By EditorDavid from Slashdot's false-flags department
There was some trouble last weekend at the world's largest package repository. An anonymous reader quotes the official npm blog:
On Saturday, January 6, 2018, we incorrectly removed the user floatdrop and blocked the discovery and download of all 102 of their packages on the public npm Registry. Some of those packages were highly depended on, such as require-from-string, and removal disrupted many users' installations... Within 60 seconds, it became clear that floatdrop was not a spammer -- and that their packages were in heavy use in the npm ecosystem. The staffer notified colleagues and we re-activated the user and began restoring the packages to circulation immediately. Most of the packages were restored quickly, because the restoration was a matter of unsetting the deleted tombstones in our database, while also restoring package data tarballs and package metadata documents. However, during the time between discovery and restoration, other npm users published a number of new packages that used the names of deleted packages. We locked this down once we discovered it, but cleaning up the overpublished packages and inspecting their contents took additional time...
By BeauHD from Slashdot's mature-audience department
chicksdaddy writes from The Security Ledger: Somebody deserves a spanking after personal information on thousands of users of an adult virtual reality game was exposed to security researchers in the UK by a balky application. Researchers at the firm Digital Interruption on Tuesday warned that an adult-themed virtual reality application, SinVR, exposes the names, email and other personal information via an insecure desktop application -- a potentially embarrassing security lapse. The company decided to go public with the information after being frustrated in multiple efforts to responsibly disclose the vulnerability to parent company inVR, Inc., Digital Interruption researcher and founder Jahmel Harris told The Security Ledger. Jahmel estimated that more than 19,000 records were leaked by the application, but did not have an exact count. SinVR is a sex-themed virtual reality game that allows players to navigate in various adult-themed environments and interact with virtual characters in common pornographic themes including BDSM, cosplay, naughty teacher, and so on. The company discovered the data after reverse-engineering the SinVR desktop application and noticing a function named "downloadallcustomers." That function called a web service that returned thousands of SinVR customer records including email addresses, user names, computer PC names and so on. Passwords and credit card details were not part of the data dump, Harris said.
By EditorDavid from Slashdot's releasing-the-kraken department
An anonymous reader quotes the San Francisco Chronicle:
One of the biggest cryptocurrency exchanges was down more than 40 hours this week, causing clients to freak out... San Francisco's Kraken went offline at 9 p.m. on Wednesday for maintenance that was initially scheduled to last two hours, plus an additional two to three hours for withdrawals, according to an announcement on the company's website. "We are still working to resolve the issues that we have identified and our team is working around the clock to ensure a smooth upgrade," according to a status update on Kraken's website posted early Friday. "This means it may still take several hours before we can relaunch." Shortly after noon, the company said it was "still working to track down an elusive bug which is holding up launch." It promised customers "a substantial amount of free trading" after the problem was resolved. In previous updates, Kraken mentioned it is working on "unexpected and delicate issues" and assured clients their funds were secure, adding that "Yes, this is our new record for downtime since we launched in 2013. No, we're not proud of it."
It's 45 hours after the downtime began, and their web page is still showing the same announcement.
"Kraken is presently offline for maintenance."
By BeauHD from Slashdot's first-of-its-kind department
dryriver shares a report from the BBC, highlighting "a new album that features everything from cowboy sci-fi to Europop." What's special about the album -- Hello World by Canadian singer Kiesza -- is that it's the first full-length mainstream music album co-written with the help of artificial intelligence. You can judge the quality for yourself: First, view the single "Hello Shadow" with Canadian singer Kiesza. Next, the BBC story, which seems to think that the album is actually rather good: "Benoit Carre has written songs for some of France's biggest stars: from Johnny Halliday -- the French Elvis, who died last year -- to chanteuse Francoise Hardy. But this month, the 47-year-old is releasing an album with a collaborator he could never have dreamt of working with. It's not a singer, or rapper. It's not even really a musician. It's called Flow Machines, and it is, arguably, the world's most advanced artificially-intelligent music program. For musicians, there's been one good thing about these projects so far: the music they've produced has been easy to dismiss, generic and uninspiring -- hardly likely to challenge Bob Dylan in the songwriting department. But Carre's album, Hello World, is different for the simple reason that it's good. Released under the name SKYGGE (Danish for shadow), it features everything from sci-fi cowboy ballads to Europop, and unlike most AI music, if you heard it on the radio, you wouldn't think something had gone horribly wrong. Flow Machines, developed at Sony's Computer Science Laboratories in Paris, does indeed write original melodies, Carre adds. It also suggests the chords and sounds to play them with. But Carre says a human is always needed to stitch the songs together, give them structure and emotion. Without people, its songs would be a bit rubbish. 'There were many people involved in this,' he says, listing the likes of Belgian house producer Stromae and Canadian pop star Kiesza. 'They gave their soul, their enthusiasm. I think that's the most important point of the album, in a way -- that it's a very human one.'"
