Medicine

Global Network of Labs Will Test Security of Medical Devices (securityledger.com)

chicksdaddy shares a report from The Security Ledger: Amid increasing concerns about cyber threats to healthcare environments, a global network of labs will test the security of medical devices, according to an announcement on Monday by a consortium of healthcare industry firms, universities and technology firms, The Security Ledger reports. The "World Health Information Security Testing Labs" (or "WHISTL") will adopt a model akin to the Underwriters Laboratory, which started out testing electrical devices, and focus on issues related to cyber security and privacy, helping medical device makers "address the public health challenges" created by connected health devices and complex, connected healthcare environments, according to a statement by The Medical Device Innovation, Safety and Security Consortium. "MDISS WHISTL facilities will dramatically improve access to medical device security know-how while protecting patient privacy and the intellectual property of our various stakeholders," said Dr. Nordenberg, MD, Executive Director of MDISS.

The labs will be one of the only independent, open and non-profit networks of labs specifically designed for the needs of the medical field, including medical device designers, hospital IT, and clinical engineering professionals. Experts will assess the security of medical devices using standards and specifications designed by testing organizations like Underwriters Labs. Evaluations will include application security testing like "fuzzing," static code analysis and penetration testing of devices. Any vulnerabilities found will be reported directly to manufacturers in accordance with best practices, and publicly disclosed to the international medical device vulnerability database (MDVIPER), which is maintained by MDISS and the National Health Information Sharing and Analysis Center (NH-ISAC). The group says it plans for 10 new device testing labs by the end of the year, including in the U.S. in states such as New York, Indiana, Tennessee and California, and outside North America in the UK, Israel, Finland, and Singapore. The WHISTL facilities will work with Underwriters Labs as well as AAMI, the Association for the Advancement of Medical Instrumentation. Specifically, MDISS labs will base their work on the UL Cybersecurity Assurance Program specifications (UL CAP) and follow testing standards developed by both groups, including the UL 2900 and AAMI 80001 standards.

Earth

World's First Floating Wind Farm Emerges Off Coast of Scotland (bbc.co.uk)

AmiMoJo writes: The world's first full-scale floating wind farm has started to take shape off the north-east coast of Scotland. The revolutionary technology will allow wind power to be harvested in waters too deep for the current conventional bottom-standing turbines. The manufacturer hopes to cash in on a boom in the technology, especially in Japan and the west coast of the U.S., where waters are deep. The tower, including the blades, stretches to 175m and weighs 11,500 tons. The price of energy from bottom-standing offshore wind farms has plummeted 32% since 2012, and is now four years ahead of the government's expected target. Another big price drop is expected, taking offshore wind to a much lower price than new nuclear power.
Biotech

Wisconsin Company Will Let Employees Use Microchip Implants To Buy Snacks, Open Doors (theverge.com)

A Wisconsin company called Three Square Market will soon offer employees implantable chips to open doors, buy snacks, log in to computers, and use office equipment like copy machines. The chips use near field communication (NFC) technology and will be implanted between the thumb and forefinger of participating employees. According to The Verge, around 50 people are supposedly getting the optional implants. From the report: NFC chips are already used in a couple of workplaces in Europe; The Los Angeles Times reported on startup workspace Epicenter's chip program earlier this year. In the US, installing them is also a form of simple biohacking. They're essentially an extension of the chips you'd find in contactless smart cards or microchipped pets: passive devices that store very small amounts of information. A Swedish rail company also lets people use implants as a substitute for fare cards. 32M CEO Todd Westby is clearly trying to head off misunderstandings and paranoia by saying that they contain "no GPS tracking at all" -- because again, it's comparable to an office keycard here.
Businesses

Unemployment in the UK is Now So Low It's in Danger of Exposing the Lie Used To Create the Numbers (businessinsider.com)

Unemployment in Britain is now just 4.5 percent. There are only 1.49 million unemployed people in the UK, versus 32 million people with jobs. This is almost unheard of. Unemployment was most recently this low in December 1973, when the UK set an unrepeated record of just 3.4 percent. From a report: The problem with this record is that the statistical definition of "unemployment" relies on a fiction that economists tell themselves about the nature of work. As the rate gets lower and lower, it tests that lie. Because -- as anyone who has studied basic economics knows -- the official definition of unemployment disguises the true rate. In reality, about 21.5 percent of all working-age people (defined as ages 16 to 64) are without jobs, or 8.83 million people, according to the Office for National Statistics. That's more than four times the official number. For decades, economists have agreed on an artificial definition of what unemployment means. Their argument is that people who are taking time off, or have given up looking for work, or work at home to look after their family, don't count as part of the workforce.
Bug

DNS Lib Underscore Bug Bites Everyone's Favorite Init Tool, Blanks Netflix (theregister.co.uk)

Reader OneHundredAndTen writes and shares a report: Systemd doing what it does best. From a report on The Register: A few Penguinistas spent a weekend working out why they can't get through to Netflix from their Linux machines, because when they tried, their DNS lookups failed. The issue emerged over the weekend, when Gentoo user Dennis Schridde submitted a bug report to the Systemd project. Essentially, he described a failure within systemd-resolve, a Systemd component that turns human-readable domain names into IP addresses for software, like web browsers, to connect to. The Systemd resolver couldn't look up Netflix's servers for Schridde's web browser, according to the report. In his detailed post, Schridde said he expected this to happen: ipv6_1-cxl0-c088.1.lhr004.ix.nflxvideo.net gets resolved to 37.77.187.142 or 2a00:86c0:5:5::142. When in reality, that wasn't happening, so Netflix couldn't be reached on his box. His speculation that libidn2, which adds internationalised domain names support to the resolver, was at fault turned out to be accurate. Rebuilding Systemd without that library cleared the problem.
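The failure mode behind this story, modelled as an added example that is not code from systemd, libidn2 or The Register: an underscore is legal in a DNS label but not in an RFC 1123 hostname label, so a resolver that pushes every label through a strict LDH/IDN check rejects the Netflix CDN name quoted above. The lenient converter is the defensive alternative assumed here (only labels containing non-ASCII characters go through IDNA conversion); the IDN sample name is constructed.

```python
import re

# Constructed samples: the Netflix CDN name quoted in the story, and an IDN name for contrast.
NETFLIX_NAME = "ipv6_1-cxl0-c088.1.lhr004.ix.nflxvideo.net"
IDN_NAME = "bücher.example"

# RFC 1123 hostname label: letters, digits and hyphen (LDH), no leading/trailing
# hyphen, at most 63 characters. Underscore is not in this set.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def labels(name):
    """Split a presentation-form name into labels, ignoring a trailing root dot."""
    return name.rstrip(".").split(".")


def is_dns_name(name):
    """RFC 2181 view: any octets are allowed, each label is 1..63 octets and the
    whole name is at most 253 characters. Underscores are fine at this layer."""
    stripped = name.rstrip(".")
    if not stripped or len(stripped) > 253:
        return False
    return all(0 < len(label.encode("utf-8")) <= 63 for label in labels(name))


def is_rfc1123_hostname(name):
    """Stricter host-name syntax: every label must be LDH."""
    return is_dns_name(name) and all(_LDH_LABEL.match(l) for l in labels(name))


def _idna_label(label):
    """Punycode a single non-ASCII label with the standard-library idna codec."""
    return label.encode("idna").decode("ascii")


def to_ascii_strict(name):
    """Model of a strict converter: every label, ASCII or not, has to be a valid
    LDH label after conversion. An underscore label raises, which is the kind of
    failure that left the CDN name unresolvable in the story."""
    out = []
    for label in labels(name):
        ascii_label = label if label.isascii() else _idna_label(label)
        if not _LDH_LABEL.match(ascii_label):
            raise ValueError(f"label {label!r} is not a valid LDH/IDNA label")
        out.append(ascii_label)
    return ".".join(out)


def to_ascii_lenient(name):
    """Defensive alternative assumed here: only labels containing non-ASCII
    characters go through IDNA; pure-ASCII labels pass through untouched, so the
    IDN library never sees (and never rejects) an ASCII name with an underscore."""
    if not is_dns_name(name):
        raise ValueError(f"{name!r} is not a syntactically valid DNS name")
    return ".".join(l if l.isascii() else _idna_label(l) for l in labels(name))


def prepare_for_lookup(name, strict):
    """Return (wire_name, None) on success or (None, reason) when the name is rejected."""
    convert = to_ascii_strict if strict else to_ascii_lenient
    try:
        return convert(name), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    for strict in (True, False):
        wire, reason = prepare_for_lookup(NETFLIX_NAME, strict)
        print(f"strict={strict}: {wire or 'REJECTED: ' + reason}")
    print(prepare_for_lookup(IDN_NAME, strict=True))
```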
Wireless Networking

Ask Slashdot: How Can You Avoid Routers With Locked Firmware? 301

thejynxed writes: A while ago the FCC in the USA implemented a rule that required manufacturers to restrict end-users from tampering with the radio outputs on Wi-Fi routers. It was predicted that manufacturers would take the lazy way out by locking down the firmware/bootloaders of the routers entirely instead of partitioning off access to the radio transmit power and channel ranges. This has apparently proven to be the case, as even now routers that were previously marketed as "Open Source Ready" or "DD-WRT Compatible" are coming with locked firmware.

In my case, having noticed this trend, I purchased three routers from Belkin, Buffalo, and Netgear in Canada, the UK, and Germany respectively, instead of the USA, and the results: All three routers had locked firmware/bootloaders, with no downgrade rights and no way to install Tomato, DD-WRT, OpenWRT, etc. It seems the FCC rule is an example of the wide-reaching effect of US law on the products sold in other nations, etc. So, does anyone know a good source of unlocked routers or other technical information on how to bypass this ridiculous outcome of FCC over-reach and manufacturer laziness?

The FCC later specified that they were not trying to block Open Source firmware modifications -- so leave your best suggestions in the comments. How can you avoid routers with locked firmware?
United Kingdom

UK To Require Drone Registration And Safety Exams (bloomberg.com)

An anonymous reader quotes Bloomberg: Drones will have to be registered and their users required to pass safety tests under new rules to be announced by the U.K.'s Department for Transport... Registration will be mandated for owners of drones 250 grams (8.8 ounces) or larger after research found that drones as small as 400 grams (14 ounces) could damage the windscreens of helicopters. Other security measures like "geo-fencing" -- GPS-based technology programmed into drones to prevent them from flying into sensitive areas such as prisons and airports -- are also under consideration, according to a statement from the department.
The BBC points out that "There is no time frame or firm plans as to how the new rules will be enforced and the Department of Transport admitted that 'the nuts and bolts still have to be ironed out.'"

"The UK government says 22 incidents involving commercial airliners and drones were investigated between January and April of this year," adds TechRadar, "with police unable to trace the owners of the drones -- one of the reasons for the new legislation."
Encryption

Let's Encrypt Criticized Over Speedy HTTPS Certifications (threatpost.com)

100 million HTTPS certificates were issued in the last year by Let's Encrypt -- a free certificate authority founded by Mozilla, Cisco and the Electronic Frontier Foundation -- and they're now issuing more than 100,000 HTTPS certificates every day. Should they be performing more vetting? msm1267 shared this article from Kaspersky Lab's ThreatPost blog: [S]ome critics are sounding alarm bells and warning that Let's Encrypt might be guilty of going too far, too fast, and delivering too much of a good thing without the right checks and balances in place. The primary concern has been that while the growth of SSL/TLS encryption is a positive trend, it also offers criminals an easy way to facilitate website spoofing, server impersonation, man-in-the-middle attacks, and a way to sneak malware through company firewalls... Critics do not contend Let's Encrypt is responsible for these types of abuses. Rather, because it is the 800-pound gorilla when it comes to issuing basic domain validation certificates, critics believe Let's Encrypt could do a better job vetting applicants to weed out bad actors... "I think there should be some type of vetting process. That would make it more difficult for malicious actors to get them," said Justin Jett, director of audit and compliance at Plixer, a network traffic analytics firm...

Josh Aas, executive director of the Internet Security Research Group, the organization that oversees Let's Encrypt, points out that its role is not to police the internet; rather, its mission is to make communications secure. He added that, unlike commercial certificate authorities, it keeps a searchable public database of every single domain it issues. "When people get surprised at the number of PayPal phishing sites and get worked up about it, the reason they know about it is because we allow anyone to search our records," he said. Many other certificate authorities keep their databases of issued certificates private, citing competitive reasons and that customers don't want to broadcast the names of their servers... "The reason people treat us like a punching bag is that we are big and we are transparent."

The criticism intensified after Let's Encrypt announced they'd soon offer wildcard certificates for subdomains. But the article also cites security researcher Scott Helme, who "argued if encryption is to be available to all then that includes the small percent of bad actors. 'I don't think it's for Signal, or Let's Encrypt, to decide who should have access to encryption.'"
The Almighty Buck

Norway, the Country Where No Salaries Are Secret (bbc.com)

In Norway, there are no such secrets. Anyone can find out how much anyone else is paid -- and it rarely causes problems. From a report: In the past, your salary was published in a book. A list of everyone's income, assets and the tax they had paid, could be found on a shelf in the public library. These days, the information is online, just a few keystrokes away. The change happened in 2001, and it had an instant impact. "It became pure entertainment for many," says Tom Staavi, a former economics editor at the national daily, VG. "At one stage you would automatically be told what your Facebook friends had earned, simply by logging on to Facebook. It was getting ridiculous." Transparency is important, Staavi says, partly because Norwegians pay high levels of income tax -- an average of 40.2 percent compared to 33.3 percent in the UK, according to Eurostat, while the EU average is just 30.1 percent. "When you pay that much you have to know that everyone else is doing it, and you have to know that the money goes to something reasonable," he says. "We [need to] have trust and confidence in both the tax system and in the social security system."
Programming

Drupal Developers Still Rebelling Against Drupal Leadership

New submitter cornholed writes: In an update to previous posts on Slashdot, prominent Drupal and PHP developer Larry Garfield is still defending his reputation against allegations of sexual misconduct by Drupal leadership. As previously reported by a variety of news organizations, Larry was exiled from the Drupal project for adherence to the Gor sci-fi lifestyle.

In the latest round of allegations, Garfield was reportedly asked to resign because an autistic "woman who attended Drupal community events ... was allowed to contribute by him". While some have accused Dries Buytaert and the Drupal Association of "Autism Shaming", the leader of the Drupal project claims "this person could be vulnerable and may have been subject to exploitation", hence raising the risk of legal damage to the Drupal project. Larry refutes these allegations, saying these claims are post-hoc, and has shared police reports purporting his innocence.

There is still much debate in the Drupal community around why Larry was ejected from his leadership positions. While there's much speculation over Larry's ouster, there is one thing for certain: become a leader in the OSS community and a dossier on your public statements just might be made about you.
Communications

AlphaBay Owner Used Email Address For Both AlphaBay and LinkedIn Profile

BarbaraHudson writes: The Register is reporting that Alexandre Cazes, the 25-year-old Canadian running the dark web site AlphaBay, was using a Hotmail address easily connected to him via his LinkedIn profile to administer the site. From the report: "[A]ccording to U.S. prosecutors, he used his real email address, albeit a Hotmail address -- Pimp_Alex_91@hotmail.com -- as the administrator password for the marketplace software. As a result, every new user received a welcome email from that address when they signed up to the site, and everyone using its password recovery tool also received an email from that address. However, rather than carefully set up and then abandon that email address, it turns out that Alexandre Cazes -- Pimp Alex -- had been using that address for years. Cazes had also used his Pimp Alex Hotmail address as well as an email address from his own business -- EBX Technologies -- to set up online bank accounts and crypto-currency accounts. How did law enforcement know that Cazes was behind EBX Technologies? It was on his LinkedIn profile."

BarbaraHudson adds: "His laptop wasn't encrypted, so expect more arrests as AlphaBay users are tracked down."
Android

Some OnePlus 5s Are Reportedly Rebooting After Dialing 911 (theverge.com)

The OnePlus 5, dubbed "the best sub-$500 phone you can buy" when it launched, is having a few problems. Earlier this month, some owners of the new device complained about a weird jelly-like effect that appears when scrolling through apps. OnePlus went on to claim that the effect is normal and not the result of any manufacturing issues. Now, a handful of users are reporting that the OnePlus 5 will reboot itself once 911 is called, preventing them from reaching emergency services. The Verge reports: Reddit user Nick Morrelli noticed the glitch after he tried to call 911 to report a building fire in Seattle, and other users have reported that the OnePlus 5 is unable to dial 911 (or 999 in the UK, as another user reported) without rebooting. While most users haven't reported having the issue, any percentage of devices not being able to reach emergency services is a major issue for OnePlus. In a statement to The Verge, OnePlus says it's looking into the problem. "We have contacted the customer and are currently looking into the issue. We ask anyone experiencing a similar situation to contact us at support@oneplus.net."
Security

Hacks 'Probably Compromised' UK Industry (bbc.com)

Some industrial software companies in the UK are "likely to have been compromised" by hackers, according to a document reportedly produced by British spy agency GCHQ. A copy of the document from the National Cyber Security Centre (NCSC) -- part of GCHQ -- was obtained by technology website Motherboard. From a report: A follow-up by the BBC indicated that the document was legitimate. There have been reports about similar cyber-attacks around the world lately. Modern, computer-based industrial control systems manage equipment in facilities such as power stations. And attacks attempting to compromise such systems had become more common recently, one security researcher said. The NCSC report specifically discusses the threat to the energy and manufacturing sectors. It also cites connections from multiple UK internet addresses to systems associated with "advanced state-sponsored hostile threat actors" as evidence of hackers targeting energy and manufacturing organisations.
Medicine

Long Working Days Can Cause Heart Problems, Study Says (theguardian.com)

According to a major new study, long days at the office can be bad for your heart. While the risk of stroke is increased from working too many hours in the office, it seems that working more than 55 hours a week means a 40% higher chance of developing an irregular heartbeat (atrial fibrillation), when compared to those with a better work-life balance. The Guardian reports: The research team, led by Professor Mika Kivimaki from the department of epidemiology at University College London, analysed data on the working patterns of 85,494 mainly middle-aged men and women drawn from the UK, Denmark, Sweden and Finland. Participants were put into groups according to their work pattern, with 35-40 hours a week regarded as the control group. No one had AF at the start of the study, published in the European Heart Journal. After 10 years of follow-up, an average of 12.4 per 1,000 people had developed AF, but among those working 55 hours or more, this figure was higher at 17.6 per 1,000 people. Those working the longest hours were more overweight, had higher blood pressure, smoked more and consumed more alcohol. But the team's conclusions about longer working hours and AF still remained after taking these factors into account.
United Kingdom

Porn Websites in UK Ordered To Introduce Age Checks From Next Year (bbc.com)

Reader dryriver shares an article: A nine-month countdown to the introduction of compulsory age checks on online pornography seen from the UK has begun. The April 2018 goal to protect under-18s was revealed as digital minister Matt Hancock signed the commencement order for the Digital Economy Act, which introduces the requirement. But details as to how the scheme will work have yet to be finalised. Experts who advised ministers said the targeted date seemed "unrealistic". The act also sets out other new laws including punishing the use of bots to snatch up scores of concert tickets, and mandating the provision of subtitles on catch-up TV. The age-check requirement applies to any website or other online platform that provides pornography "on a commercial basis" to people in the UK. It allows a regulator to fine any business that refuses to comply and to ask third-party payment services to withdraw support. The watchdog will also be able to force internet providers to block access to non-compliant services.
Australia

Crypto-Bashing Prime Minister Argues The Laws Of Mathematics Don't Apply In Australia (independent.co.uk)

An anonymous reader quotes the Independent: Australian Prime Minister Malcolm Turnbull has said the laws of mathematics come second to the law of the land in a row over privacy and encryption... When challenged by a technology journalist over whether it was possible to tackle the problem of criminals using encryption -- given that platform providers claim they are currently unable to break into the messages even if required to do so by law -- the Prime Minister raised eyebrows as he made his reply. "Well the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia," he said... "The important thing is to recognise the challenge and call on the companies for assistance. I am sure they know morally they should... They have to face up to their responsibility."
Facebook has already issued a statement saying that they "appreciate the important work law enforcement does, and we understand the need to carry out investigations. That's why we already have a protocol in place to respond to any requests we can.

"At the same time, weakening encrypted systems for them would mean weakening it for everyone."
Television

Doctor Who's 13th Time Lord Announced: Actress Jodie Whittaker (bbc.co.uk)

Peter Capaldi, the 12th Doctor Who, had said that he wanted to see a woman replace him in the Tardis, and so did former Doctor Who stars Billie Piper and Karen Gillan. And today it's official: "the 13th incarnation of Doctor Who will be portrayed by an actress," writes Slashdot reader Coisiche -- specifically Jodie Whittaker, who American viewers may remember from her performance as CIA officer Sandra Grimes in the 2014 mini-series "The Assets." The BBC reports: She was revealed in a trailer that was broadcast on BBC One at the end of the Wimbledon men's singles final... She will make her debut on the sci-fi show when the Doctor regenerates in the Christmas Day show... Whittaker said: "I'm beyond excited to begin this epic journey...with every Whovian on this planet. It's more than an honour to play the Doctor. It means remembering everyone I used to be, while stepping forward to embrace everything the Doctor stands for: hope... Doctor Who represents everything that's exciting about change."
Doctor Who's new showrunner said the 13th Doctor was always going to be a woman -- and that Whittaker was their first choice. "Jodie is an in-demand, funny, inspiring, super-smart force of nature and will bring loads of wit, strength and warmth to the role." Doctor Who #12 added that Whittaker "has above all the huge heart to play this most special part. She's going to be a fantastic Doctor." And Will Howells, who writes for the Doctor Who magazine, said "I don't think it's a risky choice at all but if a show that can go anywhere and do anything can't take risks, what can?"
United Kingdom

UK Wifi Provider Tricks Customers Into Agreeing To Clean Sewers (upi.com)

An anonymous reader quotes UPI: Unwitting customers in the United Kingdom who didn't read the terms and conditions for use of a public WiFi hotspot agreed to perform 1,000 hours of community service, including unclogging sewers and scraping gum off the street. The gag was conceived by WiFi provider Purple. The company inserted the clause into its terms and conditions -- the technically legally binding agreement consumers approve in exchange for use of free Internet, though very few actually read the terms. The company said it did so to call attention to the fact consumers are regularly agreeing to terms that they may not actually like, including granting access to private information and data about their web browsing habits.
Other community service tasks agreed to by users included "providing hugs to stray cats and dogs" and "painting snail shells to brighten up their existence." The agreement also promised a prize to anyone who actually became aware of the prize's existence after reading the terms and conditions -- yet after two weeks only one person came forward to claim the prize.
Businesses

Dark Web Marketplace AlphaBay Shuts For Good After Police Raids (theregister.co.uk)

Dark web marketplace AlphaBay's closure last week followed an international law enforcement operation and multiple raids, it has emerged. It has also been reported that a key suspect who was arrested in the raids has died in custody. From a report: The world's biggest online drug bazaar dropped offline on 5 July, sparking fears that its administrators had disappeared taking a swag bag of digital currency with them, pulling an "exit scam" like other dark web marketplace kingpins before them. The Wall Street Journal reports that a Canadian suspected of running AlphaBay was arrested in Thailand on 5 July following an international police operation involving authorities in the US and Canada as well as Thailand. Alexandre Cazes, the 26-year-old who had been accused of being the site's admin, was found dead in a Thai jail cell on Wednesday, the WSJ adds. The Bangkok Post reported that Cazes had been resident in Thailand for about eight years and had a Thai wife. Thai authorities said they'd seized four Lamborghini cars and three upmarket residences with a combined value of $11.7m (400 million Thai Baht). US authorities had apparently been seeking to extradite Cazes at the time of his death.
Businesses

Visa Considers Extending 'War on Cash' Business Incentives Outside US (cnbc.com)

Visa is hoping to extend its "war on cash" agenda to businesses in the U.K. after announcing new incentives for U.S. businesses to go cashless. From a report: The payment technology company revealed on Wednesday that it was launching a "cashless challenge" which would see 50 U.S. businesses receive $10,000 each to help them convert to a cashless payment model. It is now aiming to roll the model out to the U.K., though is yet to set a timeframe for the launch, a Visa spokesperson confirmed to CNBC Friday. Under the scheme, businesses in the U.S. are invited to submit plans outlining what going cashless might mean for them, their employees and their customers. Recipients of the award will then be required to use the lump sum to upgrade their point-of-sale systems so they are completely cashless. Any remaining money can be put towards marketing, the company said. "We're declaring a war on cash," Andy Gerlt, a spokesman for Visa, said in the announcement Wednesday.