrawal of the U.S. from the Paris agreement," said Erwan Monier, a lead researcher at the MIT Joint Program on the Science and Policy of Global Change, and one of the study's authors. "If we don't do anything, we might shoot over 5 degrees or more and that would be catastrophic," said John Reilly, the co-director of the program, adding that MIT's scientists had had no contact with the White House and were not offered a chance to explain their work.
Government

Investigation Demanded Over Fake FCC Comments Submitted By Dead People (bbc.com)

An anonymous reader writes: Fight for the Future has found another issue with the fake comments submitted to the FCC opposing net neutrality. "The campaign group says that some of the comments were posted using the names and details of dead people," according to the BBC. The exact same comment was also submitted more than 7,000 times using addresses in Colorado, where a reporter discovered that contacting the people at those addresses drew reactions which included "I have never seen this before in my life" and "No, I did not post this comment. In fact, I disagree with this comment." Fight for the Future also knocked on doors in Tampa, Florida, where the few people who answered "were shocked to hear that their name and address were publicly listed alongside a political message they did not necessarily understand or agree with." An alleged commenter in Montana told a reporter she didn't even know what net neutrality was.

14 people have already signed Fight for the Future's official complaint to the FCC, which calls for notification of all people affected, an investigation, and the immediate removal of all fake comments from the public docket. "Based on numerous media reports, nearly half a million Americans may have been impacted by whoever impersonated us," states the letter, "in a dishonest and deceitful campaign to manufacture false support for your plan to repeal net neutrality protections."

Fight for the Future says they've already verified "dozens" of instances of real people discovering a fake comment was submitted in their name -- and that in addition, more than 2,400 people have already used their site to contact their state Attorneys General demanding an investigation. They note the FCC has taken no steps to remove the fake comments from its docket, "risking the safety and privacy of potentially hundreds of thousands of people," while a campaign director at Fight for the Future added, "For the FCC's process to have any legitimacy, they simply cannot move forward until an investigation has been conducted."
Security

Wikimedia Is Clear To Sue the NSA Over Its Use of Warrantless Surveillance Tools (engadget.com)

The Wikimedia Foundation has the right to sue the National Security Agency over its use of warrantless surveillance tools, a federal appeals court ruled. "A district judge shot down Wikimedia's case in 2015, saying the group hadn't proved the NSA was actually illegally spying on its communications," reports Engadget. "In this case, proof was a tall order, considering information about the targeted surveillance system, Upstream, remains classified." From the report: The appeals court today ruled Wikimedia presented sufficient evidence that the NSA was in fact monitoring its communications, even if inadvertently. The Upstream system regularly tracks the physical backbone of the internet -- the cables and routers that actually transmit our emoji. With the help of telecom providers, the NSA then intercepts specific messages that contain "selectors," email addresses or other contact information for international targets under U.S. surveillance. "To put it simply, Wikimedia has plausibly alleged that its communications travel all of the roads that a communication can take, and that the NSA seizes all of the communications along at least one of those roads," the appeals court writes. "Thus, at least at this stage of the litigation, Wikimedia has standing to sue for a violation of the Fourth Amendment. And, because Wikimedia has self-censored its speech and sometimes forgone electronic communications in response to Upstream surveillance, it also has standing to sue for a violation of the First Amendment."
Encryption

Hackers Unlock Samsung Galaxy S8 With Fake Iris (vice.com)

From a Motherboard report: Despite Samsung stating that a user's irises are pretty much impossible to copy, a team of hackers has done just that. Using a bare-bones selection of equipment, researchers from the Chaos Computer Club (CCC) show in a video how they managed to bypass the scanner's protections and unlock the device. "We've had iris scanners that could be bypassed using a simple print-out," said Linus Neumann, one of the hackers who appears in the video. The process itself was apparently pretty simple. The hackers took a medium-range photo of their subject with a digital camera's night mode, and printed the infrared image. Then, presumably to give the image some depth, the hackers placed a contact lens on top of the printed picture. And, that's it. They're in.
China

Did China Hack The CIA In A Massive Intelligence Breach From 2010 To 2012? (ibtimes.com)

schwit1 quotes the International Business Times: Both the CIA and the FBI declined to comment on reports saying the Chinese government killed or imprisoned 18 to 20 CIA sources from 2010 to 2012 and dismantled the agency's spying operations in the country. It is described as one of the worst intelligence breaches in decades, current and former American officials told the New York Times.

Investigators were uncertain whether the breach was a result of a double agent within the CIA who had betrayed the U.S. or whether the Chinese had hacked the communications system used by the agency to be in contact with foreign sources. The Times reported Saturday, citing former American officials, that from the final weeks of 2010 until the end of 2012 the Chinese killed up to 20 CIA sources.

