News about Kansas environmental issues

Apple’s AR windshields could soothe anxious passengers and let you FaceTime with friends

Self-driving cars from Apple could have AR displays. Your car could […]


Be Careful What You Wish For: The Way Cards Against Humanity Responded To This Girl's Complaint Is Hilarious

June was pride month, and to celebrate this, ‘Cards Against Humanity’ brought out a special edition ‘Pride Pack,’ with the option of glitter added. Unfortunately, when Kait Johnson went to order her glitter bomb pride pack, it was unavailable. Cards Against Humanity had run out of glitter.

“I play cards against humanity all the time I love it so much,” Kait told Bored Panda. “My friends and I all have sick senses of humor so it’s always a fun time!”

They really wanted that glitter, so what to do? Email the company and get it, obviously. So that’s just what Kait did, and to their credit, Cards Against Humanity responded, being the kickass customer service company that they’ve become known for. However, the response still left Kait lacking in sparkle. So she upped the stakes. How would they respond this time? “I honestly didn’t expect a response, let alone a box of glitter,” she told us. And what is she going to do with all that glitter now? “I’m actually trying to look for a school that might need extra glitter for their art class.”

Not to burst your bubble, but glitter has come under scrutiny lately for its environmental impact: it is a microplastic that can eventually find its way into oceans and the creatures that live there. Most glitter is made of aluminium and a plastic called PET, which can disrupt hormones in the bodies of animals and humans when broken down. Some are even calling for it to be banned completely, although some more environmentally friendly alternatives do exist. So if you do choose to use glitter, use it responsibly!


This woman wanted to get glitter with her ‘pride pack’ but they ran out

So she decided to email Cards Against Humanity

“Should I be afraid?”

“CAH responded. Their response turned my anxiety dial to 10”

“It came in today. Small white envelope hummm…..”

“Tiny amount of glitter and they admit they f**ked up. Not gonna lie I’m kinda disappointed”

But this wasn’t the end

“So my girlfriend got this in the mail today. From CAH????”

“She’s a little thick on the sides”

“Trolled again, just a grey plastic sleeve filled with more glitter and a card”

“So after some small packages reddit user u/cd247 suggested my girlfriend send this to CAH”

“So she did. This was the reply they sent back. Now I’m terrified”

“We walk up to the house saying, what the hell is that?”

“Hhuummmmm I see glitter and a big box”

“I wonder why they left the mail Box?”

“If you find glitter on your packages I’m so not sorry”

“That box was filled with glitter, weight about 5 lbs. But no spring trap, or trap of any kind”

“Seen the Mail Lady down the street and she said keep the box, they don’t want it back”

The final emails of defeat


Read more: http://www.boredpanda.com/woman-asks-extra-glitter-cards-against-humanity-kait-johnson/


A New Pacemaker Hack Puts Malware Directly on the Device

The first pacemaker hacks emerged about a decade ago. But the latest variation on the terrifying theme depends not on manipulating radio commands, as many previous attacks have, but on malware installed directly on an implanted pacemaker.

For nearly two years, researchers Billy Rios of the security firm Whitescope and Jonathan Butts of QED Secure Solutions have gone back and forth with pacemaker manufacturer Medtronic, which makes Carelink 2090 pacemaker programmers and other relevant equipment that the researchers say contain potentially life-threatening vulnerabilities. The Department of Homeland Security and the Food and Drug Administration have gotten involved as well. And while Medtronic has remediated some of the issues the researchers discovered, Rios and Butts say that too much remains unresolved, and that the risk remains very real for pacemaker patients. The pair will walk through their findings Thursday at the Black Hat security conference.

Rios and Butts say that they've discovered a chain of vulnerabilities in Medtronic's infrastructure that an attacker could exploit to control implanted pacemakers remotely, deliver shocks patients don't need or withhold ones they do, and cause real harm.

"The time period Medtronic spent discussing this with us, if they had just put that time into making a fix they could have solved a lot of these issues," Butts says. "Now we’re two years down the road and there are patients still susceptible to this risk of altering therapy, which means we could do a shock when we wanted to or we could deny shocks from happening. It’s very frustrating."


