
Submission Summary: 0 pending, 49 declined, 48 accepted (97 total, 49.48% accepted)

Submission + - The Russian "Internet" is akin to North Korea isolation, not protection (blockchainjournal.news) 1

Artem S. Tashkinov writes: A draft departmental order of Roskomnadzor has been published on the government’s website, which describes in detail the rules for isolating the Russian segment of the Internet. The document says that in the event of a threat, a centralized Internet traffic control regime is introduced. Directing traffic outside of Russia will be prohibited, except when it affects communications between users from the Kaliningrad region and other regions of the Russian Federation. It is also proposed to make an exception for embassies, consulates and representative offices of Russia abroad.

Submission + - Vulnerabilities in the Linux/FreeBSD TCP/IP stack allow to crash remote systems (theregister.co.uk)

Artem S. Tashkinov writes: The Register reports that it is possible to crash network-facing Linux servers, PCs, smartphones and tablets, and gadgets, or slow down their network connections, by sending them a series of maliciously crafted packets. It is also possible to hamper FreeBSD machines with the same attack. Patches and mitigations are available, and can be applied by hand if needed, or you can wait for a security fix to be pushed or offered to your at-risk device. A key workaround is to set /proc/sys/net/ipv4/tcp_sack to 0.

At the heart of the drama is a programming flaw dubbed SACK Panic aka CVE-2019-11477: this bug can be exploited to remotely crash systems powered by Linux kernel version 2.6.29 or higher, which was released 10 years ago.

There are three other related holes: SACK Slowness, aka CVE-2019-11478, which affects Linux kernels pre-4.15, and all versions to a degree; SACK Slowness, aka CVE-2019-5599, which affects FreeBSD 12 using the RACK TCP stack; and Excess Resource Consumption Due to Low MSS Values, aka CVE-2019-11479, which affects all Linux kernel versions. They were discovered and reported by Netflix security's Jonathan Looney, and described in an advisory released on GitHub.

Submission + - A new hidden way of web browser profiling, identification and tracking (theregister.co.uk)

Artem S. Tashkinov writes: Boffins from Graz University of Technology in Austria have devised an automated system for browser profiling using two new side channel attacks that can help expose information about software and hardware to fingerprint browsers and improve the effectiveness of exploits. The researchers say their automated browser profiling scheme facilitates browser fingerprinting, overcomes some anti-fingerprinting techniques, and shows that browser privacy extensions "can leak more information than they disguise and can even be semi-automatically circumvented, leading to a false sense of security." The technique is simple enough. First comes the profiling phase, which involves compiling a list of properties accessible from JavaScript objects (e.g. window.Array.name, performance.timeOrigin). These become a profile. The data collection then gets repeated using a different environment, such as an alternate browser or operating system. Together, these varied profiles of JavaScript objects and properties form a template that can be used to probe for variations. The variations identified in this matrix of data reveal environmentally-dependent properties in Chrome, Edge, Firefox and mobile Tor, properties that provide information useful for identification and attack targeting.

Submission + - The gene therapy revolution is here (medicalxpress.com)

Artem S. Tashkinov writes: Gene therapy — for so long something that belonged to the future — has just hit the streets. A couple of weeks back, you might have picked up a headline alerting us to the most expensive drug in history—a one off gene therapy cure for spinal muscular atrophy. Novartis have priced the drug Zolgensma at A$3 million (US$2.1 million). Traditionally a parent of a baby with spinal muscular atrophy was told: take your baby home and love her or him. Have no false hope, the baby will die paralyzed and unable to eat or talk by the age of two. What's the narrative going to be now? There is a cure but it costs A$3 million.

Submission + - Microsoft announces HoloLens 2 mixed reality headset for $3,500 (theverge.com)

Artem S. Tashkinov writes: Hailed as a third wave of computing, Microsoft has made the HoloLens 2 mixed reality headset available for preorder for a staggering $3,500, and it's expected to ship later this year. It will be sold only to enterprise customers. Compared to the first generation HoloLens, the second version is better in almost every important way: it's more comfortable to wear, it offers a much wider field of view, and it contains powerful recognition software, so it can detect real world physical objects and allows you to seamlessly interact with them using hand and finger gestures. It features new components like the Azure Kinect sensor, SnapDragon 850 SoC, eye-tracking sensors, and an entirely different display system with 2K resolution for each eye, a couple of speakers, an 8-megapixel front-facing camera for video conferencing; it's capable of full 6 degrees of tracking, and it also uses USB-C to charge.

