Ars Technica

Democrats slam EPA head, want to understand his climate inquiry

Texas' Eddie Bernice Johnson. (credit: Getty Images/Tom Williams)

Lamar Smith, head of the House Committee on Science, Space, and Technology, has a penchant for releasing letters in which he complains about issues related to climate change. He has targeted everyone from state attorneys general who are investigating fossil fuel companies to NOAA scientists (and their e-mails).

But Eddie Bernice Johnson (D-Texas), the ranking Democrat on the committee, has released a letter or two herself, including one in which she sharply questioned whether Smith was appropriately overseeing scientific research. Now, Johnson and two other Democrats on the committee have turned their attention to Scott Pruitt, head of the Environmental Protection Agency. The subject? Pruitt's plan to have the EPA engage in a show debate over our understanding of climate science.

For the letter, Johnson was joined by Don Beyer (D-Va.) and Suzanne Bonamici (D-Ore.), fellow members of the Science Committee. The letter cites a Reuters report about Pruitt's idea of creating a "red team" with the goal of poking holes in our current scientific understanding of climate change. The letter notes that Pruitt has claimed that "there are lots of questions that have not been asked and answered" about climate change, though he hasn't clearly specified what those are.

Ars Technica

Zuckerberg and Musk are both wrong about AI

Enjoy your little squabbles. You foolish men know nothing about AI. (credit: Universal Pictures)

Back in 2015, a group of business leaders and scientists published an "open letter" about how controlling artificial superintelligence might be the most urgent task of the twenty-first century. Signed by luminaries like Elon Musk and Stephen Hawking, the letter has defined debates over AI in the years since. Bill Gates said in a Reddit AMA that he agrees with the letter. But, at last, there is a high-profile skeptic: Facebook giant Mark Zuckerberg, who has just come out strongly against the idea that AI is a threat to humanity.

At a backyard barbecue over the weekend, Zuckerberg fielded questions from Facebook Live. One asked about AI, and the social media mogul launched into a passionate rant:

I have pretty strong opinions on this. I am optimistic. I think you can build things and the world gets better. But with AI especially, I am really optimistic. And I think people who are naysayers and try to drum up these doomsday scenarios—I just, I don't understand it. It's really negative and in some ways I actually think it is pretty irresponsible.

In the next five to 10 years, AI is going to deliver so many improvements in the quality of our lives... Whenever I hear people saying AI is going to hurt people in the future, I think, "yeah, you know, technology can generally always be used for good and bad, and you need to be careful about how you build it, and you need to be careful about what you build and how it is going to be used."

But people who are arguing for slowing down the process of building AI, I just find that really questionable. I have a hard time wrapping my head around that.

Zuckerberg was clearly referring to Musk and Gates here, and he is trying to set himself up in the reasonable alternative position. He mentioned that AI is right on the cusp of improving healthcare with disease diagnosis and saving lives with self-driving cars that get into fewer accidents. Musk has already replied dismissively on Twitter, saying that Zuckerberg has little understanding of AI.

Ars Technica

Moto Z2 Force hands-on—Motorola bets the farm on Moto Mods, loses

Remember the Moto Z? The Lenovo-controlled redesign of Motorola's flagship smartphone bet the farm on a modular phone idea, and the modular system kind of sucked. The modules were expensive, only worked with brand-new Motorola smartphones, and didn't offer anything useful over a non-modular version of the same accessory. To limit the effect the bulky modules would have on the phone, Motorola slimmed the phone down as much as possible, resulting in the removal of the headphone jack. Motorola sacrificed a lot to make the modular phone idea work, but at the end of the day the modular system never delivered a compelling use case.

Motorola committed to the modular "Moto Mod" system for at least "two more generations" after the Moto Z, which doesn't leave the company much room to course correct. The "backpack" modular design demands an identical back shape to the Moto Z, with the same size camera bump and massive modular connector in the same place. So say hello to the Moto Z2 Force, the 2017 flagship for Motorola. It looks a lot like the Moto Z(1).

Ars Technica

What is the car industry’s problem with over-the-air software updates?

(credit: Aurich Lawson / Thinkstock)

General Motors has announced plans to offer over-the-air (OTA) software updates "before 2020." The company's CEO, Mary Barra, announced the plan on an analyst call on Tuesday. The capability will require the deployment of a new electric vehicle architecture and a new infotainment system. OTA updates are high on the tech-savvy car buyer's wishlist, but here in the US, most new cars are locked out of receiving them thanks to a legal and contractual landscape between the OEMs and their dealer networks that is highly beneficial to the latter.

