Friday, October 4, 2024

Meta fined for storing user passwords with no encryption

Holy cow, I've been in this industry for decades and can't remember a time when everyone knew that you encrypted the damn passwords*:

Officials in Ireland have fined Meta $101 million for storing hundreds of millions of user passwords in plaintext and making them broadly available to company employees.

Meta disclosed the lapse in early 2019. The company said that apps for connecting to various Meta-owned social networks had logged user passwords in plaintext and stored them in a database that had been searched by roughly 2,000 company engineers, who collectively queried the stash more than 9 million times.

This is such a rookie mistake that it makes you wonder what those 9 million queries were looking for.  Meta has such a horrible reputation for abusing its users' privacy that the suspicion is that this was just one more wring on that rag.  That's only a suspicion, but Meta has certainly earned that suspicion over the years.

* Yeah, yeah I know - one-way hash.  I try not to use too much tech jargon.

Thursday, October 3, 2024

KIA cars can be hacked with a smartphone

I hope you don't drive a KIA.  This is actually a failure of post-manufacturing security processes, not that it makes things any better:

Sam Curry, who previously demonstrated remote takeover vulnerabilities in a range of brands – from Toyota to Rolls Royce – found this vulnerability in vehicles as old as model year 2014. The mess means the cars can be geolocated, turned on or off, locked or unlocked, have their horns honked and lights activated, and even have their cameras accessed – all remotely.

...

The issue originated in one of the Kia web portals used by dealerships. Long story short and a hefty bit of API abuse later, Curry and his band of far-more-capable Kia Boyz managed to register a fake dealer account to get a valid access token, which they were then able to use to call any backend dealer API command they wanted.

"From the victim's side, there was no notification that their vehicle had been accessed nor their access permissions modified," Curry noted in his writeup. "An attacker could resolve someone's license plate, enter their VIN through the API, then track them passively and send active commands like unlock, start, or honk."

Security wags have long called this sort of architecture "broken by design" - it was intentionally set up to allow privileged access via a poorly authenticated system that has to scale through a big organization.  I don't have much confidence that KIA can fix this, or that they will likely want to.

And oh yeah - there's a smartphone app to help the Bad Guys.

All I can say is that 1968 Goat isn't vulnerable to this attack, and will never be.


Wednesday, October 2, 2024

Satellites are revolutionizing Mayan archaeology

I'm starting to tread on The Silicon Graybeard's turf, but this is really cool:

Satellites are helping scientists spot more ancient Mayan ruins than ever before, which is no small feat considering how thick the forest is in the indigenous group's ancestral lands.

"Archeologists have mapped more Mayan sites, buildings and features in the past 10 years than we had in the past — preceding — 150 years," Brett Houk, an archaeology professor at Texas Tech University, told attendees at a NASA-led space archaeology conference Sept. 18 to which Space.com received an exclusive invite.

Archaeologists are finding these ruins faster due to better satellite technology. Using a pulsed laser technique called lidar, or light detection and ranging, satellites can peer through the dense canopy surrounding typical Mayan sites, Houk explained at the two-day livestreamed NASA and Archaeology From Space symposium.

I found the arguments in Charles Mann's 1491 to be pretty convincing that American populations were much larger than previously thought prior to Columbus' voyage.  This seems to be evidence in favor of that thesis.

Other places this technique should be easily applicable are the Amazon basin (which Mann claims hosted a very large population) and likely Cambodia/Angkor Wat.


Tuesday, October 1, 2024

An appeal for baby Ty

A young couple near where we live both work at Lowe's.  Their baby was born in August, but has had some serious health problems and been hospitalized for weeks.  The family has posted a GoFundMe to raise money for the insurance deductible.  I know that things are tight for lots of folks, and people in the mountains are hurting from the hurricane, but they're a young couple just starting out - not making a lot of money - and their baby is really, really ill.

Help baby Ty.