By BeauHD from Slashdot's proof-of-concept department
An anonymous reader quotes a report from ZDNet: A slew of newly discovered vulnerabilities can wreak havoc on 4G LTE network users by eavesdropping on phone calls and text messages, knocking devices offline, and even spoofing emergency alerts. Ten attacks detailed in a new paper by researchers at Purdue University and the University of Iowa expose weaknesses in three critical protocol operations of the cellular network, such as securely attaching a device to the network and maintaining a connection to receive calls and messages. Those flaws can allow authentication relay attacks that can allow an adversary to connect to a 4G LTE network by impersonating an existing user -- such as a phone number. Although authentication relay attacks aren't new, this latest research shows that they can be used to intercept messages, track a user's location, and stop a phone from connecting to the network. By using common software-defined radio devices and open source 4G LTE protocol software, anyone can build the tool to carry out attacks for as little as $1,300 to $3,900, making the cost low enough for most adversaries. The researchers aren't releasing the proof-of-concept code until the flaws are fixed, however.
By BeauHD from Slashdot's denial-of-service department
A 1.35 terabit-per-second DDoS attack hit GitHub all at once last Wednesday. "It was the most powerful distributed denial of service attack recorded to date -- and it used an increasingly popular DDoS method, no botnet required," reports Wired. From the report: GitHub briefly struggled with intermittent outages as a digital system assessed the situation. Within 10 minutes it had automatically called for help from its DDoS mitigation service, Akamai Prolexic. Prolexic took over as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centers to weed out and block malicious packets. After eight minutes, attackers relented and the assault dropped off. "We modeled our capacity based on five times the biggest attack that the internet has ever seen," Josh Shaul, vice president of web security at Akamai told WIRED hours after the GitHub attack ended. "So I would have been certain that we could handle 1.3 Tbps, but at the same time we never had a terabit and a half come in all at once. It's one thing to have the confidence. It's another thing to see it actually play out how you'd hope."
Akamai defended against the attack in a number of ways. In addition to Prolexic's general DDoS defense infrastructure, the firm had also recently implemented specific mitigations for a type of DDoS attack stemming from so-called memcached servers. These database caching systems work to speed networks and websites, but they aren't meant to be exposed on the public internet; anyone can query them, and they'll likewise respond to anyone. About 100,000 memcached servers, mostly owned by businesses and other institutions, currently sit exposed online with no authentication protection, meaning an attacker can access them, and send them a special command packet that the server will respond to with a much larger reply.
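The reflection mechanics Wired describes above, as an added example that is not part of the Wired report or of Akamai's tooling: a small Python script that builds the memcached UDP request frame an attacker spoofs toward a victim, reassembles the multi-datagram reply, measures the amplification factor, and flags netflow-style records that look like memcached reflection. The frame layout (an 8-byte header of request ID, sequence number, datagram count and a reserved word, all big-endian, followed by the text command) is memcached's documented UDP framing; the sample reply and flow records are constructed here and are far smaller than a real `stats` reply.

```python
import struct
from typing import Dict, List, Tuple

# Memcached UDP frame header (8 bytes, network byte order):
#   request ID | sequence number | total datagrams in reply | reserved (0)
HEADER = struct.Struct("!HHHH")
MEMCACHED_UDP_PORT = 11211


def build_udp_request(command: bytes, request_id: int = 1) -> bytes:
    """Wrap a text-protocol command in a single-datagram UDP frame.

    A reflector attack sends exactly this frame with the victim's address
    forged as the UDP source, so the server's much larger reply is delivered
    to the victim instead of to the sender.
    """
    if not command.endswith(b"\r\n"):
        command += b"\r\n"
    return HEADER.pack(request_id, 0, 1, 0) + command


def parse_udp_response(datagram: bytes) -> Tuple[int, int, int, bytes]:
    """Split one reply datagram into (request_id, seq, total, payload)."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the 8-byte memcached header")
    request_id, seq, total, _reserved = HEADER.unpack_from(datagram)
    return request_id, seq, total, datagram[HEADER.size:]


def reassemble_response(datagrams: List[bytes]) -> bytes:
    """Join a multi-datagram reply in sequence order, checking it is complete."""
    parsed = sorted(parse_udp_response(d) for d in datagrams)
    if not parsed:
        raise ValueError("no datagrams")
    request_id, total = parsed[0][0], parsed[0][2]
    if [p[1] for p in parsed] != list(range(total)) or any(p[0] != request_id for p in parsed):
        raise ValueError("incomplete or mixed reply")
    return b"".join(p[3] for p in parsed)


def amplification_factor(request: bytes, datagrams: List[bytes]) -> float:
    """Bytes delivered to the victim per byte the attacker had to send."""
    return sum(len(d) for d in datagrams) / len(request)


def flag_reflection_flows(flows: List[Dict], min_bytes: int = 100_000) -> List[Tuple[str, str]]:
    """Return (reflector, victim) pairs for sizeable UDP flows sourced from port 11211.

    Legitimate memcached clients live on internal networks, so a large UDP flow
    from port 11211 toward an address you serve is reflection traffic.
    """
    hits = []
    for f in flows:
        if f["proto"] == "udp" and f["src_port"] == MEMCACHED_UDP_PORT and f["bytes"] >= min_bytes:
            hits.append((f["src"], f["dst"]))
    return sorted(hits)


# Constructed sample data: a "stats" probe and a two-datagram reply, listed out
# of order to exercise reassembly.  A real stats reply is a kilobyte or more.
SAMPLE_REQUEST = build_udp_request(b"stats")
SAMPLE_RESPONSES = [
    HEADER.pack(1, 1, 2, 0) + b"STAT bytes 20480\r\nSTAT curr_items 17\r\nEND\r\n",
    HEADER.pack(1, 0, 2, 0) + b"STAT pid 4242\r\nSTAT uptime 86400\r\nSTAT version 1.4.15\r\n",
]
# Constructed netflow-style records (documentation addresses from RFC 5737).
SAMPLE_FLOWS = [
    {"proto": "udp", "src": "203.0.113.10", "src_port": 11211, "dst": "198.51.100.5", "dst_port": 443, "bytes": 1_400_000},
    {"proto": "udp", "src": "203.0.113.11", "src_port": 11211, "dst": "198.51.100.5", "dst_port": 443, "bytes": 1_350_000},
    {"proto": "tcp", "src": "10.0.0.8", "src_port": 11211, "dst": "10.0.0.9", "dst_port": 50123, "bytes": 900},
    {"proto": "udp", "src": "192.0.2.7", "src_port": 53, "dst": "198.51.100.5", "dst_port": 443, "bytes": 120},
]

if __name__ == "__main__":
    payload = reassemble_response(SAMPLE_RESPONSES)
    print(f"request: {len(SAMPLE_REQUEST)} bytes, reply payload: {len(payload)} bytes")
    print(f"amplification factor: {amplification_factor(SAMPLE_REQUEST, SAMPLE_RESPONSES):.1f}x")
    for reflector, victim in flag_reflection_flows(SAMPLE_FLOWS):
        print(f"memcached reflection: {reflector} -> {victim}")
```

On the server side the fix is to not answer UDP at all: start memcached with `-U 0` (and bind it to an internal address with `-l 127.0.0.1` or the private interface); memcached 1.5.6 ships with the UDP listener disabled by default. At the network edge, dropping or rate-limiting inbound UDP with source port 11211 stops the reflected traffic before it reaches the target.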
By BeauHD from Slashdot's new-and-improved department
Frederic Lardinois reports via TechCrunch: Hangouts Chat, Google's take on modern workplace communication, is now generally available and is becoming a core part of G Suite. Hangouts Chat was first announced at Google Cloud Next 2017, together with Hangouts Meet. While Meet went right into public availability, though, Chat went into an invite-only preview. Now, Google is rolling Chat out to all G Suite users over the course of the next seven days (so if you don't see it yet, don't despair). For all intents and purposes, Hangouts Chat is Google's take on Slack, Microsoft Teams and similar projects. Since Google first announced this project, Atlassian also joined the fray with the launch of Stride. Like its competitors, Chat is available on iOS, Android and the web. Chat currently supports 28 languages and each room can have up to 8,000 members. What's maybe just as important, though, is that Google has already built an ecosystem of partners that are integrating with Chat by offering their own bots. They include the likes of Xero, RingCentral, UberConference, Salesforce, Zenefits, Zoom.ai, Jira, Trello, Wrike and Kayak. There's even a Giphy bot. Developers can also build their own bots and integrate their own services with Chat.
By EditorDavid from Slashdot's minimum-wages department
An MIT study using data from more than 1,100 Uber and Lyft drivers concluded they're earning a median pretax profit of just $3.37 per hour. But now Reuters reports:
Uber Chief Executive Dara Khosrowshahi criticized the MIT study in a tweet on Friday as "Mathematically Incompetent Theories (at least as it pertains to ride-sharing)," and linked to a response by Uber chief economist Jonathan Hall that challenged the study's methodology. Hall's rebuttal to the study said the likely misinterpretation of a survey question and the study's "inconsistent logic" produced a wage result that was below similar studies elsewhere. He said the study used a "flawed methodology" compared with a survey that found drivers' average hourly earnings were $15.68. "The earnings figures suggested in the paper are less than half the hourly earnings numbers reported in the very survey the paper derives its data from," wrote Hall.
The MIT study's lead author, Stephen Zoepf, told Reuters in an email on Saturday, "I can see how the question on revenue might have been interpreted differently by respondents" and called Hall's rebuttal thoughtful. "I'm re-running the analysis this weekend using Uber's more optimistic assumptions and should have new results and a public response acknowledging the discrepancy by Monday," he wrote.
Saturday Uber's CEO tweeted a thank-you to MIT, "for listening and revisiting this study and its findings. Right thing to do."
By BeauHD from Slashdot's detailed-analysis department
An anonymous reader quotes a report from the BBC: Scientists say diabetes is five separate diseases, and treatment could be tailored to each form. Diabetes, or uncontrolled blood sugar levels, is normally split into type 1 and type 2. But researchers in Sweden and Finland think the more complicated picture they have uncovered will usher in an era of personalized medicine for diabetes. The study, by Lund University Diabetes Centre in Sweden and the Institute for Molecular Medicine Finland, looked at 14,775 patients including a detailed analysis of their blood. The results, published in The Lancet Diabetes and Endocrinology, showed the patients could be separated into five distinct clusters:
Cluster 1 - severe autoimmune diabetes is broadly the same as the classical type 1 -- it hit people when they were young, seemingly healthy and an immune disease left them unable to produce insulin
Cluster 2 - severe insulin-deficient diabetes patients initially looked very similar to those in cluster 1 -- they were young, had a healthy weight and struggled to make insulin, but the immune system was not at fault
Cluster 3 - severe insulin-resistant diabetes patients were generally overweight and making insulin but their body was no longer responding to it
Cluster 4 - mild obesity-related diabetes was mainly seen in people who were very overweight but metabolically much closer to normal than those in cluster 3
Cluster 5 - mild age-related diabetes patients developed symptoms when they were significantly older than in other groups and their disease tended to be milder
By BeauHD from Slashdot's mixed-bag department
Kirsten Grind and Douglas MacMillan report via The Wall Street Journal (Warning: source may be paywalled; alternative source): YouTube last year stopped hiring white and Asian males for technical positions because they didn't help the world's largest video site achieve its goals for improving diversity, according to a civil lawsuit filed by a former employee. The lawsuit, filed by Arne Wilberg, a white male who worked at Google for nine years, including four years as a recruiter at YouTube, alleges the division of Alphabet's Google set quotas for hiring minorities. Last spring, YouTube recruiters were allegedly instructed to cancel interviews with applicants who weren't female, black or Hispanic, and to "purge entirely" the applications of people who didn't fit those categories, the lawsuit claims.
A Google spokeswoman said the company will vigorously defend itself in the lawsuit. "We have a clear policy to hire candidates based on their merit, not their identity," she said in a statement. "At the same time, we unapologetically try to find a diverse pool of qualified candidates for open roles, as this helps us hire the best people, improve our culture, and build better products." People familiar with YouTube's and Google's hiring practices in interviews corroborated some of the lawsuit's allegations, including the hiring freeze of white and Asian technical employees, and YouTube's use of quotas.
By BeauHD from Slashdot's false-advertising department
The Australian government is currently considering a bill that would make it illegal for internet service providers to exaggerate speeds, or else face a fine of up to $1 million. "One constituent says he's being charged for a 25 megabit per second download speed and a five megabit per second upload and he's actually getting less than one tenth of that," said Andrew Wilkie, the Member of Parliament who introduced the bill. "In other words, people are getting worse than dial-up speed when they've been promised a whizz-bang, super-fast connection." Motherboard reports: Internet speeds can vary based on how many people are on the network and even the hardware you use, but while we can't expect ISPs to deliver maximum speed 100 percent of the time, previous probes into their performance have shown many ISPs in the U.S. aren't delivering even the minimum advertised speeds a majority of the time for the average user. Under the proposed Australian law, ISPs are simply required to be more transparent about what consumers can expect with a specific plan. Rather than advertising only the maximum speeds, they would have to include typical speeds for the average user, indicate busy periods, and clearly list any other factors that might impact service. The bill was only introduced this week, so it's yet to be seen if it will gain traction.
By EditorDavid from Slashdot's ready-Player-Two department
Remember when the World Health Organization moved to define a new disease called "gaming disorder"? An anonymous reader quotes Motherboard:
Multiple video game lobbying groups from around the world have banded together to push back against the classification, and 36 academics, scientists, doctors, and researchers have drafted a paper that called the WHO's methodology and motives into question. The professionals will publish the paper, titled "Weak Basis for Gaming Disorder," in an upcoming issue of Journal of Behavioral Addictions. The article is a collection of well reasoned arguments against classifying "gaming disorder" as a disease, complete with references to extant research...
"We agree that there are some people whose play of video games is related to life problems," said the article's abstract. "However, moving from research construct to formal disorder requires a much stronger evidence base than we currently have"... To be clear, the article doesn't argue that something isn't going on and that gaming addiction isn't real and isn't a problem. It just thinks that rushing to define it and put it in the ICD is a bad idea.
By EditorDavid from Slashdot's nasty-nor'easter department
An anonymous reader quotes the Associated Press:
Tens of thousands of utility workers in the Northeast raced to restore power to more than 1.5 million homes and businesses just days after a powerful nor'easter caused flooding and wind damage from Virginia to Maine... Flood waters had receded in most areas, but Friday's storm had taken huge chunks out of the coastline in Massachusetts and other states... Residents in other areas, meanwhile, bailed out basements and surveyed the damage while waiting for power to be restored, a process that power companies warned could take days in some areas.
Power outages on the East Coast dipped by about 500,000 from a peak of 2 million earlier Saturday, but officials said lingering wind gusts were slowing repair efforts. The storm's aftermath also was still affecting travel, with airports from Washington, D.C. to Boston reporting dozens of delays and cancellations, while service was slowly returning to normal on rail systems throughout the region... The death toll from the storm increased by four, with authorities saying at least nine people had lost their lives.
Airlines canceled more than 2,800 flights, according to the Associated Press, while Amtrak suspended service along the northeast corridor (though it's saying they should all return to service on Sunday).
CNN reported roughly 1 in 4 Americans were in the storm's path, facing winds as high as 50 mph, while the Associated Press reports gusts up to 90 mph on Cape Cod.
By EditorDavid from Slashdot's see-attachments department
An anonymous reader quotes Ars Technica:
A major dust-up on an Internet discussion forum is touching off troubling questions about the security of some browser-trusted HTTPS certificates when it revealed the CEO of a certificate reseller emailed a partner the sensitive private keys for 23,000 TLS certificates. The email was sent on Tuesday by the CEO of Trustico, a UK-based reseller of TLS certificates issued by the browser-trusted certificate authorities Comodo and, until recently, Symantec...
In communications earlier this month, Trustico notified DigiCert that 50,000 Symantec-issued certificates Trustico had resold should be mass revoked because of security concerns. When Jeremy Rowley, an executive vice president at DigiCert, asked for proof the certificates were compromised, the Trustico CEO emailed the private keys of 23,000 certificates, according to an account posted to a Mozilla security policy forum. The report produced a collective gasp among many security practitioners who said it demonstrated a shockingly cavalier treatment of the digital certificates that form one of the most basic foundations of website security... In a statement, Trustico officials said the keys were recovered from "cold storage," a term that typically refers to offline storage systems. "Trustico allows customers to generate a Certificate Signing Request and Private Key during the ordering process," the statement read. "These Private Keys are stored in cold storage, for the purpose of revocation."
"There's no indication the email was encrypted," reports Ars Technica, and the next day DigiCert sent emails to Trustico's 23,000+ customers warning that their certificates were being revoked, according to Bleeping Computer.
In a related development, Thursday Trustico's web site went offline, "shortly after a website security expert disclosed a critical vulnerability on Twitter that appeared to make it possible for outsiders to run malicious code on Trustico servers."
By msmash from Slashdot's holding-companies-accountable department
The European Union issued internet giants an ultimatum to remove illegal online terrorist content within an hour, or risk facing new EU-wide laws. From a report: The European Commission on Thursday issued a set of recommendations for companies and EU nations that apply to all forms of illegal internet material, "from terrorist content, incitement to hatred and violence, child sexual abuse material, counterfeit products and copyright infringement. Considering that terrorist content is most harmful in the first hours of its appearance online, all companies should remove such content within one hour from its referral as a general rule." The commission last year called upon social media companies, including Facebook, Twitter and Google owner Alphabet, to develop a common set of tools to detect, block and remove terrorist propaganda and hate speech. Thursday's recommendations aim to "further step up" the work already done by governments and push firms to "redouble their efforts to take illegal content off the web more quickly and efficiently."