Encryption

Could Randomness Theory Hold Key To Internet Security? (cornell.edu) 50

"In a new paper, Cornell Tech researchers identified a problem that holds the key to whether all encryption can be broken — as well as a surprising connection to a mathematical concept that aims to define and measure randomness," according to a news release shared by Slashdot reader bd580slashdot: "Our result not only shows that cryptography has a natural 'mother' problem, it also shows a deep connection between two quite separate areas of mathematics and computer science — cryptography and algorithmic information theory," said Rafael Pass, professor of computer science at Cornell Tech...

Researchers have not been able to prove the existence of a one-way function. The most well-known candidate — which is also the basis of the most commonly used encryption schemes on the internet — relies on integer factorization. It's easy to multiply two random prime numbers — for instance, 23 and 47 — but significantly harder to find those two factors if only given their product, 1,081. It is believed that no efficient factoring algorithm exists for large numbers, Pass said, though researchers may not have found the right algorithms yet.

"The central question we're addressing is: Does it exist? Is there some natural problem that characterizes the existence of one-way functions?" he said. "If it does, that's the mother of all problems, and if you have a way to solve that problem, you can break all purported one-way functions. And if you don't know how to solve that problem, you can actually get secure cryptography...."

In the paper, Pass and doctoral student Yanyi Liu showed that if computing time-bounded Kolmogorov Complexity is hard, then one-way functions exist. Although their finding is theoretical, it has potential implications across cryptography, including internet security.

Google

Google's Web App Plans Collide With Apple's iPhone, Safari Rules (cnet.com) 57

Google and Apple, which already battle over mobile operating systems, are opening a new front in their fight. How that plays out may determine the future of the web. From a report: Google was born on the web, and its business reflects its origin. The company depends on the web for search and advertising revenue. So it isn't a surprise that Google sees the web as key to the future of software. Front and center are web apps, interactive websites with the same power as conventional apps that run natively on operating systems like Windows, Android, MacOS and iOS. Apple has a different vision of the future, one that plays to its strengths. The company revolutionized mobile computing with its iPhone line. Its profits depend on those products and the millions of apps that run on them. Apple, unsurprisingly, appears less excited about developments, like web apps, that could cut into its earnings.

The two camps aren't simply protecting their businesses. Google and Apple have philosophical differences, too. Google, working to pack its dominant Chrome browser with web programming abilities, sees the web as an open place of shared standards. Apple, whose Safari browser lacks some of those abilities, believes its restraint will keep the web healthy. It wants a web that isn't plagued by security risks, privacy invasion and annoyances like unwanted notifications and permission pop-ups. Google leads a collection of heavy-hitting allies, including Microsoft and Intel, trying to craft new technology called progressive web apps, which look and feel like native apps but are powered by the web. PWAs work even when you have no network connection. You can launch PWAs from an icon on your phone home screen or PC start menu, and they can prod you with push notifications and synchronize data in the background for fast startup. PWA fans include Uber, travel site Trivago and India e-commerce site Flipkart. Starbucks saw its website usage double after it rolled out a PWA.

The split over native apps and web apps is more than just a squabble between tech giants trying to convert our lives online into their profits. How it plays out will shape what kind of a digital world we live in. Choosing native apps steers us to a world where we're locked into either iOS or Android, limited to software approved by the companies' app stores and their rules. Web apps, on the other hand, reinforce the web's strength as a software foundation controlled by no single company. A web app will work anywhere, making it easier to swap out a Windows laptop for an iPad. "What you're seeing is the tension between what is good for the user, which is to have a flexible experience, and what's good for the platform, which is to keep you in the platform as much as possible," said Mozilla Chief Technology Officer Eric Rescorla.

United States

Arizona Leads Multi-State Probe Into Older iPhones Slowing, Shutting Down (reuters.com) 54

Arizona is leading a multi-U.S. state probe into whether Apple's deliberate slowing of older iPhones violated deceptive trade practice laws, Reuters reported Wednesday, citing documents. From a report: Last week, a separate document released by a tech watchdog group showed the Texas attorney general might sue Apple for such violations in connection with a multi-state probe, without specifying charges. In the ongoing probe since at least October 2018, investigators have asked Apple for data about "unexpected shutdowns" of iPhones and the company's throttling, or slowing down, of the devices through power management software, documents Reuters obtained through a public records request showed. Apple came under fire in 2017 when Primate Labs, the maker of software for measuring a phone's processor speeds, revealed that some iPhones became slower as they aged.

Submission + - Randomness theory could hold key to internet security (cornell.edu) 1

bd580slashdot writes: Randomness theory could hold key to internet security

Summary from Science Daily:

Researchers identified a problem that holds the key to whether all encryption can be broken — as well as a surprising connection to a mathematical concept that aims to define and measure randomness.

Text from Cornell University:
https://news.cornell.edu/stori...

Is there an unbreakable code?

The question has been central to cryptography for thousands of years, and lies at the heart of efforts to secure private information on the internet. In a new paper, Cornell Tech researchers identified a problem that holds the key to whether all encryption can be broken — as well as a surprising connection to a mathematical concept that aims to define and measure randomness.

"Our result not only shows that cryptography has a natural 'mother' problem, it also shows a deep connection between two quite separate areas of mathematics and computer science — cryptography and algorithmic information theory," said Rafael Pass, professor of computer science at Cornell Tech.

Pass is co-author of "On One-Way Functions and Kolmogorov Complexity," which will be presented at the IEEE Symposium on Foundations of Computer Science, to be held Nov. 16-19 in Durham, North Carolina.

"The result," he said, "is that a natural computational problem introduced in the 1960s in the Soviet Union characterizes the feasibility of basic cryptography — private-key encryption, digital signatures and authentication, for example."

For millennia, cryptography was considered a cycle: Someone invented a code, the code was effective until someone eventually broke it, and the code became ineffective. In the 1970s, researchers seeking a better theory of cryptography introduced the concept of the one-way function — an easy task or problem in one direction that is impossible in the other.

For example, it's easy to light a match, but impossible to return a burning match to its unlit state without rearranging its atoms — an immensely difficult task.

"The idea was, if we have such a one-way function, maybe that's a very good starting point for understanding cryptography," Pass said. "Encrypting the message is very easy. And if you have the key, you can also decrypt it. But someone who doesn't know the key should have to do the same thing as restoring a lit match."

But researchers have not been able to prove the existence of a one-way function. The most well-known candidate — which is also the basis of the most commonly used encryption schemes on the internet — relies on integer factorization. It's easy to multiply two random prime numbers — for instance, 23 and 47 — but significantly harder to find those two factors if only given their product, 1,081.

It is believed that no efficient factoring algorithm exists for large numbers, Pass said, though researchers may not have found the right algorithms yet.

"The central question we're addressing is: Does it exist? Is there some natural problem that characterizes the existence of one-way functions?" he said. "If it does, that's the mother of all problems, and if you have a way to solve that problem, you can break all purported one-way functions. And if you don't know how to solve that problem, you can actually get secure cryptography."

Full paper is here:
https://eprint.iacr.org/2020/4...

Social Networks

Bill Gates Has a Message For Conspiracy Theorists (cnn.com) 221

In an interview with CNN, billionaire philanthropist Bill Gates responded to his prominence in anti-vaccine conspiracy theories that have spread online: CNN: There are 16,000 Facebook posts espousing conspiracy theories about you and the virus... They're liked or commented on 900,000 times. On YouTube the top 10 videos that spread lies about you had almost 5 million views. It's also pointed out that according to Zignal Labs, which is a media analysis company that tracks this, misinformation about you is the most widespread of all coronavirus falsehoods...

What do you say to people who believe this stuff? Because I'm sure you're inundated...

Bill Gates: The combination of having social media spreading things that are very titillating, to having this pandemic where people are uncertain and they'd prefer to have a simple explanation — it's meant that these things are really, you know, millions of messages a day. And people like myself and Dr. Fauci have become the target.

Often the clever thing they do — you know, our foundation has given more money to buy vaccines to save lives than any group. So you just turn that around — you say, "Okay, we're making money, and we're trying to kill people with vaccines, or by inventing something." And at least it's true — we are associated with vaccines — but you actually have, you know, sort of flipped the connection that we have there.

You know, I hope it doesn't create vaccine hesitancy. I hope this whole story of innovation that's going on, that we do get the benefit of that. It's really the only good news I'm bringing you today, is that diagnostic therapeutic and vaccine innovation, these amazing private-sector companies, without the coordination you would've liked — they are doing it...

Gates told CBS News he expects some at-home, instant coronavirus tests to be approved in the next two to four months. "These are well-meaning people," Gates told CNN of the diagnostics innovators. "This is a time when people are doing great work.

"So I hope the conspiracy stuff dies down."

United States

U.S. Hatches Plan To Build a Quantum Internet That Might Be 'Unhackable' (washingtonpost.com) 75

U.S. officials and scientists unveiled a plan this week to pursue what they called one of the most important technological frontiers of the 21st century: building a quantum Internet. From a report: Speaking in Chicago, one of the main hubs of the work, they set goals for forging what they called a second Internet -- one that would function alongside the globe's existing networks, using the laws of quantum mechanics to share information more securely and to connect a new generation of computers and sensors. Quantum technology seeks to harness the distinct properties of atoms, photons and electrons to build more powerful computers and other tools for processing information. A quantum Internet relies on photons exhibiting a quantum state known as entanglement, which allows them to share information over long distances without having a physical connection.

David Awschalom, a professor at the University of Chicago's Pritzker School of Molecular Engineering and senior scientist at Argonne National Laboratory, called the Internet project a pillar of the nation's quantum-research program. "It's the birth of a new technology. It's becoming a global competition. Every major country on earth has launched a quantum program ... because it is becoming clearer and clearer there will be big impacts," he said in an interview. The United States' top technology rival, China, is investing heavily in quantum technology, a field that could transform information processing and confer big economic and national security advantages to countries that dominate it. Europe is also hotly pursuing the research. The Energy Department and its 17 national labs will form the backbone of the project.

AT&T

AT&T's 5G Network Goes Nationwide With No Extra Cost on Unlimited Plans (venturebeat.com) 19

Having launched preliminary 5G services using millimeter wave hardware in late 2018, AT&T has technically been operating a 5G network for a year and a half -- but between the "5G+" network's few connection points and extremely limited hardware support, most people in the U.S. couldn't actually use it. Today, AT&T says its low band 5G network is officially available nationwide, reaching a potential 205 million customers across 395 coverage markets. From a report: The carrier is also making 5G service available to a wider range of customers at no additional charge. On a positive note, AT&T is now the second U.S. carrier with a nationwide 5G network, joining T-Mobile, which launched a similarly large offering in December 2019 using long distance but slow low band towers. But T-Mobile's low band 5G peaks at speeds around 225Mbps, nowhere near the 2Gbps peaks seen in Verizon's all but unusably small 5G network, while promising only a 20% improvement over 4G speeds on average. AT&T's low band 5G network is expected to deliver comparable performance but is using a technology called DSS to dynamically split prior 4G spectrum between 4G and 5G phones as user demand fluctuates.

Security

VPN With 'Strict No-Logs Policy' Exposed Millions of User Log Files (betanews.com) 86

New submitter kimmmos shares a report from BetaNews: An unprotected database belonging to the VPN service UFO VPN was exposed online for more than two weeks. Contained within the database were more than 20 million logs including user passwords stored in plain text. Users of both UFO VPN free and paid services are affected by the data breach which was discovered by the security research team at Comparitech. Despite the Hong Kong-based VPN provider claiming to have a "strict no-logs policy" and that any data collected is anonymized, Comparitech says that "based on the contents of the database, users' information does not appear to be anonymous at all." A total of 894GB of data was exposed, and the API access records and user logs included: Account passwords in plain text; VPN session secrets and tokens; IP addresses of both user devices and the VPN servers they connected to; Connection timestamps; Geo-tags; Device and OS characteristics; and URLs that appear to be domains from which advertisements are injected into free users' web browsers. Comparitech notes that this runs counter to UFO VPN's privacy policy.

Chrome

Chrome 84 Arrives With SameSite Cookie Changes, Web OTP API and Web Animations API (venturebeat.com) 14

An anonymous reader quotes a report from VentureBeat: Google today launched Chrome 84 for Windows, Mac, Linux, Android, and iOS. Chrome 84 resumes SameSite cookie changes, includes the Web OTP API and Web Animations API, and removes older Transport Layer Security (TLS) versions. First deprecated with Chrome 81 in April, TLS 1.0 and TLS 1.1 have now been completely removed with Chrome 84. This is notable for anyone who manages a website, even if they don't use Chrome at home or at work. TLS is a cryptographic protocol designed to provide communications security over a computer network -- websites use it to secure all communications between their servers and browsers. TLS also succeeds Secure Sockets Layer (SSL) and thus handles the encryption of every HTTPS connection.

In May 2016, Chrome 51 introduced the SameSite attribute to allow sites to declare whether cookies should be restricted to a same-site (first-party) context. The hope was this would mitigate cross-site request forgeries (CSRF). Chrome 80 began enforcing a new secure-by-default cookie classification system, treating cookies that have no declared SameSite value as SameSite=Lax cookies. Only cookies set as SameSite=None; Secure are available in third-party contexts, provided they are being accessed from secure connections. Due to the coronavirus crisis, however, Google paused the SameSite cookie changes, with plans to resume enforcement sometime over the summer. SameSite cookie enforcement has now resumed with a gradual rollout ramping up over the next several weeks for Chrome 80 and newer.

Chrome 84 introduces the Web OTP API (formerly called the SMS Receiver API). This API helps users enter a one-time password (OTP) on a webpage when a specially crafted SMS message is delivered to their Android phone. When verifying the ownership of a phone number, developers typically send an OTP over SMS that must be manually entered by the user (or copied and pasted). The user has to switch to their native SMS app and back to their web app to input the code. The Web OTP API lets developers help users enter the code with one tap. Chrome 84 also adopts the Web Animations API, which gives developers more control over web animations. These can be used to help users navigate a digital space, remember your app or site, and provide implicit hints around how to use your product. Parts of the API have been around for some time, but this implementation brings greater spec compliance and supports compositing operations, which control how effects are combined and offer many new hooks that enable replaceable events. The API also supports Promises, which allow for animation sequencing and provide greater control over how animations interact with other app features.

Transportation

Self-Driving Startup Built a 'Car Without Wheels' For Remote Driving (arstechnica.com) 45

Self-driving startup Voyage built a physical "Telessist Pod" with software that allows a remote operator to give instructions to a self-driving car. A reader shares a report from Ars Technica: "For all of this to work safely, it had to basically be a car without wheels," Voyage CEO Oliver Cameron told me in a Thursday phone interview. "It had to have a real steering wheel, real pedals, real automotive-grade connectors, and real automotive-grade ECUs." Voyage's engineers built a "car without wheels" because they wanted to mirror the experience of driving a real car as closely as possible. "If you try to do it with a gaming steering wheel, you don't get the force feedback" you get with a real car, Cameron said. "It's impossible to drive reliably like that. It's so unsafe."

Remote Voyage drivers sit in a metal cage the size of a golf cart. There's a steering wheel, gas pedal, and brake pedal where you'd expect them in a real car. A wraparound array of computer monitors shows the car's surroundings. An encrypted wireless data connection keeps the components in the Telessist pod synchronized with their counterparts in the real car. Voyage says the network latency is under 100 milliseconds -- short enough that the driver won't notice a significant lag.

In case something goes wrong, "the company bonded together five separate cellular connections, each with its own SIM card on a different wireless carrier, to achieve maximum redundancy and hence reliability," reports Ars. "If one of the five networks fails, software automatically switches over to the other four."

There's a system called Remote Drive Assist that will take over if the car loses its wireless connection. Voyage even added an emergency braking system, which consists of a small, self-contained lidar unit in front of Voyage's cars. "If it detects an imminent collision, it has the power to activate the brakes and bring the vehicle to a stop," adds Ars. "This means that, even if the human driver -- or Voyage's main self-driving system, for that matter -- makes a mistake, the car is unlikely to run into anything."

Security

Smartwatch Hack Could Trick Patients To 'Take Pills' With Spoofed Alerts (techcrunch.com) 21

Security researchers say a smartwatch, popular with the elderly and dementia patients, could have been tricked into letting an attacker easily take control of the device. From a report: These watches are designed to help patients to easily call their carers and for carers to track the location of their patients. They come with their own cellular connection, so that they work anywhere. But researchers at U.K.-based security firm Pen Test Partners found that they could trick the smartwatch into sending fake "take pills" reminders to patients as often as they want, they said. "A dementia sufferer is unlikely to remember that they had already taken their medication," wrote Vangelis Stykas in a blog post. "An overdose could easily result." The vulnerabilities were found in the back-end cloud system, known as SETracker, which powers the smartwatch.

Open Source

Google Open Sources Trademarks With the Open Usage Commons (zdnet.com) 6

An anonymous reader quotes a report from ZDNet: Google has announced it is launching a new organization, Open Usage Commons (OUC), to host the trademarks for three of its most important new open-source projects. These are Angular, a web application framework for mobile and desktop; Gerrit, a web-based team code-collaboration tool; and Istio, a popular open mesh platform to connect, manage, and secure microservices. While it only covers three Google projects, for now, OUC is meant to give open-source projects a neutral, independent home for their project trademarks. The organization will also assist with conformance testing, establishing mark usage guidelines, and handling trademark usage issues. The organization will not provide services that are outside the realm of usage, such as technical mentorship, community management, project events, or project marketing. "Having an entity like this does make some sense for a certain number of use cases," says Andrew "Andy" Updegrove, open-source standards and patent expert and founding partner of top-technology law firm Gesmer Updegrove. "The most obvious one is an unincorporated OSS project. An amorphous group of individuals can't own a trademark efficiently, so there's no way to protect the project name unless they agree on a singular owner. There are many cases where an individual member has owned a project mark, and that has often led to downstream problems. So simply having a neutral owner is a community good without going any farther than that."

Updegrove also noted trademarks have usually been achieved by a project "approaching a host, like The Apache Foundation or Linux Foundation and asking them to take over as host. But that usually requires taking the project under the umbrella, and subject to the rules, of that foundation."

Updegrove wonders if there's "more to the story than meets the eye." He notes there is one important difference by only handing over the trademarks: "A project that is primarily important to a single vendor and primarily staffed and controlled by developers employed by that employer can continue to exercise effective control while avoiding the market suspicion that might arise if the vendor owned the mark." He suspects Google is doing this "to up the credibility of some of its projects [to the open-source community] while not taking the more extreme step of turning the project over to a foundation in connection with which a new and more independent governance structure is put in place."

Intel

Intel Unveils the Thunderbolt 4 Spec, Debuting in PCs in the Fall (pcworld.com) 95

Intel unveiled Thunderbolt 4 on Wednesday, the next iteration of the I/O specification that provides a high-speed peripheral bus to docks, displays, external storage and eGPUs for PCs. Rather than increase the available bandwidth, however, Thunderbolt 4 provides more clarity and helps create new categories of products. From a report: Thunderbolt 4 will debut later this year as part of Intel's "Tiger Lake" CPU platform, as Intel originally announced during CES in January. We now know it will support 40Gbps throughput, but with tighter minimum specs. Thunderbolt 4 will guarantee that a pair of 4K displays will work with a Thunderbolt dock, and require Thunderbolt 4-equipped PCs to charge on at least one Thunderbolt port. Thunderbolt PCs will be able to connect to either "compact" or "full" docks with up to four Thunderbolt ports. Longer Thunderbolt cables will be possible, too. One thing that doesn't seem to be changing is Thunderbolt's exclusivity. Intel developed Thunderbolt, and perhaps not coincidentally, OEM systems based on rival AMD's CPUs have never had this technology. While AMD has officially dismissed the need for Thunderbolt, with generation 4 Intel appears to have made it even harder for AMD to get it, even if it wanted to. Intel's still pitching Thunderbolt as a single standard to rule them all, but the reality up to now has been complicated. You still have to squint hard at that USB-C-shaped port to determine which of the multitude of USB specifications it meets, including whether it's a USB4 connection that happens to support Thunderbolt. To muddy things further, Thunderbolt also encompasses PCIe, DisplayPort, and USB Power Delivery standards.

Google

City Builds Open-Access Broadband Network With Google Fiber As Its First ISP (arstechnica.com) 39

An anonymous reader quotes a report from Ars Technica: Google Fiber's wireline broadband is expanding to a new city for the first time in several years as part of a public-private partnership to build an open-access network that any ISP can use to offer service. The new network will be in West Des Moines, Iowa. Google Fiber "paused" plans to expand to new cities in October 2016 amid lawsuits filed by incumbent ISPs and construction problems that eventually led to the Alphabet-owned ISP's complete exit from Louisville. But in West Des Moines, Google Fiber will rely on the city to build a network of fiber conduits. "Municipalities like West Des Moines excel at building and maintaining infrastructure. At digging and laying pipes under the roads, restoring and preserving the sidewalks and green spaces, reducing traffic congestion, and lowering construction disruption," Google Fiber said in an announcement yesterday.

The West Des Moines government's announcement said that "once the City installs conduit in the public right of way, broadband providers will pay a license fee to install their fiber in the City's conduit. Google Fiber will be the first tenant in the network." A conduit-license agreement "calls for Google Fiber to cover a portion of the construction cost to build conduit... through their monthly lease payments." "On a monthly basis, Google Fiber would pay the city $2.25 for each household that connects to the network," according to the Des Moines Register. Google Fiber would pay the city a minimum of $4.5 million over 20 years. Construction is expected to begin this fall and be completed in about two and a half years, the city said. While Google Fiber is slated to be the first tenant offering fiber service over the West Des Moines network, the city is hoping to spur broadband competition by letting other ISPs install their own fiber in the conduits. Current ISPs in West Des Moines include CenturyLink and Mediacom.

"Every home and business in West Des Moines is eligible for a free connection point from their property to the municipal fiber conduit," the city said. "The City will be installing these connections and will contact every business and resident in the near future to ensure everyone has the opportunity to participate." The city also said it aims to make high-speed broadband available to "all residents, regardless of their means."

"West Des Moines plans to invest nearly $40 million" in the project, the Des Moines Register wrote, adding that city officials intend to "solicit bids for laying the underground conduit that would house the fiber-optic cables."

The Courts

7th Former eBay Employee Charged In Cyberstalking Campaign Targeting Natick Couple (cbslocal.com) 21

A seventh former eBay employee is now facing federal charges in connection with a cyberstalking campaign that allegedly targeted a Natick couple who wrote critical content about the company in its newsletter. From a report: Philip Cooke, 55, of San Jose, Calif. is charged with conspiracy to commit cyberstalking and conspiracy to tamper with witnesses. Cooke, who was a former Santa Clara police captain and was supervisor of security operations at eBay's European and Asian offices, is expected to appear in Boston federal court at a later date. James Baugh, 45, of San Jose, California, eBay's former director of safety and security and former eBay director of global resiliency David Harville, 48, of New York City, were among the first six charged.

Anime

The Stunning Second Life of 'Avatar: The Last Airbender' (newyorker.com) 80

A fifteen-year-old cartoon is an unlikely contender for most-watched show in America. And yet when "Avatar: The Last Airbender" arrived on Netflix, in May, it rose through the ranks to become the platform's No. 1 offering, and even now it remains a fixture in the Top Ten for the U.S. From a report: The series first ran from 2005 to 2008 on Nickelodeon, and swiftly made a name for itself as a politically resonant, emotionally sophisticated work -- one with a sprawling but meticulously plotted mythos that destined the show for cult-classic status. Last summer, after "Game of Thrones" flubbed its finale, fans and critics held up "Avatar" as a counterexample: a fantasy series that knew what it wanted to be from the beginning. Like all such stories, "Avatar" (created by Bryan Konietzko and Michael Dante DiMartino, and no relation to the James Cameron blockbuster) demands some exposition. In a world where nations are defined by their connection to one of the four elements -- water, earth, fire, and air -- maintaining the peace falls to the Avatar, the only person who can achieve mastery of them all. Just as the Fire Nation launches an attack, he vanishes.

The series begins a century later, when a twelve-year-old boy named Aang is discovered and revived by a pair of Water Tribe teen-agers -- and the Fire Nation is well on its way to global conquest. The first two episodes are largely what you'd expect: world-building punctuated by moments of whimsy. In the third, Aang returns to the temple where he was born to find the aftermath of a genocide. He is, he discovers, both the Avatar and the last of the Air Nomads. Where earlier shows might have hinted at such an atrocity for adult viewers' benefit, "Avatar" is overt, taking seriously its young audience's capacity to confront the consequences of endless war. Moral ambiguity abounds, and people from all nations see the conflict as, variously, an opportunity or a tragedy; there are Earth Kingdom citizens who have become cynical or apathetic after generations of fighting, and those from the Fire Nation who are fully capable of doing good. Aang, like the monks who raised him, is a pacifist at heart, but the series makes it clear that his is not the only way of bringing balance to the world. On the eve of his confrontation with the Fire Lord, one of his past lives -- a warrior named Kyoshi, who has killed would-be conquerors before -- counsels that "only justice will bring peace."

Security

Ask Slashdot: Could We Not Use DNS For a Certificate Revocation Mechanism? 97

Long-time Slashdot reader dhammabum writes: As reported in the recent slashdot story, starting in September we system admins will be forced into annually updating TLS certificates because of a decision by Apple, abetted by Google and Mozilla. Supposedly this measure somewhat rectifies the current ineffective certificate revocation list system by limiting the use of compromised certificates to one year... But in an attempt to prevent this pathetic measure, could we instead use DNS to replace the current certificate revocation list system?

Why not create a new type of TXT record, call it CRR (Certificate Revocation Record), that would consist of the Serial Number (or Subject Key ID or thumbprint) of the certificate. On TLS connection to a website, the browser does a DNS query for a CRR for the Common Name of the certificate. If the number/key/thumbprint matches, reject the connection. This way the onus is on the domain owner to directly control their fate. The only problem I can see with this is if there are numerous certificate Alternate Names — there would need to be a CRR for each name. A pain, but one only borne by the hapless domain owner.

Alternatively, if Apple is so determined to save us from ourselves, why don't they fund and host a functional CRL system? They have enough money. End users could create a CRL request via their certificate authority who would then create the signed record and forward it to this grand scheme.

Otherwise, are there any other ideas?
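
A sketch of the client-side check the submission proposes, added here as an illustration and not code from the submitter or from any browser. The `crr=<hex serial>` TXT syntax, the in-memory sample zone and every function name are assumptions; it checks each name in the certificate (the Alternate Names problem raised above) and makes the behaviour on a failed lookup an explicit choice.

```python
# Added illustration of the proposed CRR lookup; the "crr=" TXT syntax is an assumption.
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample zone: name -> TXT strings. None models a failed lookup.
SAMPLE_ZONE = {
    "www.example.com": ["v=spf1 -all", "crr=0A:1B:2C:3D"],
    "example.com": [],
    "api.example.com": None,
}

def lookup_txt(name: str) -> Optional[List[str]]:
    """Stand-in resolver over the constructed zone; answers are assumed authentic."""
    return SAMPLE_ZONE.get(name.lower().rstrip("."), [])

def normalize_serial(serial: str) -> str:
    """Compare serials as lowercase hex without separators or leading zeros."""
    digits = serial.replace(":", "").replace(" ", "").lower()
    return digits.lstrip("0") or "0"

def revoked_serials(txt_records: Iterable[str]) -> Set[str]:
    """Pull serials out of TXT strings of the assumed form 'crr=<hex serial>'."""
    return {normalize_serial(r[4:]) for r in txt_records
            if r.lower().startswith("crr=")}

def check_certificate(names: Iterable[str], serial: str,
                      resolver=lookup_txt, fail_closed: bool = False) -> Tuple[bool, str]:
    """Return (accept, reason) after checking every name in the certificate."""
    wanted = normalize_serial(serial)
    for name in names:
        records = resolver(name)
        if records is None:
            # Lookup failed: the client must choose between availability and safety.
            if fail_closed:
                return False, f"lookup failed for {name}"
            continue
        if wanted in revoked_serials(records):
            return False, f"revoked by CRR at {name}"
    return True, "no matching CRR"
```

With `fail_closed=False`, anyone who can suppress the DNS answer also suppresses the revocation, so the setting decides whether the record protects against a network attacker at all.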

Submission + - Could we not use DNS for a certificate revocation mechanism? 2

dhammabum writes: As reported in the recent slashdot story, starting in September we system admins will be forced into annually updating TLS certificates because of a decision by Apple, abetted by Google and Mozilla. Supposedly this measure somewhat rectifies the current ineffective CRL system by limiting the use of compromised certificates to one year. Please read the linked story to see how cack-handed and useless this is.

Anyway, in an attempt to prevent this pathetic measure, could we instead use DNS to replace the current CRL system? Why not create a new type of TXT record, call it CRR (Certificate Revocation Record), which would consist of the Serial Number (or Subject Key ID or thumbprint) of the certificate. On TLS connection to a website, the browser does a DNS query for a CRR for the Common Name of the certificate. If the number/key/thumbprint matches, reject the connection. This way the onus is on the domain owner to directly control their fate. The only problem I can see with this is if there are numerous certificate Alternate Names — there would need to be a CRR for each name. A pain, but one only borne by the hapless domain owner.

Alternatively, if Apple is so determined to save us from ourselves, why don't they fund and host a functional CRL system? They have enough money. End users could create a CRL request via their CA who would then create the signed record and forward it to this grand scheme.

Otherwise, are there any other ideas?

Android

Android's AirDrop Competitor Is Coming Soon (androidpolice.com) 28

Android's long-awaited "Nearby Sharing" feature, which allows you to share files between Android devices wirelessly, is rolling out to beta testers. Android Police reports: Nearby Sharing may appear slightly differently depending on the type of content you try to share. In all cases, it shows up as an app in the apps list on the share sheet, but you may also get a smaller prompt just under the content preview, more like it did in the previous Android 11 video leak. We tested it on a Pixel 4 XL and Pixel 3a running Android 10, but the appearance may also vary on other versions of Android. Note that Nearby Share works for both files like photos or videos, as well as other shareable content like Tweets and URLs. It probably works with a lot of things.

Select Nearby Share in the share sheet as the target, and you're prompted to turn on the feature, if it's the first time you've used it. The quick setup process lets you configure your default device name and device visibility settings, though those can also be changed later. Once you have it enabled, Nearby Sharing starts looking for other nearby devices. The interface is pretty simple: A big X in the top left corner backs you out, your avatar on the right takes you to a settings pane that lets you configure things like your device name, visibility, and which mechanism to use to make the transfer (i.e., whether to use your internet connection for small files, to stick to Wi-Fi, or to always share offline).

Google says Nearby Share is currently in limited testing via the Play Services beta: "We're currently conducting a beta test of a new Nearby Share feature that we plan to share more information on in the future. Our goal is to launch the feature with support for Android 6+ devices as well as other platforms."

Privacy

Apple Declined To Implement 16 Web APIs in Safari Due To Privacy Concerns (zdnet.com) 120

Apple said last week that it declined to implement 16 new web technologies (Web APIs) in Safari because they posed a threat to user privacy by opening new avenues for user fingerprinting. Technologies that Apple declined to include in Safari because of user fingerprinting concerns include:

Web Bluetooth - Allows websites to connect to nearby Bluetooth LE devices.
Web MIDI API - Allows websites to enumerate, manipulate and access MIDI devices.
Magnetometer API - Allows websites to access data about the local magnetic field around a user, as detected by the device's primary magnetometer sensor.
Web NFC API - Allows websites to communicate with NFC tags through a device's NFC reader.
Device Memory API - Allows websites to receive the approximate amount of device memory in gigabytes.
Network Information API - Provides information about the connection a device is using to communicate with the network and provides a means for scripts to be notified if the connection type changes.
Battery Status API - Allows websites to receive information about the battery status of the hosting device.
Web Bluetooth Scanning - Allows websites to scan for nearby Bluetooth LE devices.
Ambient Light Sensor - Lets websites get the current light level or illuminance of the ambient light around the hosting device via the device's native sensors.
[...]
The vast majority of these APIs are only implemented in Chromium-based browsers, and very few on Mozilla's platform. Apple claims that the 16 Web APIs above would allow online advertisers and data analytics firms to create scripts that fingerprint users and their devices.
