Feed aggregator

Matt Glaman: DrupalCon: friends, family & fun in Nashville

Drupal Planet -

mglaman, Tue, 04/17/2018 - 21:00

DrupalCon is always something I look forward to, ever since attending my first one at DrupalCon Los Angeles 2015. As I wrote over a week ago, I drove down from Wisconsin with my wife and two boys to Nashville. We came down for the weekend before and stayed for the weekend after to do some touristing and vacationing. I tried to write one blog about DrupalCon but realized I couldn't really condense everything I had to say. So I plan on pushing out a few post-Nashville blogs.

Former FCC Broadband Panel Chair Arrested For Fraud

Slashdot -

An anonymous reader quotes a report from DSLReports: The former chair of a panel built by FCC boss Ajit Pai to advise the agency on broadband matters has been arrested for fraud. Elizabeth Ann Pierce, former CEO of Quintillion Networks, was appointed by Pai last April to chair the committee, but her tenure only lasted until September. Pierce resigned from her role as Quintillion CEO last August after investigators found she was engaged in a scam that tricked investors into pouring money into a multi-million dollar investment fraud scheme. According to the Wall Street Journal, Pierce convinced two investment firms that the company had secured contracts for a high-speed fiber-optic system that would generate hundreds of millions of dollars in future revenue. She pitched the system as a way to improve Alaska's connectivity to the rest of the country, but the plan was largely a fabrication, law enforcement officials say. "As it turned out, those sales agreements were worthless because the customers had not signed them," U.S. Attorney Geoffrey Berman said in prepared remarks. "Instead, as alleged, Pierce had forged counterparty signatures on contract after contract. As a result of Pierce's deception, the investment companies were left with a system that is worth far less than Pierce had led them to believe." Quintillion says it began cooperating with lawmakers as soon as allegations against Pierce surfaced last year. Pierce was charged with wire fraud last Thursday and faces a maximum sentence of 20 years in prison.

Read more of this story at Slashdot.

Facebook Admits To Tracking Users, Non-Users Off-Site

Slashdot -

Facebook said in a blog post yesterday that they tracked users and non-users across websites and apps for three main reasons: providing services directly, securing the company's own site, and "improving our products and services." The statement comes as the company faces a U.S. lawsuit over a controversial facial recognition feature launched in 2011. The Guardian reports: "When you visit a site or app that uses our services, we receive information even if you're logged out or don't have a Facebook account. This is because other apps and sites don't know who is using Facebook," Facebook's product management director, David Baser, wrote. "Whether it's information from apps and websites, or information you share with other people on Facebook, we want to put you in control -- and be transparent about what information Facebook has and how it is used." But the company's transparency has still not extended to telling non-users what it knows about them -- an issue Zuckerberg also faced questions over from Congress. Asked by Texas representative Gene Green whether all information Facebook holds about a user is in the file the company offers as part of its "download your data" feature, Zuckerberg had responded he believed that to be the case. Privacy campaigner Paul-Olivier Dehaye disagreed, noting that, even as a Facebook user, he had been unable to access personal data collected through the company's off-site tracking systems. Following an official subject access request under EU law, he told MPs last month, Facebook had responded that it was unable to provide the information.


More Than 95% of World's Population Breathing Unhealthy Air, Says New Report

Slashdot -

More than 95% of the world's population is breathing unhealthy air and the poorest nations are the hardest hit, a new report has found. From the report: According to the annual State of Global Air Report, published Tuesday by the Health Effects Institute (HEI), long-term exposure to air pollution contributed to an estimated 6.1 million deaths across the globe in 2016. The report says exposure to air pollution led to strokes, heart attacks, lung cancer and chronic lung disease, causing many of those premature deaths. It also says that air pollution is the fourth-highest cause of death among all health risks globally, coming in below high blood pressure, diet and smoking.


Tandem's Drupal Blog: Tandem Named Leading Drupal Developer

Drupal Planet -

April 18, 2018

Clutch has named Tandem one of the leading Drupal development agencies in SF for 2018. Last month, the B2B ratings and reviews platform Clutch named the top San Francisco agencies and developers in 2018. We are proud to announce that Tandem was recognized for our expertise and made the list! While we have experience with a variety...

