Science

Have We Reached Peak Human Life Span? (nytimes.com) 75

The oldest human on record, Jeanne Calment of France, lived to the age of 122. What are the odds that the rest of us get there, too? Not high, barring a transformative medical breakthrough, according to research published this week in the journal Nature Aging. From a report: The study looked at data on life expectancy at birth collected between 1990 and 2019 from some of the places where people typically live the longest: Australia, France, Italy, Hong Kong, Japan, South Korea, Spain, Sweden and Switzerland. Data from the United States was also included, though the country's life expectancy is lower.

The researchers found that while average life expectancies increased during that time in all of the locations, the rates at which they rose slowed down. The one exception was Hong Kong, where life expectancy did not decelerate. The data suggests that after decades of life expectancy marching upward thanks to medical and technological advancements, humans could be closing in on the limits of what's possible for average life span. "We're basically suggesting that as long as we live now is about as long as we're going to live," said S. Jay Olshansky, a professor of epidemiology and biostatistics at the University of Illinois Chicago, who led the study. He predicted maximum life expectancy will end up around 87 years -- approximately 84 for men, and 90 for women -- an average age that several countries are already close to achieving.

Social Networks

Reddit is Making Sitewide Protests Basically Impossible (theverge.com) 73

Reddit has implemented new restrictions on moderators' ability to alter community visibility settings, the social media platform announced Monday. Moderators must now obtain admin approval before switching subreddits between public, private, or NSFW status.

The move comes in response to last year's widespread protests against API pricing changes, during which thousands of subreddits went private, disrupting platform accessibility. Reddit VP Laura Nestler stated the policy aims to prevent actions that "deliberately cause harm" and protect the site's long-term health.

Businesses

As IBM Pushes For More Automation, Its AI Simply Not Up To the Job of Replacing Staff (theregister.com) 38

An anonymous reader shares a report: IBM's plan to replace thousands of roles with AI presently looks more like outsourcing jobs to India, at the expense of organizational competency. That view of Big Blue was offered to The Register after our report on the IT giant's latest layoffs, which resonated so strongly with several IBM employees that they contacted The Register with thoughts on the job cuts. Our sources have asked not to be identified to protect their ongoing relationships with Big Blue. Suffice to say they were or are employed as senior technologists in business units that span multiple locations and were privy to company communications: These are not views from the narrow entrance to a single cubicle. We're going to refer to three by the pseudonyms Alex, Blake, and Casey.

"I always make this joke about IBM," said Alex. "It is: 'IBM doesn't want people to work for them.' Every six months or so they are doing rounds of [Resource Actions -- IBM-speak for layoffs] or forcing folks into impossible moves, which result in separation." That's consistent with CEO Arvind Krishna's commitment last year to replace around 7,800 jobs with AI. But our sources say Krishna's plan is on shaky ground: IBM's AI isn't up to the job of replacing people, and some of the people who could fix that have been let go. Alex observed that over the past four years, IBM management has constantly pushed for automation and the use of AI. "With AI tools writing that code for us ... why pay for senior-level staff when you can promote a youngster who doesn't really know any better at a much lower price?" he said. "Plus, once you have a seasoned programmer write code that is by law the company's IP and it is fed into an AI library, it basically learns it and the author is no longer needed." But our sources tell us that scenario has yet to be realized inside IBM.

Power

How Cyprus Became a World Leader In Solar Heating (theguardian.com) 138

The republic of Cyprus "has outstripped all other EU member states in embracing hot-water solar systems," reports the Guardian, "with an estimated 93.5% of households exploiting the alternative energy form for domestic needs." EU figures show the eastern Mediterranean island exceeding renewable energy targets set in the heating and cooling of buildings thanks to the widespread use of the solar thermal technology... [First introduced in the late 1960s], the solar thermal systems not only collected solar energy as heat — usually generated through electricity and the burning of fossil fuels — they were extremely cost-effective and had helped spawn an entire industry [says Charalampos Theopemptou, the island's first environment commissioner and the head of the Cypriot parliament's environment committee].

"It's been great for low-income families and then there's the jobs: so many have been generated," the MP says. "There are the local manufacturers who produce the parts and then all the people who are trained to install them. It's big business." In his role as environment commissioner, Theopemptou pushed hard to make the solar systems obligatory on all newly constructed residential and commercial buildings... The popularity of the water heaters is such that a union of local solar thermal industrialists was established in 1977. Since then, more than 962,564 square metres of "solar [panel] collectors" have been installed, the union says. Increasingly, the country's vibrant tourist industry has also resorted to the green solution with solar-powered hot water systems deployed in, they say, close to 100% of hotels...

For Demetra Asprou, a retired engineer, it's obvious that a region blessed with more than 300 days of sunshine a year should embrace solar energy. "It reduces electricity costs, increases the efficiency with which hot water is provided and is kind to the environment," she says. "Why would anyone use other, more traditional means to heat up water when only a few hours of sunlight, between 11am and 2pm, is enough for a 200-litre [44-gallon] tank to be filled with warm water that will last 48 hours? On days when there is no sunlight, which is rare, you always have electricity as a backup if necessary... Installation costs may be three times higher today, but there are EU-funded grants that the government hands out and within a year it's all paid off," she says. "After that, you basically have free hot water and see your electricity bills greatly reduced. In a country like Cyprus, it's a no-brainer."

Thanks to Slashdot reader votsalo for sharing the article.

DRM

Windows Media Player and Silverlight Are Losing Legacy DRM Services on Windows 7 and 8 (tomshardware.com) 47

An anonymous reader shares a report: Per a recent update to Microsoft's Deprecated Windows features page, Legacy DRM services utilized by Windows Media Player and Silverlight clients for Windows 7 and Windows 8 are now deprecated. This will prevent the streaming or playback of DRM-protected content in those applications on those operating systems. It also includes playing content from personal CD rips and streaming from a Silverlight or Windows 8 client to an Xbox 360 if you were still doing that.

For those unfamiliar, "DRM" refers to Digital Rights Management. Basically, DRM tech ensures that you aren't stealing or playing back pirated content. Of course, piracy still exists, but these days, most officially distributed movies, TV shows, games, etc., all involve some form of DRM unless explicitly advertised as DRM-free. DRM does seem like harmless piracy prevention on paper. Still, it hasn't been all that effective at eliminating piracy -- and where it is implemented, it mainly punishes or inconveniences paying customers. It is an excellent example of DRM's folly. Now, anyone who had previously opted into Microsoft's legitimate media streaming ecosystem with Windows 7 and 8 is being penalized for buying media legitimately since it will no longer work without them being forced to pivot to other streaming solutions.

KDE

KDE Developer: Why Plasma 6.2 Includes a Once-a-Year Popup for Donations (pointieststick.com) 46

"If you're plugged into KDE social media, you probably see a lot of requests for donations..." writes KDE developer Nate Graham on his personal blog. But "We know that the fraction of people who subscribe to these channels is small, so there's a huge number of people who may not even know they can donate to KDE, let alone that donations are critically important to its continued existence..." From 6.2 onwards, Plasma itself will show a system notification asking for a donation once per year, in December. The idea here is to get the message that KDE really does need your financial help in front of more eyeballs — especially eyeballs not currently looking at KDE's public-facing promotion efforts... [W]e tried our best to minimize the annoying-ness factor: It's small and unobtrusive, and no matter what you do with it (click any button, close it, etc) it'll go away until next year. It's implemented as a KDE Daemon (KDED) module, which allows users and distributors to permanently disable it if they like. You can also disable just the popup on System Settings' Notifications page, accessible from the configure button in the notification's header.

Ultimately the decision to do this came down to the following factors:

- We looked at FOSS peers like Thunderbird and Wikipedia which have similar things (and in Wikipedia's case, the message is vastly more intrusive and naggy). In both cases, it didn't drive everyone away and instead resulted in a massive increase in donations that the projects have been able to use to employ lots of people.

- KDE really needs something like this to help our finances grow sustainably in line with our userbase and adoption by vendors and distributors.

The blog post also answers the question: what are you going to do with all that money? This is a question the KDE e.V. board of directors as a whole would need to answer, and any decision on it will be made collectively. But as one of the five members on that board, I can tell you my personal answer and the one that as your representative, I'd advocate for. It's basically the platform I ran on two years ago: extend an offer of full-time employment to our current people, and hire even more! I want us to end up with paid QA people and distro developers, and even more software engineers. I want us to fund the creation of a next-generation KDE OS we can offer directly to institutions looking to switch to Linux, and a hardware certification program to go along with it. I want us to extend our promotional activities and outreach to other major distros and vendors and pitch our software to them directly. I want to see Ubuntu, Red Hat Enterprise Linux, and SUSE Linux Enterprise Desktop ship Plasma by default. I want us to use this money to take over the world — with freedom, empowerment, and kindness.

These have been dreams for a long time, and throughout KDE we've been slowly moving towards them over the years. With a lot more money, we can turbocharge the pace! If that stuff sounds good, you can start with a donation today.

A reaction from GamingOnLinux: I think it is fair for KDE to expose that they need funding and asking that from inside the UI would not hurt for a software that delivered so much for free (as in freedom and as in "gratis").

Linux magazine points out that other new features for 6.2 "include the ability to block apps from inhibiting sleep mode, a new 'fill' mode for wallpaper, an overhauled System Settings Accessibility page, and the usual slew of bug fixes."

Intel

Intel Definitively Claims Its Laptop Chips Aren't Crashing Because of That Voltage Thing (theverge.com) 20

An anonymous reader shares a report: It's been a burning question for months -- are Intel's laptop chips susceptible to the same permanent damage that can potentially lay 24 different flagship desktop chips low? Today, Intel has finally confirmed: its 13th and 14th Gen laptop chips do not seem to have an instability issue. And the company claims they are definitely not affected by the too-high voltage issue, which it's now calling "Vmin Shift Instability." While Intel maintains that Vmin Shift Instability is not necessarily the root cause or only cause of the crashes -- it's still investigating -- Intel spokesperson Thomas Hannaford now tells The Verge that laptop chips basically aren't affected at all.

AI

California Legislature Passes Controversial 'Kill Switch' AI Safety Bill (arstechnica.com) 56

An anonymous reader quotes a report from Ars Technica: A controversial bill aimed at enforcing safety standards for large artificial intelligence models has now passed the California State Assembly by a 45-11 vote. Following a 32-1 state Senate vote in May, SB-1047 now faces just one more procedural state senate vote before heading to Governor Gavin Newsom's desk. As we've previously explored in depth, SB-1047 asks AI model creators to implement a "kill switch" that can be activated if that model starts introducing "novel threats to public safety and security," especially if it's acting "with limited human oversight, intervention, or supervision." Some have criticized the bill for focusing on outlandish risks from an imagined future AI rather than real, present-day harms of AI use cases like deep fakes or misinformation. [...]

If the Senate confirms the Assembly version as expected, Newsom will have until September 30 to decide whether to sign the bill into law. If he vetoes it, the legislature could override with a two-thirds vote in each chamber (a strong possibility given the overwhelming votes in favor of the bill). At a UC Berkeley Symposium in May, Newsom said he worried that "if we over-regulate, if we overindulge, if we chase a shiny object, we could put ourselves in a perilous position." At the same time, Newsom said those over-regulation worries were balanced against concerns he was hearing from leaders in the AI industry. "When you have the inventors of this technology, the godmothers and fathers, saying, 'Help, you need to regulate us,' that's a very different environment," he said at the symposium. "When they're rushing to educate people, and they're basically saying, 'We don't know, really, what we've done, but you've got to do something about it,' that's an interesting environment."

Supporters of the AI safety bill include state senator Scott Wiener and AI experts including Geoffrey Hinton and Yoshua Bengio. Bengio supports the bill as a necessary step for consumer protection and insists that AI should not be self-regulated by corporations, akin to other industries like pharmaceuticals and aerospace.

Stanford professor Fei-Fei Li opposes the bill, arguing that it could have harmful effects on the AI ecosystem by discouraging open-source collaboration and limiting academic research due to the liability placed on developers of modified models. A group of business leaders also sent an open letter Wednesday urging Newsom to veto the bill, calling it "fundamentally flawed."

NASA

NASA Smashed into an Asteroid in 2022. The Debris Could End Up Reaching Earth (gizmodo.com) 15

NASA's 2022 DART mission "successfully demonstrated how a fast-moving spacecraft could change an asteroid's trajectory by crashing into it," remembers Gizmodo, "potentially providing a way to defend Earth — though the asteroid in this test was never a real threat."

But a followup study suggests debris from that 525-foot (160-meter) asteroid "could actually strike back," they add, "though we're not in any danger." The [DART] team posits that the collision produced a field of rocky ejecta that could reach Earth within 10 years... [Various aerospace scientists] studied data collected by the Light Italian CubeSat for Imaging of Asteroids, or LICIACube, which observed DART's impact on Dimorphos up close. Then, they fed LICIACube's data into supercomputers at NASA's Navigation and Ancillary Information Facility to simulate how the debris from the asteroid — basically dust and rock — may have disseminated into space. The simulations tracked about 3 million particles kicked up by the impact, some of which are large enough to produce meteors that could be spotted on Earth. Particles from the impact could get to Mars in seven to 13 years, and the fastest particles could make it to our own world in just seven years.

"This detailed data will aid in the identification of DART-created meteors, enabling researchers to accurately analyze and interpret impact-related phenomena," the team wrote in the paper.

"However, these faster particles are expected to be too small to produce visible meteors, based on early observations," said Dr. Eloy Peña-Asensio, who led the research team, in an interview with Universe Today. (He's a Research Fellow with the Deep-space Astrodynamics Research and Technology group at Milan's Polytechnic Institute.) The team's simulations indicated it could take up to 30 years before any of the ejecta is observed on Earth, in a new (and human-created) meteor shower called the Dimorphids.

So while they won't pose any risk, "If these ejected Dimorphos fragments reach Earth... their small size and high speed will cause them to disintegrate in the atmosphere, creating a beautiful luminous streak in the sky."

Data Storage

Ask Slashdot: What Network-Attached Storage Setup Do You Use? 135

"I've been somewhat okay about backing up our home data," writes long-time Slashdot reader 93 Escort Wagon.

But they could use some good advice: We've got a couple of separate disks available as local backup storage, and my own data also gets occasionally copied to encrypted storage at BackBlaze. My daughter has her own "cloud" backups, which seem to be a manual push every once in a while of random files/folders she thinks are important. Including our media library, between my stuff, my daughter's, and my wife's... we're probably talking in the neighborhood of 10 TB for everything at present. The whole setup is obviously cobbled together, and the process is very manual. Plus it's annoying since I'm handling Mac, Linux, and Windows backups completely differently (and sub-optimally). Also, unsurprisingly, the amount of data we possess does seem to be increasing with time.

I've been considering biting the bullet and buying an NAS [network-attached storage device], and redesigning the entire process — both local and remote. I'm familiar with Synology and DSM from work, and the DS1522+ looks appealing. I've also come across a lot of recommendations for QNAP's devices, though. I'm comfortable tackling this on my own, but I'd like to throw this out to the Slashdot community.

What NAS do you like for home use? And what disks did you put in it? What have your experiences been?

Long-time Slashdot reader AmiMoJo asks "Have you considered just building one?" while suggesting the cheapest option is low-powered Chinese motherboards with soldered-in CPUs. And in the comments on the original submission, other Slashdot readers shared their examples:
  • destined2fail1990 used an AMD Threadripper to build their own NAS with 10Gbps network connectivity.
  • DesertNomad is using "an ancient D-Link" to connect two Synology DS220 DiskStations.
  • Darth Technoid attached six Seagate drives to two MacBooks. "Basically, I found a way to make my older Mac useful by simply leaving it on all the time, with the external drives attached."

But what's your suggestion? Share your own thoughts and experiences. What NAS do you like for home use? What disks would you put in it?

And what have your experiences been?

Moon

Scientists Slam 'Indefensible' Axing of NASA's $450 Million Viper Moon Rover (theguardian.com) 67

An anonymous reader shared this report from the Observer: Thousands of scientists have protested to the US Congress over the "unprecedented and indefensible" decision by Nasa to cancel its Viper lunar rover mission. In an open letter to Capitol Hill, they have denounced the move, which was revealed last month, and heavily criticised the space agency over a decision that has shocked astronomers and astrophysicists across the globe.

The car-sized rover has already been constructed at a cost of $450 million and was scheduled to be sent to the moon next year, when it would have used a one-metre drill to prospect for ice below the lunar surface in soil at the moon's south pole. Ice is considered to be vital to plans to build a lunar colony, not just to supply astronauts with water but also to provide them with hydrogen and oxygen that could be used as fuels... "Quite frankly, the agency's decision beggars belief," said Prof Clive Neal, a lunar scientist at the University of Notre Dame, in Indiana. "Viper is a fundamental mission on so many fronts and its cancellation basically undermines Nasa's entire lunar exploration programme for the next decade. It is as straightforward as that. Cancelling Viper makes no sense whatsoever."

This view was backed by Ben Fernando of Johns Hopkins University, who was one of the organisers of the open letter to Congress. "A team of 500 people dedicated years of their careers to construct Viper and now it has been cancelled for no good reason whatsoever," he told the Observer last week. "Fortunately I think Congress is taking this issue very seriously and they have the power to tell Nasa that it has to go ahead with the project. Hopefully they will intervene."

"When Nasa announced its decision to abandon Viper, the space agency said it planned to disassemble and reuse its components for other moon missions — unless other space companies or agencies offered to take over the project. More than a dozen groups have since expressed an interest in taking over Viper, a Nasa spokesperson told the Observer last week."

Security

'Sinkclose' Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections (wired.com) 57

An anonymous reader quotes a report from Wired: Security flaws in your computer's firmware, the deep-seated code that loads first when you turn the machine on and controls even how its operating system boots up, have long been a target for hackers looking for a stealthy foothold. But only rarely does that kind of vulnerability appear not in the firmware of any particular computer maker, but in the chips found across hundreds of millions of PCs and servers. Now security researchers have found one such flaw that has persisted in AMD processors for decades, and that would allow malware to burrow deep enough into a computer's memory that, in many cases, it may be easier to discard a machine than to disinfect it. At the Defcon hacker conference tomorrow, Enrique Nissim and Krzysztof Okupski, researchers from the security firm IOActive, plan to present a vulnerability in AMD chips they're calling Sinkclose. The flaw would allow hackers to run their own code in one of the most privileged modes of an AMD processor, known as System Management Mode, designed to be reserved only for a specific, protected portion of its firmware. IOActive's researchers warn that it affects virtually all AMD chips dating back to 2006, or possibly even earlier.

Nissim and Okupski note that exploiting the bug would require hackers to already have obtained relatively deep access to an AMD-based PC or server, but that the Sinkclose flaw would then allow them to plant their malicious code far deeper still. In fact, for any machine with one of the vulnerable AMD chips, the IOActive researchers warn that an attacker could infect the computer with malware known as a "bootkit" that evades antivirus tools and is potentially invisible to the operating system, while offering a hacker full access to tamper with the machine and surveil its activity. For systems with certain faulty configurations in how a computer maker implemented AMD's security feature known as Platform Secure Boot -- which the researchers warn encompasses the large majority of the systems they tested -- a malware infection installed via Sinkclose could be harder yet to detect or remediate, they say, surviving even a reinstallation of the operating system. Only opening a computer's case, physically connecting directly to a certain portion of its memory chips with a hardware-based programming tool known as an SPI flash programmer and meticulously scouring the memory would allow the malware to be removed, Okupski says. Nissim sums up that worst-case scenario in more practical terms: "You basically have to throw your computer away."

In a statement shared with WIRED, AMD said it "released mitigation options for its AMD EPYC datacenter products and AMD Ryzen PC products, with mitigations for AMD embedded products coming soon."

The company also noted that it released patches for its EPYC processors earlier this year. It did not answer questions about how it intends to fix the Sinkclose vulnerability.

United Kingdom

UK Royal Mint To Extract Gold From E-Waste (bbc.co.uk) 48

"The Royal Mint, which has produced coins since the 9th Century, has begun to recover gold from electronic waste as the use of cash has declined and fewer new coins are needed," writes Slashdot reader newcastlejon. "In 2022, construction began on a new site in Llantrisant, Wales. This facility will now be used to initially produce gold for jewelry and later for commemorative coins." The BBC reports: At the Royal Mint plant, piles of circuit boards are being fed into the new facility. First, they are heated to remove their various components. Then the array of detached coils, capacitors, pins and transistors are sieved, sorted, sliced and diced as they move along a conveyor belt. Anything with gold in it is set aside. The gold-laden pieces go to an on-site chemical plant. They're tipped into a chemical solution which leaches the gold out into the liquid. This is then filtered, leaving a powder behind. It looks pretty nondescript but this is actually pure gold -- it just needs to be heated in a furnace to be transformed into a gleaming nugget. "Traditional gold recovery processes are very energy intensive and use very toxic chemicals that can only be used once, or they go to high energy smelters and they're basically burnt," says Leighton John, the Royal Mint's operations director. "The groundbreaking thing for us is the fact that this chemistry is used at room temperature, at very low energy, it's recyclable and pulls gold really quickly."

"Our aim is to process over 4,000 tonnes of e-waste annually," says Leighton John. "Traditionally this waste is shipped overseas but we're keeping it in the UK and we're keeping those elements in the UK for us to use. It's really important."

The report notes that the UK is the second biggest producer of tech trash per capita, beaten only by Norway. According to the UN, e-waste is a rapidly growing problem, with 62 million tons discarded in 2022. That's expected to increase by a third by 2030.

Microsoft

Your Windows Updates Can All Be Downgraded, Says Security Researcher (theregister.com) 45

Security researchers from SafeBreach have found what they say is a Windows downgrade attack that's invisible, persistent, irreversible and maybe even more dangerous than last year's BlackLotus UEFI bootkit. From a report: After seeing the damage that UEFI bootkit could do by bypassing secure boot processes in Windows, SafeBreach's Alon Leviev became curious whether there were any other fundamental Windows components that could be abused in a similar manner. He hit the jackpot in one of the most unlikely places: The Windows update process.

"I found a way to take over Windows updates to update the system, but with control over all of the actual update contents," Leviev told us in an interview ahead of his Black Hat USA conference presentation today detailing his findings. Using his technique, having compromised a machine so that he could get in as a normal user, Leviev was able to control which files get updated, which registry keys are changed, which installers get used, and the like. And he was able to do all of it while side-stepping every single integrity verification implemented in the Windows update process. After that, "I was able to downgrade the OS kernel, DLLs, drivers ... basically everything that I wanted." To make matters worse, Leviev said that poking and prodding around the vulnerabilities he found enabled him to attack the entire Windows virtualization stack, including virtualization-based security (VBS) features that are supposed to isolate the kernel and make attacker access less valuable.

Earth

After Breaking Free, World's Largest Iceberg Is Stuck Spinning in Circles (nytimes.com) 20

For more than 30 years, the world's largest iceberg was stuck in the Antarctic. Five times the size of New York City's land area and more than 1,000 feet deep, the mammoth piece of ice finally became loose in 2020 and began a slow drift toward the Southern Ocean. Now, A23a, as it's known, is spinning in place. From a report: After leaving Antarctic waters, the iceberg got stuck in a vortex over a seamount, or an underwater mountain. Imagine a 1,400-square-mile piece of ice as deep as the Empire State Building spinning slowly but steadily enough to fully rotate it on its head over the course of about 24 days. The iceberg is spinning near the South Orkney Islands, about 375 miles northeast of the Antarctic Peninsula, "maintaining a chill 15 degree rotation per day," the British Antarctic Survey, the United Kingdom's polar research institute, said on social media.

"It's basically just sitting there, spinning around and it will very slowly melt as long as it stays there," said Alex Brearley, a physical oceanographer and head of the Open Oceans research group at the British Antarctic Survey. "What we don't know is how quickly it will actually come out of this." A23a has been embroiled in drama since the start, a trait it picked up from its parent-berg. A23, which was even bigger than A23a, was one of three icebergs that broke off, or calved, from the Filchner Ice Shelf in 1986. At the time of the calving, A23 was home to a Soviet Union research center and researchers eventually had to abandon the base. A23a broke off later that year and hit bottom in the Weddell Sea, where it would remain for 34 more years.

AI

Websites are Blocking the Wrong AI Scrapers (404media.co) 32

An anonymous reader shares a report: Hundreds of websites trying to block the AI company Anthropic from scraping their content are blocking the wrong bots, seemingly because they are copy/pasting outdated instructions to their robots.txt files, and because companies are constantly launching new AI crawler bots with different names that will only be blocked if website owners update their robots.txt. In particular, these sites are blocking two bots no longer used by the company, while unknowingly leaving Anthropic's real (and new) scraper bot unblocked.

This is an example of "how much of a mess the robots.txt landscape is right now," the anonymous operator of Dark Visitors told 404 Media. Dark Visitors is a website that tracks the constantly-shifting landscape of web crawlers and scrapers -- many of them operated by AI companies -- and which helps website owners regularly update their robots.txt files to prevent specific types of scraping. The site has seen a huge increase in popularity as more people try to block AI from scraping their work. "The ecosystem of agents is changing quickly, so it's basically impossible for website owners to manually keep up. For example, Apple (Applebot-Extended) and Meta (Meta-ExternalAgent) just added new ones last month and last week, respectively," they added.
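The audit below is an added example of the check Dark Visitors automates for site owners; it is not code from 404 Media, Dark Visitors or any of the crawler operators named above. It parses a robots.txt with the standard grouping and user-agent matching rules (consecutive User-agent lines form one group, tokens match exactly and case-insensitively, and the "*" group only applies when no specific group matches), then reports which currently active crawler names are still unblocked and which blocked names are stale. The robots.txt and the crawler list are constructed: Applebot-Extended and Meta-ExternalAgent are the real new agents the report names, while OldCrawler-A, OldCrawler-B and NewCrawler are placeholders standing in for the outdated and current vendor names, not actual user-agent strings.

```python
"""Audit a robots.txt against the crawler names that are actually active.

Added example for the stale-blocklist problem described above; not code
from 404 Media, Dark Visitors or any crawler operator. SAMPLE_ROBOTS and
ACTIVE_AGENTS are constructed; only Applebot-Extended and
Meta-ExternalAgent are names the report itself gives.
"""
from dataclasses import dataclass, field


@dataclass
class Group:
    """One robots.txt record: consecutive User-agent lines plus their rules."""
    agents: list = field(default_factory=list)   # lower-cased product tokens
    disallow: list = field(default_factory=list)
    allow: list = field(default_factory=list)

    def has_rules(self):
        return bool(self.disallow or self.allow)


def parse_robots(text):
    """Split robots.txt into groups. A User-agent line that follows rule
    lines starts a new group; consecutive User-agent lines share one."""
    groups, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if current is None or current.has_rules():
                current = Group()
                groups.append(current)
            current.agents.append(value.lower())
        elif key in ("disallow", "allow") and current is not None:
            (current.disallow if key == "disallow" else current.allow).append(value)
    return groups


def group_for(groups, agent):
    """Exact, case-insensitive product-token match; fall back to '*'.
    A near-miss name (old spelling, old product) gets the '*' group."""
    token = agent.lower()
    for g in groups:
        if token in g.agents:
            return g
    for g in groups:
        if "*" in g.agents:
            return g
    return None


def is_fully_blocked(groups, agent):
    """True only if the crawler is denied the whole site (Disallow: /)."""
    g = group_for(groups, agent)
    return g is not None and "/" in g.disallow and "/" not in g.allow


def audit(robots_text, active_agents):
    """Report active crawlers that are not site-wide blocked, and blocked
    names that no longer appear on the active list (stale entries)."""
    groups = parse_robots(robots_text)
    active_lower = {a.lower() for a in active_agents}
    named = {a for g in groups for a in g.agents if a != "*"}
    return {
        "unblocked": [a for a in active_agents if not is_fully_blocked(groups, a)],
        "stale": sorted(a for a in named
                        if is_fully_blocked(groups, a) and a not in active_lower),
    }


# Constructed: a blocklist copy-pasted from an outdated template.
SAMPLE_ROBOTS = """\
User-agent: OldCrawler-A
User-agent: OldCrawler-B
Disallow: /

User-agent: *
Disallow: /private/
"""

# Constructed current-crawler list (placeholder vendor name plus the two
# agents the report names as newly added).
ACTIVE_AGENTS = ["NewCrawler", "Applebot-Extended", "Meta-ExternalAgent"]

if __name__ == "__main__":
    print(audit(SAMPLE_ROBOTS, ACTIVE_AGENTS))
```

Running it on the sample shows every active crawler unblocked and both old names stale: the old entries fall through to nothing, and the new names land in the "*" group, which here only fences off /private/. Appending a group for the current name (User-agent: NewCrawler / Disallow: /) is what actually closes the gap, which is why a blocklist has to be regenerated from a maintained agent list rather than copied once.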

Open Source

Nvidia's Open-Source Linux Kernel Driver Performing At Parity To Proprietary Driver (phoronix.com) 21

Nvidia's new R555 Linux driver series has significantly improved their open-source GPU kernel driver modules, achieving near parity with their proprietary drivers. Phoronix's Michael Larabel reports: The NVIDIA open-source kernel driver modules shipped by their driver installer and also available via their GitHub repository are in great shape. With the R555 series the support and performance is basically at parity of their open-source kernel modules compared to their proprietary kernel drivers. [...] Across a range of different GPU-accelerated creator workloads, the performance of the open-source NVIDIA kernel modules matched that of the proprietary driver. No loss in performance going the open-source kernel driver route. Across various professional graphics workloads, both the NVIDIA RTX A2000 and A4000 graphics cards were also achieving the same performance whether on the open-source MIT/GPLv2 driver or using NVIDIA's classic proprietary driver.

Across all of the tests I carried out using the NVIDIA 555 stable series Linux driver, the open-source NVIDIA kernel modules were able to achieve the same performance as the classic proprietary driver. Also important is that there was no increased power use or other difference in power management when switching over to the open-source NVIDIA kernel modules.

It's great seeing how far the NVIDIA open-source kernel modules have evolved and that with the upcoming NVIDIA 560 Linux driver series they will be defaulting to them on supported GPUs. And moving forward with Blackwell and beyond, NVIDIA is just enabling the GPU support along their open-source kernel drivers with leaving the proprietary kernel drivers to older hardware. Tests I have done using NVIDIA GeForce RTX 40 graphics cards with Linux gaming workloads between the MIT/GPL and proprietary kernel drivers have yielded similar (boring but good) results: the same performance being achieved with no loss going the open-source route.
You can view Phoronix's performance results in charts here, here, and here.

Security

Secure Boot Is Completely Broken On 200+ Models From 5 Big Device Makers (arstechnica.com) 63

An anonymous reader quotes a report from Ars Technica, written by Dan Goodin: On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in December of that year, someone working for multiple US-based device manufacturers published what's known as a platform key, the cryptographic key that forms the root-of-trust anchor between the hardware device and the firmware that runs on it. The repository was located at https://github.com/raywu-aaeon..., and it's not clear when it was taken down. The repository included the private portion of the platform key in encrypted form. The encrypted file, however, was protected by a four-character password, a decision that made it trivial for Binarly, and anyone else with even a passing curiosity, to crack the passcode and retrieve the corresponding plain text. The disclosure of the key went largely unnoticed until January 2023, when Binarly researchers found it while investigating a supply-chain incident. Now that the leak has come to light, security experts say it effectively torpedoes the security assurances offered by Secure Boot.

Binarly researchers said their scans of firmware images uncovered 215 devices that use the compromised key, which can be identified by the certificate serial number 55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4. A table appearing at the end of this article lists each one. The researchers soon discovered that the compromise of the key was just the beginning of a much bigger supply-chain breakdown that raises serious doubts about the integrity of Secure Boot on more than 300 additional device models from virtually all major device manufacturers. As is the case with the platform key compromised in the 2022 GitHub leak, an additional 21 platform keys contain the strings "DO NOT SHIP" or "DO NOT TRUST." These keys were created by AMI, one of the three main providers of software developer kits that device makers use to customize their UEFI firmware so it will run on their specific hardware configurations. As the strings suggest, the keys were never intended to be used in production systems. Instead, AMI provided them to customers or prospective customers for testing. For reasons that aren't clear, the test keys made their way into devices from a nearly inexhaustive roster of makers. In addition to the five makers mentioned earlier, they include Aopen, Foremelife, Fujitsu, HP, Lenovo, and Supermicro.

Cryptographic key management best practices call for credentials such as production platform keys to be unique for every product line or, at a minimum, to be unique to a given device manufacturer. Best practices also dictate that keys should be rotated periodically. The test keys discovered by Binarly, by contrast, were shared for more than a decade among more than a dozen independent device makers. The result is that the keys can no longer be trusted because the private portion of them is an open industry secret. Binarly has named its discovery PKfail in recognition of the massive supply-chain snafu resulting from the industry-wide failure to properly manage platform keys. The report is available here. Proof-of-concept videos are here and here. Binarly has provided a scanning tool here.

"It's a big problem," said Martin Smolar, a malware analyst specializing in rootkits who reviewed the Binarly research. "It's basically an unlimited Secure Boot bypass for these devices that use this platform key. So until device manufacturers or OEMs provide firmware updates, anyone can basically... execute any malware or untrusted code during system boot. Of course, privileged access is required, but that's not a problem in many cases."

Binarly founder and CEO Alex Matrosov added: "Imagine all the people in an apartment building have the same front door lock and key. If anyone loses the key, it could be a problem for the entire building. But what if things are even worse and other buildings have the same lock and the keys?"
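The two indicators the report names, the leaked certificate's serial number and the "DO NOT SHIP" / "DO NOT TRUST" strings in the vendor test keys, can be checked on a Linux machine without Binarly's scanner. The Python below is an added example, not Binarly's tool or Ars Technica's: it reads the PK variable from efivarfs, walks the EFI_SIGNATURE_LIST structure (the X.509 signature-type GUID is the one from the UEFI specification), pulls the serialNumber out of the DER certificate and scans the certificate bytes for the test-key markers. The `build_sample_pk` helper produces constructed test data, a certificate-shaped DER blob that is not a valid certificate, so the script can be exercised on a machine without the variable.

```python
"""Added example: check a UEFI Platform Key (PK) for the two PKfail indicators
named in the report, the leaked certificate serial and the vendor test-key
markers "DO NOT SHIP" / "DO NOT TRUST". Not Binarly's scanner."""
import struct
import uuid
from pathlib import Path

# Standard efivarfs path for the PK variable (EFI_GLOBAL_VARIABLE GUID).
EFIVARS_PK = Path("/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c")
# UEFI specification GUID for an EFI_SIGNATURE_LIST carrying DER X.509 certificates.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Serial of the key leaked in the 2022 GitHub repository, as given in the report.
LEAKED_SERIAL = "55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4"
TEST_KEY_MARKERS = (b"DO NOT SHIP", b"DO NOT TRUST")


def parse_signature_lists(blob):
    """Walk concatenated EFI_SIGNATURE_LIST structures and return
    (SignatureType, SignatureOwner, SignatureData) tuples."""
    out, off = [], 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            out.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return out


def _der_tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER element at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length


def certificate_serial(der):
    """Extract serialNumber from a DER certificate: Certificate -> tbsCertificate
    -> optional [0] version -> INTEGER serialNumber, formatted as colon-separated hex."""
    tag, start, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs_start, _ = _der_tlv(der, start)
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, s, e = _der_tlv(der, tbs_start)
    if tag == 0xA0:                          # EXPLICIT [0] version present (v2/v3 certs)
        tag, s, e = _der_tlv(der, e)
    if tag != 0x02:
        raise ValueError("serialNumber missing")
    raw = der[s:e]
    if len(raw) > 1 and raw[0] == 0 and raw[1] & 0x80:
        raw = raw[1:]                        # drop the DER sign-padding byte
    return ":".join(f"{b:02x}" for b in raw)


def audit_pk(var_bytes, from_efivars=True):
    """Return a list of findings; an empty list means neither indicator was seen.
    efivarfs prefixes the variable data with 4 bytes of attributes."""
    blob = var_bytes[4:] if from_efivars else var_bytes
    findings = []
    for sig_type, _owner, data in parse_signature_lists(blob):
        if sig_type != EFI_CERT_X509_GUID:
            findings.append(f"unexpected signature type {sig_type} in PK")
            continue
        serial = certificate_serial(data)
        if serial == LEAKED_SERIAL:
            findings.append(f"PK serial {serial} matches the key leaked in 2022")
        for marker in TEST_KEY_MARKERS:
            if marker in data:
                findings.append(f"PK certificate contains {marker.decode()!r} (vendor test key)")
    return findings


def _der(tag, body):
    """Minimal DER encoder, used only to build the constructed test data below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_pk(serial, subject_cn):
    """Constructed test data: one EFI_SIGNATURE_LIST wrapping a certificate-shaped
    DER blob (version, serial and a subject CN only). It is not a valid X.509
    certificate and carries no key material."""
    cn = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x13, subject_cn.encode()))
    subject = _der(0x30, _der(0x31, cn))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial) + subject)
    cert = _der(0x30, tbs)
    sig = uuid.UUID(int=0).bytes_le + cert   # SignatureOwner + SignatureData
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig))
    return header + sig


if __name__ == "__main__":
    if EFIVARS_PK.exists():
        for line in audit_pk(EFIVARS_PK.read_bytes()) or ["PK: no PKfail indicators found"]:
            print(line)
    else:
        leaked = bytes.fromhex(LEAKED_SERIAL.replace(":", ""))
        print(audit_pk(build_sample_pk(leaked, "DO NOT TRUST - AMI Test PK"), from_efivars=False))
```

A clean result from this script only means the PK does not carry the two indicators the report names; it says nothing about the other keys in the db and KEK databases, and an OEM firmware update remains the fix for an affected platform.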

Transportation

Minnesota Becomes Second State To Pass Law For Flying Cars (fortune.com) 54

Minnesota has become the second state to pass what it's calling a "Jetsons law," establishing rules for cars that can take to the sky. New Hampshire was the first to enact a "Jetsons" law. From a report: The new road rules in Minnesota address "roadable aircraft," which is basically any aircraft that can take off and land at an airfield but is also designed to be operated on a public highway. The law will let owners of these vehicles register them as cars and trucks, but they won't have to obtain a license plate. The tail number will suffice instead.

As for operation, flying cars won't be allowed to take off or land on public roadways, Minnesota officials declared (an exception is made in the case of emergency). Those shenanigans are restricted to airports. While the idea of a Jetsons-like sky full of flying cars is still firmly rooted in the world of science fiction, the concept of flying cars isn't quite as distant as it might seem (though it has some high-profile skeptics). United Airlines, two years ago, made a $10 million bet on the technology, putting down a deposit for 200 four-passenger flying taxis from Archer Aviation, a San Francisco-based startup working on the aircraft/auto hybrid.

Security

Cyber Firm KnowBe4 Hired a Fake IT Worker From North Korea (cyberscoop.com) 49

In a blog post on Tuesday, security firm KnowBe4 revealed that a remote software engineer hire was a North Korean threat actor using a stolen identity and AI-augmented images. "Detailing a seemingly thorough interview process that included background checks, verified references and four video conference-based interviews, KnowBe4 founder and CEO Stu Sjouwerman said the worker avoided being caught by using a valid identity that was stolen from a U.S.-based individual," reports CyberScoop. "The scheme was further enhanced by the actor using a stock image augmented by artificial intelligence." From the report: An internal investigation started when KnowBe4's InfoSec Security Operations Center team detected "a series of suspicious activities" from the new hire. The remote worker was sent an Apple laptop, which was flagged by the company on July 15 when malware was loaded onto the machine. The AI-filtered photo, meanwhile, was flagged by the company's Endpoint Detection and Response software. Later that evening, the SOC team had "contained" the fake worker's systems after he stopped responding to outreach. During a roughly 25-minute period, "the attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software," Sjouwerman wrote in the post. "He used a [single-board computer] raspberry pi to download the malware." From there, the company shared its data and findings with the FBI and with Mandiant, the Google-owned cyber firm, and came to the conclusion that the worker was a fictional persona operating from North Korea.

KnowBe4 said the fake employee likely had his workstation connected "to an address that is basically an 'IT mule laptop farm.'" They'd then use a VPN to work the night shift from where they actually reside -- in this case, North Korea "or over the border in China." That work would take place overnight, making it appear that they're logged on during normal U.S. business hours. "The scam is that they are actually doing the work, getting paid well, and give a large amount to North Korea to fund their illegal programs," Sjouwerman wrote. "I don't have to tell you about the severe risk of this." Despite the intrusion, Sjouwerman said "no illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems." He chalked up the incident to a threat actor that "demonstrated a high level of sophistication in creating a believable cover identity" and identified "weaknesses in the hiring and background check processes."

Slashdot Top Deals