Medicine

The Feds Are Officially Cracking Down on Basement Biohackers (gizmodo.com) 93

Kristen Brown, reporting for Gizmodo: The Food and Drug Agency has issued a stern warning to anyone who might be crazy enough to undertake gene therapy in the do-it-yourself fashion. Definitely don't do this at home, a statement released on Tuesday implies. And if you do, we'll throw every law we can at you. The FDA's deterrent comes on the heels of a brazen DIY gene therapy experiment, in which a 27-year-old software engineer injected himself with an unprove gene therapy for HIV designed by three biohacker friends. The first injection was streamed live on Facebook in October, and went viral after it was covered by Gizmodo. "You can't stop it, you can't regulate these things," patient zero, Tristan Roberts, told Gizmodo at the time. Apparently the FDA begs to differ.
Microsoft

Stop Using Excel, Finance Chiefs Tell Staffs (wsj.com) 189

Tatyana Shumsky, reporting for WSJ: Adobe's finance chief Mark Garrett says his team struggles keeping track of which jobs have been filled at the software company. The process can take days and requires finance staff to pull data from disparate systems that house financial and human-resources information into Microsoft's Excel spreadsheets. From there they can see which groups are hiring and how salary spending affects the budget. "I don't want financial planning people spending their time importing and exporting and manipulating data, I want them to focus on what is the data telling us," Mr. Garrett said. He is working on cutting Excel out of this process, he said. CFOs at companies including P.F. Chang's China Bistro, ABM Industries and Wintrust Financial are on a similar drive to reduce how much their finance teams use Excel for financial planning, analysis and reporting (Editor's note: the link could be paywalled; an alternative source wasn't immediately available). Finance chiefs say the ubiquitous spreadsheet software that revolutionized accounting in the 1980s hasn't kept up with the demands of contemporary corporate finance units. Errors can bloom because data in Excel is separated from other systems and isn't automatically updated.
Privacy

How a Wi-Fi Pineapple Can Steal Your Data (And How To Protect Yourself From It) (vice.com) 41

An anonymous reader writes: The Wi-Fi Pineapple is a cheap modified wireless router enables anyone to execute sophisticated exploits on Wi-Fi networks with little to no networking expertise. A report in Motherboard explains how it can be used to run a Wall of Sheep and execute a man-in-the-middle attack, as well as how you can protect yourself from Pineapple exploits when you're connected to public Wi-Fi. "... it's important that whenever you are done connecting to a public Wi-Fi network that you configure your phone or computer to 'forget' that network. This way your device won't be constantly broadcasting the SSIDs of networks it has connected to in the past, which can be spoofed by an attacker with a Pineapple," reports Motherboard. "Unfortunately there is no easy way to do this on an Android or an iPhone, and each network must be forgotten manually in the 'Manage Network' tab of the phone's settings. Another simple solution is to turn off your Wi-Fi functionality when you're not using it -- though that isn't as easy to do on some devices anymore -- and don't allow your device to connect to automatically connect to open Wi-Fi networks."
Windows

Microsoft Confirms Surface Book 2 Can't Stay Charged During Gaming Sessions (engadget.com) 130

The Verge mentioned in their review that the Surface Book 2's power supply can't charge the battery fast enough to prevent it from draining in some cases. Microsoft has since confirmed that "in some intense, prolonged gaming scenarios with Power Mode Slider set to 'best performance' the battery may discharge while connected to the power supply." Engadget reports: To let you choose between performance and battery life, the Surface Book has a range of power settings. If you're doing video editing or other GPU intensive tasks, you can crank it up to "best performance" to activate the NVIDIA GPU and get more speed. Battery drain is normally not an issue with graphics apps because the chip only kicks in when needed. You'll also need the "best performance" setting for GPU-intensive games, as they'll slow down or drop frames otherwise. The problem is that select titles like Destiny 2 use the NVIDIA chip nearly continuously, pulling up to 70 watts of power on top of the 35 watt CPU. Unfortunately, the Surface Book comes with a 102-watt charger, and only about 95 watts of that reaches the device, the Verge points out. Microsoft says that the power management system will prevent the battery from draining completely, even during intense gaming, but it would certainly mess up your Destiny 2 session. It also notes that the machine is intended for designers, developers and engineers, with the subtext that it's not exactly marketed as a gaming rig.
Bitcoin

