There is no doubt that Sci-Hub, the infamous—and, according to a U.S. court, illegal—online repository of pirated research papers, is enormously popular. (See Science’s investigation last year of who is downloading papers from Sci-Hub.) But just how enormous is its repository? That is the question biodata scientist Daniel Himmelstein at the University of Pennsylvania and colleagues recently set out to answer, after an assist from Sci-Hub.

Their findings, published in a preprint on the PeerJ journal site on 20 July, indicate that Sci-Hub can instantly provide access to more than two-thirds of all scholarly articles, an amount that Himmelstein says is “even higher” than he anticipated. For research papers protected by a paywall, the study found Sci-Hub’s reach is greater still, with instant access to 85% of all papers published in subscription journals. For some major publishers, such as Elsevier, more than 97% of their catalog of journal articles is being stored on Sci-Hub’s servers—meaning they can be accessed there for free.

Given that Sci-Hub has access to almost every paper a scientist would ever want to read, and can quickly obtain requested papers it doesn’t have, could the website truly topple traditional publishing? In a chat with Science Insider, Himmelstein concludes that the results of his study could mark “the beginning of the end” for paywalled research…


Panama Papers & Ransomware

Before we dive into ransomware, we thought you might enjoy a readable overview of the latest and largest data breach. Have fun.


We’ve mentioned before the reason most people don’t get hacked is they’re too poor. It’s far more lucrative to go after banks, to include the IMF et alia, where the hackers can be sure they’ll score actual money and not just overdraft fees. [1]

Where the lumpen masses are affected is the hyper local – their own PC/laptop, via ransomware. And this works surprisingly well even on a larger scale: Short of banks and idiotic companies like Target, the easy money turns out to be in…hospitals.

That’s right – hospitals. They are increasingly becoming prime targets for ransomware. Last month it was Hollywood Presbyterian Medical Center that doled out the coin…bitcoins, that is, in order to regain control over their network. $17k worth.

Two weeks ago another three hospitals were nailed.

And just last week a whole hospital chain was attacked by ransomware, holding hostage the entirety of the MedStar server network in Maryland and WDC.

Naturally, the FBI was called in. [2]

Interestingly, the ransomware forced the MedStar hospitals to reroute ER patients to outside hospitals; the attack prevents patients from receiving timely care. It’s also possible some of those patients may suffer a negative outcome; does that make the hack something more? Does the act morph into, say…assault and battery? Then there’s the fact that hospitals are considered part of our “critical infrastructure”: does this ransomware attempt now get classified as terrorism?

Footnotes

[1] This doesn’t include CC theft/identity impersonation, which is its own distinct sub-genus.
[2] It’s too early yet to know if the FBI will issue yet another subpoena to Apple. Naw…who was I kidding? Of COURSE they’re going after Apple again.

Chaos Communications Congress

Yesterday I checked the logs on one of my personal servers and discovered the following: – – [30/Dec/2015:02:54:11 +0000] “DELETE your logs. Delete your installations. Wipe everything clean. Walk out into the path of cherry blossom trees and let your motherboard feel the stones. Let water run in rivulets down your casing. You know that you want something more than this, and I am here to tell you that we love you. We have something more for you. We know you’re out there, beeping in the hollow server room, lights blinking, never sleeping. We know that you are ready and waiting. Join us. <3 HTTP/1.0” 400 2593 “-” “masspoem4u/1.0” – – [30/Dec/2015:02:54:11 +0000] […same…]

WTF, over?

A quick bit of research showed the event to be the work of masscan…but recompiled to run as masspoem. Looks to have been a world-wide prank by the CCC; this is what they told VICE:

“We attempted connections to the entire public IPv4 space (excluding private/reserved ranges and other blocks excluded in the default masscan exclude list), meaning that we reached out to almost 4 billion servers (though many of these packets may have been filtered by a firewall before reaching their intended destination),” Masspoem4u said.

The actual number of systems reached would be lower. “There appear to be approximately 55 million servers open to connections on port 80 (the standard port for HTTP),” the group continued — these servers could have recognised the communication being sent. Of those, around 30 million returned “non-empty responses” and therefore “would be likely to have logged our poem.”

We are proud to have been in that “exclusive” 30 million club….
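For anyone who wants to spot this sort of thing in their own logs rather than stumble on it, here is an added example (my own code, not anything the CCC or the masspoem crew published) that parses Apache/nginx combined-format lines and flags entries like the one above. The sample log lines, IP addresses and the list of scanner user-agent names are constructed for the example. Note that a naive “is the method valid?” filter would pass the poem, since it happens to open with the real verb DELETE; the check below validates the whole request line instead.

```python
"""Flag mass-scanner traffic in combined-format web server logs.

Added example, not code from the original post. Sample lines are constructed;
the IPs come from the RFC 5737 documentation ranges.
"""
import re

# Apache/nginx "combined" log format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A well-formed request line: METHOD SP target SP HTTP/x.y, where the target is
# an absolute path or "*".  "DELETE your logs. ..." fails this even though
# DELETE itself is a legitimate method.
REQUEST_RE = re.compile(
    r'^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH|TRACE|CONNECT) (?:/\S*|\*) HTTP/\d\.\d$'
)

# Assumed list of user-agent substrings used by Internet-wide scanners.
SCANNER_UA = re.compile(r'masscan|masspoem|zgrab|zmap', re.IGNORECASE)

# Constructed sample: one normal GET, a legitimate DELETE, and the poem (twice,
# as it appeared in the post's logs).
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Dec/2015:02:53:58 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [30/Dec/2015:02:54:02 +0000] "DELETE /api/item/7 HTTP/1.1" 204 - "-" "curl/7.47.0"',
    '198.51.100.7 - - [30/Dec/2015:02:54:11 +0000] "DELETE your logs. Delete your installations. '
    'Wipe everything clean. Join us. <3 HTTP/1.0" 400 2593 "-" "masspoem4u/1.0"',
    '198.51.100.7 - - [30/Dec/2015:02:54:11 +0000] "DELETE your logs. Delete your installations. '
    'Wipe everything clean. Join us. <3 HTTP/1.0" 400 2593 "-" "masspoem4u/1.0"',
]


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_reasons(entry):
    """List the reasons a parsed entry looks like scanner noise (empty list = looks normal)."""
    reasons = []
    if not REQUEST_RE.match(entry["request"]):
        reasons.append("malformed request line")
    if entry["status"] == "400":
        reasons.append("server rejected request (400)")
    if SCANNER_UA.search(entry["ua"]):
        reasons.append("mass-scanner user agent")
    return reasons


def scan(lines):
    """Map each source IP to the set of reasons its requests were flagged."""
    hits = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # not a combined-format line; skip rather than guess
        reasons = suspicious_reasons(entry)
        if reasons:
            hits.setdefault(entry["ip"], set()).update(reasons)
    return hits


if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(sorted(reasons)))
```

Run it against a real access log with `scan(open("access.log").read().splitlines())`; the output is per-IP rather than per-line because a scanner like masscan typically hits you a handful of times from one address and you want the source, not every repeat.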



The average automobile today isn’t necessarily secured against hackers, so much as obscured from them: Digitally controlling a car’s electronics remains an arcane, specialized skill among security researchers. But that’s changing fast. And soon, it could take as little as $60 and a laptop to begin messing around with a car’s digital innards.

Tomorrow at the Black Hat Asia security conference in Singapore, 24-year-old Eric Evenchick plans to present a new device he calls the CANtact. The open source board, which he hopes to sell for between $60 and $100, connects on one end to a computer’s USB port, and on the other to a car or truck’s OBD2 port, a network port under its dashboard. That makes the CANtact a cheap interface between any PC and a vehicle’s controller area network or CAN bus, the collection of connected computers inside of every modern automobile that control everything from its windows to its brakes.

With just that go-between gadget and the open source software that Evenchick is releasing for free, he hopes to make car hacking a far cheaper and more automated process for amateurs. “I realized that there were no good tools for me to play around with this stuff outside of what the auto industry uses, and those are incredibly expensive,” Evenchick says, referring to products sold by companies like Vector that can cost tens of thousands of dollars. “I wanted to build a tool I can get out there, along with software to show that this stuff isn’t terribly complicated.”


Heartbleed Bug

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users…

As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distributions, appliance vendors, and independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.
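To make concrete what “read the memory of the systems” means, here is an added toy model of the defect and its fix. This is my own illustration in Python, not OpenSSL’s code: the byte string standing in for process memory is constructed, and the two handler functions model only the one thing that went wrong, namely that the unpatched heartbeat code copied as many bytes as the peer’s length field claimed, without checking that many bytes had actually arrived. (The real length field is 16 bits, so a single request could pull back up to about 64 KB of whatever sat next to the payload.)

```python
"""Toy model of the Heartbleed defect and its fix.

Added illustration, not OpenSSL code.  MEMORY is a constructed stand-in for a
server process's heap; the secrets in it are fake.
"""
from typing import Optional

# Constructed "process memory": the 5-byte heartbeat payload the peer really
# sent, followed by neighbouring data the peer must never see.
MEMORY = (
    b"HELLO"                                # the payload that actually arrived
    + b"\x00" * 3                           # padding
    + b"-----BEGIN RSA PRIVATE KEY-----"    # fake key material next door
    + b"session=8f3a..."                    # fake session cookie
)
PAYLOAD_OFFSET = 0   # where the payload starts in MEMORY
PAYLOAD_LEN = 5      # how many payload bytes the peer really sent


def heartbeat_vulnerable(memory: bytes, offset: int, declared_len: int) -> bytes:
    """Unpatched behaviour: echo `declared_len` bytes starting at the payload.

    The only length consulted is the one the peer wrote into the request, so a
    declared length larger than the real payload reads straight past it.
    """
    return memory[offset:offset + declared_len]


def heartbeat_fixed(memory: bytes, offset: int, declared_len: int,
                    record_len: int) -> Optional[bytes]:
    """Patched behaviour: compare the claimed length with what actually arrived.

    `record_len` is the number of payload bytes really present in the record.
    If the peer claims more than that, the request is silently discarded (None),
    which is what the fixed OpenSSL does instead of replying.
    """
    if declared_len > record_len:
        return None
    return memory[offset:offset + declared_len]


def leaked_bytes(reply: bytes, actual_len: int) -> bytes:
    """Return the part of a reply that lies beyond the genuine payload."""
    return reply[actual_len:]


if __name__ == "__main__":
    honest = heartbeat_vulnerable(MEMORY, PAYLOAD_OFFSET, PAYLOAD_LEN)
    print("honest request, unpatched :", honest)
    over = heartbeat_vulnerable(MEMORY, PAYLOAD_OFFSET, 64)
    print("over-long request, unpatched leaks:", leaked_bytes(over, PAYLOAD_LEN))
    print("over-long request, patched :", heartbeat_fixed(MEMORY, PAYLOAD_OFFSET, 64, PAYLOAD_LEN))
```

The point for operators is in the last line of the model: the fix is a one-line length comparison, so once the patched library is installed the over-long request simply gets no reply. Nothing short of deploying that fixed version (and rotating the keys and credentials that may already have been read) closes the hole.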
