Slashdot Mirror

Just because Nintendo doesn't officially let their tiny replica NES receive new games doesn't mean hackers won't find a way to add their own. This week, hackers in Japan and Russia figured out soft-mod solutions to adding new games to the NES Classic, meaning you don't need to grab a screwdriver or a soldering iron to mod your own console. Ars Technica reports: According to the whiz kids at Reddit's NESClassicMods community, the solution won't work until you've created a save file in Super Mario Bros' first slot. (Chances are, you've already done this just by playing the game, since creating game saves is so easy with this system.) Once you've done that, connect your NES Classic Edition to a computer via a micro-USB cable, then boot the NES in "FEL" mode. This is done by holding down the system's reset button while pushing down the power button from a powered-off state. While you're booting, you should also run a "sunxi-FEL" interface on your computer. (An open-source version of compatible "USBBoot" software can be found here.) The rest of the steps land firmly in "operate at your own risk" territory, as they require copying your NES Classic's internal data to your computer, then modifying and adding files via an application made by hackers. Doing so, by the way, includes the dubious step of supplying your own ROM files, which you may have either dumped from your own cartridges or downloaded from other Internet users. One tool linked from that Reddit community, however, comes with two open-source NES ROMs that are in the legal free-and-clear to upload to your hardware. Once you've added your own game files, which should also include custom JPGs that will appear in the NES Classic's "box art" GUI, you'll have to repack the hardware's kernel, then fully flash the hardware yourself. Do all of those steps correctly, and you'll see every single game you've added appear in the slick, default interface.

An anonymous reader quotes a report from Ars Technica: T-Mobile USA will stop selling its older and cheaper limited-data plans to postpaid customers, shifting entirely to its new "unlimited" data plans that impose bandwidth limits on video and tethering unless customers pay extra. To ease the transition, T-Mobile will offer bill credits of $10 a month to customers when they use less than 2GB per month. T-Mobile began its shift to unlimited data plans in August with the introduction of T-Mobile One, which starts at $70 a month. While there are no data caps, customers have to pay a total of $95 a month to get high-definition video and mobile hotspot speeds of greater than 512kbps. The carrier said in August that the unlimited plan would be "replacing all our rate plans," including its cheaper plans that cost $50 or $65 a month. Nonetheless, T-Mobile kept selling limited postpaid data plans to new customers for a few months, but yesterday CEO John Legere said that as of January 22, T-Mobile One will be the "only postpaid consumer plan we sell." Existing postpaid customers can keep their current plans. For new customers, T-Mobile will presumably keep selling its prepaid plans that cost $40 to $60 a month and come with 3GB to 10GB of data. T-Mobile also said yesterday that it will start including taxes and fees in its advertised rate when customers sign up for new T-Mobile One plans and enroll in automatic payments, essentially giving subscribers a discount. "The average monthly bill for a family of four will drop from $180.48 to $160, according to a company spokesman," The Wall Street Journal reported.

AT&T and Time Warner say they have a plan to avoid a Federal Communications Commission review of their pending merger. From a report on Ars Technica: An FCC review would be necessary if Time Warner transfers any FCC licenses to AT&T, but Time Warner might get rid of any such licenses before the deal is finished. "Time Warner has conducted a review of all licenses that it holds that are granted by the FCC," AT&T said in a filing with the Securities and Exchange Commission yesterday. "While subject to change, it is currently anticipated that Time Warner will not need to transfer any of its FCC licenses to AT&T in order to continue to conduct its business operations after the closing of the transaction." "Time Warner has been looking to transfer or sell its licenses to another broadcaster for some time, according to a person familiar with the matter. "Time Warner can contract with third parties instead of owning the licenses, the person said."

An anonymous reader quotes a report from Ars Technica: Intel mostly missed the boat on smartphones, but the company is trying to establish a firm foothold in the ever-broadening marketplace for connected appliances and other smart things. Intel's latest effort in this arena is its new "Compute Card," a small 94.5mm by 55mm by 5mm slab that includes a CPU and GPU, RAM, storage, and wireless connectivity. Intel hasn't given us specific information about the specs and speeds of its first Compute Cards, but you can expect the fastest ones to approach the performance of high-end fanless laptops like Apple's MacBooks. Intel told us that processors with a TDP of up to 6W could fit inside the Compute Cards, which covers both low-power Atom chips like those that powered early versions of Intel's Compute Stick to full Core M and Y-series Core i5 and i7 CPUs like the ones you find in laptops. Intel says that the card uses a variant of the USB-C port called "USB-C plus extension" to connect with the systems it's plugged into. That connector gives devices direct access to the USB and PCIe buses as well as HDMI and DisplayPort video outputs. The company considers the Compute Card to be a replacement of sorts for the Compute Stick, which Intel says will probably disappear from its roadmap in 2018 or so. The issue with the Compute Stick from Intel's perspective is that its input and output ports were unnecessarily limiting -- it could only connect to HDMI ports and could only accept a limited number of USB inputs. The Compute Card can be slid into a wider variety of enclosures that can use all kinds of ports and display interfaces, and Intel says the Card will also offer a large array of performance and storage options, unlike current Compute Sticks.

Layzej writes from a report via Ars Technica: In 2015, NOAA released version 4 of their marine temperature dataset called ERSST. The new dataset accounted for a known cooling bias introduced when ocean temperature measurements transitioned from being taken in ship engine intake valves to buoy-based measurements. The warming of the last couple decades increased ever so slightly in NOAA's new analysis. This was a red flag for U.S. House Science Committee Chair Lamar Smith (R-TX), who rejects the conclusions of climate science -- like the fact that the Earth's climate is warming. Suddenly he wanted to see the researchers' e-mails and echoed the accusations of contrarian blogs about scientists' supposedly nefarious adjustments to sea surface temperature measurements. Rather than invoking scientific conspiracies, issues like this should be settled by analyzing the data. A new study, led by University of California Berkeley's Zeke Hausfather, does just that -- and Rep. Smith won't like these results, either. To test the NOAA dataset, Zeke's team created instrumentally homogeneous temperature records from sensors available only over the last couple decades. As it happens, the Argo float data, the buoy data, and the satellite data each hew closer to the updated dataset that NOAA used. The older version (3b) gives a global average that is too cool in recent years, growing to an offset of about 0.06 degrees Celsius. The researchers repeat this same analysis for two more major sea surface datasets that are used by the UK Met Office and the Japanese Meteorological Agency for their global temperature records. Both of those datasets also drift cooler than the comparison data, but less so than NOAA's old dataset.

An anonymous reader quotes a report from Ars Technica: Medium, the San Francisco-based online publishing platform founded in 2012, has laid off 50 employees, or roughly one-third of its staff. The company will also close offices in New York and Washington, DC. Ev Williams, Medium's CEO, wrote in a lengthy post on Wednesday that the company would be changing its business model despite ending 2016 as "our best year yet." He blamed the entire concept of "ad-driven media on the Internet" as the root of the company's shortcomings. As Williams, who is also a co-founder of Twitter, wrote: "It simply doesn't serve people. In fact, it's not designed to. The vast majority of articles, videos, and other "content" we all consume on a daily basis is paid for -- directly or indirectly -- by corporations who are funding it in order to advance their goals. And it is measured, amplified, and rewarded based on its ability to do that. Period. As a result, we getwell, what we get. And it's getting worse."

