By EditorDavid from Slashdot's bad-botnets department
An anonymous reader writes: Since mid-September, a new IoT botnet has grown to massive proportions. Codenamed IoT_reaper, researchers estimate its current size at nearly two million infected devices. According to researchers, the botnet is mainly made up of IP-based security cameras, routers, network-attached storage (NAS) devices, network video recorders (NVRs), and digital video recorders (DVRs), primarily from vendors such as Netgear, D-Link, Linksys, GoAhead, JAWS, Vacron, AVTECH, MicroTik, TP-Link, and Synology. The botnet reuses some Mirai source code, but it's unique in its own right. Unlike Mirai, which relied on scanning for devices with weak or default passwords, this botnet was put together using exploits for unpatched vulnerabilities. The botnet's author is still struggling to control his botnet, as researchers spotted over two million infected devices sitting in the botnet's C&C servers' queue, waiting to be processed. As of now, the botnet has not been used in live DDoS attacks, but the capability is in there.
Today is the one-year anniversary of the Dyn DDoS attack, the article points out, adding that "This week both the FBI and Europol warned about the dangers of leaving Internet of Things devices exposed online."Read Replies (0)
By EditorDavid from Slashdot's house-always-wins department
"A trio of data scientists developed a betting strategy to beat bookmakers at football games," writes austro. [The game Americans call soccer.] New Scientist reports:
The team studied 10 years' worth of data on nearly half a million football matches and the associated odds offered by 32 bookmakers between January 2005 and June 2015. When they applied their strategy in a simulation, they made a return of 3.5 per cent. Making bets randomly resulted in a loss of 3.32 per cent. Then the team decided to try betting for real. They developed an online tool that would apply their odds-averaging formula to upcoming football matches. When a favorable opportunity arose, a member of the team would email Kaunitz and his wife, one of whom then placed a bet. They kept this up for five months, placing $50 bets around 30 times a week. And they were winning. After five months the team had made a profit of $957.50 -- a return of 8.5 per cent. But their streak was cut short. Following a series of several small wins, the trio were surprised to find that their accounts had been limited, restricting how much they could bet to as little as $1.25. The gambling industry has long restricted players who appear to show an edge over the house, says Mark Griffiths at Nottingham Trent University, UK.
The paper "illustrates how the sports gambling industry compensates market inefficiencies with discriminatory practices against successful clients," adds austro, noting that the researchers posted a paper explaining their methodology on arxiv last week. "They also made the dataset and source code available on github. And best of all, they made an online publicly available dashboard that shows a live list of bet recommendations on football matches based on their strategy here or here for anyone to try."Read Replies (0)
By EditorDavid from Slashdot's hacks-for-hire department
An anonymous reader quotes Mashable:
Google, in collaboration with bug bounty platform HackerOne, has launched the Google Play Security Reward Program, which promises $1,000 to anyone who can identify security vulnerabilities in participating Google Play apps. Thirteen apps are currently participating, including Tinder, Duolingo, Dropbox, Snapchat, and Headspace... If you find a security vulnerability in one of the participating apps, you can report that vulnerability to the developer, and work with them to fix it. When the problem has been resolved, the Android Security team will pay you $1,000 as a reward, on top of any reward you get from the app developer. Google will be collecting data on the vulnerabilities and sharing it (anonymized) with other developers who may be exposed to the same problems. For HackerOne, it's about attracting more and better participants in bounty programs.Read Replies (0)
By EditorDavid from Slashdot's fake-credentials department
Here's some surprising news from the Akamia Edge conference. chicksdaddy writes:
[E]xecutives at some of the U.S.'s leading corporations agreed that the much maligned password won't be abandoned any time soon, even as data breaches and follow-on attacks make passwords more susceptible than ever to abuse, the Security Ledger reports. "We reached the end of needing passwords maybe seven years ago, but we still use them," said Steve Winterfeld, Director of Cybersecurity, at clothing retailer Nordstrom. "They're still the primary layer of defense."
"It's hard to kill them," noted Shalini Mayor, who is a Senior Director at Visa Inc. "The question is what to replace them with." This, even though the cost of using passwords is high and getting higher, as sophisticated attacks attempt to compromise legitimate accounts using so-called "credential stuffing" techniques, which use automated password guessing attacks against web-based applications... Stronger and more reliable alternatives to passwords already exist, but the obstacles to using them are often prohibitive. Shalani Mayor said Visa is "looking at" biometric technologies like Apple's TouchID as a tool for making payments securely. Such technologies -- from fingerprint scans to facial and retinal scans -- promise more secure and reliable factors than alphanumeric passwords, the executives agreed. But customers often resist the technologies or find them error prone or too difficult to use.Read Replies (0)
By EditorDavid from Slashdot's gettingi-schooled department
An anonymous reader quotes Ars Technica:
[O]ne of the most prominent institutions, New York's Flatiron School, will be shelling out $375,000 to settle charges brought by New York Attorney General Eric Schneiderman's office. The AG said the school operated for a period without the proper educational license, and it improperly marketed both its job placement rates and the salaries of its graduates. New York regulators didn't find any inaccuracies in Flatiron's "outcomes report," a document the company is proud of. However, the Attorney General's office found that certain statements made on Flatiron's website didn't constitute "clear and conspicuous" disclosure.
