What Really Motivated the Breaches of Twitch and Epik? Slashdotby EditorDavid on security at January 1, 1970, 1:00 am (cached at October 10, 2021, 11:05 pm)

The Washington Post explores recent breaches at Twitch and Epik — and asks whether they really signal an upsurge in "hacktivism": The perpetrators of these hacks are distancing themselves from financially driven cybercriminals and ransomware gangs by portraying their attacks as moral crusades against what they said were the companies' sins. In celebratory notes released alongside their data dumps, the Epik hackers said they were sick of the company serving hateful websites, while the Twitch hackers used a hashtag criticizing company efforts to confront harassment and said the site had become a "disgusting cesspool...." Allan Liska, a senior intelligence analyst with the cybersecurity firm Recorded Future, said the growing accessibility and sophistication of hacking tools and the ease with which social media can draw attention to a major hack has contributed to a dramatic upsurge in attacks by "hacktivists..." [The attacks] also showcase how weak the world's cybersecurity defenses remain despite an eruption of concern after this year's major ransomware attacks, including the crippling cyberattack on Colonial Pipeline that brought panic to fuel markets on the East Coast... Troy Hunt, a security consultant in Australia who created the data-breach notification site Have I Been Pwned, said many such hacks are actually crimes of opportunity, with a loftier mission applied later. He recalled a popular information security joke: "The definition of hacktivist is you hack someone, then make up a reason they deserve it." "Very often the politically motivated reasons we see are convenient excuses," Hunt said.

Read more of this story at Slashdot.

All Linux and Mac Computers Get Their Time Zones From the Same Database Slashdotby EditorDavid on internet at January 1, 1970, 1:00 am (cached at October 10, 2021, 10:05 pm)

"All Linux and Mac-based computers pull their time zones from a massively important database — the time zone database," explains Medium's tech site OneZero. And this vastly crucial project is ultimately overseen by one man who Medium calls "The Time Zone King." The process of defining time zones is centralized. This is actually quite a big deal in its own right because people tend to grossly underestimate how pivotal Linux is to ... the entire internet and technology as we know it... The time zone database — which is sometimes called the Olson data or zoneinfo database — has a fascinating history... Not only are time zones apparently a longstanding menace for computer developers, but the time zone maintenance community is currently, it seems, mired among some procedural dispute regarding how this essential database should best be maintained. Of course that's an interesting fact in its own right: there is a world time zone data community. In fact, The Register recently described them as being no less than " up in arms " about the direction the project was proceeding down... A difference of vision among time zone enthusiasts might be the neatest summary anybody can advance.... Not only can't the time zone titans currently agree on the best way to carry the timezone database forward, it seems. But the entire process of codifying and standardizing time zones is also decidedly contentious political business with a long and tumultuous history to go with it. Those who enter the fray need to be therefore not only technical heavyweights but also prepared to have the occasional audacity to stand up to countries like the Hashemite Republic of Jordan and tell them that their attempt to prematurely end DST is unacceptable and will not be promulgated in the database... Weary time zone mavericks are bursting to the seams with horror stories of African states who made rash time zone decisions on only four days' notice... Time zone data insiders say that every single one of these high stakes deliberations represents a near Y2K disaster that must be averted... At the helm of this project is one individual. One guy. Paul Eggert, a computer scientist who teaches at the Department of Computer Science at the University of California's LA Campus... This is a man, after all, whose codebase helps hundreds of millions of users know what time zone they're in and who — for the past ten years — has gone to bed knowing that hundreds of millions of computers are using his code to know what time zone they're in. He's lived under that pressure for over a decade. And by all accounts thrived... Untold millions have been made by startups announcing dubious advents upon existing technologies heralded with the breathless fanaticism of companies announcing that they have found a way to turn air water into oil. Many of these will vanish into oblivion within a few short years. The time zone database won't. Because it can't. And those at the very bottom of the tech stack — those tirelessly and thanklessly maintaining open source projects upon which so much of the world's computing derives — languish in comparable obscurity... In recent years, the project has fallen under the purview of ICANN [through its Internet Assigned Numbers Authority]. Its code reads like a cross between a JSON file and a historical novel. And while I'm sure the project has many noteworthy contributors, there's ultimately one guy who's responsible for maintaining it. The Time Zone King. His name is Paul Eggert. And he's a computer scientist based out of UCLA. We probably all owe him a 'thank you'.