An anonymous reader quotes a report from Ars Technica: In the last four or five years, Intel's "Next Unit of Computing" (NUC) hardware has evolved from interesting experiments to pace cars for the rest of the mini desktop business. Mini PCs represent one of the few segments of the desktop computing business that actually has growth left in it, and every year the NUC has added new features that make it work for a wider audience. This year's models, introduced alongside the rest of Intel's new "Kaby Lake" processor lineup at CES, include new processors with new integrated GPUs, but that's probably the least interesting thing about them. Thanks to the demise of Intel's "tick-tock" strategy, the processing updates are minor. Kaby Lake chips include smaller performance and architectural improvements than past generations, and the year-over-year improvements have been mild over the last few years. The big news is in all the ways you can get bytes into and out of these machines. There are two Core i3 models (NUC7i3BNK and NUC7i3BNH), two Core i5 models (NUC7i5BNK and NUC7i5BNH), and one Core i7 model (NUC7i7BNH) -- that last one is intended to replace the older dual-core Broadwell i7 NUC and not the recent quad-core "Skull Canyon" model. The Core i3 and i5 versions come in both "short" and "tall" cases, the latter of which offers space for a 2.5-inch laptop-sized SATA hard drive or SSD. The i7 version only comes in a "tall" version. Like past NUCs, all five models offer two laptop-sized DDR4 RAM slots and an M.2 slot for SATA and PCI Express SSDs (up to four lanes of PCIe 3.0 bandwidth is available). Bluetooth and 802.11ac Wi-Fi is built-in. As for the rest of the NUCs' features, Intel has drawn a line between the Core i3 model and the i5/i7 models. All of the boxes include four USB 3.0 ports (two on the front, two on the back), a headphone jack, an IR receiver, an HDMI 2.0 port, a gigabit Ethernet port, a microSD card slot, a dedicated power jack, and a new USB-C port that can be used for data or DisplayPort output (the dedicated DisplayPort is gone, and this port can't be used to power the NUCs). In the i5 and i7 models, the USB-C port is also a full-fledged Thunderbolt 3 port, the first time any of the smaller dual-core NUCs have included Thunderbolt since the old Ivy Bridge model back in 2012.

An anonymous reader quotes a report from Ars Technica: In the last four or five years, Intel's "Next Unit of Computing" (NUC) hardware has evolved from interesting experiments to pace cars for the rest of the mini desktop business. Mini PCs represent one of the few segments of the desktop computing business that actually has growth left in it, and every year the NUC has added new features that make it work for a wider audience. This year's models, introduced alongside the rest of Intel's new "Kaby Lake" processor lineup at CES, include new processors with new integrated GPUs, but that's probably the least interesting thing about them. Thanks to the demise of Intel's "tick-tock" strategy, the processing updates are minor. Kaby Lake chips include smaller performance and architectural improvements than past generations, and the year-over-year improvements have been mild over the last few years. The big news is in all the ways you can get bytes into and out of these machines. There are two Core i3 models (NUC7i3BNK and NUC7i3BNH), two Core i5 models (NUC7i5BNK and NUC7i5BNH), and one Core i7 model (NUC7i7BNH) -- that last one is intended to replace the older dual-core Broadwell i7 NUC and not the recent quad-core "Skull Canyon" model. The Core i3 and i5 versions come in both "short" and "tall" cases, the latter of which offers space for a 2.5-inch laptop-sized SATA hard drive or SSD. The i7 version only comes in a "tall" version. Like past NUCs, all five models offer two laptop-sized DDR4 RAM slots and an M.2 slot for SATA and PCI Express SSDs (up to four lanes of PCIe 3.0 bandwidth is available). Bluetooth and 802.11ac Wi-Fi is built-in. As for the rest of the NUCs' features, Intel has drawn a line between the Core i3 model and the i5/i7 models. All of the boxes include four USB 3.0 ports (two on the front, two on the back), a headphone jack, an IR receiver, an HDMI 2.0 port, a gigabit Ethernet port, a microSD card slot, a dedicated power jack, and a new USB-C port that can be used for data or DisplayPort output (the dedicated DisplayPort is gone, and this port can't be used to power the NUCs). In the i5 and i7 models, the USB-C port is also a full-fledged Thunderbolt 3 port, the first time any of the smaller dual-core NUCs have included Thunderbolt since the old Ivy Bridge model back in 2012.

An anonymous reader quotes a report from Ars Technica: In the last four or five years, Intel's "Next Unit of Computing" (NUC) hardware has evolved from interesting experiments to pace cars for the rest of the mini desktop business. Mini PCs represent one of the few segments of the desktop computing business that actually has growth left in it, and every year the NUC has added new features that make it work for a wider audience. This year's models, introduced alongside the rest of Intel's new "Kaby Lake" processor lineup at CES, include new processors with new integrated GPUs, but that's probably the least interesting thing about them. Thanks to the demise of Intel's "tick-tock" strategy, the processing updates are minor. Kaby Lake chips include smaller performance and architectural improvements than past generations, and the year-over-year improvements have been mild over the last few years. The big news is in all the ways you can get bytes into and out of these machines. There are two Core i3 models (NUC7i3BNK and NUC7i3BNH), two Core i5 models (NUC7i5BNK and NUC7i5BNH), and one Core i7 model (NUC7i7BNH) -- that last one is intended to replace the older dual-core Broadwell i7 NUC and not the recent quad-core "Skull Canyon" model. The Core i3 and i5 versions come in both "short" and "tall" cases, the latter of which offers space for a 2.5-inch laptop-sized SATA hard drive or SSD. The i7 version only comes in a "tall" version. Like past NUCs, all five models offer two laptop-sized DDR4 RAM slots and an M.2 slot for SATA and PCI Express SSDs (up to four lanes of PCIe 3.0 bandwidth is available). Bluetooth and 802.11ac Wi-Fi is built-in. As for the rest of the NUCs' features, Intel has drawn a line between the Core i3 model and the i5/i7 models. All of the boxes include four USB 3.0 ports (two on the front, two on the back), a headphone jack, an IR receiver, an HDMI 2.0 port, a gigabit Ethernet port, a microSD card slot, a dedicated power jack, and a new USB-C port that can be used for data or DisplayPort output (the dedicated DisplayPort is gone, and this port can't be used to power the NUCs). In the i5 and i7 models, the USB-C port is also a full-fledged Thunderbolt 3 port, the first time any of the smaller dual-core NUCs have included Thunderbolt since the old Ivy Bridge model back in 2012.

An anonymous reader quotes a report from Ars Technica: Today at the Flat Rock Assembly Plant, Ford Motor Company CEO Mark Fields unveiled a large-scale electric vehicle initiative that will run through the company's next five years. Ford plans to invest $4.5 billion in electric vehicle production by 2020, and the company said it will produce 13 new electric vehicles, including a Mustang, an F-150, police cars, and a Transit Custom van. Additionally, Fields revealed that Ford would be canceling a previously announced $1.6 billion-production facility in Mexico. Instead, the company wants to invest $700 million in the existing Flat Rock facility, generating 700 new jobs focused on EV and autonomous initiatives at that location, according to Ford. Ford described seven of the 13 upcoming EVs during its press conference today. The F-150 Hybrid will be available by 2020 in North America and the Middle East, and Fields noted it'll be powerful enough to stand-in for on-site generators in a pinch. The Mustang Hybrid will deliver "V8 power and even more low-end torque" according to Ford; it too is intended for a 2020 release. Generally, electric motors are well suited to applications where you want a lot of immediate torque, so their presence should work well in a light duty truck like the F-150. Among the other notable vehicles highlighted, Ford is planning a fully electric small SUV that can "deliver an estimated range of at least 300 miles" by 2020. The company also wants to produce an autonomous vehicle "designed for commercial ride hailing or ride sharing" in North America by 2021.

An anonymous reader quotes a report from Ars Technica: Just before the Christmas holiday, Fitbit dropped a case it filed with the U.S. International Trade Commission claiming Jawbone had violated one of Fitbit's patents. The trial for this case had been set for March 2017, and if Fitbit had won, it would have prevented Jawbone from importing its devices into the US. In a report from The Wall Street Journal, Fitbit states: "Jawbone appears to be a different company. SEC filings of one of its biggest investors now value Jawbone shares as worth nothing, as well as indicate that Jawbone has filed for bankruptcy or is in default." There are no reports of Jawbone being in default, nor has the company filed for bankruptcy. Jawbone gave a statement to Recode which states: "By dismissing this action, Fitbit is no longer seeking to block importation of Jawbone devices, including Jawbone products in development. Jawbone believes this case -- involving patents already found once to be invalid -- should have been dismissed long ago by Fitbit." This is likely the simplest ending that any of the lawsuits between Fitbit and Jawbone will have. In April, the ITC ruled in Fitbit's favor after Jawbone filed a claim stating its rival had infringed on some of its sleep monitoring and data output patents. Later in August, Fitbit came out on top again after the ITC ruled it did not misappropriate trade secrets from Jawbone.

earlytime writes: Large scale account hacks such as the billion user Yahoo breach and targeted phishing hacks of gmail accounts during the U.S. election have made 2016 an infamous year for web security. Along comes U2F/web-security keys to address these issues at a critical time. Ars Technica reports that U2F keys "may be the world's best hope against account takeovers": "The Security Keys are based on Universal Second Factor, an open standard that's easy for end users to use and straightforward for engineers to stitch into hardware and websites. When plugged into a standard USB port, the keys provide a 'cryptographic assertion' that's just about impossible for attackers to guess or phish. Accounts can require that cryptographic key in addition to a normal user password when users log in. Google, Dropbox, GitHub, and other sites have already implemented the standard into their platforms. After more than two years of public implementation and internal study, Google security architects have declared Security Keys their preferred form of two-factor authentication. The architects based their assessment on the ease of using and deploying keys, the security it provided against phishing and other types of password attacks, and the lack of privacy trade-offs that accompany some other forms of two-factor authentication."

