Catalin Cimpanu, reporting at Record: Security researchers have found a new set of vulnerabilities that impact hundreds of millions of servers, smart devices, and industrial equipment. Called NAME:WRECK, the vulnerabilities have been discovered by enterprise IoT security firm Forescout as part of its internal research program named Project Memoria -- which the company describes as "an initiative that aims at providing the cybersecurity community with the largest study on the security of TCP/IP stacks." Although never visible to end-users, TCP/IP stacks are libraries that vendors add to their firmware to support internet connectivity and other networking functions for their devices. These libraries are very small but, in most cases, underpin the most basic functions of a device, and any vulnerability here exposes users to remote attacks. The NAME:WRECK research is the fifth set of vulnerabilities impacting TCP/IP libraries that have been disclosed over the past three years, and the third set disclosed part of Project Memoria.

Professional political trolling is still a thriving underground industry around the world, despite crackdowns from the biggest tech firms. From a report: Coordinated online disinformation efforts offer governments and political actors a fast, cheap way to get under rivals' skin. They also offer a paycheck to people who are eager for work, typically in developing countries. "It's a more sophisticated means of disinformation to weaken your advisories," said Todd Carroll, CISO and VP of Cyber Operations at CybelAngel. Facebook last week said it had uncovered a massive troll farm in Albania, linked to an Iranian militant group. The operation had the the hallmarks of a typical troll farm, which Facebook defines as "a physical location where a collective of operators share computers and phones to jointly manage a pool of fake accounts as part of an influence operation." "The main thing we saw was strange signals centralized coordination between different fake accounts," said Ben Nimmo, Facebook's global influence operations threat intelligence lead. Like numerous troll farms uncovered over the past few years, there was one easy giveaway: content from the network targeted Iran, but was posted on social media during normal working hours on Central European Time.

An Indian security researcher has published today proof-of-concept exploit code for a recently discovered vulnerability impacting Google Chrome, Microsoft Edge, and other Chromium-based browsers like Opera and Brave. From a report: The researcher, Rajvardhan Agarwal, told The Record today that the exploit code is for a Chromium bug that was used during the Pwn2Own hacking contest that took place last week. During the contest, security researchers Bruno Keith (@bkth_) & Niklas Baumstark (@_niklasb) of Dataflow Security used a vulnerability to run malicious code inside Chrome and Edge, for which they received $100,000. Per contest rules, details about this bug were handed over to the Chrome security team so the bug could be patched as soon as possible. While details about the exact nature of the bug were never publicly disclosed, Agarwal told The Record he spotted the patches for this bug by looking at the source code commits to the V8 JavaScript engine, a component of the Chromium open-source browser project, which allowed him to recreate the Pwn2Own exploit, which he uploaded earlier today on GitHub, and shared on Twitter. However, while Chromium developers have patched the V8 bug last week, the patch has not yet been integrated into official releases of downstream Chromium-based browsers such as Chrome, Edge, and others, which are still vulnerable to attacks.

Google has announced that the Google Play Movies and TV app will no longer be available on any Roku set-top box or any Samsung, LG, Vizio or Roku smart TV starting July 15th. The Verge reports: If you have movies or TV shows purchased or rented through the service, you'll still be able to access them through the "Your movies and shows" section of the YouTube app on those devices. This change will also affect you if if you used the Movies and TV app to access Movies Anywhere, the service that allows you to redeem codes from DVDs and Blu-rays so you can access your media digitally. Google has confirmed to The Verge that users who relied on Play Movies and TV to access that content will be able to do so through YouTube.

There are a few other caveats to note in the transition to YouTube. Your Watchlist will no longer be viewable in the app (though it can still be seen on the web by Googling "my watchlist"), and while your family can still share the content you bought from the Movie and TV store, any purchases made in the YouTube app won't be shared with your family. [The Verge's article breaks down all the various ways you can access the content you purchased through the Play Store after July 15th.]

