Readability of privacy policies for big tech companies visualised

For The New York Times, Kevin Litman-Navarro plotted the length and readability of privacy policies for large companies:

To see exactly how inscrutable they have become, I analyzed the length and readability of privacy policies from nearly 150 popular websites and apps. Facebook’s privacy policy, for example, takes around 18 minutes to read in its entirety – slightly above average for the policies I tested.

The comparison is between websites with a focus on Facebook and Google, but the main takeaway I think is that almost all privacy policies are complex, because they’re not there for the users.

Source: Readability of privacy policies for big tech companies | FlowingData

National MagLab creates world-record magnetic field with small, compact coil

A novel magnet half the size of a cardboard toilet tissue roll usurped the title of “world’s strongest magnetic field” from the metal titan that had held it for two decades at the Florida State University-headquartered National High Magnetic Field Laboratory.

And its makers say we ain’t seen nothing yet: By packing an exceptionally high-field magnet into a coil you could pack in a purse, MagLab scientists and engineers have shown a way to build and use electromagnets that are stronger, smaller and more versatile than ever before.

Their work is outlined in an article published today in the journal Nature.

“We are really opening a new door,” said MagLab engineer Seungyong Hahn, the mastermind behind the new magnet and an associate professor at the FAMU-FSU College of Engineering. “This technology has a very good potential to entirely change the horizons of high-field applications because of its compact nature.”

[…]

Both the 45-T magnet and the 45.5-T test magnet are built in part with superconductors, a class of conductors boasting special properties, including the ability to carry electricity with perfect efficiency.

The superconductors used in the 45-T are niobium-based, which have been around for decades. But in the 45.5-T proof-of-principle magnet, Hahn’s team used a newer compound called REBCO (rare earth barium copper oxide) with many advantages over conventional superconductors.

Notably, REBCO can carry more than twice as much current as a same-sized section of niobium-based superconductor. This current density is crucial: After all, the electricity running through an electromagnet generates its field, so the more you can cram in, the stronger the field.

Also critical was the specific REBCO product used—paper-thin, tape-shaped wires manufactured by SuperPower Inc.


MagLab Chief Materials Scientist David Larbalestier, who is also a professor at the FAMU-FSU College of Engineering, saw the product’s promise to pack more power into a potential world-record magnet, and encouraged Hahn to give it a go.

The other key ingredient was not something they put in, but rather something they left out: insulation.

Today’s electromagnets contain insulation between conducting layers, which directs the current along the most efficient path. But it also adds weight and bulk.

Hahn’s innovation: A superconducting magnet without insulation. In addition to yielding a sleeker instrument, this design protects the magnet from a malfunction known as a quench. Quenches can occur when damage or imperfections in the conductor block the current from its designated path, causing the material to heat up and lose its superconducting properties. But if there is no insulation, that current simply follows a different path, averting a quench.

“The fact that the turns of the coil are not insulated from each other means that they can share current very easily and effectively in order to bypass any of these obstacles,” explained Larbalestier, corresponding author on the Nature paper.

There’s another slimming aspect of Hahn’s design that relates to quenches: Superconducting wires and tapes must incorporate some copper to help dissipate heat from potential hot spots. His “no-insulation” coil, featuring tapes a mere 0.043-mm thick, requires much less copper than do conventional magnets.

Source: National MagLab creates world-record magnetic field with small, compact coil

British Official Signs U.S. Extradition Order For Julian Assange Despite Hostility Between UK Home Secretary and Trump Regime

Britain’s Home Secretary Sajid Javid told BBC Radio today that he has signed the extradition order for Julian Assange, paving the way for the WikiLeaks founder to be sent to the U.S. to face charges of computer hacking and espionage.

“There’s an extradition request from the U.S. that is before the courts tomorrow, but yesterday I signed the extradition order, certified it, and that will be going in front of the courts tomorrow,” Javid said according to Australia’s public broadcaster, the ABC.

Assange is scheduled to appear in a UK court on Friday, though it’s not clear whether he’ll appear by video link or in person.

“It’s a decision ultimately for the courts but there is a very important part of it for the Home Secretary and I want to see justice done at all times, and we’ve got a legitimate extradition request so I’ve signed it, but the final decision is now with the courts,” Javid continued.

Curiously, Home Secretary Javid signed the extradition paperwork despite not being on the best terms with the U.S. government right now. Javid wasn’t invited to attend formal ceremonies when President Donald Trump recently visited the UK and some believe it’s because Javid criticized Trump’s treatment of Muslims in 2017 as well as the American president’s retweets of the far right group Britain First. Javid has a Muslim background, though he insists he doesn’t know why he wasn’t invited to the recent U.S.-focused events in Britain.

Assange is currently being held in Belmarsh prison in southern London and is serving a 50-week sentence for jumping bail in 2012. Assange sought asylum during the summer of 2012 at Ecuador’s embassy in London, where he lived for almost seven years until this past April. Ecuador revoked Assange’s asylum and the WikiLeaks founder was physically dragged out of the embassy by British police.

WikiLeaks founder Julian Assange, a 47-year-old Australian national, appears to be one step closer to being sent to the United States, but the deal is not done, as Javid notes. Not only does the extradition order need final approval by the UK court, there’s still the question of whether Assange could be sent to Sweden to face sexual assault charges.

The statute of limitation has expired for one of the sexual assault claims made against Assange in Sweden, but a rape claim could still be pursued if Swedish prosecutors decide to push the case. A Swedish court ruled earlier this month that Assange should not be detained in absentia, the first move under Swedish law that would have paved the way for his extradition.

Assange’s Swedish lawyer has previously claimed that Assange was too ill to even appear in court via video link, but secret video seemingly recorded by another inmate recently showed Assange looking relatively normal and healthy.

Assange has been charged with 18 counts by the U.S. Justice Department, including one under the Espionage Act, which potentially carries the death penalty. But American prosecutors supposedly gave Ecuador a “verbal pledge” that they won’t pursue death in Assange’s case, according to American news channel ABC. Obviously, a “verbal pledge” is not something that would hold up in court.

Source: British Official Signs U.S. Extradition Order For Julian Assange Despite Hostility Between UK Home Secretary and Trump Regime

HackerOne Reveals Which Security Bugs Are Making Its Army of Hackers the Most Bank

As far back as 2015, major companies like Sony and Intel have sought to crowdsource efforts to secure their systems and applications through the San Francisco startup HackerOne. Through the “bug bounty” program offered by the company, hackers once viewed as a nuisance—or worse, as criminals—can identify security vulnerabilities and get paid for their work.

On Tuesday, HackerOne published a wealth of anonymized data to underscore not only the breadth of its own program but highlight the leading types of bugs discovered by its virtual army of hackers who’ve reaped financial rewards through the program. Some $29 million has been paid out so far with regards to the top 10 most rewarded types of security weakness alone, according to the company.

HackerOne markets the bounty program as a means to safely mimic an authentic kind of global threat. “It’s one of the best defenses you can have against what you’re actually protecting against,” said Miju Han, HackerOne’s director of product management. “There are a lot of security tools out there that have theoretical risks—and we definitely endorse those tools as well. But what we really have in bug bounty programs is a real-world security risk.”

The program, of course, has its own limitations. Participants have the ability to define the scope of engagement and in some cases—as with the U.S. Defense Department, a “hackable target”—place limits on which systems and methods are authorized under the program. Criminal hackers and foreign adversaries are, of course, not bound by such rules.


“Bug bounties can be a helpful tool if you’ve already invested in your own security prevention and detection,” said Katie Moussouris, CEO of Luta Security, “in terms of secure development if you publish code, or secure vulnerability management if your organization is mostly just trying to keep up with patching existing infrastructure.”

“It isn’t suitable to replace your own preventative measures, nor can it replace penetration testing,” she said.

Not surprisingly, HackerOne’s data shows that overwhelmingly cross-site scripting (XSS) attacks—in which malicious scripts are injected into otherwise trusted sites—remain the top vulnerability reported through the program. Of the top 10 types of bugs reported, XSS makes up 27 percent. No other type of bug comes close. Through HackerOne, some $7.7 million has been paid out to address XSS vulnerabilities alone.

Cloud migration has also led to a rise in exploits such as server-side request forgery (SSRF). “The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like http-enabled databases or perform post requests towards internal services which are not intended to be exposed,” HackerOne said.

Currently, SSRF makes up only 5.9 percent of the top bugs reported. Nevertheless, the company says, these server-side exploits are trending upward as more and more companies find homes in the cloud.
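The SSRF mechanism HackerOne describes above, as an added example that is not part of the article or of HackerOne’s own code: a server-side “fetch this URL for me” helper written naively, beside a hardened version that enforces a host allowlist, rejects non-HTTP schemes, credentials-in-URL tricks and unusual ports, and resolves the name itself so an allowlisted hostname that points at an internal address (cloud metadata, a loopback database) is refused before any request is made. The hostnames, IP addresses, allowlist and DNS answers are constructed for this illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this service is supposed to talk to.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}


def naive_fetch_target(url):
    """Vulnerable pattern: the user-supplied URL is used as-is.

    An attacker submits http://169.254.169.254/latest/meta-data/ or
    http://localhost:5984/_all_dbs and the server fetches it with its own
    network position and credentials. Returned unchanged to show the gap.
    """
    return url


def is_public_address(addr):
    """True only for addresses that are routable on the public internet."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # treat ::ffff:127.0.0.1 as 127.0.0.1
    return ip.is_global and not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def dns_lookup(host):
    """Real resolver: every address the name currently points at (TCP only)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_fetch_target(url, resolve=None):
    """Return (scheme, host, port, pinned_ip) for a URL that passes every check.

    Raises ValueError otherwise. `resolve` maps a hostname to a list of IP
    strings; it defaults to a live DNS lookup, and the demo below injects a
    constructed one so the example runs offline.
    """
    resolve = resolve or dns_lookup
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if parts.username or parts.password:
        # http://api.example.com@169.254.169.254/ : the "host" a human reads
        # is actually the userinfo; the real host is the metadata address.
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    host = host.lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise ValueError("host not on allowlist: %r" % host)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in (80, 443):
        raise ValueError("port not allowed: %d" % port)
    addrs = resolve(host)
    if not addrs:
        raise ValueError("host did not resolve: %r" % host)
    for addr in addrs:
        if not is_public_address(addr):
            raise ValueError("%r resolves to non-public address %s" % (host, addr))
    # Pin the vetted address: the HTTP client should connect to this IP and
    # send "Host: <host>", so a second, different DNS answer (rebinding) cannot
    # redirect the request to an internal address after the check passed.
    return parts.scheme, host, port, addrs[0]


# Constructed DNS answers so the example runs offline. cdn.example.com is on
# the allowlist but (as in a rebinding attack) answers with an internal IP.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "cdn.example.com": ["10.0.0.7"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def rejected(url, resolve=fake_resolve):
    """True if the hardened validator refuses the URL."""
    try:
        validate_fetch_target(url, resolve=resolve)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/items",
              "http://169.254.169.254/latest/meta-data/",
              "http://api.example.com@169.254.169.254/",
              "http://cdn.example.com/",
              "http://api.example.com:5984/_all_dbs",
              "file:///etc/passwd"):
        print("%-45s naive=%s hardened_rejects=%s" % (u, naive_fetch_target(u) == u, rejected(u)))
```

The allowlist does most of the work; the address check exists because an allowlisted name is still attacker-influenced if its DNS is, and the returned pinned IP only helps if the HTTP client actually connects to it rather than resolving the name a second time. Disabling redirect-following in that client matters for the same reason: a permitted host may 302 to an internal one.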

Other top bounties include a range of code injection exploits or misconfigurations that allow improper access to systems that should be locked down. Companies have paid out over $1.5 million alone to address improper access control.

“Companies that pay more for bounties are definitely more attractive to hackers, especially more attractive to top hackers,” Han said. “But we know that bounties paid out are not the only motivation. Hackers like to hack companies that they like using, or that are located in their country.” In other words, even though a company is spending more money to pay hackers to find bugs, it doesn’t necessarily mean that they have more security.

“Another factor is how fast a company is changing,” she said. “If a company is developing very rapidly and expanding and growing, even if they pay a lot of bounties, if they’re changing up their code base a lot, then that means they are not necessarily as secure.”

According to an article this year in TechRepublic, some 300,000 hackers are currently signed up with HackerOne; though only 1-in-10 have reportedly claimed a bounty. The best of them, a group of roughly 100 hackers, have earned over $100,000. Only a couple of elite hackers have attained the highest-paying ranks of the program, reaping rewards close to, or in excess of, $1 million.

View a full breakdown of HackerOne’s “most impactful and rewarded” vulnerability types here.

Source: HackerOne Reveals Which Security Bugs Are Making Its Army of Hackers the Most Bank

The Biggest Data Breach Archive on the Internet Is for Sale

The well-known and respected data breach notification website “Have I Been Pwned” is up for sale.

Troy Hunt, its founder and sole operator, announced the sale on Tuesday in a blog post where he explained why the time has come for Have I Been Pwned to become part of something bigger and more organized.

“To date, every line of code, every configuration and every breached record has been handled by me alone. There is no ‘HIBP team’, there’s one guy keeping the whole thing afloat,” Hunt wrote. “It’s time for HIBP to grow up. It’s time to go from that one guy doing what he can in his available time to a better-resourced and better-funded structure that’s able to do way more than what I ever could on my own.”

Over the years, Have I Been Pwned has become the repository for data breaches on the internet, a place where users can search for their email address and see whether they have been part of a data breach. It’s now also a service where people can sign up to get notified whenever their accounts get breached. It’s perhaps the most useful, free, cybersecurity service in the world.

Source: The Biggest Data Breach Archive on the Internet Is for Sale – VICE