Tesla: This is the Model Y

After almost four years of development, Tesla has unveiled its compact SUV, the Model Y. It is based on the Model 3. The Model Y, however, is available with an optional seven seats, like the Model X. (Tesla, Technology)


Nasty WinRAR bug is being actively exploited to install hard-to-detect malware

19-year-old code-execution flaw exploited within days of being disclosed.


Malicious hackers wasted no time exploiting a nasty code-execution vulnerability recently disclosed in WinRAR, a Windows file-compression program with 500 million users worldwide. The in-the-wild attacks install malware that, at the time this post was going live, was undetected by the vast majority of antivirus products.

The flaw, disclosed last month by Check Point Research, garnered instant mass attention because it made it possible for attackers to surreptitiously install persistent malicious applications when a target opened a compressed ZIP file using any version of WinRAR released over the past 19 years. The absolute path traversal made it possible for archive files to extract to the Windows startup folder (or any other folder of the archive creator’s choosing) without generating a warning. From there, malicious payloads would automatically be run the next time the computer rebooted.

On Thursday, a researcher at McAfee reported that the security firm identified “100 unique exploits and counting” in the first week since the vulnerability was disclosed. So far, most of the initial targets were located in the US.


Food innovations changed our mouths, which in turn changed our languages

The overbite that comes from eating soft food may make “ffff” sounds more common.


Soft grains, dairy, and preserved food may have changed our mouths—and ultimately our languages. (credit: David Lifson / Flickr)

Something deep in the history of the German language pulled speech sounds toward hisses rather than pops. Words like that and ship end with a small popping sound in English, Dutch, and other Germanic languages—but in German, they end in softer s and f sounds—dass, Schiff. Centuries ago, before German was even German, this change was already underway, an example of one of the many small shifts that ends up separating a language from its close cousins and sending it off as its own distinct tongue.

How does change like this happen? One of the major reasons is speech efficiency. Speakers are constantly walking a tightrope between being understood and making speech as easy as possible—over time, this tension pulls languages in new directions. But if efficiency pushed German speakers in this direction, why not Dutch speakers, too? That is, if two languages share a given feature, why does that feature sometimes change in one language but not the other?

A paper published in Science today lays out an intriguing answer: technology might accidentally trigger a change. Changes like agriculture and food-preparation technology changed the arrangement of our teeth—and in turn, the authors suggest, this made certain speech sounds more likely. It's a daring suggestion, flying in the face of well-established linguistic thought. But the authors draw on multiple strands of evidence to support their proposal, which is part of a growing raft of ideas about how culture and environment could play a role in shaping language.


A new rash of highly covert card-skimming malware infects ecommerce sites

GMO sniffer infected Fila UK for 4 months. Six US sites remain compromised.


The rash of e-commerce sites infected with card-skimming malware is showing no signs of abating. Researchers on Thursday revealed that seven sites—each with more than 50,000 collective visitors per month—have been compromised with a previously unseen strain of sniffing malware designed to surreptitiously swoop in and steal payment card data as soon as visitors make a purchase.

One of those sites, UK sporting goods outlet Fila.co.uk, had been infected since November and had only removed the malware in the past 24 hours, researchers with security firm Group-IB told Ars. The remaining six sites—jungleeny.com, forshaw.com, absolutenewyork.com, cajungrocer.com, getrxd.com, and sharbor.com—remained infected at the time this post was being reported. Ars sent messages seeking comment to all seven sites but has yet to receive a response from any of them.

Group-IB has dubbed the JavaScript sniffer GMO after the gmo[.]il domain it uses to send pilfered data from infected sites, all of which run the Magento e-commerce Web platform. The researchers said the domain was registered last May and that the malware has been active since then. To conceal itself, GMO compresses the skimmer into a tiny space that’s highly obfuscated and remains dormant when it detects the Firebug or Google Developer Tools running on a visitor’s computer. GMO was manually injected into all seven sites, an indication that it is still relatively fledgling.