Read more of this story at Slashdot.

Frida Kahlo Scripting News(cached at October 10, 2021, 9:02 pm)

Self portrait with a braid, 1941.

California To Ban Gas-Powered Leaf Blowers and Mowers Slashdotby EditorDavid on earth at January 1, 1970, 1:00 am (cached at October 10, 2021, 8:35 pm)

"California will soon ban the sale of new gas-powered leaf blowers and lawn mowers," reports the Associated Press, calling it "a move aimed at curbing emissions from a category of small engines on pace to produce more pollution each year than passenger vehicles." California is the only state with the authority to regulate air quality this way, part of an exception carved out in federal law in the 1970s. While other states can't enact their own regulations, they can choose to follow California's lead. Last year, California regulators approved a first-of-its-kind rule to force automakers to sell more electric work trucks and delivery vans. Also last year, Newsom ordered regulators to ban the sale of all new gas-powered cars and trucks in California by 2035 — a date that has since been embraced by some of the world's largest automakers. California has more than 16.7 million of these small engines in the state, about 3 million more than the number of passenger cars on the road. California was the first government in the world to adopt emission standards for these small engines in 1990. But since then, emissions in cars have vastly improved compared with smaller engines. Now, state officials say running a gas-powered leaf blower for one hour emits the same amount of pollution as driving a 2017 Toyota Camry from Los Angeles to Denver, a distance of about 1,100 miles (1,770 kilometers). The law Newsom signed also orders regulators to offer rebates for people to change out their equipment, a move aimed at landscaping businesses that use these machines more often. The state budget, approved earlier this year, includes $30 million to pay for this effort.

Read more of this story at Slashdot.

Former Facebook Staffers React to Company's Unapologetic Response to Whistleblower Slashdotby EditorDavid on facebook at January 1, 1970, 1:00 am (cached at October 10, 2021, 7:35 pm)

"Facebook's efforts to undermine the testimony of whistleblower Frances Haugen began before she even left the Senate Commerce Committee hearing room Tuesday," reports Protocol.com: "Just pointing out the fact that @FrancesHaugen did not work on child safety or Instagram or research these issues and has no direct knowledge of the topic from her work at Facebook," spokesperson Andy Stone said in a tweet that ended up being read aloud by Republican Sen. Marsha Blackburn, during the hearing. Another statement from Policy Communications Director Lena Pietsch referred to Haugen dismissively as someone who "worked for the company for less than two years, had no direct reports" and "never attended a decision-point meeting with C-level executives." For Nu Wexler, a former Facebook policy communications staffer, the anti-Haugen spin was overkill. "The statement they put out about Frances Haugen was beyond the pale," said Wexler, who also worked in policy communications at Google and Twitter. "As a former employee, I disagreed with what they said, and as a communications professional, I think it was really bad PR." The counterattack strategy has differed dramatically from the regretful responses Facebook has offered in past episodes, like the Cambridge Analytica scandal. In those cases, the company often responded with an apology and a plan. This time around, from Mark Zuckerberg on down, the company has been decidedly less apologetic, with Haugen as a case study for the new approach. For some former Facebook employees watching from home, the experiment in public aggression is backfiring. From Wexler's point of view, Haugen demonstrated clear facility of the facts and familiarity with the industry. "They're going to have a hard time convincing people that she doesn't know what she's talking about," he said. Katie Harbath, a public policy director at Facebook for 10 years who left the company in March, said, "All these folks, whether they had direct reports or not, they all have perspective and expertise that should be heard...." Another former Facebook communications staffer called the company's response "a mistake." "It's not about her. The whole dialogue that's happening is not about whether she's a credible messenger or not," the former staffer said, before adding, "She is a pretty credible messenger...." The remarks from Stone and Pietsch have also prompted former employees, some of whom held more senior roles during their time at Facebook, to publicly rally to Haugen's defense. "Well I was there for over 6 years, had numerous direct reports, and led many decision meetings with C-level execs, and I find the perspectives shared on the need for algorithmic regulation, research transparency, and independent oversight to be entirely valid for debate," tweeted Samidh Chakrabarti, who founded the civic integrity team Haugen worked on, and whose breakup she noted in her Senate testimony.... Facebook didn't respond to a question about why it's taking such an unapologetic approach toward Haugen's disclosures. Harbath has a theory: "The other one wasn't working."