It's not a technical issue; companies like Harman and others have the right systems to push out OTA updates to vehicles; the OEMs just aren't allowed to deploy them.

Boiled down to its essence, OEMs can't offer existing customers new features for their vehicles without the car dealerships getting their cut. This is in contrast to Tesla, which has done much to highlight the utility of OTA updates.

Ars Technica

Study: US is slipping toward measles being endemic once again

Child with a classic four-day rash from measles. (credit: CDC)

With firm vaccination campaigns, the US eliminated measles in 2000. The highly infectious virus was no longer constantly present in the country—no longer endemic. Since then, measles has only popped up when travelers carried it in, spurring mostly small outbreaks—ranging from a few dozen to a few hundred cases each year—that then fizzle out.

But all that may be about to change. With the rise of non-medical vaccine exemptions and delays, the country is backsliding toward endemic measles, Stanford and Baylor College of Medicine researchers warn this week. With extensive disease modeling, the researchers make clear just how close we are to seeing explosive, perhaps unshakeable, outbreaks.

According to results the researchers published in JAMA Pediatrics, a mere five-percent slip in measles-mumps-and-rubella (MMR) vaccination rates among kids aged two to 11 would triple measles cases in this age group and cost $2.1 million in public healthcare costs. And that’s just a small slice of the disease transmission outlook. Kids two to 11 years old only make up about 30 percent of the measles cases in current outbreaks. The number of cases would be much larger if the researchers had sufficient data to model the social mixing and immunization status of adults, teens, and infants under two.

Ars Technica

Matt Groening’s first Netflix series will go all Futurama on Game of Thrones

Seems like the most appropriate use of this modified meme ever. (credit: Know Your Meme)

We don't often get buzzy about a new Netflix series announcement, especially one without any teaser footage, but Tuesday's Netflix news shook up the perfect jar of nerd bees.

Simpsons/Futurama co-creator Matt Groening is the latest showrunner to join the online streaming platform, and he's bringing a substantial number of Futurama staffers and voice actors to a new project: Disenchantment, set to premiere in "2018." From what we're hearing, this will put the Groening-series spin on fantasy series like Game of Thrones and Lord of the Rings—meaning, equal parts mockery and reverence. Twenty episodes have been ordered, and they will premiere in 10-episode chunks.

A ton of Futurama voice actors are participating, including Billy West, John DiMaggio, Maurice LaMarche, and Tress MacNeille. The show as announced will revolve around a "hard-drinking young princess" named Bean, voiced by Broad City star Abbi Jacobson, and her primary companions will include a personal demon voiced by Adult Swim super-weirdo Eric Andre and an elf voiced by comedian Nat Faxon. Longtime Simpsons showrunner Josh Weinstein will join Groening as an executive producer, while Futurama animation company Rough Draft Studios is currently working on the new series. (That series' final episode aired on Comedy Central in 2013.)

Ars Technica

Get the NES Classic on ThinkGeek while you can [Updated: You can’t]

ThinkGeek

Update: The three bundles that cost $150 and under have sold out as of 3:37 pm Eastern time, roughly 12 minutes after they were first posted. Three other bundles priced at $169, $170, and $220 are still available.

Further update: All six bundles are out of stock as of 3:47 pm, just over 20 minutes after going up.

Ars Technica

Google tells judge: Don’t let Canada force us to alter US search results

(credit: Getty Images/Ulrich Baumgartgen)

Google is taking legal action in the US to stop Canada's Supreme Court from controlling its search results worldwide.

Last month, the Supreme Court of Canada ordered Google to remove links to webpages owned by a company called Datalink Technologies on all of its search websites, worldwide. Canadian courts had previously found that Datalink was illegally re-labeling products and infringing the intellectual property of a Vancouver tech firm called Equustek.

Yesterday, Google filed a lawsuit (PDF) in California, asking a judge to rule that the Canadian order is unenforceable in the US. Google lawyers argue that the order violates both the First Amendment and Section 230 of the Communications Decency Act, which prevents online platforms from being held responsible for most user behavior.

Ars Technica

Dealmaster: Lenovo Y700 Core i5 laptop for only $569, restocked AirPods, and other deals

Greetings, Arsians! Courtesy of our friends at TechBargains, we're back with a big new list of deals to share. Of note is the Lenovo Y700 gaming notebook, complete with a Core i5 processor, a 14-inch 1080p display, 4GB AMD R9 M375 GPU, 128GB SSD, and 1TB HDD, for just $569 (over $200 off its original price). Apple's AirPods are also back in stock, so now's your chance to get your hands on the popular wireless earbuds before they sell out again.