Iran pumps up “massive” offensive exercise with as many as 50 drones

Knock-offs of US RQ-170, Predator drones included in coordinated strike test.

Iran's Islamic Revolutionary Guard Corps (IRGC) Aerospace Division staged what Iranian state media described as "massive drone drills" on March 14, including coordinated offensive operations with dozens of flying-wing drones based on the Lockheed RQ-170 Sentinel, captured by Iran in 2011, and Iranian copies of the General Atomics MQ-1 Predator. During the exercise, called "Towards al-Quds" (al-Quds is the Arabic name for Jerusalem), a total of about 50 drones—including "Saegheh" unmanned combat aerial vehicles based on the RQ-170's flying wing design—were used in a coordinated air strike on training targets 1,000 kilometers (about 600 miles) from their launch site.

The Saegheh is much smaller than the RQ-170, with a wingspan of about six meters (about 20 feet). It has been shown carrying Sadid-1 TV-guided antitank missiles on its belly in static displays, and it does not appear to have landing gear—unlike a fiberglass replica of the RQ-170 that was displayed five years ago. There are two variants of the Saegheh: one uses a piston-driven propeller for thrust, while the other uses a small turbofan engine.

The Saegheh drone in flight demonstrations.

Video from Iran's PressTV showed guided bombs being dropped from other types of Iranian drones but did not show weapons released from the Saegheh drones. The video claimed 50 of the RQ-170 knockoffs were used in the exercise, while the text of the article published by PressTV said "dozens" in a headline, and then the actual text of the article stated 10 Saegheh drones were used. So just how many were flown is left as an exercise for the reader's imagination.


Ajit Pai’s plan for phone location data never mentions the word “privacy”

Pai’s plan never mentions “privacy” despite misuse of 911 phone location data.


Smartphone 911 location data is getting more precise, but the Federal Communications Commission isn't updating its privacy rules despite carriers' history of selling their customers' location data.

AT&T, T-Mobile, and Sprint were recently found to be selling detailed location data to third parties, despite rules banning such sales, and requiring that data to be used only for 911 purposes. The data ended up in the hands of bounty hunters, bail bondsmen, bail agents, and others, Motherboard reported in one of a series of articles detailing such privacy violations.

On Friday this week, the FCC is scheduled to vote on a Further Notice of Proposed Rulemaking (FNPRM) requiring collection of more precise location data. The data, referred to as "Z-axis" data, would identify a person's floor in a multi-story building when someone calls 911. Carriers could gather this data by using the barometric pressure sensors in a customer's phone to determine a person's distance above the ground to within three meters.


Valve takes in-home streaming out of the home with Steam Link Anywhere

Move comes as Google, Sony expand game streaming options.


This kind of streaming setup now works anywhere with a good enough Internet connection, not just in the house. (credit: Valve Corporation)

In a major expansion to its years-old in-home game-streaming efforts, Valve announced today that Steam users can now stream games from their PC gaming libraries to devices outside the home as well.

The Steam Link Anywhere program, launched in beta today, lets users stream games from "any computer running Steam" to:

The only requirements for today's "early beta" release, according to the announcement, are that "your computer has good upload speed and your Steam Link device has a good network connection." Those are imprecise terms, of course, but Steam's in-home streaming has previously shown a pretty good ability to scale visual quality up and down based on network conditions.


Dealmaster: Get Azul, 2018’s “Board Game of the Year,” for a new low of $23

Plus deals on Asus PC gear, Kindles, a sitewide ThinkGeek sale, and more.


Greetings, Arsians! Courtesy of our friends at TechBargains, we have another round of deals to share. Today's list is headlined by a deal for board game lovers, as Michael Kiesling's Azul is down to $22.84 on Amazon. The game has been hovering around $26 or so for the past few weeks, but if you're looking to save a few bucks on a new game for the family, this is the lowest we've seen it on the site to date (excluding brief dips from less reputable third-party sellers).

