Although WannaCry infections have slowed, hackers are still using the publicly accessible NSA exploits to infect computers to mine cryptocurrency.
This report, from Zack Whittaker at TechCrunch, says there's really no end in sight to the unintended consequences of exploit hoarding. But at this point, the blame for the continued rampage no longer lies with the NSA or Microsoft. Stats from Shodan show more than 300,000 unpatched machines in the United States alone.
EternalBlue-based malware still runs rampant, but the focus has shifted from ransom to cryptocurrency. An unnamed company recently watched the NSA's exploit turn its computers into CPU ATMs.
Nobody knows that better than one major Fortune 500 multinational, which was hit by a massive WannaMine cryptocurrency mining infection just days ago.
“Our customer is a very large corporation with multiple offices around the world,” said Amit Serper, who heads the security research team at Boston-based Cybereason.
“Once their first machine was hit the malware propagated to more than 1,000 machines in a day,” he said, without naming the company.
Fun stuff. And all made possible by the US government. Sure, indirectly, but it's not like no one in the private sector ever expressed concerns about the agency's vulnerability hoarding and the possibility of exactly this sort of thing happening. The exploit the NSA thought was too good to give up was taken from it and handed over to the malware-crafting masses to inflict misery around the world. Enemies were made -- and not all of them were software and hardware developers.
There will never be a full accounting of the damage done. Yes, the NSA never thought its secret stash would go public, but that doesn't excuse its informal policy of never disclosing massive vulnerabilities until it's able to wring every last piece of intel from their deployment. And there's a chance this will happen again in the future if the agency isn't more proactive on the disclosure front. It was foolhardy to believe its tools would remain secret indefinitely. It's especially insane to believe this now.
So if you haven't noticed, the entire cryptocurrency mining thing has become a bit of an absurd stage play over the last few months. From gamers being unable to buy graphics cards thanks to miners hoping to cash in on soaring valuations, to hackers using malware to covertly infect websites with cryptocurrency miners that use visitors' CPU cycles without their knowledge or consent. As an additional layer of intrigue, some websites have also begun using such miners as an alternative to traditional advertising, though several have already done so without apparently deeming it necessary to inform visitors.
At the heart of a lot of this drama is cryptocurrency mining software company Coinhive, whose software is popping up in both malware-based and above-board efforts to cash in on the cryptocurrency mining craze. Coinhive specifically focuses on using site visitor CPU cycles to help mine Monero. The company's website insists that their product can help websites craft "an ad-free experience, in-game currency or whatever incentives you can come up with." The company says its project has already resulted in the mining of several million dollars worth of Monero (depending on what Monero's worth any given day).
The folks behind the company told Motherboard this week they were blindsided by the way their software has quickly been adopted by both non-transparent websites, and malware authors looking to make some additional money:
"We were quite overwhelmed by the extremely fast adoption,” a member of the Coinhive team told Motherboard in an email. “In hindsight, we were also quite naive in our assumptions on how the miner would be used. We thought most sites would use it openly, letting their users decide to run it for some goodies, as we did with our test implementation on pr0gramm.com before the launch. Which is not at all what happened in the first few days with Coinhive."
You developed a technology with the capability of covertly hijacking a user's CPU cycles to make additional money, sold it to an industry with longstanding problems with both transparency and self-defeating practices during an era where everything but the kitchen sink is hackable, and you're honestly surprised it's being abused? While it's obvious the malware itself isn't Coinhive's fault, this seems like either a notable lack of foresight, or a dash of disingenuous denial.
One team member attempted to downplay the scope of the problem, hoping nobody would notice the new reports this week indicating that over 4,000 UK and U.S. websites have been compromised by malware that embeds the Coinhive software:
"'Cryptojacking’ will probably be here to stay for a while. At least until the rising difficulty in the Monero network (and others) makes it impracticable or Browser vendors somehow block CPU heavy websites,” the Coinhive team member said. They caveated that reports of malicious Coinhive use “have slowed down tremendously, as ‘hackers’ realize there's not much to gain with our service."
Yes, not much to gain outside of, well, making money off of countless IT and server admins who don't realize this is even a threat yet in hundreds of countries around the world. It's worth noting that some in the security community have accused Coinhive of being complicit because they take a 30% cut of all of the cryptocurrency mining that occurs with their product, regardless of whether it's via malware implementations:
As such, there's little motivation on their end to thwart the trend of poorly implemented or downright hostile applications of the outfit's product, and it's not quite the kind of company on which a journalism-funding revolution should be built. One anonymous Coinhive developer half-jokingly told Motherboard the company was doing websites a service by forcing them to be more aware of sloppy code or outdated server configurations:
"Food for thought; and we only mean this half serious: embedded miners in compromised websites are usually detected way sooner than other malicious browser scripts. Website owners recognize the breach and are finally forced to update their shitty WordPress installations."
Again, poor, non-transparent implementation of Coinhive's product by legitimate websites isn't necessarily Coinhive's fault. Nor is malware authors embedding Coinhive into their own, more malicious work. But Coinhive's lack of foresight and casual response to some fairly major issues--as well as the fact it's taking a cut of malware implementations--would seemingly open the door to other, similar companies which may be eager to elbow in on Coinhive's success with a bit more foresight and a dash more professionalism.
As we've been discussing, the rise of stealth cryptocurrency miners embedded on websites has become a notable problem. In some instances, websites are being hacked and embedded with stealth cryptocurrency miners that quickly gobble up visitors' CPU cycles without their knowledge. That's what happened to Showtime recently when two different domains were found to be utilizing the Coinhive miner to hijack visitor browsers without users being informed. Recent reports indicate that thousands of government websites have also been hijacked and repurposed in this fashion via malware.
But numerous websites are also now exploring such miners voluntarily as an alternative revenue stream. One major problem, however: many aren't telling site visitors this is even happening. And since some implementations of such miners can hijack massive amounts of CPU processing power while drawing a not insubstantial amount of electricity, that's a problem.
The Pirate Bay for example was forced to stop using visitor CPUs and browsers to mine Monero last fall after Reddit users complained the miner was slowing down their PCs and eating up 80% of their CPU cycles. The website stated that it was simply exploring new revenue streams to keep the website afloat:
"As you may have noticed we are testing a Monero javascript miner. This is only a test. We really want to get rid of all the ads. But we also need enough money to keep the site running."
This week Salon joined the fun, informing users that they'd be happy to suppress advertisements if site visitors are willing to help mine cryptocurrency:
never seen this before: Salon now offers to "suppress ads" if you lease out your PC's "unused computing power" 🤔 pic.twitter.com/3oK78dPahN
Creative exploration of alternative revenue streams is obviously necessary, and there are numerous examples where site-driven cryptocurrency miners could be used to help bolster scientific research. Salon pretty clearly understands this decision is controversial, offering up an entire website explaining how making money from journalism is hard, and the company needed to explore some new, creative solutions in order to stay afloat:
"Salon is instructing your processor to run calculations. Think of it like borrowing your calculator for a few minutes to figure out the answer to math problems, then giving it back when you leave the site. We automatically detect your current processing usage and assign a portion of what you are not using to this process. Should you begin a process that requires more of your computer’s resources, we automatically reduce the amount we are using for calculations."
That said, security researchers have similarly warned that this is a very slippery slope, and for every website that's being transparent about the process and respectful of the possible impact on computer performance, there are countless others who quite obviously won't give much of a damn about either. These are, after all, the same websites that are now engaging in ham-fisted and annoying ad blocker blocking, frequently oblivious to how their own obnoxious ad decisions drove the rise of ad blockers in the first place.
As Malwarebytes researchers recently noted, there is no shortage of websites that are already pushing their luck on this front:
"The question at this point is: How far can publishers push the limits towards a really bad user experience? You may be surprised that for many, this is not really a problem at all and that double dipping is, in fact, a fairly common practice...publishers ought to be more transparent with their audience because no-one likes unannounced guests. Unfortunately, there will always be publishers that care very little about what kind of traffic they push, so long as it generates good revenues; for those, cryptominers are just an added income to their existing advertising portfolio."
If implemented with respect for the end user and transparency, such miners may not be a bad thing. But bad actors could very quickly create an environment where users feel they're being accosted by sites that don't respect either, resulting in another layer of cat-and-mouse gamesmanship between site publishers and readers. So while there's certainly potential here, escalating an already adversarial relationship in the adblocker era isn't likely to excite readers, forge community, or save journalism anytime soon.
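The injected-miner cases above (Showtime, the compromised government sites, The Pirate Bay's 80%-of-CPU miner) all share one shape: a script include of the miner library plus an inline constructor call, optionally with a throttle. As an added example, not code from the article or from Coinhive, Salon or any other company it mentions, here is a scanner a site owner can run over their own pages to find such an embed and estimate how much CPU it would take from visitors. The script hosts, the `CoinHive.*` constructor names and the meaning of the `throttle` option are assumptions based on Coinhive's publicly documented embed pattern, and the sample page is constructed.

```python
"""Defender-side scan of an HTML page for a Coinhive-style embedded miner.

Assumptions (not from the article): the script hosts, the CoinHive.* API
names and the meaning of the 'throttle' option follow Coinhive's publicly
documented embed pattern; the sample page below is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames that served the Coinhive miner library (assumption for this example).
MINER_SCRIPT_HOSTS = {"coinhive.com", "authedmine.com"}

# Constructor names used by the Coinhive embed; a match in inline JS is the signal.
MINER_CTOR = re.compile(r"\bCoinHive\.(Anonymous|User|Token)\s*\(")

# Optional {throttle: x} argument: the fraction of time miner threads sit idle,
# so throttle 0.2 means roughly 80% of a core per thread (assumed semantics).
THROTTLE = re.compile(r"\bthrottle\s*:\s*([0-9]*\.?[0-9]+)")


class _ScriptCollector(HTMLParser):
    """Collect <script src> URLs and inline <script> bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def find_miner_indicators(html):
    """Return a list of findings, each a dict with 'kind' and 'detail'.

    'external_script': a miner library include (detail = src URL).
    'inline_miner_call': a CoinHive.* constructor in inline JS; 'throttle'
    holds the parsed value, or None when absent (worst case for the visitor).
    """
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = (urlparse(src).hostname or "").lower()
        if host in MINER_SCRIPT_HOSTS:
            findings.append({"kind": "external_script", "detail": src})
    for body in parser.inline:
        ctor = MINER_CTOR.search(body)
        if ctor:
            m = THROTTLE.search(body)
            findings.append({
                "kind": "inline_miner_call",
                "detail": ctor.group(0),
                "throttle": float(m.group(1)) if m else None,
            })
    return findings


def estimated_cpu_share(throttle):
    """Per-thread CPU share implied by a throttle value (assumed semantics)."""
    if throttle is None:
        return 1.0
    return max(0.0, min(1.0, 1.0 - throttle))


# Constructed sample: one benign include plus a miner embed with throttle 0.2.
SAMPLE_PAGE = """<html><head><title>constructed sample</title>
<script src="/static/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('EXAMPLE-SITE-KEY', {throttle: 0.2});
  miner.start();
</script>
</head><body><p>page content</p></body></html>"""

CLEAN_PAGE = "<html><head><script src='/static/app.js'></script></head><body>ok</body></html>"

if __name__ == "__main__":
    for finding in find_miner_indicators(SAMPLE_PAGE):
        if finding["kind"] == "inline_miner_call":
            share = estimated_cpu_share(finding["throttle"])
            print(finding, f"~{share:.0%} of a core per thread")
        else:
            print(finding)
```

A miner that is disclosed and throttled (the Salon model) still shows up here; the point is that the owner sees it, which is exactly what the compromised sites above did not.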
Yesterday we wrote about coal company Murray Energy and its CEO, Bob Murray, actually following through and suing John Oliver -- something that Murray's lawyers had threatened to do when Oliver and his team had reached out to Murray for a piece Oliver was doing on coal. The result of being threatened was that Oliver spent nearly half of the 24 minute segment on Murray, carefully detailing some of Murray's history and positions. If you missed it, watch it again here:
Anyway, when we wrote about the case yesterday, we noted that we had to do it based solely on the reporting of the Daily Beast, as they broke the story and -- for reasons I still don't understand -- refused to post the actual complaint. However, now we've obtained the full complaint and can dig in on how incredibly silly it is. It appears to be a quintessential SLAPP lawsuit, where the entire point is not to bring a legitimate cause of action, but to chill free speech that criticizes Bob Murray. As Ken "Popehat" White notes, it's "lawsuit as theater" and "an unapologetic political screed" -- that is, apparently designed to rile people up, rather than to present a reasonable legal argument.
Let's dig in. It certainly starts out on a high note with the rhetoric:
On June 18, 2017, Defendants executed a meticulously planned attempt to assassinate the character and reputation of Mr. Robert E. Murray and his companies, including Murray Energy Corporation and those in West Virginia, on a world stage. They did so for their personal financial gain by knowingly broadcasting false, injurious, and defamatory comments to HBO's approximately 134 million paying subscribers, while also knowing that their malicious broadcast would be repeated to countless more individuals through various outlets (including other media owned by certain Defendants).
I've now watched the video four times and I fail to see anywhere that it goes after "those in West Virginia." Indeed, it's actually quite sympathetic to the plight of miners and former miners in the area who have run into problems or lost their jobs. The only people that it holds out as problematic... are the CEOs of various mining companies and the President of the United States. And even if Murray's reputation is mocked in the piece, as long as there aren't false statements of fact, presented with knowledge of their falsity or reckless disregard for the truth, it's all perfectly legal. Making Bob Murray look foolish or mean isn't illegal, as long as it's based on statements of opinion or those backed up with evidence.
But, Murray's lawyers appear to suggest that because Murray is in poor health, that somehow makes this entirely different. It's... an odd sympathy play in a lawsuit:
They did this to a man who needs a lung transplant, a man who does not expect to live to see the end of this case. They attacked him in a forum in which he had no opportunity to defend himself, and so he has brought this suit to try to set the record straight.
The health stuff is pure "theater" as Ken noted. The "no opportunity to defend" himself is weird, because I thought Republicans like Murray were completely 100% against a "fairness doctrine" that required equal time for political opponents (which is the right position to take). But, even beyond that, the idea that Murray had no choice but to file a lawsuit to defend himself or to set the record straight is laughable. As Oliver's report clearly showed, Murray is regularly on TV and could easily get a message onto the various TV news programs that have him on as a guest. And, either way (again) that's got absolutely nothing to do with defamation law and how it works.
The sob story continues:
Worse yet, Defendants employed techniques designed solely to harass and embarrass Plaintiffs, including Mr. Murray, a seventy-seven year old citizen in ill health and dependent on an oxygen tank for survival, who, despite the foregoing, continuously devotes his life, including by working seven days each week, to save the jobs and better the lives of the thousands of coal miners that he employs in West Virginia and elsewhere. Defendants childishly demeaned and disparaged Mr. Murray and his companies, made jokes about Mr. Murray's age, health, and appearance, made light of a tragic mining incident, broadcasted false statements, and incited television and internet viewers to do harm to Mr. Murray and his companies, all before a worldwide audience--including the thousands of people that work for and do business with Mr. Murray and his companies in West Virginia. In fact, medical doctors have informed Mr. Murray that he should stop working because the stress is shortening his life. Mr. Murray must, however, continue working because of all those individuals who rely on him. But nothing has ever stressed him more than this vicious and untruthful attack.
Bravo! Quite a performance there. This seems clearly targeted towards pulling at the heartstrings of folks in West Virginia, but, again seems to have little to nothing to do with the actual law. Again, Murray's health is not an issue here -- and if this has caused him more stress than anything else in his life ever, then Mr. Murray has led an incredibly low stress life. Is he really saying that a late night British comedian on a premium channel has caused him more stress than the time that one of his mines collapsed and killed a group of his employees? If so... that's... weird. Separately, making fun of someone's age, health or appearance (and I don't recall any actual jokes about his age or health...) is, again, not defamation. It's sort of protected by the First Amendment. The only thing that could be defamation is "false statements" and notice how the lawsuit seems to be playing up everything else, rather than that?
When you start to dig into the actual meat of the lawsuit... there's almost nothing there. It complains that Oliver's staff may have contacted Murray Energy under false pretenses, saying that they "were under the false impression that Defendants would use this supplied information to accurately and responsibly broadcast the facts and circumstances regarding the topics," but that, again, makes little difference to the question of defamation. Just because a news company doesn't present your version of the events exactly as you want it presented, doesn't make it defamation. Not by any stretch of the imagination.
The lawsuit does provide plenty of additional bits of information concerning the Crandall Canyon mine collapse and how Murray reacted to it. And all of that is perhaps interesting, but again, none of it requires Oliver to portray the story in the way that Murray Energy likes. And, again, if you go back and review the actual story that Oliver did, he does not contradict any of the factual claims laid out by Murray's lawyers. Rather, he highlights the stories of miners or families of miners who were impacted by the collapse and were not happy with how Murray responded. The crux of the argument on Murray's side is "but we tried real hard." And, great. But highlighting how others felt about the effort and actions is not defamation. It's presenting other viewpoints.
The only possible "factual" point where there could be some controversy is over whether or not the mine collapsed due to an earthquake, as Murray has insisted since the day of the collapse itself. Oliver pointed to the US government report on the incident put together by the Mine Safety and Health Administration (MSHA), a part of the US Department of Labor. That report concluded: "The August 6 catastrophic accident was the result of an inadequate mine design," and, on top of it: "MSHA found no evidence that a naturally occurring earthquake caused the collapse on August 6."
In the lawsuit, Murray's evidence that this is false seems to focus on semantics and making fun of the MSHA inspectors (you know they're making fun of them because it puts "experts" in quote marks):
The Federal Mine Safety and Health Administration's report regarding the collapse (the "MSHA Report") contained multiple concessions that a sudden change in stresses due to a "slip along a joint" or "joint slip in the overburden," which is very similar to the United States Geological Survey's definition of an "earthquake" (i.e., "both sudden slip on a fault, and the resulting ground shaking and radiated seismic energy caused by the slip"), "could have been a factor in triggering the collapse" and was one of the "likely candidates" for triggering the collapse, but MSHA and its "experts" chose not to analyze the seismic data of the triggering event and instead focused on the secondary collapse, which was a disservice to the lost miners, their families and the truth.
Studies have shown that the Mine collapse was a seismic event originating in the Joe's Valley Fault Zone. More specifically, these studies indicated that the triggering event for the seismic disturbance, which was not consistent with normal mining-induced seismicity resulting in the collapse, occurred on a subsidiary fault parallel to the Joe's Valley Fault. This is a more technical manner of stating that the collapse was caused by what many would characterize as an earthquake.
So that first paragraph is nonsense. It's not "actual malice" if you have clear evidence to back up your statements, and the official MSHA report sure seems like pretty good evidence to support that Oliver and his team believed what Oliver said was true. The fact that Murray doesn't like the MSHA "experts" doesn't magically make using their report "defamation." Second, notice that all of the talk about the earthquake comes with qualifying language: "very similar to... definition of an 'earthquake'", "what many would characterize as an earthquake." Even beyond the other stuff, this further undermines any defamation claim over the one sort of "fact" the lawsuit focuses on: if there's a dispute over whether or not what happened was truly an earthquake, then choosing a side in that dispute is not defamation. It's an opinion. That's protected.
Mr. Murray and his companies warned Defendants to cease and desist from a broadcast of defamatory comments or any misguided attempt at humor regarding the tragic mine collapse and loss of life, which Plaintiffs believed would be cruel and heartless.
So, uh, earlier in the complaint, Murray's lawyers argue that they believed that when Oliver and his team reached out they were ordinary journalists, claiming that they reached out "under the guise of responsible and ethical journalism." And, yet, here they admit that they knew that he's a comedian who regularly satirizes people and companies, thus they didn't want to see a humorous take on the situation. Also, there's no law against "misguided" humor (and, uh, many folks found the humor to be quite on target). Finally, there is nothing in defamation law about it being illegal for you to have "cruel and heartless" comedy. And, in actuality, Oliver's piece was neither cruel, nor heartless. Many would likely argue that it was incredibly sympathetic and empathetic to the plight of struggling coal miners, who are facing a radical transformation of their industry.
The complaint, once again, then hits on the idea that because Oliver's story didn't represent the collapse the way Bob Murray wanted it portrayed, that's defamation. That's... not how it works. It's not how any of this works.
In the ensuing broadcast, Defendants deliberately omitted the facts Plaintiffs provided regarding the Crandall Canyon Mine incident. There was no mention of the efforts Mr. Murray personally made to save the trapped miners. Defendant Oliver did not tell his audience that Mr. Murray arrived at the Crandall Canyon Mine in Utah within four hours of the collapse. Nor did Defendant Oliver say anything about the twenty-eight straight days Mr. Murray then spent on that mountain overseeing the massive rescue efforts, and administering to the families. Nor did he mention that Mr. Murray personally led the rescue efforts when rescue workers were injured and killed in a subsequent event ten days after the initial seismic event, in fact pulling rescue workers from the debris and attending to their injuries with his own hands and administering to them.
That's nice and all... but it's totally meaningless. Not reporting those things is not defamation. Murray has every right to then put out a statement, or go on TV, or get another reporter to tell these stories. But in a lawsuit? Just because the story is about Bob Murray doesn't mean that Bob Murray gets editorial control. That's not how it works, Bob.
Then it gets even more bizarre:
Instead, presumably to boost ratings, line their pockets with profits, and advance the show's anti-coal agenda, Defendant Oliver intentionally, falsely, and outrageously conveyed that Mr. Murray has no evidence to support his statements that an earthquake caused the tragedy that took the lives of Murray Energy miners during the course of their work for the organization.
Rather than fairly characterizing the evidence that he had in his possession on the subject, Defendant Oliver instead quoted an out-of-context snippet from a single report stating that there was "no evidence that a naturally occurring earthquake caused the collapse." Because Defendant Oliver omitted any mention of the other reports he was aware of that evidence that an earthquake caused the collapse, as Mr. Murray correctly stated following the collapse, Defendant Oliver's presentation intentionally and falsely implied that there is no such evidence.
Yeah. So, about that. The above just isn't true. Watch the video again. Oliver directly says that Murray relies on other evidence to support the earthquake claim ("to this day, Murray says the evidence proves that he was correct.") Then Oliver notes (correctly and accurately) that the government report says otherwise: "that was decidedly not the conclusion of the government's investigation." So, for Murray's lawyers to argue that Oliver ignored the evidence on the other side is... simply not accurate. Oliver notes that Murray points to evidence on his side, but he then points to the government's conclusions. Yes, Oliver makes it clear he believes the government's report, but, um, it's the US government. You're not going to win a defamation lawsuit by arguing that relying on the conclusions of a federal government investigation is defamation, just because you have "other evidence" that you claim disagrees with the government's evidence.
Worse still, as discussed, Defendant Oliver's Senior News Producer, Defendant Wilson, obtained from Plaintiffs detailed information evidencing an earthquake or earthquake-like event did trigger and cause the Crandall Canyon Mine collapse.
Note the immediate caveats of an "earthquake-like event." Again, this undermines the argument that saying a government report concluded it wasn't an earthquake is somehow defamation.
They also did this despite knowing that determinations of causation are vastly complex and can take years before a reliable conclusion can be reached.
So, uh, yeah. About that. This is true, but remember, part of the joke here, from Oliver, was that Murray declared definitively in a press conference the day of the collapse that it was clearly an earthquake that caused this and not the company itself. So, if Murray's own lawyers are now admitting that this is vastly complex and "can take years," it sort of reinforces the key point that Oliver was making, that Murray himself immediately jumped to the conclusion that it was an earthquake and not his fault, when that was not at all clearly known. This filing seems to do more to undermine Murray than Oliver.
Defendants also aired a clip of congressional testimony of a relative of a former employee of Murray Energy that appeared to be dissatisfied with Mr. Murray's handling of the Crandall Canyon Mine collapse, when upon information and belief the statements of that employee were not his own, but were instead scripted by adverse counsel in a lawsuit against Murray Energy and given to the employee to further the agenda of such counsel and their clients.
Right, so this is similar to the whole dismissing the MSHA report by calling its experts "experts." Oliver accurately reported what this relative said. Who wrote it is immaterial. If what that relative said was defamatory, then Murray could go after that relative. But there's no defamation in Oliver playing a clip of Congressional testimony. Again, that's not how it works.
There's a lot more in the lawsuit, which you can read below, but it pretty much all falls into the same issues as the parts described above. It's no surprise that, looking over the website of Murray's lawyers, they don't list defamation as a specialty, but tend to focus on personal injury. There's a lot of complaining and theatricality, but very little of substance, and nothing that I can see that comes anywhere close to defamation. And that makes this a pretty clear SLAPP suit, designed to chill the speech not just of Oliver and HBO, but of any other reporters looking to cover Bob Murray and Murray Energy. This is the nature of chilling effects created by SLAPP suits. They try to punish people for actually speaking out and sharing their opinion while scaring off others from doing the same.
Once again: this is an example of why we need much stronger anti-SLAPP laws at the state and federal level. Laws that require plaintiffs to pay up for filing bogus SLAPP suits, as a deterrent. And, again, one hopes that now that he's facing such a lawsuit (which, as I've said from personal experience is no fun at all, no matter how sure you are that you're in the right), John Oliver will become as outspoken in favor of anti-SLAPP laws as he's been about other important issues.
Things that we use every day, like cell phones, computers, and other consumer electronics, actually contain a wide variety of valuable metals, such as europium, dysprosium, neodymium, terbium, and yttrium. When these electronics reach the end of their useful life, these metals are often lost to landfills if they're not properly recycled. Rather than let these useful materials go to waste, the U.S. Department of Energy is now working to recover rare earth elements from used consumer products, using methods employed in nuclear fuel reprocessing. Here are some other examples of ways to get at valuable metals.
Some folks are worried about Peak Oil. Others are worried about "Peak Helium" when most of the Earth's resources of the lightweight element have vanished into space. There are also all kinds of metals that are getting harder and harder to find. Where will we be able to replenish precious, finite materials? Duh, just go get some from other celestial bodies. You only need to be a billionaire with a few other billionaire friends to start this project. Estimated time for completion: 10 years in the future.
We've seen stories over the years about how applications like Microsoft's Flight Simulator not only are attracting a new generation of pilots to take up flying, but are getting them started with many more skills than those who haven't used Flight Simulator. It appears other industries may be taking notice. Apparently the industrial heavy equipment maker Caterpillar is pushing simulators of its earth movers, excavators and dump trucks as a way to better train miners to use that equipment. Using simulators to train people is nothing new, obviously -- but what's interesting is the undercurrent to the promotion, noting that there just aren't enough skilled operators of the equipment these days. However, by making it more fun via the simulators, perhaps they can attract more people to become skilled operators. The article notes how much fun a bunch of "hardened miners" were having playing with the simulators at a mining convention, to the point that they were "giggling like children." So perhaps we'll start seeing more "fun" simulations of other jobs that are having trouble attracting skilled practitioners.