The New York Times explores whether Substack is just a company that makes it easy to charge for newsletters — or a new direct-to-consumer media that's part of a larger cultural shift? This new ability of individuals to make a living directly from their audiences isn't just transforming journalism. It's also been the case for adult performers on OnlyFans, musicians on Patreon, B-list celebrities on Cameo. In Hollywood, too, power has migrated toward talent, whether it's marquee showrunners or actors. This power shift is a major headache for big institutions, from The New York Times to record labels. And Silicon Valley investors, eager to disrupt and angry at their portrayal in big media, have been gleefully backing it. Substack embodies this cultural shift, but it's riding the wave, not creating it...

A New York Times opinion writer, Charlie Warzel, is departing to start a publication on Substack called Galaxy Brain... The Times wouldn't comment on his move, but is among the media companies trying to develop its own answer to Substack and recently brought the columnist Paul Krugman's free Substack newsletter to the Times platform... [T]he biggest threat to Substack is unlikely to be the Twitter-centric political battles among some of its writers. The real threat is competing platforms with a different model. The most technically powerful of those is probably Ghost, which allows writers to send and charge for newsletters, with monthly fees starting at $9. While Substack is backed by the venture capital firm Andreessen Horowitz, Ghost has Wikipedia vibes: It is open-source software developed by a nonprofit...

And it's easy to leave. Unlike on Facebook or Twitter, Substack writers can simply take their email lists and direct connections to their readers with them. Substack's model of taking 10 percent of its writers' subscriptions is "too greedy of a slice to take of anyone's business with very little in return," said Ghost's founder and chief executive, John O'Nolan, a tattooed, nomadic Irishman who is bivouacked in Hollywood, Fla. He said he believed subscription newsletter publishing was "destined to be commoditized."

But Ghost represents an even purer departure from legacy media. More than half of the sites on the platform simply run the software off their own servers. "The technology is designed to be decentralized, and there's no one institution or one corporation that can decide what is OK," he said.
The article also notes that Twitter recently bought the newsletter platform Revue, while Facebook "is developing ambitious plans for a rival that will provide a platform for local journalists, among other writers."

And in a section on indie spirit, it adds as an aside that Bustle Digital Group "confirmed to me that it's reviving the legendary blog Gawker under a former Gawker writer, Leah Finnegan."

Google "has utilized a secret program to track bids on its ad-buying platform," writes the New York Post, "and has been accused of using the information to gain an unfair market advantage that raked in hundreds of millions of dollars annually, according to a report." The initiative — dubbed "Project Bernanke" in an apparent reference to former Federal Reserve chairman Ben Bernanke — was detailed in court filings in an ongoing Texas-led antitrust suit, which were initially uploaded to an online docket with incomplete redactions, The Wall Street Journal reported Saturday... Lawyers for the Lone Star State argue, however, that the program was tantamount to insider trading, particularly when combined with Google's complicated, multi-layered role in the online advertising marketplace.

The company operates simultaneously as the operator of a major ad exchange, a representative of both buyers and sellers on the exchange — and a buyer in its own right, according to the suit. By using Project Bernanke's inside information on what other ad buyers were willing to pay for space, Google could tailor its operations to beat out rivals and bid the bare minimum to secure ad inventory, the state reportedly alleges...

Separately, the filings reveal more details about Jedi Blue — an alleged hush-hush deal in which Google allegedly guaranteed that Facebook would win a fixed percentage of advertising deals in which the social media giant bid... Google also admitted that the deal required Facebook to spend $500 million or more in Google's Ad Manager or AdMob bids in the pact's fourth year, and that Facebook agreed to make efforts to win 10 percent of the auctions in which it competed, the WSJ said.

The arrangement appeared "to allow Facebook to bid and win more often in auctions," lawyers for Texas alleged in their filings.

While difficult negotiations continue over a deal to curtail Iran's nuclear ambitions, this morning Iran suddenly experienced a blackout at its underground Natanz atomic facility, the Associated Press reports: While there was no immediate claim of responsibility, suspicion fell immediately on Israel, where its media nearly uniformly reported a devastating cyberattack orchestrated by the country caused the blackout. Israeli Prime Minister Benjamin Netanyahu later Sunday night toasted his security chiefs, with the head of the Mossad, Yossi Cohen, at his side on the eve of his country's Independence Day... Netanyahu, who also met Sunday with U.S. Defense Secretary Lloyd Austin, has vowed to do everything in his power to stop the nuclear deal...