For instance, Flatiron claimed that 98.5 percent of graduates were employed within 180 days of graduation. However, only by carefully reading the outcomes report would one find that the rate included not just full-time employees, but apprentices, contract workers, and freelancers. Some of the freelancers worked for less than 12 weeks. The school also reported an average salary of $74,447 but didn't mention on its website that the average salary claim only applied to graduates who achieved full-time employment. That group comprised only 58 percent of classroom graduates and 39 percent of those who took online courses.
The school's courses last 12 to 16 weeks, and cost between $12,000 and $15,000, according to a statement from the attorney general's office [PDF]. (Or $1,500 a month for an onine coding class). Eligible graduate can claim their share of the $375,000 by filing a complaint within the next thee months.Read Replies (0)
By EditorDavid from Slashdot's pull-request department
The former Executive Director of the Free Software Foundation -- and Slashdot user #41121 -- contacted Slashdot with this announcement. bkuhn -- now president of the Software Freedom Conservancy --
writes: Software Freedom Conservancy, home of the GPL Compliance Project for Linux Developers, publicly applauded today the proposal of the Linux Kernel Enforcement Statement, which adds a per-copyright-holder-opt-in additional permission to the termination provisions of Linux's GPLv2-only license.
It apparently addresses a developer who "made claims based on ambiguities in the GPL-2.0 that no one in our community has ever considered part of compliance," according to a statement from some of the kernel developers who drafted the statement.
While the kernel community has always supported enforcement efforts to bring companies into compliance, we have never even considered enforcement for the purpose of extracting monetary gain... [W]e are aware of activity that has resulted in payments of at least a few million Euros. We are also aware that these actions, which have continued for at least four years, have threatened the confidence in our ecosystem. Because of this, and to help clarify what the majority of Linux kernel community members feel is the correct way to enforce our license, the Technical Advisory Board of the Linux Foundation has worked together with lawyers in our community, individual developers, and many companies that participate in the development of, and rely on Linux, to draft a Kernel Enforcement Statement to help address both this specific issue we are facing today, and to help prevent any future issues like this from happening again. It adopts the same termination provisions we are all familiar with from GPL-3.0 as an Additional Permission giving companies confidence that they will have time to come into compliance if a failure is identified.Read Replies (0)
By BeauHD from Slashdot's strongly-worded department
An anonymous reader quotes a report from Reuters: Nearly two dozen major companies in technology and other industries are planning to launch a coalition to demand legislation that would allow young, illegal immigrants a path to permanent residency, according to documents seen by Reuters. The Coalition for the American Dream intends to ask Congress to pass bipartisan legislation this year that would allow these immigrants, often referred to as "Dreamers," to continue working in the United States, the documents said. Alphabet Inc's Google, Microsoft Corp, Amazon.com Inc, Facebook Inc, Intel Corp, Uber Technologies Inc, IBM Corp, Marriott International Inc and other top U.S. companies are listed as members, one of the documents shows. The push for this legislation comes after President Donald Trump's September decision to allow the Deferred Action for Childhood Arrivals (DACA) program to expire in March. That program, established by former President Barack Obama in 2012, allows approximately 900,000 illegal immigrants to obtain work permits. Some 800 companies signed a letter to Congressional leaders after Trump's decision, calling for legislation protecting Dreamers. That effort was spearheaded by a pro-immigration reform group Facebook Chief Executive Mark Zuckerberg co-founded in 2013 called FWD.us.Read Replies (0)
By BeauHD from Slashdot's life-support department
Apple has refreshed just about every Mac product within the last couple of years -- except for the Mac Mini. Naturally, this has left many analysts questioning whether or not the company would be phasing out the Mini to focus more on its mobile devices. A MacRumors reader decided to email Apple CEO Tim Cook to get an update on the Mac mini and he received a response. Cook said it was "not time to share any details," but he confirmed that the Mac mini will be an important part of the company's product lineup in the future. MacRumors reports: Cook's response echoes a similar statement from Apple marketing chief Phil Schiller, who commented on the Mac mini when Apple's plans for a new Mac Pro were unveiled. "The Mac mini is an important product in our lineup and we weren't bringing it up because it's more of a mix of consumer with some pro use," he said. Positioned as a "bring your own peripherals" machine that comes without a mouse, keyboard, or display, the Mac mini is Apple's most affordable desktop machine. The current version is woefully outdated though, and continues to use Haswell processors and integrated Intel HD 5000/Intel Iris Graphics. It's not clear when Apple will introduce a new Mac mini, and aside from a single rumor hinting at a new high-end Mac mini with a redesign that "won't be so mini anymore," we've heard no rumors about work on a possible Mac mini refresh.Read Replies (0)
By BeauHD from Slashdot's green-economy department