By BeauHD from Slashdot's history-lesson department
An anonymous reader quotes a report from Quartz: With a few minor exceptions, there are really only two ways to say "tea" in the world. One is like the English term -- te in Spanish and tee in Afrikaans are two examples. The other is some variation of cha, like chay in Hindi. Both versions come from China. How they spread around the world offers a clear picture of how globalization worked before "globalization" was a term anybody used. The words that sound like "cha" spread across land, along the Silk Road. The "tea"-like phrasings spread over water, by Dutch traders bringing the novel leaves back to Europe. The term cha is "Sinitic," meaning it is common to many varieties of Chinese. It began in China and made its way through central Asia, eventually becoming "chay" in Persian. That is no doubt due to the trade routes of the Silk Road, along which, according to a recent discovery, tea was traded over 2,000 years ago. This form spread beyond Persia, becoming chay in Urdu, shay in Arabic, and chay in Russian, among others. It even made its way to sub-Saharan Africa, where it became chai in Swahili. The Japanese and Korean terms for tea are also based on the Chinese cha, though those languages likely adopted the word even before its westward spread into Persian. But that doesn't account for "tea." The te form used in coastal-Chinese languages spread to Europe via the Dutch, who became the primary traders of tea between Europe and Asia in the 17th century, as explained in the World Atlas of Language Structures. The main Dutch ports in east Asia were in Fujian and Taiwan, both places where people used the te pronunciation. The Dutch East India Company's expansive tea importation into Europe gave us the French the, the German Tee, and the English tea.
By BeauHD from Slashdot's new-and-not-so-approved department
The new Snapchat redesign that jams Stories in between private messages is not receiving a whole lot of praise. "In the few countries including the U.K., Australia, and Canada where the redesign is widely available, 83 percent of App Store reviews (1,941) for the update are negative with one or two stars, according to data by mobile analytics firm Sensor Tower," reports TechCrunch. "Just 17 percent, or 391 of the reviews, give it three to five stars." From the report: The most referenced keywords in the negative reviews include "new update," "Stories," and "please fix." Meanwhile, Snapchat's Support Twitter account has been busy replying to people who hate the update and are asking to uninstall it, noting "It's not possible to revert to a previous version of Snapchat," and trying to explain where Stories are to confused users. Hopes were that the redesign could boost Snapchat's soggy revenue, which fell short of Wall Street earnings expectations in Q3 and led to a loss of $443 million. The redesign mixes Stories, where Snapchat shows ads but which have seen stagnation in sharing rates amidst competition from Instagram Stories, into the more popular messaging inbox, where Snapchat's ephemeral messaging is more differentiated and entrenched.
By BeauHD from Slashdot's my-way-or-the-high-way department
shanen writes: Regarding politics, is there anything that Americans agree on? If so, it's probably something negative like "The system is broken," or "The leading candidates are terrible," or even "Your state is a shithole." With all our fancy technology, what's going wrong? Our computers are creating problems, not solutions. For example, gerrymandering relies on fancy computers to rig the maps. Negative campaigning increasingly relies on computers to target the attacks on specific voters. Even international attacks exploit the internet to intrude into elections around the world. Here are three of my suggested solutions, though I can't imagine any of today's politicians would ever support anything along these lines: (1) Guest voting: If you hate your district, you could vote in a neighboring district. The more they gerrymander, the less predictable the election results. (2) Results-based weighting: The winning candidates get more voting power in the legislature, reflecting how many people actually voted for them. If you win a boring and uncontested election where few people vote, then part of your vote in the legislature would be transferred to the winners who also had more real votes. (3) Negative voting: A voter could use an electronic ballot to make it explicit that the vote is negative, not positive. The candidate with the most positive or fewest negative votes still wins, but if the election has too many negative votes, then that "winner" would be penalized, perhaps with a half term rather than a full term. What wild and crazy ideas do you have for using computers to make elections better, not worse?
By BeauHD from Slashdot's fear-of-the-unknown department
A new poll was released today that basically repeats data we've seen in previous surveys: Americans still don't trust self-driving cars, and are nervous about the coming onslaught. The Verge reports: Asked how concerned they'd be to share the road with a driverless car, 31 percent said they'd be "very concerned," while 33 percent said "somewhat concerned," according to the poll which was just released by Advocates for Highway and Auto Safety. A majority (63 percent) said they would not support "mass exemptions" from federal motor vehicle safety standards for self-driving cars, and were not comfortable (75 percent) with automakers having the power to remotely disable vehicle controls, such as the steering wheel, and brake and gas pedals, when the autonomous vehicle is being operated by the computer. And people overwhelmingly support (75 percent) the U.S. Department of Transportation developing new standards related to driverless vehicles. The poll surveyed 1,005 adults between December 7-10th, 2017, with a margin of error of +/- 3.09 percent.