Check out the full list of deals below.

Ars Technica may earn compensation for sales from links on this post through affiliate programs.

Ars Technica

Toyota in “production engineering” for a solid state battery, WSJ says

A power cable sits in the charge point of a Toyota Motor Corp. FT-EV III concept electric vehicle on display during the China (Guangzhou) International Automobile Exhibition in Guangzhou, China, on Saturday, November 21, 2015. Photographer: Qilai Shen/Bloomberg via Getty Images. (credit: Bloomberg / Getty Images)

According to reports in The Wall Street Journal and Japan’s Chunichi Shimbun, Toyota is in the “production engineering” stage of building an electric vehicle (EV) battery with a solid electrolyte. Reports suggest the new battery will debut in Japan in a 2022 model-year car built on an all-new platform.

So-called “solid state” batteries have both solid electrodes and solid electrolytes. Solid-state batteries can be made smaller and lighter than the lithium-ion batteries that currently power electric vehicles, but engineering such a battery at an attractive price point for mass production has been a challenge. The Chunichi Shimbun reported that Toyota’s battery will be able to charge in a few minutes and have a long range, but the article did not list specifics.

A solid-state battery would also reduce the fire risk that comes with lithium-ion batteries that use a liquid electrolyte. And, because the electrolyte wouldn’t be in danger of freezing, it could withstand a wider range of temperatures.

Ars Technica

India’s transport minister vows to ban self-driving cars to save jobs

Nitin Jairam Gadkari, minister of Road Transport, Highways and Shipping of India, at the India Economic Summit 2016 in New Delhi, India. Copyright by World Economic Forum / Benedikt von Loebell (credit: World Economic Forum)

Companies in the United States, Germany, Japan, and other countries are racing to develop self-driving cars. But India's top transportation regulator says that those cars won't be welcome on Indian streets any time soon.

"We won’t allow driverless cars in India," said Nitin Gadkari, India's minister for Road Transport, Highways, and Shipping, according to the Hindustan Times. "I am very clear on this. We won’t allow any technology that takes away jobs."

In recent years, new technology has mostly created jobs for drivers. In India, the leading ride-sharing services, Ola and Uber, completed 500 million rides in 2016, creating work for Indian drivers. But Uber's ultimate goal is to introduce fully self-driving cars that will make these driving jobs obsolete.

Ars Technica

The science of why eyewitness testimony is often wrong

(credit: Gramercy Pictures)

The advent of DNA testing has made it uncomfortably clear that our criminal justice system often gets things wrong. Things go wrong for a variety of reasons, but many of them touch on science, or rather the lack of a scientific foundation for a number of forensic techniques. But in 70 percent of the cases where DNA has overturned a conviction, it also contradicted the testimony of one or more eyewitnesses to the events at issue.

According to a new perspective published in PNAS, that shouldn't surprise us. The paper's author, Salk neuroscientist Thomas Albright, argues that we've learned a lot about how humans perceive the world, process information, and hold on to memories. And a lot of it indicates that we shouldn't value eyewitness testimony as much as we do. Still, Albright offers some suggestions about how we can tailor the investigative process to compensate a bit for human limitations.

Persistence of memory

Albright has some history in this area, as he co-chaired a study group at the National Academies of Science on the topic. His new perspective is largely a summary of the report that resulted from the group, and it's an important reminder that we have sound, evidence-based recommendations for improving the criminal justice system. Failure to implement them several years after the report is problematic.

Ars Technica

Adobe ending Flash support at the end of 2020

(credit: Aurich / Thinkstock)

Back in 2012, Adobe recognized that Flash's end was near, with a five- to 10-year timeframe for its eventual phasing out. Today, the company got specific: Flash will be supported through to the end of 2020, after which the Flash player will cease to be developed and distributed.

In the early days of the Web, Flash served an essential role, offering graphical and interactive capabilities that simply had no equivalent in plain HTML and JavaScript. Since then, a raft of technologies—canvas for 2D graphics, WebGL for 3D graphics, HTML5's video and audio tags, JavaScript interfaces for microphones and webcams, among others—have piece by piece eliminated the need for Flash. With, most recently, support for DRM-protected video being incorporated into HTML5, the need for Flash is largely eliminated.

As such, Adobe, together with Apple, Facebook, Google, Microsoft, and Mozilla, has planned to end-of-life the browser plugin. The plugin will be fully supported and maintained until the end of 2020, with browsers such as Chrome and Edge continuing to embed and patch the plugin. Adobe also says that in "certain [unspecified] geographies" it will move to end the support and use of the plugin more aggressively, due to widespread use of outdated versions of the software.

