4,000 years ago in the northern steppes of Eurasia, in the shadow of the Ural Mountains, a tiny settlement stood on a natural terrace overlooking the Samara River. In the late twentieth century, a group of archaeologists excavated the remains of two or three structures that once stood here, surrounded by green fields where sheep and cattle grazed. But the researchers quickly discovered this was no ordinary settlement. Unusual burials and the charred remains of almost fifty dogs suggested this place was a ritual center for at least 100 years.
Hartwick College anthropologist David Anthony and his colleagues have excavated for several years at the site, called Krasnosamarskoe, and have wondered since that time what kind of rituals would have left this particular set of remains behind. Anthony and his Hartwick College colleague Dorcas Brown offer some ideas in a paper published recently in the Journal of Anthropological Archaeology.
The people who lived at Krasnosamarskoe were part of an Indo-European cultural group called Srubnaya, with Bronze Age technology. The Srubnaya lived in settlements year-round, but were not farmers. They kept animals, hunted for wild game, and gathered plants to eat opportunistically. Like many Indo-European peoples, they did not have what modern people would call an organized religion. But as Krasnosamarskoe demonstrates, they certainly had beliefs that were highly spiritual and symbolic. And they engaged in ritualistic practices over many generations.
A well-known computer security researcher, Morgan Marquis-Boire, has been publicly accused of sexual assault.
On Sunday, The Verge published a report saying that it had spoken with 10 women across North America and Marquis-Boire's home country of New Zealand who say that they were assaulted by him in episodes going back years.
A woman that The Verge gave the pseudonym "Lila" provided The Verge with "both a chat log and a PGP signed and encrypted e-mail from Morgan Marquis-Boire. In the e-mail, he apologizes at great length for a terrible but unspecified wrong. And in the chat log, he explicitly confesses to raping and beating her in the hotel room in Toronto, and also confesses to raping multiple women in New Zealand and Australia."
OAKLAND, Calif.—Seated at a dimly lit bar, a gregarious man dressed in a scarf and beanie reflecting his favorite local sports team explained to Ars last week why he and some of his fellow Instacart shoppers plan on not working this Sunday and Monday.
"We’re going to sign up for shifts and then when it’s time, if I’m working from 10am to 1pm on [November 19], the first order, I’m going to decline it, not accept the batch," he said, using Instacart’s term for multiple pickups at a single retail location. "They’ll kick us off and we’ll continue to do that until they kick us off [for the day]."
The man, who goes by Ike, declined to let Ars use his full name for fear of reprisal—he also doesn’t want unwanted scrutiny from his colleagues at his full-time public sector job.
At this point, I don't have much patience for the argument that eSports fans should stop watching other people play video games and just play those games themselves.
For one, it's an argument that few people make about spectator sports like basketball and football, where the skill difference between a pro and a novice is roughly the same as in eSports. For another, the thrill of watching a competitor at the top of his or her game is entirely distinct (and better in some ways) from competing yourself.
The tasty Japanese seaweed nori is ubiquitous today, but that wasn't always true. Nori was once called “lucky grass” because every year's harvest was entirely dependent on luck. Then, during World War II, luck ran out. No nori would grow off the coast of Japan, and farmers were distraught. But a major scientific discovery on the other side of the planet revealed something unexpected about the humble plant and turned an unpredictable crop into a steady and plentiful food source.
Nori is most familiar to us when it's wrapped around sushi. It looks less familiar when floating in the sea, but for centuries, farmers in Japan, China, and Korea knew it by sight. Every year, they would plant bamboo poles strung with nets in the coastal seabed and wait for nori to build up on them.
At first it would look like thin filaments. Then, with luck, it grew into healthy, harvestable plants with long, green leaves. The farmers never saw seeds or seedlings, so no one could cultivate it. The filaments simply appeared every year. That is, they appeared until after World War II, when pollution, industrialization along the coast, and a series of violent typhoons led to a disastrous drop in harvests. By 1951, nori production in Japan had been all but wiped out.
Welcome to Ars Cardboard, our weekend look at tabletop games! Check out our complete board gaming coverage at cardboard.arstechnica.com.
How do you follow the most popular board game ever made?
In a world where three separate versions of Smurfs Monopoly exist, Pandemic Legacy: Season One (PL:S1) isn’t the biggest-selling game of all time—but it has topped the popularity charts at Board Game Geek since it was released. It’s as close to “universally loved” as it’s possible to get in this contrarian world.
A Pentagon contractor left a vast archive of social-media posts on a publicly accessible Amazon account in what appears to be a military-sponsored intelligence-gathering operation that targeted people in the US and other parts of the world.
The three cloud-based storage buckets contained at least 1.8 billion scraped online posts spanning eight years, researchers from security firm UpGuard's Cyber Risk Team said in a blog post published Friday. The cache included many posts that appeared to be benign, and in many cases they came from people in the US, a finding that raises privacy and civil-liberties questions. Facebook was one of the sites that originally hosted the scraped content. Other venues included soccer discussion groups and video game forums. Topics in the scraped content were extremely wide ranging and included Arabic-language posts mocking ISIS and Pashto-language comments made on the official Facebook page of Pakistani politician Imran Khan.
The scrapings were left in three Amazon Web Services S3 cloud storage buckets that were configured to allow access to anyone with a freely available AWS account. It's only the latest trove of sensitive documents left unsecured on Amazon. In recent months, UpGuard has also found private data belonging to Viacom, security firm TigerSwan, and defense contractor Booz Allen Hamilton similarly exposed. In Friday's post, UpGuard analyst Dan O'Sullivan wrote:
John Draper, a legendary figure in the world of pre-digital phone hacking known as "phreaking," has been publicly accused of inappropriate sexual behavior going back nearly two decades.
According to a new Friday report by BuzzFeed News, Draper, who is also known as "Captain Crunch," acted inappropriately with six adult men and minors between 1999 and 2007 during so-called "energy" exercises, which sometimes resulted in private invitations to his hotel room. There, Draper allegedly made unwanted sexual advances.
As a result of the new revelations, Draper, 74, is now no longer welcome at Defcon. Michael Farnum, the founder of HOU.SEC.CON, told Ars on Friday afternoon that Draper, who had been scheduled to speak in April 2018, was disinvited.
If you didn't have any weekend plans yet—or maybe even if you did—and you're interested in scratching your programming itch, there's something to add to your calendar. Codewarz, a programming competition that presents participants with 24 coding challenges, is running its first live event starting at 1pm Eastern on November 18 and ending at 9pm on November 20.
This is not a hacking competition—it’s strictly coding. Participants can use their language of choice as long as it's one of the 15 supported by the event: the various flavors of C, Python, Node.js, Scala, PHP, Go, Ruby, and even Bash. (Sorry, no one has asked them to support Ada or Eiffel yet.) There's no compiling required, either. Each submitted solution is run in an interpreted sandbox on a Linux machine for evaluation and scoring. And the challenges run the gamut from beginner (things like text parsing, math, and basic networking) to advanced (more advanced parsing and math, hashing, cryptography, and forensics challenges).
Scoring is straightforward. Each of the challenges has an expected output (checked through hash-matching), and matching that output equals success for whatever number of points a challenge is worth. The easiest challenges (such as a "Hello World" tutorial challenge) are worth 10 points, while the hardest are worth 250 points.
Update (9/19/2017 11:20 AM ET): Updated to mark various deals that have gone live since this article's publication.
Original post: Brace yourself for Walmart fights and snarky tweets about capitalism, because Black Friday is nearly here. Once again, the day after Thanksgiving—and in many cases the days before that—will see retailers across the country pushing an avalanche of sales to the gift-needy public.
And once again, many of those “discounts” won’t be discounts at all. Year after year, the corporate holiday isn’t quite the deals bonanza it proclaims to be. Many of the devices on sale either won’t be priced significantly lower than they are at other points in the year or just won’t be worth buying to begin with.
When a company like Microsoft needs to fix a security flaw in one of its products, the process is normally straightforward: determine where the bug lies, change the program's source code to fix the bug, and then recompile the program. But it looks like the company had to step outside this typical process for one of the flaws it patched this Tuesday. Instead of fixing the source code, it appears that the company's developers made a series of careful changes directly to the buggy program's executable file.
Bug CVE-2017-11882 is a buffer overflow in the ancient Equation Editor that comes with Office. The Equation Editor allocates a fixed-size piece of memory to hold a font name and then copies the font name from the equation file into this piece of memory. It doesn't, however, check to ensure that the font name will fit into this piece of memory. When provided with a font name that's too long, the Equation Editor overflows the buffer, corrupting its own memory, and an attacker can use this to execute arbitrary malicious code.
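As an added illustration (not Microsoft's code, and using an assumed one-byte-length record layout rather than the real Equation Editor file format), the unchecked font-name copy the article describes beside a bounds-checked version that rejects names that would not fit:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed record layout for illustration only (not the real Equation Editor
 * file format): one length byte followed by that many font-name bytes. */
#define FONT_NAME_MAX 40   /* fixed-size buffer, as the article describes */

typedef struct { char name[FONT_NAME_MAX]; } font_record_t;

/* The vulnerable pattern: the declared length is trusted and the name is
 * copied into the fixed buffer without checking that it fits. A record whose
 * length byte is >= FONT_NAME_MAX overwrites whatever follows rec->name. */
void copy_font_name_unchecked(font_record_t *rec, const uint8_t *bytes) {
    size_t len = bytes[0];
    memcpy(rec->name, bytes + 1, len);   /* no bounds check: buffer overflow */
    rec->name[len] = '\0';               /* also writes past the end */
}

/* Hardened: validate the declared length against both the buffer size and the
 * bytes actually present in the record before copying. 0 = ok, -1 = rejected. */
int copy_font_name_checked(font_record_t *rec, const uint8_t *bytes, size_t nbytes) {
    if (nbytes < 1) return -1;
    size_t len = bytes[0];
    if (len >= FONT_NAME_MAX) return -1;   /* would not fit (keep room for NUL) */
    if (len > nbytes - 1) return -1;       /* length byte exceeds the record */
    memcpy(rec->name, bytes + 1, len);
    rec->name[len] = '\0';
    return 0;
}

/* Constructed sample record: a six-byte font name that fits the buffer. */
static const uint8_t BENIGN_RECORD[] = { 6, 'S', 'y', 'm', 'b', 'o', 'l' };

/* Returns the length of the name parsed from the benign record, or -1. */
int parse_benign_record(void) {
    font_record_t rec;
    if (copy_font_name_checked(&rec, BENIGN_RECORD, sizeof BENIGN_RECORD) != 0) return -1;
    return (int)strlen(rec.name);
}

/* Constructs a record whose length byte claims 200 name bytes and returns the
 * hardened parser's verdict. The unchecked copy is deliberately never run on
 * it, because that is exactly the write that corrupts memory. */
int parse_overlong_record(void) {
    uint8_t rec_bytes[1 + 200];
    rec_bytes[0] = 200;
    memset(rec_bytes + 1, 'A', 200);
    font_record_t rec;
    return copy_font_name_checked(&rec, rec_bytes, sizeof rec_bytes);
}

/* Constructed record whose length byte (10) exceeds the bytes present (3). */
int parse_truncated_record(void) {
    const uint8_t rec_bytes[] = { 10, 'A', 'r', 'i' };
    font_record_t rec;
    return copy_font_name_checked(&rec, rec_bytes, sizeof rec_bytes);
}
```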
For residents of our nation’s capital, news of a fire on the city’s rapid transit system—the Washington Metro—is not surprising. It catches fire and smokes quite regularly. At some points last year, there were reports of more than four fires per week (although there’s some dispute about that rate). There’s even the handy site—IsMetroOnFire.com—to check the current blaze status.
Yet, despite the common occurrence, residents may be surprised to learn a potential contributor to the system-wide sizzling: their own hair.
According to a safety specialist with the Amalgamated Transit Union (ATU), a thick, felt-like layer of human hair, skin, and other debris has collected on the aging tracks of the city’s rails. In particular, hair has built up on insulators supporting the transit system’s electrified third rails, which run cables carrying 750 volts of electricity to power the trains. The hair coating delivers a real threat of electrical sparks and fire.
The US Navy and NASA have joined the search for an Argentine Armada (navy) diesel-electric attack submarine—the ARA San Juan (S-42)—and its crew of 44 sailors missing in the Southern Argentine Sea. The last contact with the TR-1700 class sub, built in 1983 by the German shipbuilder Thyssen Nordseewerke, was on November 15.
NASA has dispatched a modified P-3 Orion patrol plane—previously used by the Navy for submarine hunting—to aid in the search. The P-3 is equipped with a magnetic anomaly detector (or magnetometer), a gravimeter for detecting small fluctuations in the Earth's gravity, infrared cameras, and other sensors for measuring ice thickness. With that array, the P-3 may be able to detect the submerged submarine.
Yesterday, the US House of Representatives passed its version of a tax bill that would drop corporate tax rates and alter various deductions. While most of the arguments about the bill have focused on which tax brackets will end up paying more, an entire class of individuals appears to have been specifically targeted with a measure that could raise their tax liability by 300 percent or more: graduate student researchers. If maintained, the changes could be crippling for research in the US.
Tuition waivers
Many graduate programs in areas like business, medicine, and law can afford to charge high tuitions. That's in part because these degrees are in high demand and in part because the students know that they'll have the potential to earn very large salaries after graduation.
PhD programs are nothing like this. Despite typically taking five to six years to complete, a PhD student is only likely to earn in the area of $44,000 after graduation if they're funded by the National Institutes of Health. Even four years of additional experience doesn't raise the salary above $50,000. As such, charging them tuition would leave them with no way to possibly pay back their student loans. Doing so would almost certainly discourage anyone but the independently wealthy from attending research-focused graduate programs.
DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, drivers licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.
Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback—including a threat of charges under the Computer Fraud and Abuse Act (CFAA). DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled "Why I walked away from $30,000 of DJI bounty money."
"Hacker?"
DJI launched its bug bounty this fall shortly after the US Army issued a ban on using DJI drones for any military purpose due to "operational security" concerns. There were also spreading reports of people hacking the firmware of DJI drones—some of those hacks were posted to GitHub by Finisterre himself. But according to Finisterre, the program was clearly rushed out. The company did not, and has yet to, define the scope of the bounty program publicly. So when Finisterre discovered that DJI's SSL certificates and firmware AES encryption keys had been exposed through searches on GitHub—in some cases for as long as four years—he contacted the company to see if its servers were within the scope of the bug bounty program. He was told they were—a statement that DJI officials would later walk back.
Since consumer-grade virtual reality became a thing last year, there has been some criticism over the lack of lengthy, meaty VR experiences that can draw players in an epic story for dozens of hours. As if to answer that criticism, Bethesda has released Skyrim VR, a PlayStation VR exclusive version of one of the meatiest RPGs of the last decade.
Consumer virtual reality was barely even a gleam in Palmer Luckey's eye when Skyrim came out in 2011, though, and that fact comes into stark relief when trying to play the game in a brand new medium. While Skyrim's world makes some impressive first impressions in VR, a few hours with the game is enough to show some significant problems with the conversion as well.
Rough edges
To be sure, seeing and exploring Skyrim's world in VR brings some immediate and impressive improvements over playing on a monitor. From the jump, the stereoscopic 3D and head tracking of the PSVR headset make you feel like you're actually in Skyrim like never before.
On Thursday night, Elon Musk upstaged his own semi truck launch with the news that Tesla is going to build a new performance car, the Roadster. The specs certainly have the Internet ablaze this morning: a 200kWh battery and 620-mile (1,000km) range, 0-60mph in 1.9 seconds, the standing quarter-mile in 8.9 seconds, and a top speed of 250mph. That's truly impressive—particularly if it costs just $200,000. But Musk's claims that it will be the "fastest production car ever made, period" seem more than a little hyperbolic from where I'm sitting.
You see, we're entering another one of those automotive arms races, where engineers and designers attempt to outdo each other in the performance stakes with ever-more extreme hypercars. Tesla will not be the only game in town. In fact, it's only just getting ready to take to the pitch.
Supercars are passé; it's all about the hypercar now
Supercars like the McLaren F1 and Ferrari Enzo used to be the last word in four-wheeled performance until a reborn Bugatti came along and rewrote the rules. The Veyron, which arrived in 2005, boasted an 8.0L W16 engine, 987hp (736kW), and a 253mph (407km/h) top speed. The supercar was dethroned, and the hypercar became king. But achieving massive power and bonkers performance from an internal combustion engine is old hat—even if Bugatti is sticking to the formula with the Chiron.
In a statement to CNBC this morning, Apple said its HomePod smart speaker will be released in 2018, not by the end of this year as originally announced.
Here is the company's statement:
We can't wait for people to experience HomePod, Apple's breakthrough wireless speaker for the home, but we need a little more time before it's ready for our customers... We'll start shipping in the US, UK and Australia in early 2018.
The 7-inch-tall HomePod was expected to launch in December. It will cost $349 and bring Siri into any room in your house in which it wasn't already present, allowing for voice features like answering questions and managing your smart home. That said, Apple said the main focus of the HomePod is music. The device will feature an A8 processor—the same found in the iPhone 6—and will sense the layout of the room and adjust its audio output for optimal acoustics. It will also work in tandem with other HomePods wirelessly to provide home-wide coverage or deliver stereo sound.
In early September, one Bitcoin was worth almost $5,000. Then the Chinese government cracked down on cryptocurrency investments, and Bitcoin's value plunged 40 percent in a matter of days, reaching a low below $3,000.
But Bitcoin bounced back. By early November, one Bitcoin was worth almost $8,000. Then last week, a controversial effort to expand the Bitcoin network's capacity failed. Within days, Bitcoin's price had plunged 25 percent, while the value of a rival network called Bitcoin Cash doubled.
Today, Bitcoin has recovered all of last week's losses—one Bitcoin is now worth more than $7,800.
Phone companies are now authorized to be more aggressive in blocking robocalls before they reach customers' landlines or mobile phones, but you might have to pay for the new blocking capabilities.
The Federal Communications Commission yesterday issued an order to "expressly authorize voice service providers to block robocalls that appear to be from telephone numbers that do not or cannot make outgoing calls, without running afoul of the FCC's call completion rules."
Carriers will thus have greater ability to block calls in which the Caller ID has been spoofed or in which the number is invalid. Caller ID spoofing hides the caller's true identity and is one of the biggest sources of illegal robocalls.