Natanz has been targeted by sabotage in the past. The Stuxnet computer virus, discovered in 2010 and widely believed to be a joint U.S.-Israeli creation, once disrupted and destroyed Iranian centrifuges at Natanz amid an earlier period of Western fears about Tehran's program. Natanz suffered a mysterious explosion at its advanced centrifuge assembly plant in July that authorities later described as sabotage. Iran now is rebuilding that facility deep inside a nearby mountain. Iran also blamed Israel for the November killing of a scientist who began the country's military nuclear program decades earlier.

Multiple Israeli media outlets reported Sunday that an Israeli cyberattack caused the blackout in Natanz. Public broadcaster Kan said the Mossad was behind the attack. Channel 12 TV cited "experts" as estimating the attack shut down entire sections of the facility. While the reports offered no sourcing for their information, Israeli media maintains a close relationship with the country's military and intelligence agencies...

On Tuesday, an Iranian cargo ship said to serve as a floating base for Iran's paramilitary Revolutionary Guard forces off the coast of Yemen was struck by an explosion, likely from a limpet mine. Iran has blamed Israel for the blast. That attack escalated a long-running shadow war in Mideast waterways targeting shipping in the region.

Angel investor Balaji S. Srinivasan (also the former CTO of Coinbase) is now focused on 1729.com, which wants to give you money to do his bidding — or something like that. He's calling it "the first newsletter that pays you.

"It has a regular feed of paid tasks and tutorials with $1000+ in crypto prizes per day, and doubles as a vehicle for distributing a new book I've been writing called The Network State."

His latest post? "How to Start a New Country" (which envisions starting with a "cloud first" digital community): We recruit online for a group of people interested in founding a new virtual social network, a new city, and eventually a new country. We build the embryonic state as an open source project, we organize our internal economy around remote work, we cultivate in-person levels of civility, we simulate architecture in VR, and we create art and literature that reflects our values.

Over time we eventually crowdfund territory in the real world, but not necessarily contiguous territory. Because an under-appreciated fact is that the internet allows us to network enclaves. Put another way, a cloud community need not acquire all its territory in one place at one time. It can connect a thousand apartments, a hundred houses, and a dozen cul-de-sacs in different cities into a new kind of fractal polity with its capital in the cloud. Over time, community members migrate between these enclaves and crowdfund territory nearby, with every individual dwelling and group house presenting an independent opportunity for expansion...

[Cloud countries] are set up to be a scaled live action role-playing game (LARP), a feat of imagination practiced by large numbers of people at the same time. And the experience of cryptocurrencies over the last decade shows us just how powerful such a shared LARP can be...

The cloud country concept "just" requires stacking together many existing technologies, rather than inventing new ones like Mars-capable rockets or permanent-habitation seasteads. Yet at the same time it avoids the obvious pathways of election, revolution, and war — all of which are ugly and none of which provide much venue for individual initiative...

Could a sufficiently robust cloud country with, say, 1-10M committed digital citizens, provable cryptocurrency reserves, and physical holdings all over the earth similarly achieve societal recognition from the United Nations?
For the "do his bidding" part, the post promises that up to ten $100 prizes will be awarded to people who share constructive reviews on their sites/social media pages (including proposals for extensions).

Previously the site had offered $100 for the ten best hirelings "running a newsletter for technological progressives at your own domain, as a way to begin incentivizing the decentralization of media." (It cited a tweet that argues succinctly that "The NYT is telling anti-longevity stories for us. We must take control of our own story.") In general the site describes itself as "a newsletter for technological progressives. That means people who are into cryptocurrencies, startup cities, mathematics, transhumanism, space travel, reversing aging, and initially-crazy-seeming-but-technologically-feasible ideas." So the newsletter-creating task had envisioned them all "constantly pushing for technology in general and reversing aging in particular, writing like their lives depended on it. In other words, blog or die!"

Other rewards went to the first 10 people to complete three Elixir problems, the 100 people who posted the best inspiring proof-of-exercising photos, and 40 people who helped identify people and places "where the ascending world is surpassing the declining world."

