Welcome to Ars Cardboard, our weekend look at tabletop games! Check out our complete board gaming coverage at cardboard.arstechnica.com.
How do you follow the most popular board game ever made?
In a world where three separate versions of Smurfs Monopoly exist, Pandemic Legacy: Season One (PL:S1) isn’t the biggest-selling game of all time—but it has topped the popularity charts at Board Game Geek since it was released. It’s as close to “universally loved” as it’s possible to get in this contrarian world.
Source: Ars Technica | 18 Nov 2017 | 8:00 am
A Pentagon contractor left a vast archive of social-media posts on a publicly accessible Amazon account in what appears to be a military-sponsored intelligence-gathering operation that targeted people in the US and other parts of the world.
The three cloud-based storage buckets contained at least 1.8 billion scraped online posts spanning eight years, researchers from security firm UpGuard's Cyber Risk Team said in a blog post published Friday. The cache included many posts that appeared to be benign, and in many cases they came from people in the US, a finding that raises privacy and civil-liberties questions. Facebook was one of the sites that originally hosted the scraped content. Other venues included soccer discussion groups and video game forums. Topics in the scraped content were extremely wide ranging and included Arabic-language posts mocking ISIS and Pashto-language comments made on the official Facebook page of Pakistani politician Imran Khan.
The scrapings were left in three Amazon Web Services S3 cloud storage buckets that were configured to allow access to anyone with a freely available AWS account. It's only the latest trove of sensitive documents left unsecured on Amazon. In recent months, UpGuard has also found private data belonging to Viacom, security firm TigerSwan, and defense contractor Booz Allen Hamilton similarly exposed. In Friday's post, UpGuard analyst Dan O'Sullivan wrote:
Source: Ars Technica | 18 Nov 2017 | 7:30 am
John Draper, a legendary figure in the world of pre-digital phone hacking known as "phreaking," has been publicly accused of inappropriate sexual behavior going back nearly two decades.
According to a new Friday report by BuzzFeed News, Draper, who is also known as "Captain Crunch," acted inappropriately with six adult men and minors between 1999 and 2007 during so-called "energy" exercises, which sometimes resulted in private invitations to his hotel room. There, Draper allegedly made unwanted sexual advances.
As a result of the new revelations, Draper, 74, is now no longer welcome at Defcon. Michael Farnum, the founder of HOU.SEC.CON, told Ars on Friday afternoon that Draper, who had been scheduled to speak in April 2018, was disinvited.
Source: Ars Technica | 18 Nov 2017 | 6:30 am
If you didn't have any weekend plans yet—or maybe even if you did—and you're interested in scratching your programming itch, there's something to add to your calendar. Codewarz, a programming competition that presents participants with 24 coding challenges, is running its first live event starting at 1pm Eastern on November 18 and ending at 9pm on November 20.
This is not a hacking competition—it’s strictly coding. Participants can use their language of choice as long as it's one of the 15 supported by the event: the various flavors of C, Python, Node.js, Scala, PHP, Go, Ruby, and even Bash. (Sorry, no one has asked them to support Ada or Eiffel yet.) There's no compiling required, either. Each submitted solution is run in an interpreted sandbox on a Linux machine for evaluation and scoring. And the challenges run the gamut from beginner (things like text parsing, math, and basic networking) to advanced (more advanced parsing and math, hashing, cryptography, and forensics challenges).
Scoring is straightforward. Each of the challenges has an expected output (checked through hash-matching), and matching that output equals success for whatever number of points a challenge is worth. The easiest challenges (such as a "Hello World" tutorial challenge) are worth 10 points, while the hardest are worth 250 points.
Source: Ars Technica | 17 Nov 2017 | 6:20 pm
Brace yourself for Walmart fights and snarky tweets about capitalism, because Black Friday is nearly here. Once again, the day after Thanksgiving—and in many cases the days before that—will see retailers across the country pushing an avalanche of sales to the gift-needy public.
And once again, many of those “discounts” won’t be discounts at all. Year after year, the corporate holiday isn’t quite the deals bonanza it proclaims to be. Many of the devices on sale either won’t be priced significantly lower than they are at other points in the year or just won’t be worth buying to begin with.
After sorting through the early ad scans and retailer offers for this year’s Black Friday, we’re confident this trend will continue. That said, even if just a fraction of the several thousand sales on show are worth getting, that still leaves more than a few diamonds in the rough.
Source: Ars Technica | 17 Nov 2017 | 4:30 pm
When a company like Microsoft needs to fix a security flaw in one of its products, the process is normally straightforward: determine where the bug lies, change the program's source code to fix the bug, and then recompile the program. But it looks like the company had to step outside this typical process for one of the flaws it patched this Tuesday. Instead of fixing the source code, it appears that the company's developers made a series of careful changes directly to the buggy program's executable file.
Bug CVE-2017-11882 is a buffer overflow in the ancient Equation Editor that comes with Office. The Equation Editor allocates a fixed-size piece of memory to hold a font name and then copies the font name from the equation file into this piece of memory. It doesn't, however, check to ensure that the font name will fit into this piece of memory. When provided with a font name that's too long, the Equation Editor overflows the buffer, corrupting its own memory, and an attacker can use this to execute arbitrary malicious code.
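To make the mechanism concrete, here is an added example in C, constructed for this page and not Microsoft's Equation Editor code: the unchecked copy the article describes, beside a bounds-checked version and a parser that validates the length taken from the untrusted equation stream before any copy. The record layout, the one-byte length prefix and the 40-byte buffer size are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the bug class, not Microsoft's code: the equation
 * stream is assumed to carry the font name as one length byte followed by
 * that many bytes; the record layout and the 40-byte size are assumed. */
#define FONT_NAME_MAX 40
struct font_record {
    char name[FONT_NAME_MAX];   /* fixed-size destination, as in the article */
    int  guard;                 /* neighbouring memory an overflow would clobber */
};
/* The pattern the article describes: the file-supplied length is copied with
 * no comparison against the buffer size. Only called with in-bounds input here. */
void copy_font_name_unchecked(struct font_record *rec, const unsigned char *src, size_t len)
{
    memcpy(rec->name, src, len);
    rec->name[len] = '\0';
}
/* Hardened form: the name plus its terminator must fit, otherwise refuse it. */
int copy_font_name_checked(struct font_record *rec, const unsigned char *src, size_t len)
{
    if (len >= FONT_NAME_MAX)
        return -1;                          /* caller treats the record as malformed */
    memcpy(rec->name, src, len);
    rec->name[len] = '\0';
    return 0;
}
/* Parse one record from an untrusted stream; both the declared length and the
 * remaining stream size are validated before anything is written. */
int parse_font_record(const unsigned char *stream, size_t stream_len, struct font_record *rec)
{
    if (stream_len < 1)
        return -1;                          /* no length byte at all */
    size_t len = stream[0];
    if (len > stream_len - 1)
        return -1;                          /* declared length runs past the data */
    return copy_font_name_checked(rec, stream + 1, len);
}

int main(void)
{
    unsigned char good[] = { 5, 'A', 'r', 'i', 'a', 'l' };          /* constructed */
    unsigned char bad[65]; bad[0] = 64; memset(bad + 1, 'A', 64);   /* 64 > 39 */
    struct font_record rec = { "", 0x1234 };
    printf("good: %d name=%s\n", parse_font_record(good, sizeof good, &rec), rec.name);
    printf("bad:  %d guard intact=%d\n", parse_font_record(bad, sizeof bad, &rec), rec.guard == 0x1234);
    return 0;
}
```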
Source: Ars Technica | 17 Nov 2017 | 4:24 pm
For residents of our nation’s capital, news of a fire on the city’s rapid transit system—the Washington Metro—is not surprising. It catches fire and smokes quite regularly. At some points last year, there were reports of more than four fires per week (although there’s some dispute about that rate). There’s even the handy site—IsMetroOnFire.com—to check the current blaze status.
Yet, despite the common occurrence, residents may be surprised to learn a potential contributor to the system-wide sizzling: their own hair.
According to a safety specialist with the Amalgamated Transit Union (ATU), a thick, felt-like layer of human hair, skin, and other debris has collected on the aging tracks of the city’s rails. In particular, hair has built up on insulators supporting the transit system’s electrified third rails, which run cables carrying 750 volts of electricity to power the trains. The hair coating delivers a real threat of electrical sparks and fire.
Source: Ars Technica | 17 Nov 2017 | 3:45 pm
The US Navy and NASA have joined the search for an Argentine Armada (navy) diesel-electric attack submarine—the ARA San Juan (S-42)—and its crew of 44 sailors missing in the Southern Argentine Sea. The last contact with the TR-1700 class sub, built in 1983 by the German shipbuilder Thyssen Nordseewerke, was on November 15.
NASA has dispatched a modified P-3 Orion patrol plane—previously used by the Navy for submarine hunting—to aid in the search. The P-3 is equipped with a magnetic anomaly detector (or magnetometer), a gravimeter for detecting small fluctuations in the Earth's gravity, infrared cameras, and other sensors for measuring ice thickness. With that array, the P-3 may be able to detect the submerged submarine.
Source: Ars Technica | 17 Nov 2017 | 2:42 pm
Yesterday, the US House of Representatives passed its version of a tax bill that would drop corporate tax rates and alter various deductions. While most of the arguments about the bill have focused on which tax brackets will end up paying more, an entire class of individuals appears to have been specifically targeted with a measure that could raise their tax liability by 300 percent or more: graduate student researchers. If maintained, the changes could be crippling for research in the US.
Many graduate programs in areas like business, medicine, and law can afford to charge high tuitions. That's in part because these degrees are in high demand and in part because the students know that they'll have the potential to earn very large salaries after graduation.
PhD programs are nothing like this. Despite a PhD typically taking five to six years to complete, a PhD graduate is only likely to earn in the area of $44,000 if they're funded by the National Institutes of Health. Even four years of additional experience doesn't raise the salary above $50,000. As such, charging them tuition would leave them with no way to pay back their student loans. Doing so would almost certainly discourage anyone but the independently wealthy from attending research-focused graduate programs.
Source: Ars Technica | 17 Nov 2017 | 2:33 pm
DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private key for the "wildcard" certificate covering all the company's Web domains, along with the keys to its cloud storage accounts on Amazon Web Services, exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, driver's licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.
Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback—including a threat of charges under the Computer Fraud and Abuse Act (CFAA). DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, "Why I walked away from $30,000 of DJI bounty money."
DJI launched its bug bounty this fall shortly after the US Army issued a ban on using DJI drones for any military purpose due to "operational security" concerns. There were also spreading reports of people hacking the firmware of DJI drones—some hacks have even been posted to GitHub by Finisterre. But according to Finisterre, the program was clearly rushed out. The company did not define the scope of the bounty program publicly, and it still has not. So when Finisterre discovered that DJI's SSL certificates and firmware AES encryption keys had been exposed through searches on GitHub—in some cases for as long as four years—he contacted the company to see if its servers were within the scope of the bug bounty program. He was told they were—a statement that DJI officials would later walk back.
Source: Ars Technica | 17 Nov 2017 | 1:30 pm