How Researchers Cracked an 11-Year-Old Password to a $3 Million Crypto Wallet

Two years ago when “Michael,” an owner of cryptocurrency, contacted Joe Grand to help recover access to about $2 million worth of bitcoin he stored in encrypted format on his computer, Grand turned him down.

Michael, who is based in Europe and asked to remain anonymous, stored the cryptocurrency in a password-protected digital wallet. He generated a password using the RoboForm password manager and stored that password in a file encrypted with a tool called TrueCrypt. At some point, that file got corrupted and Michael lost access to the 20-character password he had generated to secure his 43.6 BTC (worth a total of about €4,000, or $5,300, in 2013). Michael used the RoboForm password manager to generate the password but did not store it in his manager. He worried that someone would hack his computer and obtain the password.

“At [that] time, I was really paranoid with my security,” he laughs.

Grand is a famed hardware hacker who in 2022 helped another crypto wallet owner recover access to $2 million in cryptocurrency he thought he’d lost forever after forgetting the PIN to his Trezor wallet. Since then, dozens of people have contacted Grand to help them recover their treasure. But Grand, known by the hacker handle “Kingpin,” turns down most of them, for various reasons.

Grand is an electrical engineer who began hacking computing hardware at age 10 and in 2008 cohosted the Discovery Channel’s Prototype This show. He now consults with companies that build complex digital systems to help them understand how hardware hackers like him might subvert their systems. He cracked the Trezor wallet in 2022 using complex hardware techniques that forced the USB-style wallet to reveal its password.

But Michael stored his cryptocurrency in a software-based wallet, which meant none of Grand’s hardware skills were relevant this time. He considered brute-forcing Michael’s password—writing a script to automatically guess millions of possible passwords to find the correct one—but determined this wasn’t feasible. He briefly considered that the RoboForm password manager Michael used to generate his password might have a flaw in the way it generated passwords, which would allow him to guess the password more easily. Grand, however, doubted such a flaw existed.

Michael contacted multiple people who specialize in cracking cryptography; they all told him “there’s no chance” of retrieving his money. But last June he approached Grand again, hoping to convince him to help, and this time Grand agreed to give it a try, working with a friend named Bruno in Germany who also hacks digital wallets.

Grand and Bruno spent months reverse engineering the version of the RoboForm program that they thought Michael had used in 2013 and found that the pseudo-random number generator used to generate passwords in that version—and subsequent versions until 2015—did indeed have a significant flaw that made the random number generator not so random. The RoboForm program unwisely tied the random passwords it generated to the date and time on the user’s computer—it determined the computer’s date and time, and then generated passwords that were predictable. If you knew the date and time and other parameters, you could compute any password that would have been generated on a certain date and time in the past.

If Michael knew the day or general time frame in 2013 when he generated it, as well as the parameters he used to generate the password (for example, the number of characters in the password, including lower- and upper-case letters, figures, and special characters), this would narrow the possible password guesses to a manageable number. Then they could hijack the RoboForm function responsible for checking the date and time on a computer and get it to travel back in time, believing the current date was a day in the 2013 time frame when Michael generated his password. RoboForm would then spit out the same passwords it generated on the days in 2013.

There was one problem: Michael couldn’t remember when he created the password.

According to the log on his software wallet, Michael moved bitcoin into his wallet for the first time on April 14, 2013. But he couldn’t remember if he generated the password the same day or some time before or after this. So, looking at the parameters of other passwords he generated using RoboForm, Grand and Bruno configured RoboForm to generate 20-character passwords with upper- and lower-case letters, numbers, and eight special characters from March 1 to April 20, 2013.

It failed to generate the right password. So Grand and Bruno lengthened the time frame from April 20 to June 1, 2013, using the same parameters. Still no luck.

Michael says they kept coming back to him, asking if he was sure about the parameters he’d used. He stuck to his first answer.

“They really annoyed me, because who knows what I did 10 years ago,” he recalls. He found other passwords he generated with RoboForm in 2013, and two of them did not use special characters, so Grand and Bruno adjusted. Last November, they reached out to Michael to set up a meeting in person. “I thought, ‘Oh my God, they will ask me again for the settings.’”

Instead, they revealed that they had finally found the correct password—no special characters. It was generated on May 15, 2013, at 4:10:40 pm GMT.

“We ultimately got lucky that our parameters and time range were right. If either of those were wrong, we would have … continued to take guesses/shots in the dark,” Grand says in an email to WIRED. “It would have taken significantly longer to precompute all the possible passwords.”
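As an added illustration of the flaw described above (a toy stand-in, not RoboForm's actual code), the following shows why a clock-seeded generator is weak: the nominal 62^20 keyspace of a 20-character password collapses to one candidate per second in the suspected window, so replaying the generator over that window with the right parameters recovers it, while a generator drawing from the OS CSPRNG has no seed to replay. The length, the date range and the 16:10:40 GMT timestamp come from the article; the eight special characters are a constructed guess.

```python
import random
import secrets
import string
from datetime import datetime, timedelta, timezone

# Character sets for the two parameter guesses the article describes: letters,
# digits and eight specials first, then letters and digits only. The specific
# special characters are constructed here; the article does not list them.
ALPHABET_SPECIAL = string.ascii_letters + string.digits + "!@#$%^&*"
ALPHABET_PLAIN = string.ascii_letters + string.digits

# Generation time reported in the article (May 15, 2013, 4:10:40 pm GMT).
GENERATED_AT = datetime(2013, 5, 15, 16, 10, 40, tzinfo=timezone.utc)


def weak_generate(seed_ts: int, length: int, alphabet: str) -> str:
    """Hypothetical time-seeded generator. Seeding a deterministic PRNG with
    the wall-clock second makes the output a pure function of
    (timestamp, length, alphabet), so anyone who can guess those can replay it."""
    rng = random.Random(seed_ts)
    return "".join(rng.choice(alphabet) for _ in range(length))


def strong_generate(length: int, alphabet: str) -> str:
    """Hardened form: each character comes from the OS CSPRNG; there is no seed
    to rediscover and two calls never share state."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def nominal_keyspace(length: int, alphabet: str) -> int:
    """What the password appears to offer: alphabet size ** length."""
    return len(alphabet) ** length


def effective_keyspace(start: datetime, end: datetime) -> int:
    """What a clock-seeded generator actually offers: one candidate per second
    in the window during which the password could have been generated."""
    return int((end - start).total_seconds()) + 1


def recover_generation_time(target: str, start: datetime, end: datetime,
                            length: int, alphabet: str):
    """Replay the weak generator for every second in [start, end] with the
    guessed parameters. Returns the matching timestamp, or None when either the
    window or the parameters (length, alphabet) are wrong, which is exactly the
    failure mode the article describes for the first two attempts."""
    first, last = int(start.timestamp()), int(end.timestamp())
    for ts in range(first, last + 1):
        if weak_generate(ts, length, alphabet) == target:
            return datetime.fromtimestamp(ts, tz=timezone.utc)
    return None


def demo() -> dict:
    """Reproduce the search on a narrow window around the known timestamp."""
    target = weak_generate(int(GENERATED_AT.timestamp()), 20, ALPHABET_PLAIN)
    start, end = GENERATED_AT - timedelta(minutes=10), GENERATED_AT + timedelta(minutes=10)
    utc = timezone.utc
    return {
        # Wrong parameter guess (specials enabled): no second in the window matches.
        "wrong_alphabet": recover_generation_time(target, start, end, 20, ALPHABET_SPECIAL),
        # Right parameters: the generation second is recovered.
        "right_alphabet": recover_generation_time(target, start, end, 20, ALPHABET_PLAIN),
        "nominal": nominal_keyspace(20, ALPHABET_PLAIN),
        # The article's first window, March 1 to April 20, 2013: 50 days of seconds.
        "effective_first_window": effective_keyspace(datetime(2013, 3, 1, tzinfo=utc),
                                                     datetime(2013, 4, 20, tzinfo=utc)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("csprng sample:", strong_generate(20, ALPHABET_PLAIN))
```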

Grand and Bruno created a video to explain the technical details more thoroughly.

[…]

Source: How Researchers Cracked an 11-Year-Old Password to a $3 Million Crypto Wallet | WIRED

“Deny, denounce, delay”: ultra-processed food companies fight back using big-tobacco-style tactics

When the Brazilian nutritional scientist Carlos Monteiro coined the term “ultra-processed foods” 15 years ago, he established what he calls a “new paradigm” for assessing the impact of diet on health.

Monteiro had noticed that although Brazilian households were spending less on sugar and oil, obesity rates were going up. The paradox could be explained by increased consumption of food that had undergone high levels of processing, such as the addition of preservatives and flavorings or the removal or addition of nutrients.

But health authorities and food companies resisted the link, Monteiro tells the FT. “[These are] people who spent their whole life thinking that the only link between diet and health is the nutrient content of foods … Food is more than nutrients.”

Monteiro’s food classification system, “Nova,” assessed not only the nutritional content of foods but also the processes they undergo before reaching our plates. The system laid the groundwork for two decades of scientific research linking the consumption of UPFs to obesity, cancer, and diabetes.

Studies of UPFs show that these processes create food—from snack bars to breakfast cereals to ready meals—that encourages overeating but may leave the eater undernourished. A recipe might, for example, contain a level of carbohydrate and fat that triggers the brain’s reward system, meaning you have to consume more to sustain the pleasure of eating it.

In 2019, American metabolic scientist Kevin Hall carried out a randomized study comparing people who ate an unprocessed diet with those who followed a UPF diet over two weeks. Hall found that the subjects who ate the ultra-processed diet consumed around 500 more calories per day, more fat and carbohydrates, less protein—and gained weight.

The rising concern about the health impact of UPFs has recast the debate around food and public health, giving rise to books, policy campaigns, and academic papers. It also presents the most concrete challenge yet to the business model of the food industry, for whom UPFs are extremely profitable.

The industry has responded with a ferocious campaign against regulation. In part it has used the same lobbying playbook as its fight against labeling and taxation of “junk food” high in calories: big spending to influence policymakers.

FT analysis of US lobbying data from non-profit Open Secrets found that food and soft drinks-related companies spent $106 million on lobbying in 2023, almost twice as much as the tobacco and alcohol industries combined. Last year’s spend was 21 percent higher than in 2020, with the increase driven largely by lobbying relating to food processing as well as sugar.

In an echo of tactics employed by cigarette companies, the food industry has also attempted to stave off regulation by casting doubt on the research of scientists like Monteiro.

“The strategy I see the food industry using is deny, denounce, and delay,” says Barry Smith, director of the Institute of Philosophy at the University of London and a consultant for companies on the multisensory experience of food and drink.

So far the strategy has proved successful. Just a handful of countries, including Belgium, Israel, and Brazil, currently refer to UPFs in their dietary guidelines. But as the weight of evidence about UPFs grows, public health experts say the only question now is how, if at all, it is translated into regulation.

“There’s scientific agreement on the science,” says Jean Adams, professor of dietary public health at the MRC Epidemiology Unit at the University of Cambridge. “It’s how to interpret that to make a policy that people aren’t sure of.”

[…]

Source: “Deny, denounce, delay”: The battle over the risk of ultra-processed foods | Ars Technica

2.8M US folks’ personal info swiped in Sav-Rx IT heist – 8 months ago

Sav-Rx has started notifying about 2.8 million people that their personal information was likely stolen during an IT intrusion that happened more than seven months ago.

The biz provides prescription drug management services to more than 10 million US workers and their families, via their employers or unions. It first spotted the network “interruption” on October 8 last year and notes the break-in likely occurred five days earlier, according to a FAQ page about the incident posted on the Sav-Rx website.

Sav-Rx says it restored the IT systems to normal the following business day, and says all prescriptions were shipped on time and without delay. It also notified the police and called in some experts for a deeper dive into the logs.

An “extensive review” completed by a third-party security team on April 30 confirmed “some of the data accessed or acquired by the unauthorized third party may have contained personal information.”

The security breach affected 2,812,336 people, according to an incident notification filed with the Maine attorney general by A&A Services, doing business as Sav-Rx. Potentially stolen details include patients’ names, dates of birth, social security numbers, email addresses, mailing addresses, phone numbers, eligibility data, and insurance identification numbers.

“Please note that other than these data elements, the threat actor did not have access to clinical or financial information,” the notice reads.

While there’s no indication that the crooks have “made any use of your data as a result of this security incident,” Sav-Rx is providing everyone with two years of free credit and identity monitoring, as seems to be standard practice.

There’s also an oddly worded line about what happened that notes, “in conjunction with third-party experts, we have confirmed that any data acquired from our IT system was destroyed and not further disseminated.”

The Register contacted Sav-Rx with several questions about the network breach — including how it confirmed the data was destroyed and if the crooks demanded a payment — and did not receive a response. We will update this story when we hear back. It seems like some form of ransomware or extortion.

Either anticipating, or already receiving, inquiries about the lag between discovering the intrusion and notifying affected parties, the FAQ also includes a “Why wasn’t I contacted sooner?” question.

“Our initial priority was restoring systems to minimize any interruption to patient care,” it answers.

And then, after securing the IT systems and hiring the incident response team, Sav-Rx launched an investigation to determine who had been affected, and what specific personal information had been stolen for each of them.

Then, it sounds like there was some back-and-forth between healthcare bodies and Sav-Rx as to who would notify people that their data had been stolen. Here’s what the company says to that point:

We prioritized this technological investigation to be able to provide affected individuals with as much accurate information as possible. We received the results of that investigation on April 30, 2024, and promptly sent notifications to our health plan customers whose participant data was affected within 48 hours.

We offered to provide affected individuals notification, and once we confirmed that their respective health plans wanted us to provide notice to their participants, we worked expediently to mail notices to the affected individuals.

It’s unclear if this will be enough to satisfy affected customers. But in a statement to reporters, Roger Grimes, of infosec house KnowBe4, said the short answer is probably not.

“I don’t think the eight months it took Sav-Rx to notify impacted customers of the breach is going to fly with anyone, least of all their customers,” Grimes said.

“Today, you’ve got most companies notifying impacted customers in days to a few weeks,” he added. “Eight months? Whoever decided on that decision is likely to come under some heat and have explaining to do.”

Sav-Rx claims to have implemented a “number of detailed and immediate mitigation measures” to improve its security after the digital break-in. This includes “enhancing” its always-on security operations center, and adding new firewalls, antivirus software, and multi-factor authentication.

The organization also says it has since implemented a patching cycle and network segmentation and taken other measures to harden its systems. Hopefully it can also speed up its response times if it happens again.

Source: 2.8M US folks’ personal info swiped in Sav-Rx IT heist • The Register

Google’s technical info about search ranking leaks online

A trove of documents that appear to describe how Google ranks search results has appeared online, likely as the result of accidental publication by an in-house bot.

The leaked documentation describes an old version of Google’s Content Warehouse API and provides a glimpse of Google Search’s inner workings.

The material appears to have been inadvertently committed to a publicly accessible Google-owned repository on GitHub around March 13 by the web giant’s own automated tooling. That automation tacked an Apache 2.0 open source license on the commit, as is standard for Google’s public documentation. A follow-up commit on May 7 attempted to undo the leak.

The material was nonetheless spotted by Erfan Azimi, CEO of search engine optimization (SEO) biz EA Digital Eagle, and was then disclosed on Sunday by fellow SEO operatives Rand Fishkin, CEO of SparkToro, and Michael King, CEO of iPullRank.

These documents do not contain code or the like, and instead describe how to use Google’s Content Warehouse API that’s likely intended for internal use only; the leaked documentation includes numerous references to internal systems and projects. While there is a similarly named Google Cloud API that’s already public, what ended up on GitHub goes well beyond that, it seems.

The files are noteworthy for what they reveal about the things Google considers important when ranking web pages for relevancy, a matter of enduring interest to anyone involved in the SEO business and/or anyone operating a website and hoping Google will help it to win traffic.

Among the 2,500-plus pages of documentation, assembled for easy perusal here, there are details on more than 14,000 attributes accessible or associated with the API, though scant information about whether all these signals are used and their importance. It is therefore hard to discern the weight Google applies to the attributes in its search result ranking algorithm.

But SEO consultants believe the documents contain noteworthy details because they differ from public statements made by Google representatives.

“Many of [Azimi’s] claims [in an email describing the leak] directly contradict public statements made by Googlers over the years, in particular the company’s repeated denial that click-centric user signals are employed, denial that subdomains are considered separately in rankings, denials of a sandbox for newer websites, denials that a domain’s age is collected or considered, and more,” explained SparkToro’s Fishkin in a report.

iPullRank’s King, in his post on the documents, pointed to a statement made by Google search advocate John Mueller, who said in a video that “we don’t have anything like a website authority score” – a measure of whether Google considers a site authoritative and therefore worthy of higher rankings for search results.

But King notes that the docs reveal that as part of the Compressed Quality Signals Google stores for documents, a “siteAuthority” score can be calculated.

Several other revelations are cited in the two posts.

One is how important clicks – and different types of clicks (good, bad, long, etc.) – are in determining how a webpage ranks. Google during the US v. Google antitrust trial acknowledged [PDF] that it considers click metrics as a ranking factor in web search.

Another is that Google uses websites viewed in Chrome as a quality signal, seen in the API as the parameter ChromeInTotal. “One of the modules related to page quality scores features a site-level measure of views from Chrome,” according to King.

Additionally, the documents indicate that Google considers other factors like content freshness, authorship, whether a page is related to a site’s central focus, alignment between page title and content, and “the average weighted font size of a term in the doc body.”

Source: Google’s technical info about search ranking leaks online • The Register

Lawyers To Plastic Makers: Prepare For ‘Astronomical’ PFAS Lawsuits

An anonymous reader quotes a report from the New York Times: The defense lawyer minced no words as he addressed a room full of plastic-industry executives. Prepare for a wave of lawsuits with potentially “astronomical” costs. Speaking at a conference earlier this year, the lawyer, Brian Gross, said the coming litigation could “dwarf anything related to asbestos,” one of the most sprawling corporate-liability battles in United States history. Mr. Gross was referring to PFAS, the “forever chemicals” that have emerged as one of the major pollution issues of our time. Used for decades in countless everyday objects — cosmetics, takeout containers, frying pans — PFAS have been linked to serious health risks including cancer. Last month the federal government said several types of PFAS must be removed from the drinking water of hundreds of millions of Americans. “Do what you can, while you can, before you get sued,” Mr. Gross said at the February session, according to a recording of the event made by a participant and examined by The New York Times. “Review any marketing materials or other communications that you’ve had with your customers, with your suppliers, see whether there’s anything in those documents that’s problematic to your defense,” he said. “Weed out people and find the right witness to represent your company.”

A wide swath of the chemicals, plastics and related industries are gearing up to fight a surge in litigation related to PFAS, or per- and polyfluoroalkyl substances, a class of nearly 15,000 versatile synthetic chemicals linked to serious health problems. […] PFAS-related lawsuits have already targeted manufacturers in the United States, including DuPont, its spinoff Chemours, and 3M. Last year, 3M agreed to pay at least $10 billion to water utilities across the United States that had sought compensation for cleanup costs. Thirty state attorneys general have also sued PFAS manufacturers, accusing the manufacturers of widespread contamination. But experts say the legal battle is just beginning. Under increasing scrutiny is a wider universe of companies that use PFAS in their products. This month, plaintiffs filed a class-action lawsuit against Bic, accusing the razor company of failing to disclose that some of its razors contained PFAS. Bic said it doesn’t comment on pending litigation, and said it had a longstanding commitment to safety.

The Biden administration has moved to regulate the chemicals, for the first time requiring municipal water systems to remove six types of PFAS. Last month, the Environmental Protection Agency also designated two of those PFAS chemicals as hazardous substances under the Superfund law, shifting responsibility for their cleanup at contaminated sites from taxpayers to polluters. Both rules are expected to prompt a new round of litigation from water utilities, local communities and others suing for cleanup costs. “To say that the floodgates are opening is an understatement,” said Emily M. Lamond, an attorney who focuses on environmental litigation at the law firm Cole Schotz. “Take tobacco, asbestos, MTBE, combine them, and I think we’re still going to see more PFAS-related litigation,” she said, referring to methyl tert-butyl ether, a former harmful gasoline additive that contaminated drinking water. Together, the trio led to claims totaling hundreds of billions of dollars.
Unlike tobacco, used by only a subset of the public, “pretty much every one of us in the United States is walking around with PFAS in our bodies,” said Erik Olson, senior strategic director for environmental health at the Natural Resources Defense Council. “And we’re being exposed without our knowledge or consent, often by industries that knew how dangerous the chemicals were, and failed to disclose that,” he said. “That’s a formula for really significant liability.”

YouTube’s Crackdown on Adblockers Makes Videos Unwatchable – now skips to end of video

YouTube has been at war with adblockers for quite some time now and has employed various tactics to keep users off those extensions. Its most recent defense strategy is to skip right to the end of the video you’re playing. If you try replaying it, it’ll do that again. If you tap anywhere on the timeline, your video will buffer indefinitely. Here’s what it looks like in action.

[…]

One of its first moves was to send a pop-up warning saying, “Video playback is blocked unless YouTube is allowlisted or the ad blocker is disabled.” However, users could close that pop-up and resume watching their videos.

Next, it tried to make videos unplayable by showing a never-ending loading screen. Then it refused to do even that and would pop up an immovable prompt to disable the adblocker.

[…]

This latest move is frustrating, and that’s the point. There was a time when its ads were tolerable, but with the recent increase of ads on the video platform, users are finding it extremely hard to sit through a 20-second unskippable ad followed by a 5-second skippable one. Ad runtime isn’t proportionate to a video’s length, which adds to the bizarreness.

Google is aware of its monopoly over the video-sharing industry and has jacked up its ad-free Premium tier prices to $14 monthly. It has also extended its crackdown on mobile, resulting in buffering issues and error messages for users who dare to use an adblocker on their phones.

[…]

Users have also figured out workarounds. Some are switching to AdBlock alternatives, such as uBlock Origin, while others recommend browser substitutes like Brave to fix the issue. A few disappointed consumers are also considering bidding farewell to the platform.

[…]

Source: YouTube’s Crackdown on Adblockers Makes Videos Unwatchable