Shared posts

14 Mar 17:26

Suspected Russian Hack Extends Far Beyond SolarWinds Software, Investigators Say

by msmash
Investigators probing a massive hack of the U.S. government and businesses say they have found concrete evidence the suspected Russian espionage operation went far beyond the compromise of the small software vendor publicly linked to the attack. From a report: Close to a third of the victims didn't run the SolarWinds software initially considered the main avenue of attack for the hackers, according to investigators and the government agency digging into the incident. The revelation is fueling concern that the episode exploited vulnerabilities in business software used daily by millions [Editor's note: the link may be paywalled; alternative source]. Hackers linked to the attack have broken into these systems by exploiting known bugs in software products, by guessing online passwords and by capitalizing on a variety of issues in the way Microsoft cloud-based software is configured, investigators said. Approximately 30% of both the private-sector and government victims linked to the campaign had no direct connection to SolarWinds, Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, said in an interview. The attackers "gained access to their targets in a variety of ways. This adversary has been creative," said Mr. Wales, whose agency, part of the U.S. Department of Homeland Security, is coordinating the government response. "It is absolutely correct that this campaign should not be thought of as the SolarWinds campaign." Corporate investigators are reaching the same conclusion. Last week, computer security company Malwarebytes said that a number of its Microsoft cloud email accounts were compromised by the same attackers who targeted SolarWinds, using what Malwarebytes called "another intrusion vector."

Read more of this story at Slashdot.

06 Mar 22:51

Windows.com Bitsquatting Hack Can Wreak 'Unknown Havoc' On PCs

by BeauHD
An anonymous reader quotes a report from Ars Technica: Bitflips are events that cause individual bits stored in an electronic device to flip, turning a 0 to a 1 or vice versa. Cosmic radiation and fluctuations in power or temperature are the most common naturally occurring causes. Research from 2010 estimated that a computer with 4GB of commodity RAM has a 96 percent chance of experiencing a bitflip within three days. An independent researcher recently demonstrated how bitflips can come back to bite Windows users when their PCs reach out to Microsoft's windows.com domain. Windows devices do this regularly to perform actions like making sure the time shown in the computer clock is accurate, connecting to Microsoft's cloud-based services, and recovering from crashes. Remy, as the researcher asked to be referred to, mapped the 32 valid domain names that were one bitflip away from windows.com. Of the 32 bit-flipped values that were valid domain names, Remy found that 14 of them were still available for purchase. This was surprising because Microsoft and other companies normally buy these types of one-off domains to protect customers against phishing attacks. He bought them for $126 and set out to see what would happen. Over the course of two weeks, Remy's server received 199,180 connections from 626 unique IP addresses that were trying to contact ntp.windows.com. By default, Windows machines will connect to this domain once per week to check that the time shown on the device clock is correct. What the researcher found next was even more surprising. "The NTP client for windows OS has no inherent verification of authenticity, so there is nothing stopping a malicious person from telling all these computers that it's after 03:14:07 on Tuesday, 19 January 2038 and wreaking unknown havoc as the memory storing the signed 32-bit integer for time overflows," he wrote in a post summarizing his findings. 
"As it turns out though, for ~30% of these computers doing that would make little to no difference at all to those users because their clock is already broken."
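
The mapping Remy describes can be reproduced with a few lines of code. The block below is an added example, not Remy's tool or anything from Microsoft: `bitflip_variants` enumerates every registrable hostname that is one flipped bit away from a domain's second-level label, and `is_bitflip_of` / `flag_bitflip_queries` check hostnames seen in resolver logs against a protected name, which is how a defender would decide which neighbours to register or watch. Assumptions: the TLD is held fixed, flips that only change ASCII case are ignored because DNS is case-insensitive, and the query list is constructed sample data. Under those rules the function returns the same 32 candidates for windows.com that the article reports.

```python
import string

# Characters permitted in a DNS hostname label (letters, digits, hyphen).
LDH = set(string.ascii_lowercase + string.digits + "-")


def bitflip_variants(domain):
    """Return every registrable hostname that differs from `domain` by a single
    flipped bit in its second-level label.  The TLD is held fixed (assumption),
    and flips that only change ASCII case are dropped because DNS is
    case-insensitive, so they would resolve to the same name anyway."""
    label, dot, tld = domain.lower().rpartition(".")
    if not dot:
        raise ValueError("expected a name of the form label.tld")
    variants = set()
    for pos, byte in enumerate(label.encode("ascii")):
        for bit in range(8):
            ch = chr(byte ^ (1 << bit)).lower()
            # Skip bytes that are not valid hostname characters ('.', '/', DEL,
            # high-bit bytes ...) and case-only changes ('w' -> 'W').
            if ch not in LDH or ch == label[pos]:
                continue
            new_label = label[:pos] + ch + label[pos + 1:]
            # A label may not begin or end with a hyphen.
            if new_label.startswith("-") or new_label.endswith("-"):
                continue
            variants.add(new_label + "." + tld)
    return sorted(variants)


def is_bitflip_of(seen, protected):
    """True if `seen` differs from `protected` in exactly one bit of one byte,
    ignoring ASCII case.  Works for any label, including the TLD."""
    a = seen.lower().encode("ascii", "replace")
    b = protected.lower().encode("ascii", "replace")
    if len(a) != len(b):
        return False
    diffs = [x ^ y for x, y in zip(a, b) if x != y]
    # Exactly one differing byte, and its XOR is a power of two (one bit set).
    return len(diffs) == 1 and diffs[0] & (diffs[0] - 1) == 0


# Constructed sample of queried hostnames, standing in for DNS resolver logs.
SAMPLE_DNS_QUERIES = [
    "ntp.windows.com",     # the legitimate name
    "ntp.windnws.com",     # 'o' -> 'n': bit 0 flipped
    "ntp.windows.cnm",     # TLD flip; not registrable, but still one bit away
    "time.example.net",    # unrelated name
    "NTP.WINDOWS.COM",     # case only, must not be flagged
]


def flag_bitflip_queries(queries, protected="windows.com"):
    """Return the queries whose registrable part (last two labels) is one bit
    flip away from `protected`.  Intended for spotting traffic that a bitsquat
    would receive, so the defender can register or monitor those names."""
    flagged = []
    for q in queries:
        suffix = ".".join(q.lower().split(".")[-2:])
        if is_bitflip_of(suffix, protected):
            flagged.append(q)
    return flagged


if __name__ == "__main__":
    candidates = bitflip_variants("windows.com")
    print(len(candidates), "single-bit-flip neighbours of windows.com")
    print(", ".join(candidates))
    print("flagged:", flag_bitflip_queries(SAMPLE_DNS_QUERIES))
```

Only the second-level label is enumerated because a flipped TLD (windows.cnm) is not a name anyone can register, which is why the count lands on 32 rather than 45; the detection helper deliberately does not make that restriction, since a flipped TLD still shows up in resolver logs as a failed lookup worth noticing.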

18 Feb 21:55

Sailfish 4.0.1 released

by flypig

Sailfish OS has moved into its fourth generation with the release of Sailfish OS 4.0.1 Koli.

On a high level, Sailfish 4 includes several security and functionality updates, the long-awaited browser update, a redesigned daily usage flow for key applications, as well as a rebooted developer experience. In particular we’re proud to boast full-scale OS-level Mobile Device Management (MDM) to enable easy and manageable end-to-end trusted corporate and governmental sector deployments.

There are also a bunch of other new additions, including Android 9 app support, app sandboxing, and QR code scanning, along with improved notifications, events view, contact management and more.

13 Feb 08:31

The long hack: how China exploited a US tech supplier

by Thom Holwerda

Remember that story from two years ago, about how China had supposedly infiltrated the supply chain of Supermicro? The story was denied by American intelligence agencies and the CEOs of Apple and Amazon, but today, Bloomberg posted a follow-up piece with more sources, both anonymous and named, that the story was, in fact, real, and probably a lot bigger, too.

The article lists several attacks that have taken place, all using hardware from Supermicro.

Each of these distinct attacks had two things in common: China and Super Micro Computer Inc., a computer hardware maker in San Jose, California. They shared one other trait; U.S. spymasters discovered the manipulations but kept them largely secret as they tried to counter each one and learn more about China’s capabilities.

Bloomberg is clearly sticking by and expanding its story, so this means it’s their and their sources’ word against that of giant corporations and American intelligence agencies, and we all know giant corporations and American intelligence agencies never lie.

Right?

09 Feb 22:59

Browser 'Favicons' Can Be Used as Undeletable 'Supercookies' To Track You Online

by msmash
According to a researcher, favicons can be a security vulnerability that could let websites track your movement and bypass VPNs, incognito browsing status, and other traditional methods of cloaking your movement online. From a report: The tracking method is called a Supercookie, and it's the work of German software designer Jonas Strehle. "Supercookie uses favicons to assign a unique identifier to website visitors. Unlike traditional tracking methods, this ID can be stored almost persistently and cannot be easily cleared by the user," Strehle said on his Github. "The tracking method works even in the browser's incognito mode and is not cleared by flushing the cache, closing the browser or restarting the system, using a VPN or installing AdBlockers." Strehle's Github explained that he became interested in the idea of using favicons to track users after reading a research paper [PDF] on the topic from the University of Illinois at Chicago. "The complexity and feature-rich nature of modern browsers often lead to the deployment of seemingly innocuous functionality that can be readily abused by adversaries," the paper explained. "In this paper we introduce a novel tracking mechanism that misuses a simple yet ubiquitous browser feature: favicons." To be clear, this is a proof-of-concept and not something that Strehle has found out in the wild.

25 Jan 22:46

Myopia Correcting 'Smart Glasses' From Japan To Be Sold in Asia

by msmash
Can a pair of unique spectacles banish nearsightedness without surgical intervention? Japan's Kubota Pharmaceutical Holdings says its wearable device can do just that, and it plans to start releasing the product in Asia, where many people grapple with myopia. From a report: The device, which the company calls Kubota Glasses or smart glasses, is still being tested. It projects an image from the lens of the unit onto the wearer's retina to correct the refractive error that causes nearsightedness. Wearing the device 60 to 90 minutes a day corrects myopia, according to the Japanese company. Kubota Pharmaceutical has not disclosed additional details on how the device works. Through further clinical trials, it is trying to determine how long the effect lasts after the user wears the device, and how many days in total the user must wear the device to achieve a permanent correction for nearsightedness. Myopia often results from the cornea and the retina in the eye being too far apart. This inhibits the proper focusing of light as it enters the eye and causes distant objects to look blurry. Asians are prone to nearsightedness. Of people aged 20 and under, 96% of South Koreans, 95% of Japanese, 87% of Hong Kongers, 85% of Taiwanese and 82% of Singaporeans are affected by the condition, according to Kubota.

25 Jan 19:42

NextMind's Brain-Computer Interface Kit Begins Shipping To Developers

by EditorDavid
"Don a headset which places a sensor on the back of your head, and it'll detect your brainwaves which can then be translated into digital actions," writes Engadget. VentureBeat reports that NextMind "has started shipping its real-time brain computer interface Dev Kit for $399." The device translates brain signals into digital commands, allowing you to control computers, AR/VR headsets, and IoT devices (lights, TVs, music, games, and so on) with your visual attention. Paris-based NextMind is part of a growing number of startups building neural interfaces that rely on machine learning algorithms. There are invasive devices like the one from Elon Musk's Neuralink, which in August revealed a prototype showing readings from a pig's brain using a coin-shaped device implanted under the skull. There are also noninvasive devices like the electromyography wristband that translates neuromuscular signals into machine-interpretable commands from Ctrl-labs, which Facebook acquired in September 2019. NextMind is developing a noninvasive device — an electroencephalogram (EEG) worn on the back of your head, where your brain's visual cortex is located. When we spoke with NextMind CEO Sid Kouider last year, he promised the kits would begin shipping in Q2 2020. Then the pandemic hit. "We had about three, four months of delays due to COVID-19, but not more than that in terms of production," Kouider told VentureBeat. The company shipped "hundreds" of Dev Kits in November after producing its first thousand units. Another thousand units are set to be produced next month.

25 Jan 19:35

OpenAI's New AI Model Draws Images From Text

by msmash
The machine learning company OpenAI is developing models that improve computer vision and can produce original images from a text prompt. From a report: The new models are the latest steps in ongoing efforts to create machine learning systems that exhibit elements of general intelligence, while performing tasks that are actually useful in the real world -- without breaking the bank on computing power. OpenAI this week is announcing two new systems that attempt to do for images what its landmark GPT-3 model did last year for text generation. DALL-E is a neural network that can "take any text and make an image out of it," says Ilya Sutskever, OpenAI co-founder and chief scientist. That includes concepts it would never have encountered in training, like the drawing of an anthropomorphic daikon radish walking a dog. DALL-E operates somewhat similarly to GPT-3, the huge transformer model that can generate original passages of text based on a short prompt. CLIP, the other new neural network, "can take any set of visual categories and instantly create very strong and reliable visually classifiable text descriptions," says Sutskever, improving on existing computer vision techniques with less training and expensive computational power.

25 Jan 19:33

FBI Probe of Major Hack Includes Project-Management Software From JetBrains

by BeauHD
According to Reuters, the FBI is investigating whether the hackers behind a series of intrusions at U.S. federal agencies and companies also broke into project-management software created by the Czech-based company JetBrains in order to breach its customers. From the report: Privately held JetBrains produces software called TeamCity that is used by tens of thousands of customers to construct other software. Among its customers is SolarWinds, JetBrains Chief Executive Maxim Shafirov said from St. Petersburg, Russia, where JetBrains has offices. SolarWinds revealed last month that someone with access to its system for developing network-management software had inserted back doors into two updates of its flagship Orion products. Dozens of SolarWinds customers, including at least a half-dozen U.S. agencies, were then exploited by the same hackers. U.S. intelligence agencies said Tuesday that Russia was likely behind the damaging spree, though Russian officials denied it. Shafirov said his company had fielded questions from SolarWinds but that he had not heard anything about JetBrains software being the hackers' route into SolarWinds or other customers.

25 Jan 19:31

Sealed US Court Records Exposed In SolarWinds Breach

by BeauHD
An anonymous reader quotes a report from Krebs On Security: The ongoing breach affecting thousands of organizations that relied on backdoored products by network software firm SolarWinds may have jeopardized the privacy of countless sealed court documents on file with the U.S. federal court system, according to a memo released Wednesday by the Administrative Office (AO) of the U.S. Courts. The judicial branch agency said it will be deploying more stringent controls for receiving and storing sensitive documents filed with the federal courts, following a discovery that its own systems were compromised as part of the SolarWinds supply chain attack. That intrusion involved malicious code being surreptitiously inserted into updates shipped by SolarWinds for some 18,000 users of its Orion network management software as far back as March 2020. "The AO is working with the Department of Homeland Security on a security audit relating to vulnerabilities in the Judiciary's Case Management/Electronic Case Files system (CM/ECF) that greatly risk compromising highly sensitive non-public documents stored on CM/ECF, particularly sealed filings," the agency said in a statement published Jan. 6. "An apparent compromise of the confidentiality of the CM/ECF system due to these discovered vulnerabilities currently is under investigation," the statement continues. "Due to the nature of the attacks, the review of this matter and its impact is ongoing." The AO declined to comment on specific questions about their breach disclosure. But a source close to the investigation told KrebsOnSecurity that the federal court document system was "hit hard," by the SolarWinds attackers, which multiple U.S. intelligence and law enforcement agencies have attributed as "likely Russian in origin." 
The source said the intruders behind the SolarWinds compromise seeded the AO's network with a second stage "Teardrop" malware that went beyond the "Sunburst" malicious software update that was opportunistically pushed out to all 18,000 customers using the compromised Orion software. This suggests the attackers were targeting the agency for deeper access to its networks and communications. The report notes that AO's court document system "may contain highly sensitive information, including intellectual property and trade secrets, or even the identities of confidential informants." While it doesn't hold documents that are classified for national security reasons, "the system is full of sensitive sealed filings -- such as subpoenas for email records and so-called 'trap and trace' requests that law enforcement officials use to determine with whom a suspect is communicating via phone, when and for how long."

25 Jan 18:53

Reddit's Former CEO Is Now In the Forest-Planting Business

by BeauHD
Terraformation, a startup led by Yishan Wong, former CEO of Reddit, is demonstrating an approach to reforest the planet quickly enough to fight climate change. Fast Company reports: Trees can play a key role in capturing carbon at scale -- by one estimate, nearly a trillion hectares of land could feasibly be reforested, and those trees could potentially store more than 200 gigatons of carbon. But efforts at reforestation are moving too slowly. "Essentially, we need to scale the solution in about 10 years, so that there is time for the forest to mature and become a carbon sink of reasonable size to meet various nations' commitments to be net zero around 2040 or 2050," says Yishan Wong, CEO of the Hawaii-based startup, called Terraformation. One of the challenges the company identified was the lack of land: Some land that was originally forested is now covered by cities or used for farming. Other areas might not be available for sale. But there's a large amount of desertified land that is available. The United Nations Convention to Combat Desertification reports that around 4.7 billion acres on the planet -- about twice the size of China -- have been affected by drought or desertification, but could potentially be restored. Finding enough water to grow trees there is a challenge. But the folks at Terraformation believe that if desalinated water is used to irrigate seedlings, a restored forest will eventually be able to sustain itself. In Hawaii, the startup built the world's largest fully off-grid, solar-powered desalination system. With a half-acre of solar panels, there's enough power to desalinate around 34,000 gallons of water per day, taken from a well on the site. A drip irrigation system sends the water to the roughly 1,900 native trees and shrubs that have been planted in the area so far. As the forest grows, proving that the system works, the company is working to replicate the same idea around the world. 
It's creating seed banks that fit inside shipping containers and can store the millions of native seeds that are necessary for large planting projects. It's also building open-source software that groups can use to collect data and track progress after trees are planted.

24 Jan 17:33

The Ethical Source Movement Launches a New Kind of Open-Source Organization

by EditorDavid
ZDNet takes a look at a new nonprofit group called the Organization for Ethical Source (OES): The OES is devoted to the idea that the free software and open-source concept of "Freedom Zero" is outdated. Freedom Zero is "the freedom to run the program as you wish, for any purpose." It's fundamental to how open-source software is made and used... They hate the notion that open-source software can be used for any purpose including "evil" purposes. The group states: The world has changed since the Open Source Definition was created — open source has become ubiquitous, and is now being leveraged by bad actors for mass surveillance, racist policing, and other human rights abuses all over the world. The OES believes that the open-source community must evolve to address the magnitude and complexity of today's social, political, and technological challenges... How does this actually work in a license...? The Software shall not be used by any person or entity for any systems, activities, or other uses that violate any Human Rights Laws. "Human Rights Laws" means any applicable laws, regulations, or rules (collectively, "Laws") that protect human, civil, labor, privacy, political, environmental, security, economic, due process, or similar rights.... This latest version of the license was developed in collaboration with a pro-bono legal team from Corporate Accountability Lab (CAL). It has been adopted by many open-source projects including the Ruby library VCR; mobile app development tool Gryphon; Javascript mapping library react-leaflet; and WeTransfer's entire open-source portfolio... The organization adds, though, that the license's most significant impact may be the debate it sparked between ethical-minded developers and open-source traditionalists around the primacy of Freedom Zero. The article includes this quote from someone described as an open source-savvy lawyer. 
"To me, ethical licensing is a case of someone with a very small hammer seeing every problem as a nail, and not even acknowledging that the nail is far too big for the hammer."

19 Dec 19:02

OneWeb Launches 36 Satellites

by msmash
OneWeb is back. The company on Friday made its fourth launch of a batch of satellites to build up its constellation in low-Earth orbit that eventually will provide broadband internet access around the globe. From a report: The latest group of 36 satellites headed to orbit atop a Russian Soyuz rocket from Vostochny Cosmodrome, ending a long delay since the last OneWeb launch, on Feb. 6. The nine months since then have seen the company file for bankruptcy at the start of the coronavirus pandemic only to re-emerge under new ownership led by the British government and India's Bharti Global. OneWeb is now flying over 100 satellites of a planned 648-bird constellation.

12 Nov 08:00

Simple Search Is a Browser Extension That Gives You Google Circa 2010

by BeauHD
A group of journalists has built a browser extension, called Simple Search, to show you what Google search would look like without the information panels, shopping boxes, and search ads. The Verge reports: Introducing the extension, Maddy Varner and Sam Morris describe it as a conscious throwback to an earlier version of Google search, before the integration of the Knowledge Graph and its accompanying information boxes. "The extension lets you travel back to a time when online search operated a little differently," they write. "Nowadays, you don't always have to click any of the 'blue links' to get information related to your search -- Google gives you what it thinks is important in info boxes of information pulled from other websites." The extension works on Google and Bing searches and is available for both Firefox and Chrome browsers.

08 Nov 16:07

No Implants Needed For Precise Control Deep Into the Brain

by BeauHD
An anonymous reader quotes a report from IEEE Spectrum: In April, Guoping Feng and colleagues at MIT, along with [Karl Deisseroth, a neuroscientist and bioengineer at Stanford University] demonstrated a minimally invasive optogenetic system that required drilling a small hole in the skull, then being able to control opsin-expressing neurons six millimeters deep into the brain using blue light. This approach used a type of opsin that slowly activates neurons in a step-wise manner. In the most recent study [published in the journal Nature Biotechnology], Deisseroth and colleagues sought to instead enable both deep and fast optogenetics without surgery. The Stanford team expressed in the brain cells of mice a powerful new opsin called ChRmine (pronounced like the deep-red color "carmine"), discovered by Deisseroth's group last year in a marine organism. Then, they shined a red light outside the skull and were able to activate neural circuits in the midbrain and brainstem at depths of up to 7 millimeters. With the technique, the scientists turned on and off brain circuits with millisecond precision. "It really worked well, far better than we even expected might be possible," says Deisseroth. The team then tested the effectiveness of the system. In one instance, they used light to quickly and precisely stop seizures in epileptic mice, and in another to turn on serotonin-producing neurons to promote social behavior in mice. Most optogenetic techniques involve injecting viruses with an opsin gene of choice directly into the brain with a needle. To avoid this, the Stanford team used a type of PHP virus developed at CalTech that can be injected in the blood. The virus then crosses the blood-brain barrier to deliver its payload, an opsin gene, to brain cells. In this case, even the delivery of the gene is noninvasive -- no needle penetrates the brain. 
Deisseroth's team is now testing the non-invasive technique in fish and collaborating with others to apply it to non-human primates. They're also working with the Seattle-based Allen Institute to develop mouse lines bred with ChRmine in their cells.

03 Nov 09:08

Hangover alpha 2 lets Windows x86/x64 programs run on ARM64, POWER 64-bit

by Thom Holwerda

The Wine program for running Windows games/applications on Linux and other platforms can run on a number of different architectures, but Wine doesn’t handle the emulation of running Windows x86/x64 binaries on other architectures like 64-bit ARM or PowerPC. But that’s what the Wine-based Hangover is about with currently allowing those conventional Windows binaries to run on AArch64 (ARM64) and 64-bit POWER too.

Hangover started out with a focus on Windows x64 binaries on ARM64 in looking at the possible use-case of running Windows software on ARM mobile devices and more. This year with the help of Raptor Computing Systems there has been Hangover support added for IBM POWER 64-bit.

It would be really amazing if Linux on POWER could make use of WINE like regular x86 Linux users can. It’s a long way off, still, but progress is being made.

04 Oct 09:03

Cloudflare's Privacy Crusade Continues With a Challenge To Google Analytics

by BeauHD
An anonymous reader quotes a report from Fortune: Cloudflare is launching a privacy-friendly rival to Google Analytics. Google Analytics is a free toolkit that's used by website administrators across the globe to help them track the behavior of the people visiting those sites -- how they find them, what they do there, the devices they're using, and so on. However, the service -- the most popular of its kind -- also helps Google track websites' visitors, so it can better profile them for advertising purposes. This privacy-invasive aspect makes many people squeamish. And that's where Cloudflare would now like to step in. Around its birthday every year, the decade-old company -- which went public last year -- announces a move intended to "give back" to the wider Internet community. These moves are often related to privacy. On Tuesday, it unveiled Cloudflare Web Analytics, a free-to-use toolkit that largely replicates what Google Analytics offers -- minus the invasive tracking, and thus the ability to assess the performance of targeted ads carried on websites. Cloudflare Web Analytics is immediately available to the company's paid customers, but any website owner will be able to use it from some point in the coming months. Cloudflare's scale is crucial here [...] because it takes substantial resources to run a free analytics platform, and Cloudflare already has a giant network that can support the load. Cloudflare Web Analytics isn't the company's only big announcement this week. "On Monday, Cloudflare launched a beta testing program for a cloud technology called Durable Objects," the report adds. "You can read the technical explanation here, but in essence this is a tool that allows developers of online services to make those services comply with the increasing number of data-localization and data-protection laws that limit where users' data is supposed to go." 
"With Durable Objects, Cloudflare says, it is possible to specify where particular data will reside on Cloudflare's network, so -- for example -- a German user's data does not have to leave Germany. Or, with an eye to other current news, a service such as TikTok could ensure that U.S. users' data never leaves the U.S., without having to create a separate version of its service for that country."

26 Sep 14:46

The Best Chrome Extensions To Prevent Creepy Web Tracking

by BeauHD
Wired has highlighted several browser extensions that "are a simple first step in improving your online privacy." Other steps to take include adding a privacy-first browser and VPN to further mask your web activity. An anonymous reader shares the report: Privacy Badger is one of the best options for blocking online tracking in your current browser. For a start, it's created by the Electronic Frontier Foundation, a US-based non-profit digital rights group that's been fighting online privacy battles since 1990. It's also free. Privacy Badger tracks all the elements of web pages you visit -- including plugins and ads placed by external companies. If it sees these appearing across multiple sites you visit then the extension tells your browser not to load any more of that content. DuckDuckGo is best-known for its anonymous search engine that doesn't collect people's data. DuckDuckGo also makes an extension for Chrome. The Privacy Essentials extension blocks hidden third-party trackers, showing you which advertising networks are following you around the web over time. The tool also highlights how websites collect data through a partnership with Terms of Service Didn't Read and includes scores for sites' privacy policies. It also adds its non-tracking search to Chrome. The Ghostery browser extension blocks trackers and shows lists of which ones are blocked for each site (including those that are slow to load), allows trusted and restricted sites to be set up and also lets people block ads. The main Ghostery extension is free but there's also a paid-for $49-per-month subscription that provides detailed breakdowns of all trackers and can be used for analysis or research. There are Ghostery extensions for Chrome, Firefox, Microsoft Edge and Opera. Unlike other tools here, Adblock Plus is primarily marketed as an ad blocking tool -- the others don't necessarily block ads by default but aim to be privacy tools that may limit the most intrusive types of ads. 
Using an ad blocker comes with a different set of ethical considerations to tools that are designed to stop overly intrusive web tracking; ad blockers will block a much wider set of items on a webpage and this can include ads that don't follow people around the web. Adblock Plus is signed up to the Acceptable Ads project that shows non-intrusive ads by default (although this can be turned off). On a privacy front Adblock Plus's free extensions block third party trackers and allow for social media sharing buttons that send information back to their owners to be disabled.

24 Sep 17:22

What No Man Has Seen Before: Remastering Deep Space Nine To Maximum Quality

by BeauHD
Dputiger writes: After nine months of work, I've published workflows, example videos, and screenshots showing how to restore Star Trek: Deep Space Nine from the rather potato quality of its DVDs to something you could plausibly call HD equivalent. These are the results. "With careful processing and good upscaling, it's possible to give Deep Space Nine a clarity that I think approaches that of what's typically referred to as 'HD' content, though it's still limited to the NTSC color gamut as opposed to later standards like Rec. 709," writes Joel Hruska via ExtremeTech. "At its worst -- allowing for some deviations from perfection -- it'll still look like the best damn DVD you've ever seen. At its best -- and I consider the shot of Sisko up there to be one of the best -- I'd argue that he, at least, comes across in HD levels of detail." The article "is not a step-by-step tutorial on how to perform this process," Hruska writes, adding, "that will be its own project." There will, however, be enough information that anyone with a passing knowledge of AviSynth "should be able to recreate both approaches."

Read more of this story at Slashdot.

23 Sep 17:24

The Fairphone 3+ Is a Repairable Dream That Takes Beautiful Photos

by BeauHD
The Fairphone 3+ is a $550 phone with modular parts that can easily be swapped out by users themselves. "In many ways, a Fairphone is the antithesis of the iPhone," writes Catie Keck via Gizmodo. "It doesn't benefit most retailers to allow you to easily repair your own stuff, meaning that a lot of gizmos these days -- particularly higher-end electronics -- are packed with proprietary parts and sometimes even software locks to dissuade consumers from attempting to perform repairs themselves." While it is a "repairable dream" and features two big camera upgrades over the Fairphone 3 (which does support the new upgraded camera modules), it's, sadly, only available overseas. Keck writes: Fairphone 3+ has 64GB of memory but can be upgraded to 400GB with a MicroSD card. It has a Qualcomm 632 processor, a 5.65-inch display, Bluetooth 5, a 3000mAh battery that supports Qualcomm QuickCharge, and six total modules to swap out for easy repair. A thing I didn't expect to love as much as I did was fingerprint ID on the backside of the phone -- particularly as Face ID on my iPhone 11 has become a massive pain in the butt in these mask-on times. At present, Fairphone doesn't support 4G connectivity in the U.S., my biggest gripe with the phone second only to the fact that the phones only ship within Europe. [...] Fairphone runs on Android -- the Fairphone 3+ comes with Android 10 pre-installed and ready to go. As for its camera, I was happy enough with the photograph with the newer lens. Photo nerds may be more sensitive to the trade-offs when compared with, say, the iPhone 11 Pro, but for the average person, I think Fairphone's cameras would work beautifully. I especially loved the portrait mode on the front camera, which worked in even exceptionally low-light environments for me. 
Software likely isn't the primary reason that anyone is looking at getting a Fairphone device, but shipping pre-installed with a lot of familiar apps means making the switch will likely be relatively painless, though so far my iPhone is a bit snappier overall in terms of performance. Again, the tradeoff is a commitment to repairability that you simply won't get with an Apple device unless the company radically overhauls its entire business model or unless it's forced, neither of which seems remotely likely for the foreseeable future.

Read more of this story at Slashdot.

20 Sep 15:46

How to Play Chrome's Hidden 'Dinosaur Game' and Firefox's 'Unicorn Pong'

by EditorDavid
How-To Geek has discovered three of the world's most popular web browsers contain Easter Eggs: It seems like every browser has a hidden game these days. Chrome has a dinosaur game, Edge has surfing, and Firefox has . . . unicorn pong? Yep, you read that right — here's how to play it. First, open Firefox. Click the hamburger menu (the three horizontal lines) at the upper right, and then click "Customize." On the "Customize Firefox" tab, you'll see a list of interface elements to configure the toolbar. Click and drag all the toolbar items except "Flexible Space" into the "Overflow Menu" on the right. Click the Unicorn button that appears at the bottom of the window.... There are screenshots in the article illustrating all of the steps — and the result.

Read more of this story at Slashdot.

20 Sep 11:34

Microsoft Warns Workaround Preventing Lenovo ThinkPad BSOD Increases Risk

by EditorDavid
An anonymous reader quotes ZDNet: Microsoft has finally published a support document detailing its workaround for the August 2020 Patch Tuesday update for Windows 10 version 2004 that caused blue screens of death (BSODs) on newer Lenovo ThinkPads and broke Windows Hello biometric login... It's the same as Lenovo's earlier workaround but comes with a stern security warning from Microsoft. Microsoft also explains how Lenovo Vantage violates Microsoft's security controls in Windows. Users might bypass the BSOD screen, but they are endangering their computers by implementing the workaround, according to Microsoft. The workaround also affects some of Microsoft's latest security features for Windows 10, such as Hypervisor Code Integrity for shielding the OS from malicious drivers, as well as Windows Defender Credential Guard. "This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk," Microsoft states.... The good news for affected ThinkPad users is that Microsoft and Lenovo are working together on a fix. However, Microsoft hasn't said when that will be available.

Read more of this story at Slashdot.

18 Sep 07:50

Security Researchers Detail New 'BlindSide' Speculative Execution Attack

by EditorDavid
"Security researchers from Amsterdam have publicly detailed 'BlindSide' as a new speculative execution attack vector for both Intel and AMD processors," reports Phoronix: BlindSide is self-described as being able to "mount BROP-style attacks in the speculative execution domain to repeatedly probe and derandomize the kernel address space, craft arbitrary memory read gadgets, and enable reliable exploitation. This works even in face of strong randomization schemes, e.g., the recent FGKASLR or fine-grained schemes based on execute-only memory, and state-of-the-art mitigations against Spectre and other transient execution attacks." From a single buffer overflow in the kernel, researchers claim three BlindSide exploits in being able to break KASLR (Kernel Address Space Layout Randomization), break arbitrary randomization schemes, and even break fine-grained randomization. There's more information on the researchers' website, and they've also created an informational video. And here's a crucial excerpt from their paper shared by Slashdot reader Hmmmmmm: In addition to the Intel Whiskey Lake CPU in our evaluation, we confirmed similar results on Intel Xeon E3-1505M v5, Xeon E3-1270 v6 and Core i9-9900K CPUs, based on the Skylake, Kaby Lake and Coffee Lake microarchitectures, respectively, as well as on AMD Ryzen 7 2700X and Ryzen 7 3700X CPUs, which are based on the Zen+ and Zen2 microarchitectures. Overall, our results confirm speculative probing is effective on a modern Linux system on different microarchitectures, hardened with the latest mitigations.

Read more of this story at Slashdot.

18 Sep 07:28

CISA: Chinese State Hackers Are Exploiting F5, Citrix, Pulse Secure, and Exchange Bugs

by msmash
The Cybersecurity and Infrastructure Security Agency (CISA) has published a security advisory today warning of a wave of attacks carried out by hacking groups affiliated with China's Ministry of State Security (MSS). From a report: CISA says that over the past year, Chinese hackers have scanned US government networks for the presence of popular networking devices and then used exploits for recently disclosed vulnerabilities to gain a foothold on sensitive networks. The list of targeted devices includes F5 Big-IP load balancers, Citrix and Pulse Secure VPN appliances, and Microsoft Exchange email servers. For each of these devices, major vulnerabilities have been publicly disclosed over the past 12 months, such as CVE-2020-5902, CVE-2019-19781, CVE-2019-11510, and CVE-2020-0688, respectively. According to a table summarizing Chinese activity targeting these devices published by CISA today, some attacks have been successful and enabled Chinese hackers to gain a foothold on federal networks.

Read more of this story at Slashdot.

18 Sep 06:33

FBI Says Credential Stuffing Attacks Are Behind Some Recent Bank Hacks

by msmash
The FBI sent a private security alert to the US financial sector last week warning organizations about the increasing number of credential stuffing attacks that have targeted their networks and have led to breaches and considerable financial losses. From a report: Credential stuffing is a relatively new term in the cyber-security industry. [...] According to an FBI security advisory obtained by ZDNet today, credential stuffing attacks have increased in recent years and have now become a major problem for financial organizations. "Since 2017, the FBI has received numerous reports on credential stuffing attacks against US financial institutions, collectively detailing nearly 50,000 account compromises," the FBI said. "The victims included banks, financial services providers, insurance companies, and investment firms."

Read more of this story at Slashdot.

02 Sep 18:29

A Closer Look At Elon Musk's Neuralink Surgical Robot

by BeauHD
Earlier today, Elon Musk demonstrated his startup Neuralink's brain link device working in a pig named Gertrude. While the science and the device itself were front-and-center at the presentation, the surgical robot the company debuted is equally as important because it's designed to handle the full surgical installation process. "That includes opening up the scalp, removing a portion of the skull, inserting the hundreds of 'thread' electrodes 6mm deep along with the accompanying chip, then closing the incision," reports CNET. TechCrunch takes a closer look at the robot: The rounded polycarbonate sci-fi design of the brain surgeon bot looks like something out of the Portal franchise, but it's actually the creation of Vancouver-based industrial design firm Woke Studio. To be clear, Musk's engineers and scientists have created the underlying technology, but Woke built the robot's look and user experience, as well as the behind-the-ear communication end piece that Neuralink has shown in prior presentations. Neuralink's bot features clean white (required for ensuring sterility, per Woke), arcing lines and smooth surfaces for a look that at once flags its advanced technical capabilities, but also contains some soothing and more approachable elements, which is wise considering what the machine is intended to do. Woke says the Neuralink surgical robot can be separated into three main parts: The head, the body and base. The head of the robot is that helmet-like piece, which actually holds the head of the patient. It also includes a guide for the surgical needle, as well as embedded cameras and sensors to map the patient's brain. The intent of the design of this piece, which includes a mint-colored interior, is to give the robot "an anthropomorphic characteristic" that helps distract from the invasive nature of the procedure. There are also single-use disposable bags that line the interior of the helmet for sterile operation.
The Neuralink robot also has a "body," that humped rear assembly, which includes all the parts responsible for the motion of the robot as it sets up for the procedure. The third element is the base, which basically keeps the whole thing from tipping over, and apparently also contains the computing brains of the brain-bot itself.

Read more of this story at Slashdot.

23 Aug 09:47

Solar Panels Are Starting to Die, Leaving Behind Toxic Trash

by EditorDavid
"Solar panels are an increasingly important source of renewable power that will play an essential role in fighting climate change. They are also complex pieces of technology that become big, bulky sheets of electronic waste at the end of their lives — and right now, most of the world doesn't have a plan for dealing with that," reports Wired. (Alternate URL here.) But we'll need to develop one soon, because the solar e-waste glut is coming. By 2050, the International Renewable Energy Agency projects that up to 78 million metric tons of solar panels will have reached the end of their life, and that the world will be generating about 6 million metric tons of new solar e-waste annually. While the latter number is a small fraction of the total e-waste humanity produces each year, standard electronics recycling methods don't cut it for solar panels. Recovering the most valuable materials from one, including silver and silicon, requires bespoke recycling solutions. And if we fail to develop those solutions along with policies that support their widespread adoption, we already know what will happen. "If we don't mandate recycling, many of the modules will go to landfill," said Arizona State University solar researcher Meng Tao, who recently authored a review paper on recycling silicon solar panels, which comprise 95 percent of the solar market... And because solar panels contain toxic materials like lead that can leach out as they break down, landfilling also creates new environmental hazards.

Read more of this story at Slashdot.

27 Jul 08:55

Apple Being Sued For Refusing To Help iTunes Gift Card Scam Victims

by EditorDavid
"Apple is being sued for allegedly refusing to help those who have fallen victim to an iTunes gift card scam," reports 9to5Mac, in an article shared by Slashdot reader AmiMoJo: An 11-count class action lawsuit has been filed against the company. Apple is accused of lying when it says that there is no way to trace or refund the value of the cards... iTunes gift card scams usually work in a slightly different way, typically being used to buy paid apps owned by the scammers, so they receive 70% of the money when paid by Apple. The lawsuit says that Apple tells scam victims there is nothing that can be done once the money has been spent, but argues that this isn't true. In fact, Apple holds 100% of the funds for a period of 4-6 weeks, between the apps being purchased and Apple paying the developer. During this time, the company is in a position to refund 100% of the card value. Additionally, Apple takes a 30% commission, so would always be in a position to refund this much, even after the scammer has been paid. ZDNet quotes the court documents as arguing that Apple "is incentivized to allow the scam to continue because it reaps a 30% commission on all scammed proceeds... knowingly or recklessly, Apple plays a vital role in the scheme by failing to prevent payouts to the scammers."

Read more of this story at Slashdot.

14 Jul 18:20

Johnnie Walker Maker Creates Plastic-Free Paper-Based Spirits Bottle

by BeauHD
An anonymous reader quotes a report from The Guardian: The multinational drinks company Diageo says it has created the world's first paper-based spirits bottle that is 100% plastic-free. The company said it was aiming to launch the bottle early next year with its Johnnie Walker whisky brand in one market before rolling it out worldwide. The bottle is made from sustainably sourced pulp, complies with international food and drink safety standards and is fully recyclable. The contents are protected by a liner, made of resin rather than plastic, which holds the liquid but disintegrates when finished. The cap will be made of aluminum. The report notes that a paper beer bottle was unveiled last year by Danish brewer Carlsberg.

Read more of this story at Slashdot.

09 Jul 18:03

IBM's New Differential Privacy Library Works With Just a Single Line of Code

by EditorDavid
Friday IBM Research updated their open source "IBM Differential Privacy Library," a suite of new lightweight tools offering "an array of functionality to extract insight and knowledge from data with robust privacy guarantees." "Most tasks can be run with only a single line of code," brags a new blog post (shared by Slashdot reader IBMResearch), explaining how it works: This year for the first time in its 230-year history the U.S. Census will use differential privacy to keep the responses of its citizens confidential when the data is made available. But how does it work? Differential privacy uses mathematical noise to preserve individuals' privacy and confidentiality while allowing population statistics to be observed. This concept has a natural extension to machine learning, where we can protect models against privacy attacks, while maintaining overall accuracy. For example, if you want to know my age (32) I can pick a random number out of a hat, say ±7 — you will only learn that I could be between 25 and 39. I've added a little bit of noise to the data to protect my age and the US Census will do something similar. While the US government built its own differential privacy tool, IBM has been working on its own open source version and today we are publishing our latest release v0.3. The IBM Differential Privacy Library boasts a suite of tools for machine learning and data analytics tasks, all with built-in privacy guarantees. Our library is unique among others in giving scientists and developers access to lightweight, user-friendly tools for data analytics and machine learning in a familiar environment... What also sets our library apart is our machine learning functionality enables organisations to publish and share their data with rigorous guarantees on user privacy like never before... Also included is a collection of fundamental tools for data exploration and analytics. All the details for getting started with the library can be found at IBM's GitHub repository.
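The "noise from a hat" idea above is, in its formal version, the Laplace mechanism: a count whose sensitivity is 1 is released with Laplace(0, 1/epsilon) noise, and the guarantee is that the likelihood of any output changes by at most a factor of e^epsilon when one person is added or removed. The block below is an added example, not code from IBM's library; the ten ages (including the post's 32), the epsilon value and the "over 30" query are all constructed for illustration.

```python
import math
import random

EPSILON = 0.5  # privacy budget (assumed): smaller means more noise, stronger privacy

def laplace_scale(sensitivity: float, epsilon: float) -> float:
    """Noise scale b = sensitivity / epsilon used by the Laplace mechanism."""
    if epsilon <= 0 or sensitivity < 0:
        raise ValueError("epsilon must be > 0 and sensitivity >= 0")
    return sensitivity / epsilon

def sample_laplace(scale: float, rng: random.Random) -> float:
    """Laplace(0, scale) noise as the difference of two iid Exp(mean=scale) draws."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)

def laplace_pdf(x: float, scale: float) -> float:
    return math.exp(-abs(x) / scale) / (2.0 * scale)

def count_over_30(ages) -> int:
    """Counting query. Adding or removing one person changes the result by at
    most 1, so its sensitivity is 1."""
    return sum(1 for a in ages if a > 30)

def private_count_over_30(ages, epsilon: float, rng: random.Random) -> float:
    """Release the count with Laplace(0, 1/epsilon) noise added."""
    return count_over_30(ages) + sample_laplace(laplace_scale(1.0, epsilon), rng)

def privacy_loss(epsilon: float, count_a: int, count_b: int, output: float) -> float:
    """Likelihood ratio of observing `output` from dataset A versus dataset B.
    For neighbouring datasets (|count_a - count_b| <= 1) it never exceeds
    e^epsilon; that bound is the differential privacy guarantee."""
    b = laplace_scale(1.0, epsilon)
    return laplace_pdf(output - count_a, b) / laplace_pdf(output - count_b, b)

def max_privacy_loss(epsilon: float, count_a: int, count_b: int, outputs) -> float:
    return max(privacy_loss(epsilon, count_a, count_b, x) for x in outputs)

def noise_mean(scale: float, n: int, seed: int) -> float:
    """Empirical mean of n Laplace draws; close to 0 because the noise is unbiased,
    which is why aggregate statistics survive the perturbation."""
    rng = random.Random(seed)
    return sum(sample_laplace(scale, rng) for _ in range(n)) / n

# Constructed sample ages (not census data); the first entry is "my" age of 32.
AGES = [32, 45, 28, 61, 19, 37, 52, 30, 44, 23]
AGES_WITHOUT_ME = AGES[1:]  # the neighbouring dataset with me removed

if __name__ == "__main__":
    rng = random.Random(2020)
    print("true count over 30:", count_over_30(AGES))
    print("private count over 30:", round(private_count_over_30(AGES, EPSILON, rng), 2))
    print("worst-case likelihood ratio e^epsilon:", round(math.exp(EPSILON), 3))
```

Removing the 32-year-old changes the true count from 6 to 5, yet every possible noisy output is at most e^0.5 (about 1.65) times more likely under one dataset than the other, so an observer cannot confidently tell whether that person was present.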

Read more of this story at Slashdot.