$31 Million In Tokens Stolen From Dollar-Pegged Cryptocurrency Tether 56

Mark Wilson shares a report from BetaNews: All eyes may be on the meteoric rise of Bitcoin at the moment, but it's far from being the only cryptocurrency on the block. Startup Tether issued a critical announcement after it was discovered that "malicious action by an external attacker" had led to the theft of nearly $31 million worth of tokens. Tether is a dollar-pegged cryptocurrency formerly known as Realcoin, and it says that $30,950,010 was stolen from a treasury wallet. The company says it is doing what it can to ensure exchanges do not process these tokens, including temporarily suspending its backend wallet service. Tether knows the address used by the attacker to make the theft, but is not aware of either who the attacker is, or how the attack took place. The company is releasing a new version of its Omni Core software client in what it says is "effectively a temporary hard fork to the Omni Layer."
Security

Ask Slashdot: How Are So Many Security Vulnerabilities Possible? 318

dryriver writes: It seems like not a day goes by on Slashdot and elsewhere on the intertubes that you don't read a story headline reading "Company_Name Product_Name Has Critical Vulnerability That Allows Hackers To Description_Of_Bad_Things_Vulnerability_Allows_To_Happen." A lot of it is big brand products as well. How, in the 21st century, is this possible, and with such frequency? Is software running on electronic hardware invariably open to hacking if someone just tries long and hard enough? Or are the product manufacturers simply careless or cutting corners in their product designs? If you create something that communicates with other things electronically, is there no way at all to ensure that the device is practically unhackable?
Security

Sacramento Regional Transit Systems Hit By Hacker (cbslocal.com) 35

Zorro shares a report from CBS Local: Sacramento Regional Transit is the one being taken for a ride on this night, by a computer hacker. That hacker forced RT to halt its operating systems that take credit card payments, and assigns buses and trains to their routes. The local transit agency alerted federal agents following an attack on their computers that riders may not have noticed Monday. "We actually had the hackers get into our system, and systematically start erasing programs and data," Deputy General Manager Mark Lonergan. Inside RT's headquarters, computer systems were taken down after the hacker deleted 30 million files. The hacker also demanded a ransom in bitcoin, and left a message on the RT website reading "I'm sorry to modify the home page, I'm good hacker, I just want to help you fix these vulnerability."
Privacy

Uber Concealed Cyberattack That Exposed 57 Million People's Data (bloomberg.com) 31

According to Bloomberg, hackers stole the personal data of 57 million customers and drivers from Uber. The massive breach was reportedly concealed by the company for more than a year. From the report: Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers were accessed as well, including some 600,000 U.S. driver's license numbers. No Social Security numbers, credit card details, trip location info or other data were taken, Uber said. At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers $100,000 to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.

Here's how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.

OS X

New Windows Search Interface Borrows Heavily From MacOS (arstechnica.com) 84

An anonymous reader quotes a report from Ars Technica: Press clover-space on a Mac (aka apple-space or command-space to Apple users) and you get a search box slap bang in the middle of the screen; type things into it and it'll show you all the things it can find that match. On Windows, you can do the same kind of thing -- hit the Windows key and then start typing -- but the results are shown in the bottom left of your screen, in the Start menu or Cortana pane. The latest insider build of Windows, build 17040 from last week, has a secret new search interface that looks a lot more Mac-like. Discovered by Italian blog Aggiornamenti Lumia, set a particular registry key and the search box appears in the middle of the screen. The registry key calls it "ImmersiveSearch" -- hit the dedicated key, and it shows a simple Fluent-designed search box and results. This solution looks and feels a lot like Spotlight on macOS.
Microsoft

