Paywalls are justified, even though they are annoying. It costs money to produce good writing, to run a website, to license photographs. A lot of money, if you want quality. Asking people for a fee to access content is therefore very reasonable. You don’t expect to get a print subscription to the newspaper gratis, why would a website be different? I try not to grumble about having to pay for online content, because I run a magazine and I know how difficult it is to pay writers what they deserve.

Source: Current Affairs

I’d rather say “Proper news is paywalled while opinions are free”. News requires analysis and research. Both are expensive, so since opinions are free and everyone has one, it’s quite easy to spread that opinion and claim it’s news.

Two studies investigated how people react to research describing a sex difference, depending on whether that difference favours males or females, and how accurately people can predict how the average man and woman will react. In Study 1, Western participants viewed a fictional popular‐science article describing either a male‐favouring or a female‐favouring sex difference (i.e., men/women draw better; women/men lie more). Both sexes reacted less positively to the male‐favouring differences, judging the findings to be less important, less credible, and more offensive, harmful, and upsetting. Participants predicted that the average man and woman would react more positively to sex differences favouring their own sex. This was true of the average woman, although the level of own‐sex favouritism was lower than participants predicted. It was not true, however, of the average man, who – like the average woman – reacted more positively to the female‐favouring differences. Study 2 replicated these findings in a Southeast Asian sample. Our results are consistent with the idea that both sexes are more protective of women than men, but that both exaggerate the level of same‐sex favouritism within each sex – a misconception that could potentially harm relations between the sexes.

Source: British Journal of Psychology

It’s not the cliché of the bad guy, but that of the good woman.

San Diego Comic-Con—like just about every large conference, convention, and gathering in 2020—has had to switch to an online-only, virtual format this year due to the continuing pandemic. Media companies that usually have a large presence at events like SDCC worked hard to create streaming alternative content—but it seems they forgot to tell their copyright bots.

ViacomCBS kicked things off today with an hour-long panel showing off its current slew of current and upcoming Star Trek projects: Discovery, Picard, Lower Decks, and Strange New Worlds.

The panel included the cast and producers of Discovery doing a read-through of the first act of the season 2 finale, “Such Sweet Sorrow, Part 2.” The “enhanced” read-through included sound effects, effects shots, and storyboard images meant to bolster the actors as they delivered lines from their living rooms and home offices.

Even if the presentation didn’t look like a real episode of Discovery to the home viewer, it apparently sounded close enough: after the Star Trek Universe virtual panel began viewers began to lose access to the stream. In place of the video, YouTube displayed a content ID warning reading: “Video unavailable: This video contains content from CBS CID, who has blocked it on copyright grounds.”

Source: arstechnica

A compelling case of suicide among bots.

Users on the Facebook-owned Instagram in the United States whose activity on the app suggested they were Black were about 50 percent more likely under the new rules to have their accounts automatically disabled by the moderation system than those whose activity indicated they were white

Source: NBC News

Hong Kong-based VPN provider UFO VPN exposed a database of user logs and API access records on the web without a password or any other authentication required to access it. The exposed information includes plain text passwords and information that could be used to identify VPN users and track their online activity.

Bob Diachenko, who leads Comparitech’s security research team, uncovered the exposure, which affects both free and paid users of UFO VPN. He immediately alerted the company upon discovering the exposed data on July 1, 2020.

Source: Comparitech

“Use a VPN!”, they said, “It’s secure and anonymous and there are no logs ever.”

What if I told you that all this VPN stuff is actually crap you should not trust? Oh wait, I did!

Hundreds of unsecured databases exposed on the public web are the target of an automated ‘meow’ attack that destroys data without any explanation.

The activity started recently by hitting Elasticsearch and MongoDB instances without leaving any explanation, or even a ransom note. Attacks then expanded to other database types and to file systems open on the web.

A quick search by BleepingComputer on the IoT search engine Shodan initially found dozens of databases that have been affected by this attack. Recently, the number of wiped databases increased to over 1,800.

Source: Bleeping Computer

First of all, overwriting exposed databases is better than selling that data to scammers and spammers. Second, destroying data which may harm those whose data has been (maybe illegally) collected (or at least without their knowledge or consent) is also a good thing. But what about destroying data in order to hide evidence? I’m not sure what to think about these meow attacks.

However, putting unsecured databases on the web is always bad practice. Don’t do that. Never. If you need data to be publicly available, properly secure the database and create an API to securely access and/or manage that data. It’s not that hard.

Absolutely insane!

Hours-long waits, problems with new voting machines and a lack of available ballots plagued voters in majority minority counties in Georgia on Tuesday — conditions the secretary of state called “unacceptable” and vowed to investigate.

Democrats and election watchers said voting issues in a state that has been plagued for years by similar problems, along with allegations of racial bias, didn’t bode well for the November presidential election, when Georgia could be in play.

“This seems to be happening throughout Atlanta and perhaps throughout the county. People have been in line since before 7:00 am this morning,” Atlanta Mayor Keisha Lance Bottoms, a Democrat, tweeted shortly after polls were supposed to open — and in some cases still hadn’t.

Source: NBC News

So, basically the color of your skin defines if you’re allowed to vote. Un-fucking-believable!

The demand to reform police departments is causing some local governments to look at new regulations and laws. In San Francisco, the board of supervisors is considering a resolution introduced last week that would urge the civil service commission there to prohibit hiring officers with a history of serious misconduct. San Francisco Supervisor Shamann Walton joins Hari Sreenivasan to discuss.

Source: PBS

So, you’re telling me that was not already the case? What the fuck is going on there!?

A critical vulnerability in the Saltstack configuration management software that was discovered in March by the F-Secure company was recently used for widespread attacks. Among the affected hosts was one of the Certificate Transparency logs operated by DigiCert.

The attackers had access to the private key of the CT2 log. According to DigiCert, other logs operated by the company were not affected.

The Google Chrome browser requires two so-called signed certificate timestamps (SCTs) for every valid TLS certificate. These SCTs have to come from different logs. Therefore, in a case like this in which one log is compromised, there is always a second SCT that is unaffected.

Devon O’Brien explained Google’s response to this incident. Certificates can have SCTs embedded or they can be delivered via TLS extensions or OCSP. For cases in which the SCTs from the compromised CT2 log are embedded, Chrome will continue to accept the certificates with SCTs from this log if they were issued before the incident. However, certificates that deliver their SCTs via TLS extensions or OCSP need to get a new SCT from a different log if they relied on the compromised log.

Source: Feisty Duck

DigiCert acquired Symantec’s scroungy PKI business in 2017. See here for details. I still cannot believe Symantec found some dumbass to buy their shit. Un-fucking-believable!
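
The SCT handling described in the Feisty Duck excerpt above, modelled as a small check. This is an added example, not code from Chrome, DigiCert or the quoted article. The incident time and the second log name `LogB` are constructed placeholders, and the rule is simplified to what the excerpt states.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed placeholder: the page does not give the incident time.
COMPROMISED_LOGS = {"CT2": utc(2020, 1, 1)}  # log name -> time of compromise

@dataclass(frozen=True)
class SCT:
    log: str             # log that signed the timestamp
    timestamp: datetime  # issuance time recorded in the SCT
    delivery: str        # "embedded", "tls_extension" or "ocsp"

def sct_counts(sct, compromised=COMPROMISED_LOGS):
    """True if this SCT may still count toward the two-log requirement."""
    cutoff = compromised.get(sct.log)
    if cutoff is None:
        return True  # log not affected
    # From the compromised log, only embedded SCTs issued before the
    # incident are still accepted.
    return sct.delivery == "embedded" and sct.timestamp < cutoff

def evaluate(scts, compromised=COMPROMISED_LOGS):
    """Return (compliant, logs whose SCTs were rejected)."""
    good_logs = {s.log for s in scts if sct_counts(s, compromised)}
    rejected = sorted({s.log for s in scts if not sct_counts(s, compromised)})
    return len(good_logs) >= 2, rejected

# Constructed samples; "LogB" is a hypothetical second, unaffected log.
EMBEDDED_OLD = [SCT("CT2", utc(2019, 6, 1), "embedded"),
                SCT("LogB", utc(2019, 6, 1), "embedded")]
VIA_TLS = [SCT("CT2", utc(2019, 6, 1), "tls_extension"),
           SCT("LogB", utc(2019, 6, 1), "tls_extension")]

if __name__ == "__main__":
    print(evaluate(EMBEDDED_OLD))  # embedded, pre-incident: still compliant
    print(evaluate(VIA_TLS))       # needs a new SCT from a different log
```

A site operator can run the same logic over the SCTs its servers actually deliver to see which certificates depend on the affected log.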