For one of his latest "tasks," Srinivasan wants you to read a long essay on quantum computing (and answer questions), with an optional series of "review emails". $10 in bitcoin will be awarded only to the first and last 50 readers/question-answerers, while another $100 in bitcoin will be awarded to the first and last 5 review-email readers who "persist for a month."

An anonymous reader quotes a report from The Record: The FBI has arrested on Thursday a Texas man who planned to blow up one of the Amazon Web Services (AWS) data centers in an attempt to "kill of about 70% of the internet." Seth Aaron Pendley, 28, of Wichita Falls, Texas, was arraigned in front of a Texas judge today and formally indicted with a malicious attempt to destroy a building with an explosive.

The US Department of Justice said Pendley was arrested on Thursday after he tried to acquire C-4 plastic explosives from an undercover FBI employee in Fort Worth, Texas. The FBI said they learned of Pendley's plans after the suspect confided in January 2021 via Signal, an encrypted communications app, to a third-party source about plans to blow up one of Amazon's Virginia-based data centers. The source alerted the FBI and introduced the suspect to the undercover agent on March 31. "The suspect allegedly told an FBI agent that he wanted to attack Amazon's data center because the company was providing web servers to the FBI, CIA, and other federal agencies and that he hoped to bring down 'the oligarchy' currently in power in the United States," the report says.

Pendley could face up to 20 years in federal prison if he's found guilty and convicted.

An anonymous reader quotes a report from Bloomberg: IOUpay, a fintech firm that went into overdrive on a social media-backed retail trading frenzy, has plummeted in the past two months. The stock is set for more declines as the firm's newly launched buy-now-pay-later services -- which allows customers to purchase goods and then pay for them in installments -- faces intensified competition in Southeast Asia from larger Australian rival Afterpay, say analysts. IOUpay had drawn comparisons to U.S. videogame retailer GameStop after surging 6,400% in the past year as it has been the subject of several discussion threads on Reddit. The Reddit-fueled day-trading crowd turned the first quarter of 2021 into one of the wildest periods of stock market frenzy in modern history. Despite a more than 40% slump since mid-February, IOUpay remains Asia's top-performing interactive media and services stock over the past year.

The wild ride by IOUpay, which lists Standard Chartered Plc and Citigroup as its clients, began in June after it was touted by investors on Reddit. Its shares continued gaining on a "buy now, pay later" deal with Malaysian online marketplace Easystore. That partnership inked in February sparked a more than 200% rally in its stock over a three-day period. "We may see the price subdued for a long period of time as retail investors get bored waiting and sell out to find something more exciting," said Carl Capolingua, an analyst at online brokerage ThinkMarkets Australia. "The question will be if they can get traction in the Asian markets they're targeting before the bigger players come in."

Data from 500 million LinkedIn users has been scraped and is for sale online, according to a report from Cyber News. A LinkedIn spokesperson confirmed to Insider that there is a dataset of public information that was scraped from the platform. From a report: "While we're still investigating this issue, the posted dataset appears to include publicly viewable information that was scraped from LinkedIn combined with data aggregated from other websites or companies," a LinkedIn spokesperson told Insider in a statement. "Scraping our members' data from LinkedIn violates our terms of service and we are constantly working to protect our members and their data." LinkedIn has 740 million users, according to its website, so the reported data scraping of 500 million users means about two-thirds of the platform's user base could be affected. The data includes account IDs, full names, email addresses, phone numbers, workplace information, genders, and links to other social media accounts.

A second senior Australian government minister has revealed his mobile phone was hacked through the Telegram messaging app, with a media report saying the phishing scam was aimed at revealing contact details of pro-democracy activists in Hong Kong. From a report: Health Minister Greg Hunt's office said in an emailed statement on Thursday that "a cyber security attempt to impersonate the minister has been referred to the Australian Federal Police and investigations are underway." That follows Monday's statement by Finance Minister Simon Birmingham that he had been targeted. The Australian newspaper reported late Wednesday that the details of pro-democracy Hong Kongers were provided to someone impersonating Birmingham, with one of the recipients being asked: "Do you have any contacts in Hong Kong?" The person handed over details of Hong Kongers without realizing they were speaking to a cyber-hacker, the paper said, citing the person who it didn't identify.