Read more of this story at Slashdot.

Screen shot of today's blog Scripting News(cached at October 10, 2021, 7:32 pm)

Today's Scripting News home page.

[no title] Scripting News(cached at October 10, 2021, 7:32 pm)

Another note and then I'll wait till tomorrow. In this case the Docs are a big part of the product. Back in February, I decided this time, rather than leave the docs as an afterthought, or hire someone else to write them, I would do it myself. For a couple of reasons. This could be the last big product ship I do in my career. Docs were always treated as an afterthought. I want to try, just once, making it not an afterthought. To let the docs have enough time to become something I'm proud of, and something I can invest more time in, like the software, after we ship. Instead of staying away from them, I wanted to reach in, and do it up. As a result I've done enough writing for a book this year, you'll see it not only in the docs linked into the sidebar of the docs pages, but also in the DocServer pages for each of the built-in scripting verbs. Lots and lots more to say.
[no title] Scripting News(cached at October 10, 2021, 7:32 pm)

And now, we can start talking about Drummer in concrete terms. Finally. The first thing you should try in Drummer is to write a few blog posts. Follow the first part of the Blogging howto, do the Hello World post. Then write some more, about whatever you like. Learn how to write publicly in Drummer first, in other words. It's the best demo we have right now, today, in Oct 2021, of the power of outlines for public writing.
New 'FontOnLake' Malware Family Can Target Linux Systems Slashdotby EditorDavid on security at January 1, 1970, 1:00 am (cached at October 10, 2021, 6:35 pm)

Security Week reports: A previously unknown, modular malware family that targets Linux systems has been used in targeted attacks to collect credentials and gain access to victim systems, ESET reported on Thursday. Dubbed FontOnLake, the malware family employs a rootkit to conceal its presence and uses different command and control servers for each sample, which shows how careful its operators are to maintain a low profile. What's more, the malware developers are constantly modifying the FontOnLake modules, and use three categories of components that have been designed to work together, namely trojanized applications, backdoors, and rootkits. Evidence suggests that FontOnLake has been used in attacks aimed at organizations in Southeast Asia. The first malware samples related to this family emerged last May. The malware was previously described by Avast and Lacework as the HCRootkit / Sutersu Linux rootkit, as well as by Tencent Security Response Center in a February report. The various trojanized applications that ESET's researchers have identified during their investigation are used to load custom backdoor or rootkit modules, but also to collect sensitive data when needed. Posing as standard Linux utilities, these files were also designed to achieve persistence on the compromised systems. What the researchers haven't figured out yet is the manner in which the trojanized applications are delivered to the victims. ESET's analysis of FontOnLake has revealed the use of three different backdoors, all written in C++, all using the same Asio library from Boost, and all capable of exfiltrating sshd credentials and bash command history. The simplest of the three was designed to launch and mediate access to a local SSH server, update itself, and transmit collected credentials. The malware appears to be under development. The second backdoor was also capable of file manipulation, updating itself, and uploading and downloading files, according to the article, while the third backdoor "accepts remote connections, serves as a proxy and can download and run Python scripts, in addition to exfiltrating credentials."

