Slashdot
How Bug Bounty Platform HackerOne Handled Its Own 'Internal Threat' Actor

Bug bounty platform HackerOne has "a steadfast commitment to disclosing security incidents," according to a new blog post, "because we believe that sharing security information far and wide is essential to building a safer internet." But now they've had an incident of their own: On June 22nd, 2022, a customer asked us to investigate a suspicious vulnerability disclosure made outside of the HackerOne platform. The submitter of this off-platform disclosure reportedly used intimidating language in communication with our customer. Additionally, the submitter's disclosure was similar to an existing disclosure previously submitted through HackerOne... Upon investigation by the HackerOne Security team, we discovered a then-employee had improperly accessed security reports for personal gain. The person anonymously disclosed this vulnerability information outside the HackerOne platform with the goal of claiming additional bounties. This is a clear violation of our values, our culture, our policies, and our employment contracts. In under 24 hours, we worked quickly to contain the incident by identifying the then-employee and cutting off access to data. We have since terminated the employee, and further bolstered our defenses to avoid similar situations in the future. Subject to our review with counsel, we will also decide whether criminal referral of this matter is appropriate. The blog post includes a detailed timeline of HackerOne's investigation. (They remotely locked the laptop, later taking possession of it for analysis, along with reviewing all data accessed "during the entirety of their two and a half months of employment" and notification of seven customers "known or suspected to be in contact with threat actor.") "We are confident the insider access is now contained," the post concludes — outlining how they'll respond and the lessons learned. "We are happy that our previous investments in logging enabled an expedient investigation and response.... 
To ensure we can proactively detect and prevent future threats, we are adding additional employees dedicated to insider threats that will bolster detection, alerting, and response for business operations that require human access to disclosure data...." "We are allocating additional engineering resources to invest further in internal models designed to identify anomalous access to disclosure data and trigger proactive investigative responses.... We are planning additional simulations designed to continuously evaluate and improve our ability to effectively resist insider threats."

Read more of this story at Slashdot.

How the Higgs Boson Particle Ruined Peter Higgs's Life

93-year-old Peter Higgs was awarded a Nobel Prize nine years ago after the Large Hadron Collider experiments finally confirmed the existence of the Higgs boson particles he'd predicted back in 1964. "This discovery was a seminal moment in human culture," says physicist Frank Close, who's written the new book Elusive: How Peter Higgs Solved the Mystery of Mass. But Scientific American reports there's more to the story: For years, the significance of the prediction was lost on most scientists, including Higgs himself. But gradually it became clear that the Higgs boson was not just an exotic sideshow in the particle circus but rather the main event. The particle and its associated Higgs field turned out to be responsible for giving all other particles mass and, in turn, creating the structure of galaxies, stars and planets that define our universe and enable our species... Yet the finding, however scientifically thrilling, pushed a press-shy Peter Higgs into the public eye. When he shared the Nobel Prize in Physics the next year, Higgs left his home in Edinburgh and camped out at a pub across town on the day of the announcement so the prize committee wouldn't be able to reach him. Physicist Close shares more details in an interview with Scientific American: Close: One of the biggest shocks I had when I was interviewing him was when he said the discovery of the boson "ruined [his] life." I thought, "How can it ruin your life when you have done some beautiful mathematics, and then it turns out you had mysteriously touched on the pulse of nature, and everything you've believed in has been shown to be correct, and you've won a Nobel Prize? How can these things amount to ruin?" He said, "My relatively peaceful existence was ending. My style is to work in isolation and occasionally have a bright idea." He is a very retiring person who was being thrust into the limelight.
That, to my mind, is why Peter Higgs the person is still elusive to me even though I've known him for 40 years... Higgs had spent two to three years really trying to understand a particular problem. And because he had done that hard work and was still trying to deepen his understanding of this very profound concept, when a paper turned up on his desk posing a related question, Higgs happened to have the answer because of the work he'd done. He sometimes says, "I'm primarily known for three weeks of my life." I say, "Yes, Peter, but you spent two years preparing for that moment." Q: The discovery of the Higgs boson came nearly 50 years after Higgs's prediction, and he said he never expected it to be found in his lifetime. What did it mean to him that the particle was finally detected? He said to me that his first reaction was one of relief that it was indeed confirmed. At that moment he knew [the particle existed] after all, and he felt a profound sense of being moved that that was really the way it was in nature — and then panic that his life was going to change.