According to a new report, YouTube has dethroned Facebook to become the most popular social media platform. Engadget reports: According to the report, YouTube and Facebook are the most widely used platforms. But of the two, only YouTube is still growing, increasing its share of users from 73 percent of adults in 2019, to 81 percent in 2021. Facebook's numbers, meanwhile, remained unchanged from 2019 at 69 percent. "Facebook's growth has leveled off over the last five years, but it remains one of the most widely used social media sites among adults in the United States," Pew writes in its report.

Flat growth wasn't unique to just Facebook, either. According to Pew, the only other platform to see "statistically significant" growth since 2019 was Reddit, which grew from 11 percent in 2019 to 18 percent in 2021. "This represents a broader trend that extends beyond the past two years in which the rapid adoption of most of these sites and apps seen in the last decade has slowed," Pew says. The report also found that 49 percent of Facebook users say they check the site multiple times a day, compared to just over a third of YouTube users visiting the platform more frequently than once a day.

Another interesting insight is that YouTube is the most dominant platform among 18 to 29-year-olds at 95 percent, followed by Instagram with 71 percent, Facebook at 70 percent, Snapchat with 65 percent, and TikTok at 48 percent.

An anonymous reader quotes a report from The Record: The company behind the UseCrypt Messenger encrypted instant messaging application filed a lawsuit last month against a Polish security researcher for publishing an article that exposed a vulnerability in the app's user invite mechanism. The lawsuit targets Tomasz Zieliski, the editor of Informatyk Zakadowy, a Polish blog dedicated to IT topics, and denounces one of the site's articles, published in October 2020. The article describes how Zielinski found that in some cases, when UseCrypt Messenger users wanted to invite a friend to the app, the application used an insecure domain (autofwd.com) to send out user invitations. Zielinski found that besides running on an insecure HTTP connection, the AutoFWD.com website was also vulnerable to SQL injection and cross-site scripting (XSS) vulnerabilities that would have allowed anyone to hijack the site and then read or tamper with UseCrypt invitations. But while the authors of the AutoFWD.com website admitted to the security weaknesses in their service and shut down their website, Zieliski received a firm rebuttal of his research from V440 SA, the legal entity behind the UseCrypt Messenger.

In a message the company sent Zieliski a day after his blog post went live, they claimed his research contained "false information." In a message the company sent Zieliski a day after his blog post went live, they claimed his research contained "false information." V440 SA said their app did not use the AutoFWD.com service to handle user invitations but instead relied on an in-house solution hosted on the get.usecryptmessenger.com domain. But in a subsequent update, Zieliski claims that the UseCrypt team was lying and that, in reality, they silently patched their app to remove the AutoFWD.com from its user invite mechanism after his research was posted online and were merely trying to dismiss his findings, even after he notified them in advance of his research. To make matters worse, V440 SA had reportedly filed criminal complaints against not only Zielinksi's blog but also against Niebezpiecznik and Zaufana Trzecia Strona, two other Polish IT security blogs, claiming that the three were working as part of an "organized criminal group."

"Requests to remove articles, requests for apologies and other letters from law firms addressed to our editors will not make us stop being interested in a certain issue," the editors of the Polish blogs said in a joint statement. It's currently unknown if there is actually a criminal investigation underway against the three sites or if this is just an intimidation tactic.

Facebook did not notify the more than 530 million users whose details were obtained through the misuse of a feature before 2019 and recently made public in a database, and does not currently have plans to do so, a company spokesman said on Wednesday. Reuters: Business Insider reported last week that phone numbers and other details from user profiles were available in a public database. Facebook said in a blog post on Tuesday that "malicious actors" had obtained the data prior to September 2019 by "scraping" profiles using a vulnerability in the platform's tool for synching contacts. The Facebook spokesman said the social media company was not confident it had full visibility on which users would need to be notified. He said it also took into account that users could not fix the issue and that the data was publicly available in deciding not to notify users. Facebook has said it plugged the hole after identifying the problem at the time. Further reading: Facebook Says It's Your Fault That Hackers Got Half a Billion User Phone Numbers.