The researchers wrote in a recently published report: "We have shipped support for Security Keys in the Chrome browser, have deployed it within Google's internal sign-in system, and have enabled Security Keys as an available second factor in Google's Web services. In this work, we demonstrate that Security Keys lead to both an increased level of security and user satisfaction as well as cheaper support cost."

An anonymous reader quotes a report from Ars Technica: With Firefox 50, Mozilla has rolled out the first major piece of its new multi-process architecture. Edge, Internet Explorer, Chrome, and Safari all have a multiple process design that separates their rendering engine -- the part of the browser that reads and interprets HTML, CSS, and JavaScript -- from the browser frame. They do this for stability reasons (if the rendering process crashes, it doesn't kill the entire browser) and security reasons (the rendering process can be run in a low-privilege sandbox, so exploitable flaws in the rendering engine are harder to take advantage of). Moreover, these browsers can all create multiple rendering engine processes and use different processes for different tabs. This means that the scope of a crash is narrowed even further, typically to a single tab. Internet Explorer and Chrome both implemented this long ago, in 2009. Firefox, however, has not offered a similar design. Although work on a multi-process browser was started in 2009, under the codename Electrolysis, that work was suspended between 2011 and 2013 as priorities within the organization shifted. In response, Mozilla started switching to a new extension system in 2015 that opened the door to a multi-process design. The first stage of Firefox's move to multi-process involves separating the browser shell from a single rendering process that's used by every tab. In Firefox 48, that feature was enabled for a small number of users who used no extensions. Firefox 49 was rolled out to include users running a limited selection of extensions. Now, in Firefox 50, a separate renderer process is used for most users and most extensions. Developers are now able to mark their extensions as explicitly multi-process compatible. Firefox 51 will extend this even further to cover all extensions, except those that are explicitly marked as incompatible. Mozilla says that, even with the limited changes made in Firefox 50, responsiveness of the browser has improved by 400 percent due to the separation between the renderer and the browser shell. During page loads, responsiveness will increase to 700 percent.

Federals agents have accused Brian Brundage, the former owner of Chicago-based electronics recycling company Intercon Solutions and current owner of EnviroGreen Processing, of fraud for failing to properly break down and recycle electronic devices according to federal guidelines. Brundage allegedly shipped Cathode Ray Tubes (CRTs) from old computer and TV monitors, which contained "hazardous amounts of lead," and batteries to overseas landfills for disposal. The leftover electronics that weren't shipped overseas were destroyed inappropriately at his businesses or stored in warehouses, which is forbidden by federal guidelines. Ars Technica reports: According to the indictment (PDF), Brundage also improperly resold many of the electronics he acquired. Between 2009 and 2015, Brundage received shipments of calculators from an unnamed technology company in Texas with instructions to disassemble the calculators and recycle them accordingly. But Brundage apparently resold the calculators to another company based in Tampa, Florida, which purchased and sold used electronics. In exchange for the shipments of calculators, Brundage allegedly had the company in Tampa directly pay some of Brundage's personal expenses. Those expense include between $31,000 and $39,000 per year for a nanny and $26,000 to $42,000 per year for a housekeeper, as well as tens of thousands of dollars for jewelry expenses and payments to an Indiana-based casino. Among the more colorful accusations in the US government's indictment of Brundage: the businessman allegedly went to lengths to fool third-party auditors into giving his companies the certifications necessary to keep doing business as an e-recycler. Brundage allegedly invited unknowing customers on sham tours of Intercon's facility. Once there, he "directed Intercon's warehouse staff to set up a staged disassembly line to make it falsely appear as though Intercon regularly processed e-waste in a manner that was consistent with its public representations." The Chicago Tribune published a feature on Intercon in 2007. In it, Brundage is quoted saying, "We put old products on a disassembly line. We break each item down to raw materials and send them off to be smelted and reused." He added, "nothing that leaves here goes to a landfill."

The Nintendo Switch -- the hybrid portable games console/tablet due for release in March 2017 -- will be powered by Nvidia's older Tegra X1 SoC and not its upcoming Tegra X2 "Parker" SoC as initially rumored. From a report on ArsTechnica: The use of Tegra X1, which also powers the Nvidia Shield Android TV, means the graphics hardware inside the Switch is based on Nvidia's older second-generation Maxwell architecture, rather than the latest Pascal architecture. While the two architectures share a very similar design, the Switch will miss out on some of the smaller performance improvements made in Pascal. When docked, the Switch's GPU runs at a 768MHz, already lower than the 1GHz of the Shield Android TV. When used as a portable, the Switch downclocks the GPU to 307.2MHz -- just 40 percent of the clock speed when docked. Given the Switch is highly likely to use a 720p screen rather than 1080p -- this is currently assumed to be a 6.2-inch IPS LCD with 10-point multi-touch support -- there is some overhead to run games at 1080p when docked. However, it's questionable how many developers will go to the effort of creating games that make use of the extra horsepower when docked, rather than simply opting to program for the slower overall GPU clock speed. While GPU performance is variable, the rest of the Switch's specs remain static. Its four ARM A57 CPU cores are purported to run at 1020MHz regardless of whether the console is docked or undocked, while the memory controller can run at either 1600MHz or 1331MHz in either mode.

An anonymous reader quotes a report from Ars Technica: The U.S. electric grid continued to transform in 2016. No new coal plants were added, and solar became the top new source of generating capacity. Combined with wind, a small bit of hydro, and the first nuclear plant added to the grid in decades, sources that generate power without carbon emissions accounted for two-thirds of the new capacity added in 2016. These numbers come from the U.S. Energy Information Administration, which asked utilities about what sources they expected to have online at the end of the year. These numbers typically show a burst of activity in December, as projects are raced to completion to take advantage of the tax benefits of reaching operational status in the current year. Overall, the EIA recorded 26 GW of new capacity added to the grid in 2016. This includes a small amount (0.3GW) of new hydropower and a smattering of projects collected under "other" that produce a similar magnitude. Notably absent from the list is coal. Also absent is distributed solar, meaning panels installed on homes and other small-scale projects. Distributed solar accounted for about 2GW of new capacity in 2015, and the EIA notes that the incentives for these projects haven't changed considerably in 2016. Even without that 2GW, solar comes out on top, with 9.5GW of new additions this year. At 8GW, natural gas comes in second place on the EIA's list, followed by wind at 6.8GW. Thanks to the opening of a new reactor at Watts Bar in Tennessee, nuclear also joins the list for the first time in years, adding 1.1GW of capacity. Combined, wind, nuclear, hydro, and solar account for 68 percent of the new additions, making 2016 a low-carbon year for the U.S. grid. Assuming distributed solar this year is similar to its 2015 levels, the percentage of new non-fossil generation goes up above 70.

An anonymous reader writes: One of the biggest selling points of ATT's DirecTV Now service is that it streams video without counting against data caps on the ATT mobile network. But T-Mobile USA customers will also be able to watch DirecTV Now without using up data, the carrier announced yesterday. DirecTV Now is one of the latest services added to Binge On, which exempts dozens of video services from data caps as long as customers are willing to limit mobile viewing quality to about 480p. T-Mobile also promised to reimburse customers for DirecTV Now for 12 months if they port a phone number from the ATT network to T-Mobile and purchase at least two lines. This offer consists of a $35 monthly bill credit, enough to cover the DirecTV Now promotional price. This is a limited-time offer and cannot be combined with other offers like "Carrier Freedom," which reimburses customers for early termination fees when they switch to T-Mobile. "ATT wants you to think DirecTV is theirs exclusively, but that's a load of crap," Legere said in T-Mobile's press release yesterday. "Both DirecTV Now and the DirecTV apps stream free on T-Mobile with a faster, more advanced network that covers nearly every American. ATT is so distracted by their new businesses and DirecTV that they continue to ignore their 110 million wireless customers. Luckily, the Un-carrier's here to show them how to actually take care of customers!"

