Microsoft Employees Exposed Own Company’s Internal Logins

Multiple people who appear to be employees of Microsoft have exposed sensitive login credentials to the company’s own infrastructure on GitHub, potentially offering attackers a gateway into internal Microsoft systems, according to a cybersecurity research firm that found the exposed credentials. Motherboard reports: “We continue to see that accidental source code and credential leakages are part of the attack surface of a company, and it’s becoming more and more difficult to identify in a timely and accurate manner. This is a very challenging issue for most companies these days,” Mossab Hussein, chief security officer at cybersecurity firm spiderSilk which discovered the issue, told Motherboard in an online chat. Hussein provided Motherboard with seven examples in total of exposed Microsoft logins. All of these were credentials for Azure servers. Azure is Microsoft’s cloud computer service and is similar to Amazon Web Services. All of the exposed credentials were associated with an official Microsoft tenant ID. A tenant ID is a unique identifier linked to a particular set of Azure users. One of the GitHub users also listed Microsoft on their profile.

Three of the seven login credentials were still active when spiderSilk discovered them, with one seemingly uploaded just days ago at the time of writing. The other four sets of credentials were no longer active but still highlighted the risk of workers accidentally uploading keys for internal systems. Microsoft refused to elaborate on what systems the credentials were protecting when asked multiple times by Motherboard. But generally speaking, an attacker may have an opportunity to move onto other points of interest after gaining initial access to an internal system. One of the GitHub profiles with exposed and active credentials makes a reference to the Azure DevOps code repository. Highlighting the risk that such credentials may pose, in an apparently unrelated hack in March attackers gained access to an Azure DevOps account and then published a large amount of Microsoft source code, including for Bing and Microsoft’s Cortana assistant. “We’ve investigated and have taken action to secure these credentials,” said a Microsoft spokesperson in a statement. “While they were inadvertently made public, we haven’t seen any evidence that sensitive data was accessed or the credentials were used improperly. We’re continuing to investigate and will continue to take necessary steps to further prevent inadvertent sharing of credentials.”

Read more of this story at Slashdot.

Drought-Stricken States To Get Less From Colorado River

For the second year in a row, Arizona and Nevada will face cuts in the amount of water they can draw from the Colorado River as the West endures an extreme drought, federal officials announced Tuesday. The Associated Press reports: The cuts planned for next year will force states to make critical decisions about where to reduce consumption and whether to prioritize growing cities or agricultural areas. The cuts will also place state officials under renewed pressure to plan for a hotter, drier future and a growing population. Mexico will also face cuts. “We are taking steps to protect the 40 million people who depend on the Colorado River for their lives and livelihoods,” said Camille Touton, commissioner of the Bureau of Reclamation.

The river provides water across seven states and in Mexico and helps feed an agricultural industry valued at $15 billion a year. Cities and farms are anxiously awaiting official estimates of the river’s future water levels that will determine the extent and scope of cuts to their water supply. That’s not all. In addition to those already-agreed-to cuts, the Bureau of Reclamation said Tuesday that states had missed a deadline to propose at least 15% more cuts needed to keep water levels at the river’s storage reservoirs from dropping even more. For example, officials have predicted that water levels at Lake Mead, the nation’s largest reservoir, will plummet further. The lake is currently less than a quarter full. “The states collectively have not identified and adopted specific actions of sufficient magnitude that would stabilize the system,” Touton said.

Read more of this story at Slashdot.

New US Privacy Law May Give Telecoms Free Pass On $200 Million Fines

An anonymous reader quotes a report from Motherboard: The American Data Privacy and Protection Act (ADPPA), a new federal privacy bill that has actually a chance of becoming law, is designed to introduce new privacy protections for Americans. But it may also have the side effect of wiping out $200 million worth of fines proposed against some of the country’s biggest telecommunications companies as part of a major location-data selling scandal in which the firms sold customer data that ended up in the hands of bounty hunters and other parties. The issue centers around the ADPPA’s shift of enforcement for privacy related matters from the Federal Communications Commission (FCC), which proposed the fines, to the Federal Trade Commission (FTC). The news highlights the complex push and pulls when developing privacy legislation, and some of the pitfalls along the way.