Amazon Shelves Plan To Sell Prescription Drugs

Slashdot -

Major Blud writes: CNBC is reporting that Amazon Business, which considered selling pharmaceutical products last year, has put its plans to do so on hiatus. "The change in plan comes partly because Amazon has not been able to convince big hospitals to change their traditional purchasing process, which typically involves a number of middlemen and loyal relationships," reports CNBC. Amazon was able to gain licensing in 47 out of the 50 U.S. states, but has struggled to land contracts with large hospital networks. "The setback illustrates the challenges of getting into the medical supply and pharmaceutical space, even for a company as big as Amazon," reports CNBC. "Several health-care and pharmaceutical distribution companies saw their stock take a nosedive following recent reports of Amazon potentially getting into the space, but it will likely take some time before those concerns turn into real threats."


New York's Attorney General Is Investigating Bitcoin Exchanges

Slashdot -

The office of New York Attorney General Eric Schneiderman announced today that it has launched an investigation into bitcoin exchanges. He's reportedly looking into thirteen major exchanges, including Coinbase, Gemini Trust, and Bitfinex, requesting information on their operations and what measures they have in place to protect consumers. The Verge reports: "Too often, consumers don't have the basic facts they need to assess the fairness, integrity, and security of these trading platforms," Schneiderman said in a statement. His office sent detailed questionnaires to the thirteen exchanges, asking them to disclose who owns and controls them, and how their basic operation and transaction fees work. The questionnaire also asks for specific details on how exchanges might suspend trading or delay orders, indicating Schneiderman is particularly concerned with exchanges manipulating the timing of public orders. The investigation will attempt to shed more transparency on how platforms combat market manipulation attempts and suspicious trading, as well as bots, theft, and fraud. Many of the exchanges Schneiderman is targeting, such as Beijing-based Huobi, have headquarters located outside the U.S., but the attorney general has jurisdiction over any foreign business operating in New York. Coin Center's director of research Peter Van Valkenburgh tells The Verge that the new investigation might be overkill, given the existing rules already in place for bitcoin exchanges. "Far from being unregulated," he says, "these businesses must contend with state money transmission licensing laws, federal anti-money laundering law, CFTC scrutiny for commodities spot market manipulation, SEC scrutiny for securities trading (should any tokens traded be securities), and in this case, state consumer protection investigations from the several attorneys general."


Selling Full Autonomy Before It's Ready Could Backfire For Tesla

Slashdot -

An anonymous reader quotes a report from Ars Technica: Tesla has an Autopilot problem, and it goes far beyond the fallout from last month's deadly crash in Mountain View, California. Tesla charges $5,000 for Autopilot's lane-keeping and advanced cruise control features. On top of that, customers can pay $3,000 for what Tesla describes as "Full Self-Driving Capability." "All you will need to do is get in and tell your car where to go," Tesla's ordering page says. "Your Tesla will figure out the optimal route, navigate urban streets (even without lane markings), manage complex intersections with traffic lights, stop signs and roundabouts, and handle densely packed freeways with cars moving at high speed." None of these "full self-driving" capabilities are available yet. "Self-Driving functionality is dependent upon extensive software validation and regulatory approval, which may vary widely by jurisdiction," the page says. "It is not possible to know exactly when each element of the functionality described above will be available, as this is highly dependent on local regulatory approval." But the big reason full self-driving isn't available yet has nothing to do with "regulatory approval." The problem is that Tesla hasn't created the technology yet. Indeed, the company could be years away from completing work on it, and some experts doubt it will ever be possible to achieve full self-driving capabilities with the hardware installed on today's Tesla vehicles. "It's a vastly more difficult problem than most people realize," said Sam Abuelsamid, an analyst at Navigant Research and a former auto industry engineer. Tesla has a history of pre-selling products based on optimistic delivery schedules. This approach has served the company pretty well in the past, as customers ultimately loved their cars once they ultimately showed up. But that strategy could backfire hugely when it comes to Autopilot.


Online Tax Filers Will Get Extension After IRS Payment Website Outage

Slashdot -

An anonymous reader quotes a report from CNBC: The IRS will give last-minute filers additional time to file their tax returns after the page for paying their tax bills using their bank accounts crashed, Treasury Secretary Steven Mnuchin told the Associated Press. The IRS "Direct Pay" page allows filers to transfer funds from their checking or savings account to pay what they owe. As of 5 p.m. ET on April 17 -- Tax Day -- the page was still unavailable. Direct Pay is a free service. The "Payment Plan" page, where filers can pay their tax bill in installments, also appears to have crashed. "I'd strongly advise folks who owe any federal taxes and cannot pay online to mail a check or money order to the IRS to the appropriate address," said Patrick Thomas, director of Notre Dame Law School's Tax Clinic. According to a TurboTax spokesperson, the IRS's technical difficulties are affecting all tax preparers and tax returns. "Taxpayers should go ahead and continue to prepare and file their taxes as normal with TurboTax," the spokesperson said. "TurboTax has uninterrupted service and is available and accepting e-filed returns," she said. "We will hold returns until the IRS is ready to begin accepting them again." H&R Block said it will continue to accept returns from filers.