An anonymous reader writes: It's the year of the Linux desktop getting pwned. Chris Evans (not the red white and blue one) has released a number of linux zero day exploits, the most recent of which employs specially crafted audio files to compromise linux desktop machines. Ars Technica reports: "'I like to prove that vulnerabilities are not just theoretical -- that they are actually exploitable to cause real problems,' Evans told Ars when explaining why he developed -- and released -- an exploit for fully patched systems. 'Unfortunately, there's still the occasional vulnerability disclosure that is met with skepticism about exploitability. I'm helping to stamp that out.' Like Evans' previous Linux zero-day, the proof-of-concept attacks released Tuesday exploit a memory-corruption vulnerability closely tied to GStreamer, a media framework that by default ships with many mainstream Linux distributions. This time, the exploit takes aim at a flaw in a software library alternately known as Game Music Emu and libgme, which is used to emulate music from game consoles. The two audio files are encoded in the SPC music format used in the Super Nintendo Entertainment System console from the 1990s. Both take aim at a heap overflow bug contained in code that emulates the console's Sony SPC700 processor. By changing the .spc extension to .flac and .mp3, GSteamer and Game Music Emu automatically open them."

An anonymous reader writes: It's the year of the Linux desktop getting pwned. Chris Evans (not the red white and blue one) has released a number of linux zero day exploits, the most recent of which employs specially crafted audio files to compromise linux desktop machines. Ars Technica reports: "'I like to prove that vulnerabilities are not just theoretical -- that they are actually exploitable to cause real problems,' Evans told Ars when explaining why he developed -- and released -- an exploit for fully patched systems. 'Unfortunately, there's still the occasional vulnerability disclosure that is met with skepticism about exploitability. I'm helping to stamp that out.' Like Evans' previous Linux zero-day, the proof-of-concept attacks released Tuesday exploit a memory-corruption vulnerability closely tied to GStreamer, a media framework that by default ships with many mainstream Linux distributions. This time, the exploit takes aim at a flaw in a software library alternately known as Game Music Emu and libgme, which is used to emulate music from game consoles. The two audio files are encoded in the SPC music format used in the Super Nintendo Entertainment System console from the 1990s. Both take aim at a heap overflow bug contained in code that emulates the console's Sony SPC700 processor. By changing the .spc extension to .flac and .mp3, GSteamer and Game Music Emu automatically open them."

An anonymous reader quotes a report from Ars Technica: Barely two weeks after ATT launched DirecTV Now, the online streaming service's customers have already been hit by multiple outages, unexpected blackouts of live local sports games, and missing channels. There was an outage of about three hours last night and a two-hour outage Friday night, TVPredictions reported today. "DirecTV Now's customers said they couldn't log onto the streaming service, or they were suddenly met with a blank screen if already watching," the report said. The "Error Message 30" article tells customers that they may be suffering from "an intermittent or weak Internet connection," but in this case the problem was on DirecTV's end. "Tuesday evening we experienced an issue that prevented some customers from streaming on DirecTV Now," ATT told Ars today. "The issue has since been resolved and we're seeing normal streaming levels at this time. We thank our customers for their patience." Even when DirecTV Now works, availability of live sports games hasn't lived up to what the company promised. There appear to be technical problems affecting local games, but licensing restrictions may be limiting availability as well. This past Sunday, some DirecTV Now subscribers in cities such as San Francisco, Tampa Bay, and Atlanta could not watch NFL games on local Fox channels due to a technical problem, TVPredictions reported in another article.

An anonymous reader quotes a report from Ars Technica: Barely two weeks after ATT launched DirecTV Now, the online streaming service's customers have already been hit by multiple outages, unexpected blackouts of live local sports games, and missing channels. There was an outage of about three hours last night and a two-hour outage Friday night, TVPredictions reported today. "DirecTV Now's customers said they couldn't log onto the streaming service, or they were suddenly met with a blank screen if already watching," the report said. The "Error Message 30" article tells customers that they may be suffering from "an intermittent or weak Internet connection," but in this case the problem was on DirecTV's end. "Tuesday evening we experienced an issue that prevented some customers from streaming on DirecTV Now," ATT told Ars today. "The issue has since been resolved and we're seeing normal streaming levels at this time. We thank our customers for their patience." Even when DirecTV Now works, availability of live sports games hasn't lived up to what the company promised. There appear to be technical problems affecting local games, but licensing restrictions may be limiting availability as well. This past Sunday, some DirecTV Now subscribers in cities such as San Francisco, Tampa Bay, and Atlanta could not watch NFL games on local Fox channels due to a technical problem, TVPredictions reported in another article.

Microsoft has quietly fixed a software update it released last week, which effectively prevented Windows 10 users from connecting to the Internet or joining a local network. From a report on ArsTechnica: It's unclear exactly which automatic update caused the problem or exactly when it was released -- current (unconfirmed) signs point to KB3201845 released on December 9 -- but whatever it was appeared to break DHCP (Dynamic Host Configuration Protocol), preventing Windows 10 from automatically acquiring an IP address from the network. There's also little detail on how many people were affected or why, but multiple cases have been confirmed across Europe by many ISPs. A Microsoft spokesperson has meanwhile confirmed that "some customers" had been experiencing "difficulties" getting online, but that's about it for public statements at present. However, a moderator on the company's forums has said the fix was included in a patch released on Tuesday called KB3206632.

An anonymous reader quotes a report from Ars Technica: On Monday, energy company Deepwater Wind announced that its wind farm three miles off the coast of Block Island, Rhode Island, has the all-clear to sell electricity to the regional power grid. The Block Island Wind Farm is the first offshore wind energy plant in the U.S., and it's expected to produce 30 MW of electricity at full capacity. Deepwater Wind is slowly ramping up energy output and still must provide additional paperwork to the Rhode Island Coastal Resources Management Council, but the executive director of that organization, Grover Fugate, told the Providence Journal, "we don't anticipate any major issues" to getting the wind farm fully online. The one hitch in the Deepwater's plan is that one of the five turbines was recently damaged when a drill bit was left in a critical part of turbine. According to the Providence Journal, "the bit had caused damage to an unspecified number of the 128 magnet modules that line the circular generator and are critical to producing energy." Although the magnet modules can apparently be replaced easily, Deepwater needs to have the components shipped from France, where General Electric, the manufacturer of the wind turbines, makes them. For now, four turbines capable of churning out 6 MW of power each are operational. The Providence Journal notes that National Grid will pay Deepwater Wind 24.4 cents per kilowatt hour of power, with the price escalating over time to 47.9 cents per kilowatt hour. Because the residents of Block Island have some of the most expensive electricity rates in the nation, they will actually see energy savings, despite the price. Mainland Rhode Islanders, on the other hand, will pay an extra $1.07 per month on average.

Google wants to put Android in the next wave of smart devices that'll be vying to fill up your home. It's launching a version of Android today called Android Things that can run on products like connected speakers, security cameras, and routers. A report adds: The OS is supposed to make it easier for companies to start shipping hardware, since they'll be able to work with the Android dev tools they already know. Android Things is a new name, but the operating system itself isn't strictly new. It's basically an update and a rebranding to Brillo, an Android-based OS for smart devices and Internet of Things products announced a little more than a year and a half ago. Brillo has -- publicly, at least -- gone close to nowhere. It was more or less a no-show at CES last year, and there's been little mention of it since. But today's rebranding marks a key update meant to make developing a product with this operating system much easier. Unlike Brillo, development on Android Things can be accomplished with "the same developer tools as standard Android," according to Google. The hope is that experienced developers will be able to quickly get up to speed and start work on a new product.ArsTechnica has more details.