Michael J. Coren reports via Quartz: Every two years, the U.S. Energy Information Administration (EIA), America's official source for energy statistics, issues 10-year projections about how much solar, wind and conventional energy the future holds for the U.S. Every two years, since the mid-1990s, the EIA's projections turn out to be wrong. Last year, they proved spectacularly wrong. The Natural Resources Defense Council, an environmental advocacy group, and Statista recently teamed up to analyze the EIA's predictions for energy usage and production. They found that the EIA's 10-year estimates between 2006 to 2016 systematically understated the share of wind, solar and gas. Solar capacity, in particular, was a whopping 4,813% more in 2016 than the EIA had predicted in 2006 it would be. To be fair, there is a caveat here: The prediction in 2006 was that 10 years hence the U.S. would be generating just 0.8 gigawatts (GW) of solar energy. With such a low baseline figure, any increase will look huge in percentage terms. Nonetheless, there is an unmistakable trend in the data: The EIA regularly underestimates the growth in renewables but overestimates U.S. fossil-fuel consumption, which some critics see as an attempt to boost the oil and gas industry.Read Replies (0)
By BeauHD from Slashdot's surprise-surprise department
An anonymous reader quotes a report from NPR: Having police officers wear little cameras seems to have no discernible impact on citizen complaints or officers' use of force, at least in the nation's capital. That's the conclusion of a study performed as Washington, D.C., rolled out its huge camera program. The city has one of the largest forces in the country, with some 2,600 officers now wearing cameras on their collars or shirts. In the wake of high-profile shootings, many police departments have been rapidly adopting body-worn cameras, despite a dearth of solid research on how the technology can change policing. "We need science, rather than our speculations about it, to try to answer and understand what impacts the cameras are having," says David Yokum, director of the Lab @ DC. His group worked with local police officials to make sure that cameras were handed out in a way that let the researchers carefully compare officers who were randomly assigned to get cameras with those who were not. The study ran from June 2015 to last December. It's to be expected that these cameras might have little impact on the behavior of police officers in Washington, D.C., he says, because this particular force went through about a decade of federal oversight to help improve the department.Read Replies (0)
By BeauHD from Slashdot's disgusting-behavior department
Freshly Exhumed writes: Axios is working to get details about a revelation on a government website that Vungle CEO Zain Jaffer is facing charges at the Maple Street Correctional Center in Redwood City, California of attempted murder, a lewd act on a child, oral copulation of a person under 14, child abuse, assault with a deadly weapon and battery upon an officer and emergency personnel. Vungle is self-described on its website as "the leading in-app video advertising platform for performance marketers," and was founded by Jaffer in 2011. Vungle has since issued a statement: "While we do not have any information that is not in the public record at this point, these are extremely serious allegations, and we are shocked beyond words. While these are only preliminary charges, they are obviously so serious that it led to the immediate removal of Mr. Jaffer from any operational responsibility at the company. The company stressed that this matter has nothing to do with Mr. Jaffer's former role at the company." Axios notes that "the San Francisco-based company has raised over $25 million in VC funding from firms like Google Ventures, Thomvest Ventures, Crosslink Capital, SoftTech VC and 500 Startups."Read Replies (0)
By BeauHD from Slashdot's cash-incentives department
theodp writes: The State of Arkansas will be handing out cash to high school students who pass an Advanced Placement test in computer science. "The purpose of the incentive program is to increase the number of qualifying scores (3, 4, or 5) on Advanced Placement Computer Science A exams," explained a press release for the Arkansas Advanced Placement Computer Science A Incentive Program (only 87 Arkansas public school students passed the AP CS A exam in 2016, according to College Board data). Gov. Asa Hutchinson added, "The Arkansas Department of Education's incentive for high scores on the AP Computer Science A exam is a terrific way to reward our students for their hard work in school. The real payoff for their hard work, of course, is when they show their excellent transcripts to potential employers who offer good salaries for their skills." The tiered monetary awards call for public school students receiving a top score of 5 on the AP CS A exam to receive $1,000, with another $250 going to their schools. Scores of 4 will earn students $750 and schools $150, while a score of 3 will result in a $250 payday for students and $50 for their schools. The program evokes memories of the College Board's Google-funded AP STEM Access program, which rewarded AP STEM teachers with a $100 DonorsChoose.org gift card for each student who received a 3, 4, or 5 on an AP exam. DonorsChoose.org credits were also offered later by tech-bankrolled Code.org and Google to teachers who got their students coding.Read Replies (0)
By BeauHD from Slashdot's Dropbox-for-cops department
tedlistens shares a report from Fast Company: Axon, the police supplier formerly known as Taser and now a leading maker of police body cameras, has also charged into police software with a service that allows police to manage and eventually analyze increasingly large caches of video, like a Dropbox for cops. Now it wants to add the public's video to the mix. An online tool called Citizen, set to launch later this year, will allow police to solicit the public for photos or video in the aftermath of suspected crimes and ingest them into Axon's online data platform. Todd Basche, Axon's executive vice president for worldwide products, said the tool was designed after the company conducted surveys of police customers and the public and found that potentially valuable evidence was not being collected. "They all pointed us to the need to collect evidence that's out there in the community."