The FCC proposed the $200 million fines in February 2020. The fines came after Motherboard revealed that the carriers sold phone location data to a complex supply chain of companies which then provided it to hundreds of bounty hunters and other third parties, including someone that allowed Motherboard to track a phone for just $300. The fines also came after The New York Times and the office of Sen. Ron Wyden found that the carriers sold location data in a similar method to a company called Securus, which allowed law enforcement officials to track the location of phones without a warrant. A former sheriff abused the tool to spy on judges and other officials. The offending telecoms — AT&T, T-Mobile, Sprint, Verizon — said they stopped the sale of location data at varying points in time in response to the investigations. The FCC then found that the carriers broke the law by selling such data.

FCC Press Secretary Paloma Perez told Motherboard in an emailed statement that “our real-time location information is some of the most sensitive data there is about us, and it deserves the highest level of privacy protection. That is why the FCC has proposed more than $200 million in fines against the nation’s largest wireless carriers for selling their customers’ location data. Through our continued oversight we have ensured that these carriers are no longer monetizing their consumers’ real-time location in this way, and we are continuing our investigation into these practices and expect to reach a conclusion very soon.” In July FCC Chairwoman Jessica Rosenworcel sent letters to a host of U.S. telecommunications, tech, and retail companies to ask about their use of location data.

Read more of this story at Slashdot.

WeWork’s Former CEO Has a New Startup, Reportedly Valued At More Than $1 Billion

Nearly three years after Adam Neumann stepped down as CEO of WeWork following a failed attempt to take the company public, he is said to once again be in charge of a billion-dollar real estate startup. CNN Business reports: Andreessen Horowitz, the prominent venture capital firm known for its early investments in Twitter and Airbnb, has pumped about $350 million into Neumann’s newest venture, called Flow, according to The New York Times, citing unnamed sources briefed on the deal. The investment valued the startup at more than $1 billion, according to the report. In a blog post Monday, Marc Andreessen, cofounder and general partner at the VC firm, announced the investment, without disclosing financial details. He also explained his thinking for backing Flow, a residential real estate company, and Neumann despite the founder’s high-profile fall from grace at WeWork.

“Adam is a visionary leader who revolutionized the second largest asset class in the world — commercial real estate — by bringing community and brand to an industry in which neither existed before,” Andreessen wrote in his post Monday. “Adam, and the story of WeWork, have been exhaustively chronicled, analyzed, and fictionalized — sometimes accurately. For all the energy put into covering the story, it’s often under appreciated that only one person has fundamentally redesigned the office experience and led a paradigm-changing global company in the process: Adam Neumann.” It’s not immediately clear how Flow seeks to revolutionize the residential housing industry. Flow currently has a bare bones website, with the slogan “Live life in flow” and two words stating it will launch in 2023.

Andreessen positioned the new company as a long-awaited solution to the nation’s “housing crisis.” He used a mix of jargon-filled terms — “community-driven, experience-centric service” — to explain how the new startup would “create a system where renters receive the benefits of owners.” “We think it is natural that for his first venture since WeWork, Adam returns to the theme of connecting people through transforming their physical spaces and building communities where people spend the most time: their homes,” Andreessen wrote. “Residential real estate — the world’s largest asset class — is ready for exactly this change.”

Read more of this story at Slashdot.

