Slashdot Mirror

Last summer a developer created a plugin which made it possible to run snippets of COBOL code embedded in JavaScript using the Node.js interpreter. Now Slashdot reader techfilz writes: Romanian developer Bizau Ionica has engineered a software bridge called node.cobol which can execute Node.js scripts from within COBOL programs.
The link shows COBOL code executing a Node.js script that launches a Web server and creates ASCII art from a JPEG image -- in this case, Admiral Grace Hopper, who helped create COBOL in 1959. And Ars Technica points out the same developer has also built a Node.js bridge for FORTRAN.

An anonymous reader quotes a report from Ars Technica: Minecraft's PC and smartphone versions are finally coming to China. On Friday, Microsoft and Mojang announced the beginning of a "five-year exclusive partnership" with Chinese software publisher NetEase, Inc to roll the game out onto Chinese computer and smartphone marketplaces. Microsoft was able to publish the game on Xbox One consoles late last year, but those consoles have yet to penetrate the Chinese market to the extent that PCs and smartphones have, and the fact that even Microsoft had to license the game to someone else as opposed to launching it from its own Shanghai campus is a stern reminder of what roadblocks stand in the way of Western software developers. "The most challenging aspect of doing business in China by far is dealing with the government," former PopCap executive James Gwertzman said at the 2010 Game Developers Conference. Game publishers must acquire a combined six permits to launch a game in China, and most of those permits cannot be acquired by foreign-operated companies. Microsoft is presumably in the exact same regulatory boat, and its choice of partner is telling; NetEase already has a major Western-gaming reputation thanks to its partnership with megawatt game makers Blizzard. Gwertzman guessed that Minecraft will probably avoid such undue attention with its upcoming launch. "Minecraft is on the good side as it encourages teamwork and learning," he said. "I see Minecraft as the perfect example of a game that will receive public support [in China]." Meanwhile, American technology companies like Apple and Microsoft are undergoing security reviews in the communist country.

Dan Goodin, reporting for Ars Technica (edited and condensed): ISPs around the world are being attacked by self-replicating malware that can take complete control of widely used wireless networking equipment, according to reports from customers. San Jose, California-based Ubiquiti Networks confirmed recently that attackers are actively targeting a flaw in AirOS, the Linux-based firmware that runs the wireless routers, access points, and other gear sold by the company. The vulnerability, which allows attackers to gain access to the devices over HTTP and HTTPS connections without authenticating themselves, was patched last July, but the fix wasn't widely installed. Many customers claimed they never received notification of the threat.ISPs in Argentina, Spain, Brazil have been attacked by the worm, said Nico Waisman, a research at security firm Immunity, adding that it's likely that ISPs in the U.S. and other places have also been attacked by the same malware. From the report, "Once successful, the exploit he examined replaces the password files of an infected device and then scans the network it's on for other vulnerable gear. After a certain amount of time, the worm resets infected devices to their factory default configurations, with the exception of leaving behind a backdoor account, and then disappears."

Alphabet CEO Larry Page says his company never considered getting permission from Oracle for using the latter's Java APIs in Android. Page, who appeared in a federal court, said Java APIs are open and free, which warrants them or anyone to use it without explicit permission from Oracle. From an Ars Technica report (edited for clarity): "But you did copy the code and copy the structure, sequence, and organization of the APIs?" Oracle attorney Peter Bicks asked, raising his voice. "I don't agree with 'copy code,'" Page said. "For me, declaring code is not code," Page said. "Have you paid anything to Oracle for using that intellectual property?" Bicks asked. "When Sun established Java, they established it as an open source thing," Page said. "I believe the APIs we used were pretty open. No, we didn't pay for the free and open things." [...] "Was Google seeking a license for Java?" Google lawyer Robert Van Nest asked. "Yes, and a broader deal around other things, like branding and cooperation," Page said. "After discussions with Sun broke off, did you believe Google needed a license for APIs?" Van Nest asked. "No, I did not believe that," Page said. "It was established industry practice that the API and just the headers of those things could be taken and re-implemented. [It must be done] very carefully, not to use any existing implementation of those systems. That's been done many, many times. I think we acted responsibly and carefully around these intellectual property issues."

It's official: the Google Play Store is coming to Chrome OS. The company announced on Thursday that it is bringing more than 1.5 million Android apps to Chromebooks. Google adds that zero efforts are required from developers' end for their Android apps to function on Chrome OS. Users will also be able to see notifications and have in-line replies on the desktop. Users on developer channel builds of Chrome OS will get an option to use Google Play and Android apps starting early next month. Regular users on select Chromebook models will have this feature in September. Ars Technica has tons of more details about it. The Verge says Android apps are just what Chromebooks needed.

An anonymous reader quotes a report from Ars Technica: Nintendo's most recent fiscal-year disclosure made headlines for announcing a release window for the new "Nintendo NX" console and yet another Zelda game delay, but it also included news of serious corporate restructuring. The short version: Nintendo will soon involve a supervisory committee in making top-level executive decisions. A Tuesday announcement included the company's amended articles of incorporation, expected to be approved by shareholders this June, and it included three new entries in its "business engagement" list: restaurants, medical and health devices, and "computer software." The choice of adding "computer software" to that list, on the other hand, seems particularly curious -- especially since Nintendo's existing list of engaged businesses includes terms that sound very much like computer software, particularly the broad term of "contents such as games, images, and music." That list also revised an entry that used to say that the company would license the "use or reproduction of copyrighted works" and "trademarks." Now, Nintendo will license its "intellectual property rights." That shift to the term "intellectual property" includes copyrighted works and trademarks in an umbrella that also may include such Nintendo-owned concepts as patents.