Security Week

Adobe to Kill Flash Player, End Support by 2020

[Breaking] Adobe on Tuesday said that it would kill its Flash Player and stop providing security updates by the end of 2020.

Security Week

IBM Launches Security Testing Services For Cars, IoT

IBM Security announced on Monday that the services provided by its X-Force Red penetration testing group have been expanded to include connected vehicles and Internet of Things (IoT) devices.

Ars Technica

Net neutrality faceoff: Congress summons ISPs and websites to hearing

Netflix took an active role in fighting for net neutrality rules in 2014. (credit: Yuri Victor)

The biggest websites and the biggest Internet service providers are being summoned to Congress to testify about net neutrality.

US Rep. Greg Walden (R-Ore.), chair of the House Energy and Commerce Committee, said he is scheduling a full committee hearing titled, "Ground rules for the Internet ecosystem," for September 7.

"Today I'm sending formal invitations to the top executives of the leading technology companies including Facebook, Alphabet, Amazon, and Netflix, as well as broadband providers including Comcast, AT&T, Verizon, and Charter Communications, inviting each of them to come and testify before our full Energy and Commerce Committee," Walden said during a Federal Communications Commission oversight hearing this morning.

Krebs on Security

How a Citadel Trojan Developer Got Busted

A U.S. District Court judge in Atlanta last week handed a five-year prison sentence to Mark Vartanyan, a Russian hacker who helped develop and sell the once infamous and widespread Citadel banking trojan. This fact has been reported by countless media outlets, but far less well known is the fascinating backstory about how Vartanyan got caught.

For several years, Citadel ruled the malware scene for criminals engaged in stealing online banking passwords and emptying bank accounts. U.S. prosecutors say Citadel infected more than 11 million computers worldwide, causing financial losses of at least a half billion dollars.

Like most complex banking trojans, Citadel was marketed and sold in secluded, underground cybercrime markets. Often the most time-consuming and costly aspect of malware sales and development is helping customers with any tech support problems they may have in using the crimeware.

In light of that, one innovation that Citadel brought to the table was to crowdsource some of this support work, easing the burden on the malware’s developers and freeing them up to spend more time improving their creations and adding new features.

Citadel users discuss the merits of including a module to remove other parasites from host PCs.

Citadel boasted an online tech support system for customers designed to let them file bug reports, suggest and vote on new features in upcoming malware versions, and track trouble tickets that could be worked on by the malware developers and fellow Citadel users alike. Citadel customers also could use the system to chat and compare notes with fellow users of the malware.

It was this very interactive nature of Citadel’s support infrastructure that FBI agents would ultimately use to locate and identify Vartanyan, who went by the nickname “Kolypto.” The nickname of the core seller of Citadel was “Aquabox,” and the FBI was keen to identify Aquabox and any programmers he’d hired to help develop Citadel.

In June 2012, FBI agents bought several licenses of Citadel from Aquabox, and soon the agents were suggesting tweaks to the malware that they could use to their advantage. Posing as an active user of the malware, FBI agents informed the Citadel developers that they’d discovered a security vulnerability in the Web-based interface that Citadel customers used to keep track of and collect passwords from infected systems (see screenshot below).

A screenshot of the Web-based Citadel botnet control panel.

Aquabox took the bait, and asked the FBI agents to upload a screen shot of the bug they’d found. As noted in this September 2015 story, the FBI agents uploaded the image to file-sharing giant Sendspace.com and then subpoenaed the logs from Sendspace to learn the Internet address of the user that later viewed and downloaded the file.

The IP address came back as the same one they had previously tied to Aquabox. The other address that accessed the file was in Ukraine and tied to Vartanyan. Prosecutors said Vartanyan’s address soon after was seen uploading to Sendspace a patched version of Citadel that supposedly fixed the vulnerability identified by the agents posing as Citadel users.

Mark Vartanyan. Source: Twitter.

“In the period August 2012 to January 2013, there were in total 48 files uploaded from Mark's IP to Sendspace,” reads a story in the Norwegian daily VG that KrebsOnSecurity had translated into English here (PDF). “Those files were downloaded by ‘Aquabox’ with 2 IPs (193.105.134.50 and 149.154.155.81).”

Investigators would learn that Vartanyan was a Russian citizen who’d grown up in Ukraine. At the time of his arrest, Mark was living in Norway, which later extradited him to the United States for prosecution. In March 2017, Vartanyan pleaded guilty to one count of computer fraud, and was sentenced on July 19 to five years in federal prison.

