Month: February 2017

More than 1 million websites running the WordPress content management system may be vulnerable to hacks that allow visitors to snatch password data and secret keys out of databases, at least under certain conditions.

The vulnerability stems from a "severe" SQL injection bug in NextGEN Gallery, a WordPress plugin with more than 1 million installations. Until the flaw was recently fixed, NextGEN Gallery allowed input from untrusted visitors to be included in WordPress-prepared SQL queries. Under certain conditions, attackers can exploit the weakness to pipe powerful commands to a Web server's backend database.

"This is quite a critical issue," Slavco Mihajloski, a researcher with Web security firm Sucuri, wrote in a blog post published Monday. "If you're using a vulnerable version of this plugin, update as soon as possible."

Enlarge / A figure from the patent that has been asserted against Intel, Google, and hundreds of other companies providing SSL and TLS on their websites. (credit: USPTO)

Patent-holding company TQP Development made millions claiming that it owned a breakthrough in Web encryption, even though most encryption experts had never heard of the company until it started a massive campaign of lawsuits. Yesterday, the company's litigation campaign was brought to an end when a panel of appeals judges refused (PDF) to give TQP a second chance to collect on a jury verdict against Newegg.

The TQP patent was invented by Michael Jones, whose company Telequip briefly sold a kind of encrypted modem. The company sold about 30 models before the modem business went bust. Famed patent enforcer Erich Spangenberg bought the TQP patent in 2008 and began filing lawsuits, saying that the Jones patent actually entitled him to royalties on a basic form of SSL Internet encryption. Spangenberg and Jones ultimately made more than $45 million from the patent.

Newegg finally took the TQP patent to a jury trial but lost in 2013 when a jury said Newegg should pay $2.3 million for infringement. But after a long delay, Newegg still won the lawsuit on post-trial motions. US District Judge Rodney Gilstrap agreed with Newegg's lawyers that because the company's encryption scheme didn't change "key values" with each block of data, it couldn't possibly fit into the description of the Jones patent.

Enlarge / Not what you expect when you're installing software you just bought from a software publisher online.

On Tuesday, I got a text message from my father that nearly made me fall off the treadmill at the gym: "Help! How do I turn off untrusted on my Mac?"

I texted back, "What do you mean?" and then stepped off to call him. He explained that he was trying to install Kaspersky Internet Security on his MacBook; his auto-renewal for software updates had been cancelled because he had gotten a new credit card, so Kaspersky had told him he needed to do a new install to re-establish his account. After downloading the installer from Digital River through an online purchase, he launched it and got an error: "Certificate used to sign package is not trusted. Use –allowUntrusted to override."

Given that there has been a number of cases of MacOS malware protection tools being shown to create security vulnerabilities—including, most recently, the revelation that ESET Endpoint Antivirus 6 for macOS could be used to remotely execute code by an attacker—I was concerned that something was going horribly wrong. I was afraid my father had somehow gotten a maliciously altered copy of the installer or that some other hijinks were involved, so I told him to contact Kaspersky's technical support. Then I got back on the treadmill. As I finished up my morning run, he texted again:

At the start of this month, we covered a bill making its way through the South Dakota legislature. It's the latest variation on a large collection of state bills that seek to protect educators from what has been termed "teaching the controversy." Should the bills pass, teachers would be immune to punishment for using outside material in instruction, as long as the teacher believes the material is scientific—even if it has overtly religious origins.

But in the intervening time, similar bills have appeared in three other states, and a fourth state is considering eliminating references to climate change in its teaching plan. Science education appears to be facing a busy year in the statehouses.

We can start with Indiana, where Senate Resolution 17 has now cleared the Education Committee. The resolution approvingly quotes a proposed amendment to the No Child Left Behind Act to challenge evolution: "Where topics are taught that may generate controversy (such as biological evolution), that the curriculum should help students to understand the full range of scientific views that exist, why such topics can generate controversy, and how scientific discoveries can profoundly affect society." What it neglects to note is that the amendment was rejected or that evolution is the only scientific view that currently exists.

Okja is a twist on the classic monster movie. It's also a twist on mad science movies, coming-of-age movies, and satires of corporate life. Things are so twisty because it's the latest offering from cult director Bong Joon-ho, who previously gave us wacky, dark science fiction movies like The Host and Snowpiercer.

Okja is the result of Netflix giving Bong $50 million and complete artistic freedom, and the results look just as bizarre as you might hope. The movie stars Ahn Seo-hyun, Tilda Swinton, and Giancarlo Esposito, among others.

The central struggle is between image-obsessed corporate scientist Nancy Mirando (Swinton) and a girl named Mija (Ahn). In this teaser trailer, we hear Nancy proclaim that she's put science and nature together to create something extraordinary. But that "something" is Mija's best friend, who also happens to be a giant monster. We only see a glimpse of the monster, but if Bong's previous monster movie The Host is any indication, this megabeast is going to look great.

(credit: gildas_f)

Americans went from having an average of 2.6 TVs per household in 2009 to having 2.3 TVs in 2015, according to survey data from the US Energy Information Agency (EIA).

The data comes from the agency’s Residential Energy Consumption Survey (RECS), which has been conducted periodically since the 1970s to understand American energy use. The 2015 survey included 5,600 respondents who were contacted in person and then given an option to follow up by mail or online. A fine-detail report on the survey results is due to be released in April 2017.

The latest data shows that in 2015, 2.6 percent of households had no TV at all, a jump from the previous four surveys in 2009, 2005, 2001, and 1997 in which a steady 1.2 to 1.3 percent of households didn’t own a TV. The 2015 data also showed that the number of people with three TVs or more dropped in 2015. That year, 39 percent of households had more than three TVs, whereas 44 percent had more than three TVs in 2009.

Enlarge / Lee Jae-yong, vice chairman of Samsung, leaves after attending a court hearing at the Seoul Central District Court last month in Seoul, South Korea. The de facto leader of Samsung was indicted Tuesday. (credit: Chung Sung-Jun/Getty Images)

Lee Jae-yong, the 48-year-old vice chairman of Samsung, was indicted in South Korea on bribery and other allegations Tuesday in a broadening corruption scandal that also saw charges leveled against four other top Samsung executives.

Lee, one of South Korea's best-known business leaders, was taken into custody last month following the issuance of an arrest warrant alleging bribery, perjury, embezzlement, and other charges. He is largely considered the head of Samsung. His father, the chairman, was hospitalized in 2014 after suffering a heart attack and remains ill.

Investigators believe that Lee, who is also known by the name Jay Y. Lee, is involved in a political corruption scandal that resulted in last year's impeachment of South Korean President Park Geun-hye.