Amazon Bars Off-Duty Warehouse Workers from Its Buildings

The Associated Press spoke to an Amazon warehouse worker in North Carolina who wants to unionize. "On our days off, we come to work and we engage our co-workers in the break rooms," he said. But now the Associated Press reports "Amazon is barring off-duty warehouse workers from the company's facilities, a move organizers say can hamper union drives." Under the policy shared with workers on Amazon's internal app, employees are barred from accessing buildings or other working areas on their scheduled days off, and before or after their shifts. An Amazon spokesperson said the policy does not prohibit off-duty employees from engaging their co-workers in "non-working areas" outside the company's buildings. "There's nothing more important than the safety of our employees and the physical security of our buildings," Amazon spokesperson Kelly Nantel said.... The notice of the new policy, dated Thursday, says the off-duty rule "will not be enforced discriminatorily" against employees seeking to unionize. But organizers say the policy itself will hinder their efforts to garner support from co-workers during campaigns. The article notes Amazon told employees their move was instead motivated partly by a need to, in an emergency situation, know exactly which employees were still in the building.


NASA Funds a Robot That Could Explore the Caves of Mars

CNN reports that a professor and his students at Stanford's Autonomous Systems Lab have received "phase II" funding from NASA's Innovative Advanced Concepts Program (which supports space robotics research) after proving the feasibility of their plan for robots to crawl through space caves. "The team will use the next two years to work on 3D simulations, a robot prototype, develop strategies that help the robot avoid risk, and test out [their cave robot] in a realistic mission environment — likely a cave site in New Mexico or California." One of the students explains to CNN that "Caves are risky environments, but they're scientifically interesting. Our idea for this robot is to go far before people would get there to do interesting science and scope out the area." CNN explains why space caves are so crucial: New research suggests that the best chance of finding past or present evidence of life on Mars requires going below its surface — at least 6.6 feet (2 meters) below. Mars has an incredibly thin atmosphere, which means that the surface of the red planet is bombarded by high energy radiation from space, and that could quickly degrade substances like amino acids that provide fragile evidence of life. Those harsh surface conditions also present a challenge for astronauts, which is one reason scientists have suggested that caves on other planets could be the key to future exploration. Vast cave systems on the moon and Mars could act as shelters for future space travelers. Caves could also contain resources like water, reveal more about the history of a planet — and be havens for evidence of microbial life. On Earth, there are a varied range of cave systems, many of which remain unexplored, and they support diverse groups of microorganisms. But caves are dangerous — and since we've never peered inside a Martian cave, it's difficult to know what to expect. 
The cave robot would presumably be equipped with cameras, microscopes and LIDAR remote sensing, and the team envisions it will be tethered to a power-supplying rover on the surface. One team member even told CNN the robots could be adapted to perform maintenance and upkeep on the planned "Gateway" lunar outpost between Earth and the moon.


