Patreon was warned of serious website flaw 5 days before it was hacked

Results of a Shodan search performed on September 11 made it clear Patreon was vulnerable to code-execution attacks. (credit: Detectify)

Five days before Patreon.com officials said their donations website was plundered by hackers, researchers at a third-party security firm notified them that a serious programming error could lead to disastrous results. The researchers now believe the vulnerability was the entry point for attackers who went on to publish almost 15 gigabytes’ worth of source code, user password data, and private messages.

The error was nothing short of facepalm material. Patreon developers allowed a Web application tool known as the Werkzeug utility library to run on a public-facing subdomain. Specifically, according to researchers at Swedish security firm Detectify, one or more of Patreon’s live Web apps on zach.patreon.com was running Werkzeug debugging functions. A simple query on the Shodan search service brought the goof to the attention of Detectify researchers, who in turn notified Patreon officials on September 23. Adding to their concern, the same Shodan search shows thousands of other websites making the same game-over mistake.

Remote code execution by design

The reason for the alarm was clear. The Werkzeug debugger allows visitors to execute code of their choice from within the browser. Werkzeug developers have long been clear about this capability and the massive risks that stem from using it in production environments. But in case anyone missed the warning, an independent blogger called attention to the threat last December.
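The misconfiguration described above is a deployment-time decision: the Werkzeug interactive debugger is only safe when the server cannot be reached by anyone but the developer. The following is an added example, not Patreon's or the Werkzeug project's code, showing a startup guard a Flask/Werkzeug entrypoint can run before `app.run()` or `run_simple()`, plus an audit helper for checking your own live hosts for the two tell-tale signs (the `Server: Werkzeug/...` header of the development server and the "Werkzeug Debugger" page title). `FLASK_DEBUG` is the real Flask switch; `APP_ENV`, `check_debugger_exposure`, `audit_response` and the sample inputs are assumptions constructed for this example.

```python
"""Startup guard and audit helper against exposing the Werkzeug debugger.

Added example (not Patreon's or Werkzeug's code). Rule enforced: the
interactive debugger may only be enabled when the server is bound to a
loopback address, and never in a deployment marked as production.
"""
import ipaddress

TRUTHY = {"1", "true", "t", "yes", "on"}


class DebuggerExposedError(RuntimeError):
    """Raised when the interactive debugger would be reachable off-host."""


def _is_truthy(value):
    return value is not None and value.strip().lower() in TRUTHY


def check_debugger_exposure(bind_host, env):
    """Return True when it is safe to start; raise DebuggerExposedError otherwise.

    `env` is a mapping of environment variables. FLASK_DEBUG is the real Flask
    switch; APP_ENV is an assumed name standing in for whatever your deployment
    uses to mark production.
    """
    debug_on = _is_truthy(env.get("FLASK_DEBUG"))
    production = env.get("APP_ENV", "").lower() == "production"

    if not debug_on:
        return True  # debugger off: nothing to expose

    if production:
        raise DebuggerExposedError("FLASK_DEBUG is set in a production deployment")

    # Any non-loopback bind (0.0.0.0, ::, a LAN or public address) makes the
    # debugger console reachable from other hosts.
    try:
        loopback = ipaddress.ip_address(bind_host).is_loopback
    except ValueError:
        loopback = bind_host == "localhost"
    if not loopback:
        raise DebuggerExposedError(
            f"debugger enabled while bound to {bind_host!r}; "
            "bind to 127.0.0.1 or disable the debugger"
        )
    return True


def audit_response(headers, body):
    """Flag an HTTP response from one of your own hosts that reveals the
    development server or the debugger page. Returns a list of findings."""
    findings = []
    server = next((v for k, v in headers.items() if k.lower() == "server"), "")
    if server.startswith("Werkzeug/"):
        findings.append("werkzeug development server in use")
    if "Werkzeug Debugger" in body:
        findings.append("interactive debugger page served")
    return findings


if __name__ == "__main__":
    # Constructed inputs: the misconfiguration first, then hardened settings.
    try:
        check_debugger_exposure("0.0.0.0", {"FLASK_DEBUG": "1"})
    except DebuggerExposedError as exc:
        print("refused:", exc)
    print("ok:", check_debugger_exposure("127.0.0.1", {"FLASK_DEBUG": "1"}))
    print("ok:", check_debugger_exposure("0.0.0.0", {"APP_ENV": "production"}))
    # Constructed response resembling what an exposed debugger page returns.
    print(audit_response({"Server": "Werkzeug/1.0.1 Python/3.8.5"},
                         "<title>ZeroDivisionError // Werkzeug Debugger</title>"))
```

Call `check_debugger_exposure(host, os.environ)` immediately before `app.run(host=host)`; a failed check aborts startup instead of serving a code-execution console. The audit helper belongs in an internal inventory scan of hosts you operate, which is the same signal the Shodan search in the article picked up from the outside.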


Sprint continues decline, plans job cuts and cost cuts of $2.5 billion

(credit: Sprint)

Sprint’s place among the big four US wireless carriers continues to be a precarious one, with news reports saying the company now aims to reduce its number of employees and cut between $2 billion and $2.5 billion in costs over the next six months. A memo from Sprint management to staff said there will be a hiring freeze and “job reductions,” according to The Wall Street Journal.

Sprint announced days ago that it will skip a major auction of low-band spectrum, a decision that could push the company further behind its rivals. Sprint has licenses to more spectrum than any other carrier, but AT&T and Verizon control a large majority of low-band spectrum, which is ideal for providing coverage over long distances and indoors. T-Mobile says it intends to buy enough low-band spectrum to cover the entire nation; Sprint says it can improve coverage with its existing spectrum by increasing the number of cell towers.


Utility-scale solar costs down by half in last five years alone

Earlier this week, Lawrence Berkeley National Labs released a report on the state of utility-scale solar installations in the US. Just about everything in the report is remarkable for anyone who’s followed the solar market closely. Over the past five years, prices have dropped by half, while the capacity factors are approaching that of wind. As a result, the most recent installations are offering power at prices that are competitive with natural gas—not the cost of the plant and fuel, but the fuel alone.

In 2014, utility-scale solar projects added about 4GW of capacity to the US grid. Slightly more than 6GW of solar capacity was added in total, with the remainder split between commercial and residential installs. Due to the rapid drop in prices, the majority of this capacity is in the form of photovoltaic panels.

One of the issues with utility-scale solar has been that some of the earlier plants were built outside the Southwest. This has meant less overall generation and a lower capacity factor, meaning that the panels are only producing power at a fraction of their maximal rate. Both of these raise the cost of the electricity generated. But installations in the Southwest have boomed to over 90 percent of the total installed hardware, which has pushed capacity factors up and costs down. More recently, large projects have been getting more popular in the Southeast, which may change this dynamic in the future.


Los Angeles schools reach $6.4 million settlement with Apple, Lenovo

(credit: Brad Flickinger)

Last week, the Los Angeles Unified School District (LAUSD) reached a settlement with Apple and Lenovo over a conflict involving software from curriculum provider Pearson. Although the conflict involves Pearson and LAUSD primarily, the curriculum provider was a subcontractor under Apple and Lenovo, so the settlement is between the hardware companies and LAUSD, the Los Angeles Times reports. Apple has agreed to pay LAUSD $4.2 million for the Pearson curriculum, and Lenovo, which also charged the school district for Pearson curriculum, will give the school district $2.2 million in credit for its purchase of laptops.

Last year, LAUSD halted the $1.3 billion project to give every student in the massive district an iPad loaded with Pearson’s educational material. The about-face was announced after the Los Angeles Times reported that there had been improprieties in the bidding process for the contract with the school district. In December, the FBI opened an investigation into the iPad program and seized 20 boxes of documents from the LAUSD, just as the school district’s superintendent resigned. Four months later, LAUSD said it would no longer accept shipments of Pearson’s curriculum, and it added that it wanted a “multi-million dollar refund” for copies of Pearson’s software that had already been delivered.


Windows 10 will soon be more environmentally friendly with updated dialog box

Gone, but not forgotten.

For the longest time, one of the things that people liked to poke fun at in Windows was a dialog box used to add fonts to the system. The rarely used dialog used Windows 3.1-era icons and fonts, even in Windows Vista, making it a weird anachronism. Microsoft tidied up that bit of Windows legacy in Windows 7 by removing the box entirely, but other relics remain.

One of the most annoying is the environment variables dialog. This box hasn’t been updated for what feels like millennia, and it’s cramped and awkward to use as a result. Environment variables can be lengthy, and they almost never fit in the current dialog. This is particularly acute for one of the most important variables, PATH. The PATH variable stores the names of all the directories that the system should search when hunting for executables, and many applications and development tools like to add their directories to the PATH. It quickly gets unwieldy.

The current annoying dialog.

And unlike the add font dialog, which people only ever looked at just to point and laugh—it was rarely used to actually install fonts—the environment variables box is actually useful, as it’s the easiest and best way of changing Windows environment variables.


Backblaze to sell cloud storage for a quarter the price of Azure, Amazon S3

Online backup provider Backblaze is branching out today with a new business: an infrastructure-as-a-service-style cloud storage API that’s going head to head with Amazon’s S3, Microsoft’s Azure, and Google Cloud Storage. But where those services charge 2¢ or more per gigabyte per month, Backblaze is pricing its service at just half a cent per gigabyte per month.

Backblaze’s business is cheap storage. We’ve written about the company’s hard disk reliability data a few times over the years; the company has found that regular consumer hard drives are more than up to the demands of providing cloud storage, though there is substantial variation between the different manufacturers and models. Backblaze has designed (and documented) its storage hardware for the lowest possible cost, using software to provide the necessary protection against failures. It currently has more than 150 petabytes of storage. This low-cost storage means that the company can offer its $5/month unlimited size backup plan profitably.

Now the company plans to sell that same cheap storage to developers. Its new B2 product is very much in the same vein as Amazon’s S3: cloud storage with an API that can be used to build a range of other applications. And the price difference is significant. Amazon S3’s cheapest online storage—reduced redundancy, for customers storing more than 5 petabytes—costs 2.2¢ per gigabyte per month. Backblaze’s B2 storage costs 0.5¢ per gigabyte per month, with the first 10GB free. This is cheaper even than Amazon’s Glacier and Google’s Nearline storage, at 1¢ per gigabyte per month, neither of which supports immediate access to data. Bandwidth costs are the same; inbound bandwidth is free, outbound is charged at 5¢ per gigabyte.


Computer systems outage grounds American Airlines at major hubs

American Airlines’ information systems outage is affecting its website as well as flights.

An information systems outage at Chicago’s O’Hare International has grounded many American Airlines flights today. As the company tries to restore service, flights from at least three major hub airports—O’Hare, Dallas-Fort Worth, and Miami—are on a “ground stop” because of the problem. At 1:32pm Eastern Time, the Federal Aviation Administration announced that American had requested a ground stop for flights out of the three airports:

FAA Air Traffic Alert: @AmericanAir requested a ground stop for all of their traffic in and out of DFW/ORD/MIA due to their computer issue.
— The FAA (@FAANews) September 17, 2015

During the issue, American’s Twitter feed was filling up with responses to customers: “We’re working to resolve technical issues and apologize for the inconvenience.” Some of the complaints had nothing to do specifically with the grounded flights, however—it appears the outage has also affected parts of American’s website, blocking access to frequent flyer accounts and other customer data.


Google sues SEO company over harassing calls selling “Front Page Domination”

Getting companies’ names to show up higher in search engine results is the field of the lucrative business known as search engine optimization, or SEO. There’s a range of SEO practices, from “white hat” ones that are endorsed by search engines, to “black hat” practices that, while they may not be illegal, violate search engine rules. Now Google is taking a rare legal action against one Southern California SEO company it says went too far and broke the law.

In its complaint (PDF), Google says that Tustin, California-based Local Lighthouse has bombarded consumers with “incessant, unsolicited automated telephone calls” since mid-2014, making “false guarantees of first-page placement in Google search results.”


Malicious Cisco router backdoor found on 79 more devices, 25 in the US

(credit: ZMap.io)

The highly clandestine attacks hitting Cisco Systems routers are much more active than previously reported. Infections have hit at least 79 devices in 19 countries, including an ISP in the US that’s hosting 25 boxes running the malicious backdoor. That discovery comes from a team of computer scientists who probed the entire IPv4 address space for infected devices. As Ars reported Tuesday, the so-called SYNful Knock router implant is activated after receiving an unusual series of non-compliant network packets followed by a hardcoded password. By sending only the out-of-sequence TCP packets but not the password to every Internet address and then monitoring the response, the researchers were able to detect which ones were infected by the backdoor.

Security firm FireEye surprised the security world on Tuesday when it first reported the active outbreak of SYNful Knock. The implant is precisely the same size as the legitimate Cisco router image, and it’s loaded each time the router is restarted. It supports up to 100 modules that attackers can tailor to the specific target. FireEye found it on 14 servers in India, Mexico, the Philippines, and Ukraine. The finding was significant, because it showed an attack that had long been theorized was in fact being actively used. The new research shows it’s being used much more widely, and it’s been found in countries including the US, Canada, the UK, Germany, and China. The researchers wrote:


Chicago citizens sue to halt new “Netflix tax,” an increase of 9 percent

(credit: michel)

Six Chicagoans have sued the Windy City over its new 9 percent tax levied as part of the “Amusement Tax Ruling” that went into effect on September 1. The tax, which the city of Chicago maintains is “not an expansion of the laws,” imposes an additional surcharge on various online services, including Netflix, Spotify, Hulu, Xbox Live, and others.

“We will be adding it to the cost we charge subscribers,” Anne Marie Squeo, a Netflix spokeswoman, previously told Ars in a statement. “Jurisdictions around the world, including the US, are trying to figure out ways to tax online services. This is one approach.”