An anonymous reader quotes a report from Ars Technica: Comcast's latest price hikes include a significant increase in the company's widely despised "Broadcast TV" and "Regional Sports Network" fees. The Broadcast TV fee is moving from $5 a month to $7 a month, while the Regional Sports Network fee is rising from $3 a month to $5 a month, according to notices sent to customers in several cities. Combined, that's a change from $8 to $12 a month, giving Comcast an extra $48 a year from each customer that has to pay the fees. Comcast began charging these fees a few years ago, which have risen quickly. Just over a year ago, Comcast raised the Broadcast TV fee from $3 to $5 and the Regional Sports fee from $1 to $3. The two fees have thus gone from $4 to $12, combined, in little more than a year. Comcast customers recently sued the company, saying that Comcast falsely advertises lower-than-actual prices and then raises rates by tacking on these two fees. Comcast falsely portrays these fees as being required by the government, the proposed class action lawsuit said. Charter is facing a similar lawsuit. Comcast says the fees recover a portion of the price it pays broadcast networks and regional sports networks to air their content. But paying for programming is simply part of the cost of doing business as a cable TV provider, and programming costs have always been passed on to consumers in their cable TV bills. By charging fees separately from basic rates, "Comcast has found a way to secretly and repeatedly increase the monthly price it charges for its channel packages" even when customers are supposed to be getting a flat rate during a contract term, the lawsuit said. The Broadcast TV fee was introduced in 2014, initially as $1.50 a month, and the Regional Sports fee was added in 2015 at $1 a month. Comcast charges the sports fee even though it owns many of the regional sports networks that broadcast sporting events in local markets. The price increases were reported by TVPredictions and DSLReports, and customers have been posting letters they received from Comcast detailing the price changes.

An anonymous reader quotes a report from Ars Technica: Comcast's latest price hikes include a significant increase in the company's widely despised "Broadcast TV" and "Regional Sports Network" fees. The Broadcast TV fee is moving from $5 a month to $7 a month, while the Regional Sports Network fee is rising from $3 a month to $5 a month, according to notices sent to customers in several cities. Combined, that's a change from $8 to $12 a month, giving Comcast an extra $48 a year from each customer that has to pay the fees. Comcast began charging these fees a few years ago, which have risen quickly. Just over a year ago, Comcast raised the Broadcast TV fee from $3 to $5 and the Regional Sports fee from $1 to $3. The two fees have thus gone from $4 to $12, combined, in little more than a year. Comcast customers recently sued the company, saying that Comcast falsely advertises lower-than-actual prices and then raises rates by tacking on these two fees. Comcast falsely portrays these fees as being required by the government, the proposed class action lawsuit said. Charter is facing a similar lawsuit. Comcast says the fees recover a portion of the price it pays broadcast networks and regional sports networks to air their content. But paying for programming is simply part of the cost of doing business as a cable TV provider, and programming costs have always been passed on to consumers in their cable TV bills. By charging fees separately from basic rates, "Comcast has found a way to secretly and repeatedly increase the monthly price it charges for its channel packages" even when customers are supposed to be getting a flat rate during a contract term, the lawsuit said. The Broadcast TV fee was introduced in 2014, initially as $1.50 a month, and the Regional Sports fee was added in 2015 at $1 a month. Comcast charges the sports fee even though it owns many of the regional sports networks that broadcast sporting events in local markets. The price increases were reported by TVPredictions and DSLReports, and customers have been posting letters they received from Comcast detailing the price changes.

An anonymous reader quotes a report from Ars Technica: Comcast's latest price hikes include a significant increase in the company's widely despised "Broadcast TV" and "Regional Sports Network" fees. The Broadcast TV fee is moving from $5 a month to $7 a month, while the Regional Sports Network fee is rising from $3 a month to $5 a month, according to notices sent to customers in several cities. Combined, that's a change from $8 to $12 a month, giving Comcast an extra $48 a year from each customer that has to pay the fees. Comcast began charging these fees a few years ago, which have risen quickly. Just over a year ago, Comcast raised the Broadcast TV fee from $3 to $5 and the Regional Sports fee from $1 to $3. The two fees have thus gone from $4 to $12, combined, in little more than a year. Comcast customers recently sued the company, saying that Comcast falsely advertises lower-than-actual prices and then raises rates by tacking on these two fees. Comcast falsely portrays these fees as being required by the government, the proposed class action lawsuit said. Charter is facing a similar lawsuit. Comcast says the fees recover a portion of the price it pays broadcast networks and regional sports networks to air their content. But paying for programming is simply part of the cost of doing business as a cable TV provider, and programming costs have always been passed on to consumers in their cable TV bills. By charging fees separately from basic rates, "Comcast has found a way to secretly and repeatedly increase the monthly price it charges for its channel packages" even when customers are supposed to be getting a flat rate during a contract term, the lawsuit said. The Broadcast TV fee was introduced in 2014, initially as $1.50 a month, and the Regional Sports fee was added in 2015 at $1 a month. Comcast charges the sports fee even though it owns many of the regional sports networks that broadcast sporting events in local markets. The price increases were reported by TVPredictions and DSLReports, and customers have been posting letters they received from Comcast detailing the price changes.

Congress passed a bill yesterday that will make it illegal for people to use software bots to buy concert tickets. Ars Technica reports: The Better Online Ticket Sales (BOTS) Act makes it illegal to bypass any computer security system designed to limit ticket sales to concerts, Broadway musicals, and other public events with a capacity of more than 200 persons. Violations will be treated as "unfair or deceptive acts" and can be prosecuted by the Federal Trade Commission or the states. The bill passed the Senate by unanimous consent last week, and the House of Representatives voted yesterday to pass it as well. It now proceeds to President Barack Obama for his signature. Computer programs that automatically buy tickets have been a frustration for the concert industry and fans for a few years now. The issue had wide exposure after a 2013 New York Times story on the issue. Earlier this year, the office of New York Attorney General Eric Schneiderman completed an investigation into bots. The New York AG's ticket sales report (PDF) found that the tens of thousands of tickets snatched up by bots were marked up by an average of 49 percent.

An anonymous reader shares an ArsTechnica report: Apple has received at least $6 per American taxpayer over the last five years in the form of interest payments on billions' worth of United States Treasury bonds, according to a report by Bloomberg. Citing Apple's regulatory filings and unnamed sources, the business publication found "the Treasury Department paid Apple at least $600 million and possibly much more over the past five years in the form of interest." By taking advantage of a provision in the American tax code, Bloomberg says that Apple has "stashed much of its foreign earnings -- tax-free -- right here in the US, in part by purchasing government bonds." As The Wall Street Journal reported in September, American companies are believed to be holding approximately $2 trillion in cash overseas that is shielded from US taxes. Under American law, companies must pay a 35-percent corporate tax rate on global profits when that money is brought home -- so there is an incentive to keep as much of that money overseas as possible.

When Google launched Cloud Print, it removed a lot of the hassle from using a printer. Instead of a printer only printing documents from the PC it was connected to, Cloud Print allowed any device, be it a Windows PC, Mac, Chromebook, smartphone, tablet, etc. to print to any printer either locally or remotely. However, Google Cloud Print has gone awry this week, as reports PCMag, and Epson printer owners are suffering because of it. From the article: A thread appeared on the Chromebook Central Help Forum explaining a problem where an Epson XP-410$185.00 at Amazon printer was turning itself off after 30 seconds. The printer worked without issue for two years, but now it wouldn't stay powered on. At first, this seems like a printer hardware problem, but the printer started working again once it was disconnected from the Internet. However, as soon as Google Print Cloud was enabled, the automatic power down happened again. Later in the support thread an Epson WF-4630 owner reports the same issue, as do XP-215, XP-415, XP-610, WF-545, WF-845, and WF-7610 owners.A change in Google's API for its cloud service triggered the issue, reports ArsTechnica. The change has caused a conflict between Cloud Print and printers' firmware.

Update: Epson has responded to Slashdot, pointing us to its support page that has instructions on how to fix the issue on many of Epson printers.

Last month, Apple announced a repair program for a "small number" of iPhone 6s phones that suffer from faulty batteries. The phones that were affected by this fault were manufactured between September and October 2015. Two weeks later, Apple now says the fault was caused by overexposure to "controlled ambient air." Ars Technica reports: The same press release -- issued only in China so far, but available in English if you scroll down -- says that some owners of later iPhone 6S models are also reporting problems with unexpected shutdowns. Apple isn't replacing those batteries just yet, but the company says that an iOS update "available next week" will add "additional diagnostic capability" that will allow Apple to better track down and diagnose the causes of these shutdowns. It "may potentially help [Apple] improve the algorithms used to manage battery performance and shutdown," as well. Those improvements will be included in future iOS updates. Apple says that the battery problem "is not a safety issue," an important thing to note given the way the Galaxy Note 7 blew up in Samsung's face. The software update that Apple mentions in the release is almost certainly iOS 10.2, which is currently in its sixth beta build. The update will be the first major bug-fix release since October's iOS 10.1, and it also includes a handful of other changes like new and redesigned emoji, the TV app that Apple demoed at its last product event, and other features.