Also at the conference, Google announced Allo, a new smart messaging app, and Duo, a high-definition video chat app for Android and iOS devices. TechCrunch reports: Why the decision to launch two separate apps? A couple of reasons, it seems. The first is to keep the experiences simple and lightweight; and the second: to do something a little different from the rest of the pack. Facebook, for example, has supercharged Messenger with smart bots, as well as voice and video calling and more on top of its basic text messaging service. Allo leverages Google's assistant bot to prompt interesting and relevant responses to texts. Duo is a one-to-one video chatting app with a number of interesting features including "Knock Knock" which lets you see the real-time video of the person calling you.
Google has also released the third preview of Android N. The company says that it is now safe enough to be used on your primary smartphone and tablet. The new update comes with a feature called "Seamless Updates" which will install system updates in the background.
The company also announced Instant Apps, a feature that will allow users to tap an Instant App URL, and run the app without installing it. Clicking on Instant App URL, Google says, only gleans the parts of the app that you need for a specific purpose. The feature will work on all phones running Android 4.2 or newer version, and will be available starting later this year.

At its developer conference I/O, Google on Wednesday unveiled Google Home, a small round gadget with microphones and speakers that listens and responds to your questions and commands. As you may have guessed, Google Home will compete with Amazon Echo. The company also announced Assistant. Ars Technica reports: Google's conversational assistant is in the same vein as Cortana and Siri, Google Assistant. Google Assistant will be on phones and wearables too, and Google says that it will be better at picking out the context of what you're doing than any of the competitors. As an example, when standing near Cloud Gate, better known as The Bean, in Chicago, you can ask Google Assistant "Who designed this?" Based on your location alone, Assistant will understand that you're probably referring to the large shiny sculpture in front of you, and answer "Anish Kapoor."The Google Home will be available for purchase later this year. CNET has more details.

JustAnotherOldGuy writes: Rightscorp, the copyright trolls whose business model was convincing ISPs to freeze their customers' Internet access in response to unsubstantiated copyright accusations, and then ransom those connections back for $20 each, will be out of money by the end of this quarter. Despite a massive courtroom win against Cox Cable in 2015 (and a counterbalancing gigantic fine for its robocalls), the company couldn't win a technology cat-and-mouse game against its prey -- the wily file-sharers who switched to VPNs and other anonymizing technologies. For the moment, the company is teetering on the brink of financial collapse. It raised $500,000 on February 22, the company reported, but it needs another $1 million to stay afloat. It has only enough cash on hand to continue "into the second quarter of 2016," according to the company's latest financial report.

An anonymous reader writes: In 2014, Threshold Entertainment announced it would be producing a live-action film based on the Russian stacking game Tetris. Today, Threshold Entertainment announced it had secured $80 million in funding for the project. Threshold's Larry Kasanoff has worked on the Mortal Kombat film in 1995, which grossed $70 million. Media mogul Bruno Wu, will serve as co-producer on the film ensuring that the movie will be able to sustain any unplanned budget overruns. According to Deadline, the film is planned for a 2017 release with Chinese locations and a Chinese case. However, Kasanoff notes "the goal is to make world movies for the world market." What's more is that the movie could be the basis of a trilogy, the producer says, with a plot that's "not at all what you think; it will be a cool surprise." Kasanoff told the Wall Street Journal that "this isn't a movie with a bunch of lines running around the page. We're not giving feet to the geometric shapes... What you [will] see in Tetris is the teeny tip of an iceberg that has intergalactic significance."

An anonymous reader writes from a report via Ars Technica: For the first time, Firefox has pulled ahead of Microsoft's Internet Explorer and Edge browsers. Mozilla's Firefox grabbed 15.6 percent of worldwide desktop browser usage in April, according to the latest numbers from Web analytics outfit StatCounter. Google Chrome continues to dominate two thirds of the market. StatCounter, which analyzed data from three million websites, found that Firefox's worldwide desktop browser usage last month was 0.1 percent ahead of the combined share of Internet Explorer and Edge at 15.5 percent. Firefox has reportedly been losing market share over the last three months, but Microsoft's Edge and Internet Explorer browsers appear to be declining faster. Last week, Mozilla launched Test Pilot, a program for trying out experimental Firefox features. They've also been fighting the FBI in court for details about a vulnerability in the Tor Browser hack, which may affect the company since the Tor browser is partially based on the Firefox browser code.

An anonymous reader shares an Ars Technica report: Are you the type to dash madly toward any new online service's sign-up page even if you think you'll never touch it again, just to lock down your username of choice? As any good geek knows, handles are a precious commodity, especially for free services that don't have explicitly advertised nickname-recycling policies. One online ecosystem, Xbox Live, may have a respite in store for users who want to remove extraneous numbers or characters from their Gamertag of choice. A Monday announcement from Xbox Live PR chief Larry "Major Nelson" Hryb confirmed that a slew of "nearly one million" dormant Gamertags will be made available for qualified Xbox Live Gold members starting on Wednesday, May 18, at 2pm EDT.

An anonymous reader writes:"Starting 5/13/16, 'Project Spark' will no longer be available for download on the Xbox Marketplace or Windows Store," Microsoft wrote in a blog post, adding that it will go offline for good on August 12th. They thanked fans who have "gone above and beyond supporting 'Project Spark' by uploading hundreds of thousands of creations and dreaming up millions of objects, behaviors, and experiences..."

Ars Technica remembered Spark as the free multi-device, build-your-own game platform that you never knew existed. "Marketing teams never effectively sold the possibilities and power of Spark's make-your-own-game system," reports Ars Technica. "While short teaser videos hinted at the game enabling everything from kart racers to airborne battles, major demonstrations tended to revolve more around generic 3D platformers.

