
The inner workings of surreal mechanical sculptures - CNET
For a new exhibit, artists bring creatures to colorful life though objects that are part toys, part art and part science.

Source: CNET News | 18 Nov 2017 | 8:01 am

Whimsical mechanical creatures spring to life, tell stories - CNET
These absurdist sculptures of people and animals explore the intersection of art and engineering -- and tell playful little tales while they're at it.

Source: CNET News | 18 Nov 2017 | 8:00 am

Pandemic Legacy: Season 2—The world’s “best board game” gets better

Welcome to Ars Cardboard, our weekend look at tabletop games! Check out our complete board gaming coverage at

How do you follow the most popular board game ever made?

In a world where three separate versions of Smurfs Monopoly exist, Pandemic Legacy: Season One (PL:S1) isn’t the biggest-selling game of all time—but it has topped the popularity charts at Board Game Geek since it was released. It’s as close to “universally loved” as it’s possible to get in this contrarian world.


Source: Ars Technica | 18 Nov 2017 | 8:00 am

HomePod delay clouds Apple’s smart speaker future - CNET
Apple is ceding the key holiday shopping season to Google and Amazon.

Source: CNET News | 18 Nov 2017 | 8:00 am

Pentagon contractor leaves social media spy archive wide open on Amazon


A Pentagon contractor left a vast archive of social-media posts on a publicly accessible Amazon account in what appears to be a military-sponsored intelligence-gathering operation that targeted people in the US and other parts of the world.

The three cloud-based storage buckets contained at least 1.8 billion scraped online posts spanning eight years, researchers from security firm UpGuard's Cyber Risk Team said in a blog post published Friday. The cache included many posts that appeared to be benign, many of them written by people in the US, a finding that raises privacy and civil-liberties questions. Facebook was one of the sites that originally hosted the scraped content. Other venues included soccer discussion groups and video game forums. Topics in the scraped content were extremely wide ranging and included Arabic-language posts mocking ISIS and Pashto-language comments made on the official Facebook page of Pakistani politician Imran Khan.

The scrapings were left in three Amazon Web Services S3 cloud storage buckets that were configured to allow access to anyone with an AWS account, which anybody can create for free. (In S3 terms this is a grant to the "Authenticated Users" group, which means every AWS account in the world, not just accounts belonging to the bucket's owner; it is no safer than anonymous access for anyone who wants in.) It's only the latest trove of sensitive documents left unsecured on Amazon. In recent months, UpGuard has also found private data belonging to Viacom, security firm TigerSwan, and defense contractor Booz Allen Hamilton similarly exposed. In Friday's post, UpGuard analyst Dan O'Sullivan wrote:
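The misconfiguration described above is mechanical to detect once you have the bucket's ACL and policy in hand. The following is an added example, not UpGuard's tooling and not code from the article: it takes the dict and JSON shapes that the S3 GetBucketAcl and GetBucketPolicy APIs return (for instance from boto3's get_bucket_acl() and get_bucket_policy()) and flags grants to AllUsers, to AuthenticatedUsers, or to a wildcard principal. Fetching the ACL and policy is left to the caller so the block runs offline against the constructed samples embedded in it; the bucket names and IDs in those samples are made up.

```python
"""Flag S3 bucket ACL grants and policy statements that expose a bucket to
everyone or to any AWS account holder.

Added example (not from the article or UpGuard). Inputs are the shapes returned
by the S3 GetBucketAcl / GetBucketPolicy APIs; the samples at the bottom are
constructed for illustration.
"""
import json

# Predefined S3 group grantees. AllUsers is anonymous access; AuthenticatedUsers
# is *any* AWS account anywhere, not just accounts in your organisation.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def acl_findings(acl: dict) -> list[str]:
    """One finding per ACL grant to AllUsers or AuthenticatedUsers.

    READ on a bucket ACL lets the grantee list the bucket's objects, which is
    enough to enumerate and then fetch a scraped-post archive like the one above.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        permission = grant.get("Permission")
        if grantee.get("URI") == ALL_USERS:
            findings.append(f"ACL grants {permission} to everyone (anonymous)")
        elif grantee.get("URI") == AUTHENTICATED_USERS:
            findings.append(f"ACL grants {permission} to any AWS account holder")
    return findings


def _is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_findings(policy_json: str) -> list[str]:
    """One finding per Allow statement whose Principal is the wildcard."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a policy may carry a single statement object
        statements = [statements]
    for statement in statements:
        if statement.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(statement.get("Principal")):
            continue
        actions = statement.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append(f"policy allows {', '.join(actions)} to any principal")
    return findings


# Constructed samples (not real buckets or IDs). The ACL is the pattern from the
# article: owner keeps FULL_CONTROL, and AuthenticatedUsers gets READ.
SAMPLE_ACL = {
    "Owner": {"ID": "0123456789abcdef-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
}

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

if __name__ == "__main__":
    for finding in acl_findings(SAMPLE_ACL) + policy_findings(SAMPLE_POLICY):
        print("EXPOSED:", finding)
```

The same two documents can be pulled with `aws s3api get-bucket-acl --bucket NAME` and `aws s3api get-bucket-policy --bucket NAME` and piped in. Note that a clean ACL is not sufficient on its own: a bucket policy with a wildcard principal, or per-object ACLs, can open a bucket whose bucket ACL looks fine, which is why the check covers both.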


Source: Ars Technica | 18 Nov 2017 | 7:30 am

Iconic hacker booted from conferences after sexual misconduct claims surface

John Draper, seen here in 2011. (credit: campuspartycolombia)

John Draper, a legendary figure in the world of pre-digital phone hacking known as "phreaking," has been publicly accused of inappropriate sexual behavior going back nearly two decades.

According to a new Friday report by BuzzFeed News, Draper, who is also known as "Captain Crunch," acted inappropriately with six adult men and minors between 1999 and 2007 during so-called "energy" exercises, which sometimes resulted in private invitations to his hotel room. There, Draper allegedly made unwanted sexual advances.

As a result of the new revelations, Draper, 74, is now no longer welcome at Defcon. Michael Farnum, the founder of HOU.SEC.CON, told Ars on Friday afternoon that Draper, who had been scheduled to speak in April 2018, was disinvited.


Source: Ars Technica | 18 Nov 2017 | 6:30 am

Best Black Friday deals for cord-cutters: Roku, Fire TV and more - CNET
Want to stream video or watch free over-the-air TV instead of paying for cable? Black Friday is the perfect time to upgrade your hardware.

Source: CNET News | 18 Nov 2017 | 5:00 am

Why wait for Black Friday? These Xbox One deals rock - CNET
We scoured the depths of the internet to find all the best Black Friday deals for all your Xbox needs.

Source: CNET News | 17 Nov 2017 | 8:48 pm

What to play this weekend: Star Wars, Pokemon and Skyrim - CNET
There's something for everyone this week. Even PlayStation Vita owners.

Source: CNET News | 17 Nov 2017 | 8:30 pm

Best pre-Black Friday deals you can get right now - CNET
Why wait? There are already some great deals out there -- without the need to wait in line at 4 a.m.

Source: CNET News | 17 Nov 2017 | 8:04 pm

Apple Park: Normal people like you can now visit - CNET
Apple's new visitor center opened to the public Friday, complete with special schwag and an AR-enabled model of the spaceship campus.

Source: CNET News | 17 Nov 2017 | 7:34 pm

NASA sees a crazy, angry storm swirl across Jupiter - CNET
Jupiter's stormy atmosphere does its best impression of a hellscape in an eye-popping Juno spacecraft image.

Source: CNET News | 17 Nov 2017 | 6:47 pm

Weekend code warriors prepare to clash in Codewarz

Obviously a Codewarz competitor. (credit: Alain Daussin/Getty Images)

If you didn't have any weekend plans yet—or maybe even if you did—and you're interested in scratching your programming itch, there's something to add to your calendar. Codewarz, a programming competition that presents participants with 24 coding challenges, is running its first live event starting at 1pm Eastern on November 18 and ending at 9pm on November 20.

This is not a hacking competition; it's strictly coding. Participants can use their language of choice as long as it's one of the 15 supported by the event: the various flavors of C, Python, Node.js, Scala, PHP, Go, Ruby, and even Bash. (Sorry, no one has asked them to support Ada or Eiffel yet.) There's no compiling required on the participant's side, either. Each submitted solution is run in a sandbox on a Linux machine for evaluation and scoring. And the challenges run the gamut from beginner (things like text parsing, math, and basic networking) to advanced (more advanced parsing and math, hashing, cryptography, and forensics challenges).

Scoring is straightforward. Each of the challenges has an expected output (checked through hash-matching), and matching that output equals success for whatever number of points a challenge is worth. The easiest challenges (such as a "Hello World" tutorial challenge) are worth 10 points, while the hardest are worth 250 points.


Source: Ars Technica | 17 Nov 2017 | 6:20 pm

This phone carrier is building its own smart speaker - CNET
Republic Wireless' smart speaker appears to take a calls-first mantra.

Source: CNET News | 17 Nov 2017 | 5:37 pm

Dealmaster: The Black Friday tech deals that might actually be worth buying

Get ready for lots of ads like this. (credit: Best Buy)

Brace yourself for Walmart fights and snarky tweets about capitalism, because Black Friday is nearly here. Once again, the day after Thanksgiving—and in many cases the days before that—will see retailers across the country pushing an avalanche of sales to the gift-needy public.

And once again, many of those “discounts” won’t be discounts at all. Year after year, the corporate holiday isn’t quite the deals bonanza it proclaims to be. Many of the devices on sale either won’t be priced significantly lower than they are at other points in the year or just won’t be worth buying to begin with.

After sorting through the early ad scans and retailer offers for this year’s Black Friday, we’re confident this trend will continue. That said, even if just a fraction of the several thousand sales on show are worth getting, that still leaves more than a few diamonds in the rough.


Source: Ars Technica | 17 Nov 2017 | 4:30 pm

How to fix a program without the source code? Patch the binary directly


When a company like Microsoft needs to fix a security flaw in one of its products, the process is normally straightforward: determine where the bug lies, change the program's source code to fix the bug, and then recompile the program. But it looks like the company had to step outside this typical process for one of the flaws it patched this Tuesday. Instead of fixing the source code, it appears that the company's developers made a series of careful changes directly to the buggy program's executable file.

Bug CVE-2017-11882 is a buffer overflow in the ancient Equation Editor that comes with Office. The Equation Editor allocates a fixed-size piece of memory to hold a font name and then copies the font name from the equation file into this piece of memory. It doesn't, however, check to ensure that the font name will fit into this piece of memory. When provided with a font name that's too long, the Equation Editor overflows the buffer, corrupting its own memory, and an attacker can use this to execute arbitrary malicious code.

Curious how a buffer overflow works? Previously on Ars we did a deep-dive explanation. (video link)
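To make the bug class concrete, here is an added simulation, not Microsoft's code and not the real Equation Editor memory layout: a bytearray stands in for a stack frame holding a fixed-size font-name buffer followed by the saved return address. The 40-byte capacity, the 32-bit little-endian layout and the placeholder return value are assumptions for illustration. The unchecked copy mirrors the flaw described above, and the checked copy is the length test a source-level fix would add.

```python
"""Simulation of the CVE-2017-11882 bug class: an equation file's font name is
copied into a fixed-size buffer without a length check.

Added example. A bytearray models a stack frame: FONT_NAME_CAPACITY bytes of
font-name buffer followed by a 4-byte saved return address. The capacity, the
32-bit little-endian layout and the placeholder return value are assumptions,
not the real Equation Editor layout.
"""
import struct

FONT_NAME_CAPACITY = 40       # assumed fixed buffer size
SAVED_RETURN = 0x00401000     # placeholder "return address" sitting right after the buffer


def build_frame() -> bytearray:
    """A fresh frame: zeroed font-name buffer, then the saved return address."""
    return bytearray(FONT_NAME_CAPACITY) + bytearray(struct.pack("<I", SAVED_RETURN))


def saved_return(frame: bytearray) -> int:
    """Read back whatever currently sits in the return-address slot."""
    return struct.unpack_from("<I", frame, FONT_NAME_CAPACITY)[0]


def copy_font_name_unchecked(frame: bytearray, font_name: bytes) -> None:
    """The vulnerable pattern (strcpy-like): copy until the source runs out.

    Bytes 40..43 of a long name land in the return-address slot, so a crafted
    equation file chooses where execution continues. Writes beyond the modelled
    frame raise IndexError, the simulation's stand-in for a crash.
    """
    for offset, byte in enumerate(font_name):
        frame[offset] = byte


def copy_font_name_checked(frame: bytearray, font_name: bytes) -> None:
    """The fix: refuse names that do not fit before touching the buffer."""
    if len(font_name) > FONT_NAME_CAPACITY:
        raise ValueError(
            f"font name is {len(font_name)} bytes, buffer holds {FONT_NAME_CAPACITY}")
    frame[:len(font_name)] = font_name


def checked_copy_rejects(font_name: bytes) -> bool:
    """True if the hardened copy refuses this font name."""
    try:
        copy_font_name_checked(build_frame(), font_name)
    except ValueError:
        return True
    return False


# Constructed "font names": a benign one, and one sized so that its last four
# bytes overwrite the return-address slot with 0xDEADBEEF.
BENIGN_NAME = b"Times New Roman"
OVERFLOWING_NAME = b"A" * FONT_NAME_CAPACITY + struct.pack("<I", 0xDEADBEEF)

if __name__ == "__main__":
    frame = build_frame()
    copy_font_name_unchecked(frame, BENIGN_NAME)
    print(f"benign name, saved return: {saved_return(frame):#010x}")
    frame = build_frame()
    copy_font_name_unchecked(frame, OVERFLOWING_NAME)
    print(f"overlong name, saved return: {saved_return(frame):#010x}")
    print("checked copy rejects overlong name:", checked_copy_rejects(OVERFLOWING_NAME))
```

The checked version is what a recompile from fixed source would produce; patching the shipped binary instead, as the article describes, has to squeeze the equivalent length test into the existing machine code, which is why it is the unusual route.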


Source: Ars Technica | 17 Nov 2017 | 4:24 pm

Hairy situation: DC’s rail system may be taken down by human shedding

The DC Metro, when it's not on fire. (credit: Getty | Bill Clark)

For residents of our nation’s capital, news of a fire on the city’s rapid transit system—the Washington Metro—is not surprising. It catches fire and smokes quite regularly. At some points last year, there were reports of more than four fires per week (although there’s some dispute about that rate). There’s even the handy site——to check the current blaze status.

Yet, despite the common occurrence, residents may be surprised to learn a potential contributor to the system-wide sizzling: their own hair.

According to a safety specialist with the Amalgamated Transit Union (ATU), a thick, felt-like layer of human hair, skin, and other debris has collected on the aging tracks of the city's rails. In particular, hair has built up on insulators supporting the transit system's electrified third rails, which run cables carrying 750 volts of electricity to power the trains. The hair coating delivers a real threat of electrical sparks and fire.


Source: Ars Technica | 17 Nov 2017 | 3:45 pm

Argentine Navy diesel sub disappears, NASA plane joins in search


The US Navy and NASA have joined the search for an Argentine Armada (navy) diesel-electric attack submarine—the ARA San Juan (S-42)—and its crew of 44 sailors missing in the Southern Argentine Sea. The last contact with the TR-1700 class sub, built in 1983 by the German shipbuilder Thyssen Nordseewerke, was on November 15.

NASA has dispatched a modified P-3 Orion patrol plane—previously used by the Navy for submarine hunting—to aid in the search. The P-3 is equipped with a magnetic anomaly detector (or magnetometer), a gravimeter for detecting small fluctuations in the Earth's gravity, infrared cameras, and other sensors for measuring ice thickness. With that array, the P-3 may be able to detect the submerged submarine.


Source: Ars Technica | 17 Nov 2017 | 2:42 pm

Tax bill that passed the House would cripple training of scientists

Whatever you made in that flask, it's going to cost you. (credit: Oak Ridge National Lab)

Yesterday, the US House of Representatives passed its version of a tax bill that would drop corporate tax rates and alter various deductions. While most of the arguments about the bill have focused on which tax brackets will end up paying more, an entire class of individuals appears to have been specifically targeted with a measure that could raise their tax liability by 300 percent or more: graduate student researchers. If maintained, the changes could be crippling for research in the US.

Tuition waivers

Many graduate programs in areas like business, medicine, and law can afford to charge high tuitions. That's in part because these degrees are in high demand and in part because the students know that they'll have the potential to earn very large salaries after graduation.

PhD programs are nothing like this. Despite typically taking five to six years to complete, a PhD student is only likely to earn in the area of $44,000 after graduation if they're funded by the National Institutes of Health. Even four years of additional experience doesn't raise the salary above $50,000. As such, charging them tuition would leave them with no way to possibly pay back their student loans. Doing so would almost certainly discourage anyone but the independently wealthy from attending research-focused graduate programs.


Source: Ars Technica | 17 Nov 2017 | 2:33 pm

Man gets threats—not bug bounty—after finding DJI customer data in public view

A security researcher says he was trying to play fair with DJI's bug bounty program. DJI calls him a hacker who exposed customer data.

DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private key for the "wildcard" TLS certificate covering all the company's Web domains, along with the access keys for its cloud storage accounts on Amazon Web Services, exposed in code posted publicly to GitHub. Using those credentials, researcher Kevin Finisterre was able to access flight-log data and images uploaded by DJI customers, including photos of government IDs, driver's licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.

Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback—including a threat of charges under the Computer Fraud and Abuse Act (CFAA). DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, "Why I walked away from $30,000 of DJI bounty money."


DJI launched its bug bounty this fall shortly after the US Army issued a ban on using DJI drones for any military purpose due to "operational security" concerns. There were also spreading reports of people hacking the firmware of DJI drones, including hacks that Finisterre himself had posted to GitHub. But according to Finisterre, the program was clearly rushed out. The company did not, and has yet to, define the scope of the bounty program publicly. So when Finisterre discovered that DJI's SSL certificates and firmware AES encryption keys had been exposed through searches on GitHub, in some cases for as long as four years, he contacted the company to see if its servers were within the scope of the bug bounty program. He was told they were, a statement that DJI officials would later walk back.
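The exposure above is the kind a routine scan of a repository (and of its full history, since a deleted file is still in every earlier commit and every fork) would have caught. The following is an added example, not DJI's or Finisterre's code: a small scanner for the two secret types the article names, PEM private keys and AWS access keys, run over a constructed sample. The regular expressions are assumptions that cover the common formats rather than a complete secret-detection ruleset, and the sample uses the placeholder key values from AWS's own documentation, not real credentials.

```python
"""Scan text (a file, a diff, or `git log -p --all` output) for committed
secrets of the kinds described in the article: PEM private keys and AWS keys.

Added example, not DJI's or Finisterre's code. PATTERNS are assumptions that
cover common formats, not an exhaustive ruleset.
"""
import re
import sys

PATTERNS = {
    # Any PEM private key header: "RSA", "EC", "OPENSSH", "ENCRYPTED" or plain PKCS#8.
    "private_key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    # AWS access key IDs: 20 chars, AKIA for long-term keys, ASIA for temporary ones.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # AWS secret access keys are 40 base64-style chars; require an assignment
    # context ("aws_secret_access_key = ...") to keep false positives down.
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key[\"']?\s*[:=]\s*[\"']?"
        r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
}


def find_secrets(text: str) -> list[tuple[int, str]]:
    """Return (line_number, kind) for every line matching a secret pattern."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((number, kind))
    return hits


# Constructed sample: the access key and secret are the placeholder values from
# AWS documentation, and the PEM body is not a real key.
SAMPLE = """\
# constructed sample file, not real credentials
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-----BEGIN RSA PRIVATE KEY-----
MIIEexampleexampleexample
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Read a diff or file from stdin when piped, otherwise scan the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for number, kind in find_secrets(text):
        print(f"line {number}: {kind}")
```

Run it as `git log -p --all | python scan.py` to cover every commit on every branch, not just the working tree. A hit means rotation, not just deletion: reissue the certificate and revoke the old one, rotate the AWS keys, and treat any firmware key as compromised, because the history is already mirrored in clones and forks you do not control.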


Source: Ars Technica | 17 Nov 2017 | 1:30 pm