Power

Possible Radioactive Leak Investigated At Washington Nuclear Site (upi.com)

Authorities are investigating radioactive material found on a worker's clothing one week after a tunnel collapse at the nuclear waste site in the state of Washington. Around 7 p.m. Thursday, Washington River Protection Solutions, a government contractor in charge of all 177 underground storage tanks at the nuclear site, detected high radiation readings on a robotic device that seven workers were pulling out of a tank. Then, contamination was also discovered on the clothing of one worker -- on one shoe, on his shirt and on his pants in the knee area.

"Radiological monitoring showed contamination on the unit that was three times the planned limit. Workers immediately stopped working and exited the area according to procedure," Rob Roxburgh, deputy manager of WRPS Communications & Public Relations, told KING-TV. Using leak-detection instruments, WRPS said it did not find liquid escaping the tank. "Everybody was freaked, shocked, surprised," said a veteran worker, who was in direct contact with crew members. "[The contamination] was not expected. They're not supposed to find contamination in the annulus [safety perimeter] of the double shell tanks."

Washington's attorney general, urging a federal clean-up of the site, insists "This isn't the first potential leak and it won't be the last."
Medicine

Researchers Create a T-Shirt That Monitors the Wearer's Breathing Rate In Real Time (sciencedaily.com)

"Researchers at Universite Laval's Faculty of Science and Engineering and its Center for Optics, Photonics, and Lasers have created a smart T-shirt that monitors the wearer's respiratory rate in real time," reports Science Daily. The details have been published in the latest edition of Sensors. From the report: Unlike other methods of measuring respiratory rate, the smart T shirt works without any wires, electrodes, or sensors attached to the user's body, explains Younes Messaddeq, the professor who led the team that developed the technology. "The T shirt is really comfortable and doesn't inhibit the subject's natural movements. Our tests show that the data captured by the shirt is reliable, whether the user is lying down, sitting, standing, or moving around." The key to the smart T shirt is an antenna sewn in at chest level that's made of a hollow optical fiber coated with a thin layer of silver on its inner surface. The fiber's exterior surface is covered in a polymer that protects it against the environment. "The antenna does double duty, sensing and transmitting the signals created by respiratory movements," adds Professor Messaddeq, who also holds the Canada Excellence Research Chair in Photonic Innovations. "The data can be sent to the user's smartphone or a nearby computer." As the wearer breathes in, the smart fiber senses the increase in both thorax circumference and the volume of air in the lungs, explains Messaddeq. "These changes modify some of the resonant frequency of the antenna. That's why the T shirt doesn't need to be tight or in direct contact with the wearer's skin. The oscillations that occur with each breath are enough for the fiber to sense the user's respiratory rate."
Earth

Humans Accidentally Made a Space Cocoon For Ourselves Out of Radio Waves (vice.com)

An anonymous reader shares a Motherboard article: Humans have accidentally created a protective bubble around Earth by using very low frequency (VLF) radio transmissions to contact submarines in the ocean. It sounds nuts, but according to recent research published in Space Science Reviews, underwater communication through VLF channels has an outer space dimension. This video explainer, released by NASA on Wednesday, visualizes how radio waves wafting into space interact with the particles surrounding Earth, and influence their motion. Satellites in certain high-altitude orbits, such as NASA's particle-watching Van Allen Probes, have observed these VLF ripples creating an 'impenetrable boundary,' a phrase coined by study co-author Dan Baker, director of the University of Colorado's Laboratory for Atmospheric and Space Physics. This doesn't mean impenetrable to spacecraft or asteroids, per se, but rather to potentially harmful particle showers created by turbulent space weather.
The Almighty Buck

WanaDecrypt0r Ransomware Earns Just $26,000 In Ransom Payments (krebsonsecurity.com)

An anonymous reader quotes Krebs On Security: As thousands of organizations work to contain and clean up the mess from this week's devastating Wana ransomware attack, the fraudsters responsible for releasing the digital contagion are no doubt counting their earnings and congratulating themselves on a job well done. But according to a review of the Bitcoin addresses hard-coded into Wana, it appears the perpetrators of what's being called the worst ransomware outbreak ever have made little more than USD $26,000 so far from the scam...

It's worth noting that the ransom note Wana popped up on victim screens (see screenshot above) included a "Contact Us" feature that may have been used by some victims to communicate directly with the fraudsters... I find it depressing to think of the massive financial damage likely wrought by this ransom campaign in exchange for such a comparatively small reward.