An anonymous reader writes: FitnessKeeper, the company behind running app Runkeeper, is in hot water in Europe. The company has received a formal complaint from the Norwegian Consumer Council for breaching European data protection laws. But why? Runkeeper tracks its users' location at all times -- not just when the app is active -- and sends that data to advertisers. The NCC, a consumer rights watchdog, is conducting an investigation into 20 apps' terms and conditions to see if the apps do what their permissions say they do and to monitor data flows. Tinder has already been reported to the Norwegian data protection authority for similar breaches of privacy laws. The NCC's investigation into Runkeeper discovered that user location data is tracked around the clock and gets transmitted to a third party advertiser in the U.S. called Kiip.me.Finn Myrstad, the council's digital policy director, said: We checked the apps technically, to see the data flows and to see if the apps actually do what they say they do. Everyone understands that Runkeeper tracks users while they exercise, but to continue after the training has ended is not okay. Not only is it a breach of privacy laws, we are also convinced that users do not want to be tracked in this way, or for information to be shared with third party advertisers.

The FCC requires all manufacturers to prevent users from having any direct ability to change RF parameters (frequency limits, output power, country codes, etc). The easiest way for a router manufacturer to comply with FCC's guideline is to block the open source router firmware -- which is what TP-Link has been doing. But thankfully, at least one router manufacturer doesn't think blocking the firmware is the right way to go about it. Ars Technica reports: Linksys has been collaborating with chipmaker Marvell and the makers of OpenWrt to make sure its latest WRT routers can comply with the new rules without blocking open source firmware, company officials told Ars. Linksys' effort stands in contrast with TP-Link, which said it would entirely prevent loading of open source firmware on its routers to satisfy the new Federal Communications Commission requirements. "They're named WRT... it's almost our responsibility to the open source community," Linksys router product manager Vince La Duca told Ars. Cybersecurity experts have urged the router manufacturers to not block open source firmware.

An anonymous reader writes: Opera Software has added a power-saving mode to its desktop web browser that "can increase the battery life by as much as 50 percent." The company claims optimizations are what has made the battery life increase possible, including "reducing activity from background tabs, adapting page-redrawing frequency, and tuning video-playback parameters." Opera claimed that a laptop running Windows 10 64-bit with the power-saving feature enabled lasts 49 percent longer than one with Chrome put under equal stress. Ad blocking was turned on during the test as well. The feature is not enabled by default, but a blue battery icon will appear next to the browser's address bar whenever the power cable is unplugged from your computer. When the laptop's battery is running low, the browser will suggest turning on power-saving mode, too. Earlier this week, Opera launched a new VPN app for iOS that is free to use and includes unlimited data.

An anonymous reader quotes a report from Ars Technica: Blood tests that try to quantify marijuana use are in fact useless at assessing how impaired a driver is, according to a study by the AAA Foundation for Traffic Safety. The study found that people with low blood amounts of THC -- or delta-9-tetrahydrocannabinol, the main psychoactive component of pot -- may still act as if they're really stoned. On the other hand, some people may have THC measurements off the charts yet still act normally. The finding is critical because several states have already set legal limits for the amount of THC a person can have in their blood while driving. AAA concluded that such limits are "arbitrary and unsupported by science, which could result in unsafe motorists going free and others being wrongfully convicted for impaired driving." The conclusion echoes that of other researchers that also noted no correlation between blood THC levels and impairment. Still, there is a need to deter people from smoking pot while driving, AAA argues, as it can impair driving. It recommends that until scientifically valid measures of impairments are put into place, law enforcement should use a combination of behavior and psychological tests to assess whether drivers who use marijuana are safe to drive.

According to German newspaper Merkur, one 18-year old and four of her friends lost control of her father's Model S electric vehicle. The car reportedly flew more than 80 feet into a field before it came to a stop. Even though the driver and two of the passengers were airlifted to hospitals, none of their injuries were life-threatening, thanks largely in part to Tesla's skateboard chassis. Ars Technica writes, "The skateboard chassis used by the Model S and Model X is extremely safe, with crumple zones that are unconcerned with engines that can transfer kinetic energy into the passengers during a frontal collision." The images of the crash are not pretty, but one could imagine how much worse they would be if a front-engined internal combustion vehicle were involved instead of the Tesla Model S.

An anonymous reader cites an Ars Technica report: Four U.S. senators say that the Internet speed standard for a government grant program shouldn't be stuck at 4Mbps. The Community Connect program run by the US Department of Agriculture (USDA) funds broadband deployment in rural communities, but it uses a speed standard of just 4Mbps downstream and 1Mbps upstream. Even that speed is an increase over the 3Mbps (download and upload combined) standard the program used until just a few weeks ago. US Senators Angus King (I-Maine), Shelley Moore Capito (R-W.Va.), Jeanne Shaheen (D-N.H.), and Kirsten Gillibrand (D-N.Y.) say that the USDA didn't raise the standard high enough. In a letter last week to USDA Secretary Tom Vilsack, the senators questioned the decision to set the grant program's speed threshold below the 10Mbps/1Mbps standard used by a separate USDA loan program. "Earlier this month, USDA upped broadband speed requirements for the Broadband Access Loan Program to 10Mbps, while Community Connect was only upped to 4Mbps," the senators noted. "In order to maintain the programs' relevance in an age of rapidly increasing demand for bandwidth, we strongly urge you to consider updating their broadband speed definitions, particularly the Community Connect Program's Minimum Broadband Service benchmark."

Hundreds of millions of email login credentials -- affecting Gmail, Yahoo, Mail.ru (Russia's most popular email service), and Hotmail among other websites -- were being traded earlier this week in Russia's criminal underground. According to a report on Ars Technica, Google, Yahoo, Microsoft, and Mail.ru have now assured that the vast majority of leaked credentials are invalid. For instance, "More than 98% of the Google account credentials in this research turned out to be bogus," Google said. Dan Goodin reports: What has been clear all along to anyone paying attention is that the plaintext credentials recovered by Hold Security almost certainly didn't come from hacks on the e-mail providers. Instead, they most likely were collected by hackers who hit dozens, hundreds or thousands of third-party Web services over the years and dumped the account databases into a single list.