The US Supreme Court today will take up a case that will determine how much help an overseas manufacturer can get from the U.S. without running afoul of US patent laws. From a report on ArsTechnica: The case originates in a dispute between two competitors in the field of genetic testing. Both Promega Corporation and Life Technologies (selling through its Applied Biosciences brand) make DNA testing kits that can be used in a variety of fields, including forensic identification, paternity testing, medical treatment, and research. Promega licensed several patents to Applied Biosystems that allowed its competitor to sell kits for use in "Forensics and Human Identity Applications." The license forbade sales for clinical or research uses. In 2010, Promega filed a lawsuit in federal court, saying that Life Technologies had "engaged in a concerted effort to sell its kits into unlicensed fields," thus infringing its patents. A Wisconsin federal jury found that Life Tech had willfully infringed and should pay $52 million in damages. But the district judge overseeing the case set aside that verdict after trial, ruling that since nearly all of the Life Tech product had been assembled and shipped from outside the US, the product wasn't subject to US patent laws.

An anonymous reader quotes a report from Ars Technica: A rifle-wielding North Carolina man was arrested Sunday in Washington, DC for carrying his weapon into a pizzeria that sits at the center of the fake news conspiracy theory known as "Pizzagate," authorities said Monday. DC's Metropolitan Police Department said it had arrested 28-year-old Edgar Maddison Welch on allegations of assault with a dangerous weapon. "During a post arrest interview this evening, the suspect revealed that he came to the establishment to self-investigate 'Pizza Gate' (a fictitious online conspiracy theory," the agency said in a statement. "Pizzagate" concerns a baseless conspiracy theory about a secret pedophile group, the Comet Ping Pong restaurant, and Hillary Clinton's campaign chief, John Podesta. The Pizzagate conspiracy names Comet Ping Pong as the secret headquarters of a non-existent child sex-trafficking ring run by Clinton and members of her inner circle. James Alefantis, the restaurant's owner, said he has received hundreds of death threats. According to Buzzfeed, the Pizzagate theory is believed to have been fostered by a white supremacist's tweets, the 4chan message board, Reddit, Donald Trump supporters, and right-wing blogs. The day before Thanksgiving, Reddit banned a "Pizzagate" conspiracy board from the site because of a policy about posting personal information of others. Alefantis, the pizzeria's owner, told CNN, "What happened today demonstrates that promoting false and reckless conspiracy theories comes with consequences. I hope that those involved in fanning these flames will take a moment to contemplate what happened here today, and stop promoting these falsehoods right away."

An anonymous reader quotes a report from Ars Technica: Millions of Americans still have extremely slow Internet speeds, a new Federal Communications Commission report shows. While the FCC defines broadband as download speeds of 25Mbps, about 47.5 million home or business Internet connections provided speeds below that threshold. Out of 102.2 million residential and business Internet connections, 22.4 million offered download speeds less than 10Mbps, with 5.8 million of those offering less than 3Mbps. About 25.1 million connections offered at least 10Mbps but less than 25Mbps. 54.7 million households had speeds of at least 25Mbps, with 15.4 million of those at 100Mbps or higher. These are the advertised speeds, not the actual speeds consumers receive. Some customers will end up with slower speeds than what they pay for. Upload speeds are poor for many Americans as well. While the FCC uses 3Mbps as the upload broadband standard, 16 million households had packages with upload speeds less than 1Mbps. Another 27.2 million connections were between 1Mbps and 3Mbps, 30.1 million connections were between 3Mbps and 6Mbps, while 29 million were at least 6Mbps. The Internet Access Services report released last week contains data as of December 31, 2015. The 11-month gap is typical for these reports, which are based on information collected from Internet service providers. The latest data is nearly a year old, so things might look a bit better now, just as the December 2015 numbers are a little better than previous ones.

An anonymous reader writes: Congress has passed a law protecting the right of U.S. consumers to post negative online reviews without fear of retaliation from companies. The bipartisan Consumer Review Fairness Act was passed by unanimous consent in the US Senate, a Senate Commerce Committee announcement said. The bill, introduced in 2014, was already approved by the House of Representatives and now awaits President Obama's signature.

The Consumer Review Fairness Act -- full text available here -- voids any provision in a form contract that prohibits or restricts customers from posting reviews about the goods, services, or conduct of the company providing the product or service. It also voids provisions that impose penalties or fees on customers for posting online reviews as well as those that require customers to give up the intellectual property rights related to such reviews.

An anonymous reader quotes a report from ValueWalk: Nikola Motor Company just unveiled a huge class 8 truck which will run on hydrogen fuel cells. Nikola claimed that the truck's operational range will be as much as 1,200 miles (1,900 km), and it will be released in 2020. Nikola designed the Nikola One for long-haul transport across a large landmass. The truck will deliver over 1,000 horsepower and 2,000 foot-pounds of torque. Provided these claims are true, the vehicle will provide nearly double the power of the current-gen diesel-powered semis/articulated lorries, notes Ars Technica. The leasing cost of the trucks will include the fuel price, servicing costs and warranty, but exactly how the lease will work is not known now, notes Ars Technica. The company says it has already accepted nearly $3 billion in future orders. A fully-electric drivetrain which gets power from high-density lithium batteries runs the vehicle, and a hydrogen fuel cell charges the batteries on the go. Its reach is presently limited, as hydrogen fueling stations currently exist in only small numbers. This made Nikola decide to construct a network of 364 hydrogen fueling stations across the U.S. and Canada, just like Tesla with its network of Superchargers. Milton claims it will come with a smart dashboard which has the capability of picking the most cost-efficient route for drivers. Also one or two full-size beds will be included inside the vehicle's enormous cab. It will have other luxuries and necessities as well, such as Wi-Fi, a refrigerator, 4G LTE connectivity, freezer, a 40-inch curved 4K TV with Apple TV and a microwave.

New submitter npslider writes: The "USB Killer," a USB stick that fries almost everything that it is plugged into, has been mass produced -- available online for about $50. Ars Technica first wrote about this diabolical device that looks like a fairly humdrum memory stick a year ago. From the report: "The USB Killer is shockingly simple in its operation. As soon as you plug it in, a DC-to-DC converter starts drawing power from the host system and storing electricity in its bank of capacitors (the square-shaped components). When the capacitors reach a potential of -220V, the device dumps all of that electricity into the USB data lines, most likely frying whatever is on the other end. If the host doesn't just roll over and die, the USB stick does the charge-discharge process again and again until it sizzles. Since the USB Killer has gone on sale, it has been used to fry laptops (including an old ThinkPad and a brand new MacBook Pro), an Xbox One, the new Google Pixel phone, and some cars (infotainment units, rather than whole cars... for now). Notably, some devices fare better than others, and there's a range of possible outcomes -- the USB Killer doesn't just nuke everything completely." You can watch a video of EverythingApplePro using the USB Killer to fry a variety of electronic devices. It looks like the only real defense from the USB Killer is physically capping your ports.

New submitter npslider writes: The "USB Killer," a USB stick that fries almost everything that it is plugged into, has been mass produced -- available online for about $50. Ars Technica first wrote about this diabolical device that looks like a fairly humdrum memory stick a year ago. From the report: "The USB Killer is shockingly simple in its operation. As soon as you plug it in, a DC-to-DC converter starts drawing power from the host system and storing electricity in its bank of capacitors (the square-shaped components). When the capacitors reach a potential of -220V, the device dumps all of that electricity into the USB data lines, most likely frying whatever is on the other end. If the host doesn't just roll over and die, the USB stick does the charge-discharge process again and again until it sizzles. Since the USB Killer has gone on sale, it has been used to fry laptops (including an old ThinkPad and a brand new MacBook Pro), an Xbox One, the new Google Pixel phone, and some cars (infotainment units, rather than whole cars... for now). Notably, some devices fare better than others, and there's a range of possible outcomes -- the USB Killer doesn't just nuke everything completely." You can watch a video of EverythingApplePro using the USB Killer to fry a variety of electronic devices. It looks like the only real defense from the USB Killer is physically capping your ports.