Rios and Butts originally disclosed bugs they had discovered in Medtronic's software delivery network, a platform that doesn't communicate directly with pacemakers, but rather brings updates to supporting equipment like home monitors and pacemaker programmers, which health care professionals use to tune implanted pacemakers. Since the software delivery network is a proprietary cloud infrastructure, it would have been illegal for Butts and Rios to knowingly break into the system to confirm the authentication issues and lack of integrity checks they suspected. So they instead created a proof of concept that the vulnerabilities existed by mapping the platform from the outside, and creating their own replica environment to test on.

Medtronic took 10 months to vet the submission, at which point it opted not to take action to secure the network. "Medtronic has assessed the vulnerabilities per our internal process," the company wrote in February. "These findings revealed no new potential safety risks based on the existing product security risk assessment. The risks are controlled, and residual risk is acceptable." The company did acknowledge to the Minnesota Star Tribune in March that it took too long to assess Rios and Butts' findings.

That didn't allay the researchers' initial concerns. But unable to fully vet the proprietary cloud infrastructure, they moved on to investigating other aspects of the Medtronic system, buying some of the company equipment from medical supply distributors and third-party resellers to tinker with directly. At Black Hat, Rios and Butts will demonstrate a series of vulnerabilities in how pacemaker programmers connect to Medtronic's software delivery network. The attack also capitalizes on a lack of "digital code signing"—a way of cryptographically validating the legitimacy and integrity of software—to install tainted updates that let an attacker control the programmers, and then spread to implanted pacemakers.

"If you just code sign, all these issues go away, but for some reason they refuse to do that," Rios says. "We’ve proven that a competitor actually has these mitigations in place already. They make pacemakers as well, their programmer literally uses the same operating system [as Medtronic's], and they have implemented code signing. So that’s what we recommend for Medtronic and we gave that data to the FDA." The programmers run the Windows XP operating system. (Yes, Windows XP.)

"All devices carry some associated risk, and, like the regulators, we continuously strive to balance the risks against the benefits our devices provide," Medtronic spokesperson Erika Winkels told WIRED in a statement. "Medtronic deploys a robust, coordinated disclosure process and takes seriously all potential cybersecurity vulnerabilities in our products and systems. … In the past, WhiteScope, LLC has identified potential vulnerabilities which we have assessed independently and also issued related notifications, and we are not aware of any additional vulnerabilities they have identified at this time."

Medtronic did resolve a cloud vulnerability Rios and Butts found, in which an attacker could remotely access and modify patients' pacemaker data. And their disclosures are also documented in Department of Homeland Security industrial control system advisories—including a separate Medtronic insulin pump vulnerability the researchers discovered that could allow an attacker to remotely dose a patient with extra insulin.

Butts and Rios say, though, that many of the advisories are vaguely worded, and seem to downplay the potential severity of the attacks. For example, all of them say that the "vulnerabilities are not exploitable remotely," even when possible attacks hinge on things like connecting to HTTP web servers over the internet, or manipulating wireless radio signals. "We were talking about bringing a live pig because we have an app where you could kill it from your iPhone remotely and that would really demonstrate these major implications," Butts says. "We obviously decided against it, but it’s just a mass scale concern. Almost anybody with the implantable device in them is subject to the potential implications of exploitation."

DHS did not return a request for comment by publication. In a statement, the FDA said it "values the important work of security researchers. The FDA is engaged with security researchers, industry, academia and the medical community in ongoing efforts to ensure the safety and effectiveness of medical devices as they face potential cyber threats, at all stages in the device’s lifecycle." [1] The agency also noted in an April Medical Device Safety Action Plan that it is considering establishing a "CyberMed Safety Expert Analysis Board," which would presumably provide a neutral vetting and review process for this type of disclosure.

Meanwhile, Medtronic maintains that it has evaluated the concerns and has robust defenses in place to defend patients. "We'll just demonstrate the exploits in action and let people decide for themselves," Rios says.

[1] UPDATE 8/9 2:55 PM: This story has been updated to include comment from the FDA.



Read more: https://www.wired.com/story/pacemaker-hack-malware-black-hat/