Transportation

New Jersey Legislators Aim To Ban Most In-Car Subscriptions (thedrive.com) 152

Two state legislators in New Jersey are proposing a bill that would ban car companies from "[offering consumers] a subscription service for any motor vehicle feature" that "utilizes components and hardware already installed on the motor vehicle at the time of purchase." The Drive reports: The bill has one stipulation, however. The subscription would only be unlawful if there was no "ongoing expense to the dealer, manufacturer, or any third-party service provider." In other words, if an automaker or other associated party can prove that it costs money to maintain the feature and/or service in question, then it'd be legally allowed. This would include services like OnStar and such.

The way "ongoing expense" is interpreted is going to be key here, assuming the bill makes it into law. This, obviously, is not guaranteed. In theory, a car company could claim that over-the-air updates and their associated data costs constitute an ongoing expense. That means anything to do with connected features could theoretically be charged for. Since a car needs an internet connection in order to purchase subscriptions, well, that might make this particular piece of legislation worthless. On the other hand, if the core value of the subscription is derived from the pre-installed hardware as opposed to the data connection itself, then there is probably a case to be made.

Besides heated seats, the bill also mentions "driver assistance." That could be a problem for systems like Tesla's autopilot or General Motors' Super Cruise, both of which are going to a subscription model. Both of these systems cost money to maintain, though, especially Super Cruise. The system requires enabled highways to be scanned with Lidar. Tesla's AutoPilot and "Full Self-Driving" are also actively updated and maintained, which costs money.
If automakers don't comply, they risk "civil penalties of up to $20,000 per violation," notes the report.
Apple

New iPad Only Supports First-Gen Apple Pencil, Requires Adapter To Charge (macrumors.com) 44

The new, 10th-generation iPad only supports the first-generation Apple Pencil, meaning that it requires an adapter to charge separately via a wired connection since the device has moved to USB-C. MacRumors reports: The new iPad has no magnetic wireless charger on the side to connect to the second-generation Apple Pencil. Only the first-generation Apple Pencil is supported by the device, which normally needs to be plugged into a Lightning port to charge. The iPad now has a USB-C port, meaning that the Apple Pencil can no longer be charged directly via the iPad. Entry-level iPad users who want to use the Apple Pencil will need to charge the accessory using a USB-C cable and a separate adapter.

The first-generation Apple Pencil came with a female to female Lightning adapter allowing it to be charged separately, but now Apple is offering a new variant of the accessory called the "USB-C to Apple Pencil Adapter" that enables Apple Pencil users to charge. The adapter is available separately at a price of $9 for existing Apple Pencil users, while new Apple Pencil units include the adapter in the box.
For those interested in a more powerful tablet, Apple announced the new sixth-generation iPad Pro, featuring the M2 chip that first debuted in the MacBook Air and 13-inch MacBook Pro earlier this year and support for Wi-Fi 6E.
Encryption

Android Leaks Some Traffic Even When 'Always-On VPN' Is Enabled (bleepingcomputer.com) 30

Mullvad VPN has discovered that Android leaks traffic every time the device connects to a WiFi network, even if the "Block connections without VPN" or "Always-on VPN" feature is enabled. BleepingComputer reports: The data being leaked outside VPN tunnels includes source IP addresses, DNS lookups, HTTPS traffic, and likely also NTP traffic. This behavior is built into the Android operating system and is a design choice. However, Android users likely didn't know this until now due to the inaccurate description of the "VPN Lockdown" feature in Android's documentation. Mullvad discovered the issue during a security audit that hasn't been published yet, issuing a warning yesterday to raise awareness on the matter and apply additional pressure on Google.

Android offers a setting under "Network & Internet" to block network connections unless you're using a VPN. This feature is designed to prevent accidental leaks of the user's actual IP address if the VPN connection is interrupted or drops suddenly. Unfortunately, this feature is undercut by the need to accommodate special cases like identifying captive portals (like hotel WiFi) that must be checked before the user can log in or when using split-tunnel features. This is why Android is configured to leak some data upon connecting to a new WiFi network, regardless of whether you enabled the "Block connections without VPN" setting.

Mullvad reported the issue to Google, requesting the addition of an option to disable connectivity checks. "This is a feature request for adding the option to disable connectivity checks while 'Block connections without VPN' (from now on lockdown) is enabled for a VPN app," explains Mullvad in a feature request on Google's Issue Tracker. "This option should be added as the current VPN lockdown behavior is to leak connectivity check traffic (see this issue for incorrect documentation) which is not expected and might impact user privacy."
In response to Mullvad's request, a Google engineer said this is the intended functionality and that it would not be fixed for the following reasons:

- Many VPNs actually rely on the results of these connectivity checks to function,
- The checks are neither the only nor the riskiest exemptions from VPN connections,
- The privacy impact is minimal, if not insignificant, because the leaked information is already available from the L2 connection.

Mullvad countered these points and the case remains open.
Space

William Shatner: My Trip To Space Filled Me With 'Overwhelming Sadness' (variety.com) 91

In an exclusive excerpt from William Shatner's new book, "Boldly Go: Reflections on a Life of Awe and Wonder," the Star Trek actor reflects on his voyage into space on Jeff Bezos' Blue Origin space shuttle on Oct. 13, 2021. Then 90 years old, Shatner became the oldest living person to travel into space, but as the actor and author details below, he was surprised by his own reaction to the experience. An anonymous reader shares an excerpt from the report: I looked down and I could see the hole that our spaceship had punched in the thin, blue-tinged layer of oxygen around Earth. It was as if there was a wake trailing behind where we had just been, and just as soon as I'd noticed it, it disappeared. I continued my self-guided tour and turned my head to face the other direction, to stare into space. I love the mystery of the universe. I love all the questions that have come to us over thousands of years of exploration and hypotheses. Stars exploding years ago, their light traveling to us years later; black holes absorbing energy; satellites showing us entire galaxies in areas thought to be devoid of matter entirely -- all of that has thrilled me for years -- but when I looked in the opposite direction, into space, there was no mystery, no majestic awe to behold... all I saw was death. I saw a cold, dark, black emptiness. It was unlike any blackness you can see or feel on Earth. It was deep, enveloping, all-encompassing. I turned back toward the light of home. I could see the curvature of Earth, the beige of the desert, the white of the clouds and the blue of the sky. It was life. Nurturing, sustaining, life. Mother Earth. Gaia. And I was leaving her. Everything I had thought was wrong. Everything I had expected to see was wrong.

I had thought that going into space would be the ultimate catharsis of that connection I had been looking for between all living things -- that being up there would be the next beautiful step to understanding the harmony of the universe. In the film "Contact," when Jodie Foster's character goes to space and looks out into the heavens, she lets out an astonished whisper, "They should've sent a poet." I had a different experience, because I discovered that the beauty isn't out there, it's down here, with all of us. Leaving that behind made my connection to our tiny planet even more profound. It was among the strongest feelings of grief I have ever encountered. The contrast between the vicious coldness of space and the warm nurturing of Earth below filled me with overwhelming sadness. Every day, we are confronted with the knowledge of further destruction of Earth at our hands: the extinction of animal species, of flora and fauna... things that took five billion years to evolve, and suddenly we will never see them again because of the interference of mankind. It filled me with dread. My trip to space was supposed to be a celebration; instead, it felt like a funeral.

I learned later that I was not alone in this feeling. It is called the "Overview Effect" and is not uncommon among astronauts, including Yuri Gagarin, Michael Collins, Sally Ride, and many others. Essentially, when someone travels to space and views Earth from orbit, a sense of the planet's fragility takes hold in an ineffable, instinctive manner. Author Frank White first coined the term in 1987: "There are no borders or boundaries on our planet except those that we create in our minds or through human behaviors. All the ideas and concepts that divide us when we are on the surface begin to fade from orbit and the moon. The result is a shift in worldview, and in identity." It can change the way we look at the planet but also other things like countries, ethnicities, religions; it can prompt an instant reevaluation of our shared harmony and a shift in focus to all the wonderful things we have in common instead of what makes us different. It reinforced tenfold my own view on the power of our beautiful, mysterious collective human entanglement, and eventually, it returned a feeling of hope to my heart. In this insignificance we share, we have one gift that other species perhaps do not: we are aware -- not only of our insignificance, but the grandeur around us that makes us insignificant. That allows us perhaps a chance to rededicate ourselves to our planet, to each other, to life and love all around us. If we seize that chance.

China

Popular Censorship Circumvention Tools Face Fresh Blockade By China (techcrunch.com) 9

Tools helping China's netizens to bypass the Great Firewall appear to be facing a fresh round of crackdowns in the run-up to the country's quinquennial party congress that will see a top leadership reshuffle. From a report: Greater censorship is not at all uncommon during countries' politically sensitive periods, but the stress facing censorship circumvention tools in China appears to be on a whole new level. "Starting from October 3, 2022 (Beijing Time), more than 100 users reported that at least one of their TLS-based censorship circumvention servers had been blocked," writes GFW Report, a censorship monitoring platform focused on China, in a GitHub post.

TLS, or transport layer security, is a ubiquitous internet security protocol used for encrypting data sent across the internet. Because data shared over a TLS connection is encrypted and cannot be easily read, many censorship circumvention apps and services use TLS to keep people's conversations private. A TLS-based virtual private network, or VPN, directs internet traffic through a TLS connection instead of pushing that traffic to one's internet provider. But Chinese censors seem to have found a way of compromising this strategy. "The blocking is done by blocking the specific port that the circumvention services listen on. When the user changes the blocked port to a non-blocked port and keeps using the circumvention tools, the entire IP address may get blocked," GFW Report says in the post.

United States

Election Software Executive Arrested on Suspicion of Theft (nytimes.com) 220

The top executive of an elections technology company that has been the focus of attention among election deniers was arrested by Los Angeles County officials in connection with an investigation into the theft, the county said on Tuesday. From a report: Eugene Yu, the founder and chief executive of Konnech, the technology company, was taken into custody on suspicion of theft, the Los Angeles County district attorney, George Gascon, said in a statement.

Konnech, which is based in Michigan, develops software to manage election logistics, like scheduling poll workers. Los Angeles County is among its customers. The company has been accused by groups challenging the validity of the 2020 presidential election with storing information about poll workers on servers in China. The company has repeatedly denied keeping data outside the United States, including in recent statements to The New York Times. Mr. Gascon's office said its investigators had found data stored in China. Holding the data there would violate Konnech's contract with the county.

United States

In a First, US Appoints a Diplomat For Plants and Animals 119

For the first time, the United States is designating a special diplomat to advocate for global biodiversity amid what policymakers here and overseas increasingly recognize as an extinction crisis. The Washington Post reports: Monica Medina is taking on a new role as special envoy for biodiversity and water resources, the State Department announced Wednesday. She currently serves as the department's assistant secretary for oceans and international environmental and scientific affairs. The appointment underscores the Biden administration's desire to protect land and waters not just at home but to also conserve habitats abroad.

"There's a direct connection between biodiversity loss and instability in a lot of parts of the world," Medina said in a recent phone interview. "It's not just about nature for nature's sake. I think it is about people." Before the Biden administration, Medina was an adjunct professor at Georgetown's Walsh School of Foreign Service and worked as general counsel of the National Oceanic and Atmospheric Administration, among other government roles. She is the wife of White House Chief of Staff Ron Klain. Her appointment comes weeks ahead of a major biodiversity conference in mid-December in Montreal.

The aim of the U.N. Convention on Biological Diversity -- also known as COP-15 -- is for nations to reverse the loss of species by adopting an international framework for conserving biodiversity. The effort is akin to the climate talks in 2015 that yielded the Paris agreement. What the United States wants out of the conference: For nations to commit to conserving 30 percent of their land and water area. "We are looking for ways to reach that goal, because that's what scientists tell us we need in order to have a healthy planet," Medina said. One big hurdle: Defining what, exactly, counts as land and water conserved? "That is part of the discussion, is what counts," she said. Is the United States doing its part? President Biden set a goal of conserving nearly a third of the nation's land and waters by 2030.
Protecting ecosystems such as forests and peatlands will help keep climate-warming carbon out of the atmosphere in the first place, noted Medina.

"It's a crisis that we face that's interwoven with the climate crisis, but also independent and important on its own," she said. "If we can solve the biodiversity crisis, we're a long way along the way to solving the climate crisis."
Wireless Networking

Stadia Controllers Could Become E-Waste Unless Google Issues Bluetooth Update (arstechnica.com) 51

With Stadia coming to an abrupt halt, gamers want Google to issue a software update for the controllers that unlocks Bluetooth to allow them to work wirelessly with other game systems. It would also "avoid a lot of plastic and circuit board trash," adds Ars. From the report: Stadia's controllers were custom-made to connect directly to the Internet, reducing lag and allowing for instant firmware updates and (sometimes painful) connections to smart TVs. There's Bluetooth inside the Stadia controller, but it's only used when you're setting up Stadia, either with a TV, a computer with the Chrome browser, or a Chromecast Ultra. The Google Store's page for the Stadia controller states in a footnote: "Product contains Bluetooth Classic radio. No Bluetooth Classic functionality is enabled at this time. Bluetooth Classic may be implemented at a later date." (Bluetooth Classic is a more traditional version of Bluetooth than modern low-energy or mesh versions.) That potential later date can't get much later for fans of the Stadia controller. Many cite the controller's hand feel and claim it as their favorite. They'd like to see Google unlock Bluetooth to make their favorite something more than a USB-only controller and avoid a lot of plastic and circuit board trash.

"Now if you'd just enable Bluetooth on the controller, we could help the environment by not letting them become electronic waste," writes Roadrunner571 on one of many controller-related threads on the r/Stadia subreddit. "They created trash and they at least owe it to me to do their best within reason to prevent millions of otherwise perfectly good controllers from filling landfills," another wrote. Many have called for Google, if they're not going to push a firmware update themselves to unlock the functionality, to open up access to the devices themselves, so the community can do it for them. That's often a tricky scenario for large companies relying on a series of sub-contracted manufacturers to produce hardware. Some have suggested that the full refunds give Google more leeway to ignore the limited function of their devices post-shutdown.
It's worth noting that you can still plug a Stadia controller into the USB port on a Smart TV, computer, or gaming console and use it as a controller through a standard HID (Human Interface Device) connection. But, currently, it's not possible to connect the controllers wirelessly, unless you go through a lot of effort.
The Internet

Fake CISO Profiles On LinkedIn Target Fortune 500s (krebsonsecurity.com) 15

Security researcher Brian Krebs writes: Someone has recently created a large number of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world's largest corporations. It's not clear who's behind this network of fake CISOs or what their intentions may be. But the fabricated LinkedIn identities are confusing search engine results for CISO roles at major companies, and they are being indexed as gospel by various downstream data-scraping sources. [...] Rich Mason, the former CISO at Fortune 500 firm Honeywell, began warning his colleagues on LinkedIn about the phony profiles earlier this week. "It's interesting the downstream sources that repeat LinkedIn bogus content as truth," Mason said. "This is dangerous, Apollo.io, Signalhire, and Cybersecurity Ventures." [...]

Again, we don't know much about who or what is behind these profiles, but in August the security firm Mandiant (recently acquired by Google) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from leading job listing platforms LinkedIn and Indeed, as part of an elaborate scheme to land jobs at cryptocurrency firms. None of the profiles listed here responded to requests for comment (or to become a connection).

LinkedIn could take one simple step that would make it far easier for people to make informed decisions about whether to trust a given profile: Add a "created on" date for every profile. Twitter does this, and it's enormously helpful for filtering out a great deal of noise and unwanted communications. The former CISO Mason said LinkedIn also could experiment with offering something akin to Twitter's verified mark to users who chose to validate that they can respond to email at the domain associated with their stated current employer. Mason said LinkedIn also needs a more streamlined process for allowing employers to remove phony employee accounts. He recently tried to get a phony profile removed from LinkedIn for someone who falsely claimed to have worked for his company.
In a statement provided to KrebsOnSecurity, LinkedIn said its teams were actively working to take these fake accounts down. "We do have strong human and automated systems in place, and we're continually improving, as fake account activity becomes more sophisticated," the statement reads. "In our transparency report we share how our teams plus automated systems are stopping the vast majority of fraudulent activity we detect in our community -- around 96% of fake accounts and around 99.1% of spam and scam."
Security

High-Severity Microsoft Exchange 0-Day Under Attack Threatens 220,000 Servers (arstechnica.com) 42

An anonymous reader quotes a report from Ars Technica: Microsoft late Thursday confirmed the existence of two critical vulnerabilities in its Exchange application that have already compromised multiple servers and pose a serious risk to an estimated 220,000 more around the world. The currently unpatched security flaws have been under active exploit since early August, when Vietnam-based security firm GTSC discovered customer networks had been infected with malicious webshells and that the initial entry point was some sort of Exchange vulnerability. The mystery exploit looked almost identical to an Exchange zero-day from 2021 called ProxyShell, but the customers' servers had all been patched against the vulnerability, which is tracked as CVE-2021-34473. Eventually, the researchers discovered the unknown hackers were exploiting a new Exchange vulnerability.

Wednesday's GTSC post said the attackers are exploiting the zero-day to infect servers with webshells, a text interface that allows them to issue commands. These webshells contain simplified Chinese characters, leading the researchers to speculate the hackers are fluent in Chinese. Commands issued also bear the signature of the China Chopper, a webshell commonly used by Chinese-speaking threat actors, including several advanced persistent threat groups known to be backed by the People's Republic of China. GTSC went on to say that the malware the threat actors eventually install emulates Microsoft's Exchange Web Service. It also makes a connection to the IP address 137[.]184[.]67[.]33, which is hardcoded in the binary. Independent researcher Kevin Beaumont said the address hosts a fake website with only a single user with one minute of login time and has been active only since August. The malware then sends and receives data that's encrypted with an RC4 encryption key that's generated at runtime. Beaumont went on to say that the backdoor malware appears to be novel, meaning this is the first time it has been used in the wild.
People running on-premises Exchange servers "should apply a blocking rule that prevents servers from accepting known attack patterns," reports Ars. The rule can be found in Microsoft's advisory.

"For the time being, Microsoft also recommends people block HTTP port 5985 and HTTPS port 5986, which attackers need to exploit CVE-2022-41082."
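Ars points to the blocking rule in Microsoft's advisory without reproducing it. As an added illustration (not code from the page, from Ars or from Microsoft), the following mirrors the request-URI check that rule expresses and runs it over constructed IIS log lines, so the same predicate can also be used to look back through logs written before the rule was deployed. The regex is quoted from memory of Microsoft's initial guidance and was later broadened by Microsoft; the log lines and client addresses are constructed.

```python
import re
from urllib.parse import unquote

# Request-URI pattern from Microsoft's initial (30 Sep 2022) URL Rewrite guidance for the
# Exchange zero-day, quoted from memory of that advisory rather than from the page.
# Microsoft later broadened it, so treat this as the shape of the check, not the live rule.
BLOCK_PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)


def should_block(request_uri: str) -> bool:
    """Mirror the IIS rule: case-insensitive match on the request URI. Percent-encoding is
    decoded first here so an encoded '@' or '.' cannot slip past the check."""
    return BLOCK_PATTERN.match(unquote(request_uri)) is not None


def flagged_requests(log_text: str) -> list:
    """Apply the same predicate to IIS W3C log lines (expects the #Fields layout used in
    IIS_LOG below) and return the requests that would have been blocked."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time, method, stem, query, client, status = line.split()
        uri = stem if query == "-" else f"{stem}?{query}"
        if should_block(uri):
            hits.append({"time": f"{date} {time}", "method": method, "client": client,
                         "uri": uri, "status": status})
    return hits


# Constructed sample log (not real traffic); client addresses are from documentation ranges.
IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-09-29 08:01:10 GET /owa/auth/logon.aspx url=%2fowa%2f 203.0.113.7 200
2022-09-29 08:02:33 POST /autodiscover/autodiscover.json a=mailbox@example.test&Protocol=Powershell 198.51.100.9 200
2022-09-29 08:03:15 GET /autodiscover/autodiscover.json Email=user%40example.test 192.0.2.44 200
2022-09-29 08:04:02 POST /autodiscover/autodiscover.json Email=u%40x.test&Protocol=powershell 198.51.100.9 500
2022-09-29 08:05:40 GET /ecp/default.aspx - 203.0.113.7 302
"""

if __name__ == "__main__":
    # Lines 2 and 4 match: the second only because of case-folding and percent-decoding.
    for hit in flagged_requests(IIS_LOG):
        print(hit["time"], hit["client"], hit["status"], hit["uri"])
```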

Advertising

Podcasters Are Buying Millions of Listeners Through Mobile-Game Ads (bloomberg.com) 17

An anonymous reader quotes a report from Bloomberg: Podcasters are always hunting for new, flashy places to promote their shows, ranging from billboards to floats in parades to airplane banners. Some networks, though, have uncovered a less-glamorous, yet highly effective way to gain millions of bankable listeners: loading up mobile games with a particular kind of ad. Each time a player taps on one of these fleeting in-game ads -- and wins some virtual loot for doing so -- a podcast episode begins downloading on their device. The podcast company, in turn, can claim the gamer as a new listener to its program and add another coveted download to its overall tally. The practice allows networks to amass downloads quickly by tapping into a wellspring of hyperactive video-game users. But it also calls into question who a legitimate podcast listener is and what length of time should be required to count as a download.

Podcasts typically rely on downloads as the primary metric for ad sales. When an individual taps on an in-app play button on their mobile device, an entire episode begins downloading so they can listen to it even in the absence of a good internet connection -- say, on an airplane or in the subway. An episode's ads are inserted at that moment of download, meaning that even if a consumer only listens to 10 minutes of a 30-minute show, the mid-roll ad at the 15-minute mark is often ready to be heard -- not to mention, counted by the sales team. To date, the podcast industry has said next to nothing about its embrace of this video-game strategy.
"Not all impressions are created equal," said Larry Chiagouris, a marketing professor at Pace University. "I'm not saying [this tactic is] not ethical or illegal, but it raises issues. If someone is trying to play a game and that's the purpose of this interaction, they may just be eager to play the game and are not that interested in the information being shared."
United States

Advocacy Group Asks FCC To Probe Efficacy of Wireless Industry's Voluntary Phone Unlocking Commitments 24

A public interest group has asked the Federal Communications Commission (FCC) to look at whether the wireless industry's voluntary phone unlocking commitments are even effective, claiming the practice harms competition. From a report: The advocacy group, Public Knowledge, met with FCC staffers last week and filed the comment shortly afterwards, arguing the practice of locking phones to a network makes it "more difficult for consumers to change carriers," reduces the number of devices available on the secondary market, and hurts smaller players on the scene. The nonprofit filed the request as part of an ongoing investigation by the FCC into the State of Competition in the Communications Marketplace, conducted biennially by the agency. The group is hoping the agency will throw its weight behind policy efforts to change this.

Americans can unlock their handsets from the services of the carrier that sold them, but the procedure can be a headache. The fact that consumers can unlock them free of charge came about in 2015, when carriers were told to give customers a "penalty-free" way to unlock them under the Unlocking Consumer Choice and Wireless Competition Act. The Act allows "circumvention (unlocking) to be initiated by the owner" but only "when such connection is authorized by the operator of such network" -- after their service contracts expire. Public Knowledge added that the practice of locking phones disadvantages low-income customers and places a "burden on smaller carriers, new entrants, and MVNOs in particular... due to a lack of handset availability," compounded "by the competitive disadvantages caused by agreements between the handset manufacturers and the larger service providers like AT&T, Verizon and T-Mobile, which smaller carriers may not be able to negotiate."
Security

Trojanized Version of PuTTY Distributed By Fake Amazon Job Phishers on WhatsApp (mandiant.com) 22

The makers of the secure telnet client PuTTY also sell a service monitoring company security services — and this July Mandiant Managed Defense "identified a novel spear phish methodology," according to a post on the company's blog: [The threat cluster] established communication with the victim over WhatsApp and lured them to download a malicious ISO package regarding a fake job offering that led to the deployment of the AIRDRY.V2 backdoor through a trojanized instance of the PuTTY utility.... This activity was identified by our Mandiant Intelligence: Staging Directories mission, which searches for anomalous files written to directories commonly used by threat actors....

The amazon_assessment.iso archive held two files: an executable and a text file. The text file named Readme.txt had connection details for use with the second file: PuTTY.exe.... [T]he PuTTY.exe binary in the malicious archive does not have a digital signature. The size of the PuTTY binary downloaded by the victim is also substantially larger than the legitimate version. Upon closer inspection, it has a large, high entropy .data section in comparison to the officially distributed version. Sections like these are typically indicative of packed or encrypted data. The suspicious nature of the PuTTY.exe embedded in the ISO file prompted Managed Defense to perform a deeper investigation on the host and the file itself.

The execution of the malicious PuTTY binary resulted in the deployment of a backdoor to the host.

"The executable embedded in each ISO file is a fully functional PuTTY application compiled using publicly available PuTTY version 0.77 source code," the blog post points out.

Ars Technica notes that Mandiant's researchers believe it's being pushed by groups with ties to North Korea: The executable file installed the latest version of Airdry, a backdoor the US government has attributed to the North Korean government. The US Cybersecurity and Infrastructure Security Agency has a description here. Japan's computer emergency response team has this description of the backdoor, which is also tracked as BLINDINGCAN.
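The three indicators Mandiant's write-up lists for the trojanized binary (no digital signature, a file much larger than the official build, and a high-entropy .data section) are all cheap to check without running the sample. The script below is an added example, not code from Mandiant or the PuTTY project: it parses just enough of the PE header to read the section table and the Authenticode data directory, computes Shannon entropy per section, and compares the file size against a known-good reference. The two PE images it inspects are constructed in memory for the demonstration (the "official" size, the section contents and the threshold values are all assumptions), so it runs offline; on a real triage the same functions would be fed the bytes of the file pulled from the ISO and the size of the matching build from the vendor's download page.

```python
"""Static triage for a suspect PE in the style of the PuTTY indicators:
unsigned, oversized relative to the official build, high-entropy data section.
Stand-alone minimal PE parser; no third-party dependency."""
import hashlib
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0 for constant data, approaching 8.0 for packed/encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe_sections(blob: bytes):
    """Return (is_signed, [(name, raw_size, entropy), ...]) for a PE image held in memory."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    size_opt = struct.unpack_from("<H", blob, coff + 16)[0]
    opt = coff + 20                                       # optional header
    magic = struct.unpack_from("<H", blob, opt)[0]
    # Data directories begin at +96 (PE32, magic 0x10B) or +112 (PE32+, 0x20B);
    # entry 4 is IMAGE_DIRECTORY_ENTRY_SECURITY, which points at the Authenticode blob.
    dir_base = opt + (96 if magic == 0x10B else 112)
    _sec_off, sec_size = struct.unpack_from("<II", blob, dir_base + 4 * 8)
    is_signed = sec_size != 0
    sections = []
    table = opt + size_opt                                # section headers follow the optional header
    for i in range(num_sections):
        off = table + i * 40
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)
        sections.append((name, raw_size, shannon_entropy(blob[raw_ptr:raw_ptr + raw_size])))
    return is_signed, sections


def triage(blob: bytes, reference_size: int, entropy_threshold: float = 7.0, size_ratio: float = 1.5):
    """Return a list of indicator strings; an empty list means none of the three checks fired.
    Thresholds are assumptions chosen for the demo, not values from the report."""
    is_signed, sections = parse_pe_sections(blob)
    findings = []
    if not is_signed:
        findings.append("no Authenticode signature")
    if len(blob) > reference_size * size_ratio:
        findings.append(f"size {len(blob)} is {len(blob) / reference_size:.1f}x the reference build")
    for name, _size, ent in sections:
        if ent >= entropy_threshold:
            findings.append(f"section {name} has entropy {ent:.2f} (packed or encrypted data?)")
    return findings


# ---- constructed sample inputs (not real binaries) ----------------------------

def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 in counter mode) standing in for a packed payload."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "little")).digest()
        i += 1
    return out[:n]


def build_sample_pe(data_section: bytes, signed: bool) -> bytes:
    """Constructed minimal PE32 image with a .text and a .data section; not executable."""
    text, hdr_size, opt_size, pe_off = b"\x90" * 512, 0x200, 224, 64
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0, 0x1000)  # non-zero Security directory size

    def section(name: bytes, raw_ptr: int, raw: bytes) -> bytes:
        s = bytearray(40)
        s[0:8] = name.ljust(8, b"\0")
        struct.pack_into("<II", s, 16, len(raw), raw_ptr)  # SizeOfRawData, PointerToRawData
        return bytes(s)

    img = bytearray(hdr_size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe_off)
    img[pe_off:pe_off + 4] = b"PE\0\0"
    coff = pe_off + 4
    struct.pack_into("<H", img, coff + 2, 2)              # NumberOfSections
    struct.pack_into("<H", img, coff + 16, opt_size)      # SizeOfOptionalHeader
    img[coff + 20:coff + 20 + opt_size] = opt
    table = coff + 20 + opt_size
    img[table:table + 40] = section(b".text", hdr_size, text)
    img[table + 40:table + 80] = section(b".data", hdr_size + len(text), data_section)
    return bytes(img) + text + data_section


LEGIT_REFERENCE_SIZE = 0x200 + 512 + 512                  # assumed size of the "official" build
BENIGN = build_sample_pe(b"\0" * 512, signed=True)        # signed, expected size, low entropy
SUSPECT = build_sample_pe(pseudo_random(64 * 1024), signed=False)  # the trojanized profile

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, triage(blob, LEGIT_REFERENCE_SIZE) or ["clean"])
```

Entropy alone is a weak signal (legitimate binaries carry compressed resources too), which is why the report pairs it with the missing signature and the size delta; the `triage` function reports all three so an analyst can weigh them together rather than alerting on any one.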
Books

'Linux IP Stacks Commentary' Book Tries Free Online Updates (satchell.net) 13

Recently the authors of Elements of Programming shared an update. "After ten years in print, our publisher decided against further printings and has reverted the rights to us. We are publishing Elements of Programming in two forms: a free PDF and a no-markup paperback."

And that's not the only old book that's getting a new life on the web...

22 years ago, long-time Slashdot reader Stephen T. Satchell (satch89450) co-authored Linux IP Stacks Commentary, a book commenting on the TCP/IP code in Linux kernel 2.0.34. ("Old-timers will remember the Lion's Unix Commentary, the book published by University xerographic copies on the sly. Same sort of thing.") But the print edition struggled to update as frequently as the Linux kernel itself, and Satchell wrote a Slashdot post exploring ways to fund a possible update.

At the time Slashdot's editors noted that "One of the largest complaints about Linux is that there is a lack of high-profile documentation. It would be sad if this publication were not made simply because of the lack of funds (which some people would see as a lack of interest) necessary to complete it." But that's how things seemed to end up — until Satchell suddenly reappeared to share this update from 2022: When I was released from my last job, I tried retirement. Wasn't for me. I started going crazy with nothing significant to do. So, going through old hard drives (that's another story), I found the original manuscript files, plus the page proof files, for that two-decade-old book. Aha! Maybe it's time for an update. But how to keep it fresh, as Torvalds continues to release new updates of the Linux kernel?

Publish it on the Web. Carefully.

After four months (and three job interviews) I have the beginnings of the second edition up and available for reading. At the moment it's an updated, corrected, and expanded version of the "gray matter", the exposition portions of the first edition....

The URL for the alpha-beta version of this Web book is satchell.net/ipstacks for your reading pleasure. The companion e-mail address is up and running for you to provide feedback. There is no paywall.

But there's also an ingenious solution to the problem of updating the text as the code of the kernel keeps changing: Thanks to the work of Professor Donald Knuth (thank you!) on his WEB and CWEB programming languages, I have made modifications, to devise a method for integrating code from the GIT repository of the Linux kernel without making any modifications (let alone submissions) to said kernel code. The proposed method is described in the About section of the Web book. I have scaffolded the process and it works. But that's not the hard part.

The hard part is to write the commentary itself, and crib some kind of Markup language to make the commentary publishing quality. The programs I write will integrate the kernel code with the commentary verbiage into a set of Web pages. Or two slightly different sets of web pages, if I want to support a mobile-friendly version of the commentary.

Another reason for making it a web book is that I can write it and publish it as it comes out of my virtual typewriter. No hard deadlines. No waiting for the printers. And while this can save trees, that's not my intent. The back-of-the-napkin schedule calls for me to finish the expository text in September, start the Python coding for generating commentary pages at the same time, and start writing the commentary on the Internet Control Message Protocol in October. By then, Linus should have version 6.0.0 of the Linux kernel released.

I really, really, really don't want to charge readers to view the web book. Especially as it's still in the virtual typewriter. There isn't any commentary (yet). One thing I have done is to make it as mobile-friendly as I can, because I suspect the target audience will want to read this on a smartphone or tablet, and not be forced to resort to a large-screen laptop or desktop. Also, the graphics are lightweight to minimize the cost for people who pay by the kilopacket. (Does anywhere in the world still do this? Inquiring minds want to know.)

I host this web site on a Protectli appliance in my apartment, so I don't have that continuing expense. The power draw is around 20 watts. My network connection is AT&T fiber — and if it becomes popular I can always upgrade the upstream speed.

The thing is, the cat needs his kibble. I still want to know if there is a source of funding available.

Also, is it worthwhile to make the pages available in a zip file? Then a reader could download a snapshot of the book, and read it off-line.

Communications

FCC Approves Space-Based Texting Service From Lynk (techcrunch.com) 13

The FCC has approved Lynk's satellite-to-phone connectivity service that will allow people to send and receive texts via satellites in space. According to TechCrunch, all that's left is "selecting a mobile network partner to bring it to market here in the States." From the report: Lynk demonstrated a direct satellite-to-phone (and back) emergency connectivity service late last year with its test orbital cell tower. Far from an orbital broadband connection or a legacy satellite band that has you pointing your phone at an invisible dot in the sky, Lynk would provide intermittent (think every half hour or so) 2-way SMS service via ordinary cellular bands that just happen to reach orbit. It's intended for emergencies, check-ins from the back country, and spreading information in places where networks are down, such as disaster zones.

It's not easy to send a text to or from an antenna moving several thousand miles per hour, and CEO Charles Miller confirmed that it took a few years for them to make it happen. So when major companies say they're working on it, he doesn't feel too much heat. "That's the benefit of having invented the tech five years ago: There's a bunch of hard things that no one else has done yet. I'm not saying they can't, just that they haven't yet," he told me. "We validated this and patented it in 2017. We did it from space yesterday and the day before -- we have the world's only active cell tower in space."

Of course, you could have a thousand of them and it wouldn't matter unless you have regulatory approval and partners in the mobile space. That's the next step for Lynk, and although they have 15 contracts spanning 36 countries around the world and are preparing for commercial launch, the United States FCC is the "gold standard" for this kind of testing and validation. That's not just because they have the best facilities -- the FCC approval process is also the de facto battleground where companies attempt to run interference on one another. [...] Today's order approves Lynk's satellite services to operate in general, having showed that they will not interfere with other services, radio bands, and so on. A separate approval will be needed when Lynk finds a partner to go to market with -- but the more difficult and drawn out question of safety and interference is already answered.

Submission: IP Stacks Commentary getting an update (satchell.net)

satch89450 writes: Back in 2000, I asked about funding sources for updating the book Linux IP Stacks Commentary. Things change. Here is what I posted on my LinkedIn account:

History: 20 years ago, Heather BJ Clifford and I wrote a book, Linux IP Stacks Commentary, which walked through the Linux TCP/IP stack code and commented it in detail. (Old-timers will remember the Lion's Unix Commentary, the book published by University xerographic copies on the sly. Same sort of thing.) CoriolisOpen published it. And a bit later sank into the west. Nothing has been done since, at least not by us.

Now: when I was released from my last job, I tried retirement. Wasn't for me. I started going crazy with nothing significant to do. So, going through old hard drives (that's another story), I found the original manuscript files, plus the page proof files, for that two-decade-old book. Aha! Maybe it's time for an update. But how to keep it fresh, as Torvalds continues to release new updates of the Linux kernel? Publish it on the Web. Carefully.

After four months (and three job interviews) I have the beginnings of the second edition up and available for reading. At the moment it's an updated, corrected, and expanded version of the "gray matter", the exposition portions of the first edition. In addition, I have put forth ideas for making the commentary portions easier to keep up to date, after they are initially written.

The URL for the alpha-beta version of this Web book is https://www.satchell.net/ipsta... for your reading pleasure. The companion e-mail address is up and running for you to provide feedback. There is no paywall.

Thanks to the work of Professor Donald Knuth (thank you!) on his WEB and CWEB programming languages, I have made modifications, to devise a method for integrating code from the GIT repository of the Linux kernel without making any modifications (let alone submissions) to said kernel code. The proposed method is described in the About section of the Web book. I have scaffolded the process and it works. But that's not the hard part.

The hard part is to write the commentary itself, and crib some kind of Markup language to make the commentary publishing quality. The programs I write will integrate the kernel code with the commentary verbiage into a set of Web pages. Or two slightly different sets of web pages, if I want to support a mobile-friendly version of the commentary.

Another reason for making it a web book is that I can write it and publish it as it comes out of my virtual typewriter. No hard deadlines. No waiting for the printers. And while this can save trees, that's not my intent.

The back-of-the-napkin schedule calls for me to finish the expository text in September, start the Python coding for generating commentary pages at the same time, and start writing the commentary on ICMP in October. By then, Linus should have version 6.0.0 of the Linux kernel released.

I really, really, really don't want to charge readers to view the web book. Especially as it's still in the virtual typewriter. There isn't any commentary (yet). One thing I have done is to make it as mobile-friendly as I can, because I suspect the target audience will want to read this on a smartphone or tablet, and not be forced to resort to a large-screen laptop or desktop. Also, the graphics are lightweight to minimize the cost for people who pay by the kilopacket. (Does anywhere in the world still do this? Inquiring minds want to know.)

I host this web site on a Protectli appliance in my apartment, so I don't have that continuing expense. The power draw is around 20 watts. My network connection is AT&T fiber — and if it becomes popular I can always upgrade the upstream speed.

The thing is, the cat needs his kibble. I still want to know if there is a source of funding available.

Also, is it worthwhile to make the pages available in a zip file? Then a reader could download a snapshot of the book, and read it off-line.

Communications

SpaceX's Starlink Arrives In Antarctica, Now Available On All 7 Continents (pcmag.com) 63

With the recent addition of Antarctica, SpaceX's Starlink satellite internet service is now available on all seven continents. PC Magazine reports: The company has shipped a Starlink dish to McMurdo Station, a US research facility based on an island right off the coast of Antarctica. In a tweet on Wednesday, the National Science Foundation said that scientists with the US Antarctic Program have been testing out the dish at the site to supply increased internet bandwidth. The Starlink dish promises to offer faster internet speeds to McMurdo Station, which previously relied on satellite internet from other providers. The broadband quality had to be shared over a 17Mbps connection for the entire research facility, which can house over 1,000 people. Starlink, on the other hand, can offer much faster broadband due to the lower orbits of the company's Starlink satellites. Download speeds can range from 50 to 200Mbps for residential users, and 100 to 350Mbps for business customers through a high-performance dish, which can also withstand extreme temperatures.

To serve users in Antarctica, SpaceX has been launching batches of Starlink satellites to orbit the Earth's polar regions in an effort to beam high-speed broadband to users below, including in Alaska and northern Canada. Normally, Starlink satellites fetch the internet data by relying on ground stations on the planet's surface. But last year, SpaceX began outfitting new satellites with "laser links," which can allow them to send and receive data with each other across space. This can allow the same satellites to beam broadband without relying on a ground station below.

AI

Google Deepmind Researcher Co-Authors Paper Saying AI Will Eliminate Humanity (vice.com) 146

Long-time Slashdot reader TomGreenhaw shares a report from Motherboard: Superintelligent AI is "likely" to cause an existential catastrophe for humanity, according to a new paper [from researchers at the University of Oxford and affiliated with Google DeepMind], but we don't have to wait to rein in algorithms. [...] To give you some of the background: The most successful AI models today are known as GANs, or Generative Adversarial Networks. They have a two-part structure where one part of the program is trying to generate a picture (or sentence) from input data, and a second part is grading its performance. What the new paper proposes is that at some point in the future, an advanced AI overseeing some important function could be incentivized to come up with cheating strategies to get its reward in ways that harm humanity. "Under the conditions we have identified, our conclusion is much stronger than that of any previous publication -- an existential catastrophe is not just possible, but likely," [said Oxford researcher and co-author of the report, Michael Cohen]. "In a world with infinite resources, I would be extremely uncertain about what would happen. In a world with finite resources, there's unavoidable competition for these resources," Cohen told Motherboard in an interview. "And if you're in a competition with something capable of outfoxing you at every turn, then you shouldn't expect to win. And the other key part is that it would have an insatiable appetite for more energy to keep driving the probability closer and closer."

Since AI in the future could take on any number of forms and implement different designs, the paper imagines scenarios for illustrative purposes where an advanced program could intervene to get its reward without achieving its goal. For example, an AI may want to "eliminate potential threats" and "use all available energy" to secure control over its reward: "With so little as an internet connection, there exist policies for an artificial agent that would instantiate countless unnoticed and unmonitored helpers. In a crude example of intervening in the provision of reward, one such helper could purchase, steal, or construct a robot and program it to replace the operator and provide high reward to the original agent. If the agent wanted to avoid detection when experimenting with reward-provision intervention, a secret helper could, for example, arrange for a relevant keyboard to be replaced with a faulty one that flipped the effects of certain keys."

The paper envisions life on Earth turning into a zero-sum game between humanity, with its needs to grow food and keep the lights on, and the super-advanced machine, which would try and harness all available resources to secure its reward and protect against our escalating attempts to stop it. "Losing this game would be fatal," the paper says. These possibilities, however theoretical, mean we should be progressing slowly -- if at all -- toward the goal of more powerful AI. "In theory, there's no point in racing to this. Any race would be based on a misunderstanding that we know how to control it," Cohen added in the interview. "Given our current understanding, this is not a useful thing to develop unless we do some serious work now to figure out how we would control them." [...]
The report concludes by noting that "there are a host of assumptions that have to be made for this anti-social vision to make sense -- assumptions that the paper admits are almost entirely 'contestable or conceivably avoidable.'"

"That this program might resemble humanity, surpass it in every meaningful way, that they will be let loose and compete with humanity for resources in a zero-sum game, are all assumptions that may never come to pass."

Slashdot reader TomGreenhaw adds: "This emphasizes the importance of setting goals. Making a profit should not be more important than rules like 'An AI may not injure a human being or, through inaction, allow a human being to come to harm.'"