Submission + - An alarming state of Google Chrome Extensions (duo.com) 1

Artem S. Tashkinov writes: Duo Labs have recently scanned the Google Chrome Extensions store and they've discovered that:
  • 84.7% had no privacy policy
  • 35.4% could read your data on any website
  • 31.8% used third-party libraries that contained publicly known vulnerabilities
  • 9% could read all your cookies

Submission + - NVIDIA Warmed Up to Open Standards: Adds Support For FreeSync/VESA Adaptive-Sync (techpowerup.com)

Artem S. Tashkinov writes: NVIDIA finally got around to realizing that the number of monitors with VESA adaptive-sync overwhelmingly outnumber those supporting NVIDIA G-Sync, and is going ahead with adding support for adaptive-sync monitors. This however, comes with a big rider. NVIDIA is not immediately going to unlock adaptive-sync to all monitors, just the ones it has tested and found to work "perfectly" with their hardware. NVIDIA announced that it has found a handful of the 550+ monitor models in the market that support adaptive-sync, and has enabled support to them. Over time, as it tests more monitors, support for these monitors will be added through GeForce driver updates, as a "certified" monitor. It's worth noting that you can manually enable G-SYNC on all Adaptive-Sync monitors, even non-certified ones: "For gamers who have monitors that we have not yet tested, or that have failed validation, we'll give you an option to manually enable VRR, too."

Submission + - 0day exploit for VirtualBox which allows to p0wn the host OS has been published (github.com) 1

Artem Tashkinov writes: Sergey Zelenyuk, a security engineer from Russia, has published a VirtualBox exploit which allows a root user in the guest operating system to gain complete control over the host operating system by utilizing bugs in the data link layer of the default E1000 network interface adapter, which makes this vulnerability critical for everyone who uses virtualization to run untrusted code. Currently there's no statement from Oracle, fix or CVE entry available because the researcher is highly dissatisfied with the state of security research and bug-bounty programs, which often do not work as intended: he mentions the fact that companies often take too much time to analyze the issues they get notified about, they don't have formal reward ranges for the found vulnerabilities, and the rewards to be paid are not enough to cover the time and effort spent on researching them.

Submission + - Humanity has wiped out 60% of mammals, birds, fish and reptiles since 1970 (theguardian.com)

Artem Tashkinov writes: The new estimate of the massacre of wildlife is made in a major report produced by WWF and involving 59 scientists from across the globe. It finds that the vast and growing consumption of food and resources by the global population is destroying the web of life, billions of years in the making, upon which human society ultimately depends for clean air, water and everything else. Many scientists believe the world has begun a sixth mass extinction, the first to be caused by a species – Homo sapiens. Other recent analyses have revealed that humankind has destroyed 83% of all mammals and half of plants since the dawn of civilisation and that, even if the destruction were to end now, it would take 5-7 million years for the natural world to recover. Tanya Steele, chief executive at WWF, said: “We are the first generation to know we are destroying our planet and the last one that can do anything about it.”

Submission + - New anti-cancer drugs put cancers to sleep—permanently (medicalxpress.com) 2

Artem Tashkinov writes: In a world first, Melbourne scientists have discovered a new type of anti-cancer drug that can put cancer cells into a permanent sleep, without the harmful side-effects caused by conventional cancer therapies.

Published today in the journal Nature, the research reveals the first class of anti-cancer drugs that work by putting the cancer cell to sleep – arresting tumour growth and spread without damaging the cells' DNA.

The new class of drugs could provide an exciting alternative for people with cancer, and has already shown great promise in halting cancer progression in models of blood and liver cancers, as well as in delaying cancer relapse.

Submission + - Mozilla Plans to Remove a Built-in RSS Reader and Live Bookmarks from Firefox (google.com)

Artem Tashkinov writes: A recently posted bug report on Mozilla's bug tracking website indicates that Mozilla is planning to remove RSS feed reader and Live Bookmarks support from the Firefox web browser. Here's the rationale from their yet-to-be-published blog post:

Having gathered data on usage of the feed preview and live bookmark feature in Firefox, considering the technical state of their implementations and their maintenance costs, and reflecting the wider state of traditional RSS/Atom feed usage on the web, we’ve decided to remove the built-in feed reader feature as well as the “live bookmarks” support that allows users to view feed articles within the bookmarks UI. Usage data from Firefox shows that 99.9% of our users don’t actually use either the feed viewer or live bookmarks.