Microsoft Offering Free Windows 10 Development Environment VM for a Limited Time (bleepingcomputer.com) 80

An anonymous reader shares a report: Microsoft is providing a free virtual machine that comes preloaded with Windows 10 Enterprise, Visual Studio 2017, and various utilities in order to promote the development of Universal Windows Platform apps. Before you get too excited about a free version of Windows 10 Enterprise, this Virtual Machine will expire on January 15th 2018. When downloading the development environment, you can choose either a VMware, VirtualBox, Hyper-V, or Parallels virtual machine depending on what virtual machine software you use. Each of these images are about 17-20GB when extracted from the downloaded archive and include almost everything you need to develop Universal Windows Platform apps.
Privacy

Over 400 of the World's Most Popular Websites Record Your Every Keystroke (vice.com) 257

An anonymous reader quotes a report from Motherboard: The idea of websites tracking users isn't new, but research from Princeton University released last week indicates that online tracking is far more invasive than most users understand. In the first installment of a series titled "No Boundaries," three researchers from Princeton's Center for Information Technology Policy (CITP) explain how third-party scripts that run on many of the world's most popular websites track your every keystroke and then send that information to a third-party server. Some highly-trafficked sites run software that records every time you click and every word you type. If you go to a website, begin to fill out a form, and then abandon it, every letter you entered in is still recorded, according to the researchers' findings. If you accidentally paste something into a form that was copied to your clipboard, it's also recorded. These scripts, or bits of code that websites run, are called "session replay" scripts. Session replay scripts are used by companies to gain insight into how their customers are using their sites and to identify confusing webpages. But the scripts don't just aggregate general statistics, they record and are capable of playing back individual browsing sessions. The scripts don't run on every page, but are often placed on pages where users input sensitive information, like passwords and medical conditions. Most troubling is that the information session replay scripts collect can't "reasonably be expected to be kept anonymous," according to the researchers.
Transportation

Uber Expands Driverless-Car Push With Deal For 24,000 Volvos (bloomberg.com) 171

Uber agreed to buy 24,000 sport utility vehicles from Volvo to form a fleet of driverless autos. According to Bloomberg, "The XC90s, priced from $46,900 at U.S. dealers, will be delivered from 2019 to 2021 in the first commercial purchase by a ride-hailing provider." Uber will add its own sensors and software to permit pilot-less driving. From the report: Uber's order steps up efforts to replace human drivers, the biggest cost in its on-demand taxi service. The autonomous fleet is small compared with the more than 2 million people who drive for Uber but reflects dedication to the company's strategy of developing self-driving cars. "This new agreement puts us on a path toward mass-produced, self-driving vehicles at scale," Jeff Miller, Uber's head of auto alliances, told Bloomberg News. "The more people working on the problem, we'll get there faster and with better, safer, more reliable systems."
iMac

iMac Pro Will Have An A10 Fusion Coprocessor For 'Hey, Siri' Support and More Secure Booting, Says Report (theverge.com) 163

According to Apple firmware gurus Steven Troughton-Smith and Guilherme Rambo, the upcoming iMac Pro will feature an A10 Fusion coprocessor to enable two interesting new features. "The first is the ability for the iMac Pro to feature always-on 'Hey, Siri' voice command support, similar to what's currently available on more recent iPhone devices," reports The Verge. "[T]he bigger implication of the A10 Fusion is for a less user-facing function, with Apple likely to use the coprocessor to enable SecureBoot on the iMac Pro." From the report: In more practical terms, it means that Apple will be using the A10 Fusion chip to handle the initial boot process and confirm that software checks out, before passing things off to the regular x86 Intel processor in your Mac. It's not something that will likely change how you use your computer too much, like the addition of "Hey, Siri" support will, but it's a move toward Apple experimenting with an increased level of control over its software going forward.
Software

Google Is Working On Fuchsia OS Support For Apple's Swift Programming Language (androidpolice.com) 54

