Month: May 2016

Yesterday we launched an ambitious new redesign aimed at improving the site's functionality and performance while putting in place the building blocks for new expansion plans, including secure browsing and more customized layout options.

We have now temporarily reverted back to the old site while we attempt to address a handful of challenges, including a show-stopping code issue that prevented us from even fully activating the site. The problem we've encountered did not show up on our staging site, our local mirrors, or even in the low-load test production environment. But once the full weight of the audience showed up, we instantly discovered a handful of problems that we now know are not solvable without some extensive downtime.

Because of these issues, we now have an opportunity to revisit the design and take into account all of the comments readers provided over the last 24 hours. Many of the issues mentioned were problems that we normally could have addressed by now, but the aforementioned problem was preventing that.

Read 5 remaining paragraphs | Comments

The Federal Communications Commission recently adopted rules that required makers of WiFi routers to prohibit users to change some parameters of their devices. And some device makers have decided that the simplest way to comply with those rules is to prevent users from replacing their router’s firmware with third-party alternatives such as OpenWRT or DD-WRT.

But according to Ars Technicathat Linksys is taking a different approach.

Linksys is reportedly working with the developers of OpenWRT and chip-maker Marvell to make sure that users can install OpenWRT while still ensuring that users cannot make changes that the FCC says could cause interference with other wireless devices.

Continue reading Linksys WRT routers to continue supporting third-party, open source firmware at Liliputing.

Arianna Simpson's Model S after the crash outside Lebec, CA. (credit: Arianna Simpson)

For the second time in recent days, Tesla and one of its customers are at odds over a collision. Earlier this week, a Utah-based Tesla owner claimed that his parked Model S decided to crash into parked trailer of its own accord, something Tesla disputes. And now there's Arianna Simpson, who says that the safety features in her Model S did nothing to prevent her crashing into the back of another vehicle at speed. However, like the prior case, Tesla says the vehicle's data logs don't support the story.

On April 26, Simpson was driving north from Los Angeles on I-5, cruising in autopilot mode. "All of a sudden the car ahead of me came to a halt. There was a decent amount of space so I figured that the car was going to brake as it is supposed to and didn't brake immediately. When it became apparent that the car was not slowing down at all, I slammed on the brakes but was probably still going 40 when I collided with the other car," she told Ars.

In contrast, Tesla says that the vehicle logs show that its adaptive cruise control system is not to blame. Data points to Simpson hitting the brake pedal and deactivating autopilot and traffic aware cruise control, returning the car to manual control instantly. (This has been industry-wide practice for cruise control systems for many years.) Simpson's use of the brake also apparently disengaged the automatic emergency braking system, something that's been standard across Tesla's range since it rolled out firmware version 6.2 last year.

Read 5 remaining paragraphs | Comments

Brendan Fenerty

University of Toronto anthropologist Valérie Brosseau makes final preparations before her descent.

8 more images in gallery

The key to uncovering America's ancient past lies underwater. In the waning centuries of the last Ice Age, many of the favorite hunting grounds and camps of early Americans were flooded with waters unlocked from the melting polar ice. But now, thanks to SCUBA-diving archaeologists, a clear picture is emerging of the peoples who came to the Americas by boat—thousands of years before the Clovis peoples (who became the ancestors of today's Native Americans). In a deep sinkhole beneath Aucilla River in Florida, some of the most intriguing evidence to date for these pre-Clovis peoples has been carefully excavated—using specialized underwater exploration rigs. Scientists have discovered an incredibly rare 14,550 year-old hunting site, complete with stone tools, a slaughtered mastodon, and hints of canine companions who might have helped with the hunt.

Called the Page-Ladson site, the sinkhole is one of only a handful of pre-Clovis sites ever discovered, and it dates to roughly the same time period as similar sites such as the Paisley Caves in Oregon and Monte Verde, Chile. It’s also the oldest evidence of human occupation ever found in the US southeast, and it offers solid proof that humans lived throughout the Americas nearly 15,000 years ago, long before the Bering Land Bridge was ice-free. This adds further evidence to the idea that these people’s ancestors arrived by boat from the coasts of Asia, likely after thousands of years of migratory wandering.