By BeauHD from Slashdot's brushed-under-the-rug department
Yesterday, it was reported that Apple's iCloud services in mainland China will be operated by a Chinese company from next month. What wasn't reported was the fact that Apple has included iCloud accounts that were opened in the U.S., are paid for using U.S. dollars and/or are connected to U.S.-based App Store accounts in the data that will be handled by local partner Guizhou-Cloud Big Data (GCBD) from February 28. TechCrunch reports: Apple has given China-based users the option to delete their data, but there is no opt out that allows them to have it stored elsewhere. That has concerned some users who are uneasy that the data migration is a sign of closer ties with the Chinese government, particularly since GCBD is owned by the Guizhou provincial government. When asked for comment, Apple pointed TechCrunch to its terms and conditions site which explains that it is migrating iCloud accounts based on their location: "The operation of iCloud services associated with Apple IDs that have China in their country or region setting will be subject to this transition. You will be notified of this transition via email and notifications on your devices. You don't need to take any further action and can keep using iCloud in China. After February 28, 2018, you will need to agree to the terms and conditions of iCloud operated by GCBD to keep using iCloud in China."
However, TechCrunch found instances of iCloud accounts registered overseas that were part of the migration. One user did find an apparent opt-out. That requires the user switching their iCloud account back to China, then signing out of all devices. They then switch their phone and iCloud settings to the U.S. and then, upon signing back into iCloud, their account will (seemingly) not be part of the migration. Opting out might be a wise move, as onlookers voice concern that a government-owned company is directly involved in storing user data.
By BeauHD from Slashdot's when-it-rains-it-pours department
An anonymous reader quotes a report from Ars Technica: Meltdown and Spectre are not the only security problems Intel is facing these days. Today, researchers at F-Secure have revealed another weakness in Intel's management firmware that could allow an attacker with brief physical access to PCs to gain persistent remote access to the system, thanks to weak security in Intel's Active Management Technology (AMT) firmware -- remote "out of band" device management technology installed on 100 million systems over the last decade, according to Intel. [T]he latest vulnerability -- discovered in July of 2017 by F-Secure security consultant Harry Sintonen and revealed by the company today in a blog post -- is more of a feature than a bug. Notebook and desktop PCs with Intel AMT can be compromised in moments by someone with physical access to the computer -- even bypassing BIOS passwords, Trusted Platform Module personal identification numbers, and Bitlocker disk encryption passwords -- by rebooting the computer, entering its BIOS boot menu, and selecting configuration for Intel's Management Engine BIOS Extension (MEBx).
If MEBx hasn't been configured by the user or by their organization's IT department, the attacker can log into the configuration settings using Intel's default password of "admin." The attacker can then change the password, enable remote access, and set the firmware to not give the computer's user an "opt-in" message at boot time. "Now the attacker can gain access to the system remotely," F-Secure's release noted, "as long as they're able to insert themselves onto the same network segment with the victim (enabling wireless access requires a few extra steps)."
By BeauHD from Slashdot's safe-guard department
Cyberthreat intelligence firm Check Point on Friday disclosed the existence of malicious code buried inside dozens of apps that displays pornographic images to users. Many of the apps are games reportedly geared toward young children. As a result, Google quickly removed the roughly 60 apps said to be affected from its Play Store. Gizmodo reports: While they appeared as such, the pornographic images displayed were not actually Google ads. Google supposedly maintains tight controls on all ads that appear in what it calls "Designed for Family" apps. The company also maintains a white-list of advertisers deemed safe for children under the age of 13. None of the affected apps were part of Google's "Family Link" program, which is the category of recognized kid-friendly apps available across Google's platforms. The malware, dubbed AdultSwine, is said to have displayed the highly inappropriate images while also attempting to trick users into installing a fake-security app, or "scareware." After the fake "ads" were delivered, users would've received a "Remove Virus Now" notification, or something similar, designed to provoke users into downloading the scareware. The affected gaming apps included at least one which may have had up to 5,000,000 downloads -- Five Nights Survival Craft -- as well as many others which had between 50,000 and 500,000 downloads.
By msmash from Slashdot's old-habits-die-hard department
An anonymous reader shares a report: Last summer, Ford worked with Domino's Pizza on a test in Ann Arbor, Michigan, where it delivered pizza to randomly chosen customers in a self-driving Ford Fusion hybrid. An operator was inside the car, and a regular human-driven car trailed behind, videotaping the drive. Customers had to approach the car and enter a number on a touch screen on the side of the vehicle to get their pizza. Speaking at CES, the annual consumer electronics show, in Las Vegas this week, Jim Farley, Ford's executive vice president, acknowledged that the idea sounds silly, "but we learned so freaking much," he said. Apparently, most people say "thank you" to the car after getting their pizza.