An anonymous reader shares a report from Android Police: Google's in-development operating system, named "Fuchsia," first appeared over a year ago. It's quite different from Android and Chrome OS, as it runs on top of the real-time "Magenta" kernel instead of Linux. According to recent code commits, Google is working on Fuchsia OS support for the Swift programming language. If you're not familiar with it, Swift is a programming language developed by Apple, which can be used to create iOS/macOS/tvOS/watchOS applications (it can also compile to Linux). Apple calls it "Objective-C without the C," and on the company's own platforms, it can be mixed with existing C/Objective-C/C++ code (similar to how apps on Android can use both Kotlin and Java in the same codebase). We already know that Fuchsia will support apps written in Dart, a C-like language developed by Google, but it looks like Swift could also be supported. On Swift's GitHub repository, a pull request was created by a Google employee that adds Fuchsia OS support to the compiler. At the time of writing, there are discussions about splitting it into several smaller pull requests to make reviewing the code changes easier.
Security

Why Hackers Reuse Malware (helpnetsecurity.com) 26

Orome1 shares a report from Help Net Security: Software developers love to reuse code wherever possible, and hackers are no exception. While we often think of different malware strains as separate entities, the reality is that most new malware recycles large chunks of source code from existing malware with some changes and additions (possibly taken from other publicly released vulnerabilities and tools). This approach makes sense. Why reinvent the wheel when another author already created a working solution? While code reuse in malware can make signature-based detection methods more effective in certain cases, more often than not it frees up time for attackers to do additional work on detection avoidance and attack efficacy -- which can create a more dangerous final product.

There are multiple reasons why hackers reuse code when developing their own malware. First, it saves time. By copying code wherever possible, malware authors have more time to focus on other areas, like detection avoidance and attribution masking. In some cases, there may be only one way to successfully accomplish a task, such as exploiting a vulnerability. In these instances, code reuse is a no-brainer. Hacker also tend to reuse effective tactics such as social engineering, malicious macros and spear phishing whenever possible simply because they have a high rate of success.

Bitcoin

An Ethereum Startup Just Vanished After People Invested $374K (vice.com) 190

An anonymous reader quotes a report from Motherboard: A startup on the Ethereum platform vanished from the internet on Sunday after raising $374,000 USD from investors in an Initial Coin Offering (ICO) fundraiser. Confido is a startup that pitched itself as a blockchain-based app for making payments and tracking shipments. It sold digital tokens to investors over the Ethereum blockchain in an ICO that ran from November 6 to 8. During the token sale, Confido sold people bespoke digital tokens that represent their investment in exchange for ether, Ethereum's digital currency. But on Sunday, the company unceremoniously deleted its Twitter account and took down its website. A company representative posted a brief comment to the company's now-private subforum on Reddit, citing legal problems that prevent the Confido team from continuing their work. The same message was also posted to Medium but quickly deleted.

"Right now, we are in a tight spot, as we are having legal trouble caused by a contract we signed," the message stated (a cached version of the Medium post is viewable). "It is likely that we will be able to find a solution to rectify the situation. However, we cannot assure you with 100% certainty that we will get through this." The message was apparently written by Confido's founder, one Joost van Doorn, who seems to have no internet presence besides a now-removed LinkedIn profile. Even the Confido representative on Reddit doesn't seem to know what's going on, though, posting hours after the initial message, "Look I have absolutely no idea what has happened here. The removal of all of our social media platforms and website has come as a complete surprise to me." Confido tokens had a market cap of $10 million last week, before the company disappeared, but now the tokens are worthless. And investors are crying foul.

