2021 Locus Awards Top Ten Finalists


The Locus Science Fiction Foundation has announced the top ten finalists in each category of the 2021 Locus Awards. These results are from the February 1 to April 15 voting, done by readers on an open public ballot. Congratulations to all!

The Locus Awards winners will be announced June 26, 2021, during the virtual Locus Awards Weekend. Connie Willis will MC the awards ceremony. Additional weekend events include author ...Read More

armamix
171 days ago

Ubiquiti Massively Downplayed a 'Catastrophic' Security Breach To Minimize Impact On Stock Price, Alleges Whistleblower

In January, Ubiquiti Networks sent out a notification to its customers informing them of a security breach and asking all users to change their account passwords and turn on two-factor authentication. "We recently became aware of unauthorized access to certain of our information technology systems hosted by a third party cloud provider," Ubiquiti said at the time. Now, according to Krebs on Security, a whistleblower "alleges Ubiquiti massively downplayed a 'catastrophic' incident to minimize the hit to its stock price, and that the third-party cloud provider claim was a fabrication." From the report: "It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers," [the source] wrote in a letter to the European Data Protection Supervisor. "The breach was massive, customer data was at risk, access to customers' devices deployed in corporations and homes around the world was at risk." According to [the source], the hackers obtained full read/write access to Ubiquiti databases at Amazon Web Services (AWS), which was the alleged "third party" involved in the breach. Ubiquiti's breach disclosure, he wrote, was "downplayed and purposefully written to imply that a 3rd party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack." In reality, [the source] said, the attackers had gained administrative access to Ubiquiti's servers at Amazon's cloud service, which secures the underlying server hardware and software but requires the cloud tenant (client) to secure access to any data stored there. "They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration," [the source] said. 
[The source] says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies. Such access could have allowed the intruders to remotely authenticate to countless Ubiquiti cloud-based devices around the world. According to its website, Ubiquiti has shipped more than 85 million devices that play a key role in networking infrastructure in over 200 countries and territories worldwide. Instead of asking customers to change their passwords when they next log on, [the source] says Ubiquiti should've immediately invalidated all of its customers' credentials and forced a reset on all accounts, mainly because the intruders already had credentials needed to remotely access customer IoT systems.

Read more of this story at Slashdot.
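An added illustration, not code from Ubiquiti, Krebs or the whistleblower, of the point in the last paragraph: once the secrets that sign SSO cookies have leaked, "change your password at next login" changes nothing about which cookies the service trusts, while retiring the signing key kills every outstanding cookie at once. The key-versioned cookie format, the key names and the secrets are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple


def sign_cookie(payload: dict, secret: bytes, key_id: str) -> str:
    """Mint a key-versioned HMAC session cookie: <key_id>.<body>.<tag>."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(secret, f"{key_id}.{body}".encode(), hashlib.sha256).hexdigest()
    return f"{key_id}.{body}.{tag}"


def verify_cookie(cookie: str, active_keys: Dict[str, bytes], now: int) -> Optional[dict]:
    """Return the payload if the cookie is signed by a currently active key and unexpired."""
    parts = cookie.split(".")
    if len(parts) != 3:
        return None
    key_id, body, tag = parts
    secret = active_keys.get(key_id)
    if secret is None:
        return None  # signing key retired: everything minted under it dies at once
    expected = hmac.new(secret, f"{key_id}.{body}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload.get("exp", 0) <= now:
        return None
    return payload


def incident_walkthrough() -> Tuple[bool, bool, bool]:
    """Constructed scenario: the only signing key (k1) is assumed to have leaked."""
    now = 1_700_000_000
    keys = {"k1": b"constructed-secret-assumed-leaked"}
    users = {"alice": "pw-hash-v1"}  # credential store, untouched by cookie checks
    # Any cookie carrying a valid k1 tag is trusted, whether issued by the real
    # login flow or minted elsewhere with the leaked secret.
    cookie = sign_cookie({"sub": "alice", "exp": now + 86_400}, keys["k1"], "k1")
    trusted_before = verify_cookie(cookie, keys, now) is not None
    # The user dutifully changes her password; verification never looks at it.
    users["alice"] = "pw-hash-v2"
    trusted_after_password_change = verify_cookie(cookie, keys, now) is not None
    # Retiring k1 and issuing k2 invalidates every outstanding k1 cookie.
    keys = {"k2": b"constructed-replacement-secret"}
    trusted_after_rotation = verify_cookie(cookie, keys, now) is not None
    return trusted_before, trusted_after_password_change, trusted_after_rotation
```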

armamix
203 days ago
Providing network infrastructure requires trust, this does not build trust.

Mafia fugitive caught after posting YouTube cooking video


Marc Feren Claude Biart was betrayed by failing to hide his distinctive tattoos in the clip

A mafia fugitive has been caught in the Caribbean after appearing on YouTube cooking videos in which he hid his face but inadvertently showed his distinctive tattoos.

Marc Feren Claude Biart, 53, led a quiet life in Boca Chica, in the Dominican Republic, with the local Italian expat community considering him a “foreigner”, police said in a statement on Monday.

armamix
205 days ago
If you're in hiding, it might be smart to, I don't know, not seek out attention perhaps?

Illegal Content and the Blockchain


Security researchers have recently discovered a botnet with a novel defense against takedowns. Normally, authorities can disable a botnet by taking over its command-and-control server. With nowhere to go for instructions, the botnet is rendered useless. But over the years, botnet designers have come up with ways to make this counterattack harder. Now the content-delivery network Akamai has reported on a new method: a botnet that uses the Bitcoin blockchain ledger. Since the blockchain is globally accessible and hard to take down, the botnet’s operators appear to be safe.

It’s best to avoid explaining the mathematics of Bitcoin’s blockchain, but to understand the colossal implications here, you need to understand one concept. Blockchains are a type of “distributed ledger”: a record of all transactions since the beginning, and everyone using the blockchain needs to have access to — and reference — a copy of it. What if someone puts illegal material in the blockchain? Either everyone has a copy of it, or the blockchain’s security fails.

To be fair, not absolutely everyone who uses a blockchain holds a copy of the entire ledger. Many who buy cryptocurrencies like Bitcoin and Ethereum don’t bother using the ledger to verify their purchase. Many don’t actually hold the currency outright, and instead trust an exchange to do the transactions and hold the coins. But people need to continually verify the blockchain’s history on the ledger for the system to be secure. If they stopped, then it would be trivial to forge coins. That’s how the system works.

Some years ago, people started noticing all sorts of things embedded in the Bitcoin blockchain. There are digital images, including one of Nelson Mandela. There’s the Bitcoin logo, and the original paper describing Bitcoin by its alleged founder, the pseudonymous Satoshi Nakamoto. There are advertisements, and several prayers. There’s even illegal pornography and leaked classified documents. All of these were put in by anonymous Bitcoin users. But none of this, so far, appears to seriously threaten those in power in governments and corporations. Once someone adds something to the Bitcoin ledger, it becomes sacrosanct. Removing something requires a fork of the blockchain, in which Bitcoin fragments into multiple parallel cryptocurrencies (and associated blockchains). Forks happen, rarely, but never yet because of legal coercion. And repeated forking would destroy Bitcoin’s stature as a stable(ish) currency.

The botnet’s designers are using this idea to create an unblockable means of coordination, but the implications are much greater. Imagine someone using this idea to evade government censorship. Most Bitcoin mining happens in China. What if someone added a bunch of Chinese-censored Falun Gong texts to the blockchain? What if someone added a type of political speech that Singapore routinely censors? Or cartoons that Disney holds the copyright to?

In Bitcoin’s and most other public blockchains there are no central, trusted authorities. Anyone in the world can perform transactions or become a miner. Everyone is equal to the extent that they have the hardware and electricity to perform cryptographic computations.

This openness is also a vulnerability, one that opens the door to asymmetric threats and small-time malicious actors. Anyone can put information in the one and only Bitcoin blockchain. Again, that’s how the system works.

Over the last three decades, the world has witnessed the power of open networks: blockchains, social media, the very web itself. What makes them so powerful is that their value is related not just to the number of users, but the number of potential links between users. This is Metcalfe’s law — value in a network is quadratic, not linear, in the number of users — and every open network since has followed its prophecy.

As Bitcoin has grown, its monetary value has skyrocketed, even if its uses remain unclear. With no barrier to entry, the blockchain space has been a Wild West of innovation and lawlessness. But today, many prominent advocates suggest Bitcoin should become a global, universal currency. In this context, asymmetric threats like embedded illegal data become a major challenge.

The philosophy behind Bitcoin traces to the earliest days of the open internet. Articulated in John Perry Barlow’s 1996 Declaration of the Independence of Cyberspace, it was and is the ethos of tech startups: Code is more trustworthy than institutions. Information is meant to be free, and nobody has the right — and should not have the ability — to control it.

But information must reside somewhere. Code is written by and for people, stored on computers located within countries, and embedded within the institutions and societies we have created. To trust information is to trust its chain of custody and the social context it comes from. Neither code nor information is value-neutral, nor ever free of human context.

Today, Barlow’s vision is a mere shadow; every society controls the information its people can access. Some of this control is through overt censorship, as China controls information about Taiwan, Tiananmen Square, and the Uyghurs. Some of this is through civil laws designed by the powerful for their benefit, as with Disney and US copyright law, or UK libel law.

Bitcoin and blockchains like it are on a collision course with these laws. What happens when the interests of the powerful, with the law on their side, are pitted against an open blockchain? Let’s imagine how our various scenarios might play out.

China first: In response to Falun Gong texts in the blockchain, the People’s Republic decrees that any miners processing blocks with banned content will be taken offline — their IPs will be blacklisted. This causes a hard fork of the blockchain at the point just before the banned content. China might do this under the guise of a “patriotic” messaging campaign, publicly stating that it’s merely maintaining financial sovereignty from Western banks. Then it uses paid influencers and moderators on social media to pump the China Bitcoin fork, through both partisan comments and transactions. Two distinct forks would soon emerge, one behind China’s Great Firewall and one outside. Other countries with similar governmental and media ecosystems — Russia, Singapore, Myanmar — might consider following suit, creating multiple national Bitcoin forks. These would operate independently, under mandates to censor unacceptable transactions from then on.

Disney’s approach would play out differently. Imagine the company announces it will sue any ISP that hosts copyrighted content, starting with networks hosting the biggest miners. (Disney has sued to enforce its intellectual property rights in China before.) After some legal pressure, the networks cut the miners off. The miners reestablish themselves on another network, but Disney keeps the pressure on. Eventually miners get pushed further and further off of mainstream network providers, and resort to tunneling their traffic through an anonymity service like Tor. That causes a major slowdown in the already slow (because of the mathematics) Bitcoin network. Disney might issue takedown requests for Tor exit nodes, causing the network to slow to a crawl. It could persist like this for a long time without a fork. Or the slowdown could cause people to jump ship, either by forking Bitcoin or switching to another cryptocurrency without the copyrighted content.

And then there’s illegal pornographic content and leaked classified data. These have been on the Bitcoin blockchain for over five years, and nothing has been done about it. Just like the botnet example, it may be that these do not threaten existing power structures enough to warrant takedowns. This could easily change if Bitcoin becomes a popular way to share child sexual abuse material. Simply having these illegal images on your hard drive is a felony, which could have significant repercussions for anyone involved in Bitcoin.

Whichever scenario plays out, this may be the Achilles heel of Bitcoin as a global currency.

If an open network such as a blockchain were threatened by a powerful organization — China’s censors, Disney’s lawyers, or the FBI trying to take down a more dangerous botnet — it could fragment into multiple networks. That’s not just a nuisance, but an existential risk to Bitcoin.

Suppose Bitcoin were fragmented into 10 smaller blockchains, perhaps by geography: one in China, another in the US, and so on. These fragments might retain their original users, and by ordinary logic, nothing would have changed. But Metcalfe’s law implies that the overall value of these blockchain fragments combined would be a mere tenth of the original. That is because the value of an open network relates to how many others you can communicate with — and, in a blockchain, transact with. Since the security of bitcoin currency is achieved through expensive computations, fragmented blockchains are also easier to attack in a conventional manner — through a 51 percent attack — by an organized attacker. This is especially the case if the smaller blockchains all use the same hash function, as they would here.
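The arithmetic behind the "mere tenth" and the easier 51 percent attack, made explicit here as an addition to the essay ($V$, $n$, $k$, $H$ and $a$ are notation introduced for this note, not the authors'):

$$V(n) = c\,n^{2}, \qquad \sum_{i=1}^{k} V\!\left(\frac{n}{k}\right) = k \cdot c\,\frac{n^{2}}{k^{2}} = \frac{V(n)}{k},$$

so $k = 10$ equal fragments retain one tenth of the original network's combined value. For the attack: with the honest hash rate $H$ split evenly, each fragment is defended by $H/k$, so an attacker with hash rate $a$ gains a majority on one fragment once $a > H/k$ instead of $a > H$, and because the fragments share Bitcoin's hash function, mining hardware built for the original chain can be pointed at whichever fragment is weakest.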

Traditional currencies are generally not vulnerable to these sorts of asymmetric threats. There are no viable small-scale attacks against the US dollar, or almost any other fiat currency. The institutions and beliefs that give money its value are deep-seated, despite instances of currency hyperinflation.

The only notable attacks against fiat currencies are in the form of counterfeiting. Even in the past, when counterfeit bills were common, attacks could be thwarted. Counterfeiters require specialized equipment and are vulnerable to law enforcement discovery and arrest. Furthermore, most money today — even if it’s nominally in a fiat currency — doesn’t exist in paper form.

Bitcoin attracted a following for its openness and immunity from government control. Its goal is to create a world that replaces cultural power with cryptographic power: verification in code, not trust in people. But there is no such world. And today, that feature is a vulnerability. We really don’t know what will happen when the human systems of trust come into conflict with the trustless verification that makes blockchain currencies unique. Just last week we saw this exact attack on smaller blockchains — not Bitcoin yet. We are watching a public socio-technical experiment in the making, and we will witness its success or failure in the not-too-distant future.

This essay was written with Barath Raghavan, and previously appeared on Wired.com.

armamix
218 days ago
2 public comments
MotherHydra
217 days ago
Information wants to be free, so does humanity. And people have a funny habit of finding a way, so I don’t expect that any meaningful blocking is going to take place. I do expect parallel crypto networks to spring up and that due to technocratic ambitions, people will be forced into said networks. Fuck censorship and copyright and all of that tosh. Some hope for bitcoin’s demise because they are anti-humanity.
Space City, USA
jgbishop
218 days ago
Great read. Bitcoin is probably doomed in the long run.
Durham, NC
GaryBIshop
217 days ago
We can hope.

2020 Nebula Awards Ballot


The Science Fiction and Fantasy Writers of America (SFWA) have released the final ballot for the 2020 Nebula Awards.

Novel

  • Piranesi, Susanna Clarke (Bloomsbury US; Bloomsbury UK)
  • The City We Became, N.K. Jemisin (Orbit US & UK)
  • Mexican Gothic, Silvia Moreno-Garcia (Del Rey; Jo Fletcher)
  • The Midnight Bargain, C.L. Polk (Erewhon)
  • Black Sun, Rebecca Roanhorse (Saga; Solaris)
  • Network Effect, Martha Wells (Tordotcom)

Novella

  • “Tower
...Read More
armamix
219 days ago
That's a slightly boring shortlist, no? Only read the one science fiction novel here, which was good but nowhere near the best of the year. As always I'll make an effort to read the winner, which will be the Clarke or the Jemisin.

Rover Landing Site Named for Butler


NASA has named the landing site of the Mars 2020 Perseverance rover after SF author Octavia E. Butler (1947-2006). The rover was launched from Cape Canaveral FL on July 30, 2020 and landed in Jezero Crater, Mars on February 18, 2021. The mission will spend at least one Mars year (two Earth years) exploring the landing site region.

For more information, see NASA’s website.

While you are here, please take ...Read More

armamix
227 days ago
Not a bad choice at all.