Dan Goodin, reporting for Ars Technica: A large number of websites are vulnerable to a simple attack that allows hackers to execute malicious code hidden inside booby-trapped images. The vulnerability resides in ImageMagick, a widely used image-processing library that's supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users. According to developer and security researcher Ryan Huber, ImageMagick suffers from a vulnerability that allows malformed images to force a Web server to execute code of an attacker's choosing. Websites that use ImageMagick and allow users to upload images are at risk of attacks that could completely compromise their security. "The exploit is trivial, so we expect it to be available within hours of this post," Huber wrote in a blog post. He went on to say: "We have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them. An unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software."

An anonymous reader cites a story on Ars Technica: Maintainers of the OpenSSL cryptographic library have patched high-severity holes that could make it possible for attackers to decrypt login credentials or execute malicious code on Web servers. The updates were released Tuesday morning for both versions 1.0.1 and 1.0.2 of OpenSSL, which a large portion of the Internet relies on to cryptographically protect sensitive Web and e-mail traffic using the transport layer security protocol. OpenSSL advisories labeled the severity of both vulnerabilities "high," meaning the updates fixing them should be installed as soon as possible. The fixes bring the latest supported versions to 1.0.1t and 1.0.2h. The decryption vulnerability is the result of what cryptographers call a padding oracle weakness, which allows attackers to repeatedly probe an encrypted payload for clues about the plaintext content inside. According to TLS expert Filippo Valsorda, the bug allows for only 16 bytes of encrypted traffic to be recovered, and even then only when an end user sends it repeatedly.

Researchers have discovered flaws in Samsung's Smart Home automation system, which if exploited, allows them to carry a range of remote attacks. These attacks include digitally picking connected door locks from anywhere in the world. The flaws have been documented by researchers from the University of Michigan ahead of the 2016 IEEE Symposium on Security and Privacy. "All of the above attacks expose a household to significant harm -- break-ins, theft, misinformation, and vandalism," the researchers wrote in a paper. "The attack vectors are not specific to a particular device and are broadly applicable." Dan Goodin, reports for Ars Technica: Other attacks included a malicious app that was able to obtain the PIN code to a smart lock and send it in a text message to attackers, disable a preprogrammed vacation mode setting, and issue a fake fire alarm. The one posing the biggest threat was the remote lock-picking attack, which the researchers referred to as a "backdoor pin code injection attack." It exploited vulnerabilities in an existing app in the SmartThings app store that gives an attacker sustained and largely surreptitious access to users' homes. The attack worked by obtaining the OAuth token that the app and SmartThings platform relied on to authenticate legitimate users. The only interaction it required was for targeted users to click on an attacker-supplied HTTPS link that looked much like this one that led to the authentic SmartThings login page. The user would then enter the username and password. A flaw in the app allowed the link to redirect the credentials away from the SmartThings page to an attacker-controlled address. From then on, the attackers had the same remote access over the lock that users had.

An anonymous reader writes: Thursday one technology site reported that thousands of developers building bots for the team-collaboration tool Slack were exposing their login credentials in public GitHub repositories and tickets. "The irony is that a lot of these bots are mostly fun 'weekend projects', reported Detectify. "We saw examples of fit bots, reminding you to stretch throughout the day, quote bots, quoting both Jurassic Park...and Don Quixote...."

Slack responded that they're now actively searching for publicly-posted login credentials, "and when we find any, we revoke the tokens and notify both the users who created them, as well as the owners of affected teams." Detectify notes the lapse in security had occurred at a wide variety of sites, including "Forbes 500 companies, payment providers, multiple internet service providers and health care providers... University classes at some of the world's best-known schools. Newspapers sharing their bots as part of stories. The list goes on and on..."

An anonymous reader quotes a report from Ars Technica: A Philadelphia man suspected of possessing child pornography has been in jail for seven months and counting after being found in contempt of a court order demanding that he decrypt two password-protected hard drives. The suspect, a former Philadelphia Police Department sergeant, has not been charged with any child porn crimes. Instead, he remains indefinitely imprisoned in Philadelphia's Federal Detention Center for refusing to unlock two drives encrypted with Apple's FileVault software in a case that once again highlights the extent to which the authorities are going to crack encrypted devices. The man is to remain jailed "until such time that he fully complies" with the decryption order. The government successfully cited a 1789 law known as the All Writs Act to compel (PDF) the suspect to decrypt two hard drives it believes contain child pornography. The All Writs Act was the same law the Justice Department asserted in its legal battle with Apple.

An anonymous reader quotes a report from Ars Technica: A Philadelphia man suspected of possessing child pornography has been in jail for seven months and counting after being found in contempt of a court order demanding that he decrypt two password-protected hard drives. The suspect, a former Philadelphia Police Department sergeant, has not been charged with any child porn crimes. Instead, he remains indefinitely imprisoned in Philadelphia's Federal Detention Center for refusing to unlock two drives encrypted with Apple's FileVault software in a case that once again highlights the extent to which the authorities are going to crack encrypted devices. The man is to remain jailed "until such time that he fully complies" with the decryption order. The government successfully cited a 1789 law known as the All Writs Act to compel (PDF) the suspect to decrypt two hard drives it believes contain child pornography. The All Writs Act was the same law the Justice Department asserted in its legal battle with Apple.

An anonymous reader quotes a report from Ars Technica: A Philadelphia man suspected of possessing child pornography has been in jail for seven months and counting after being found in contempt of a court order demanding that he decrypt two password-protected hard drives. The suspect, a former Philadelphia Police Department sergeant, has not been charged with any child porn crimes. Instead, he remains indefinitely imprisoned in Philadelphia's Federal Detention Center for refusing to unlock two drives encrypted with Apple's FileVault software in a case that once again highlights the extent to which the authorities are going to crack encrypted devices. The man is to remain jailed "until such time that he fully complies" with the decryption order. The government successfully cited a 1789 law known as the All Writs Act to compel (PDF) the suspect to decrypt two hard drives it believes contain child pornography. The All Writs Act was the same law the Justice Department asserted in its legal battle with Apple.