Countries Form New NATO-Like 'Mineral Security' Alliance to Ensure EV Supplies

"A metallic NATO is starting to take shape," writes the senior metals columnist at Reuters, "though no-one is calling it that just yet." The Minerals Security Partnership is in theory open to all countries that are committed to "responsible critical mineral supply chains to support economic prosperity and climate objectives". But the coalition assembled by the United States is one of like-minded countries such as Australia, Canada, the United Kingdom, France and Germany with an Asian axis in the form of Japan and South Korea. [Also the European Commission, as well as Finland and Sweden.] It is defined as much as anything by who is not on the invite list — China and Russia. China's dominance of key enabling minerals such as lithium and rare earths is the single biggest reason why Western countries are looking to build their own supply chains. Russia, a major producer of nickel, aluminium and platinum group metals, is now also a highly problematic trading partner as its war in Ukraine that the Kremlin calls a "special military operation" grinds on. A previously highly globalised minerals supply network looks set to split into politically polarised spheres of influence, a tectonic realignment with far-reaching implications. The United States and Europe have realised that they can't build out purely domestic supply chains quickly enough to meet demand from the electric vehicle transition.... The process was already well underway before the U.S. State Department announced the formation of the Minerals Security Partnership on June 14. U.S. and Canadian officials have been working closely as Canada fleshes out a promised C$3.8 billion ($3.02 billion) package to boost production of lithium, copper and other strategic minerals. European Commission Vice-President Maros Sefcovic has just been in Norway to seal "a strategic partnership" on battery technologies and critical raw materials. 
The article points out America's Department of Defense is already investing $120 million in a new plant for heavy rare earths separation — and has chosen an Australian company as its partner. Shortly thereafter the Defense Department noted an online disinformation campaign against its new partner (according to U.S.-based cybersecurity firm Mandiant), disinformation which Reuters describes as "a pro-China propaganda campaign" using fake social media accounts to try to stir up opposition.


Remember RadioShack? It's Now a Crypto Company with Wild Tweets

"Gen Z may not be familiar with the RadioShack of their grandparents, but they're getting to know its replacement," writes the Washington Post. "The 100-year-old retailer reintroduced itself on Twitter this week with a stream of often-profane tweets — some since deleted — filled with crude comments and drug references." Variations of "What in the world is going on?" peppered the comment threads, but a glance at the company's Twitter profile partly held the answer: RadioShack is no longer the electronics store Americans ran to for generations, but rather an online cryptocurrency company that also happens to sell batteries. "It's our voice, a new voice, one for the people," said Abel Czupor, the chief marketing officer. "RadioShack's audience used to be only an older demographic, but as times have changed and e-commerce has taken over, the old voice of RadioShack is no longer relevant." Following a decade of decline, RadioShack was delisted by the New York Stock Exchange in 2015. In its struggle to find a brand identity, the chain filed for bankruptcy twice, and went from having roughly 5,200 U.S. stores in 2014 to about 400 when private equity firm Retail Ecommerce Ventures (REV) purchased it in 2020. REV was formed by Alex Mehr, the co-founder of online dating site Zoosk.com, and Tai Lopez, an online influencer known for coaching about his lavish lifestyle. They launched RadioShack Swap, a decentralized crypto exchange platform that allows users to swap coins or tokens, a format that comes with more flexibility and lower transaction fees than trading... In a May statement, the company reported trading volume of $40 million, with a daily average of $500,000 to $2 million.... Yet with its latest marketing strategy on Twitter, the reactions were mixed. Czupor said that one day the platform itself "randomly shut down our account and locked us out," though some tweets were later restored.
The new RadioShack tells the Post that "Sales have actually grown since we started upping our Twitter game over the past several weeks." And the founder of social media marketing consultancy Flying Hare Social told the newspaper that RadioShack's tweets may help them gain visibility — because "Everybody who's interested in crypto is interested in this kind of humor."


Reuters: 'How Mercenary Hackers Sway Litigation Battles'