[But] systems like Citizen still raise new privacy and policy questions, and could test the limits of already brittle police-community relations. Would Citizen, for instance, also be useful for gathering civilian evidence of incidents of police misconduct or brutality? [And how would ingesting citizen video into online police databases, like Axon's Evidence.com, allow police to mine it later for suspicious activity, in a sort of dragnet fashion?] "It all depends," says one observer, "on how agencies use the tool."Read Replies (0)
By BeauHD from Slashdot's safety-calendar department
An anonymous reader quotes a report from Ars Technica: In the beginning of 2017, Twitter said it would take on harassment and hate speech. CEO Jack Dorsey said the company would embrace a "completely new approach to abuse on Twitter" with open dialogue along the way. For months, though, the company has offered few details about what it would do, or when. That changed late yesterday, when Twitter posted a timeline with specific promises on actions it will take. The changes begin next week. On October 27, Twitter will expand what types of "non-consensual nudity" (aka "revenge porn") that it takes action against. The company will already act when a victim complains, but Twitter will soon act even in cases where the victims may not be aware images were taken, instances like upskirt photos and hidden webcams. "Anyone we identify as the original poster of non-consensual nudity will be suspended immediately," the October entry reads. On November 3, Twitter will ban hate imagery in profile headers and avatars, and the service will start suspending accounts "for organizations that use violence to advance their cause." The same day it will institute a policy of stopping "Unwanted Sexual Advances," although the company says it has already been taking enforcement actions on this front. Later in November, Twitter will ban "hateful display names."Read Replies (0)
By msmash from Slashdot's things-to-ponder department
An anonymous reader shares a report: Now that AlphaGo's arguably got nothing left to learn from humans -- now that its continued progress takes the form of endless training games against itself -- what do its tactics look like, in the eyes of experienced human players? We might have some early glimpses into an answer. AlphaGo Zero's latest games haven't been disclosed yet. But several months ago, the company publicly released 55 games that an older version of AlphaGo played against itself. (Note that this is the incarnation of AlphaGo that had already made quick work of the world's champions.) DeepMind called its offering a "special gift to fans of Go around the world." Since May, experts have been painstakingly analyzing the 55 machine-versus-machine games. And their descriptions of AlphaGo's moves often seem to keep circling back to the same several words: Amazing. Strange. Alien. "They're how I imagine games from far in the future," Shi Yue, a top Go player from China, has told the press. A Go enthusiast named Jonathan Hop who's been reviewing the games on YouTube calls the AlphaGo-versus-AlphaGo face-offs "Go from an alternate dimension." From all accounts, one gets the sense that an alien civilization has dropped a cryptic guidebook in our midst: a manual that's brilliant -- or at least, the parts of it we can understand. Will Lockhart, a physics grad student and avid Go player who codirected The Surrounding Game (a documentary about the pastime's history and devotees) tried to describe the difference between watching AlphaGo's games against top human players, on the one hand, and its self-paired games, on the other. According to Will, AlphaGo's moves against Ke Jie made it seem to be "inevitably marching toward victory," while Ke seemed to be "punching a brick wall." Any time the Chinese player had perhaps found a way forward, said Lockhart, "10 moves later AlphaGo had resolved it in such a simple way, and it was like, 'Poof, well that didn't lead anywhere!'" By contrast, AlphaGo's self-paired games might have seemed more frenetic. More complex. Lockhart compares them to "people sword-fighting on a tightrope."Read Replies (0)