Mozilla's current plan aims for a removal of both features in Firefox 63 or Firefox 64, out October or December 2018. The change won't affect the current Firefox 60 ESR version, but the next Firefox ESR after Firefox 60 ESR won't support either feature anymore. This work is currently expected to be done for either Firefox 63 or 64, scheduled for release in October and December 2018, respectively. We don’t intend to change anything on ESR, so Firefox 60 ESR will keep support, and the next ESR won’t have support anymore.


Submission + - User authentication technology for Wi-Fi connection WPA3 has been released (bleepingcomputer.com)

Artem Tashkinov writes: On Monday, the Wi-Fi Alliance, the organization that manages Wi-Fi technologies, announced the official release of WPA3. News that the Wi-Fi Alliance was working on WPA3 leaked online in January. The organization started working on WPA3 after a security researcher revealed KRACK, a vulnerability in the WPA2 WiFi protocol that made it somewhat trivial for an attacker to gain access to WiFi transmissions protected by WPA2.

New security features include:
  • WPA3 uses the Simultaneous Authentication of Equals (SAE) algorithm, which replaces Pre-shared Key (PSK) in WPA2-Personal, while WPA3-Enterprise uses a more complex set of features that replace IEEE 802.1X from WPA2-Enterprise. These are: authenticated encryption, key derivation and confirmation, key establishment and authentication, robust management frame protection.
  • WPA3 is resistant to dictionary attacks. The Wi-Fi Alliance says that WPA3's SAE is resistant to offline dictionary attacks where an attacker tries to guess a Wi-Fi network's password by trying various passwords in quick succession.
  • Wi-Fi Easy Connect for WPA2 and WPA3: This feature is aimed at smart (Internet of Things) devices that don't have a screen where a user can configure its Wi-Fi network settings. For example, a user will be able to use his phone or tablet to configure the WiFi WPA3 options of another device that doesn't have a screen, such as tiny IoT equipment like smart locks, smart light bulbs, and others.
  • Wi-Fi Enhanced Open: a proprietary technology, which uses an algorithm known as Opportunistic Wireless Encryption (OWE) to encrypt each connection between a WiFi user and the router/access point with its own custom encryption key. This per-user encryption prevents local attackers from snooping on other users' traffic, even if the network doesn't require a password to join.

Submission + - Scientists probably discovered a new fundamental particle: sterile neutrino (theregister.co.uk)

Artem Tashkinov writes: It needs more sigmas, but Fermilab boffins in America are carefully speculating that they may have seen evidence of a new fundamental particle: the sterile neutrino. The suggestion follows tests conducted by the MiniBooNE (Mini Booster Neutrino Experiment) instrument, located near Chicago. Its mission is to detect neutrino mass through their oscillations. In the Standard Model of physics, neutrinos, like all particles, are initially assumed to be massless, but some observations, like neutrino oscillation, suggest there's mass there. The experiment that possibly detected sterile neutrinos collected 15 years of data from its commissioning in 2002, and the results have only now reached pre-press outlet arXiv.

Submission + - Microsoft is ostensibly negotiating a deal to buy GitHub (businessinsider.com)

Artem Tashkinov writes: Microsoft has recently held talks to buy GitHub, reviving on-and-off conversations the two have had for years, according to people close to the companies. The price tag for an acquisition could be $5 billion or more, and it's not clear whether Microsoft is willing to pay that much — or whether the talks are ongoing. If Microsoft were to acquire GitHub, it would mark a significant change of course from where the startup stood just six months ago. As recently as late 2017, insiders said GitHub was fully committed to staying independent and eventually going public. It is also possible that instead of striking a deal to buy GitHub outright, Microsoft may make an investment — possibly with an option to buy — and allow one of its top engineers to be poached as CEO.

A combination of Microsoft and GitHub would make a lot of sense from a product and customer perspective, and it could provide stability for GitHub, which has found plans to monetize its popular products more challenging than expected and suffered a lot of turnover in its executive ranks. Microsoft and GitHub have become close partners — Microsoft uses GitHub's technology to manage Windows development.