Another crucial piece of evidence from Page-Ladson has to do with the slaughtered mastodon. It’s not clear whether humans killed the mastodon or simply scavenged a dead body, but markings on the bones and tusks show clear signs of butchery with the stone tools preserved at the site. Careful analysis of the sediment layers in the lakebed revealed that the sinkhole was once a pond, likely a popular watering hole for migrating mastodons—and the hunter-gatherer humans who followed the herds. As the researchers put it, these humans were fairly sophisticated hunters, memorizing the seasonal terrain of their prey and possibly even enlisting the help of dogs.

Read 5 remaining paragraphs | Comments

Amazon’s Dash buttons are small, internet-connected buttons that usually do one thing: let you order refills of specific products from Amazon. The company sells them for $5 and gives you a $5 credit on your first order, which basically makes them free.

But if you’re not the sort of person who orders a lot of detergent, coffee, or diapers from Amazon, the buttons can still be useful: hackers have been finding other ways to use these small buttons for almost as long as they’ve been available.

Continue reading Amazon’s latest Dash Button is the programmable $20 AWS IoT Button at Liliputing.

A website that openly facilitated the brokering of compromised passwords, stolen bitcoins, and other sensitive data has been hacked, exposing login data, IP addresses, e-mail addresses, purchase histories, and private messages for some 500,000 members.

Nulled.io, a hacker forum that used the tagline "expect the unexpected," was compromised earlier this month in a hack that exposed virtually all of the private data associated with it, security researchers said. As of publication time, more than a week later, the resulting 1.3 gigabyte compressed archive file remained available on a popular data breach sharing site on the clear Web. It was easily accessible to anyone, including hacking victims, fellow hackers, and law enforcement agents. The dump was discovered by analysis firm Risk Based Security and confirmed by Troy Hunt, operator of the have i been pwned? breach disclosure service.

"When services such as Nulled.io are compromised and data is leaked, often it exposes members who prefer to remain anonymous and hide behind screen names," the Risk Based Security blog post stated. "By simply searching by e-mail or IP addresses, it can become evident who might be behind various malicious deeds. As you can imagine, this can lead to significant problems for forum users."

The leak provides a fly-on-the-wall account of the bartering that normally takes place only behind closed doors on criminal forums. In one exchange, two members discuss the trading of stolen Bitcoin and PayPal accounts and negotiate a profit share of 5 percent to 10 percent.

"Don't you make a fortune off Amazon Refunding? Lol," one user asks in the exchange. The action involves trading $250 worth of bitcoins for $250 in PayPal credit.

"I will when my bank is also out of negative balance m8 so I can get the full 250."

(credit: Troy Hunt)

In a separate private discussion between two different members, one seeks software and technical support for installing a keylogger on a lab of an unnamed university. In a third conversation, one member seeks help cracking a Hotmail account. All of the discussions show the IP addresses the members used when making their comments. Assuming they correspond to traceable Internet accounts, the data could be used to reveal the real-world identities of the members.

(credit: Troy Hunt)

The dump also includes e-mail addresses and password data for as many as 536,000 user accounts. The passwords appear to be protected by MD5, a hashing algorithm that's woefully inadequate for storing passwords because the underlying algorithm is so fast. The hashes observed by Hunt have cryptographic salts attached to them, so it's possible the MD5 hashes were iterated enough times to make mass cracking impractical. Either way, it's surprising that a hacking site that counseled users to expect the unexpected didn't rely on a more secure hashing function such as bcrypt or PBKDF2.

According to Risk Based Security, the dump also includes details of members' purchasing leaked content, stolen credentials, and pirated hacking software. The data cache contains discussions that took place in VIP forums, which allowed members a smaller, more intimate setting for trading stolen data and hacking techniques. In all, there are 2.2 million posts, 800,593 user personal messages, 5,582 purchase records, and 12,600 invoices. Company researchers said they also found credentials for the the site's PayPal, Bitcoin, and Paymentwall gateways and geolocation data linked to some users.

It's not clear precisely how Nulled.io was hacked, but the Risk Based Security researchers pointed out that the IP.board forum software and accompanying plugins the site relied on were riddled with critical vulnerabilities. They speculated that unknown hackers exploited the vulnerabilities to gain complete control to the site and then leaked the entire database. The breach is the latest reminder just how fragile privacy is on the Internet. It's likely that at least some Nulled.io users are now learning this lesson the hard way.