Read more of this story at Slashdot.

[no title] Scripting News(cached at October 10, 2021, 6:32 pm)

BTW, today is the 27th anniversary of this blog. That's really old for a blog. But we're still diggin. In fact, I'm releasing a new product today. A lot of work went into it. Just a couple of items on my todo list.
The other side of Agile Scripting News(cached at October 10, 2021, 6:02 pm)

My longtime friend and sometime collaborator Andrew Shell is part of a program to write 30 posts in 30 days. Yesterday he wrote a piece about his career, and I got an idea for him, that I initially posted in a comment on Facebook, but wanted to include here.

BTW, as far as I know Andrew is posting these ideas on FB and Twitter, as screen shots, but I don't see where it's posted on the web. If it is, I'll add a link here.

Chrome Attempts to Resurrect RSS With a New-Tab Feature That 'Follows' Your Favorite Slashdotby EditorDavid on chrome at January 1, 1970, 1:00 am (cached at October 10, 2021, 5:35 pm)

It's kind of like an RSS feed — and kind of not. Google now lets you "follow" your favorite web sites with Android versions of Chrome, reports Gizmodo: The feature has a similar effect to following an account on Twitter or Instagram, except you get content updates through Chrome on the new tab page. The ability is widely available to anyone on Android running the latest version of Chrome 94 that was pushed out to the Play Store at the end of September. Google introduced the ability earlier this year through the experimental Canary version of Chrome on Android. A Google spokesperson said at the time that the company planned to return to surfacing content through RSS feeds so that it could populate the aforementioned Following section for its users. The ability shows up in the overflow menu on the stable version of Chrome for Android. But since it's still rolling out, you might need to enable it manually. In Chrome for Android, type in chrome://flags in the link bar to reveal the browser's hidden settings. Then, search for web feed and select the singular enabled option to turn it on.... Chrome's director of engineering Adrienne Porter Felt tweeted on Friday that iOS users should expect the feature sometime next year.

Read more of this story at Slashdot.

[no title] Scripting News(cached at October 10, 2021, 5:32 pm)

I'm shopping for a refrigerator. I've spent some time with various web interfaces, on Home Depot, Consumer Reports, Loew's, Best Buy, Amazon. They're all pretty bad, and could make a simple improvement that would completely eclipse the others. Here's the idea. I have a fixed space to put a fridge, and it's unusually narrow. I wish the designer of the house had left more space but it is what it is. Now, they make fridges in this shape, but they don't always have them in stock, esp now, when the supply chain is so disrupted. Here's the feature, it's a very Doc Searls-like thing, btw. I want to say hey Home Depot, this is the space I have. Let me know when you have a fridge I can buy that can be delivered within a couple of weeks. Instead they send me links to their website for refrigerators (at least they remembered that I'm shopping for one, so has Amazon) but they make me start over from scratch every time. That really sucks. Esp if they, at the moment, have a fridge that fits my very easy requirements. It would also be good for energy savings, because my current fridge is not running efficiently at all.
New Studies Argue Distant Cosmic Gamma-Ray Explosion Was Actually Just Russian Space Slashdotby EditorDavid on space at January 1, 1970, 1:00 am (cached at October 10, 2021, 4:35 pm)