Windows 10 Update Will Support More Password-Free Logins

Slashdot -

An anonymous reader writes: It's not just web browsers that are moving beyond passwords. Microsoft has revealed that Windows 10's next update will support the new FIDO 2.0 standard, promising password-free logins on any Windows 10 device managed by your company or office. You could previously use Windows Hello to avoid typing in a password, of course, but this promises to be more extensive -- you could use a USB security key to sign into your Azure Active Directory.


NASA Planet-Hunter Set For Launch

Slashdot -

The US space agency is about to launch a telescope that should find thousands of planets beyond our Solar System. From a report: The Tess mission will go up on a SpaceX Falcon rocket from Cape Canaveral in Florida and survey nearly the entire sky over the course of the next two years. It will stare at stars, hoping to catch the dip in brightness as their faces are traversed by orbiting worlds. Tess will build a catalogue of nearby, bright stars and their planets that other telescopes can then follow up. Key among these will be the successor to Hubble -- the James Webb space observatory, due in orbit from 2020. Its powerful vision will have the capability to analyse the atmospheres of some of Tess's new worlds, to look for gases that might hint at the presence of life. James Webb will "tease out the chemical compositions of those atmospheres and look for whatever's there," said Paul Hertz, the astrophysics director at Nasa. "People are very interested in looking for, what on Earth, are bio-signatures, such as methane, carbon dioxide, water vapour and oxygen." Tess follows in the footsteps of Kepler, a groundbreaking space telescope launched in 2009. It also used the "transit technique" to confirm more than 2,000 so-called exoplanets. But Kepler, for its primary mission at least, only looked at a very small patch of sky, and many of its discoveries were simply too far away or too dim for other telescopes to pursue with further analysis. The launch of TESS was scheduled for Monday evening, but it has been postponed until Wednesday. SpaceX tweeted Monday afternoon that it is "standing down today to conduct additional GNC [guidance navigation control] analysis, and teams are now working towards a targeted launch of @NASA_TESS on Wednesday, April 18."


Dries Buytaert: Acquia blocks 500,000 attack attempts for SA-CORE-2018-002

Drupal Planet -

On March 28th, the Drupal Security Team released a bug fix for a critical security vulnerability, named SA-CORE-2018-002. Over the past week, various exploits have been identified, as attackers have attempted to compromise unpatched Drupal sites. Hackers continue to try to exploit this vulnerability, and Acquia's own security team has observed more than 100,000 attacks a day.

The SA-CORE-2018-002 security vulnerability is highly critical; it allows an unauthenticated attacker to perform remote code execution on most Drupal installations. When the Drupal Security Team made the security patch available, there were no publicly known exploits or attacks against SA-CORE-2018-002.

That changed six days ago, after Checkpoint Research provided a detailed explanation of the SA-CORE-2018-002 security bug, in addition to step-by-step instructions that explain how to exploit the vulnerability. A few hours after Checkpoint Research's blog post, Vitalii Rudnykh, a Russian security researcher, shared a proof-of-concept exploit on GitHub. Later that day, Acquia's own security team began to witness attempted attacks.

The article by Checkpoint Research and Rudnykh's proof-of-concept code have spawned numerous exploits, written in different programming languages such as Ruby, Bash, Python and more. As a result, the number of attacks has grown significantly over the past few days.

Fortunately, Acquia deployed a platform level mitigation for all Acquia Cloud customers one hour after the Drupal Security Team made the SA-CORE-2018-002 release available on March 28th. Over the past week, Acquia has observed over 500,000 attacks from more than 3,000 different IP addresses across our fleet of servers and customer base. To the best of our knowledge, every attempted exploitation of an Acquia customer has failed.

The scale and severity of this attack suggest that if you failed to upgrade your Drupal sites, or your site is not supported by Acquia Cloud or another trusted vendor that provides platform level fixes, the chances of your site being hacked are very high. If you haven't upgraded your site yet, we recommend you do so as soon as possible, in addition to verifying that you haven't been compromised.

Drupal's responsible disclosure policy

It's important to keep in mind that all software has security bugs, and fortunately for Drupal, critical security bugs are rare. It's been nearly four years since the Drupal Security Team published a security release for Drupal core that is this critical.

