That critical “ImageTragick” bug Ars warned you about? It cost Facebook $40k

Widely used image-processing app left site vulnerable to code-execution exploits.

Last May, Ars reported that a critical vulnerability in a widely used image-processing application left a huge number of websites open to attacks that allowed hackers to execute malicious code on the underlying servers. More than five months later, Facebook paid a $40,000 bounty after discovering it was among those at risk.

On Tuesday, researcher Andrey Leonov said he was able to exploit the vulnerability in the ImageMagick application by using a tunneling technique based on the domain name system that bypassed Facebook's firewalls. The firewalls had successfully blocked his earlier exploit attempts. Large numbers of websites use ImageMagick to quickly resize images uploaded by users.

"I am glad to be the one of those who broke the Facebook," Leonov wrote in a blog post that gave a blow-by-blow account of how he exploited the ImageMagick vulnerability. Two days after the researcher privately shared the exploit with Facebook security personnel, they patched their systems. Ten days after that, they paid Leonov $40,000, one of the biggest bounties Facebook has ever paid.


Price hearing: dramatic ACA metaphors and the meaning of “access”

Trump’s health pick won’t “pull the rug” on anyone—but sweeps details under there.

U.S. Health and Human Services Secretary Nominee Rep. Tom Price (R-Ga.) testifies during his confirmation hearing. (credit: Getty | Alex Wong)

In a four-hour Senate confirmation hearing Wednesday, Rep. Tom Price (R-Ga.), Donald Trump’s nominee to run the Department of Health and Human Services, tried unsuccessfully to ratchet down the rhetoric surrounding the fate of the Affordable Care Act. He repeatedly emphasized that “nobody is interested in pulling the rug out from under anybody.” And in broad strokes he described the Republicans' replacement plan—which has yet to be revealed—as a beefed-up version of the ACA; a plan that covers even more people, has better benefits, and is cheaper.

He went on, explaining:

We believe that it’s absolutely imperative that individuals that have health coverage be able to keep health coverage, and move—hopefully—to greater choices and opportunities for them to gain the kind of coverage they want for themselves and for their families… There’s been a lot of talk about individuals losing health coverage. That is not our goal, nor is it our desire, nor is it our plan.

The assurances stopped there, however, as did hope of calming the fevered debate on the subject. Senators on the Committee on Health, Education, Labor and Pensions, which held the hearing, continued to pepper the discussion with dramatic statements. Republicans compared the ACA to a collapsing bridge and described it as being in a death spiral. Democrats compared repealing the mammoth health law without replacement legislation to jumping out of a plane without a parachute.


Assange weasels out of pledge to surrender if Manning received clemency

WikiLeaks founder now says it’s not good enough Manning will be released in May.

(credit: Carl Court, Getty Images)

Julian Assange, the WikiLeaks founder, backed out of his pledge Wednesday that he would surrender to US authorities if President Barack Obama granted clemency to Chelsea Manning.

Manning, a whistleblower serving a 35-year sentence for leaking classified material to WikiLeaks as an army private, had her sentence commuted by President Barack Obama on Tuesday. Instead of being released in 2045, Obama said Manning could leave military detention May 17.

But just days before the commutation, WikiLeaks tweeted on behalf of Assange, who is living in self-imposed exile in the Ecuadorian Embassy in London amid fears he could be charged in the US for exposing the secrets Manning leaked: "If Obama grants Manning clemency Assange will agree to US extradition despite clear unconstitutionality of DoJ case." As recently as Tuesday, WikiLeaks said that Assange "stands" by the promise.


All over the globe, plants are growing into strange, circular patterns

These crop circle patterns emerge when plants and bugs compete for resources.

Jen Guyton

They look a little like crop circles and a little like artistic earthworks. Around the world, they have many names: in the Namib Desert of Africa, they're called "fairy circles;" in Brazil they're dubbed "murundus," and in North America they're known as "Mima mounds." In a recent paper for Nature, Princeton ecologist Corina E. Tarnita and her colleagues call them "landscapes of overdispersed (evenly spaced) elements." All are regions where plants grow into such perfectly symmetrical, large-scale patterns that they seem unnatural.

Debates rage among ecologists about whether these patterned environments have a common cause and what it might be. Two of the leading hypotheses involve plant cooperation and insect rivalries. In areas where water resources are scarce or irregular, plants are known to engage in "scale-dependent feedbacks," in which plants across a wide area grow into clusters rather than spreading out evenly. The plant clumps limit their sizes to make the best use of water, and this strategy leads to reproductive success. It also might explain why we see the patterns of plant growth that are characteristic of fairy circles and Mima mounds.


More, cheaper, bigger, faster: The defense and cyber strategy of Donald Trump

Trump wants US cyber and physical military might to be more offensive.

Where's the defense and cyber-weapon procurement budget going, Mr. President-elect? (credit: Getty Images | Joe Raedle)

Since Election Day, President-elect Donald Trump has taken an inordinate interest in some of the minutiae of defense policy. His tweets (particularly about the F-35 Joint Strike Fighter and the Air Force One presidential aircraft replacement program) have sent shockwaves through the defense industry. The same is true of the cyber realm, particularly in his treatment of the intelligence community that currently dominates the US's cyber-defense capabilities.

The one thing that is certain is that Trump wants more muscle in both departments, urging an increase in the number of troops, ships, planes, and weapons deployed by the Department of Defense; the end of defense budget sequestration; and an expansion of the US nuclear and ballistic missile defense arsenal. And he has also pledged a new focus on offensive "cyber" capabilities, as outlined by his campaign, "to deter attacks by both state and non-state actors and, if necessary, to respond appropriately."