An anonymous reader writes: Comcast has announced today it will be raising its monthly data cap of 300GB to 1TB beginning June 1st. They will however charge more to customers who want unlimited data. After June 1st, less people will need to buy unlimited data from the company. Previously, users were charged an extra $30 to $35 a month for unlimited data but now they will have to pay an additional $50 for unlimited data. "All of the data plans in our trial markets will move from a 300 gigabyte data plan to a terabyte by June 1st, regardless of the speed," Comcast's announcement today said. The reason for the change? Customers are exceeding the 300GB cap. In late 2013, Comcast said only 2 percent of its customers used more than 300GB of data a month. That number was up to 8 percent in late 2015.

Reader MarkWhittington writes: SpaceX has announced that it intends to send a version of its Dragon spacecraft, called "Red Dragon," to Mars as early as 2018. The mission, to be launched on top of a Falcon Heavy rocket, would be the first to another planet conducted by a commercial enterprise. The flight of the Red Dragon would be the beginning of SpaceX CEO Elon Musk's long-term dream of building a settlement on Mars.Ars Technica reports: According to the company, these initial test missions will help demonstrate the technologies needed to land large payloads propulsively on Mars. This series of missions, to be launched on the company's not-yet-completed Falcon Heavy rocket, will provide key data for SpaceX as the company develops an overall plan to send humans to the Red Planet to colonize Mars. One of the biggest challenges in landing on Mars is the fact that its atmosphere is so thin it provides little braking capacity. To land the 900kg Curiosity rover on Mars, NASA had to devise the complicated sky crane system that led to its "Seven Minutes of Terror." A Dragon would weigh much more, perhaps about 6,000kg. To solve this problem, SpaceX plans to use an upgraded spacecraft, a Dragon2 powered by eight SuperDraco engines, to land using propulsion.

Dan Goodin, reporting for Ars Technica: In less than two months, online businesses have paid more than $100,000 to scammers who set up a fake distributed denial-of-service (DDoS) gang that has yet to launch a single attack. The charlatans sent businesses around the globe extortion e-mails threatening debilitating DDoS attacks unless the recipients paid as much as $23,000 by Bitcoin in protection money, according to a blog post published Monday by CloudFlare, a service that helps protect businesses from such attacks. Stealing the name of an established gang that was well known for waging such extortion rackets, the scammers called themselves the Armada Collective.An excerpt from CloudFlare blog post:Given that the attackers can't tell who has paid the extortion fee and who has not, it is perhaps not surprising to learn that they appear to treat all victims the same: attacking none of them. To date, we've not seen a single attack launched against a threatened organization. This is in spite of nearly all of the threatened organizations we're aware of not paying the extortion fee. We've compared notes with fellow DDoS mitigation vendors and none of them have seen any attacks launched since March against organizations that have received Armada Collective threats.

An anonymous reader points us to an Ars Technica report: For the most part, we think of rising levels of carbon dioxide as an environmental problem. But atmospheric CO2 can also boost agricultural productivity by helping plants grow. How do these potential issues balance out? In an investigation recently published in Nature Climate Change, scientists have looked into the global implications of carbon dioxide's ability to enhance agricultural productivity. Increased levels of CO2 can enhance photosynthesis and reduce leaf-level transpiration, the process by which some of the water that plants draw from the ground gets released back into the atmosphere. These changes can reduce growing seasons and water loss. The result could be an increase in what's called "crop water productivity," i.e. the amount of food produced for each unit of water expended. If elevated CO2 levels increase crop yield and reduce water consumption at large scales, this could help ensure water and food security despite the climate disruptions. By combining data from a massive network of field experiments and global crop models, the scientists claimed that depending on the crop type, global crop water productivity will increase by 10 to 27 percent by the 2080s. Arid regions exhibited large increases that were based on crop type.

Dan Goodin, reporting for Ars Technica: An ongoing drive-by attack is forcing ransomware onto Android smartphones by exploiting critical vulnerabilities in older versions of Google's mobile operating system still in use by millions of people, according to research scheduled to be published Monday. The attack combines exploits for at least two critical vulnerabilities contained in Android versions 4.0 through 4.3, including an exploit known as Towelroot, which gives attackers unfettered "root" access to vulnerable phones. The exploit code appears to borrow heavily from, if not copy outright, some of these Android attack scripts, which leaked to the world following the embarrassing breach of Italy-based Hacking Team in July. Additional data indicates devices running Android 4.4 may also be infected, possibly by exploiting a different set of vulnerabilities.Blue Coat, a California-based provider of security and networking solutions writes: This is the first time, to my knowledge; an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim. During the attack, the device did not display the normal "application permissions" dialog box that typically precedes installation of an Android application. After consulting with analyst Joshua Drake of Zimperium, he was able to confirm that the Javascript used to initiate the attack contains an exploit against libxslt that was leaked during the Hacking Team breach. Drake also confirmed that the payload of that exploit, a Linux ELF executable named module.so, contains the code for the "futex" or "Towelroot" exploit that was first disclosed at the end of 2014.

Dan Goodin, reporting for Ars Technica: An ongoing drive-by attack is forcing ransomware onto Android smartphones by exploiting critical vulnerabilities in older versions of Google's mobile operating system still in use by millions of people, according to research scheduled to be published Monday. The attack combines exploits for at least two critical vulnerabilities contained in Android versions 4.0 through 4.3, including an exploit known as Towelroot, which gives attackers unfettered "root" access to vulnerable phones. The exploit code appears to borrow heavily from, if not copy outright, some of these Android attack scripts, which leaked to the world following the embarrassing breach of Italy-based Hacking Team in July. Additional data indicates devices running Android 4.4 may also be infected, possibly by exploiting a different set of vulnerabilities.Blue Coat, a California-based provider of security and networking solutions writes: This is the first time, to my knowledge; an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim. During the attack, the device did not display the normal "application permissions" dialog box that typically precedes installation of an Android application. After consulting with analyst Joshua Drake of Zimperium, he was able to confirm that the Javascript used to initiate the attack contains an exploit against libxslt that was leaked during the Hacking Team breach. Drake also confirmed that the payload of that exploit, a Linux ELF executable named module.so, contains the code for the "futex" or "Towelroot" exploit that was first disclosed at the end of 2014.

