Security

US Cyberattack Hurt Iran's Ability To Target Oil Tankers, Officials Say (nytimes.com) 58

"A secret cyberattack against Iran in June wiped out a critical database used by Iran's paramilitary arm to plot attacks against oil tankers and degraded Tehran's ability to covertly target shipping traffic in the Persian Gulf, at least temporarily," reports The New York Times, citing senior American officials. From the report: Iran is still trying to recover information destroyed in the June 20 attack and restart some of the computer systems -- including military communications networks -- taken offline, the officials said. Senior officials discussed the results of the strike in part to quell doubts within the Trump administration about whether the benefits of the operation outweighed the cost -- lost intelligence and lost access to a critical network used by the Islamic Revolutionary Guards Corps, Iran's paramilitary forces.

The United States and Iran have long been involved in an undeclared cyberconflict, one carefully calibrated to remain in the gray zone between war and peace. The June 20 strike was a critical attack in that ongoing battle, officials said, and it went forward even after President Trump called off a retaliatory airstrike that day after Iran shot down an American drone. Iran has not escalated its attacks in response, continuing its cyberoperations against the United States government and American corporations at a steady rate, according to American government officials.

Medicine

Study Suggests Link Between Air Pollution and Psychiatric Disorders 87

pgmrdlm shares a report from StudyFinds: Could the very air we breathe have an impact on our mental health? That's the suggestion coming out of a new international study conducted in the United States and Denmark. After analyzing long-term data sets from both countries, researchers from the University of Chicago say they have identified a possible link between exposure to environmental pollution, specifically polluted air, and an increase in the onset of psychiatric and mental health problems in a population. According to the findings, air pollution is associated with increased rates of depression and bipolar disorder among both U.S. and Danish populations. That association was actually found to be even greater in Denmark, where poor air quality exposure during the first 10 years of a person's life was found to predict a two-fold increase in the likelihood of developing schizophrenia or a personality disorder.

For the study, researchers analyzed two population data sets. The first was a U.S. health insurance claims database housing 11 years' worth of claims across 151 million people. The second data set included all 1.4 million people born in Denmark between 1979 and 2002 who were still alive, and still living in Denmark, by their 10th birthday. Air pollution levels in specific areas were measured using the air quality standards set by each country; for the U.S., for example, the EPA's air quality measurements were used. Estimating each person's exposure to polluted air was easier for the Danish cohort because researchers had access to each Danish participant's citizen ID number. For Americans, air pollution exposure estimates were limited to county areas.
The study has been published in the journal PLOS Biology.
Books

XKCD Contest Winners Force Book Tour Stop In Juneau Alaska (xkcd.com) 22

XKCD cartoonist Randall Munroe says he received "a huge number of submissions" in a contest to choose an additional city for his upcoming book tour. The challenge? "Write the best story using nothing but book covers... You'll get extra credit for including as many books and people as possible." And the winning entry involved 98 people in an earnest community project featuring Alaskans young and old, in a series of four YouTube videos that lasts nearly three minutes. ("Listen to me. This idea is brilliant. Stop staring at screens. If you love me, get a life...!")

Munroe applauded their efforts in a blog post announcing their winning entry: "I'm a sucker for (a) public libraries, and (b) people who get so excited about glaciers that they lose their train of thought."
Several runners-up will receive a personalized drawing of their bookstore or library -- or a signed book. Runners up include the Content Bookstore in Northfield, Minnesota, who assembled over 60 people for a story in the form of a choose-your-own adventure flowchart. And Naitian Zhou of Ann Arbor, Michigan built an interactive tool that generates arbitrary grammatical sentences by running a database of book titles through Python language tools. ("Don't judge a book by its cover," jokes its web page. "Judge it by its linguistic productivity instead!")

The How To book tour starts on September 3rd in Cambridge, and Munroe says "I'll be appearing in conversation with some very cool people, including researchers, journalists, and cartoonists. We'll be discussing How To, science, comics, the destruction of the universe, and the ethics of hitting drones with tennis balls."
The Internet

Musk and Bezos' Satellite Internet Could Save Consumers Billions of Dollars (thenextweb.com) 96

"The fight for space internet supremacy is on," writes the consumer policy expert at BroadbandNow, calculating the benefits of these additional broadband competitors: Low Earth orbit (LEO) satellites for broadband internet access are beginning to display signs of real potential. Recently, Amazon chief Jeff Bezos' Blue Origin pulled back the curtain on its space intentions by announcing Project Kuiper, a 3,236-satellite constellation. Additionally, Elon Musk's SpaceX Starlink recently launched a rocket containing 60 satellites from Florida's Cape Canaveral... Both players, alongside others like OneWeb, are spending billions in space in hopes of making further billions annually once the satellites go into service for consumers in the US and around the globe. SpaceX will initially launch service to North America, but once its full array is in place, the company has plans to roll the service out across the entire planet. Ostensibly, anywhere with access to open skies could be covered. Amazon has global aspirations for its project as well...

The arrival of this technology is likely to drive down monthly internet prices for hundreds of millions of Americans... According to further analysis of our market-wide pricing database covering plans and pricing from more than 2,000 ISPs, the average "lowest available monthly price" for the estimated 104 million Americans with only one wired broadband provider is $68. For the 75 million Americans with two choices, that average lowest price drops to $59. For the lucky 15 million Americans with five or more choices, it's $47. Because LEO technology will ostensibly be available everywhere in the US, as well as globally, this indicates the powerful influence the entrance of the technology will have on internet prices as new markets gain access to an additional true "broadband" option and competition heats up.

Our projections show that low-latency LEO satellite internet is likely to have a similar impact on average regional prices as wired, low-latency providers. Extrapolating this additional competitor across all US households, the introduction of LEO satellite internet could save Americans over $30 billion... Shortly after, these same transformative benefits could spread to countries across the globe, permanently altering the landscape of the internet as we know it.

Ruby

Backdoor Code Found In 11 Ruby Libraries (zdnet.com) 36

Maintainers of the RubyGems package repository have yanked 18 malicious versions of 11 Ruby libraries that contained a backdoor mechanism and were caught inserting code that launched hidden cryptocurrency mining operations inside other people's Ruby projects. ZDNet reports: The malicious code was first discovered yesterday inside four versions of rest-client, an extremely popular Ruby library. According to an analysis by Jan Dintel, a Dutch Ruby developer, the malicious code found in rest-client would collect and send the URL and environment variables of a compromised system to a remote server in Ukraine. "Depending on your set-up this can include credentials of services that you use e.g. database, payment service provider," Dintel said.

The code also contained a backdoor mechanism that allowed the attacker to send a cookie file back to a compromised project, and allow the attacker to execute malicious commands. A subsequent investigation by the RubyGems staff discovered that this mechanism was being abused to insert cryptocurrency mining code. RubyGems staff also uncovered similar code in 10 other projects. All the libraries, except rest-client, were created by taking another fully functional library, adding the malicious code, and then re-uploading it on RubyGems under a new name. All in all, the 18 malicious library versions only managed to amass 3,584 downloads before being removed from RubyGems.

Privacy

MoviePass Exposed Thousands of Unencrypted Customer Card Numbers (techcrunch.com) 14

New submitter sizzlinkitty writes: Movie ticket subscription service MoviePass has exposed tens of thousands of customer card numbers and personal credit cards because a critical server was not protected with a password. Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, found an exposed database on one of the company's many subdomains. The database was massive, containing 161 million records at the time of writing and growing in real time. Many of the records were normal computer-generated logging messages used to ensure the running of the service -- but many also included sensitive user information, such as MoviePass customer card numbers. These MoviePass customer cards are like normal debit cards: they're issued by Mastercard and store a cash balance, which users who sign up to the subscription service can use to pay to watch a catalog of movies.
Businesses

Wells Fargo's Computer Kept Charging 'Overdrawn' Fees On Supposedly Closed Accounts (startribune.com) 129

The New York Times explains a new issue by describing what happened when Xavier Einaudi tried to close his Wells Fargo checking account. For weeks after the date the bank said the accounts would be closed, it kept some of them active. Payments to his insurer, to Google for online advertising and to a provider of project management software were paid out of the empty accounts in July. Each time, the bank charged Einaudi a $35 overdraft fee... By the middle of July, he owed the bank nearly $1,500. "I don't even know what happened," he said.

Current and former bank employees said Einaudi was charged because of the way Wells Fargo's computer system handles closed accounts: An account the customer believes to be closed can stay open if it has a balance, even one below zero. And each time a transaction is processed for an overdrawn account, Wells Fargo tacks on a fee. The problem has gone unaddressed by the bank despite complaints from customers and employees, including one in the bank's debt-collection department who grew concerned after taking in an estimated $100,000 in overdraft fees over eight months...

Most banks program their systems to stop honoring transactions on the specified date, but Wells Fargo allows accounts to remain open for two more months, according to current and former employees. Customers usually learn what happened only after their overdrawn accounts are sent to Wells Fargo's collections department. If the customers do not pay the overdraft fees, they are reported to a national database like Early Warning Services, which compiles names of delinquent bank customers. That often means a customer cannot open a new bank account anywhere, and getting removed from the lists can take hours' worth of phone calls.

Youtube

YouTube Shuts Down Music Companies' Use of Manual Copyright Claims To Steal Creator Revenue (techcrunch.com) 41

YouTube is making a change to its copyright enforcement policies around music used in videos, which may result in an increased number of blocked videos in the shorter term -- but overall, a healthier ecosystem in the long-term. From a report: Going forward, copyright owners will no longer be able to monetize creator videos with very short or unintentional uses of music via YouTube's "Manual Claiming" tool. Instead, they can choose to prevent the other party from monetizing the video or they can block the content. However, YouTube expects that by removing the option to monetize these sorts of videos themselves, some copyright holders will instead just leave them alone. "One concerning trend we've seen is aggressive manual claiming of very short music clips used in monetized videos. These claims can feel particularly unfair, as they transfer all revenue from the creator to the claimant, regardless of the amount of music claimed," explained YouTube in a blog post.

To be clear, the changes only involve YouTube's Manual Claiming tool, which is not how the majority of copyright violations are handled today. Instead, the majority of claims are created through YouTube's Content ID match system. This system scans videos uploaded to YouTube against a database of files submitted to the site by copyright owners. Then, when a match is found, the copyright holder can choose to block the video or monetize it themselves, and track the video's viewership stats.

Security

The Fashion Line Designed To Trick Surveillance Cameras (theguardian.com) 95

Freshly Exhumed shares a report from The Guardian: Automatic license plate readers, which use networked surveillance cameras and simple image recognition to track the movements of cars around a city, may have met their match, in the form of a T-shirt. Or a dress. Or a hoodie. The anti-surveillance garments were revealed at the DefCon cybersecurity conference in Las Vegas on Saturday by the hacker and fashion designer Kate Rose, who presented the inaugural collection of her Adversarial Fashion line.

To human eyes, Rose's fourth amendment T-shirt contains the words of the fourth amendment to the U.S. constitution in bold yellow letters. The amendment, which protects Americans from "unreasonable searches and seizures," has been an important defense against many forms of government surveillance: in 2012, for instance, the U.S. supreme court ruled that it prevented police departments from hiding GPS trackers on cars without a warrant. But to an automatic license plate reader (ALPR) system, the shirt is a collection of license plates, and they will get added to the license plate reader's database just like any others it sees. The intention is to make deploying that sort of surveillance less effective, more expensive, and harder to use without human oversight, in order to slow down the transition to what Rose calls "visual personally identifying data collection."
"It's a highly invasive mass surveillance system that invades every part of our lives, collecting thousands of plates a minute. But if it's able to be fooled by fabric, then maybe we shouldn't have a system that hangs things of great importance on it," she said.
Security

Researchers Found World-Readable Database Used To Secure Buildings Around the Globe (arstechnica.com) 9

Researchers said they have found a publicly accessible database containing almost 28 million records -- including plain-text passwords, face photos, and personal information -- that was used to secure buildings around the world. Ars Technica reports: Researchers from vpnMentor reported on Wednesday that the database was used by the Web-based Biostar 2 security system sold by South Korea-based Suprema. Biostar uses facial recognition and fingerprint scans to identify people authorized to enter warehouses, municipal buildings, businesses, and banks. vpnMentor said the system has more than 1.5 million installations in a wide range of countries including the U.S., the UK, Indonesia, India, and Sri Lanka. According to vpnMentor, the 23-gigabyte database contained more than 27.8 million records used by Biostar to secure customer facilities. The data included usernames, passwords and user IDs in plaintext, building access logs, employee records including start dates, personal details, mobile device data, and face images. The researchers said the data also included more than 1 million records containing actual fingerprint scans, but the report provided no data to support the claim.

"The vpnMentor researchers said they discovered the exposed database on August 5 and privately reported the finding two days later," reports Ars Technica. "The data wasn't secured until Tuesday, six days later."
Privacy

Major Breach Found in Biometrics System Used By Banks, UK Police and Defence Firms (theguardian.com) 21

The fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees, were discovered on a publicly accessible database for a company used by the likes of the UK Metropolitan police, defence contractors and banks, The Guardian reported Wednesday. From the report: Suprema is the security company responsible for the web-based Biostar 2 biometrics lock system that allows centralised control for access to secure facilities like warehouses or office buildings. Biostar 2 uses fingerprints and facial recognition as part of its means of identifying people attempting to gain access to buildings. Last month, Suprema announced its Biostar 2 platform was integrated into another access control system -- AEOS. AEOS is used by 5,700 organisations in 83 countries, including governments, banks and the UK Metropolitan police. The Israeli security researchers Noam Rotem and Ran Locar, working with vpnmentor, a service that reviews virtual private network services, have been running a side project that scans ports looking for familiar IP blocks, and then uses these blocks to find holes in companies' systems that could potentially lead to data breaches. In a search last week, the researchers found Biostar 2's database was unprotected and mostly unencrypted. They were able to search the database by manipulating the URL search criteria in Elasticsearch to gain access to data.
Privacy

Amazon's Facial Recognition Misidentified 1 in 5 California Lawmakers as Criminals (vice.com) 79

The ACLU tested Rekognition, Amazon's facial recognition technology, on photographs of California lawmakers. It matched 26 of them to mugshots. From a report: In a recent test of Amazon's facial recognition software, the American Civil Liberties Union of Northern California revealed that it mistook 26 California lawmakers as people arrested for crimes. The ACLU used Rekognition, Amazon's facial recognition software, to evaluate 120 photos of lawmakers against a database of 25,000 arrest photos, ACLU attorney Matt Cagle said at a press conference on Tuesday. One in five lawmaker photographs were falsely matched to mugshots, exposing the frailties of an emerging technology widely adopted by law enforcement. The ACLU used the default Rekognition settings, which match identity at 80 percent confidence, Cagle said. Assembly member Phil Ting was among those whose picture was falsely matched to an arrest photo. He's also an active advocate for limiting facial recognition technology: in February, he introduced a bill, co-sponsored by the ACLU, that bans the use of facial recognition and other biometric surveillance on police-worn body cameras.
Transportation

Getting Cool Vanity License Plate 'NULL' Is Not Really a Cool Idea, Infosec Researcher Discovers (mashable.com) 106

Choosing NULL as your license plate might seem like a funny idea. But as an infosec researcher discovered recently, the cool-looking NULL vanity plate comes with consequences of its own. The researcher, who goes by the handle Droogie and presented at this year's DEF CON in Las Vegas, said he has been on the receiving end of thousands of dollars' worth of tickets that aren't his. From a report: Droogie registered a vanity California license plate consisting solely of the word "NULL" -- which in programming is a term for no specific value -- for fun. And, he admitted to laughs, on the off chance it would confuse automatic license plate readers and the DMV's ticketing system. "I was like, 'I'm the shit,'" he joked to the crowd. "'I'm gonna be invisible.' Instead, I got all the tickets." Things didn't go south immediately. As Droogie explained, he's a cautious driver and didn't get any tickets for the first year he owned the vanity plate. Then he went to reregister his tags online, and, when prompted to input his license plate, broke the DMV webpage. It seemed the DMV site didn't recognize the plate "NULL" as an actual input.

That was the first sign that something was amiss. The next sign was, well, a little more serious: After receiving a legitimate parking ticket, thousands of dollars in random tickets started arriving in the mail at his house, addressed to him. It seemed that a privately operated citation processing center had a database of outstanding tickets, and, for some reason -- possibly due to incomplete data on their end -- many of those tickets were assigned to the license plate "NULL." In other words, the processing center was likely trying to tell its systems it didn't know the plates of the offending cars. Instead, with Droogie's vanity plate now in play, it pegged all those outstanding tickets on him. Specifically, over $12,000 worth of outstanding tickets.
Long story short, Droogie went through the painstaking process of explaining the situation to the DMV and the LAPD, both of whom advised him to change his plate. At any rate, the DMV reached out to the private vendor and sorted the issue.
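The failure mode the report describes, a system that stores the literal string "NULL" as its "plate unknown" marker and then joins tickets to registrations by plate, is easy to reproduce. The following is an added example, not code from the article or from the citation processor it describes; the tables, rows and owner names are constructed, and the join is an assumed shape of the lookup rather than the vendor's real logic. It contrasts the string sentinel with a real SQL NULL, which an equality join never matches, so unreadable plates fall out for review instead of landing on whoever registered "NULL".

```python
"""Sentinel-string collision: a plate literally spelled "NULL" vs. an unknown plate.

Added example (not the article's or the vendor's code). Schema and data are
constructed to illustrate the join behaviour; they are not real records.
"""
import sqlite3

# Constructed registrations: one real vanity plate "NULL", one ordinary plate.
REGISTRATIONS = [("NULL", "Droogie"), ("7ABC123", "Alice")]

# Constructed tickets. Tickets 1 and 2 had unreadable plates.
# Weak scheme: the string "NULL" is used as the "unknown plate" marker.
TICKETS_STRING_SENTINEL = [(1, "NULL", 65), (2, "NULL", 120), (3, "7ABC123", 40)]
# Corrected scheme: unknown plates are stored as a real SQL NULL (Python None).
TICKETS_REAL_NULL = [(1, None, 65), (2, None, 120), (3, "7ABC123", 40)]


def tickets_by_owner(tickets):
    """Join tickets to registrations by plate and return {owner: total_fine}."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE registrations (plate TEXT, owner TEXT)")
    con.execute("CREATE TABLE tickets (id INTEGER, plate TEXT, fine INTEGER)")
    con.executemany("INSERT INTO registrations VALUES (?, ?)", REGISTRATIONS)
    con.executemany("INSERT INTO tickets VALUES (?, ?, ?)", tickets)
    # An equality join never matches SQL NULL (NULL = NULL is not true), so
    # genuinely unknown plates drop out of the join instead of being billed
    # to the owner of the plate "NULL".
    rows = con.execute(
        "SELECT r.owner, SUM(t.fine) FROM tickets t "
        "JOIN registrations r ON r.plate = t.plate GROUP BY r.owner"
    ).fetchall()
    con.close()
    return dict(rows)


def unmatched_tickets(tickets):
    """IDs of tickets with no readable plate; these need manual review, not a default owner."""
    return [ticket_id for ticket_id, plate, _fine in tickets if plate is None]


if __name__ == "__main__":
    print("string sentinel:", tickets_by_owner(TICKETS_STRING_SENTINEL))
    print("real NULL:      ", tickets_by_owner(TICKETS_REAL_NULL))
    print("needs review:   ", unmatched_tickets(TICKETS_REAL_NULL))
```

With the string sentinel, both unreadable tickets are charged to the owner of the "NULL" plate; with a real NULL, only the ticket that actually matches a plate is attributed and the other two surface as unmatched, which is the behaviour a ticketing pipeline should have regardless of what vanity plates exist.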
Cloud

Hundreds of Exposed Amazon Cloud Backups Found Leaking Sensitive Data (techcrunch.com) 16

An anonymous reader quotes a report from TechCrunch: New research just presented at the Def Con security conference reveals how companies, startups and governments are inadvertently leaking their own files from the cloud. You may have heard of exposed S3 buckets -- those Amazon-hosted storage servers packed with customer data but often misconfigured and inadvertently set to "public" for anyone to access. But you may not have heard about exposed EBS snapshots, which pose as much, if not greater, risk. These elastic block storage (EBS) snapshots are the "keys to the kingdom," said Ben Morris, a senior security analyst at cybersecurity firm Bishop Fox, in a call with TechCrunch ahead of his Def Con talk. EBS snapshots store all the data for cloud applications. "They have the secret keys to your applications and they have database access to your customers' information," he said.

Morris built a tool using Amazon's own internal search feature to query and scrape publicly exposed EBS snapshots, then attach each one, make a copy, and list the contents of the volume on his system. It took him two months to build up a database of exposed data and just a few hundred dollars spent on Amazon cloud resources. Once he validates each snapshot, he deletes the data. Morris found dozens of snapshots exposed publicly in one region alone, he said, including application keys, critical user or administrative credentials, source code and more. He found several major companies, including healthcare providers and tech companies. He also found VPN configurations, which he said could allow him to tunnel into a corporate network. Morris said he did not use any credentials or sensitive data, as it would be unlawful.
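The defender's side of this finding is an audit of your own account: an EBS snapshot is public when its createVolumePermission attribute grants the group "all", and shared when it lists other account IDs. The block below is an added example, not Morris's tool and not Bishop Fox code. It uses the real boto3 EC2 calls describe_snapshots (with OwnerIds=["self"]) and describe_snapshot_attribute; the snapshot IDs, descriptions and permission responses embedded for the offline run are constructed to mirror the documented response shape, and the live_audit helper is the only part that talks to AWS.

```python
"""Audit the calling AWS account's EBS snapshots for public or cross-account sharing.

Added example (not the article's tool). Live calls use boto3's documented
describe_snapshots / describe_snapshot_attribute APIs; the SAMPLE_* data
below is constructed so the classification logic can be run offline.
"""
try:
    import boto3  # only needed for live_audit()
except ImportError:  # boto3 absent: offline sample still works
    boto3 = None


def classify_permissions(attr_response):
    """Map a describe_snapshot_attribute response to private / shared / public."""
    perms = attr_response.get("CreateVolumePermissions", [])
    if any(p.get("Group") == "all" for p in perms):
        return "public"       # anyone can create a volume from this snapshot
    if any("UserId" in p for p in perms):
        return "shared"       # specific other accounts can copy it
    return "private"


def audit_snapshots(snapshots, get_attribute):
    """Return findings for snapshots exposed beyond the owning account.

    snapshots: list of dicts shaped like describe_snapshots()['Snapshots'];
    get_attribute: callable(snapshot_id) -> describe_snapshot_attribute response.
    """
    findings = []
    for snap in snapshots:
        status = classify_permissions(get_attribute(snap["SnapshotId"]))
        if status == "private":
            continue
        findings.append({
            "SnapshotId": snap["SnapshotId"],
            "status": status,
            "Encrypted": snap.get("Encrypted", False),
            "Description": snap.get("Description", ""),
        })
    return findings


def live_audit(region_name="us-east-1"):
    """Run the audit against the calling account (needs AWS credentials and boto3)."""
    ec2 = boto3.client("ec2", region_name=region_name)
    snaps = []
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        snaps.extend(page["Snapshots"])

    def get_attr(snapshot_id):
        return ec2.describe_snapshot_attribute(
            SnapshotId=snapshot_id, Attribute="createVolumePermission")

    return audit_snapshots(snaps, get_attr)


# Constructed sample data: placeholder snapshot IDs, not real resources.
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0aaa", "Encrypted": False, "Description": "prod-db nightly"},
    {"SnapshotId": "snap-0bbb", "Encrypted": True, "Description": "shared with partner"},
    {"SnapshotId": "snap-0ccc", "Encrypted": False, "Description": "dev scratch"},
]
SAMPLE_ATTRIBUTES = {
    "snap-0aaa": {"CreateVolumePermissions": [{"Group": "all"}]},
    "snap-0bbb": {"CreateVolumePermissions": [{"UserId": "123456789012"}]},
    "snap-0ccc": {"CreateVolumePermissions": []},
}


def sample_findings():
    """Offline run over the constructed sample; the public and shared ones are reported."""
    return audit_snapshots(SAMPLE_SNAPSHOTS, SAMPLE_ATTRIBUTES.__getitem__)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['SnapshotId']}: {f['status']} "
              f"(encrypted={f['Encrypted']}) {f['Description']}")
```

Run live_audit() per region, since snapshots are regional. A public finding is removed with modify_snapshot_attribute using Attribute="createVolumePermission", OperationType="remove" and GroupNames=["all"]; the unencrypted "prod-db nightly" style of finding is the one that matches the article's description of application keys and credentials sitting inside a shared volume.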

E3

E3 Accidentally Doxxed Over 2,000 Journalists, YouTubers, and Streamers (buzzfeednews.com) 45

The Entertainment Software Association, which runs the E3 video game expo, accidentally made phone numbers, emails, names, and addresses of over 2,000 attendees public on their website. "A copy of the list was archived on several popular message boards for trolls, and includes the home addresses of many reporters," reports BuzzFeed News. From the report: The leaked list was discovered by journalist and YouTube creator Sophia Narwitz. Narwitz made a video about the database, titled "The Entertainment Software Association just doxxed over 2000 journalists and content creators," last week. Narwitz told BuzzFeed News that some members of the media criticized her following her video, accusing her of drawing attention to the list. Making Narwitz's role in this more complicated is her history with the pro-GamerGate subreddit, r/KotakuInAction. She's currently arguing publicly with members of the gaming site Kotaku. Based on screenshots Narwitz tweeted, however, she did attempt to notify ESA about the leak before making her video about it. "I think this whole event shows a stunning level of incompetence on the ESA's part. The file wasn't password protected, it was just in the open for anyone to download with a single click," she said. Harassment against those included on the list appears to have already begun. "ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public," the ESA wrote in a statement provided to Kotaku. "Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this occurrence and have put measures in place to ensure it will not occur again."
Security

Voter Records For 80% of Chile's Population Left Exposed Online (zdnet.com) 44

An anonymous reader writes: "The voter information of more than 14.3 million Chileans, which accounts for nearly 80% of the country's entire population, was left exposed and leaking on the internet inside an Elasticsearch database," reports ZDNet. "The database contained names, home addresses, gender, age, and tax ID numbers (RUT, or Rol Único Tributario) for 14,308,151 individuals...including many high-profile Chilean officials."

A spokesperson for the Chile Electoral Service said the data appears to have been scraped without authorization from its website, from a section that allows users to update their voting data. Chile now joins countries such as the US, Mexico, Turkey, and the Philippines, whose voter information was gathered in bulk and then published online in one big pile, easy to access for any crooks.

Crime

NYPD Adds Children As Young As 11 To Facial Recognition Database (nytimes.com) 76

"The New York Police Department (NYPD) has been loading thousands of arrest photos of children and teenagers into a facial recognition database despite evidence the technology has a higher risk of false matches in younger faces," reports The New York Times. Some of the children included in the database are as young as 11, but most are teenagers between 13 and 16 years old. From the report: Elected officials and civil rights groups said the disclosure that the city was deploying a powerful surveillance tool on adolescents -- whose privacy seems sacrosanct and whose status is protected in the criminal justice system -- was a striking example of the Police Department's ability to adopt advancing technology with little public scrutiny. Several members of the City Council as well as a range of civil liberties groups said they were unaware of the policy until they were contacted by The New York Times.

Police Department officials defended the decision, saying it was just the latest evolution of a longstanding policing technique: using arrest photos to identify suspects. The New York Police Department can take arrest photos of minors as young as 11 who are charged with a felony, depending on the severity of the charge. And in many cases, the department keeps the photos for years, making facial recognition comparisons to what may have effectively become outdated images. There are photos of 5,500 individuals in the juvenile database, 4,100 of whom are no longer 16 or under, the department said. Teenagers 17 and older are considered adults in the criminal justice system.
Civil rights advocates say that including their photos in a facial recognition database runs the risk that an imperfect algorithm identifies them as possible suspects in later crimes. A mistaken match could lead investigators to focus on the wrong person from the outset, they said.
Open Source

When Open Source Software Comes With a Few Catches (wired.com) 120

As open source software grows more popular, and important, developers face an existential question: How to make money from something you give away for free? An anonymous reader shares a report: The Open Source Initiative standards body says an open source license must allow users to view the underlying source code, modify it, and share it as they see fit. Independent developers and large companies alike now routinely release software under these licenses. Many coders believe open collaboration results in better software. Some companies open their code for marketing purposes. Open source software now underpins much technology, from smartphone operating systems to government websites.

Companies that release software under open source licenses generate revenue in different ways. Some sell support, including Red Hat, which IBM acquired for $34 billion earlier this month. Others, like cloud automation company HashiCorp, sell proprietary software based on the open source components. But with the rise of cloud computing, developers see their open source code being bundled into services and sold by other companies. Amazon, for example, sells a cloud-hosted service based on the popular open source database Redis, which competes with a similar cloud-hosted service offered by Redis Labs, the sponsor of the open source project. To protect against such scenarios, companies behind popular open source projects are restricting how others can use their software. Redis Labs started the trend last year when it relicensed several add-ons for its core product under terms that essentially prohibit offering those add-ons as part of a commercial cloud computing service.

That way, Amazon and other cloud providers can't use those add-ons in their competing Redis services. Companies that want the functionality provided by those add-ons need to develop those features themselves, or get permission from Redis Labs. [...] Analytics company Confluent and database maker CockroachDB added similar terms to their licenses, preventing cloud computing companies from using some or all of their code to build competing services. Taking a slightly different tack, MongoDB relicensed its flagship database product last year under a new "Server Side Public License" (SSPL) that requires companies that sell the database system as a cloud service also release the source code of any additional software they include.

Programming

'5 Programming Languages That Are Probably Doomed' (dice.com) 390

An anonymous reader shares a report: Not all programming languages endure forever. In fact, even the most popular ones inevitably crumble away, as new generations of developers embrace other languages and frameworks they find easier to work with. In order to determine which programming languages are likely doomed in the medium- to long-term, we looked at the popularity rankings by TIOBE and RedMonk, as well as Dice's own database of job postings. If your career is based on any of the following languages, we suggest diversifying your skill-set at some point: Ruby, Haskell, Objective-C, R, and Perl.
Privacy

UK Made Illegal Copies and Mismanaged Schengen Travelers Database (zdnet.com) 59

Authorities in the United Kingdom have made unauthorized copies of data stored inside an EU database for tracking undocumented migrants, missing people, stolen cars, or suspected criminals. From a report: Named the Schengen Information System (SIS), this is an EU-run database that stores information such as names, personal details, photographs, fingerprints, and arrest warrants for 500,000 non-EU citizens denied entry into Europe, over 100,000 missing people, and over 36,000 criminal suspects. The database was created for the sole purpose of helping EU countries manage access to the passport-free Schengen travel zone. The UK was granted access to this database in 2015, even though it's not an official member of the Schengen zone. Further reading: EU Votes To Create Gigantic Biometrics Database.