After focusing on cancer, the brain, and personalized medicine, the Obama Administration is now zooming in on the bustling microbial communities within us, on us, and all around us in our built and natural environments.

On Friday, the White House revealed the Microbiome Initiative, a nationwide project to coordinate and fund microbiome research. The federal government is investing $121 million into the program. Several agencies will chip into that number, including NASA, the National Institutes of Health, the Department of Energy, the National Science Foundation, and the US Department of Agriculture. Additionally, more than 100 external organizations will add more money and projects to the pot, including $100 million in funding from the Bill and Melinda Gates Foundation.

The initiative has three main goals: to fund interdisciplinary microbiome research, develop technologies that can be used across different research projects, and support a microbiome research workforce.

The administration announced the initiative in a three-hour event in Washington, DC on Friday, bringing together researchers, agency representatives, politicians, and other funders. Researchers discussed some of the work that the program will support, which included studying ocean microbiomes that might help clean up oil spills, microbiomes on the walls of buildings that might help curb the spread of infectious germs, soil microbiomes that may benefit crop production, and humans' microbes that profoundly impact our health and well-being.

“You can see that there are great things going on,” Martin Blaser, a microbiome researcher at New York University, said at the event.

Such federal initiatives tend to draw mixed reactions from scientists, raising concerns about unsustainable support of specific fields and lack of specific goals and clear leadership. However, in the case of microbiome research, the call for a coordinated, government-led program was spurred by scientists themselves. Last October, a large group of researchers published two papers calling for just such a program.

“Further uncoordinated national microbiome programmes will almost certainly waste research efforts and taxpayers' money,” the authors argued at the time. “Let's transcend national silos and gain universal insights that will benefit all humankind.”

The call follows the end of the NIH’s Human Microbiome Project, which completed its main funding phase in 2012. Since then, many microbiome researchers have felt lost without a coordinated effort to direct the field forward.

If someone receives the flu vaccine, there’s a better chance they’ll get through flu season without getting sick. But because the flu vaccine isn’t 100 percent effective, they might still end up infected despite the vaccine. To most observers, these two possible outcomes are “not equally salient,” write Frederick Chen and Ryan Stevens, two economists with an interest in vaccine refusal.

When someone gets sick, it’s an adverse event. People take notice of this and use it to predict the likelihood of similar adverse events. When someone doesn’t get sick, that’s, well, nothing. It’s the absence of an event, and that's hard to recognize. “We see when the vaccine fails to protect us," write Chen and Stevens, "but when the vaccine does work, we do not see anything different from our normal state of being.”

The duo thinks that cognitive biases like these are probably playing a role in the incredibly poor uptake of flu vaccines in the US. By tailoring public health messages around known cognitive biases, the economists believe it's possible to improve vaccine uptake. At this point, we don't know whether they're right in their assumptions about the links between these particular cognitive biases and vaccine myths or whether their recommendations would work. Nonetheless, the ideas are interesting and could provide some new avenues for public health research. And given the high national costs of flu, their proposal could turn out to be particularly useful.

Most people will likely be able to recall flu vaccine failures, whether their own experiences of vaccine failure or through annoyed stories told by friends and family. They’ll be less likely to recall cases where the vaccine worked, because they're pretty much impossible to detect. So it becomes easy to overestimate how likely the vaccine is to fail and to consider it just a waste of time or money.

This way of thinking is an example of what's called an availability heuristic. It leads people to overuse recent or salient events when they’re estimating the risk of something (think about how you might involuntarily get nervous about flying straight after a huge airplane crash, even if your brain overrides your gut).

The availability heuristic also underlies more damaging myths, Chen and Stevens think. Some people believe that the flu vaccine actually causes flu, which could arise from people seeing all these visible cases of sickness following the vaccine and constructing a narrative that joins those dots in a particular way (“oh, the vaccine causes the flu!”). That in turns leads to people thinking that people who are pregnant or who have suppressed immune systems should avoid the flu vaccine.

People often don’t get the flu vaccine because they think they’re at low risk for flu. This, Chen and Stevens suggest, could be due to people’s “unrealistic optimism about themselves”—people believe themselves to be above average and think they’re great drivers, for example. They also consider themselves immune to pesky cognitive biases, as the comment thread on any article about cognitive biases will demonstrate. So, the authors write, people may “vastly underestimate their susceptibility by constructing a mental narrative that wholly attributes their influenza-free experiences thus far to their having superior health or genetics.”