Another Citadel developer, Dimitry Belorossov (a.k.a. “Rainerfox”), was arrested and sentenced in 2015 to four years and six months in prison after pleading guilty to distributing Citadel.

Early in its heyday, some text strings were added to the Citadel Trojan which named Yours Truly as the real author of Citadel (see screenshot below). While I obviously had no involvement in writing the trojan, I have written a great deal about its core victims — mainly dozens of small businesses here in the United States who saw their bank accounts drained of hundreds of thousands or millions of dollars after a Citadel infection.

A text string inside of the Citadel trojan. Source: AhnLab

Ars Technica

MAME devs are cracking open arcade chips to get around DRM

A look inside the circuitry of a "decapped" arcade chip. (credit: Caps0ff)

The community behind the Multiple Arcade Machine Emulator (MAME) has gone to great lengths to preserve thousands of arcade games run on hundreds of different chipsets through emulation over the years. That preservation effort has now grown to include the physical opening of DRM-protected chips in order to view the raw code written inside them—and it's an effort that could use your crowdsourced help.

While dumping the raw code from many arcade chips is a simple process, plenty of titles have remained undumped and unemulated because of digital-rights-management code that prevents the ROM files from being easily copied off of the base integrated circuit chips. For some of those protected chips, the decapping process can be used as a DRM workaround by literally removing the chip's "cap" with nitric acid and acetone.

With the underlying circuit paths exposed within the chip, there are a few potential ways to get at the raw code. For some chips, a bit of quick soldering to that exposed circuitry can allow for a dumped file that gets around any DRM further down the line. In the case of chips that use a non-rewritable Mask ROM, though, the decappers can actually look through a microscope (or high-resolution scan) to see the raw zeroes and ones that make up the otherwise protected ROM code.

Security Week

Bot vs Bot in Never-Ending Cycle of Improving Artificial Intelligence

Artificial intelligence, usually in the form of machine learning (ML), is infosecurity's current buzz. Many consider that it will be the savior of the internet, able to defeat hackers and malware by learning and responding to their behavior in all but real time.

Ars Technica

Pyre review: A brilliant reinvention of the term “fantasy sports”

(credit: Supergiant Games)

Role-playing games and sports video games have more in common than you think. Decades ago, series like Sensible World of Soccer and Tony La Russa Baseball (on PC, not console) filled their career modes with lots of money- and roster-management menus. Modern major-league games and soccer games like FIFA 17 have carried those traditions over, sporting enough card-slotting and story-driven career modes to make them a hat and a wizard robe away from being a full-blown adventure.

But what if a sports game went further with its RPG elements? What if it had a high-stakes, internal-drama story, where relationships between teammates—along with the winners and losers you confront along the way—affected everything from the storytelling to the number-crunching min-max possibilities? I invite the big dogs at EA Sports, 2K Games, and Sony San Diego to look at a tremendous example of that experiment: Pyre, out today from Supergiant Games.

Pyre is a departure from the top-down, world-roaming adventures of Supergiant's previous games Bastion and Transistor. It's definitely not a Zelda-like quest with gritty narration, but it does see Supergiant continuing its streak of taking an established genre and saying, "we're gonna build a helluva narrative and aesthetic world in there."

Ars Technica

A new deal could end Bitcoin’s long-running civil war

(credit: BTC Keychain)

The price of Bitcoin surged late last week as it became clear that a proposal to expand the Bitcoin network's capacity had the support it needed to go into effect. Supporters of the proposal hope that it will put an end to a two-year-old feud that has been tearing the Bitcoin community apart.

The core dispute is over how to accommodate the payment network's growing popularity. A hard-coded limit in Bitcoin software—1 megabyte per blockchain block—prevents the network from processing more than about seven transactions per second. The network started to bump up against this limit last year, resulting in slow transactions and soaring transaction fees.

Some prominent figures in the Bitcoin community saw an easy fix: just increase that 1MB limit. But Bitcoin traditionalists argued that the limit was actually a feature, not a bug. Keeping blocks small ensures that anyone can afford the computing power required to participate in Bitcoin's consensus-based process for authenticating Bitcoin transactions, preventing a few big companies from gaining de facto control over the network.

Security Week

CrowdStrike Launches Cybersecurity Search Engine

Cloud-based endpoint security firm CrowdStrike announced on Tuesday that it has expanded the capabilities of its Falcon platform by adding a powerful search engine.

Cert US

VU#838200: Telerik Web UI contains cryptographic weakness

Vulnerability Note VU#838200

Original Release date: 25 Jul 2017 | Last revised: 25 Jul 2017

Overview

The Telerik Web UI, versions R2 2017 (2017.2.503) and prior, is vulnerable to a cryptographic weakness which an attacker can exploit to extract encryption keys.