Reuters shares the results of its investigation into what it calls "mercenary hackers": Reuters identified 35 legal cases since 2013 in which Indian hackers attempted to obtain documents from one side or another of a courtroom battle by sending them password-stealing emails. The messages were often camouflaged as innocuous communications from clients, colleagues, friends or family. They were aimed at giving the hackers access to targets' inboxes and, ultimately, private or attorney-client privileged information. At least 75 U.S. and European companies, three dozen advocacy and media groups and numerous Western business executives were the subjects of these hacking attempts, Reuters found. The Reuters report is based on interviews with victims, researchers, investigators, former U.S. government officials, lawyers and hackers, plus a review of court records from seven countries. It also draws on a unique database of more than 80,000 emails sent by Indian hackers to 13,000 targets over a seven-year period. The database is effectively the hackers' hit list, and it reveals a down-to-the-second look at who the cyber mercenaries sent phishing emails to between 2013 and 2020.... The targets' lawyers were often hit, too. The Indian hackers tried to break into the inboxes of some 1,000 attorneys at 108 different law firms, Reuters found.... "It is an open secret that there are some private investigators who use Indian hacker groups to target opposition in litigation battles," said Anthony Upward, managing director of Cognition Intelligence, a UK-based countersurveillance firm. The legal cases identified by Reuters varied in profile and importance. Some involved obscure personal disputes. Others featured multinational companies with fortunes at stake. From London to Lagos, at least 11 separate groups of victims had their emails leaked publicly or suddenly entered into evidence in the middle of their trials. 
In several cases, stolen documents shaped the verdict, court records show. Reuters spoke to email experts including LinkedIn, Microsoft and Google to help confirm the authenticity of the data they'd received, and reports that one high-profile victim was WeWork co-founder Adam Neumann. (After Reuters told him he'd been targeted starting in 2017, Neumann hired a law firm.) "Reuters reached out to every person in the database — sending requests for comment to each email address — and spoke to more than 250 individuals. Most of the respondents said the attempted hacks revealed in the email database occurred either ahead of anticipated lawsuits or as litigation was under way." America's FBI has been investigating the breaches since at least early 2018, Reuters reports, adding that pressure is now increasing on private eyes who acted as go-betweens for interested clients. Meanwhile, Reuters found former employees of the mercenary firms, who told them that the firms employed dozens of workers — though "a month's salary could be as low as 25,000 rupees (then worth about $370), according to two former workers and company salary records... "Asked about the hacker-for-hire industry, an official with India's Ministry of Justice referred Reuters to a cybercrime hotline, which did not respond to a request for comment."


What Happened After Massachusetts Voters Approved a Right-to-Repair Law?

U.S. right-to-repair advocates hoped a district judge would finally rule Friday on Massachusetts' voter-approved right-to-repair referendum. But they were disappointed again, reports the Boston Globe, since instead the judge said he'd first have to consider a recent ruling by America's Supreme Court limiting the regulatory powers of the U.S. government's Environmental Protection Agency: The Massachusetts law was approved by 75 percent of voters in a 2020 referendum. But its implementation has been held up by court challenges ever since. It would require all automakers selling new cars in Massachusetts to provide buyers with access to "telematic" data — diagnostic information — via a wireless connection. That way, car owners could get their cars repaired at any independent repair shop, instead of being forced to have the work done at manufacturer-approved dealerships. But the Alliance for Automotive Innovation, an association of the world's top carmakers, sued to overturn the law, arguing that only the federal government, not states, may enact such a rule. In addition, carmakers said that they could not redesign the digital systems of their cars in time to comply with the law's 2022 model-year deadline. The lawsuit went to trial last summer, but the court's judgment has been repeatedly delayed. In the meantime, at least two auto manufacturers, Subaru and Kia, began selling cars in Massachusetts with their telematic features switched off, to avoid violating the law. The state's attorney general has now granted a two-week "grace period" during which the law won't be enforced, according to the article, while the district judge "said that he expected to rule before the end of a two-week grace period."


Citing Climate Concerns, New York Denies Permit to Bitcoin Mining Plant

An anonymous reader shares this report from NBC News: A controversial bitcoin mining operation on the largest of central New York's Finger Lakes does not meet the requirements of state climate laws, New York's Department of Environmental Conservation ruled Thursday, denying an air permit request the entity's owner, Greenidge Generation LLC., made in March 2021. Renewing the air permit for the Greenidge facility on Seneca Lake "would be inconsistent with or would interfere with the attainment of statewide greenhouse gas emission limits," the Department of Environmental Conservation, or DEC, said in its ruling. It added that the company, which burns natural gas at its plant, has "failed to demonstrate that the continued operation of the facility is justified notwithstanding this inconsistency, as it has not provided any electric system reliability or other ongoing need for the facility." Greenhouse gas emissions from the plant have increased "dramatically" since a previous permit was issued to Greenidge in 2016 and after the 2019 enactment of New York's Climate Leadership and Community Protection Act, DEC said. Local residents and environmental groups lauded the decision. Greenidge said it would continue to operate the plant under its current permit while it challenged the DEC ruling.... Greenidge took over a mothballed power plant on the shores of Seneca Lake in 2014 and requested permits to operate it as a so-called peaker plant, providing electricity to the grid in times of heavy use. While the operation initially supplied most of its power to the grid, DEC found its main purpose has become bitcoin mining. The article adds that the global usage of electricity for bitcoin mining "roughly equals the consumption of Pakistan, according to the University of Cambridge Bitcoin Electricity Consumption Index."