20-year-old Lan Cai was in a car crash this summer, after she was plowed into by a drunk driver and broke two bones in her lower back. She didn't know how to navigate her car insurance and prove damages, so she reached out for legal help. Things didn't go as one would have liked, initially, as ArsTechnica documents:The help she got, Cai said, was less than satisfactory. Lawyers from the Tuan A. Khuu law firm ignored her contacts, and at one point they came into her bedroom while Cai was sleeping in her underwear. "Seriously, it's super unprofessional!" she wrote on Facebook. (The firm maintains it was invited in by Cai's mother.) She also took to Yelp to warn others about her bad experience. The posts led to a threatening e-mail from Tuan Khuu attorney Keith Nguyen. Nguyen and his associates went ahead and filed that lawsuit, demanding the young woman pay up between $100,000 and $200,000 -- more than 100 times what she had in her bank account. Nguyen said he didn't feel bad at all about suing Cai. Cai didn't remove her review, though. Instead she fought back against the Khuu firm, all thanks to attorney Michael Fleming, who took her case pro bono. Fleming filed a motion arguing that, first and foremost, Cai's social media complaints were true. Second, she couldn't do much to damage the reputation of a firm that already had multiple poor reviews. He argued the lawsuit was a clear SLAPP (strategic Lawsuit Against Public Participation). Ultimately, the judge agreed with Fleming, ordering the Khuu firm to pay $26,831.55 in attorneys' fees.

plover writes: Investigators from the U.S. Department of Justice, the FBI, Eurojust, Europol, and other global partners announced the takedown of a massive botnet named "Avalanche," estimated to have involved as many as 500,000 infected computers worldwide on a daily basis. A Europol release says: "The global effort to take down this network involved the crucial support of prosecutors and investigators from 30 countries. As a result, five individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims of malware infections were identified in over 180 countries. In addition, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800,000 domains seized, sinkholed or blocked." Sean Gallagher writes via Ars Technica: "The domains seized have been 'sinkholed' to terminate the operation of the botnet, which is estimated to have spanned over hundreds of thousands of compromised computers around the world. The Justice Department's Office for the Western Federal District of Pennsylvania and the FBI's Pittsburgh office led the U.S. portion of the takedown. 'The monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide, although exact calculations are difficult due to the high number of malware families present on the network,' the FBI and DOJ said in their joint statement. In 2010, an Anti-Phishing Working Group report called out Avalanche as 'the world's most prolific phishing gang,' noting that the Avalanche botnet was responsible for two-thirds of all phishing attacks recorded in the second half of 2009 (84,250 out of 126,697). 'During that time, it targeted more than 40 major financial institutions, online services, and job search providers,' APWG reported. In December of 2009, the network used 959 distinct domains for its phishing campaigns. Avalanche also actively spread the Zeus financial fraud botnet at the time."

According to a report from The Information, Fitbit is buying smartwatch maker Pebble for a "small amount" of money. One source says Fitbit is paying between $34 and $40 million for the company and is "barely covering their debts." TechCrunch reports: A source close to the company told TechCrunch that watch maker Citizen was interested in purchasing Pebble for $740 million in 2015. This deal failed and before the launch of the Pebble 2 Intel made an offer for $70 million. The CEO, Eric Migicovsky refused both offers. Pebble released the newest version of its smartwatch in October, but the past year or so has been a challenging period. It laid off 25 percent of its staff in March, while we reported last year that it was in some trouble and had turned to debt funding and loans, as well as traditional investor cash, "in order to stay afloat." Earlier this year, Pebble CEO Migicovsky confirmed that his company had raised $28 million in debt and venture financing. He blamed a more cautious outlook from VCs focused on tech as the primary reason for letting 40 of Pebble's staff go.

An anonymous reader quotes a report from Ars Technica: The Food and Drug Administration on Tuesday approved the first large-scale, phase 3 clinical trial of ecstasy in patients suffering from post-traumatic stress disorder (PTSD), the New York Times reported. The regulatory green-light follows six smaller-scale trials that showed remarkable success using the drug. In fact, some of the 130 PTSD patients involved in those trials say ecstasy -- or 3,4-Methylenedioxymethamphetamine (MDMA) -- saved them from the devastating impacts of PTSD after more than a decade of seeing no improvement with the other treatment options available. Currently, the best of those established treatment options can only improve symptoms in 60 to 70 percent of PTSD patients, one expert noted. However, after one of the early MDMA studies, the drug had completely erased all traces of symptoms in two-thirds of PTSD patients. The new Phase 3 trial will involve at least 230 patients and is planned to start in 2017. Like the other trials, it is backed by the Multidisciplinary Association for Psychedelic Studies (MAPS), a nonprofit created in 1985 to advocate for the medical benefits and use of psychedelic drugs, such as MDMA and marijuana. Also like the others, the new, larger trial will involve a limited number of MDMA treatments administered by professional psychotherapists as part of a therapy program. In previous trials, patients spent 12 weeks in a psychotherapy program, including three eight-hour sessions in which they took MDMA and talked through traumatic memories.

An anonymous reader quotes a report from Computerworld: A Firefox zero-day being used in the wild to target Tor users is using code that is nearly identical to what the FBI used in 2013 to unmask Tor-users. A Tor browser user notified the Tor mailing list of the newly discovered exploit, posting the exploit code to the mailing list via a Sigaint darknet email address. A short time later, Roger Dingledine, co-founder of the Tor Project Team, confirmed that the Firefox team had been notified, had "found the bug" and were "working on a patch." On Monday, Mozilla released a security update to close off a different critical vulnerability in Firefox. Dan Guido, CEO of TrailofBits, noted on Twitter, that "it's a garden variety use-after-free, not a heap overflow" and it's "not an advanced exploit." He added that the vulnerability is also present on the Mac OS, "but the exploit does not include support for targeting any operating system but Windows." Security researcher Joshua Yabut told Ars Technica that the exploit code is "100% effective for remote code execution on Windows systems." "The shellcode used is almost exactly the shellcode of the 2013 one," tweeted a security researcher going by TheWack0lian. He added, "When I first noticed the old shellcode was so similar, I had to double-check the dates to make sure I wasn't looking at a 3-year-old post." He's referring to the 2013 payload used by the FBI to deanonymize Tor-users visiting a child porn site. The attack allowed the FBI to tag Tor browser users who believed they were anonymous while visiting a "hidden" child porn site on Freedom Hosting; the exploit code forced the browser to send information such as MAC address, hostname and IP address to a third-party server with a public IP address; the feds could use that data to obtain users' identities via their ISPs.

Shortly after it officially launched in August on PlayStation and Windows, No Man's Sky -- the game that sees the protagonist explore space and experience uncertain places -- was accused of false advertising. Players felt that the pictures and videos used to promote the game on its Steam page didn't represent the sort of things players might expect to encounter in the game. Today, a UK advertising regulator has ruled the opposite -- the game didn't mislead gamers. Ars Technica reports: The complainants -- who had been part of a semi-organized campaign upset with the state of the game at release -- insisted that the screenshots on the storefront had seemed to promise various features that turned out to be absent from the final game. These included things like the appearance and behavior of animals, large in-game buildings, large-scale space combat, loading screens, a promised system wherein the different factions contested galactic territory, and general graphical polish. Hello Games' defense rested on the fact that No Man's Sky is procedurally generated, and that while players would not enjoy the exact experience shown in promotional images, they could reasonably expect to see similar things. The Advertising Standards Authority (ASA) agreed, saying: "The summary description of the game made clear that it was procedurally generated, that the game universe was essentially infinite, and that the core premise was exploration. As such, we considered consumers would understand the images and videos to be representative of the type of content they would encounter during gameplay, but would not generally expect to see those specific creatures, landscapes, battles, and structures." It also ruled that the developers hadn't misled customers over graphics: "We understood the graphical output of the game would be affected by the specifications of each player's computer, and considered that consumers would generally be aware of this limitation."