For those not familiar with Azul, it won last year's Spiel des Jahres, a German award that is arguably the most prestigious in board gaming. Kiesling has won a few of those over the course of his decades-long career, so there's some critical weight to the game. The Dealmaster won't dive into a full description of how Azul works, but we urge you to take a look at our review from last July for a more in-depth look. In short, Azul is a tile-laying game that's dead simple to set up and get going but gradually opens itself up to more tactical play. It's on the abstract side, but Ars' Nate Anderson ultimately deemed it "an ideal weeknight game, or a game-night opener, or a family title." We estimate each playthrough to take about a half-hour to finish.

If board games aren't your thing, we also have a site-wide 31.4 percent-off sale at ThinkGeek (it is Pi Day, after all), an Amazon Gold Box sale on Acer PC gear, deals on Nintendo Switch bundles and Kindle e-readers, and more. Have a look for yourself below.


Valve’s Steam Link Anywhere lets you stream games from any PC, over any (fast) network


Valve’s Steam game client has offered support for in-home game streaming for years. Fire up the Steam app on your gaming PC and you can stream games to any other device connected to the same home network… which comes in handy if you want to play on your laptop, but it’s not nearly as powerful […]

The post Valve’s Steam Link Anywhere lets you stream games from any PC, over any (fast) network appeared first on Liliputing.

Supreme Court Denies Kim Dotcom Permission to Appeal

In 2016, Megaupload founder Kim Dotcom filed an eight-point statement of claim for judicial review in an effort to attack the underpinnings of the extradition process. A year later, the High Court struck out the first seven and a subsequent appeal by Dotcom failed. In a judgment handed down today, Dotcom was denied permission to appeal to the Supreme Court.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN reviews, discounts, offers and coupons.

In 2012, file-hosting site Megaupload was shut down by the United States government and founder Kim Dotcom and several associates were arrested in New Zealand.

For the past seven years, the US government has been engaged in a battle to extradite Dotcom, so that he can face trial in the US on several counts including copyright infringement, racketeering, and money laundering.

Dotcom has fought back every step of the way and, in 2016, filed an eight-point statement of claim for judicial review, aimed at “attacking the underpinnings of the extradition process.”

In a 22-page High Court ruling (pdf) handed down in December 2017, Justice Timothy Brewer sided with the US and rejected seven out of the eight causes of action, stating they were either not reasonably arguable or were abuses of process.

The eighth point, which wasn’t challenged by the US, concerns the decision by the Deputy Solicitor-General in June 2017 to direct that clones be made of the electronic devices seized from Mr Dotcom’s homes so they could be sent to the US.

Dotcom appealed but the Court of Appeal dismissed the action. Dotcom then sought permission to appeal that decision at the Supreme Court. In a judgment handed down this morning by Justices William Young, O’Regan and Ellen France JJ, the Supreme Court denied leave to appeal.

“The applicant [Dotcom] argues that the criteria for the grant of leave to appeal in s 74 of the Senior Courts Act 2016 are met in relation to the present application either because the application raises matters of general and public importance or because a substantial miscarriage of justice may occur if leave is not granted,” the judgment reads.

“We are not persuaded that the proposed appeal raises matters of general and public importance.”

Dotcom argued that a miscarriage of justice would take place if he was denied permission to appeal. However, the Supreme Court said that was not correct.

“The applicant is seeking to challenge concurrent findings in the Courts below on almost every point that would be in issue if leave were granted. We do not see the arguments foreshadowed by the applicant in his application for leave and the submissions in support of that application as having sufficient prospects of success to justify the grant of leave,” the judgment adds.

After dismissing Dotcom’s application for a hearing at the Supreme Court on the matter, the Court then ordered him to pay $2,500 to the US Government to cover its costs.

Thus far, Dotcom hasn’t commented publicly on the judgment but did find a report published here on TF yesterday darkly amusing. Safe harbor for YouTube, but not him, apparently.

The judgment can be obtained here (pdf)