The Death of a YouTuber

"Effortlessly funny. Endlessly talented. Gone too soon," tweeted fellow YouTuber Ted Nivison after hearing the news. "Technoblade, a popular Minecraft YouTuber, has died from cancer age 23," writes the Verge. But before Technoblade left, he'd prepared a goodbye for his 11.9 million subscribers: In a video uploaded to his YouTube channel titled "so long nerds" and narrated by his father, Technoblade thanked his fans and fellow streamers for their support over the years... His father says Technoblade wrote the script for his final video from bed and died shortly afterwards. "I don't think he said everything he wanted to say, but I think he got the main points," says his father. "He finished that up and then he was done. He lived about another eight hours after that." "Hello, everyone! Technoblade here," the final message begins. "If you're watching this, I am dead. So let's sit down and have one final chat." My real name is Alex. I had one of my siblings call me 'Dave' one time in a deleted video from 2016, and it was one of the most successful pranks we've ever done. Thousands of creepy online dudes trying to get overly personal going 'Oh hey, Dave. How's it going?' Sorry for selling out so much in the past year. But thanks to everyone that bought hoodies, plushies, and channel memberships. My siblings are going to college! Well, if they want to. I don't want to put any dead-brother peer pressure on them. But that's all from me. Thank you all for supporting my content over the years. If I had another hundred lives, I think I would choose to be Technoblade every single time, as those were the happiest years of my life. I hope you guys enjoyed my content, and that I made some of you laugh. And I hope you all go on to live long, prosperous, and happy lives. Because I love you guys. Technoblade out. After reading the statement, the 23-year-old's father remembered that in those final hours, "We all said goodbye."
Then he adds that "He was the most amazing — he was the most amazing kid anyone could ever ask for." He said he misses his son, and thanked his viewers "for everything. You meant a lot to him." And at the end of the video a message from "Techno's mom" appears on the screen. "My son's bravery on this path was a shining lesson to all of us who were privileged to walk it with him."


First RISC-V Laptop Announced

An anonymous reader quotes a report from Phoronix, written by Michael Larabel: RISC-V International has relayed word to us that in China the DeepComputing and Xcalibyte organizations have announced pre-orders on the first RISC-V laptop intended for developers. The "ROMA" development platform features a quad-core RISC-V processor, up to 16GB of RAM, up to 256GB of storage, and should work with most RISC-V Linux distributions. [...] DeepComputing and Xcalibyte say this laptop uses an "unannounced" quad-core RISC-V processor, so it is very light on the details. But frankly, if it wasn't a RISC-V International PR contact relaying this to me, it would sound more like a satire announcement. The ROMA press release today goes on to note, "A Web3-friendly platform with NFT creation and publication plus integrated MetaMask-style wallet, ROMA will create an even more integrated experience with future AR glasses and AI speakers operating entirely on RISC-V software and powered by RISC-V hardware." Quantities are also said to be limited for this ROMA laptop, which likely will put a pricing premium on it. Their cringe-worthy press release filled with buzzwords and scant technical details goes on to note, "The first 100 customers to pre-order ROMA will receive a unique NFT to mark the birth of the world's first native RISC-V development platform laptop. And you can have your ROMA personally engraved with your name or company name." [...] So right now this announcement just raises a lot more questions than answers, but we are certainly looking forward to hearing more about RISC-V laptops... Further reading: Pine64 Is Working On a RISC-V Single-Board Computer