An Eye Implant Engineered From Proteins In Pigskin Restored Sight In 14 Blind People

According to a new study published in the journal Nature Biotechnology, researchers implanted corneas made from pig collagen to restore sight in 20 people who were blind or visually impaired. “Fourteen of the patients were blind before they received the implant, but two years after the procedure, they had regained some or all of their vision,” notes NBC News. “Three had perfect vision after the surgery.” From the report: The patients, in Iran and India, all suffered from keratoconus, a condition in which the protective outer layer of the eye progressively thins and bulges outward. “We were surprised with the degree of vision improvement,” said Neil Lagali, a professor of experimental ophthalmology at Linkoping University in Sweden who co-authored the study. Not all patients experienced the same degree of improvement, however. The 12 Iranian patients wound up with an average visual acuity of 20/58 with glasses; functional vision is defined as 20/40 or better with lenses. Nonetheless, Dr. Marian Macsai, a clinical professor of ophthalmology at the University of Chicago who wasn’t involved in the study, said the technology could be a game changer for those with keratoconus, which affects roughly 50 to 200 out of every 100,000 people. It might also have applications for other forms of corneal disease.

To create the implant, Lagali and his team dissolved pig tissue to form a purified collagen solution. That was used to engineer a hydrogel that mimics the human cornea. Surgeons then made an incision in a patient’s cornea for the hydrogel. “We insert our material into this pocket to thicken the cornea and to reshape it so that it can restore the cornea’s function,” Lagali said. Traditionally, human tissue is required for cornea transplants. But it’s in short supply, because people must volunteer to donate it after they die. So, Lagali said, his team was looking for a low-cost, widely available substitute. “Collagen from pigskin is a byproduct from the food industry,” he said. “This makes it broadly available and easier to procure.” After two years, the patients’ bodies hadn’t rejected the implants, and they didn’t have any inflammation or scarring.

But any experimental medical procedure comes with risk. In this case, Soiberman said, a foreign molecule like collagen could induce an immune reaction. The researchers prescribed patients an eight-week course of immunosuppressive eyedrops to lower the risk, which is less than the amount given to people who receive cornea transplants from human tissue. In those cases, patients take immunosuppressive medicine for more than a year, Lagali said. “There’s always a risk for rejection of the human donor tissue because it contains foreign cells,” he said. “Our implant does not contain any cells … so there’s a minimal risk of rejection.” The procedure itself was also quicker than traditional cornea transplants. The researchers said each operation took about 30 minutes, whereas transplants of human tissue can take a couple of hours. […] It’s not yet clear whether the surgery would work for patients who have other forms of corneal disease aside from keratoconus.

Read more of this story at Slashdot.

Thieves Stole $23 Million in One of the Largest YouTube Royalties Scams Ever

“Need an easy way to make $23 million?” asks Mashable.
“Have you ever considered just claiming music others uploaded to YouTube as your own and collecting the royalties?

That’s basically all two Phoenix men did to swindle Latin music artists like Daddy Yankee and Julio Iglesias out of millions of dollars in royalties, as detailed in a new piece from Billboard last week.

According to Kristin Robinson of Billboard, Jose “Chenel” Medina Teran and Webster Batista set up a media company called MediaMuv and claimed to own the rights to various Latin music songs and compositions. In total, MediaMuv claimed to own more than 50,000 copyrights since 2017, when Teran and Batista began their scheme.

In order for MediaMuv to claim these copyrights and collect royalties through YouTube’s Content ID system, the fraudulent company needed to partner with AdRev, a third-party company that has access to YouTube’s CMS and Content ID tools and helps artists manage their digital copyrights. MediaMuv created a few fake documents and provided AdRev with this paperwork in order to prove ownership over the music it claimed. From there, AdRev not only helped MediaMuv collect royalties for those copyrights but also provided Terana and Batista with direct access to YouTube’s CMS so they could claim copyrights on its own.

Teran and Batista’s four-year-long royalties heist came to an end late last year following an investigation from the IRS. According to Billboard, the two were indicted on “30 counts of conspiracy, wire fraud, money laundering and aggravated identity theft.”