What matters is how software projects or software vendors deal with security bugs. The Drupal Security Team follows a "coordinated disclosure policy": issues remain private until there is a published fix. A public announcement is made when the threat has been addressed and a secure version of Drupal core is also available. Even when a bug fix is made available, the Drupal Security Team is very thoughtful with its communication. The team is careful to withhold as many details about the vulnerability as possible to make it difficult for hackers to create an exploit, and to buy Drupal site owners as much time as possible to upgrade. In this case, Drupal site owners had two weeks before the first public exploits appeared.

Historically, many proprietary CMS vendors have taken a different approach, and don't always disclose security bugs. Instead, they often fix bugs silently. In this scenario, secrecy might sound like a good idea; it prevents sites from being hacked and it avoids bad PR. However, hiding vulnerabilities provides a false sense of security, which can make matters much worse. This approach also rests on the assumption that hackers can't find security problems on their own. They can, and when they do, even more sites are at risk of being compromised.

Drupal's approach to security is best-in-class — from fixing the bug, testing the solution, providing advance notice, coordinating the release, being careful not to over-communicate details, being available for press inquiries, and repeatedly reminding everyone to upgrade.

Acquia's platform level fix

In addition to the Drupal Security Team's responsible disclosure policy, Acquia's own security team has been closely monitoring attempted attacks on our infrastructure. Following the release of the Checkpoint Research article, Acquia has tracked the origin of the 500,000 attempted attacks:

This image captures the geographic distribution of SA-CORE-2018-002 attacks against Acquia's customers. The number denoted in each bubble is the total number of attacks that came from that location.

To date, over 50 percent of the attempted attacks Acquia has witnessed originate from the Ukraine.

At Acquia, we provide customers with automatic security patching of both infrastructure and Drupal code, in addition to platform level fixes for security bugs. Our commitment to keeping our customers safe is reflected in our push to release a platform level fix one hour after the Drupal Security Team made SA-CORE-2018-002 available. This mitigation covered all customers with Acquia Cloud Free, Acquia Cloud Professional, Acquia Cloud Enterprise, and Acquia Cloud Site Factory applications, giving our customers peace of mind while they upgraded their Drupal sites, with or without our help. This means that when attempted exploits and attacks first appeared in the wild, Acquia's customers were safe. As a best practice, Acquia always recommends that customers upgrade to the latest secure version of Drupal core, in addition to platform mitigations.

This blog post was co-authored by Dries Buytaert and Cash Williams.

NASA's Got a Plan For a 'Galactic Positioning System' To Save Astronauts Lost in Space

Slashdot -

From a report: Outer space glows with a bright fog of X-ray light, coming from everywhere at once. But peer carefully into that fog, and faint, regular blips become visible. These are millisecond pulsars, city-sized neutron stars rotating incredibly quickly, and firing X-rays into the universe with more regularity than even the most precise atomic clocks. And NASA wants to use them to navigate probes and crewed ships through deep space. A telescope mounted on the International Space Station (ISS), the Neutron Star Interior Composition Explorer (NICER), has been used to develop a brand new technology with near-term, practical applications: a galactic positioning system, NASA scientist Zaven Arzoumanian told physicists Sunday (April 15) at the April meeting of the American Physical Society. With this technology, "You could thread a needle to get into orbit around the moon of a distant planet instead of doing a flyby," Arzoumanian told Live Science. A galactic positioning system could also provide "a fallback, so that if a crewed mission loses contact with the Earth, they'd still have navigation systems on board that are autonomous." Right now, the kind of maneuvers that navigators would need to put a probe in orbit around distant moons are borderline impossible.


Employees Who Worked at YouTube Say Violent Threats From Volatile 'Creators' Have Been Going on For Years

Slashdot -

Anonymous readers share a report: YouTube managers had no way to predict Nasim Aghdam would go on a bloody rampage, but they had plenty of reasons to fear that someone like her might one day show up, say former employees. Aghdam was the 38-year-old, disgruntled YouTube video creator who arrived at the company's San Bruno, California, headquarters on April 3 and began blasting away with a 9mm handgun. She wounded three staffers before she killed herself. Police say leading up to the shooting Aghdam, who was from San Diego, believed YouTube sought to censor her and ruin her life. This kind of violence is unprecedented in YouTube's 13-year history, though Aghdam's anger and paranoia aren't unique among the millions of people who create and post videos to the site, according to five former YouTube employees. In exclusive interviews, they told Business Insider that going back to the service's earliest days, frustrated creators -- seething over one of YouTube's policy changes or the other -- have threatened staffers with violence. Typically the threats were delivered via email. At least once, a video creator confronted a YouTube employee face-to-face and promised he would "destroy" him.