Understanding how these biases drive people’s (often unconscious) decision-making processes could steer public health efforts to improve vaccine uptake. For example, campaigns could try to tell stories about people who got the vaccine and then didn’t get sick to balance out the salience of the vaccine failure stories with something more memorable than statistics. Advertisements that ask the audience to consider the vaccine choice made by a relatable person could also lead them to take a less overly optimistic, more objective stance on their own risk of flu infection.

It could also be possible to use cognitive biases to public health advantage by leveraging loss aversion. This is people’s tendency to get far more upset about things they lose than they get happy about things they gain. Because of this, saying “vaccination reduces your risk of flu by up to 80 percent” might be less effective than saying “your risk of getting the flu increases by up to 400 percent if you’re not vaccinated.”

One really important thing that Chen and Stevens don’t discuss is whether people might have different levels of resistance to flu vaccines. For instance, your average Joe might not have given flu vaccines much thought. This person could have a vague awareness that they don't work too well and that he doesn't really get sick anyway. These techniques might work on him, but they likely won't on a hardcore anti-vaxxer whose position is rooted as much in identity as anything else.

Overall, these ideas seem sensible, but the next step now is to study whether they actually work.

Health Promotion International, 2016. DOI: 10.1093/heapro/daw031  (About DOIs).

The attempted billion dollar attack on the Bangladesh Central Bank was not an isolated incident, according to a report today from the SWIFT payment network. Some of the malware used in the Bangladesh heist has been found in another attack on a bank. SWIFT didn't name the other bank, but BAE Systems, which has been investigating the Bangladesh attack, has said that a Vietnamese commercial bank has been hit by closely related malware in a report of its own.

In February, unknown hackers broke into the Bangladesh Bank and nearly got away with a sum just shy of $1 billion. In that event, their fraudulent transactions were cancelled when a typo raised concerns about one of the transactions. The thieves still succeeded in transferring $81 million, and that money is still unrecovered. In April, we learned that preliminary investigations had revealed the use of cheap networking and a lack of firewalls, both contributing to the attack. The SWIFT organization is owned by 3,000 financial companies and operates a network for sending financial transactions between financial institutions. The SWIFT network was used to move the stolen money.

According to BAE, the malware used in both hacks has a range of similarities, including the names of the malicious executables, the internal structure of the code, and in particular a distinctive block of code used to securely wipe files and cover up the evidence of the attack.

BAE has found a surprising third use of the same deletion routines and other code features—these tactics were deployed in some of the malware used in the 2014 Sony attack that saw vast quantities of data from Sony Pictures published online. The FBI asserted that the Sony hack was the work of North Korea. Publicly, a group calling itself the Guardians of Peace claimed responsibility, saying the hack was retaliation for the Sony produced film The Interview, which depicted the assassination of North Korean dictator Kim Jong-un.

The data deletion routines used in the Sony attacks were themselves used to tie that hack to 2013 attacks made on South Korean banks and media outlets.

BAE notes that attribution is not an exact science. While the re-use of existing code suggests that the same group—even the same developer—is responsible for creating the malware, it's possible the attackers deliberately crafted their malware to merely give the appearance of being related.

SWIFT's report also described some new features of the Vietnamese attack. In Bangladesh, the malware took considerable effort to cover up its tracks and hide the bogus transactions, modifying databases and deleting incriminating data. This cover-up indicated extensive knowledge of the software and systems used to transfer money, and that same extensive knowledge appears to be present in the Vietnamese case. Staff in Vietnam used PDF reports to inspect payment confirmations. The attackers produced a trojaned version of the PDF reader that looks like the regular software, but it instead detects when the fraudulent transactions are being examined and shows bank staff different data to hide the fraud.

Motorola is expected to launch its next-gen Moto G smartphone on May 17th, and a series of leaks have given us an idea of what to expect… but the latest leak suggests the phone might be more of an upgrade than previously thought.

A phone that may be the 4th-gen Moto G passed through the FCC this week, and as Roland Quandt notes, the website for benchmarking utility Geekbench also has a few more details.

Continue reading 4th-gen Motorola Mot G hits the FCC, may have Snapdragon 617 at Liliputing.