The Internet

Cloudflare Helps Serve Up Hate Online: Report (cnet.com)

An anonymous reader writes: If you've been wondering how hate has proliferated online, especially since the 2016 election, ProPublica has some answers. According to ProPublica, Cloudflare -- a major San Francisco-based internet company -- enables extremist web sites to stay in business by providing them with internet data delivery services. Cloudflare reportedly also keeps to a policy of turning over contact information of anyone who complains to operators of the offending sites, thus exposing the complainants to personal harassment.
Android

User Expresses Privacy Concerns After Software Update Replaces Default Phone App (martinruenz.de)

An anonymous reader writes: Since I am not living in my home country, I frequently use two different SIM cards and prefer having a phone with dual-sim support. This limits your choice significantly when buying a new device and last time I bought one, I opted for the Wileyfox Swift. It was cheap, had most features I desired and shipped with CyanogenMod (Android) -- which, I thought, might indicate that Wileyfox delivers a slim, privacy-aware system. Yesterday, I was delighted to see that Wileyfox provides an update to a new version of Android (7.1.1) and I didn't hesitate long to install the upgrade. Concerns that the hardware might not hold-up to the new system showed to be unfounded and everything seemed to work just fine. But when I realised that the dialler now labelled itself as 'truecaller' -- something I had never heard of, shoot, I didn't even know the dialler is an app -- it gave rise to a bad suspicion: Is some of my phone's core functionality now provided by a 3rd-party app? Indeed. Does it respect my privacy? No. Can I uninstall it again? No. Was I ever asked to comply with their terms and conditions? Of course not. On top of this, Truecaller doesn't seem to have a clean background. Here's how an Indian daily (Truecaller seems to be popular in emerging regions) described the app: Truecaller is a popular app that shows you contact details of unknown numbers calling you. It crowdsources contact details from all its users' address books. So even if you've never used the service, your name and number could be on Truecaller's database, thanks to someone else who's saved your contact details and allowed the app to access them.
Businesses

107 Cancer Papers Retracted Due To Peer Review Fraud (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: The journal Tumor Biology is retracting 107 research papers after discovering that the authors faked the peer review process. This isn't the journal's first rodeo. Late last year, 58 papers were retracted from seven different journals -- 25 came from Tumor Biology for the same reason. It's possible to fake peer review because authors are often asked to suggest potential reviewers for their own papers. This is done because research subjects are often blindingly niche; a researcher working in a sub-sub-field may be more aware than the journal editor of who is best-placed to assess the work. But some journals go further and request, or allow, authors to submit the contact details of these potential reviewers. If the editor isn't aware of the potential for a scam, they then merrily send the requests for review out to fake e-mail addresses, often using the names of actual researchers. And at the other end of the fake e-mail address is someone who's in on the game and happy to send in a friendly review. This most recent avalanche of fake-reviewed papers was discovered because of extra screening at the journal. According to an official statement from Springer, the company that published Tumor Biology until this year, "the decision was made to screen new papers before they are released to production." The extra screening turned up the names of fake reviewers that hadn't previously been detected, and "in order to clean up our scientific records, we will now start retracting these affected articles...Springer will continue to proactively investigate these issues."
Programming

Researchers Determine What Makes Software Developers Unhappy (vice.com)

Researchers recently surveyed 2,200 software developers to calculate the distribution of unhappiness throughout the profession, and to identify its top causes, "incorporating a psychometrically validated instrument for measuring (un)happiness." An anonymous reader quotes Motherboard: Daniel Graziotin and his team found their survey subjects via GitHub. Contact information was found by mining archived data for past public GitHub events, where email addresses are apparently more plentiful. They wound up with 33,200 records containing developer locations, contact information, and employers. They took a random sampling from this dataset and wound up with about 1,300 valid survey responses... According to survey results released earlier this month, software developers are on average a "slightly happy" group of workers...

Survey responses were scored according to the SPANE-B metric, a standard tool used in psychology to assess "affect," defined as total negative feelings subtracted from total positive feelings. It ranges from -24 to 24. The mean score found in the developer happiness survey was 9.05. Slightly happy. The minimum was -16, while the maximum was 24. So, even in the worst cases, employees weren't totally miserable, whereas in the best cases employees weren't miserable at all.

The paper -- titled "On the Unhappiness of Software Developers" -- found that the top cause of unhappiness was being stuck while solving a problem, followed by "time pressure," bad code quality/coding practices, and "under-performing colleague."

