In January, the National Enquirer published a special edition that revealed an intimate relationship Bezos was having. He asked me to learn who provided his private texts to the Enquirer, and why. My office quickly identified the person whom the Enquirer had paid as a source: a man named Michael Sanchez, the now-estranged brother of Lauren Sanchez, whom Bezos was dating. What was unusual, very unusual, was how hard AMI people worked to publicly reveal their source’s identity. First through strong hints they gave to me, and later through direct statements, AMI practically pinned a “kick me” sign on Michael Sanchez.
“It was not the White House, it was not Saudi Arabia,” a company lawyer said on national television, before telling us more: “It was a person that was known to both Bezos and Ms. Sanchez.” In case even more was needed, he added, “Any investigator that was going to investigate this knew who the source was,” a very helpful hint since the name of who was being investigated had been made public 10 days earlier in a Daily Beast report.
Much was made about a recent front-page story in the Wall Street Journal, fingering Michael Sanchez as the Enquirer’s source—but that information was first published almost seven weeks ago by The Daily Beast, after “multiple sources inside AMI” told The Daily Beast the exact same thing. The actual news in the Journal article was that its reporters were able to confirm a claim Michael Sanchez had been making: It was the Enquirer who first contacted Michael Sanchez about the affair, not the other way around.
AMI has repeatedly insisted they had only one source on their Bezos story, but the Journal reports that when the Enquirer began conversations with Michael Sanchez, they had “already been investigating whether Mr. Bezos and Ms. Sanchez were having an affair.” Michael Sanchez has since confirmed to Page Six that when the Enquirer contacted him back in July, they had already “seen text exchanges” between the couple. If accurate, the WSJ and Page Six stories would mean, clearly and obviously, that the initial information came from other channels—another source or method.
[On Sunday, AMI issued a statement insisting that “it was Michael Sanchez who tipped the National Enquirer off to the affair on Sept. 10, 2018, and over the course of four months provided all of the materials for our investigation.” Read the full statement here. — ed.]
Reality is complicated, and can’t always be boiled down to a simple narrative like “the brother did it,” even when that brother is a person who certainly supplied some information to a supermarket tabloid, and even when that brother is an associate of Roger Stone and Carter Page. Though interesting, it turns out those truths are also too simple.
Why did AMI’s people work so hard to identify a source, and insist to the New York Times and others that he was their sole source for everything?
My best answer is contained in what happened next: AMI threatened to publish embarrassing photos of Jeff Bezos unless certain conditions were met. (These were photos that, for some reason, they had held back and not published in their first story on the Bezos affair, or any subsequent story.) While a brief summary of those terms has been made public before, others that I’m sharing are new—and they reveal a great deal about what was motivating AMI.
An eight-page contract AMI sent for me and Bezos to sign would have required that I make a public statement, composed by them and then widely disseminated, saying that my investigation had concluded they hadn’t relied upon “any form of electronic eavesdropping or hacking in their news-gathering process.”
Note here that I’d never publicly said anything about electronic eavesdropping or hacking—and they wanted to be sure I couldn’t.
They also wanted me to say our investigation had concluded that their Bezos story was not “instigated, dictated or influenced in any manner by external forces, political or otherwise.” External forces? Such a strange phrase. AMI knew these statements did not reflect my conclusions, because I told AMI’s Chief Content Officer Dylan Howard (in a 90-minute recorded phone call) that what they were asking me to say about external forces and hacking “is not my truth,” and would be “just echoing what you are looking for.”
(Indeed, an earlier set of their proposed terms included AMI making a statement “affirming that it undertook no electronic eavesdropping in connection with its reporting and has no knowledge of such conduct”—but now they wanted me to say that for them.)
The contract further held that if Bezos or I were ever in our lives to “state, suggest or allude to” anything contrary to what AMI wanted said about electronic eavesdropping and hacking, then they could publish the embarrassing photos.
I’m writing this today because it’s exactly what the Enquirer scheme was intended to prevent me from doing. Their contract also contained terms that would have inhibited both me and Bezos from initiating a report to law enforcement.
Things didn’t work out as they hoped.
When the terms for avoiding publication of personal photos were presented to Jeff Bezos, he responded immediately: “No thank you.” Within hours, he wrote an essay describing his reasons for rejecting AMI’s threatening proposal. Then he posted it all on Medium, including AMI’s actual emails and their salacious descriptions of private photos. (After the Medium post, AMI put out a limp statement saying it “believed fervently that it acted lawfully in the reporting of the story of Mr. Bezos.”)
The issues Bezos raised in his Medium post have nothing whatsoever to do with Michael Sanchez, any more than revealing the name of a low-level Watergate burglar sheds light on the architects of the Watergate cover-up. Bezos was not expressing concerns about the Enquirer’s original story; he was focused on what he called “extortion and blackmail.”
Next, Bezos directed me to “spend whatever is needed” to learn who may have been complicit in the scheme, and why they did it.
That investigation is now complete. As has been reported elsewhere, my results have been turned over to federal officials. Since it is now out of my hands, I intend today’s writing to be my last public statement on the matter. Further, to respect officials pursuing this case, I won’t disclose details from our investigation. I am, however, comfortable confirming one key fact:
Our investigators and several experts concluded with high confidence that the Saudis had access to Bezos’ phone, and gained private information. As of today, it is unclear to what degree, if any, AMI was aware of the details.
WASHINGTON (Reuters) – The security chief for Amazon chief executive Jeff Bezos said on Saturday that the Saudi government had access to Bezos’ phone and gained private information from it.
Gavin De Becker, a longtime security consultant, said he had concluded his investigation into the publication in January of leaked text messages between Bezos and Lauren Sanchez, a former television anchor who the National Enquirer tabloid newspaper said Bezos was dating.
Last month, Bezos accused the newspaper’s owner of trying to blackmail him with the threat of publishing “intimate photos” he allegedly sent to Sanchez unless he said in public that the tabloid’s reporting on him was not politically motivated.
In an article for The Daily Beast website, De Becker said the parent company of the National Enquirer, American Media Inc., had privately demanded that De Becker deny finding any evidence of “electronic eavesdropping or hacking in their newsgathering process.”
“Our investigators and several experts concluded with high confidence that the Saudis had access to Bezos’ phone, and gained private information,” De Becker wrote. “As of today, it is unclear to what degree, if any, AMI was aware of the details.”
NSO and a competitor, the Emirati firm DarkMatter, exemplify the proliferation of privatized spying. A monthslong examination by The New York Times, based on interviews with current and former hackers for governments and private companies and others as well as a review of documents, uncovered secret skirmishes in this burgeoning world of digital combat.
A former top adviser to the Saudi crown prince, Mohammed bin Salman, spoke of using NSO’s products abroad as part of extensive surveillance efforts. (Credit: Giuseppe Cacace/Agence France-Presse — Getty Images)
The firms have enabled governments not only to hack criminal elements like terrorist groups and drug cartels but also in some cases to act on darker impulses, targeting activists and journalists. Hackers trained by United States spy agencies caught American businesspeople and human rights workers in their net. Cybermercenaries working for DarkMatter turned a prosaic household item, a baby monitor, into a spy device.
The F.B.I. is investigating current and former American employees of DarkMatter for possible cybercrimes, according to four people familiar with the investigation. The inquiry intensified after a former N.S.A. hacker working for the company grew concerned about its activities and contacted the F.B.I., Reuters reported.
NSO and DarkMatter also compete fiercely with each other, paying handsomely to lure top hacking talent from Israel, the United States and other countries, and sometimes pilfering recruits from each other, The Times found.
The Middle East is the epicenter of this new era of privatized spying. Besides DarkMatter and NSO, there is Black Cube, a private company run by former Mossad and Israeli military intelligence operatives that gained notoriety after Harvey Weinstein, the disgraced Hollywood mogul, hired it to dig up dirt on his accusers. Psy-Group, an Israeli company specializing in social media manipulation, worked for Russian oligarchs and in 2016 pitched the Trump campaign on a plan to build an online army of bots and avatars to swing Republican delegate votes.
Last year, a wealthy American businessman, Elliott Broidy, sued the government of Qatar and a New York firm run by a former C.I.A. officer, Global Risk Advisors, for what he said was a sophisticated breach of his company that led to thousands of his emails spilling into public. Mr. Broidy said that the operation was motivated by hard-nosed geopolitics: At the beginning of the Trump administration, he had pushed the White House to adopt anti-Qatar policies at the same time his firm was poised to receive hundreds of millions of dollars in contracts from the United Arab Emirates, the archrival to Qatar.
A judge dismissed Mr. Broidy’s lawsuit, but suspicions have grown that Qatar had a hand in other operations, including the hacking and leaking of the emails of Yousef al-Otaiba, the influential Emirati ambassador in Washington.
The rapid expansion of this global high-tech battleground, where armies of cybermercenaries clash, has prompted warnings of a dangerous and chaotic future.
Rob Wisse, an eye doctor at the University Medical Centre of Utrecht, used the application on 100 people and compared the results with those of an optometrist. He presented his results at the NOG congress.
Academic and scientific research needs to be accessible to all. The world’s most pressing problems like clean water or food security deserve to have as many people as possible solving their complexities. Yet our current academic research system has no interest in harnessing our collective intelligence. Scientific progress is currently thwarted by one thing: paywalls.
Paywalls, which restrict access to content without a paid subscription, represent a common practice used by academic publishers to block access to scientific research for those who have not paid. This keeps £19.6bn flowing from higher education and science into for-profit publisher bank accounts. My recent documentary, Paywall: The Business of Scholarship, uncovered that the largest academic publisher, Elsevier, regularly has a profit margin of 35-40%, which is greater than Google’s. With financial capacity comes power, lobbyists, and the ability to manipulate markets for strategic advantages – things that underfunded universities and libraries in poorer countries do not have.
Furthermore, university librarians are regularly required to sign non-disclosure agreements on their contract-pricing specifics with the largest for-profit publishers. Each contract is tailored specifically to that university based upon a variety of factors: history, endowment, current enrolment. This thwarts any collective discussion around price structures, and gives publishers all the power.
This is why open access to research matters – and there have been several encouraging steps in the right direction. Plan S, which requires that scientific publications funded by public grants must be published in open access journals or platforms by 2020, is gaining momentum among academics across the globe. It’s been recently backed by Italy’s Compagnia di San Paolo, which receives €150m annually to spend on research, as well as the African Academy of Science and the National Science and Technology Council (NSTC) of Zambia. Plan S has also been endorsed by the Chinese government.
Equally, although the US has lagged behind Europe in taking a stand on encouraging open access to research, this is changing. The University of California system has just announced that it will be ending its longstanding subscription to Elsevier. The state of California also recently passed AB 2192, a law that requires anything funded by the state to be made open access within one year of publication. In January, the US President, Donald Trump, signed into law the Open, Public, Electronic and Necessary (OPEN) Government Data Act, which mandates that US federal agencies publish all non-sensitive government data under an open format. This could cause a ripple effect in other countries and organisations.
But there is a role for individual academics to play in promoting open access, too. All academics need to be familiar with their options and to stop signing over copyright unnecessarily. Authors should be aware they can make a copy of their draft manuscript accessible in some form in addition to the finalised manuscript submitted to publishers. There are helpful resources, such as Authors Alliance which helps researchers manage their rights, and Sherpa/RoMEO, which navigates permissions of individual publishers and author rights. In many cases, researchers can also make their historical catalogue of articles available to the public.
Without an academic collective voice demanding open access to their research, the movement will never completely take off. It’s a case of either giving broad society access to scientific advances or allowing these breakthroughs to stay locked away for financial gain. For the majority of academics, the choice should be easy.
The personal information of roughly 3.1 million Toyota customers may have been leaked following a security breach of multiple Toyota and Lexus sales subsidiaries, as detailed in a breach notification issued by the car maker today.
As detailed in a press release published on Toyota’s global newsroom, unauthorized access was detected on the computing systems of Tokyo Sales Holdings, Tokyo Tokyo Motor, Tokyo Toyopet, Toyota Tokyo Corolla, Nets Toyota Tokyo, Lexus Koishikawa Sales, Jamil Shoji (Lexus Nerima), and Toyota West Tokyo Corolla.
“It turned out that up to 3.1 million items of customer information may have been leaked outside the company. The information that may have been leaked this time does not include information on credit cards,” says the data breach notification.
[…]
Security experts consider the attacks targeting Toyota’s subsidiaries and dealers to be part of a large scale coordinated operation attributed to the Vietnamese-backed APT32 hacking group, also known as OceanLotus and Cobalt Kitty, says ZDNet.
FireEye says that APT32 is targeting “foreign companies investing in Vietnam’s manufacturing, consumer products, consulting and hospitality sectors.”
APT32 also targeted research institutes from around the world, media organizations, various human rights organizations, and even Chinese maritime construction firms in the past. [1, 2, 3, 4, 5, 6, 7]
Researchers at the Black Hat Asia conference this week disclosed a previously unknown way to tap into the inner workings of Intel’s chip hardware.
The duo of Mark Ermolov and Maxim Goryachy from Positive Technologies explained how a secret Chipzilla system known as Visualization of Internal Signals Architecture (VISA) allows folks to peek inside the hidden workings and mechanisms of their CPU chipsets – capturing the traffic of individual signals and snapshots of the chip’s internal architecture in real time – without any special equipment.
To be clear, this hidden debug access is not really a security vulnerability. To utilize the channel, you must exploit a 2017 elevation-of-privilege vulnerability, or one similar to it, which itself requires you to have administrative or root-level access on the box. In other words, if an attacker can even get at VISA on your computer, it was already game over for you: they need admin rights.
Rather, Ermolov and Goryachy explained, the ability to access VISA will largely be of interest to researchers and chip designers who want to get a window into the lowest of the low-level operations of Chipzilla’s processor architecture.
What lies within
VISA is one of a set of hidden interfaces, undocumented or only partially documented, called Trace Hub, which Intel produced so that its engineers can see how data moves through the chips and can debug the flow of information between the processor and other hardware components. Specifically, the Platform Controller Hub, which hooks up CPU cores to the outside world of peripherals and other IO hardware, houses Trace Hub and VISA.
“This technology allows access to the internal CPU bus used to read and write memory,” the duo told The Register. “Using it, anyone now can investigate various aspects of hardware security: access control, internal addressing, and private configuration.”
Alongside VISA is an on-chip logic analyzer, and mechanisms for measuring architecture performance, inspecting security fuses, and monitoring things like speculative execution and out-of-order execution.
So, if the VISA controller isn’t much help to directly pwn someone else’s computer, where would it have use for non-Intel folks? Goryachy and Ermolov say that hardware hackers and researchers focused on the inner workings of Intel chips would find VISA of great use when trying to suss out possible side-channel or speculative execution issues, secret security configurations, and so on.
“For example, the main issue while studying the speculative execution is getting feedback from the hardware,” they explained. “This technology provides an exact way to observe the internal state of the CPU or system-on-chip, and confirm any suppositions.”
Many other cars download and store data from users, particularly information from paired cellphones, such as contact information. The practice is widespread enough that the US Federal Trade Commission has issued advisories to drivers warning them about pairing devices to rental cars, and urging them to learn how to wipe their cars’ systems clean before returning a rental or selling a car they owned.
But the researchers’ findings highlight how Tesla is full of contradictions on privacy and cybersecurity. On one hand, Tesla holds car-generated data closely, and has fought customers in court to refrain from giving up vehicle data. Owners must purchase $995 cables and download a software kit from Tesla to get limited information out of their cars via “event data recorders” there, should they need this for legal, insurance or other reasons.
At the same time, crashed Teslas that are sent to salvage can yield unencrypted and personally revealing data to anyone who takes possession of the car’s computer and knows how to extract it.
[…]
In general, cars have become rolling computers that slurp up personal data from users’ mobile devices to enable “infotainment” features or services. Additional data generated by the car enables and trains advanced driver-assistance systems. Major auto-makers that compete with Tesla’s Autopilot include GM’s Cadillac Super Cruise, Nissan Infiniti’s ProPilot Assist and Volvo’s Pilot Assist system.
But GreenTheOnly and Theo noted that in Teslas, dashboard cameras and selfie cameras can record while the car is parked, even in your garage, and there is no way for an owner to know when they may be doing so. The cameras enable desirable features like “sentry mode.” They also enable wipers to “see” raindrops and switch on automatically, for example.
GreenTheOnly explained, “Tesla is not super transparent about what and when they are recording, and storing on internal systems. You can opt out of all data collection. But then you lose [over-the-air software updates] and a bunch of other functionality. So, understandably, nobody does that, and I also begrudgingly accepted it.”
Theo and GreenTheOnly also said Model 3, Model S and Model X vehicles try to upload autopilot and other data to Tesla in the event of a crash. The cars have the capability to upload other data, but the researchers don’t know if and under what circumstances they attempt to do so.
[…]
The company is one of a handful of large corporations to openly court cybersecurity professionals to its networks, urging those who find flaws in Tesla systems to report them in an orderly process — one that gives the company time to fix the problem before it is disclosed. Tesla routinely pays out five-figure sums to individuals who find and successfully report these flaws.
[…]
However, according to two former Tesla service employees who requested anonymity, when owners try to analyze or modify their own vehicles’ systems, the company may flag them as hackers, alerting Tesla of their skills. Tesla then ensures that these flagged people are not among the first to get new software updates.
Doctors have identified a new mutation in a woman who is barely able to feel pain or stress after a surgeon who was baffled by her recovery from an operation referred her for genetic testing.
Jo Cameron, 71, has a mutation in a previously unknown gene which scientists believe must play a major role in pain signalling, mood and memory. The discovery has boosted hopes of new treatments for chronic pain which affects millions of people globally.
Cameron, a former teacher who lives in Inverness, has experienced broken limbs, cuts and burns, childbirth and numerous surgical operations with little or no need for pain relief. She sometimes leans on the Aga and knows about it not from the pain, but the smell.
[…]
But it is not only an inability to sense pain that makes Cameron stand out: she also never panics. When a van driver ran her off the road two years ago, she climbed out of her car, which was on its roof in a ditch, and went to comfort the shaking young driver who cut across her. She only noticed her bruises later. She is relentlessly upbeat, and in stress and depression tests she scored zero.
[…]
In a case report published on Thursday in the British Journal of Anaesthesia, the UCL team describe how they delved into Cameron’s DNA to see what makes her so unusual. They found two notable mutations. Together, they suppress pain and anxiety, while boosting happiness and, apparently, forgetfulness and wound healing.
The first mutation the scientists spotted is common in the general population. It dampens down the activity of a gene called FAAH. The gene makes an enzyme that breaks down anandamide, a chemical in the body that is central to pain sensation, mood and memory. Anandamide works in a similar way to the active ingredients of cannabis. The less it is broken down, the more its analgesic and other effects are felt.
The second mutation was a missing chunk of DNA that mystified scientists at first. Further analysis showed that the “deletion” chopped the front off a nearby, previously unknown gene the scientists named FAAH-OUT. The researchers think this new gene works like a volume control on the FAAH gene. Disable it with a mutation like Cameron has and FAAH falls silent. The upshot is that anandamide, a natural cannabinoid, builds up in the system. Cameron has twice as much anandamide as those in the general population.
UK cops’ sharing of data with the Home Office will be probed by oversight bodies following a super-complaint from civil rights groups, it was confirmed today.
At the heart of the issue is the way that victims’ and witnesses’ data collected by the police are shared with central government immigration teams.
Liberty and Southall Black Sisters last year lodged a super-complaint against the “systemic and potentially unlawful” practices, which allowed criminals to “weaponise” their victims’ immigration status.
An investigation by the rights groups found that victims and witnesses were “frequently reported to immigration enforcement after reporting very serious crimes to the police”.
This, Liberty said, risked deterring people – even those who do not have uncertain immigration statuses – from reporting crime, especially as the victims or witnesses “can be coerced into not reporting” crimes.
[…]
“The only acceptable solution is the formal creation of a ‘firewall’ – a cast-iron promise that personal information collected about victims and witnesses by public services like the police will not be shared with the Home Office for immigration enforcement purposes.”
Liberty proposed this “firewall” idea in its December report into public sector data sharing, arguing that this was the only way to mitigate against the negative impacts of the government’s hostile-environment policies.
The group has repeatedly emphasised these impacts go beyond undocumented migrants, but also affect migrants with regular status “who live in a climate of uncertainty and fear” as well as frontline workers in affected professions.
This was exemplified in last year’s battle to scrap a deal that saw non-clinical patient records shared with the Home Office, as GPs voiced concerns it would break doctor-patient confidentiality and could stop migrants seeking medical treatment.
Canadian startup D-Wave Systems has extended the availability of its Leap branded cloud-based quantum computing service to Europe and Japan.
With Leap, researchers will be granted free access to a live D-Wave 2000Q machine with – it is claimed – 2,000 quantum bits, or qubits.
Developers will also be free to use the company’s Quantum Application Environment, launched last year, which enables them to write quantum applications in Python.
It is important to note that the debate on whether D-Wave’s systems can be considered “true” quantum computers has raged since the company released its first commercial product in 2011.
Rather than focusing on maintaining its qubits in a coherent state – like Google, IBM and Intel – the company uses a process called quantum annealing to solve combinatorial optimisation problems. The process is less finicky but also less useful, which is why D-Wave claims to offer a 2,000-qubit machine while IBM presents a 20-qubit computer.
And yet D-Wave’s systems are being used by Google, NASA, Volkswagen, Lockheed Martin and BAE – as well as Oak Ridge and Los Alamos National Laboratories, among others.
Speed limiting technology looks set to become mandatory for all vehicles sold in Europe from 2022, after new rules were provisionally agreed by the EU.
The Department for Transport said the system would also apply in the UK, despite Brexit.
Campaigners welcomed the move, saying it would save thousands of lives.
Road safety charity Brake called it a “landmark day”, but the AA said “a little speed” helped with overtaking or joining motorways.
Safety measures approved by the European Commission included intelligent speed assistance (ISA), advanced emergency braking and lane-keeping technology.
The EU says the plan could help avoid 140,000 serious injuries by 2038 and aims ultimately to cut road deaths to zero by 2050.
EU Commissioner Elzbieta Bienkowska said: “Every year, 25,000 people lose their lives on our roads. The vast majority of these accidents are caused by human error.
“With the new advanced safety features that will become mandatory, we can have the same kind of impact as when safety belts were first introduced.”
What is speed limiting technology and how does it work?
Under the ISA system, cars receive information via GPS and a digital map, telling the vehicle what the speed limit is.
This can be combined with a video camera capable of recognising road signs.
The system can be overridden temporarily. If a car is overtaking a lorry on a motorway and enters a lower speed-limit area, the driver can push down hard on the accelerator to complete the manoeuvre.
A full on/off switch for the system is also envisaged, but this would lapse every time the vehicle is restarted.
How soon will it become available?
It’s already coming into use. Ford, Mercedes-Benz, Peugeot-Citroen, Renault and Volvo already have models available with some of the ISA technology fitted.
However, there is concern over whether current technology is sufficiently advanced for the system to work effectively.
In particular, many cars already have a forward-facing camera, but there is a question mark over whether the sign-recognition technology is up to scratch.
Other approved safety features for European cars, vans, trucks and buses include technology which provides a warning of driver drowsiness and distraction, such as when using a smartphone while driving, and a data recorder in case of an accident.
Video: Theo Leggett: ‘The car brought us to a controlled halt’
What does it all mean in practice?
Theo Leggett, business correspondent
The idea that cars will be fitted with speed limiters – or to put it more accurately, “intelligent speed assistance” – is likely to upset a lot of drivers. Many of us are happy to break limits when it suits us and don’t like the idea of Big Brother stepping in.
However, the new system as it’s currently envisaged will not force drivers to slow down. It is there to encourage them to do so, and to make them aware of what the limit is, but it can be overridden. Much like the cruise control in many current cars will hold a particular speed, or prevent you exceeding it, until you stamp on the accelerator.
So it’ll still be a free-for-all for speeding motorists then? Not quite. Under the new rules, cars will also be fitted with compulsory data recorders, or “black boxes”.
So if you have an accident, the police and your insurance company will know whether you’ve been going too fast. If you’ve been keeping your foot down and routinely ignoring the car’s warnings, they may take a very dim view of your actions.
In fact, it’s this “spy on board” which may ultimately have a bigger impact on driver behaviour than any kind of speed limiter. It’s easy to get away with reckless driving when there’s only a handful of traffic cops around to stop you. Much harder when there’s a spy in the cab recording your every move.
Researchers at cybersecurity firm Kaspersky Lab say that ASUS, one of the world’s largest computer makers, was used to unwittingly install a malicious backdoor on thousands of its customers’ computers last year after attackers compromised a server for the company’s live software update tool. The malicious file was signed with legitimate ASUS digital certificates to make it appear to be an authentic software update from the company, Kaspersky Lab says.
ASUS, a multi-billion dollar computer hardware company based in Taiwan that manufactures desktop computers, laptops, mobile phones, smart home systems, and other electronics, was pushing the backdoor to customers for at least five months last year before it was discovered, according to new research from the Moscow-based security firm.
The researchers estimate half a million Windows machines received the malicious backdoor through the ASUS update server, although the attackers appear to have been targeting only about 600 of those systems. The malware searched for targeted systems through their unique MAC addresses. Once on a system, if it found one of these targeted addresses, the malware reached out to a command-and-control server the attackers operated, which then installed additional malware on those machines.
Kaspersky Lab said it uncovered the attack in January after adding a new supply-chain detection technology to its scanning tool to catch anomalous code fragments hidden in legitimate code or catch code that is hijacking normal operations on a machine. The company plans to release a full technical paper and presentation about the ASUS attack, which it has dubbed ShadowHammer, next month at its Security Analyst Summit in Singapore. In the meantime, Kaspersky has published some of the technical details on its website.
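The targeting described above, where a widely distributed backdoor only activates on machines whose MAC address is on a hidden list, leaves defenders with one practical question: was any host in my fleet on that list? The following script is an added example, not Kaspersky's tool or anything from the original article. It assumes the malware compared hashes of canonicalised MAC addresses (the MD5 hashing, the colon-separated lower-case form and every entry in the target list are assumptions made for the example; the hash shown is constructed from a made-up address, not a real indicator).

```python
import hashlib
import os
import re

# Constructed target list: a hash of a made-up MAC address, standing in for the
# hashed addresses an actual indicator feed would carry. Not a real indicator.
TARGET_MAC_HASHES = {
    hashlib.md5(b"00:11:22:33:44:55").hexdigest(),
}


def normalise_mac(mac):
    """Canonicalise any common MAC notation (00-11-22-33-44-55, 0011.2233.4455,
    upper or lower case) to lower-case colon-separated form, so that a hash
    comparison is not defeated by formatting differences."""
    hex_only = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hex_only) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    hex_only = hex_only.lower()
    return ":".join(hex_only[i:i + 2] for i in range(0, 12, 2))


def mac_hash(mac):
    # Assumption for this example: targets are stored as MD5 of the canonical form.
    return hashlib.md5(normalise_mac(mac).encode("ascii")).hexdigest()


def is_targeted(mac, target_hashes=TARGET_MAC_HASHES):
    """True if this MAC address hashes to an entry on the target list."""
    return mac_hash(mac) in target_hashes


def local_macs(sysfs="/sys/class/net"):
    """Collect the MAC addresses of local interfaces on Linux via sysfs.
    Returns an empty list on other platforms; pass addresses explicitly there."""
    macs = []
    if not os.path.isdir(sysfs):
        return macs
    for iface in os.listdir(sysfs):
        try:
            with open(os.path.join(sysfs, iface, "address")) as fh:
                addr = fh.read().strip()
        except OSError:
            continue
        if addr and addr != "00:00:00:00:00:00":
            macs.append(addr)
    return macs


def check_host(macs=None, target_hashes=TARGET_MAC_HASHES):
    """Return the subset of the given (or locally discovered) MAC addresses
    that appear on the target list, in their original notation."""
    macs = local_macs() if macs is None else macs
    return [m for m in macs if is_targeted(m, target_hashes)]


if __name__ == "__main__":
    hits = check_host()
    print("targeted interfaces:", hits if hits else "none")
```

Run it on each endpoint with the real indicator list substituted for the constructed one; a hit means the machine was in the attackers' intended set and warrants a full forensic look, while a miss only says the backdoor would have stayed dormant there, not that it was never installed.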
A rigorous new study has examined the large-scale brain activity of a number of human subjects while sleeping, presenting one of the most detailed investigations into sleep phases conducted to date. The study suggests that instead of the traditional four sleep stages we generally understand the brain moves through, there are in fact at least 19 different identifiable brain patterns transitioned through while sleeping.
Traditionally scientists have identified four distinct stages our brain transitions through in a general sleep cycle – three non-REM sleep phases (N1-3) that culminate in a REM phase. The four stages have been classically determined and delineated using electroencephalographic (EEG) brainwave recordings.
“This way of dividing sleep into stages is really based on historical conventions, many of which date back to the 1930s,” explains Angus Stevner, one of the researchers on the project from the Center for Music in the Brain at Aarhus University. “We’ve come up with a more precise and detailed description of sleep as a higher number of brain networks which change their communication patterns and dynamic characteristics during sleep.”
The new research set out to more comprehensively record whole-brain activity in a number of subjects by using functional magnetic resonance imaging (fMRI). The study began by studying 57 healthy subjects in an fMRI scanner. Each subject was asked to lie in the scanner for 52 minutes with their eyes closed. At the same time, each subject was tracked using an EEG. This allowed the researchers to compare traditional brainwave sleep cycle data with that from the fMRI.
Due to the limited duration of the fMRI data, no subjects were found to enter REM sleep, however, 18 subjects did completely transition from wakefulness through the three non-REM sleep phases according to the EEG data. Highlighting the complexity of brain activity during our wake-to-sleep cycle the researchers confidently chronicled 19 different recurring whole-brain network states.
Mapping these whole-brain states onto traditional EEG-tracked sleep phases revealed a number of compelling correlations. Wakefulness, N2 sleep and N3 sleep all could be represented by specific whole brain states. The range of different fMRI-tracked brain states did reduce as subjects fell into deeper sleep phases, with two different fMRI brain states correlating with N2 sleep, and only one with N3. However, N1 sleep as identified by EEG data, the earliest and least clearly defined sleep phase, did not consistently correspond with any fMRI brain state.
The researchers conclude from this data that N1 is actually a much more complex sleep phase than previously understood. This phase, a strange mix of wakefulness and sleep, seemed to encompass a large range of the 19 different whole-brain network states identified in the fMRI data.
On Tuesday, after years of negotiation and lobbying, and outcry and protests by activists online, members of the EU parliament voted to adopt the Directive on copyright in the Digital Single Market [PDF] – a collection of rules that ostensibly aim “to ensure that the longstanding rights and obligations of copyright law also apply to the internet,” as the European Parliament puts it.
By “internet,” EU officials are talking mainly about Facebook and Google, though not exclusively. Everyone using the internet in Europe and every company doing business there will be affected in some way, though no one is quite sure how. And therein lies the problem.
“When this first came up, even the original language was so difficult to imagine being successfully implemented, that it was hard to believe anyone would even try to pass it into law,” said Danny O’Brien, international director of the Electronic Frontier Foundation (EFF) in a phone interview with The Register. “Now after it has gone through the mincing machine of the negotiation, it’s even more incoherent.”
What’s in a name?
Among the rules adopted, two have received the lion’s share of attention: Article 15 and Article 17, which used to be called Article 13 and Article 15 until someone had the clever idea to renumber them.
Article 15 (née 13) will require news aggregators like Google News that want to display content from news providers to obtain a license for anything more than “very short extracts.” Google, predictably, has opposed the plan.
Article 15 has been derided as a “link tax” that will damage small publishers and news-related startups.
That’s not true, the European Parliament insists, noting that hyperlinking has explicitly been exempted in the directive.
As for paying up, Google and other content aggregators may choose to shun publishers that demand payment or bestow a competitive advantage (e.g. ranking) to publishers offering favorable licensing terms. Given how publishers in Europe have regretted the loss of visitor traffic that follows from Google excommunication, they may prefer low- or no-cost licensing to obscurity.
Article 17 (née 15) allows websites to be sued for copyright violations by their users, which websites in the US can avoid thanks to Section 230 of the Communications Decency Act.
Article 17, it’s been said, will require internet companies to adopt upload filters to prevent copyright liability arising from users. Essentially, filters may be needed to stop folks submitting copyrighted work to social networks, forums, online platforms, and other sites. That’s a possibility, but not a certainty.
“The draft directive however does not specify or list what tools, human resources or infrastructure may be needed to prevent unremunerated material appearing on the site,” the European Commission explains.
“There is therefore no requirement for upload filters. However, if large platforms do not come up with any innovative solutions, they may end up opting for filters.”
The Federal Emergency Management Agency may have put the personally identifying information of millions of disaster survivors at risk of fraud and identity theft, according to a recent report from the Department of Homeland Security’s Office of Inspector General.
The March 15 report said that during an audit of FEMA’s Transitional Sheltering Assistance program, it found that the agency shared and subsequently exposed the personal data of 2.3 million survivors of a number of natural disasters that included the 2017 California wildfires as well as hurricanes Harvey, Irma, and Maria.
Survivors of these incidents provided their private information to FEMA in order to obtain assistance such as temporary housing. The audit found that FEMA jeopardized private information that the agency collected about applicants when it “unnecessarily” released some of that information to an undisclosed contractor handling its TSA program.
FEMA, the report stated, shared with the contractor “more than 20 unnecessary data fields for survivors participating in the TSA program,” including bank names, account numbers, and home addresses.
The CheapAir.com 2019 Annual Airfare Study is based on an analysis of 917 million airfares in more than 8,000 markets. Following the recommendations could save you hundreds of dollars on your travel this year.
This report will break down:
The average “best day” to buy your airline ticket
The airfare booking “zones” – what you can expect to pay for an airfare depending on when you buy
How to identify the Prime Booking Window™ – the range of dates you’ll be most likely to find a low price
The best and worst days of the week to fly based on price
How seasonality affects the price of your airline ticket
As you can see, this is a ton of information. But don’t worry. We’re going to break it down in digestible and easy-to-understand bites.
We’ve already done the research and we’re serving it up free. Before you know it, you’ll be buying those flights with understanding and confidence!
For 2018, the “best day to buy a flight” domestically (within the continental U.S.) was 76 days out from your travel date. That’s slightly higher than it was in last year’s report (70 days). Let’s take a bit of a deep dive into the different “booking zones” as airfares fall and rise. Each zone has benefits and risks.
The 6 Airfare Booking Zones
We came up with booking zones to easily chart what an airfare looks like from the approximate time it is published about 11 months out, all the way up to the very last minute you can buy your ticket. Over the years we refined these zones to reflect the subtle differences between each. And we think this system is solid for showing you what you pay (depending on when you buy). Let’s dig in.
First Dibs 315 to 203 Days in Advance (about 10 months to 6.5 months)
We like to recommend First Dibs for buyers with an agenda. You know who you are. You’re less motivated by price and more motivated by your flight preferences (such as a certain flight time or seat) and you want to lock in plans well in advance. Flights in the First Dibs zone do cost about $50 more per ticket than flights in the Prime Booking Window (the most affordable zone), on average. If you like to have many options, however, there’s no better time to buy.
Peace of Mind 202 to 116 Days in Advance (about 6.5 to 4 months)
Peace of Mind is where you might want to land if you’ve got anxiety surrounding big airfare purchases coupled with FOMO for a good deal. When you’re in the Peace of Mind zone, you’ll likely pay just about $20 more than flights in the Prime Booking Window and you’re still buying early enough to have a decent amount of choice.
Prime Booking Window 115 to 21 Days in Advance (about 4 months to 3 weeks)
This is where the magic happens, travelers. And while some of the other zones have shifted slightly from one year to the next, the Prime Booking Window stays pretty solid. What does this mean? Well, the data shows that the lowest airfares tend to pop up about 4 months to 3 weeks in advance of your travel dates. Fares in this zone are within 5% of their lowest point. Bargain shopping? Stay in the sweet spot – the Prime Booking Window.
Push Your Luck 20 to 14 Days in Advance (3 – 2 weeks)
We’re heading into gambling territory once you get within 2-3 weeks of your travel dates. The odds of getting a “cheap ticket” start to decrease heading into the Push Your Luck zone, though if you do like to roll the dice you may still find cheap tickets. One important factor to consider – though there could be lower priced fares in Push Your Luck, the quantity and quality of seats is more limited the closer we get to the travel date. You may find yourself paying slightly more for a subpar seat.
Playing with Fire 13 to 7 Days in Advance (2 – 1 weeks)
No matter how long we’re in the airfare prediction game, we find that some people just like to play with fire. Hence, we carved out the Playing with Fire zone. You’ll almost always pay more than Prime Booking Window buyers, but pay less (close to $135, on average) than people who wait until the very last minute to buy. In this zone, choice is even more limited.
Hail Mary 6 to 0 Days in Advance (less than a week)
How did we get here? Usually, people who are buying in the Hail Mary zone are doing so because of an unexpected trip, not because waiting until less than a week from your travel date was a conscious choice. You’re going to have to cope with the least amount of choice in the Hail Mary zone, and you’re apt to pay almost $220 more than you would have if this ticket was purchased in the Prime Booking Window.
Hawaii as Outlier
Our 50th state is a bit of a standalone. We do not include Hawaii in our main airfare data for a couple of reasons. Hawaii’s distance from the mainland in conjunction with its unique characteristic as a leisure destination means that it has a different dynamic. Check out our separate post on Buying Flights to Hawaii for the best tips and strategies for snagging a low fare to the islands.
There are other factors to consider aside from when you buy that will affect your travel budget. Let’s look at days of the week, for example.
Do Days of the Week Have an Effect on Price?
We can start by dispelling one myth. What day of week you purchase a flight has a negligible effect on flight cost. The average low fare only varies by $1 based on the purchase day of week. Whether you buy that ticket on Tuesday or Sunday it’s going to cost about the same.
On the other hand, there are definitely less expensive days and more expensive days to fly. Tuesday is the cheapest day of the week to fly, nearly $85 cheaper on average than the most expensive day of the week to travel, Sunday. Wednesdays are also great days for air travel. Friday is the second most expensive day of the week to fly. A good rule of thumb – weekends are more expensive and midweek flights save travelers cash.
Don’t Underestimate Seasonality
What time of year you travel can also have an impact on your flight cost. We broke down the seasons and included the most popular time frames in each, to offer travelers an easy reference for finding the best fares. This simple chart tells the story:
When to Buy Winter Flights
If you can avoid Christmas week and ski destinations, most winter destinations offer good value for the money.
The average best time to buy is 94 days from travel (just over 3 months)
The prime booking window is 74 to 116 days (about 2.5 months to nearly 4 months)
The average domestic fare for winter travel is $433, by far the most expensive time of the year for air travel
The difference between the best and worst priced days is $168, which is quite a bit lower than in other seasons. There is much less volatility in airfare pricing all season.
When to Buy Spring Flights
Plan ahead for spring flights. There are no major travel holidays in the spring, but both families and college students enjoy spring break for much of March and April. Take advantage of lower mid-week prices to help keep costs down.
The average best time to buy is 84 days from travel, or nearly 3 months
The prime booking window is 47 to 119 days (about 1.5 months to just under 4 months)
The average domestic fare for spring travel is $354
The difference between the best and worst priced days is $285
When to Buy Summer Flights
Americans travel a ton in the summer, and the peak summer dates of June 15 – August 15 are when the bulk of travel happens. You can find the best deals the closer you get to the end of the season (late August and September will give you the best odds to score low airfare).
The average best time to buy is 99 days out from travel
The prime booking window is 21 to 150 days (about 3 weeks to 5 months)
The average domestic fare for peak summer travel is $365
The difference between the best and worst priced days is $260
Late summer and early fall is shoulder season, and as such, offers great deals (Labor Day weekend notwithstanding). Flying the second half of August on into September is the sweet spot for these deals.
When to Buy Fall Flights
Overall, fall offers great value for budget travelers. Fall is shoulder season for a lot of destinations, and people simply do not travel as much. Of course, the one exception to this rule is Thanksgiving week. Traveling during Thanksgiving? Better buy on the early side.
The average best time to buy is 69 days from travel
The prime booking window is 20 to 109 days (about 3 weeks to 3.5 months)
The average domestic fare for fall travel is $342, which makes it the best season to find travel bargains
The difference between the best and worst priced days is $280
Takeaways
Airfares change all the time. Don’t get bogged down in watching the tiny, incremental fluctuations. We recommend buying an airline ticket when you see a good fare and not hesitating or waffling. Since fares change a lot, when shoppers go away to think about it “for a while,” they’re often disappointed when they come back to find that the good fare has disappeared. Be prepared to buy.
Bookmark this page or commit the Prime Booking Window to memory. It’s where you should focus the bulk of your shopping efforts. Keep in mind that there is still volatility within the prime booking window. Though you can expect peaks and valleys in price, the best fares on average will be found here.
Also, keep in mind that CheapAir.com will “protect” your purchase with Price Drop Payback. Should your fare drop after you buy, we’ll reimburse you up to $100 per ticket.
Need advice for your next vacation abroad? Check back soon for our International When to Buy study results.
Two years ago, Desmond Hughes heard so many of his favorite podcasters extolling AirPods, Apple’s tiny, futuristic $170 wireless headphones, that he decided they were worth the splurge. He quickly became a convert.
Hughes is still listening to podcasters talk about their AirPods, but now they’re complaining. The battery can no longer hold a charge, they say, rendering them functionally useless. Apple bloggers agree: “AirPods are starting to show their age for early adopters,” Zac Hall, an editor at 9to5Mac, wrote in a post in January, detailing how he frequently hears a low-battery warning in his AirPods now. Earlier this month, Apple Insider tested a pair of AirPods purchased in 2016 against a pair from 2018, and found that the older pair died after two hours and 16 minutes. “That’s less than half the stated battery life for a new pair,” the writer William Gallagher concluded.
Hughes, who is 35 and lives in Newport News, Virginia, has noticed a similar thing about his own set: At first, their charge lasted five hours, but now they sometimes last only half an hour. He frequently listens to one while charging the other—not optimal conditions for expensive headphones. He’s now gearing up to plunk down more money on another pair. “I just wish they would increase the battery life,” he told me. (On Wednesday, Apple announced it would soon release a new generation of AirPods, but did not say whether the devices would have longer lives.)
The lithium-ion batteries that power AirPods are everywhere. One industry report forecast that sales would grow to $109.72 billion by 2026, from $36.2 billion in 2018. They charge faster, last longer, and pack more power into a small space than other types of batteries do. But they die faster, too, often after just a few years, because every time you charge them, they degrade a little. They can also catch fire or explode if they become damaged, so technology companies make them difficult, if not impossible, for consumers to replace themselves.
The result: A lot of barely chargeable AirPods and wireless mice and Bluetooth speakers are ending up in the trash as consumers go through products—even expensive ones—faster than ever.
Hughes told me that he and his girlfriend upgrade their iPhones every two years, as they do their iPad. “I guess we don’t keep our technology super long,” he told me. And why should he? Every few months, new tech products come out boasting substantial updates and better batteries. A German environmental agency found that the proportion of products sold to replace a defective appliance grew from 3.5 percent in 2004 to 8.3 percent in 2012.
The European Union has been reconsidering its copyright laws for several years, and for months we’ve been trudging towards a final vote. Well, that vote is scheduled for Tuesday, and if approved it could mean the end of the open internet as we know it.
Specifically, there are two troubling provisions in the EU’s new Copyright Directive: Articles 11 and 13. The former would impose a “link tax” on websites linking to external content they don’t own—which, on its face, is a solution to social giants freeloading on the work of news organizations without paying out any derived ad revenue. Article 13 would impose a content ID system on nearly all platforms to prevent the unauthorized uploading of copyrighted material.
In a perfect world, both of those ideas work to establish a fairer internet. But in the real world, it’s thought the link tax would be a slap on the wrist for major players and a death sentence for the small fry. A near-universal content ID system would also open up a raft of sites to the endless abuses of copyright trolls. My colleague Rhett Jones has a more expansive explanation of these Articles here.
To protest against the impending possibility of a stricter internet, a variety of major sites have engaged in blackouts or popover campaigns today, including Reddit, several EU-area Wikipedias, Twitch, and Pornhub. “Even though Reddit is an American company, we’d be highly impacted by changes to the law, as would our European users,” Reddit wrote in an announcement post today. “It could even impact the availability of services we provide to non-EU users.”
Internet pioneers Tim Berners-Lee and Vint Cerf have also come out in opposition to the EU Copyright Directive’s potential chilling effects on information freedom, as has the Electronic Frontier Foundation, and the United Nations’s special rapporteur on freedom of opinion and expression.
Protest banners and blackouts have become an increasingly common tactic for sites and platforms to push against sweeping legislation, and many of the aforementioned companies engaged in similar actions to preserve net neutrality and rebuke SOPA/PIPA. Given the glacial pace the EU Copyright Directive has been moving at, YouTube and Wikipedia Italy have previously protested the possible law change, while back in January Google threatened to kill its News service in Europe if the legislation goes through.
A Lithuanian man admitted he helped trick Facebook Inc. and Alphabet Inc.’s Google into sending more than $100 million through a phishing scheme.
Evaldas Rimasauskas, 50, pleaded guilty to one count of wire fraud before U.S. District Judge George Daniels on Wednesday under an agreement with prosecutors and will forfeit $49.7 million. Rimasauskas was extradited to New York in August 2017. He faces as many as 30 years in prison when he is sentenced July 24.
Prosecutors alleged that Rimasauskas, along with some unidentified co-conspirators, helped orchestrate a scheme in which fake emails were sent to employees and agents of the two tech giants. The thieves pretended to represent Taiwanese hardware maker Quanta Computer. They told Facebook and Google workers that the companies owed Quanta money, and then directed payments be sent to bank accounts controlled by the scammers.
[…]
Daniels asked Rimasauskas why the victims wired the money and whether they were promised anything in return.
“I’m not sure 100 percent because I was asked to open bank accounts,” Rimasauskas said. “After that I did not do anything with these accounts.”
Assistant U.S. Attorney Eun Young Choi told the judge that prosecutors don’t allege that Rimasauskas was the one who directly induced the companies to send the money.
“He created the infrastructure to further the fraudulent transfers,” Choi said.
The scheme netted about $23 million from Google in 2013 and about $98 million from Facebook in 2015, according to a person familiar with the case, who asked not to be named because the companies haven’t been publicly identified by prosecutors as the victims.
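The scheme above works by impersonating a supplier the victim already pays and steering the payment to an account the attacker controls, so the two checks that catch it are the sender's domain against the supplier's domains on file and the requested account against the one on file. The screening routine below is an added example written for this page, not anything used by the companies or prosecutors named in the article. The vendor master record, the vendor name, the domains and the account strings are all constructed placeholders.

```python
import re
from email.utils import parseaddr

# Constructed vendor master record: the domains and payment account an accounts
# payable team has verified out of band for a supplier. Placeholder values only.
VENDOR_MASTER = {
    "Example Hardware Co.": {
        "domains": {"examplehardware.test"},
        "account": "IBAN-PLACEHOLDER-0001",
    },
}

# Pulls the account identifier out of phrases like "remit to account IBAN-..."
# or "account number 1234567890"; tokens shorter than 8 characters are ignored.
ACCOUNT_RE = re.compile(
    r"(?i)\b(?:account|iban)\b(?:\s*(?:number|no\.?|#))?[^A-Za-z0-9]+([A-Z0-9-]{8,})"
)


def levenshtein(a, b):
    """Edit distance, used to spot look-alike domains (one swapped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def claimed_vendor(display_name, master):
    """Which vendor on file does the sender's display name claim to be?"""
    lowered = display_name.lower()
    for vendor in master:
        if vendor.lower().split()[0] in lowered:
            return vendor
    return None


def screen_invoice(msg, master=VENDOR_MASTER):
    """Return a list of findings for a payment request e-mail; an empty list
    means the sender domain and the account both match the vendor on file."""
    name, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower()
    vendor = claimed_vendor(name, master)
    if vendor is None:
        return ["sender does not match any vendor on file: hold for manual review"]
    record = master[vendor]
    findings = []
    if domain not in record["domains"]:
        lookalikes = [d for d in record["domains"] if levenshtein(domain, d) <= 2]
        note = "sender domain %s is not registered for %s" % (domain, vendor)
        if lookalikes:
            note += " and resembles %s" % lookalikes[0]
        findings.append(note)
    m = ACCOUNT_RE.search(msg["body"])
    if m and m.group(1) != record["account"]:
        findings.append("payment account %s differs from the account on file for %s"
                        % (m.group(1), vendor))
    return findings


if __name__ == "__main__":
    # Constructed message imitating a supplier from a look-alike domain.
    sample = {
        "from": "Example Hardware Accounts <ap@examp1ehardware.test>",
        "subject": "Overdue invoice",
        "body": "Please remit the overdue balance to account IBAN-PLACEHOLDER-9999 today.",
    }
    for finding in screen_invoice(sample):
        print("FLAG:", finding)
```

Any non-empty result should block the payment until the supplier confirms the request through a phone number or portal already on file, never through contact details taken from the e-mail itself; the account comparison is the check that would have stopped the transfers described above even where the sender domain was convincing.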
Researchers in Canada, the U.S., and Australia teamed up for the study, published Wednesday in the BMJ. They tested 24 popular health-related apps used by patients and doctors in those three countries on an Android smartphone (the Google Pixel 1). Among the more popular apps were medical reference site Medscape, symptom-checker Ada, and the drug guide Drugs.com. Some of the apps reminded users when to take their prescriptions, while others provided information on drugs or symptoms of illness.
They then created four fake profiles that used each of the apps as intended. To establish a baseline of where network traffic related to user data was relayed during the use of the app, they used each app 14 times with the same profile information. Then, prior to the 15th use, they made a subtle change to this user information. On this final use, they looked for differences in network traffic, which would indicate that user data obtained by the app was being shared with third parties, and where exactly it was going to.
Overall, they found 79 percent of apps, including the three listed above, shared at least some user data outside of the app itself. While some of the unique entities that had access to the data used it to improve the app’s functions, like maintaining the cloud where data could be uploaded by users or handling error reports, others were likely using it to create tailored advertisements for other companies. When looking at these third parties, the researchers also found that many marketed their ability to bundle together user data and share it with fourth-party companies even further removed from the health industry, such as credit reporting agencies. And while this data is said to be made completely anonymous and de-identified, the authors found that certain companies were given enough data to easily piece together the identity of users if they wanted to.
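The method the study used, a stable baseline of identical sessions followed by one session with a single profile field changed, can be reproduced on any app with a proxy or packet capture on the phone. The script below is an added example written for this page, not the researchers' own code from the BMJ paper. Because it has to run offline, the captured traffic is a constructed stand-in (simulate_capture) with made-up hosts; the first-party domain, the analytics and crash-reporting hosts and the profile data are all assumptions. It goes slightly beyond the text by also searching for the changed value in URL-encoded, base64 and hashed forms, since a tracker that sends a hash of an e-mail address is still sharing a stable user identifier.

```python
import base64
import hashlib
import urllib.parse
from collections import defaultdict

# Constructed: the only host the app's own developer operates in this example.
FIRST_PARTY = {"api.example-health-app.test"}


def simulate_capture(profile):
    """Constructed stand-in for one captured session: the requests the app made,
    reduced to destination host and body. A real study takes these from a
    proxy or packet capture; here the app sends the e-mail to its own API,
    an MD5 of it to an analytics host, and nothing user-related to a crash host."""
    email = profile["email"]
    return [
        {"host": "api.example-health-app.test",
         "body": "email=%s&symptom=%s" % (urllib.parse.quote(email, safe=""),
                                          urllib.parse.quote(profile["symptom"], safe=""))},
        {"host": "analytics.tracker.test",
         "body": '{"uid":"%s","event":"open"}' % hashlib.md5(email.encode()).hexdigest()},
        {"host": "crash.reporter.test",
         "body": '{"app":"1.2.3","stack":"none"}'},
    ]


def value_encodings(value):
    """Forms in which a profile value may show up on the wire."""
    raw = value.encode("utf-8")
    return {
        "plain": value,
        "urlencoded": urllib.parse.quote(value, safe=""),
        "base64": base64.b64encode(raw).decode("ascii"),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


def find_leaks(run, value):
    """Map each host whose request body carries the value to the encodings found."""
    leaks = defaultdict(set)
    encodings = value_encodings(value)
    for req in run:
        for name, token in encodings.items():
            if token in req["body"]:
                leaks[req["host"]].add(name)
    return {host: sorted(names) for host, names in leaks.items()}


def stable_hosts(baseline_runs):
    """Hosts contacted in every baseline run: the app's normal network footprint."""
    per_run = [{req["host"] for req in run} for run in baseline_runs]
    return set.intersection(*per_run) if per_run else set()


def run_study(baseline_profile, changed_profile, changed_field, baseline_runs=14):
    """Baseline runs with one profile, then one run after changing a single field.
    A host is reported only if it carried the old value during the baseline and
    the new value afterwards, which ties the traffic to that field."""
    baseline = [simulate_capture(baseline_profile) for _ in range(baseline_runs)]
    changed = simulate_capture(changed_profile)
    before = find_leaks(baseline[0], baseline_profile[changed_field])
    after = find_leaks(changed, changed_profile[changed_field])
    confirmed = {h: e for h, e in after.items() if h in before}
    return {
        "baseline_hosts": sorted(stable_hosts(baseline)),
        "first_party_leaks": {h: e for h, e in confirmed.items() if h in FIRST_PARTY},
        "third_party_leaks": {h: e for h, e in confirmed.items() if h not in FIRST_PARTY},
    }


if __name__ == "__main__":
    result = run_study({"email": "alice@example.test", "symptom": "headache"},
                       {"email": "alice2@example.test", "symptom": "headache"},
                       "email")
    print(result)
```

With real captures, replace simulate_capture with a function that reads the request log for a session; the rest of the logic is unchanged. Hosts in baseline_hosts that never carry a profile value (the crash reporter here) are the benign service providers the study describes, while anything in third_party_leaks is sharing user data.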
Boeing will make standard on its troubled new airliner a safety feature that might have helped the crew of a jet that crashed shortly after takeoff last year in Indonesia, killing everyone on board.
The equipment, which had been offered as an option, alerts pilots of faulty information from key sensors. It will now be included on every 737 Max as part of changes that Boeing is rushing to complete on the jets by early next week, according to two people familiar with the changes.
[…]
The sensors measure whether the plane is pointed up, down or level in relation to the direction of onrushing air. Software on the Max can push the plane’s nose down if data from one of the sensors indicates the plane is tilted up so sharply that it could stall and fall from the sky.
In the Lion Air case, the sensors malfunctioned and gave wildly conflicting information, and the plane crashed minutes after takeoff. A preliminary report described a grim fight by the pilots to control the plane as it pitched downward more than two dozen times.
It is not known whether the same flight-control system played a role in the March 10 crash of the Ethiopian Airlines jet shortly after takeoff from Addis Ababa, but regulators say both planes had similar erratic flight paths, an important part of their decision to ground the roughly 370 Max planes around the world.
The Lion Air plane also lacked another optional feature: gauges or displays that would let pilots see at a glance the up-or-down direction of the plane’s nose. It was unclear whether such “angle of attack” or AOA gauges will also become standard equipment on the Max.
Boeing declined to say why the options were not standard equipment sooner.
[…]
Max jets flown by Lion Air and Ethiopian Airlines lacked both the sensor-disagreement warning and AOA gauges, according to the New York Times, which first reported Boeing’s decision to make the warning standard. Boeing declined to comment on details of customer orders.
The average list price for a 737 Max 8 is $121.6 million, according to the company’s website, although airlines routinely receive deep discounts. Boeing charges extra for additional features but won’t discuss those numbers, calling it valuable proprietary information.
Low-cost carriers such as Indonesia’s Lion Air may be more likely than the larger airlines to turn down options to save money.
An undisclosed number of Nokia 7 Plus smartphones have been caught sending their identification numbers to a domain owned by a Chinese telecom firm.
The handsets spaffed the data in clear text over the internet to a server behind the domain vnet.cn, which appears to be owned by China Telecom. The HTTP POST requests from the devices included IMEI numbers, SIM numbers, and MAC identifiers, which can be potentially used to identify and track the cellphones.
According to HMD Global, which bought the Nokia phone business from Microsoft in 2016, a limited number of Nokia devices have been communicating by mistake to “a third party server.”
“We have analyzed the case at hand and have found that our device activation client meant for another country was mistakenly included in the software package of a single batch of Nokia 7 Plus,” an HMD Global spokesperson explained to The Register in an email. “Due to this mistake, these devices were erroneously trying to send device activation data to a third party server.”
The company’s spokesperson did not respond to requests to say how many phones are in “a small batch” or to confirm the software was intended for phone activation in China.
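The leak above was visible to anyone inspecting the phone's traffic because the identifiers went out in cleartext HTTP bodies. A reviewer checking a device for the same behaviour wants a scanner that recognises those identifiers in captured requests and notes whether the transport was encrypted. The script below is an added example, not code from HMD Global or the article; the capture it scans is constructed (made-up hosts rather than the domain the article names), the IMEI is a commonly cited format example rather than a real device's, and it validates 15-digit candidates with the Luhn check digit so that arbitrary numbers such as build IDs are not reported.

```python
import re
from urllib.parse import urlsplit

# 15 digits not embedded in a longer digit run; MAC in colon or dash notation.
IMEI_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")


def luhn_valid(digits):
    """IMEI numbers carry a Luhn check digit; use it to reject random 15-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(text):
    """Return the device identifiers found in a request body, by type."""
    found = {}
    imeis = [m for m in IMEI_RE.findall(text) if luhn_valid(m)]
    if imeis:
        found["imei"] = imeis
    macs = MAC_RE.findall(text)
    if macs:
        found["mac"] = [m.lower() for m in macs]
    return found


def find_identifier_leaks(capture):
    """For each captured request carrying an identifier, report the host,
    whether the request went over plain HTTP, and what was sent."""
    report = []
    for req in capture:
        ids = find_identifiers(req["body"])
        if not ids:
            continue
        parts = urlsplit(req["url"])
        report.append({
            "host": parts.hostname,
            "cleartext": parts.scheme == "http",
            "identifiers": ids,
        })
    return report


# Constructed capture: an activation POST in the clear, a telemetry POST over
# TLS, and an update check whose 15-digit build number is not a valid IMEI.
SAMPLE_CAPTURE = [
    {"url": "http://activation.example.test/activate",
     "body": "imei=490154203237518&mac=02:00:5e:10:00:01&model=placeholder"},
    {"url": "https://api.vendor.example.test/telemetry",
     "body": '{"imei":"490154203237518","fw":"1.0"}'},
    {"url": "http://cdn.example.test/update",
     "body": "version=1.0&build=123456789012345"},
]


if __name__ == "__main__":
    for entry in find_identifier_leaks(SAMPLE_CAPTURE):
        transport = "CLEARTEXT" if entry["cleartext"] else "tls"
        print(transport, entry["host"], entry["identifiers"])
```

Feeding it the request log from a proxy on a test handset turns the question "does this phone send identifiers anywhere unexpected?" into a short list of hosts to justify; the cleartext flag marks the cases where, as with the batch described above, anyone on the network path could read the identifiers too.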
Microsoft has helped build the first device that automatically encodes digital information into DNA and back to bits again.
DNA storage: Microsoft has been working toward a photocopier-size device that would replace data centers by storing files, movies, and documents in DNA strands, which can pack in information at mind-boggling density.
According to Microsoft, all the information stored in a warehouse-size data center would fit into a set of Yahtzee dice, were it written in DNA.
Demo device: So far, DNA data storage has been carried out by hand in the lab. But now researchers at the University of Washington who are working with the software giant say they created a machine that converts electronic bits to DNA and back without a person involved.
The gadget, made from about $10,000 in parts, uses glass bottles of chemicals to build DNA strands, and a tiny sequencing machine from Oxford Nanopore to read them out again.
Still limited: According to a publication on March 21 in the journal Nature Scientific Reports, the team was able to store and retrieve just a single word—“hello”—or five bytes of data. What’s more, the process took 21 hours, mostly because of the slow chemical reactions involved in writing DNA.
While the team considered that a success for their prototype, a commercially useful DNA storage system would have to store data millions of times faster.
Why now? It’s a good time for companies involved in DNA storage to show off their stuff. The National Intelligence Agency’s IARPA program is getting ready to hand out tens of millions toward radical new molecular information storage schemes.
Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.
Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That’s according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press.
The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords in them dating back to 2012.
My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.
As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.
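The two mechanisms the story turns on are (1) storing only a salted, slow hash of each password so that the stored value is "unreadable" even to staff with database access, and (2) keeping the plaintext out of application logs in the first place, which is where Facebook's exposure happened. The following is an added example (not Facebook's code, nor an account of how Facebook's login system works) showing both: PBKDF2-HMAC-SHA256 hashing with per-user salt and constant-time verification, plus a log-redaction filter run over a few constructed log lines of the kind an internal application might emit. The iteration count, key names and sample lines are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional

# Work factor for PBKDF2-HMAC-SHA256. Illustrative value; tune to your
# hardware so that one hash costs tens of milliseconds.
PBKDF2_ITERATIONS = 210_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: algorithm$iterations$salt_hex$digest_hex.

    The plaintext never appears in the result; only the salted hash is stored.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Matches key=value / key: value / "key": "value" forms for common password
# field names (assumed list; extend for your own field naming).
_SECRET_KV_RE = re.compile(
    r'(?i)\b(password|passwd|pwd|pass)\b("?\s*[=:]\s*)("[^"]*"|\S+)'
)


def redact_log_line(line: str) -> str:
    """Replace any password value in a log line, preserving quoting style."""

    def _sub(m: "re.Match[str]") -> str:
        value = m.group(3)
        replacement = '"[REDACTED]"' if value.startswith('"') else "[REDACTED]"
        return f"{m.group(1)}{m.group(2)}{replacement}"

    return _SECRET_KV_RE.sub(_sub, line)


def find_plaintext_password_logs(lines: List[str]) -> List[int]:
    """Return indices of log lines that still carry a password value.

    This is the detection side: run it over existing log archives to find
    the kind of exposure described above before someone else does.
    """
    return [i for i, line in enumerate(lines) if _SECRET_KV_RE.search(line)]


# Constructed sample log lines (not real data) in a typical key=value style.
SAMPLE_LOG_LINES = [
    "2019-03-21T10:02:11Z INFO login attempt user=alice password=hunter2 ip=10.0.0.5",
    "2019-03-21T10:02:12Z INFO login ok user=alice",
    '2019-03-21T10:03:40Z DEBUG form_data={"user": "bob", "password": "correct horse"}',
]


if __name__ == "__main__":
    stored = hash_password("hunter2")
    print("stored record:", stored)
    print("verify correct:", verify_password("hunter2", stored))
    print("verify wrong:  ", verify_password("hunter3", stored))
    print("offending lines:", find_plaintext_password_logs(SAMPLE_LOG_LINES))
    for line in SAMPLE_LOG_LINES:
        print(redact_log_line(line))
```

The redaction filter belongs at the logging boundary (a logging `Filter` or the serializer that writes structured events), not in each caller; the hashing function belongs in one place behind the authentication service so that no other application ever holds the plaintext long enough to log it.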
The appearance of moralizing gods in religion occurred after—and not before—the emergence of large, complex societies, according to new research. This finding upturns conventional thinking on the matter, in which moralizing gods are typically cited as a prerequisite for social complexity.
Gods who punish people for their anti-social indiscretions appeared in religions after the emergence and expansion of large, complex societies, according to new research published today in Nature. The finding suggests religions with moralizing gods, or prosocial religions, were not a necessary requirement for the evolution of social complexity. It was only after the emergence of diverse, multi-ethnic empires with populations exceeding a million people that moralizing gods began to appear—a change to religious beliefs that likely worked to ensure social cohesion.
Belief in vengeful gods who punish populations for their indiscretions (say, for failing to perform a ritual sacrifice, or with an angry thunderbolt in response to a direct insult) is endemic in human history (what the researchers call “broad supernatural punishment”). It’s much rarer for religions, however, to involve deities who enforce moral codes and punish followers for failing to act in a prosocial manner. It’s not entirely clear why prosocial religions emerged, but the “moralizing high gods” hypothesis is often invoked as an explanation. Belief in a moralizing supernatural force, the argument goes, was culturally necessary to foster cooperation among strangers in large, complex societies.