Mashable calls it “a huge reminder that online copyright is deeply flawed…”

“[J]ust think about how many more careful scammers are still skimming royalties off of an untold number of artists.”

Read more of this story at Slashdot.

Rust 1.63 Released, Adding Scoped Threads

This week the Rust team announced the release of Rust 1.63.

One noteable update? Adding scoped threads to the standard library:

Rust code could launch new threads with std::thread::spawn since 1.0, but this function bounds its closure with ‘static. Roughly, this means that threads currently must have ownership of any arguments passed into their closure; you can’t pass borrowed data into a thread. In cases where the threads are expected to exit by the end of the function (by being join()’d), this isn’t strictly necessary and can require workarounds like placing the data in an Arc.

Now, with 1.63.0, the standard library is adding scoped threads, which allow spawning a thread borrowing from the local stack frame. The std::thread::scope API provides the necessary guarantee that any spawned threads will have exited prior to itself returning, which allows for safely borrowing data.
The official Rust RFC book says “The main drawback is that scoped threads make the standard library a little bit bigger,” but calls it “a very common and useful utility…great for learning, testing, and exploratory programming.

“Every person learning Rust will at some point encounter interaction of borrowing and threads. There’s a very important lesson to be taught that threads can in fact borrow local variables, but the standard library [didn’t] reflect this.” And otherwise, “Implementing scoped threads is very tricky to get right so it’s good to have a reliable solution provided by the standard library.”

Read more of this story at Slashdot.

Researchers: It’s ‘Unlikely’ There’s Water- or Ice-Saturated Layers Below InSight Mars Lander

Did Mars ever support life? One clue might be quantifying just how much ice (and other minerals) are lurking just below the planet’s surface, a team of researchers argued this month. “If life exists on Mars, that is where it would be,” they said in a news release this week. “There is no liquid water on the surface,” but in a contrary scenario, “subsurface life would be protected from radiation.”

Locating ice and minerals has another benefit too, they write in the journal Geophysical Research Letters: to “prepare for human exploration.” And fortunately, there’s a tool on the InSight lander (which touched down in 2018) that can help estimate the velocity of seismic waves inside the geological crust of Mars — velocities which change depending on which rock types are present, and which materials are filling pores within rocks (which could be ice, water, gas, or other mineral cements).

That’s the good news. But after running computer models of applied rock physics thousands and thousands of times, the researchers believe it’s unlikely that there’s any layers saturated with water (or ice) in the top 300 meters (1,000 feet) of the crust of Mars. “Model results confirm that the upper 300 meters of Mars beneath InSight is most likely composed of sediments and fractured basalts.”

The researchers reached a discouraging conclusion, reports Space.com “The chances of finding Martian life appear poor at in the vicinity of NASA’s InSight lander.”
The subsurface around the landing zone — an equatorial site chosen especially for its flat terrain and good marsquake potential — appears loose and porous, with few ice grains in between gaps in the crust, researchers said…. The equatorial region where InSight is working, in theory, should be able to host subsurface water, as conditions are cold enough even there for water to freeze. But the new finding is challenging scientists’ assumptions about possible ice or liquid water beneath the subsurface near InSight, whose job is to probe beneath the surface.

While images from the surface have suggested there might be sedimentary rock and lava flows beneath InSight, researchers’ models have uncertainties about porosity and mineral content. InSight is helping to fill in some of those gaps, and its new data suggests that “uncemented material” largely fills in the region blow the lander. That suggests little water is present, although more data needs to be collected.

It’s unclear how representative the InSight data is of the Martian subsurface in general, but more information may come courtesy of future missions. NASA is considering a Mars Life Explorer that would drill 6 feet (2 meters) below the surface to search for possible habitable conditions. Additionally, a proposed Mars Ice Mapper Mission could search for possible water reservoirs for human missions.

And of course, as the researchers point out in their announcement, “big ice sheets and frozen ground ice remain at the Martian poles.”

Read more of this story at Slashdot.