Twitter held talks in recent months to acquire Clubhouse, the buzzy audio-based social network, Bloomberg reported Wednesday, citing people familiar with the matter. From the report: The companies discussed a potential valuation of roughly $4 billion for Clubhouse, the people said, asking not to be identified because the matter is private. Discussions are no longer ongoing, and it's unclear why they stalled, the people added. [...] Clubhouse is barely a year old but has drawn appearances from some of the biggest names in business and Hollywood. Established social media companies have quickly gone to work on their own versions of Clubhouse, including Twitter. Facebook is exploring one, too, and Microsoft's LinkedIn and Slack have also said they're working on similar features for their networks.

General Motors confirmed it's making an all-electric version of the Chevy Silverado pickup truck with around 400 miles of range on a full charge. The Verge reports: The company did not immediately say when the electric Silverado will go on sale, but GM president Mark Reuss said at an event on Tuesday that the company will also make commercial fleet-focused versions of the truck. The electric Silverado will be made at "Factory Zero," the recently rebranded Detroit-Hamtramck plant dedicated to EVs and AVs that GM is currently retooling at a cost of more than $2 billion. It's the same plant where GM will build the all-electric Hummer SUV and Hummer pickup.

The Silverado EV will undoubtedly be a flagship vehicle of the custom electric vehicle platform GM announced last year, called Ultium. Designed to be modular, the Ultium platform is what will power most of GM's forthcoming electric vehicles. The company has promised the platform will be able to provide as much as 400 miles of range in the biggest configurations, and that the trucks built on Ultium will feature 800-volt architecture that allows for really fast charging.

E3 will return in 2021 as a "reimagined, all-virtual" event, organizers announced Tuesday. E3 2021 will take place June 12-15, and will feature content from Nintendo, Xbox, Capcom, Konami, Ubisoft, Take-Two Interactive, Warner Bros. Games, and Koch Media, the Entertainment Software Association (ESA) said in a news release. From a report: Game developers and publishers will showcase their games at E3 2021 "directly to fans around the world," the ESA said. E3 2021 content will be free to access, thanks to unannounced global media partners. "We are evolving this year's E3 into a more inclusive event, but will still look to excite the fans with major reveals and insider opportunities that make this event the indispensable center stage for video games," said Stanley Pierre-Louis, president and CEO of the ESA. While this year's E3 will be virtual, organizers say they are planning for an in-person E3 2022.

Researchers at the Queen Mary University of London have shown that you can collect "environmental DNA" (eDNA) from the air. Engadget reports: The team used a peristaltic pump combined with pressure filters to grab samples of naked mole rat DNA for five to 20 minutes, and then used standard kits to find and sequence genes in the resulting samples. This method not only pinpointed the mole rats' DNA (both in their housing and in the room at large), but caught some human DNA at the same time.

Lead author Dr. Elizabeth Claire said the work was originally meant to help conservationists and ecologists study biological environments. With enough development, though, it could be used for considerably more. Forensics units could pluck DNA from the air to determine if a suspect had been present at the scene of a crime. It might also be useful in medicine -- virologists and epidemiologists could understand how airborne viruses (like the one behind COVID-19) spread.

A data leak involving personal details of hundreds of millions of Facebook users is being reviewed by Ireland's Data Protection Commission (DPC). The BBC reports: The database is believed to contain a mix of Facebook profile names, phone numbers, locations and other facts about more than 530 million people. Facebook says the data is "old," from a previously-reported leak in 2019. But the Irish DPC said it will work with Facebook, to make sure that is the case.

Ireland's regulator is critical to such investigations, as Facebook's European headquarters is in Dublin, making it an important regulator for the EU. The most recent data dump appears to contain the entire compromised database from the previous leak, which Facebook said it found and fixed more than a year and a half ago. But the dataset has now been published for free in a hacking forum, making it much more widely available. It covers 533 million people in 106 countries, according to researchers who have viewed the data. That includes 11 million Facebook users in the UK and more than 30 million Americans. The DPC's deputy commissioner Graham Doyle said the recent data dump "appears to be" from the previous leak -- and that the data-scraping behind it had happened before the EU's GDPR privacy legislation was in effect.

"However, following this weekend's media reporting we are examining the matter to establish whether the dataset referred to is indeed the same as that reported in 2019," he added.