The Wall Street Journal reported late last year that Google plans to merge Chrome OS and Android. The search giant, at the time, had refuted such claims while adding that it continues to work on "bringing together" the best of both operating systems. It appears, one such step is adding the Google Play (Android's marquee app store) to Chrome OS. Several users are reporting that they have seen an option -- "Enable Android apps to run on your Chromebook" -- which would understandably allow them to run mobile apps on the desktop platform. Unfortunately, the feature isn't working just yet. Bolstering this theory is another such instance in the source code, which says "over a million apps and games on Google Play" will be made available to Chromebook users.

A report on Ars Technica speculates this move as the demise of Chrome Web Store, the marketplace for extensions and themes for Chrome, which hasn't received any significant improvement or feature in years. At any rate, the timing of this discovery is interesting as Google's developer conference -- I/O -- is just around the corner (May 18-22).

The UK's intelligence agencies such as MI5, MI6, and GCHQ have been collecting personal information from citizens who are "unlikely to be of intelligence or security interest" since the 1990s, a thousand pages of documents published on Thursday revealed. The documents were published as a result of a lawsuit filed by Privacy International, a UK-based registered charity that defends and promotes the right to privacy across the world. According to the documents, GCHQ and others have been collecting bulk personal data sets since 1998 under the provisions of section 94 of the Telecommunications Act 1984. J.M. Porup, reports for Ars Technica: These records can be "anything from your private medical records, your correspondence with your doctor or lawyer, even what petitions you have signed, your financial data, and commercial activities," Privacy International legal officer Millie Graham Wood said in a statement. "The information revealed by this disclosure shows the staggering extent to which the intelligence agencies hoover up our data." Nor, it seems, are BPDs only being used to investigate terrorism and serious crime; they can and are used to protect Britain's "economic well-being" -- including preventing pirate copies of Harry Potter books from leaking before their release date. The so-called "Bulk Personal Datasets," or BPDs are so powerful, in fact, that the normally toothless UK parliament watchdog that oversees intelligence gathering, the Intelligence and Security Committee (ISC), recommended in February that "Class Bulk Personal Dataset warrants are removed from the new legislation." These data sets are so large and collect so much information so indiscriminately that they even include information on dead people.

An anonymous reader quotes a report from Ars Technica: A study published Tuesday in Environmental Science and Technology is the first to validate the long-held suspicion that pharmaceuticals may get trapped in infinite pee-to-food-to-pee loops, exposing consumers to drug doses with unknown health effects. In a randomized, single-blind pilot study, researchers found that anti-convulsive epilepsy drug carbamazepine, which is released in urine, can accumulate in crops irrigated with recycled water -- treated sewage -- and end up in the urine of produce-eaters not on the drugs. While the amounts of the drug in produce-eater's pee were four orders of magnitude lower than what is seen in the pee of patients purposefully taking the drugs, researchers speculate that the trace amounts could still have health effects in some people, such as those with a genetic sensitivity to the drugs, pregnant women, children, and those who eat a lot of produce, such as vegetarians. And with the growing practice of reclaiming wastewater for crop irrigation -- particularly in places that face water shortages such as California, Israel, and Spain --- the produce contamination could become more common and more potent, the authors argue.

An anonymous reader cites an article on USA Today: The new chip-enabled cards flowing into the U.S. marketplace have already made a dent in fraud, with some of the biggest merchants seeing a dip of more than 18% in counterfeit transactions, according to Visa. Among the 25 merchants who were suffering the most instances of counterfeit fraud at the end of 2014, five that began processing credit and debit cards equipped with the new EMV technology saw those infractions fall 18.3% as of the final quarter of 2015, says Stephanie Ericksen, vice president of risk products at Visa. Meanwhile, five of those merchants who were not yet equipped to handle chip-enabled cards saw an increase in fraudulent transactions of 11.4%. "We're seeing EMV is having a positive impact on counterfeit fraud," Ericksen says. "Merchants who implement chip, their counterfeit fraud is going down, while those still finalizing plans, their counterfeit fraud is going up."Also from the report, "Visa on Tuesday also announced a software upgrade that will shave the amount of time spent on chip card transactions. With 'Quick Chip,' consumers can dip their chip cards into the terminal and withdraw it in two seconds or less, instead of waiting until their purchase is authorized. The consumer can 'put the card in the terminal and put it right back in your wallet and . . . move to get their coffee, or hamburger or start bagging their groceries,' Ericksen says. Ars Technica has more details.

Reader rudy_wayne writes: A person who was using Venmo, an app that allows people to send money to each other via their phones, sent $42 to repay a friend, and jokingly labelled it "ISIS Beer Fund". He immediately got an e-mail from Venmo questioning the purpose of the money. Although he tried to explain "The $42 was payment to a dear friend for two pitchers of Samuel Adams Boston Lager" he was informed "Due to OFAC regulations, we are not allowed to give the funds back to you or issue a refund." The Treasury Department's Office of Foreign Assets Control is a 54-year-old institution, quietly working to keep money out of the hands of America's enemies.From the report, "It turns out -- shockingly -- this isn't the first time someone's Venmo transaction was cut off at the knees with a reference to subjects that are a matter of national security. Venmo won't explicitly say what words will trigger blockage, Gawker pointed out in October.