"Last year, a team of astronomers made a blockbuster claim, saying they had captured the most distant cosmic explosion ever — a gamma ray burst in a galaxy called GN-z11," reports Science magazine. "But that flash of light — supposedly from the most distant galaxy known — has a far more prosaic explanation: It was a glinting reflection from a tumbling, spent Russian rocket that happened to photobomb observers at just the right moment, two new studies claim..." Although they happen all the time, the chances of catching one when a telescope is pointed at a particular galaxy are quite slim. So it was even more surprising when astronomer Linhua Jiang of Peking University and colleagues claimed — using data from the W. M. Keck Observatory in Hawaii — to find a burst coming from GN-z11, a galaxy dating back to a mere 420 million years after the big bang. Indeed, the team itself reported in December 2020 that the odds of catching such a burst were one in 10 billion. Those odds raised red flags for Charles Steinhardt, an astronomer at the University of Copenhagen. "You start asking," he says, "'Are there any other causes that are more likely?'" That's where the Russian rocket comes in. Humans have launched and left behind large numbers of objects in orbit around Earth, including satellites, rocket boosters, and even screwdrivers gone missing during spacewalks. Up to half a million bits of metal larger than 1 centimeter are thought to be tumbling around our planet. Glints of sunlight reflecting off this debris could be responsible for as many as 10,000 flashes of light per hour throughout the night sky, estimates Eran Ofek, an astrophysicist at the Weizmann Institute of Science who has published independent analyses of this phenomenon. The vast majority are invisible to the naked eye, he says, but they can be discernable to astronomical observatories. Given such potential light pollution, the possibility of finding a debris glint in a random telescope image is somewhere between one in 1000 and one in 10,000, Steinhardt and his collaborators calculate in one of the new studies, published today in Nature Astronomy. That seems more likely than the one-in-10-billion chance of a gamma ray burst, Steinhardt says. "If you have to pick between the two answers, yes they're both unlikely, but one of them is millions of times more likely."

Read more of this story at Slashdot.

Could Bitcoin Mining Really Provide Crucial Demand For Nuclear Power? Slashdotby EditorDavid on power at January 1, 1970, 1:00 am (cached at October 10, 2021, 1:35 pm)

Gizmodo takes a hard look at a "growing sense of excitement" about collaboration between bitcoin-mining operations and nuclear power plants (which are now plagued by high operating costs compared to renewables as well as natural gas): Of the three partnerships between bitcoin companies and nuclear energy that the Wall Street Journal mentioned, two involve bitcoin miners partnering with existing nuclear sources to power their operations... These are not companies investing in the future, but rather companies searching for anything that will help keep the profits flowing using existing power plants. It's pretty safe to say that some cash-strapped owners of nuclear plants will be using mining partnerships not to make any technological strides, but rather to simply keep the old plants operating. "The plants themselves are pretty well-run, and they know what they're doing," said Alex Gilbert, a project manager at the think tank Nuclear Innovation Alliance. "It really is a matter of the economics. There's a certain point where you're definitely unprofitable, and you're going to be likely to close because you're not getting enough money in power markets. But if a bitcoin operation takes 10 to 15 to 30 percent of your power at a reasonable price, that tips you into profitability." This profitability means the plants can stay open, giving miners a little carbon-free energy as a treat while keeping the U.S.'s biggest source of zero-emissions power operational. This is especially a good idea while we wait for more renewables — and policies that favor them — to come online, in what could be the first real-world proof bitcoin is doing some societal good instead of being a waste of energy and resources.... A few small-to-medium reactors should be ready for licensing in a few years and some over the next decade, he said, helped along by private and federal funding. To actually get to a point where the kinds of smaller reactors could be developed that would be competitive with the (rapidly falling) price of renewables, Gilbert said, would take a significantly larger bump from private capital — as well as more customers. "Providing early demand for advance reactors, especially microreactors, that's how bitcoin can most help the nuclear sector," he said.... I'm not a technofuturist who dreams of a libertarian paradise, but I have to admit that there's kind of a cool idea here. If the bitcoin community really believes cryptocurrencies are the money of the future, let them be the first to invest in a budding technology that could be the energy of the future. In the interim, however, they shouldn't be allowed to rest on their greenwashing laurels while continuing to churn out emissions as they wait for fast reactor technology to become feasible in 10 years. Government regulations are, of course, anathema to crypto true believers. But a mandate that any new mining facilities source power from nearby nuclear plants could go a long way toward cleaning up bitcoin's act and ensuring the carbon-free energy we desperately need stays on the grid while fancy fast reactors come online.

Read more of this story at Slashdot.