Description

CWE-326: Inadequate Encryption Strength - CVE-2017-9248

The Telerik.Web.UI.dll is vulnerable to a cryptographic weakness which allows the attacker to extract the Telerik.Web.UI.DialogParametersEncryptionKey and/or the MachineKey.
Versions R2 2017 (2017.2.503) and prior are vulnerable.

Impact

A remote, unauthenticated attacker could perform arbitrary file upload and downloads, cross-site scripting attacks, leak the MachineKey, or compromise the ASP.NET ViewState.
Software vendors who use Telerik web components may also be impacted.

Solution

Apply an update
Please see Telerik's support article for update information for specific versions.

The support article also provides information to those who are unable to update their software.

Vendor Information

Vendor       Status     Date Notified   Date Updated
DotNetNuke   Affected   -               18 Jul 2017
Telerik      Affected   -               19 Jul 2017

CVSS Metrics

Group           Score   Vector
Base            7.5     AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal        7.5     E:ND/RL:ND/RC:ND
Environmental   5.6     CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Credit

Telerik thanks Erlend Leiknes, security consultant at Mnemonic AS, and Thanh Van Tien Nguyen for reporting this vulnerability.

This document was written by Trent Novelly.

Other Information

  • CVE IDs: CVE-2017-9248
  • Date Public: 26 Jun 2017
  • Date First Published: 25 Jul 2017
  • Date Last Updated: 25 Jul 2017
  • Document Revision: 11

Ars Technica

The dramatic details of Steve Jobs’ life are playing out in a new opera

The Making of The (R)evolution of Steve Jobs, The Santa Fe Opera

Steve Jobs has been the subject of all kinds of art over the years, and now scenes from his life will play out on stage with powerful vocals in a new opera. The (R)evolution of Steve Jobs highlights the "complicated and messy" life of the Apple cofounder and is the product of a partnership between composer Mason Bates and librettist/Pulitzer Prize winner Mark Campbell.

Pairing something as contemporary as the story of Steve Jobs and Apple with a classical medium such as opera may seem like a mismatch. But Bates was convinced he and Campbell could produce a compelling opera focusing on a big theme of Jobs' life—his need to control everything and make a perfect product, in contrast with the inherent uncontrollable nature of life.

The (R)evolution of Steve Jobs isn't a simple story, and that's not just due to Jobs' complexities. The stage production is nonlinear, recreating 18 scenes that occurred at various times during Jobs' life and career. It features important characters that made Jobs who he was by the time he passed away in 2011, including business partner Steve Wozniak, his wife Laurene Powell, and Japanese priest Kobun Chino Otogawa, who helped guide Jobs' conversion to Buddhism.

Security Week

Ursnif Banking Trojan Gets Mouse-Based Anti-Sandboxing

Recently discovered variants of the Ursnif banking Trojan include anti-sandboxing features based on a combination of mouse position and file timestamps, while also attempting to steal data from the Thunderbird email client, Forcepoint security researchers reveal.

Linux Security

Fedora 26: subversion Security Update

LinuxSecurity.com: This update includes the latest stable release of _Apache Subversion_, version **1.9.6**.

### User-visible changes:

#### Client-side bugfixes:

* cp/mv: improve error message when target is an unversioned dir
* merge: reduce memory usage with large amounts of mergeinfo ([issue 4667](https://issues.apache.org/jira/browse/SVN-4667))

#### Server-side
Security Week

Iranian 'CopyKittens' Conduct Foreign Espionage

CopyKittens Iran cyberspies

Schneier on Security

Alternatives to Government-Mandated Encryption Backdoors

Policy essay: "Encryption Substitutes," by Andrew Keane Woods:

In this short essay, I make a few simple assumptions that bear mentioning at the outset. First, I assume that governments have good and legitimate reasons for getting access to personal data. These include things like controlling crime, fighting terrorism, and regulating territorial borders. Second, I assume that people have a right to expect privacy in their personal data. Therefore, policymakers should seek to satisfy both law enforcement and privacy concerns without unduly burdening one or the other. Of course, much of the debate over government access to data is about how to respect both of these assumptions. Different actors will make different trade-offs. My aim in this short essay is merely to show that regardless of where one draws this line -- whether one is more concerned with ensuring privacy of personal information or ensuring that the government has access to crucial evidence -- it would be shortsighted and counterproductive to draw that line with regard to one particular privacy technique and without regard to possible substitutes. The first part of the paper briefly characterizes the encryption debate two ways: first, as it is typically discussed, in stark, uncompromising terms; and second, as a subset of a broader problem. The second part summarizes several avenues available to law enforcement and intelligence agencies seeking access to data. The third part outlines the alternative avenues available to privacy-seekers. The availability of substitutes is relevant to the regulators but also to the regulated. If the encryption debate is one tool in a game of cat and mouse, the cat has other tools at his disposal to catch the mouse -- and the mouse has other tools to evade the cat. The fourth part offers some initial thoughts on implications for the privacy debate.