An anonymous reader quotes a report from Ars Technica: The attacker who infected servers and desktop computers at the San Francisco Metropolitan Transit Agency (SFMTA) with ransomware on November 25 apparently gained access to the agency's network by way of a known vulnerability in an Oracle WebLogic server. That vulnerability is similar to the one used to hack a Maryland hospital network's systems in April and infect multiple hospitals with crypto-ransomware. And evidence suggests that SFMTA wasn't specifically targeted by the attackers; the agency just came up as a target of opportunity through a vulnerability scan. In an e-mail to Ars, SFMTA spokesperson Paul Rose said that on November 25, "we became aware of a potential security issue with our computer systems, including e-mail." The ransomware "encrypted some systems mainly affecting computer workstations," he said, "as well as access to various systems. However, the SFMTA network was not breached from the outside, nor did hackers gain entry through our firewalls. Muni operations and safety were not affected. Our customer payment systems were not hacked. Also, despite media reports, no data was accessed from any of our servers." That description of the ransomware attack is not consistent with some of the evidence of previous ransomware attacks by those behind the SFMTA incident -- which Rose said primarily affected about 900 desktop computers throughout the agency. Based on communications uncovered from the ransomware operator behind the Muni attack published by security reporter Brian Krebs, an SFMTA Web-facing server was likely compromised by what is referred to as a "deserialization" attack after it was identified by a vulnerability scan. A security researcher told Krebs that he had been able to gain access to the mailbox used in the malware attack on the Russian e-mail and search provider Yandex by guessing its owner's security question, and he provided details from the mailbox and another linked mailbox on Yandex. Based on details found in e-mails for the accounts, the attacker ran a server loaded with open source vulnerability scanning tools to identify and compromise servers to use in spreading the ransomware, known as HDDCryptor and Mamba, within multiple organizations' networks.

An anonymous reader quotes a report from Ars Technica: The attacker who infected servers and desktop computers at the San Francisco Metropolitan Transit Agency (SFMTA) with ransomware on November 25 apparently gained access to the agency's network by way of a known vulnerability in an Oracle WebLogic server. That vulnerability is similar to the one used to hack a Maryland hospital network's systems in April and infect multiple hospitals with crypto-ransomware. And evidence suggests that SFMTA wasn't specifically targeted by the attackers; the agency just came up as a target of opportunity through a vulnerability scan. In an e-mail to Ars, SFMTA spokesperson Paul Rose said that on November 25, "we became aware of a potential security issue with our computer systems, including e-mail." The ransomware "encrypted some systems mainly affecting computer workstations," he said, "as well as access to various systems. However, the SFMTA network was not breached from the outside, nor did hackers gain entry through our firewalls. Muni operations and safety were not affected. Our customer payment systems were not hacked. Also, despite media reports, no data was accessed from any of our servers." That description of the ransomware attack is not consistent with some of the evidence of previous ransomware attacks by those behind the SFMTA incident -- which Rose said primarily affected about 900 desktop computers throughout the agency. Based on communications uncovered from the ransomware operator behind the Muni attack published by security reporter Brian Krebs, an SFMTA Web-facing server was likely compromised by what is referred to as a "deserialization" attack after it was identified by a vulnerability scan. A security researcher told Krebs that he had been able to gain access to the mailbox used in the malware attack on the Russian e-mail and search provider Yandex by guessing its owner's security question, and he provided details from the mailbox and another linked mailbox on Yandex. Based on details found in e-mails for the accounts, the attacker ran a server loaded with open source vulnerability scanning tools to identify and compromise servers to use in spreading the ransomware, known as HDDCryptor and Mamba, within multiple organizations' networks.

An anonymous reader quotes a report from Ars Technica: Congress has passed a law protecting the right of U.S. consumers to post negative online reviews without fear of retaliation from companies. The bipartisan Consumer Review Fairness Act was passed by unanimous consent in the U.S. Senate yesterday, a Senate Commerce Committee announcement said. The bill, introduced in 2014, was already approved by the House of Representatives and now awaits President Obama's signature. The Consumer Review Fairness Act -- full text available here -- voids any provision in a form contract that prohibits or restricts customers from posting reviews about the goods, services, or conduct of the company providing the product or service. It also voids provisions that impose penalties or fees on customers for posting online reviews as well as those that require customers to give up the intellectual property rights related to such reviews. The legislation empowers the Federal Trade Commission to enforce the new law and impose penalties when necessary. The bill also protects reviews that aren't available via the Internet.

An anonymous reader quotes a report from Ars Technica: Last week the Environmental Protection Agency (EPA) announced its final renewable fuel standards for 2017, requiring that fuel suppliers blend an additional 1.2 billion gallons of renewable fuel into U.S. gas and diesel from 2016 levels. The rule breaks down the requirements to include quotas for cellulosic biofuels, biomass-based diesel, advanced biofuel, and traditional renewable fuel. Reuters points out that the aggressive new biofuel standards will create a dilemma for an incoming Trump administration, given that his campaign courted both the gas and corn industries. While the EPA under the Obama administration has continually increased so-called renewable fuel standards (RFS), the standards were first adopted by a majority-Republican Congress in 2005 and then bolstered in 2007 with a requirement to incorporate 36 billion gallons of renewable fuel into the fuel supply by 2022, barring "a determination that implementation of the program is causing severe economic or environmental harm," as the EPA writes. Some biofuels are controversial not just for oil and gas suppliers but for some wildlife advocates as well. Collin O'Mara, CEO of the National Wildlife Federation, said in a statement that the corn ethanol industry that most stands to benefit from the EPA's expansion of the renewable fuel standards "is responsible for the destruction of millions of acres of wildlife habitat and degradation of water quality." Still, the EPA contends that biofuels made from corn and other regenerating plants offer reductions in overall fuel emissions, if the processes used to make and transport the fuels are included. "Advanced biofuels" will offer "50 percent lifecycle carbon emissions reductions," and their share of the new standards will grow by 700 million gallons in 2017 from 2016 requirements, the EPA says. Cellulosic biofuel will be increased by 81 million gallons and biomass-based diesel will be increased by 100 million gallons. "Non-advanced or 'conventional' renewable fuel" will be increased to 19.28 billion gallons from 18.11 billion gallons in 2016. Conventional renewable fuel "typically refers to ethanol derived from corn starch and must meet a 20 percent lifecycle GHG [greenhouse gas] reduction threshold," according to EPA guidelines. Other kinds of renewable fuels include sugarcane-based ethanol, cellulosic ethanol derived from the stalks, leaves, and cobs leftover from a corn harvest, and compressed natural gas gleaned from wastewater facilities.

An anonymous reader quotes a report from Ars Technica: A low-tech but cunning malware program is worrying security researchers after it started spreading rapidly in the past week through a new attack vector: by forcibly exploiting vulnerabilities in Facebook and LinkedIn. According to the Israeli security firm Check Point, security flaws in the two social networks allow a maliciously coded image file to download itself to a user's computer. Users who notice the download, and who then access the file, cause malicious code to install "Locky" ransomware onto their computers. Locky has been around since early this year, and works by encrypting victims' files and demands a payment of around half a bitcoin for the key. Previously, it had relied on a malicious macro in Word documents and spam e-mails, but Check Point says that in the past week there has been a "massive spread of the Locky ransomware via social media, particularly in its Facebook-based campaign." Users are advised not to open any file that has automatically downloaded, especially any image file with an unusual extension such as SVG, JS, or HTA -- though benign-looking images could exploit the way Windows hides file extensions by default.

An anonymous reader quotes a report from Ars Technica: Whistleblower Edward Snowden can be asked to give evidence in person by a German committee probing the NSA's spying activities, the country's Federal Court of Justice has ruled. Germany's government has been told that it should make suitable arrangements for that to happen. It has been refusing to invite Snowden to give evidence personally since it would need to guarantee that he would not be handed over to the U.S. -- a promise the German authorities say would risk damaging the political relations between the two countries. Instead, it has called for him to give evidence via a video link, or for German officials to interview him in Moscow, both of which Snowden turned down. Following a formal complaint by the greens and left-wing politicians, Germany's Federal Court of Justice has ruled that the German government must provide the necessary guarantees that would allow Snowden to give evidence in person, or explain why it will not do so. Snowden's lawyer, Wolfgang Kaleck, told the Suddeutsche Zeitung that the German government might refuse to provide guarantees, and officially admit that it regards cooperating with the U.S. on intelligence matters in the future as more important than getting to the bottom of past surveillance. In that case, an appeal could be made to Germany's constitutional court, according to an article in Der Spiegel, which would decide whether the German government was allowed to make that trade-off. The committee of inquiry is examining to what extent German citizens and politicians were spied on by the NSA and its so-called Five Eyes partners -- notably GCHQ -- and whether German politicians and intelligence agencies knew about this activity.