Diamonds in Sudan Meteorite 'Are Remnants of Lost Planet'

Slashdot -

Diamonds found in a meteorite that exploded over the Nubian desert in Sudan a decade ago were formed deep inside a "lost planet" that once circled the sun in the early solar system, scientists say. From a report: Microscopic analyses of the meteorite's tiny diamonds revealed they contain compounds that are produced under intense pressure, suggesting the diamonds formed far beneath the surface of a planet. In this case, the mysterious world was calculated to be somewhere between Mercury and Mars in size. Astronomers have long hypothesised that dozens of fledgling planets, ranging in size from the moon to Mars, formed in the first 10m years of the solar system and were broken apart and repackaged in violent collisions that ultimately created the terrestrial planets that orbit the sun today.


Former Cambridge Analytica Employee Says Facebook Users Affected Could Be 'Much Greater Than 87 million'

Slashdot -

Cambridge Analytica and its partners used data from previously unknown "Facebook-connected questionnaires" to obtain user data from the social media service, according to testimony from a former Cambridge Analytica employee. From a report: Brittany Kaiser provided evidence to the British Parliament today as part of a hearing on fake news. Kaiser, who worked on the business team at Cambridge Analytica's parent company until January of this year, wrote in a statement that she was "aware in a general sense of a wide range of surveys" used by Cambridge Analytica or its partners, and she said she believes the number of people whose Facebook data may have been compromised is likely higher than the widely reported 87 million.


One Laptop Per Child's $100 Laptop Was Going To Change the World -- Then it All Went Wrong

Slashdot -

Adi Robertson, reporting for The Verge: In late 2005, tech visionary and MIT Media Lab founder Nicholas Negroponte pulled the cloth cover off a small green computer with a bright yellow crank. The device was the first working prototype for Negroponte's new nonprofit One Laptop Per Child (OLPC), dubbed "the green machine" or simply "the $100 laptop." And it was like nothing that Negroponte's audience -- at either his panel at a UN-sponsored tech summit in Tunis, or around the globe -- had ever seen. After UN Secretary-General Kofi Annan offered a glowing introduction, Negroponte explained exactly why. The $100 laptop would have all the features of an ordinary computer but require so little electricity that a child could power it with a hand crank. [...] But OLPC's overwhelming focus on high-tech hardware worried some skeptics, including participants in the Tunis summit. One attendee said she'd rather have "clean water and real schools" than laptops, and another saw OLPC as an American marketing ploy. "Under the guise of non-profitability, hundreds of millions of these laptops will be flogged off to our governments," he complained. In the tech world, people were skeptical of the laptop's design, too. Intel chairman Craig Barrett scathingly dubbed OLPC's toy-like prototype "the $100 gadget," and Bill Gates hated the screen in particular. "Geez, get a decent computer where you can actually read the text," he told reporters. [...] After announcing "the $100 Laptop," OLPC had one job to do: make a laptop that cost $100. As the team developed the XO-1, they slowly realized that this wasn't going to happen. According to Bender, OLPC pushed the laptop's cost to a low of $130, but only by cutting so many corners that the laptop barely worked. Its price rose to around $180, and even then, the design had major tradeoffs. [...]


What It's Like To Live in America Without Broadband Internet

Slashdot -

Motherboard has an interesting piece which serves as a reminder that even today in every single state, a portion of the population doesn't have access to broadband, and some have no access to the internet at all. From the piece: Wilfong (an anecdote used in the story) is one of the more than 24 million Americans, or about 8 percent of the country, who don't have access to high-speed internet, according to the Federal Communications Commission (FCC) -- and that's a conservative estimate. Most of them live in rural and tribal areas, though the problem affects urban communities, too. In every single state, a portion of the population doesn't have access to broadband. The reasons these communities have been left behind are as diverse as the areas themselves. Rural regions like Wilfong's hometown of Marlinton are not densely populated enough to get telecom companies to invest in building the infrastructure to serve them. Some areas can be labeled as "served" by telecoms even if many homes don't actually have internet access, as in Sharon Township, Michigan, just a short drive from the technology hub of Ann Arbor. Others are just really far away. These places are so geographically remote that laying cable is physically and financially prohibitive, so towns like Orleans, California, have started their own nonprofit internet services instead.


IRS 'Direct Pay' Option Not Working on Tax Day

Slashdot -

An anonymous reader shares a report: Online payments on IRS.gov are partially down. But the government still expects its money. A page on the IRS website that allows taxpayers to make a payment is not working for many as of Tuesday morning. Clicking on "Make a payment" on the payments page redirects the user to a page titled "unplannedOutagePage." "Note that your tax payment is due although IRS Direct Pay may not be available," the page notes.



Subscribe to Heydon Consulting aggregator