Blog post.

Security Week

Tech Firms Target Domains Used by Russia-linked Threat Group

Tech companies ThreatConnect and Microsoft are moving toward exposing and taking down domains associated with the Russia-linked threat group known as Fancy Bear.

Security Week

Georgian News Site Serves New Version of Old Mac Trojan

Researchers at security firm Volexity noticed that the website of a media organization based in the country of Georgia had been serving a new version of an old Mac Trojan to specific visitors.

Linux Security News

Linux file manager flaw leaves security "Bad Taste"

LinuxSecurity.com: A recently patched flaw in the Linux-based GNOME Files file manager has been discovered that could enable hackers to create malicious Windows-based MSI files which would run malicious VBScript code on Linux.
Linux Security News

Pathetic patching leaves over 70,000 Memcached servers still up for grabs

LinuxSecurity.com: If you're running the caching service Memcached, and particularly if you're exposing it to the public internet for some reason, please make sure you've patched it. Tens of thousands of vulnerable systems haven't.
Linux Security News

A Clever New Tool Shuts Down Ransomware Before It's Too Late

LinuxSecurity.com: In the last few months, waves of ransomware attacks have pummeled the world, disrupting not just businesses but also vital services like hospital care, energy infrastructure, and telecoms. Which means the research Andrea Continella and his team have pursued recently couldn't be better timed: A tool that detects ransomware automatically, almost instantly, and restores your system from backups before hackers can fully lock it down.
Security Week

ICS Networks Not Immune To Insider Threats

Organizations Need Specialized Monitoring and Control Technologies for ICS Networks 

Full Disclosure - Seclist

MEDHOST Connex contains hard-coded database credentials

Posted by Allen F on Jul 24

Overview
------------

MEDHOST Connex for all versions contains hard-coded credentials that are used for customer database access. This is a new vulnerability not related to CVE-2016-4328.

Description
------------

MEDHOST Connex contains hard-coded credentials that are used for customer database access. An attacker with knowledge of the hard-coded credentials and the ability to communicate directly with the database may be able to obtain or...
Full Disclosure - Seclist

Faraday v2.6: Collaborative Penetration Test and Vulnerability Management Platform

Posted by Francisco Amato on Jul 24

Faraday is the Integrated Multiuser Risk Environment you were looking
for! It maps and leverages all the knowledge you generate in real
time, letting you track and understand your audits. Our dashboard for
CISOs and managers uncovers the impact and risk being assessed by the
audit in real-time without the need for a single email. Developed with
a specialized set of functionalities that helps users improve their
own work, the main purpose is to...
Full Disclosure - Seclist

SSD Advisory – Nitro Pro PDF Multiple Vulnerabilities

Posted by Maor Shwartz on Jul 24

SSD Advisory – Nitro Pro PDF Multiple Vulnerabilities

Link: https://blogs.securiteam.com/index.php/archives/3251
Twitter: @SecuriTeam_SSD

*Vulnerabilities Summary*
The following advisory describes three vulnerabilities found in Nitro /
Nitro Pro PDF.

Nitro Pro is the PDF reader and editor that does everything you will ever
need to do with PDF files. The powerful but snappy editor lets you change
PDF documents with ease, and comes with a...
Full Disclosure - Seclist

CVE-2017-9457 CompuLab Intense PC lacks firmware signature validation

Posted by Hal Martin on Jul 24

Credits: Hal Martin
Website: watchmysys.com
Source: https://watchmysys.com/blog/2017/07/cve-2017-9457-compulab-intense-pc-lacks-firmware-validation/

Vendor:
====================
CompuLab (compulab.com)

Product:
====================
Intense PC / MintBox 2

Vulnerability type:
====================
Platform lacks signature verification and does not validate firmware update before flashing

CVE Reference:
====================
CVE-2017-9457...
Ars Technica

Trump voting commission wins right to collect state voter data

(credit: Keith Ivey)

A federal judge on Monday refused to block President Donald Trump's advisory panel from demanding that the states hand over their registered voters' full names, political affiliations, addresses, dates of birth, criminal records, the last four digits of their Social Security numbers, and other personal identifying information, including whether they voted in elections the past decade.

