Author name: Ryan Harris


“Outrageously” priced weight-loss drugs could bankrupt US health care

Collision course —

Prices would need to be dramatically slashed to avoid increasing the national deficit.

Packaging for Wegovy, manufactured by Novo Nordisk, is seen in this illustration photo.


With the debut of remarkably effective weight-loss drugs, America’s high obesity rate and its uniquely astronomical prescription drug pricing appear to be set on a catastrophic collision course—one that threatens to “bankrupt our entire health care system,” according to a new Senate report that modeled the economic impact of the drugs in different uptake scenarios.

If just half of the adults in the US with obesity start taking a new weight-loss drug, such as Wegovy, the collective cost would total an estimated $411 billion per year, the analysis found. That’s more than the $406 billion Americans spent in 2022 on all prescription drugs combined.

While the bulk of the spending on weight-loss drugs will occur in the commercial market—which could easily lead to spikes in health insurance premiums—taxpayer-funded Medicare and Medicaid programs will also see an extraordinary financial burden. In the scenario that half of adults with obesity go on the drug, the cost to those federal programs would total $166 billion per year, rivaling the programs’ total 2022 drug costs of $175 billion.

In all, by 2031, total US spending on prescription drugs is poised to reach over $1 trillion per year due to weight-loss drugs. Without them, the baseline projected spending on all prescription drugs would be just under $600 billion.

The analysis was put together by the Senate’s Health, Education, Labor, and Pensions (HELP) committee, chaired by staunch drug-pricing critic Bernie Sanders (I-Vt). And it’s quick to knock down a common argument about the high prices for smash-hit weight-loss drugs. That is, with their high effectiveness, the drugs will improve people’s health in wide-ranging ways, including controlling diabetes, improving cardiovascular health, and potentially more. And, with those improvements, people won’t need as much health care, generally, lowering health care costs across the board.

But, while the drugs do appear to have wide-ranging, life-altering benefits for overall health, the prices of the drugs are still set too high to be entirely offset by any savings in health care use. The HELP committee analysis cited a March Congressional Budget Office (CBO) report that found: “at their current prices, [anti-obesity medicines] would cost the federal government more than it would save from reducing other health care spending—which would lead to an overall increase in the deficit over the next 10 years.” Moreover, in April, the head of the CBO said that the drugmakers would have to slash prices of their weight-loss drugs by 90 percent to “get in the ballpark” of not increasing the national deficit.

The HELP committee report offered a relatively simple solution to the problem: Drugmakers should set their US prices to match the relatively low prices they’ve set in other countries. The report focused on Wegovy because it currently accounts for the most US prescriptions in the new class of weight-loss drugs (GLP-1 drugs). Wegovy is made by Denmark-based Novo Nordisk.

In the US, the estimated net price (after rebates) of Wegovy is $809 per month. In Denmark, the price is $186 per month. A study by researchers at Yale estimated that drugs like Wegovy can be profitably manufactured for less than $5 per month.

If Novo Nordisk set its US prices for Wegovy to match the Danish price, spending to treat half of US adults with obesity would drop from $411 billion to $94.5 billion, a roughly $316.5 billion savings.

Without a dramatic price cut, Americans will likely face either losing access to the drugs or shouldering higher overall health care costs, or some of both. The HELP committee report highlighted how this recently played out in North Carolina. In January, the board of trustees for the state employee health plan voted to end all coverage of Wegovy and other GLP-1 drugs due to the cost. Estimates found that if the plan continued to cover the drugs, the state would need to nearly double health insurance premiums to offset the costs.



Everything Your Parents Told You About Posture Is True! Even For Data Security

Sit up straight! Shoulders back, chest out! We all heard these wise words about the importance of physical posture growing up. Those who did sit up straight and now find themselves in positions of influence in IT are still hearing about the importance of posture, but in this case it’s the importance of security posture.

Data security is an essential part of the day-to-day mission for any diligent business, but it is also a challenge because of the complexity of how we store, access, and use data while continuing to grow. Therefore, finding effective ways to secure it has been a priority, which has led to the development of data security posture management (DSPM) solutions.

What Value Does a DSPM Solution Provide?

DSPM solutions help organizations build a detailed view of their data environment and associated security risks across three key areas:

  • Discovery and classification: This is the fundamental first step, as you can’t secure what you don’t know exists. Solutions look across cloud repositories—platform as a service (PaaS), infrastructure as a service (IaaS), and software as a service (SaaS)—as well as on-premises sources to discover and classify data, looking for sensitive information that could be misused.
  • Access reviews: Monitoring who is using critical data, what they’re doing with it, and where they’re doing it from is the next step. It’s also important to track the ways in which sensitive data moves through and out of an organization. DSPM solutions review this information looking for misconfigurations, patterns, poorly configured repositories, and over-provisioned rights.
  • Risk analysis: Once the above analysis is complete, DSPM solutions present a clear proposed security posture. They highlight risks, report on compliance against security frameworks, and offer guidance on how to lower these risks. Without insight into these areas, it’s impossible to apply robust data security.

This type of analysis can be done with native tools and skilled operations teams, but DSPM solutions bring all of these actions and insights into one tool, automating the effort and providing additional intelligence along the way—often more quickly and more accurately than a human.
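The three steps above (discovery and classification, access review, risk analysis) can be illustrated end to end in a few dozen lines. The following is an added example written for this page, not code from the post or from any DSPM product: it classifies a constructed inventory of assets with regex detectors (card numbers are confirmed with the Luhn checksum so random digit runs are not flagged), reviews exposure from POSIX mode bits and a constructed ACL, and rolls the results into a posture summary. The asset paths, contents and ACL principals are all made up.

```python
"""Mini data-security-posture pass over a constructed inventory.

Added example written for this page; it is not code from the post or
from any DSPM product. It covers the three steps the post lists:
discovery/classification (regex classifiers with a Luhn check for card
numbers), access review (POSIX mode bits plus a constructed ACL), and
risk analysis (a per-asset rating and a posture summary).
"""
import re
import stat
from dataclasses import dataclass

# Classifiers keyed by label. Card matches are confirmed with the Luhn
# checksum so that arbitrary digit runs are not reported as sensitive.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Discovery/classification: the set of sensitive-data labels found."""
    labels = set()
    for label, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if label == "card":
                digits = re.sub(r"\D", "", m.group())
                if not (13 <= len(digits) <= 16 and luhn_ok(digits)):
                    continue
            labels.add(label)
    return labels


@dataclass
class Asset:
    path: str
    content: str
    mode: int         # permission bits as os.stat().st_mode would report them
    readers: list     # principals granted read access (constructed ACL)


@dataclass
class Finding:
    path: str
    labels: set
    risk: str
    reasons: list


def review(asset: Asset) -> Finding:
    """Access review plus risk rating for one asset."""
    labels = classify(asset.content)
    reasons = []
    if asset.mode & stat.S_IROTH:
        reasons.append("world-readable")
    if "everyone" in asset.readers:
        reasons.append("read granted to everyone")
    if not labels:
        risk = "low"       # nothing sensitive, so exposure is not a data risk
    elif reasons:
        risk = "high"      # sensitive data with over-broad access
    else:
        risk = "medium"    # sensitive data, access looks scoped
    return Finding(asset.path, labels, risk, reasons)


def posture_report(assets):
    """Risk analysis: per-asset findings plus a count by risk level."""
    findings = [review(a) for a in assets]
    summary = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        summary[f.risk] += 1
    return findings, summary


# Constructed inventory standing in for discovered cloud and on-prem assets.
SAMPLE_ASSETS = [
    Asset("s3://corp-exports/customers.csv",
          "alice@example.com,4111 1111 1111 1111", 0o644, ["everyone"]),
    Asset("/srv/hr/payroll.txt", "SSN 123-45-6789 salary 1000", 0o600, ["hr-team"]),
    Asset("/srv/www/index.html", "<h1>Welcome</h1>", 0o644, ["everyone"]),
]

if __name__ == "__main__":
    findings, summary = posture_report(SAMPLE_ASSETS)
    for f in findings:
        print(f"{f.risk:6} {f.path}  labels={sorted(f.labels)} reasons={f.reasons}")
    print("summary:", summary)
```

The rating rule is deliberately simple: exposure without sensitive content is low, sensitive content with scoped access is medium, and sensitive content plus any over-broad grant is high. A real deployment would replace the regex detectors with the classifier set required by the relevant regulation and feed the access review from the repository’s actual ACLs rather than a constructed list.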

How Will AI Impact the DSPM Market?

The original purchase drivers of data security tools were the introduction of GDPR, the European Union regulation, and a flurry of other data privacy legislation. Organizations needed to understand their data and where it presented regulatory risk, driving an increased adoption of discovery, classification, and security tools.

It’s likely that artificial intelligence (AI) will drive a new wave of DSPM adoption. AI learning models present a range of opportunities for businesses to mine their data for new insights, creativity, and efficiency, but they also present risks. Given the wrong access to data or even access to the wrong data, AI tools can introduce a range of security and commercial business risks. For example, if tools surface information to users that they would not normally be able to access or present inaccurate information to customers and partners, this could result in negative commercial and legal impacts.

Therefore, it’s essential for organizations to take steps to ensure that the data models that AI is using are both accurate and appropriate. How do they do that? They need insight into their data and to understand when and what information AI learning models are accessing and whether that data is still valid. AI usage should have us thinking about how to ensure the quality and security of our data. DSPM may just be the answer.

Are DSPM Solutions Worth the Investment?

The reality is “it depends.” It’s useful to realize that while DSPM solutions can definitely deliver value, they are complex and come with a cost that’s more than financial. Fully adopting the technology, as well as an effective DSPM process, requires operational and cultural change. These types of changes do not come easily, so it’s important that a strong use case exists before you begin looking at DSPM.

The most important thing you should consider before adoption is the business case. Data security is fundamentally a business problem, so adopting DSPM cannot be an IT project alone; it must be part of a business process.

The strongest business case for deployment comes from organizations in heavily regulated industries, such as finance, healthcare, critical infrastructure, and pharma. These usually demand compliance with strict regulations, and businesses must demonstrate their compliance to boards, regulators, and customers.

The next most common business case is companies for which data is the business, such as those involved in data exchange and brokering. They demand the most stringent controls because any failures in security could lead to business failure.

If you’re not in one of those types of organizations, it doesn’t mean that you shouldn’t adopt a DSPM solution, but you do need to consider your business case carefully and ensure there’s buy-in from senior management before you begin a DSPM project.

Stand Up Straight, and Get Your Data Security Posture Right

A good data security posture is essential to every business. A DSPM tool gives you the insight, guidance, and controls you need, and does so more quickly and effectively than pulling together information from several different tools and resources. That improves your organization’s posture faster while saving on costs at the same time.

So, don’t slouch, sit up straight, and improve your data security posture.

Next Steps

To learn more, take a look at GigaOm’s DSPM Key Criteria and Radar reports. These reports provide a comprehensive overview of the market, outline the criteria you’ll want to consider in a purchase decision, and evaluate how a number of vendors perform against those decision criteria.



Netflix gets the NFL: Three-year deal starts this season on Christmas

Who’s next to get a game? Apple TV? Hulu? Crackle? —

The NFL brings eyeballs like no other content, and subscribers actually stick around.

The San Francisco 49ers' star quarterback Brock Purdy celebrates during a blowout 35-7 win over the Tom Brady-led Buccaneers.


Getty Images/Thearon W. Henderson

Hey, football fans! You’re already watching the NFL on CBS, NBC, Fox, ABC, ESPN, ESPN Plus, Peacock, Amazon Prime Video, NFL Network, and YouTube TV, right? Well, get ready for one more: Netflix! The biggest streaming provider that wasn’t showing NFL games is now jumping into the pile. The NFL and Netflix have signed a three-year deal that will put exclusive Christmas games on the streaming service.

The first Netflix Christmas games will be this season, on December 25, 2024 (that’s a Wednesday, by the way). Netflix will get two Christmas games this year, with exact times and teams to be announced later tonight at the NFL’s live schedule unveiling extravaganza (even the schedule is an event now). The NFL says 2025 and 2026 will see “at least one” game on the service each Christmas. The exact terms of the deal were not disclosed.

In the quickly changing landscape of TV, the NFL has long been one of the few things left that is still appointment television. Of the top 100 highest-rated US TV broadcasts in 2023, 93 percent were NFL games. In the hyper-fragmented world of streaming, landing a few exclusive NFL games is a great way to hook people into your service. NBC’s exclusive Peacock playoff game brought in 23 million viewers last year. And even if that was a bit low by NFL standards, NBC called it “the most streamed event ever in US history” and “a milestone moment in media and sports history.” You might think NFL fans would immediately cancel after the final kneel-down, but one study showed a shocking 71 percent of users who signed up for the NFL game were still on Peacock seven weeks later.

Netflix has been dipping its toe into the NFL content stream with special reality-style documentaries like Quarterback and the upcoming Receiver, which star current NFL players, but this will be the first time the streamer will air live football. With NFL Sunday Ticket on YouTube TV and Thursday Night Football games on Amazon Prime, the NFL is moving online more than ever. In a few years, things will get even wilder: In 2029, the NFL can cancel all the TV deals at the same time if it wants. That would lead to an unprecedented bidding war among all the TV and streaming providers and would upend the entire NFL content world.



Cable TV providers ruined cable—now they’re coming for streaming

Cable 2.0 —

Comcast wants to tie its cable/Internet to your streaming subscriptions.


In an ironic twist, cable TV and Internet provider Comcast has announced that it, too, will sell a bundle of video-streaming services for a discounted price. The announcement comes as Comcast has been rapidly losing cable TV subscribers to streaming services and seeks to bring the same type of bundling that originally drew people away from cable to streaming.

Starting on an unspecified date this month, the bundle, called Streamsaver, will offer Peacock, which Comcast owns, Apple TV+, and Netflix to people who subscribe to Comcast’s cable TV and/or broadband. Comcast already offers Netflix or Apple TV+ as add-ons to its cable TV, but Streamsaver expands Comcast’s streaming-related bundling efforts.

Comcast didn’t say how much the streaming bundle would cost, but CEO Brian Roberts said that it will “come at a vastly reduced price to anything in the market today” when announcing the bundle on Tuesday at MoffettNathanson’s 2024 Media, Internet and Communications Conference in New York, per Variety. If we factor in Peacock’s upcoming price hike, subscribing to Apple TV+, Netflix, and Peacock separately would cost $39.47 per month without ads, or $24.97/month with ads.

According to Roberts, Comcast is hoping that the upcoming package will help Comcast “add value to consumers” and “take some of the dollars out of” other streaming businesses.

For subscribers, the more immediate effect is the continuing and rapid blurring of the lines between cable and streaming services. And Comcast knows that.

As Roberts notes: “We’ve been bundling video successfully and creatively for 60 years, and so this is the latest iteration of that.”

Comcast is hemorrhaging subscribers

Last month, Comcast said it lost 487,000 cable TV subscribers in Q1 2024. It ended the quarter with 13,600,000 subscribers, compared to 14,106,000 at the end of 2023 and 16,142,000 at the end of 2022.

Comcast’s broadband subscriber base also decreased from 32,253,000 at the end of 2023 to 32,188,000.

Peacock, Comcast’s flagship streaming service, hasn’t made any money since launching in 2020 and lost $2.7 billion in 2023. However, in April, Comcast said that Peacock’s Q1 losses lessened from $704 million in Q1 2023 to $639 million in Q1 2024.

It’s worth noting that in January, Comcast raised prices for its cable and Internet services by 3 percent, blaming the price hikes on broadband investments and an increase in programming costs.

Déjà vu

One of the common reasons people abandoned cable TV was bundled packages that forced them to pay for services, like phone or Internet, or channels that they didn’t want. Now, Comcast is looking to save its shrinking subscriber base by bundling its cable TV or Internet service with some of its biggest competitors. Like streaming services, Comcast is hoping that bundling its products will deter people from canceling their subscriptions since they’re tied to each other.

Subscriber churn is also a problem in the streaming industry. Antenna, a subscription analyst company, estimates that around 25 percent of video-streaming subscribers in the US have canceled at least three such subscriptions in the last two years. These high-churn subscribers represent around 40 percent of new subscriptions and cancellations last year, Antenna told The New York Times in April.

But Comcast’s announcement hints at déjà vu as Comcast blatantly seeks to re-create the cable bundle or triple-play package using the very streaming services that are eating away at Comcast’s cable business. Ironically, Comcast is seeking to bandage a declining business by feeding some of the biggest contributors to that decline, using the same tactics that drove many customers away in the first place.

We’re expected to hear a lot more about bundled services. Last month, we learned that a Disney+, Hulu, and Max bundle would be released this summer, for example. And there’s already a lengthy list of streaming bundle packages available from third parties like Verizon and T-Mobile.

But for people who left cable to avoid overloaded bundled packages and to get away from companies like Comcast, which group cable TV or Internet with streaming services that often raise prices, limit show and movie availability and features, and increasingly focus on ads, it just isn’t worth the monthly savings.



DOJ says Boeing faces criminal charge for violating deal over 737 Max crashes

Criminal prosecution —

DOJ determined that Boeing violated 2021 agreement spurred by two fatal crashes.

Relatives hold a poster with faces of the victims of Ethiopia flight 302 outside a courthouse in Fort Worth, Texas, on January 26, 2023.


Getty Images | Shelby Tauber

The US Department of Justice yesterday said it has determined that Boeing violated a 2021 agreement spurred by two fatal crashes and is now facing a potential criminal prosecution.

Boeing violated the agreement “by failing to design, implement, and enforce a compliance and ethics program to prevent and detect violations of the US fraud laws throughout its operations,” the DOJ said in a filing in US District Court for the Northern District of Texas. Because of this, “Boeing is subject to prosecution by the United States for any federal criminal violation of which the United States has knowledge,” the DOJ said.

The US government is still determining whether to initiate a prosecution and said it will make a decision by July 7. Under terms of the 2021 agreement, Boeing has 30 days to respond to the government’s notice.

The DOJ court filing did not list any specific incidents. But the notice came after a January 2024 incident in which a 737 Max 9 used by Alaska Airlines had to make an emergency landing because a door plug blew off the aircraft in mid-flight. Boeing also recently said that some workers skipped required tests on the 787 Dreamliner planes but falsely recorded the work as having been completed.

Boeing itself referred to the Alaska Airlines flight in a statement the company provided to Ars today. Boeing confirmed that it received a communication “from the Justice Department, stating that the Department has made a determination that we have not met our obligations under our 2021 deferred prosecution agreement, and requesting the company’s response.”

“We believe that we have honored the terms of that agreement and look forward to the opportunity to respond to the Department on this issue,” Boeing said. “As we do so, we will engage with the Department with the utmost transparency, as we have throughout the entire term of the agreement, including in response to their questions following the Alaska Airlines 1282 accident.”

Deal struck after crash deaths of 346 passengers

Yesterday’s DOJ court filing said that Boeing could be prosecuted for the charge listed in the one-count criminal information that was filed at the same time as the deferred prosecution agreement in 2021. That document alleged that Boeing defrauded the Federal Aviation Administration in connection with the agency’s evaluation of the Boeing 737 Max. The DOJ filing yesterday said Boeing could also be prosecuted for other offenses.

In January 2021, the DOJ announced that Boeing signed the deferred prosecution agreement “to resolve a criminal charge related to a conspiracy to defraud the Federal Aviation Administration’s Aircraft Evaluation Group (FAA AEG) in connection with the FAA AEG’s evaluation of Boeing’s 737 Max airplane.”

This occurred after 346 passengers died in two Boeing 737 Max crashes in 2018 and 2019 in Indonesia and Ethiopia. Boeing agreed to pay $2.5 billion, including $1.77 billion in compensation for airline customers and $500 million for the heirs, relatives, and legal beneficiaries of the crash victims.

“The tragic crashes of Lion Air Flight 610 and Ethiopian Airlines Flight 302 exposed fraudulent and deceptive conduct by employees of one of the world’s leading commercial airplane manufacturers,” Acting Assistant Attorney General David Burns said when the 2021 deal was struck. “Boeing’s employees chose the path of profit over candor by concealing material information from the FAA concerning the operation of its 737 Max airplane and engaging in an effort to cover up their deception.”

US Attorney Erin Nealy Cox said then that “misleading statements, half-truths, and omissions communicated by Boeing employees to the FAA impeded the government’s ability to ensure the safety of the flying public.”

The nonprofit Foundation for Aviation Safety, which is led by former Boeing employee Ed Pierson, recently accused Boeing of violating the deferred prosecution agreement. Pierson alleged in a December 2023 court filing that “Boeing has deliberately provided false, incomplete, and misleading information to the FAA, the flying public, airline customers, regulators, and investors.”

Meeting with victims’ families

The DOJ court filing yesterday said the department is continuing to confer with the airlines and family members of the crash victims.

“To that end, the Government separately notified the victims and the airline customers today of the breach determination,” the DOJ wrote. “The Government also has already scheduled a conferral session for May 31, 2024, with the victims. The Government last conferred with the victims on April 24, 2024, to discuss the issue of whether Boeing breached the [deferred prosecution agreement].”

Paul Cassell, an attorney for victims’ families, said the DOJ filing “is a positive first step, and for the families, a long time coming. But we need to see further action from DOJ to hold Boeing accountable and plan to use our meeting on May 31 to explain in more detail what we believe would be a satisfactory remedy to Boeing’s ongoing criminal conduct.”



Android 15 gets “Private Space,” theft detection, and AV1 support

The best theft prevention is “owning an Android phone” —

Android 15 Beta 2 is out for Pixels and several third-party devices.

The Android 15 logo. This is “Android V,” if you can’t tell from the logo.

Google

Google’s I/O conference is still happening, and while the big keynote was yesterday, major Android beta releases have apparently been downgraded to Day 2 of the show. Google really seems to want to be primarily an AI company now. Android already had some AI news yesterday, but now that the code-red requirements have been met, we have actual OS news.

One of the big features in this release is “Private Space,” which Google says is a place where users can “keep sensitive apps away from prying eyes, under an additional layer of authentication.” First, there’s a new hidden-by-default portion of the app drawer that can hold these sensitive apps, and revealing that part of the app drawer requires a second round of lock-screen authentication, which can be different from the main phone lock screen.

Just like “Work” apps, the apps in this section run on a separate profile. To the system, they are run by a separate “user” with separate data, which your non-private apps won’t be able to see. Interestingly, Google says, “When private space is locked by the user, the profile is paused, i.e., the apps are no longer active,” so apps in a locked Private Space won’t be able to show notifications unless you go through the second lock screen.

Another new Android 15 feature is “Theft Detection Lock,” though it’s not in today’s beta and will be out “later this year.” The feature uses accelerometers and “Google AI” to “sense if someone snatches your phone from your hand and tries to run, bike, or drive away with it.” Any of those theft-like shock motions will make the phone auto-lock. Of course, Android’s other great theft prevention feature is “being an Android phone.”

Android 12L added a desktop-like taskbar to the tablet UI, showing recent and favorite apps at the bottom of the screen, but it was only available on the home screen and recent apps. Third-party OEMs immediately realized that this bar should be on all the time and tweaked Android to allow it. In Android 15, an always-on taskbar will be a normal option, allowing for better multitasking on tablets and (presumably) open foldable phones. You can also save split-screen-view shortcuts to the taskbar now.

  • Left: private space appears at the bottom of the app drawer. Middle: tapping on it brings up a biometric prompt. Right: passing the prompt reveals more apps.

    Google

  • Theft detection will lock the phone if it detects a rough movement.

    Google

  • The predictive back gesture will show you where “back” goes.

    Google

An Android 13 developer feature, predictive back, will finally be turned on by default. When performing the back gesture, this feature shows what screen will show up behind the current screen you’re swiping away. This gives a smoother transition and a bit of a preview, allowing you to cancel the back gesture if you don’t like where it’s going.

Android is only now getting around to implementing this, despite it being a feature that iOS has had for years. It will still be a long road, as individual app developers must opt into it. At least you no longer have to dig into the developer settings to turn it on. Have Android’s third-party developers used the two-year rollout to implement the feature in their apps? Mostly no, but we’re hoping the Android system apps should at least support it now, and maybe even some Google apps will, too.

Because this is a developer release, there are tons of under-the-hood changes. Google is a big fan of its own next-generation AV1 video codec, and AV1 support has arrived on various devices thanks to hardware decoding being embedded in many flagship SoCs. If you can’t do hardware AV1 decoding, though, Android 15 has a solution for you: software AV1 decoding.

You’ll never guess who built it: VideoLAN, aka the people who make the extremely popular, plays-everything, open-source VLC media player. Google says, “This support is standardized and backported to Android 11 devices that receive Google Play system updates.” That means basically every Android device will now support AV1, which is great not just for phones but cheaper TV boxes as well.

Finally, the second beta isn’t just for Pixels. Google says Honor, iQOO, Lenovo, Nothing, OnePlus, OPPO, Realme, Sharp, Tecno, Vivo, and Xiaomi are all shipping betas for certain phones, too. For Pixels, Android 15 Beta 2 should go live sometime today.



Linux maintainers were infected for 2 years by SSH-dwelling backdoor with huge reach

ONGOING LINUX THREAT —

Ebury backdoors SSH servers in hosting providers, giving the malware extraordinary reach.

A cartoon door leads to a wall of computer code.

Infrastructure used to maintain and distribute the Linux operating system kernel was infected for two years, starting in 2009, by sophisticated malware that managed to get hold of one of the developers’ most closely guarded resources: the /etc/shadow files that stored hashed password data for more than 550 system users, researchers said Tuesday.

The unknown attackers behind the compromise infected at least four servers inside kernel.org, the Internet domain underpinning the sprawling Linux development and distribution network, the researchers from security firm ESET said. After obtaining the cryptographic hashes for 551 user accounts on the network, the attackers were able to convert half into plaintext passwords, likely through password-cracking techniques and the use of an advanced credential-stealing feature built into the malware. From there, the attackers used the servers to send spam and carry out other nefarious activities. The four servers were likely infected and disinfected at different times, with the last two being remediated at some point in 2011.

Stealing kernel.org’s keys to the kingdom

An infection of kernel.org came to light in 2011, when kernel maintainers revealed that 448 accounts had been compromised after attackers had somehow managed to gain unfettered, or “root,” system access to servers connected to the domain. Maintainers reneged on a promise to provide an autopsy of the hack, a decision that has limited the public’s understanding of the incident.

Besides revealing the number of compromised user accounts, representatives of the Linux Kernel Organization provided no details other than saying that the infection:

  • Occurred no later than August 12, 2011, and wasn’t detected for another 17 days
  • Installed an off-the-shelf rootkit known as Phalanx on multiple servers and personal devices belonging to a senior Linux developer
  • Modified the files that both servers and end user devices inside the network used to connect through OpenSSH, an implementation of the SSH protocol for securing remote connections.

In 2014, ESET researchers said the 2011 attack likely infected kernel.org servers with a second piece of malware they called Ebury. The malware, the firm said, came in the form of a malicious code library that, when installed, created a backdoor in OpenSSH that provided the attackers with a remote root shell on infected hosts with no valid password required. In a little less than 22 months, starting in August 2011, Ebury spread to 25,000 servers. Besides the four belonging to the Linux Kernel Organization, the infection also touched one or more servers inside hosting facilities and an unnamed domain registrar and web hosting provider.

A 47-page report summarizing Ebury’s 15-year history said that the infection hitting the kernel.org network began in 2009, two years earlier than the domain was previously thought to have been compromised. The report said that since 2009, the OpenSSH-dwelling malware has infected more than 400,000 servers, all running Linux except for about 400 FreeBSD servers, a dozen OpenBSD and SunOS servers, and at least one Mac.

Researcher Marc-Etienne M. Léveillé wrote:

In our 2014 paper, we mentioned that there was evidence that kernel.org, hosting the source code of the Linux kernel, had been a victim of Ebury. Data now at our disposal reveals additional details about the incident. Ebury had been installed on at least four servers belonging to the Linux Foundation between 2009 and 2011. It seems these servers acted as mail servers, name servers, mirrors, and source code repositories at the time of the compromise. We cannot tell for sure when Ebury was removed from each of the servers, but since it was discovered in 2011 it is likely that two of the servers were compromised for as long as two years, one for one year and the other for six months.

The perpetrator also had copies of the /etc/shadow files, which overall contained 551 unique username and hashed password pairs. The cleartext passwords for 275 of those users (50%) are in possession of the attackers. We believe that the cleartext passwords were obtained by using the installed Ebury credential stealer, and by brute force.

The researcher said in an email that the Ebury and Phalanx infections appear to be separate compromises by two unrelated threat groups. Representatives of the Linux Kernel Organization didn’t respond to emails asking if they were aware of the ESET report or if its claims were accurate. There is no indication that either infection resulted in tampering with the Linux kernel source code.



Connected cars’ illegal data collection and use now on FTC’s “radar”

wipe your data when you sell —

The regulator is warning OEMs to respect data privacy or it will get mad.

An image of cars in traffic, with computer-generated bounding boxes over each one, representing the idea of data collection

Getty Images

The Federal Trade Commission’s Office of Technology has issued a warning to automakers that sell connected cars. Companies that offer such products “do not have the free license to monetize people’s information beyond purposes needed to provide their requested product or service,” it wrote in a blog post on Tuesday. Just because executives and investors want recurring revenue streams, that does not “outweigh the need for meaningful privacy safeguards,” the FTC wrote.

Based on your feedback, connected cars might be one of the least-popular modern inventions among the Ars readership. And who can blame them? Last January, a security researcher revealed that a vehicle identification number was sufficient to access remote services for multiple different makes, and yet more had APIs that were easily hackable.

Later, in 2023, the Mozilla Foundation published an extensive report examining the various automakers’ policies regarding the use of data from connected cars; the report concluded that “cars are the worst product category we have ever reviewed for privacy.”

Those were rather abstract cases, but earlier this year, we saw a very concrete misuse of connected car data. Writing for The New York Times, Kashmir Hill learned that owners of connected vehicles made by General Motors had been unwittingly enrolled in OnStar’s Smart Driver program and that their driving data had been shared with their insurance company, resulting in soaring insurance premiums.

The FTC is not taking specific action against any automaker at this point. Instead, the blog post is meant to be a warning to the industry. It says that “connected cars have been on the FTC’s radar for years,” although the agency appears to have done very little other than hold workshops in 2013 and 2018, as well as publishing guidance for consumers reminding them to wipe the data from their cars before selling them.

(By contrast, the California Privacy Protection Agency announced last year that its enforcement division had begun making inquiries with automakers to ensure they complied with the state’s 2018 Consumer Privacy Act.)

The FTC says that automakers and other businesses must protect users’ data against illegal collection, use, and disclosure. It points to recent enforcement actions against companies in other sectors that have illegally collected or used geolocation data, surreptitiously disclosed sensitive user data, and illegally used sensitive data for automated decisions.

The FTC says the easiest way to comply is to not collect the data in the first place.



Scholars discover rare 16th-century tome with handwritten notes by John Milton

“Wow. Bingo!” —

Poet crossed out one racy passage, deeming it “an unbecom[ing] tale for a hist[ory]”

John Milton citing Spenser on the recent history of Ireland in his 1587 edition of Raphael Holinshed’s Chronicles. Note Milton’s italic e, hooks and curls on letters, and distinctive s’s.

Phoenix Public Library

John Milton is widely considered to be one of the greatest English poets who ever lived—just ask such luminaries as John Dryden, Alexander Pope, Samuel Johnson, and Voltaire, who once declared, “Milton remains the glory and the wonder of England.” But while Milton’s own books continue to be widely read and studied, there are only a handful of books in collections today known to have been part of his personal library.

Add one more title to that small list, as scholars recently discovered a copy of Holinshed’s Chronicles of England, Scotland, and Ireland in the Phoenix Public Library, containing handwritten notes in Milton’s distinctive hand. This makes the volume extra-special, since only two other books once owned by Milton also contain handwritten notes. The scholars detailed their findings in a new article published in the Times Literary Supplement.

Holinshed’s Chronicles is a hugely influential and comprehensive three-volume history of Great Britain, first published in 1577; it was followed by a second edition in 1587. A London printer named Reginald Wolfe started the project and hired Raphael Holinshed and William Harrison to help him create a “universal cosmography of the whole world.” Wolfe died before the book could be completed, and the project was eventually scaled down to a history of England, Scotland, and Ireland, complete with maps and illustrations.

The Chronicles is perhaps best known today as the primary source for William Shakespeare’s history plays, as well as Macbeth and parts of King Lear and Cymbeline. But plenty of other writers found it to be a useful resource, including Edmund Spenser, Shakespeare’s contemporary Christopher Marlowe, and John Milton. Milton is best known for his epic poem Paradise Lost, but he also wrote many other poems and prose; references to Holinshed’s Chronicles abound in the latter, including Of Reformation (1641), The History of Britain (1670), and Milton’s commonplace book (essentially a personal journal).

Milton refers to ‘the booke of Provenzall poets’ discussing Richard the Lionheart’s poetry and mistresses.

Phoenix Public Library

Real estate magnate and philanthropist Alfred Knight purchased a 1587 edition of Holinshed in 1942 from Beverly Hills, California, bookseller Maxwell Huntley for $38.60—including shipping to Phoenix, where Knight lived. It was added to Knight’s extensive rare book collection, particularly focused on what the authors of the TLS article term “Shakespeareana.” Knight also owned a first edition of Paradise Lost and a 1697 first edition of Milton’s collected prose. He bequeathed his collection to the people of Phoenix under the care of the public library.

In March, Arizona State University hosted a forum at the library, and custodians brought out the Holinshed—consisting of two bound tomes incorporating the original three volumes—so those in attendance could examine it. Aaron Pratt of the University of Texas was among the attendees and noticed that an “e” in handwritten notes in the margins seemed familiar. “I was like, ‘God, there’s no way in hell this is true, but it kind of looks like this stupid way Milton writes “e,”’” Pratt said. Early on, Milton used the letter epsilon (ε) for his e’s, but sometime in the late 1630s, he switched to using an italic e.

Naturally, Pratt was intrigued and examined the handwritten marginalia more closely, finding “scratchy brackets” with notations that looked very much like ones known to be written by Milton in a Shakespeare First Folio discovered in the Philadelphia Free Library in 2019. He and co-author Claire Bourne of Penn State, who was also in attendance, excitedly began comparing the annotations in the Holinshed and the folio.

Bourne then texted photographs of the handwriting to co-author Jason Scott-Warren, director of the Cambridge Center for Material Texts in England. Scott-Warren was the one who had verified Milton’s handwriting in the Shakespeare folio in 2019. Known to be conservative in his assessments, Scott-Warren compared the handwritten Holinshed notes to Milton’s handwriting in two of the poet’s handwritten manuscripts. He confirmed that the Holinshed handwriting was indeed Milton’s with an exclamatory, “Wow. Bingo!”

Raphael Holinshed’s lewd anecdote about the mother of William the Conqueror, Arlete. Milton crossed out the passage with a diagonal line and added a note: “an unbecom[ing] / tale for a hist[ory] / and as pedlerl[y] / expresst.”

Phoenix Public Library

In addition to the italic e, the Holinshed notations contain the poet’s distinctive hooks and curls on certain letters, as well as his unevenness in forming lowercase s’s. Textual analysis between the marked Holinshed passages and Milton’s Commonplace Book also indicates the poet owned this particular copy. More than 90 percent of references to Holinshed correspond to marked passages in the Knight Collection copy of the second bound volume. And several of the handwritten notes in the latter cite other books scholars know were once part of Milton’s personal library.

Of particular interest is where Milton crossed out a particularly racy passage about the mother of William the Conqueror, Arlete (Herleva), mistress of Duke Robert I of Normandy. The anecdote describes how the duke noticed Arlete dancing and brought her to bed, whereupon she tore her dress rather than allow him to lift it himself because “it would be immodest for her ‘dependant’ garments to be ‘mountant’ to the duke’s mouth.” Milton added a note decrying the anecdote as “an unbecom[ing]/ tale for a hist[ory],” in a style more fitting to peddling wares on the street. “Milton is renowned as an enemy of press censorship, but here we see he was not immune to prudishness,” said Scott-Warren.

As for the provenance of this copy of Holinshed, the authors note that most of Milton’s personal books were sold in batches around the time he died in 1674, but there’s no record of the Holinshed for over a century. The volumes were rebound in red leather with marbled endpapers around 1800, and historian and collector William Maskell signed the book and made his own notes starting around 1847. While most of Maskell’s books were sold at various auctions, it seems the Holinshed remained in the family’s private collection until it showed up in Beverly Hills in 1942.



VMware Fusion, Workstation now free for home use, subscription-only for businesses

i’ve got good news and bad news —

Free for personal use, but businesses will have to fork over $120 per year.


Broadcom’s acquisition of VMware last year has led to widespread upheaval at the company, including layoffs, big changes to how it approaches software licensing, and general angst from customers and partners. Broadcom also discontinued the free-to-use version of VMware’s vSphere Hypervisor, also known as ESXi, earlier this year, forcing home users to find alternatives.

But today there’s a bit of good news—for home users, at least. Broadcom is making VMware Fusion Pro 13 and VMware Workstation Pro free for personal use.

Fusion Pro and Workstation Pro certainly aren’t the only free-to-use virtualization products—VirtualBox has existed for years, and there are many indie projects that make use of Apple’s virtualization frameworks for macOS. But VMware’s products are a bit more polished and easier to learn than some of those alternatives, and VMware’s file formats are also commonly used when redistributing virtual machines for retrocomputing purposes.

Today’s announcement may be less welcome for businesses that prefer perpetually licensed versions of Fusion Pro or Workstation Pro. VMware is phasing these licenses out, offering support for current perpetually licensed products until “their existing End of Life and End of General Support dates” but shifting to a subscription-only model for future updates.

VMware is framing this as a “simplification” that “eliminates 40+ other SKUs,” and while this may be true, it’s also likely just a side effect of Broadcom’s wider push to end standalone software sales in favor of a more lucrative subscription-only model. Broadcom has already stopped selling perpetual licenses for many other VMware products.

A Desktop Hypervisor app subscription will run businesses $120 per year. The only difference between the free home version and the paid business version is a “this product is licensed for personal use only” message that appears in the home version; Broadcom says that the products are functionally identical.

Since the full apps are going the free-to-use route, Broadcom is discontinuing the VMware Workstation Player and Fusion Player apps. These apps could be used to fire up pre-existing VMs but generally couldn’t create new virtual machines from scratch. Workstation Player will continue on as a component of Workstation Pro, but it will no longer be offered as a standalone product. Users of Fusion Player will be able to upgrade in place to Fusion Pro by updating the app to version 13.5.2 or later and deleting the Fusion Player license key. Workstation Player users will need to download and install the Workstation Pro software separately.

Users who want to use Fusion Pro and Workstation Pro will need to sign up for a Broadcom account; once they do, Fusion Pro can be downloaded from here, and Workstation Pro can be downloaded from here.



Could your car power your home? GM makes it a reality in EV truck demo.

V2H is vehicle to home —

GM’s Ultium-based EVs can power your house during an outage.

GM used a 2024 Chevrolet Silverado EV RST, parked in a residential garage, to power a 10,000-square-foot house as a demo of its Home Energy system.

General Motors

LOS ANGELES—Let’s face it: The American power grid is a hot mess. The system is outdated and overstressed by amp-sucking appliances, air conditioning units, and extreme weather. Depending on where you live, it’s likely only a matter of time before your home will experience a blackout. GM Energy, a subsidiary of General Motors, is here to help.

At a demonstration in a swanky 10,000-square-foot mansion in Beverly Hills, California, where I counted 51 recessed lights in the great room, the new home products from GM Energy easily kept the electrons flowing, eschewing the grid and drawing power from the 200 kWh battery in a 2024 Chevrolet Silverado RST.

It all starts with the GM Energy PowerShift charger. On an 80 A circuit, the charger can charge your EV at a whopping 19.2 kW, and its bidirectional technology can push electrons from the truck’s battery into an inverter that converts them to the AC power your home requires. The happy little AC current then goes into the Home Hub, which distributes the power to the appropriate circuits, and voilà—the lights are on.

But if the power goes out suddenly, how does the process start? GM Energy’s “Dark Start” battery holds just enough juice to get the whole thing running. At the demo, it took about 36 seconds from the main breaker being shut off to the system powering up, flooding the garage full of tech reporters and GM brass with steady, non-flickering lights. Oh, and of course, you can keep track of everything in the My Chevy app.

MyChevrolet mobile app displaying charging status of the 2024 Chevrolet Silverado EV RST in a residential garage with GM Energy products.

General Motors

Currently, the system only works with the Silverado EV RST. The company expects the EV versions of the 2024 Sierra Denali, Cadillac Lyriq, and Chevrolet Blazer and Equinox to come online soon, though some may require a dealership or over-the-air update. GM plans to include bidirectional technology on all its Ultium-based EVs by model-year 2026. As for the Honda Prologue and Acura ZDX EVs that were developed in partnership with GM—no dice. Owners of those cars will not be able to use this technology.

One further bugaboo was found on the GM Energy website, which says, in tiny print, that the products are only available in California, Florida, Michigan, New York, and Texas. However, the company says the tech will be available in all 50 states later this year.

How long can it last?

GM Energy engineer Brent Deep has been running the system for two years with no problems. He claims his family has not been trying to conserve power, instead running two air conditioning units, a hot tub, laundry machines, an electric range, an oven, and the myriad other appliances four people in Michigan would use to remain comfortable. In this case, a Silverado RST can power the house for four days.

Deep and his family are slightly heavy in their energy use, however. The US Energy Information Administration says the average house uses 899 kWh of energy every month, or about 30 kWh per day. By that math, the Silverado RST should provide juice for just over six days.

I, however, do not have a family of four. In fact, I’m a bit of an electricity miser, at least during the non-summer months. I live in the high desert of California but still keep the air conditioning at 80 degrees in my two-bedroom home during the hot season, turn off every light except the one I’m using, and if I can eke out another wear of a pair of jeans instead of throwing them in the laundry, I do it. How long could I power my house?

When I looked at my bill for the past 12 months, the least I’ve used was 126 kWh in April of 2024, for which Southern California Edison charged me $53.35. I used the most in July of 2023: 774 kWh for $325.



Smashing into an asteroid shows researchers how to better protect Earth

Connecting with a fastball —

Slowing down an asteroid by just one-tenth of a second makes all the difference.

Riding atop a SpaceX Falcon 9 rocket, NASA’s Double Asteroid Redirection Test, or DART, spacecraft sets off to collide with an asteroid in the world’s first full-scale planetary defense test mission in November 2021.

On a fall evening in 2022, scientists at the Johns Hopkins University Applied Physics Laboratory were busy with the final stages of a planetary defense mission. As Andy Rivkin, one of the team leaders, was getting ready to appear in NASA’s live broadcast of the experiment, a colleague posted a photo of a pair of asteroids: the half-mile-wide Didymos and, orbiting around it, a smaller one called Dimorphos, taken about 7 million miles from Earth.

“We were able to see Didymos and this little dot in the right spot where we expected Dimorphos to be,” Rivkin recalled.

After the interview, Rivkin joined a crowd of scientists and guests to watch the mission’s finale on several big screens: As part of an asteroid deflection mission called DART, a spacecraft was closing in on Dimorphos and photographing its rocky surface in increasing detail.

Then, at 7:14 pm, a roughly 1,300-pound spacecraft slammed head-on into the asteroid.

Within a few minutes, members of the mission team in Kenya and South Africa posted images from their telescopes, showing a bright plume of debris.

In the days that followed, researchers continued to observe the dust cloud and discovered it had morphed into a variety of shapes, including clumps, spirals, and two comet-like tails. They also calculated that the impact slowed Dimorphos’ orbit by about a tenth of an inch per second, proof-of-concept that a spacecraft—also called a kinetic impactor—could target and deflect an asteroid far from Earth.

The final five-and-a-half minutes of images from the DART spacecraft as it approached and then intentionally collided with asteroid Dimorphos. The video is 10 times faster than reality, except for the last six images.

NASA/Johns Hopkins APL/YouTube

Ron Ballouz, a planetary scientist at the lab, commented that what is often seen in the movies is a “sort of last-ditch-effort, what we like to call a final-stage of planetary defense.” But if hazardous objects can be detected years in advance, other techniques like a kinetic impactor can be used, he added.

If a deflection were necessary, scientists would need to change the speed of a hazardous object, such as an asteroid or comet, enough that it doesn’t end up at the same place and time as Earth as they orbit the Sun. Rivkin said this translates into at least a seven-minute change in the arrival time: If a Dimorphos-sized object were predicted to collide with Earth 67 years from now, for instance, the slow-down that DART imparted would be just enough to add up to the seven minutes, he added.

With less lead time, researchers could use a combination of multiple deflections, larger spacecraft, or boosts in speed, depending on the hazardous object. “DART was designed to validate a technique, and specific situations would inevitably require adapting things,” said Rivkin.

Researchers use data from DART and smaller-scale experiments to predict the amount of deflection using computer simulations.

Scientists are also focusing on the type of asteroid that Dimorphos appears to be: a “rubble pile,” as they call it, because objects of this kind are thought to be made of clumps of many rocks.

In fact, scientists think that most asteroids the size of Dimorphos and larger are rubble piles. As scientists continue to learn more about rubble piles, they will be able to make better predictions about deflecting asteroids or comets. And in 2026, a new mission will arrive at Didymos and Dimorphos to collect more data to fine-tune the computer models.

In the meantime, researchers are trying to learn as much as possible in the unwelcome case an asteroid or comet is discovered to be a threat to Earth and a more rapid response is necessary.

Scientists first suspected that many asteroids are rubble piles about 50 years ago. Their models showed that when larger asteroids smashed into one another, the collisions could throw off fragments that would then reassemble to form new objects.

It wasn’t until 2005, though, that scientists saw their first rubble pile: asteroid Itokawa, when a spacecraft visited it and photographed it. Then, in 2018, they saw another called Ryugu, and later that year, one more, asteroid Bennu. DART’s camera also showed Didymos and Dimorphos are likely of the same variety.

“It’s one thing to talk about rubble piles, but another to see what looks like a bunch of rocks dumped off a truck up close,” said William Bottke, a planetary scientist at the Southwest Research Institute in Boulder, Colorado.