An anonymous reader writes: Buzzfeed is reporting that "An online merchant has accused the Bernie Sanders campaign of 'trademark bullying'. after a Bernie 2016, Inc. attorney sent him a cease and desist letter regarding t-shirts, mugs, and sweatshirts depicting the candidate with historic communist leaders..." The t-shirt's designer tells Buzzfeed "He didn't seem to be the type of candidate, the type of guy, who would do something like this... I would think Bernie, or one of his staff members will step in and put an end to it. It appears to be pretty silly."
In January Ars Technica reported that lawyers for the Sanders campaign had demanded their logo be removed from pages on Wikipedia -- before later withdrawing that DMCA notice.

An anonymous reader cites an article on Ars Technica: More than 3 million Internet-accessible servers are at risk of being infected with crypto ransomware because they're running vulnerable software, including out-of-date versions of Red Hat's JBoss enterprise application, researchers from Cisco Systems said Friday. About 2,100 of those servers have already been compromised by webshells that give attackers persistent control over the machines, making it possible for them to be infected at any time, the Cisco researchers reported in a blog post. The compromised servers are connected to about 1,600 different IP addresses belonging to schools, governments, aviation companies, and other types of organizations. Some of the compromised servers belonged to school districts that were running the Destiny management system that many school libraries use to keep track of books and other assets. Cisco representatives notified officials at Destiny developer Follett Learning of the compromise, and the Follett officials said they fixed a security vulnerability in the program. Follett also told Cisco the updated Destiny software also scans computers for signs of infection and removes any identified backdoors.

WheezyJoe writes: A court in Nebraska has officially ruled that Pastafarianism is not a real religion, and therefore a prison inmate with "several tattoos proclaiming his faith" will not get $5 million or privileges to order and wear religious clothing and pendants, nor meet for weekly worship services and classes and receive communion. The Federal judge ruled that The Gospel of the Flying Spaghetti Monster is not a "real" religion eligible for protection under the First Amendment...

In ruling against the inmate and the church of Pastafarianism, the judge wrote "there must be a line beyond which a practice is not 'religious' simply because a plaintiff labels it as such... A prisoner could just as easily read the works of Vonnegut or Heinlein and claim it as his holy book, and demand accommodation of Bokononism or the Church of All Worlds [citing Kurt Vonnegut's Cat's Cradle and Robert A. Heinlein's Stranger in a Strange Land]. The Flying Spaghetti Monster Gospel is plainly a work of satire, meant to entertain while making a pointed political statement," and thus not a "real" religion.

An anonymous cites an article on Ars Technica: Two security researchers have published research exposing the potential privacy problems connected to using Web address shortening services. When used to share data protected by credentials included in the Web address associated with the content, these services could allow an attacker to gain access to data simply by searching through the entire address space for a URL-shortening service (PDF) in search of content, because of how predictable and short those addresses are. Both Microsoft and Google have offered URL shortening services embedded in various cloud services. Microsoft included the 1drv.ms URL shortening service in its OneDrive cloud storage service and a similar service (binged.it) for Bing Maps -- "branded" domains of the bit.ly domain shortening service. Microsoft has stopped offering the OneDrive embedded shortener, but existing URLs are still accessible. Google Maps has an embedded a tool that creates URLs with the goo.gl domain. Vitaly Shmatikov of Cornell Tech and visiting researcher Martin Georgiev conducted an 18-month study in which they focused on OneDrive and Google Maps. "We did not perform a comprehensive scan of all short URLs (as our analysis shows, such a scan would have been within the capabilities of a more powerful adversary)," Shmatikov wrote in a blog post today, "but we sampled enough to discover interesting information and draw important conclusions." One of those conclusions was that Microsoft's OneDrive shortened URLs were entirely too easy to traverse.

MarkWhittington quotes a report from Blasting News: Elon Musk and the people at SpaceX are rightly basking in the afterglow of finally landing the first stage of the Falcon 9 rocket on a drone barge in the Atlantic. The same flight delivered an expandable module built by Bigelow Aerospace to the International Space Station. But, as Ars Technica points out, the launch, landing, and arrival at the space station would not have taken place had it not been for the generosity of NASA. George W. Bush began the Commercial Orbital Transportation Services (COTS) program, which commercialized first cargo and then crew flights to and from the ISS. Four years later, SpaceX, having endured a number of launch failures of its small Falcon 1 rocket, was running out of cash. They were teetering on the brink of financial ruin as they were trying to develop a much larger and more complex Falcon 9 that would compete with more established launch vehicles such as the Atlas 5 and the Delta 4. Then NASA announced the initial contracts for COTS cargo flights. SpaceXâ(TM)s share was $1.6 billion. The NASA contract saved the company and allowed it to press on with building the Falcon 9 and the Dragon and then successfully compete for the Commercial Crew contracts.

An anonymous reader writes: Cellebrite, the company many believe helped the FBI crack into the iPhone 5c belonging to a San Bernardino terrorist, is developing a roadside "textalyzer" device to help law enforcement determine whether someone involved in a motor vehicle accident was unlawfully driving while distracted. As reported from Ars Technica: "Under the first-of-its-kind legislation proposed in New York, drivers involved in accidents would have to submit their phone to roadside testing from a textalyzer to determine whether the driver was using a mobile phone ahead of a crash." The textalyzer allegedly would keep conversations, contacts, numbers, photos, and application data private in an effort to get around the Fourth Amendment right to privacy. "Cellebrite has been leading the adoption of field mobile forensics solutions by law enforcement for years, culminating in the formal introduction of our UFED FIELD series product line a year ago," Jim Grady, Cellebrite's CEO, said in a statement. "We look forward to supporting DORCs and law enforcement -- both in New York and nationally to curb distracted driving."