The Presidential Advisory Commission on Election Integrity, which wants to make the data public, has been met with stiff resistance, including from at least 44 states which say they cannot comply with the complete demand because laws in their individual states prohibit them from doing so.

But in a lawsuit from the Electronic Privacy Information Center (EPIC), which challenged the demand on privacy and other grounds, US District Judge Colleen Kollar-Kotelly of the District of Columbia said Trump's commission is exempt from the usual requirement that agencies consider privacy impacts of their new databases. She said the commission—which at Trump's urging wants to study voting irregularities such as whether dead people have been voting—is not an agency. Therefore, it is exempt from a 2002 law requiring a privacy impact statement for newly created government data systems.

Ars Technica

“Perverse” malware infecting hundreds of Macs remained undetected for years

(credit: Tim Malabuyo)

A mysterious piece of malware that gives attackers surreptitious control over webcams, keyboards, and other sensitive resources has been infecting Macs for at least five years. The infections—known to number nearly 400 and possibly much higher—remained undetected until recently and may have been active for almost a decade.

Patrick Wardle, a researcher with security firm Synack, said the malware is a variant of a malicious program that came to light in January after circulating for at least two years. Dubbed Fruitfly by some, both malware samples capture screenshots, keystrokes, webcam images, and information about each infected Mac. Both generations of Fruitfly also collect information about devices connected to the same network. After researchers from security firm Malwarebytes discovered the earlier Fruitfly variant infecting four Macs, Apple updated macOS to automatically detect the malware.

The variant found by Wardle, by contrast, has infected a much larger number of Macs while remaining undetected by both macOS and commercial antivirus products. After analyzing the new variant, Wardle was able to decrypt several backup domains that were hardcoded into the malware. To his surprise, the domains remained available. Within two days of registering one of the addresses, close to 400 infected Macs connected to the server, mostly from homes located in the United States. Although Wardle did nothing more than observe the IP address and user names of Macs that connected to his server, he had the ability to use the malware to spy on the users who were unwittingly infected.

Linux Security

Fedora 25: krb5 Security Update

LinuxSecurity.com: Fix CVE-2017-11368 (remotely triggerable assertion failure in krb5kdc)
Linux Security

Fedora 25: librsvg2 Security Update

LinuxSecurity.com: librsvg 2.40.18 release, fixing CVE-2017-11464 (division-by-zero in the Gaussian blur code). For details, see https://mail.gnome.org/archives/ftp-release-list/2017-July/msg00078.html
Linux Security

Fedora 25: GraphicsMagick Security Update

LinuxSecurity.com: Security fix for CVE-2017-11403
Linux Security

Fedora 25: yara Security Update

LinuxSecurity.com: bump to 3.6.3 release - bugfix CVE-2017-11328
Linux Security

Fedora 25: rubygem-rack-cors Security Update

LinuxSecurity.com: Security fix for CVE-2017-11173, new upstream version
Linux Security

Fedora 25: phpldapadmin Security Update

LinuxSecurity.com: Fix CVE-2017-11107 (#1471112)
Linux Security

Fedora 25: nodejs Security Update

LinuxSecurity.com: [Security update](https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/)
Ars Technica

TSA: United made false announcement about comic book luggage ban

(credit: Adi Chappo)

Don't worry, Comic-Con fans: you don't have to remove your comic books from your checked luggage, despite what a Sunday photo circulated on Twitter suggests.

The dust-up began after a person named Adi Chappo tweeted the above, tagging United Airlines, which responded on Twitter:

The restriction on checking comic books applies to all airlines operating out of San Diego this weekend and is set by the TSA. ^MD

— United (@united) July 23, 2017

But by Monday, the Transportation Security Administration was saying that no such restriction existed.

Linux Security

Ubuntu 3364-1: Linux kernel vulnerabilities

LinuxSecurity.com: Several security issues were fixed in the Linux kernel.
Full Disclosure - Seclist

SEC Consult SA-20170724-1 :: Open Redirect issue in multiple Ubiquiti Networks products

Posted by SEC Consult Vulnerability Lab on Jul 24

SEC Consult Vulnerability Lab Security Advisory < 20170724-1 >
=======================================================================
title: Open Redirect in Login Page
product: Multiple Ubiquiti Networks products, e.g.
TS-16-CARRIER, TS-5-POE, TS-8-PRO, AG-HP-2G16,
AG-HP-2G20, AG-HP-5G23, AG-HP-5G27, AirGrid M,
AirGrid M2, AirGrid M5, AR, AR-HP,...