Iphone

Apple Could Have Brought a Big iPhone X Feature To Older iPhone But Didn't, Developer Says (twitter.com) 64

Steven Troughton-Smith, a prominent iOS developer best known for combing new software codes for references for upcoming features, over the weekend indicated that portrait mode lighting effects, a major feature in the current iPhone generation -- iPhone 8 Plus, and iPhone X, could technically be added to iPhone 7 Plus from last year. The feature works like this: you take a picture, go to the photos app on your new iPhone and play with the "Lighting" effects. He writes: So yeah you just need to hexedit the metadata in the HEIC. Not quite sure where, I copied a whole section from an iPhone X Portrait Mode photo and it worked. Original photo taken on 7 Plus on iOS 11. Someone could automate this. Just to add insult to injury, if you AirDrop that photo back to the iPhone 7 Plus now it shows the Portrait Lighting UI, and lets you change mode. So Portrait Lighting is 100% an artificial software limitation. 7 Plus photos can have it, 7 Plus can do it.
Firefox

Another Tor Browser Feature Makes It Into Firefox: First-Party Isolation (bleepingcomputer.com) 92

An anonymous reader writes: Unbeknown to most users, Mozilla added a privacy-enhancing feature to the Firefox browser over the summer that can help users block online advertisers from tracking them across the Internet. The feature is named First-Party Isolation (FPI) and was silently added to the Firefox browser in August, with the release of Firefox 55. FPI works by separating cookies on a per-domain basis.

This is important because most online advertisers drop a cookie on the user's computer for each site the user visits and the advertisers loads an ad. With FPI enabled, the ad tracker won't be able to see all the cookies it dropped on that user's PC, but only the cookie created for the domain the user is currently viewing. This will force the ad tracker to create a new user profile for each site the user visits and the advertiser won't be able to aggregate these cookies and the user's browsing history into one big fat profile. This feature was first implemented in the Tor Browser, a privacy-focused fork of the Firefox browser managed by the Tor Project, where it is known as Cross-Origin Identifier Unlinkability. FPI was added to Firefox as part of the Tor Uplift project, an initiative to bolster the Firefox codebase with some of the Tor Browser's unique privacy-focused features. The feature is not enabled by default. Information on how to enable it is in the linked article.

AI

Deep Learning Is Eating Software (petewarden.com) 147

Pete Warden, engineer and CTO of Jetpac, shares his view on how deep learning is already starting to change some of the programming is done. From a blog post, shared by a reader last week: The pattern is that there's an existing software project doing data processing using explicit programming logic, and the team charged with maintaining it find they can replace it with a deep-learning-based solution. I can only point to examples within Alphabet that we've made public, like upgrading search ranking, data center energy usage, language translation, and solving Go, but these aren't rare exceptions internally. What I see is that almost any data processing system with non-trivial logic can be improved significantly by applying modern machine learning. This might sound less than dramatic when put in those terms, but it's a radical change in how we build software. Instead of writing and maintaining intricate, layered tangles of logic, the developer has to become a teacher, a curator of training data and an analyst of results. This is very, very different than the programming I was taught in school, but what gets me most excited is that it should be far more accessible than traditional coding, once the tooling catches up. The essence of the process is providing a lot of examples of inputs, and what you expect for the outputs. This doesn't require the same technical skills as traditional programming, but it does need a deep knowledge of the problem domain. That means motivated users of the software will be able to play much more of a direct role in building it than has ever been possible. In essence, the users are writing their own user stories and feeding them into the machinery to build what they want.
Intel

Intel Planning To End Legacy BIOS Support By 2020, Report Says (phoronix.com) 122

Michael Larabel, writing for Phoronix: Intel is planning to end "legacy BIOS" support in their new platforms by 2020 in requiring UEFI Class 3 or higher. Making rounds this weekend is a slide deck from the recent UEFI Plugfest. Brian Richardson of Intel talked about the "last mile" barriers to removing legacy BIOS support from systems. By 2020, they will be supporting no less than UEFI Class 3, which means only UEFI support and no more legacy BIOS or CSM compatibility support mode. But that's not going to force on UEFI Secure Boot unconditionally: Secure Boot enabled is considered UEFI Class 3+. Intel hasn't removed legacy BIOS / CSM support yet due to many customers' software packages still relying upon legacy BIOS, among other reasons. Removing the legacy BIOS support will mitigate some security risks, needs less validation by vendors, allows for supporting more modern technologies, etc.

Slashdot Top Deals