US Hypersonic Missile Fails In Test In Fresh Setback For Program

A flight test of a hypersonic missile system in Hawaii ended in failure due to a problem that took place after ignition, the Department of Defense said, delivering a fresh blow to a program that has suffered stumbles. Bloomberg reports: It didn't provide further details of what took place in the Wednesday test, but said in a statement sent by email "the Department remains confident that it is on track to field offensive and defensive hypersonic capabilities on target dates beginning in the early 2020s." [...] The trial marked the second unsuccessful test flight of the prototype weapon known as Conventional Prompt Strike. There was a booster failure in its first flight test in October, which prevented the missile from leaving the launch pad. The Conventional Prompt Strike weapon is envisioned to be installed on Zumwalt destroyers and Virginia-class submarines. "An anomaly occurred following ignition of the test asset," Pentagon spokesman Navy Lieutenant Commander Tim Gorman said in the statement. "Program officials have initiated a review to determine the cause to inform future tests," he said. "While the Department was unable to collect data on the entirety of the planned flight profile, the information gathered from this event will provide vital insights."


California Late Start Law Aims To Make School Less of a Yawn

Hmmmmmm shares a report from the Associated Press: Beginning this fall, high schools in the nation's most populous state can't start before 8:30 a.m. and middle schools can't start before 8 a.m. under a 2019 first-in-the-nation law forbidding earlier start times. Similar proposals are before lawmakers in New Jersey and Massachusetts. Advocates say teens do better on school work when they're more alert, and predict even broader effects: a reduction in suicides and teen car accidents and improved physical and mental health. The average start time for the nation's high schools was 8 a.m. in 2017-18, but about 42% started before then, including 10% that began classes before 7:30 a.m., according to the National Center for Education Statistics. Middle school start times in 2011-12, the most recent available from NCES, were similar. That's too early for adolescents, whose bodies are wired to stay up later than at other ages because of a later release of the sleep hormone melatonin, scientists say. The American Academy of Pediatrics recommends that middle and high schools start at 8:30 a.m. or later. The Centers for Disease Control and Prevention recommends eight to 10 hours of sleep per night for 13- to 18-year-olds.


Google To Pay $90 Million To Settle Legal Fight With App Developers

Google has agreed to pay $90 million to settle a legal fight with app developers over the money they earned creating apps for Android smartphones and for enticing users to make in-app purchases. Reuters reports: The app developers, in a lawsuit filed in federal court in San Francisco, had accused Google of using agreements with smartphone makers, technical barriers and revenue sharing agreements to effectively close the app ecosystem and shunt most payments through its Google Play billing system with a default service fee of 30%. As part of the proposed settlement, Google said in a blog post it would put $90 million in a fund to support app developers who made $2 million or less in annual revenue from 2016-2021. "A vast majority of U.S. developers who earned revenue through Google Play will be eligible to receive money from this fund, if they choose," Google said in the blog post. Google said it would also charge developers a 15% commission on their first million in revenue from the Google Play Store each year. It started doing this in 2021. "There were likely 48,000 app developers eligible to apply for the $90 million fund, and the minimum payout is $250," notes Reuters.


Pine64 Is Working On a RISC-V Single-Board Computer

Open hardware company Pine64 says it's preparing to launch a single-board computer (SBC) that will be its most powerful RISC-V powered device yet. Liliputing reports: While Pine64 hasn't provided detailed specs yet (some are still being worked out), the company says that the upcoming SBC will have a RISC-V chip that offers comparable performance to the Rockchip RK3566 quad-core ARM Cortex-A55 processor at the heart of Pine64's Quartz64 board. The RISC-V board will be available with 4GB or 8GB of RAM and features support for USB 3.0, Gigabit Ethernet, and a PCIe slot. And while Pine64 hasn't revealed which RISC-V processor it's using yet, the company notes that the chip features an Imagination Technologies BXE-2-32 GPU, which is designed for "entry-level" and "mid-range" applications and for which Imagination plans to make source code available soon. Pine64 says the board will follow the "Model A" form factor, meaning it'll measure around 133 x 80 x 19mm (5.24" x 3.15" x 0.75"). That makes it a bit larger than a Raspberry Pi Model B, but the extra space means there's room for that PCIe slot and other I/O connectors.