And since happiness has been linked to productivity, the researchers write that "Our results, which are available as open data, can act as guidelines for practitioners in management positions and developers in general for fostering happiness on the job...unhappiness is present, caused by various factors and some of them could easily be prevented."
Google

Google Accused of 'Extreme' Gender Pay Discrimination By US Labor Department (theguardian.com)

The U.S. Department of Labor is accusing Google of discriminating against its female employees and violating federal employment laws with its salaries for women. "We found systemic compensation disparities against women pretty much across the entire workforce," Janette Wipper, a Department of Labor regional director, testified in court in San Francisco on Friday. The Guardian reports: Google strongly denied the accusations of inequities, claiming it did not have a gender pay gap. The allegations emerged at a hearing in federal court as part of a lawsuit the DoL filed against Google in January, seeking to compel the company to provide salary data and documents to the government. Google is a federal contractor, which means it is required to allow the DoL to inspect and copy records and information about its compliance with equal opportunity laws. Last year, the department's office of federal contract compliance programs requested job and salary history for Google employees, along with names and contact information, as part of the compliance review. Google, however, repeatedly refused to hand over the data, which was a violation of its contractual obligations with the federal government, according to the DoL's lawsuit. Labor officials detailed the government's discrimination claims against Google at the Friday hearing while making the case for why the company should be forced to comply with the DoL's requests for documents. Wipper said the department found pay disparities in a 2015 snapshot of salaries and said officials needed earlier compensation data to evaluate the root of the problem and needed to be able to confidentially interview employees.
Games

Two Studies Suggesting a Link Between Violent Video Games, Real-Life Behavior Have Been Retracted (qz.com)

Keith Collins reports via Quartz: In the first three months of 2017, academic journals retracted two papers that suggested a link between violent video games and real-life behavior. The first, entitled "Boom, Headshot!" was published in the Journal of Communication Research in 2012 and, after years of controversy, retracted last January. That study looked at the "effect of video game play and controller type on firing aim and accuracy," and found that playing first-person shooter games can train a player to become a better marksman in real life. Patrick Markey, a psychology professor at Villanova University, found some inconsistencies in the data published in the study. In January 2015, he and a colleague alerted Ohio State University, where the authors of the paper conducted the research. The lead author of the study, psychology professor Brad Bushman, emailed an official at OSU a month later, suggesting the allegations were part of a smear campaign against him and his co-author, according to Retraction Watch. Last January, the Journal of Communication Research retracted the paper. Bushman had agreed to the retraction, and began an attempt to re-do the original study with a larger sample size. A paper published in Gifted Child Quarterly in 2016, authored by Bushman and three others, caught the attention of Joseph Hilgard, a postdoctoral fellow at the University of Pennsylvania. The paper had studied the "effects of violent media on verbal task performance in gifted and general cohort children," and found that when children watched a violent cartoon for 12 minutes, their verbal skills dropped substantially for a temporary period. What surprised Hilgard most, according to an interview with Retraction Watch, was the sheer size of the effect. Hilgard said that OSU, Bushman, and others he spoke with about the study were helpful and forthcoming, but could not provide information on the study's data collection process. The author who collected the data, it turned out, lived in Turkey and fell out of contact following the recent coup attempt. Last week, Gifted Child Quarterly retracted the paper.
Government

Will VPNs Protect Your Privacy? It's Complicated

From a CNET report: A VPN redirects your internet traffic, disguising where your computer, phone or other device is when it makes contact with websites. It also encrypts information you send across the internet, making it unreadable to anyone who intercepts your traffic. That includes your internet service provider. Ha! Problem solved -- right? Well, sort of. The big catch is, now the VPN has your internet traffic and browsing history, instead of your ISP. What's to stop the VPN from selling your information to the highest bidder? Of course, there are reputable VPN services out there, but it's incumbent on you the user to "do your homework," Ajay Arora, CEO of cybersecurity company Vera, said. In addition to making sure the VPN will actually keep your data private, you'll want to make sure there's nothing shady in the terms and conditions. Shady how? Well, in 2015, a group of security-minded coders discovered that free VPN service Hola was selling its users' bandwidth to the paying customers of its Luminati service. That meant some random person could have been using your internet connection to do something illegal. So, shady like that. "I would recommend you do some cursory level research in terms of reputation [and] how long they've been around," Arora said, "And when you sign up, read the fine print." From a report on Wired: Christian Haschek, an Austria-based security researcher, wrote a script that analyzed 443 open proxies, which route web traffic through an alternate, often pseudo-anonymous, computer network. The script tested the proxies to see if they modified site content or allowed users to browse sites while using encryption. According to Haschek's research, just 21 percent of the tested proxies weren't "shady." Haschek found that the other 79 percent of surveyed proxy services forbade secure, HTTPS traffic.