That sort of aggressive posture is not a surprise. But the policies that will drive the use of those physical and digital forces are still a bit murky. Considering the position Trump has taken regarding the North Atlantic Treaty Organization (NATO) and his attitudes toward Russia, Trump's statements may hint at a desire for a Fortress America—armed to the teeth and going it alone in every domain of conflict.


Labor Department sues Oracle for racial discrimination

Regulators say white male workers paid more than non-white counterparts.

Oracle is very proud of its cloud sales. But not everyone is very happy about how it got them. (credit: Håkan Dahlström)

The US Department of Labor has filed a lawsuit against Oracle America, saying the software giant systemically pays Caucasian male workers more than their counterparts with the same job title. The lawsuit also says Oracle favors Asians in hiring for certain roles, which results in discrimination against non-Asian employees.

The lawsuit is the result of an investigation that began in 2014. In a statement issued on the lawsuit, the Dept. of Labor's Office of Federal Contract Compliance Programs (OFCCP) says that Oracle wouldn't comply with "routine requests for employment data and records" during the investigation. OFCCP tried for "almost a year" to resolve the matter before filing suit.

Federal contracting rules prohibit Oracle from engaging in employment discrimination. If Oracle doesn't stop the discrimination alleged in the lawsuit, OFCCP has requested that all of the company's government contracts be canceled and that it be prevented from entering into future federal contracts.


Microsoft-owned Minecraft no longer supported on Microsoft-owned Windows Phone/Mobile

Microsoft’s advice to developers remains “do as we say, not as we do.”

Microsoft will cease updating Minecraft Pocket Edition for its own Windows Phone 8.1 and Windows 10 Mobile, reports Windows Central. Although the game will continue to be available in the store, it's apparently no longer being maintained or updated.

The reason for this move is reported to be that so few people play the game on the platform that it's not worth maintaining.

Minecraft has a somewhat complicated development history. There are multiple versions of the block-building, zombie-fighting game developed in parallel. The original Minecraft, built for PCs and with a rich ecosystem of third-party extensions, is a Java application. Console versions of Minecraft appear to use a C++ port of the Java version, with a console-controller-friendly interface. Minecraft Pocket Edition is a C++ application with a user interface that's tailored for smartphones. Multiplayer is generally limited to the same stream of development: Pocket Edition players on different platforms can play with each other, but Java edition players can only play with other Java edition players, and the console editions only allow multiplayer with other people on the same console.


Chinese government has ordered 103 planned coal plants to be canceled

Existing coal plants are underutilized, and investment in new sources may increase.

BEIJING, CHINA - NOVEMBER 29: A Chinese man wears a mask as he waits to cross the road near the CCTV building during heavy smog on November 29, 2014, in Beijing, China. (credit: Kevin Frayer)

This week, China’s Energy Administration issued a directive to cancel planning and construction on 85 coal plants in the country, according to The New York Times. An additional 18 were ordered to be canceled late last year. The 103 plants represent an astounding 120GW of electricity that would have come online for the country in the coming years.

The coal plants on the chopping block span 13 provinces, mostly in China’s northern and western regions. The Times reports that China’s Energy Administration was quite specific on which plants must halt development, but it’s unclear whether locals will immediately adhere to the directive—some of these plants have been under construction for 10 years already, and local officials may be reluctant to abandon those projects and fire the construction workers.

The cancellation is indicative of an economic imbalance that external environmental trackers have noted for a while—China has over-invested in coal power plants, with its existing capacity “being used less than half the time” according to Carbon Tracker. The International Energy Agency (IEA) notes that China produces more than 900GW of coal-sourced electricity a year, making it the biggest energy-related carbon polluter in the world. The country has promised to limit its coal-based electricity generation to 1,100GW a year by 2020, and this new directive will help China reach that goal.


US court says PSN data doesn’t get Fourth Amendment protection

In child porn case, Sony could hand info to the police without a warrant.

(credit: Aurich x Getty)

If you have any legally incriminating information sitting in your PSN account, don't count on the Fourth Amendment to protect it from "unreasonable search and seizure" by Sony without a warrant. A district court judge in Kansas has ruled in a recent case that information Sony finds has been downloaded to a PlayStation 3 or a PSN account is not subject to the "reasonable expectation of privacy" that usually protects evidence obtained without a warrant.

The case involves Michael Stratton, who went by the handle Susan_14 on PSN. According to Sony, Stratton was reported to PSN multiple times for sending spam messages asking about interest in child pornography. After reviewing the Susan_14 account in response to these complaints, Sony found that several images containing child porn had been downloaded by and uploaded to the account.

Sony shared information about the Susan_14 account and the images with the National Center for Missing and Exploited Children. The NCMEC then coordinated with the FBI to get additional information about Susan_14's e-mail address and IP address from Google and CenturyLink via subpoena. This action led to a warrant on Stratton's Kansas home, the discovery of child pornography stored on his PS3, and his arrest.


Report: Windows 10 update will bring the same “adaptive shell” UI to phones, tablets, Xbox, and other devices


Windows 10 may be Microsoft’s operating system for a wide range of devices including PCs, tablets, smartphones, the Xbox One game console, and the wearable HoloLens augmented reality computer. But while all of those devices use the same Windows OneCore subsystem, the user interface varies from platform to platform thanks to a series of different “shells.”

But Windows Central reports that Microsoft is working on a single “adaptive shell” that will work on all devices that run Windows 10.