An anonymous reader shares an article on Ars Technica: A botnet that enslaved about 4,000 Linux computers and caused them to blast the Internet with spam for more than a year has finally been shut down. Sophisticated Mumblehard spamming malware flew under the radar for five years. Known as Mumblehard, the botnet was the product of highly skilled developers. It used a custom "packer" to conceal the Perl-based source code that made it run, a backdoor that gave attackers persistent access, and a mail daemon that was able to send large volumes of spam. Command servers that coordinated the compromised machines' operations could also send messages to Spamhaus requesting the delisting of any Mumblehard-based IP addresses that sneaked into the real-time composite blocking list, or CBL, maintained by the anti-spam service. "There was a script automatically monitoring the CBL for the IP addresses of all the spam-bots," researchers from security firm Eset wrote in a blog post published Thursday. "If one was found to be blacklisted, this script requested the delisting of the IP address. Such requests are protected with a CAPTCHA to avoid automation, but OCR (or an external service if OCR didn't work) was used to break the protection."

An anonymous reader shares an article on Ars Technica: A botnet that enslaved about 4,000 Linux computers and caused them to blast the Internet with spam for more than a year has finally been shut down. Sophisticated Mumblehard spamming malware flew under the radar for five years. Known as Mumblehard, the botnet was the product of highly skilled developers. It used a custom "packer" to conceal the Perl-based source code that made it run, a backdoor that gave attackers persistent access, and a mail daemon that was able to send large volumes of spam. Command servers that coordinated the compromised machines' operations could also send messages to Spamhaus requesting the delisting of any Mumblehard-based IP addresses that sneaked into the real-time composite blocking list, or CBL, maintained by the anti-spam service. "There was a script automatically monitoring the CBL for the IP addresses of all the spam-bots," researchers from security firm Eset wrote in a blog post published Thursday. "If one was found to be blacklisted, this script requested the delisting of the IP address. Such requests are protected with a CAPTCHA to avoid automation, but OCR (or an external service if OCR didn't work) was used to break the protection."

An anonymous reader writes: Security researchers claim that NoScript and other popular Firefox add-on extensions are exposing millions of end users to a new type of vulnerability which, if exploited, can allow an attacker to execute malicious code and steal sensitive data. The vulnerability resides in the way Firefox extensions interact with each other. From a report on SlashGear, "The problem is that these extensions do not run sandboxed and are able to actually access data or functions from other extensions that are also enabled. This could mean, for example, that a malware masquerading as an add-on can access the functionality of one add-on to get access to system files or the ability of another add-on to redirect users to a certain web page, usually a phishing scam page. In the eyes of Mozilla's automated security checks, the devious add-on is blameless as it does nothing out of the ordinary." Firefox's VP of Product acknowledged the existence of the aforementioned vulnerability. "Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security. The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia. As part of our electrolysis initiative -- our project to introduce multi-process architecture to Firefox later this year -- we will start to sandbox Firefox extensions so that they cannot share code."

An anonymous reader writes: Oculus says in its privacy policy it will track information about your location, physical movements, and how you're using the Oculus Rift headset. Senator Al Franken, a consumer advocate who has made a point of pushing back against invasive privacy policies like Uber's, wrote a letter to Oculus CEO Brendan Iribe, pushing for more information about how, exactly, Oculus is using all of the data it collects. "I believe Americans have a fundamental right to privacy," Franken wrote. "And that right includes an individual's access to information about what data are being collected about them, how the data are being treated, and with whom the data are being shared." Oculus has not yet commented on the letter. As a result from Franken's letter, Oculus may offer a more detailed privacy policy, like what HTC has done for its Vive headset. Though, it's worth mentioning Oculus isn't collecting much more information than most technology companies. The biggest concern stems around what kind of information Facebook is collecting when the headset is not being used -- there's no off button, so it's always sitting in a semi-ready state.

An anonymous reader writes: Blizzard is threatening legal action against the popular "pirate" servers for World of Warcraft. The Nostalrius servers have been operating for nearly a year, running version 1.12 of the original World of Warcraft as it existed in 2006. Admins say that 800K registered accounts and 150K active players were working through quest progressions reproduced to precisely match the game of a decade ago. Nostalrius' team says its French hosting provider has been issued a formal letter asking it to shut down the servers or face a potential copyright infringement lawsuit as hosting private servers is explicitly against Blizzard's Terms of Use. Blizzard says the rule "isn't an issue because of 'lost' subscription fees from players choosing these illegitimate servers over the real WoW servers -- it simply boils down to the fact that private servers are illegal, and that's that." Nostalrius' servers will be shut down on April 10, but the team says it "will still be publicly providing everything needed in order to setup your own 'Nostalrius' if you are willing to."

An anonymous reader quotes a report from Ars Technica: Researchers report Tuesday that they were able to keep pig hearts alive and beating in the abdomens of five baboons for record amounts of time -- a median of 298 days and a max of 945 days. Previous benchmarks were set at a median of 180 and a max of 500 days, respectively. Currently in the US, 22 people die every day just waiting for organs, which are in constant short supply. To help solve the problem, researchers turned to pigs years ago to see if they could lend useful organs or at least provide temporary "bridge" tissue to those on wait-lists. Pigs were a good fit mainly because their organs' sizes are similar to that of human's. In early studies, successful survival time in pig-to-primate transplants, generally called xenotransplants, were measured in minutes. The swine substitutes naturally have a molecular marker, called alpha 1-3-galactosyltransferase (gal), which triggers deadly blood clots in primates. In the new study, researchers at the National Institutes of Health and colleagues, tweaked the approach; they engineered the gal-knock out pigs to have extra anti-clotting genetic features and used an antibody to selectively shut down the part of the primate's immune system that responds to pig organs. To avoid needlessly killing the baboons and doing extensive surgery, the researchers opted to transplant the pig hearts into the baboon's abdomens, leaving the primates' hearts in place. In the abdomen, the pig tickers hooked up to circulatory system and beat for a record-breaking amount of time.