Open Source

What Comes After Open Source? Bruce Perens Is Working On It (theregister.com)

An anonymous reader quotes a report from The Register: Bruce Perens, one of the founders of the Open Source movement, is ready for what comes next: the Post-Open Source movement. "I've written papers about it, and I've tried to put together a prototype license," Perens explains in an interview with The Register. "Obviously, I need help from a lawyer. And then the next step is to go for grant money." Perens says there are several pressing problems that the open source community needs to address. "First of all, our licenses aren't working anymore," he said. "We've had enough time that businesses have found all of the loopholes and thus we need to do something new. The GPL is not acting the way the GPL should have done when one-third of all paid-for Linux systems are sold with a GPL circumvention. That's RHEL." RHEL stands for Red Hat Enterprise Linux, which in June, under IBM's ownership, stopped making its source code available as required under the GPL. Perens recently returned from a trip to China, where he was the keynote speaker at the Bench 2023 conference. In anticipation of his conversation with El Reg, he wrote up some thoughts on his visit and on the state of the open source software community. One of the matters that came to mind was Red Hat.

"They aren't really Red Hat any longer, they're IBM," Perens writes in the note he shared with The Register. "And of course they stopped distributing CentOS, and for a long time they've done something that I feel violates the GPL, and my defamation case was about another company doing the exact same thing: They tell you that if you are a RHEL customer, you can't disclose the GPL source for security patches that RHEL makes, because they won't allow you to be a customer any longer. IBM employees assert that they are still feeding patches to the upstream open source project, but of course they aren't required to do so. This has gone on for a long time, and only the fact that Red Hat made a public distribution of CentOS (essentially an unbranded version of RHEL) made it tolerable. Now IBM isn't doing that any longer. So I feel that IBM has gotten everything it wants from the open source developer community now, and we've received something of a middle finger from them. Obviously CentOS was important to companies as well, and they are running for the wings in adopting Rocky Linux. I could wish they went to a Debian derivative, but OK. But we have a number of straws on the Open Source camel's back. Will one break it?"

Another straw burdening the Open Source camel, Perens writes, "is that Open Source has completely failed to serve the common person. For the most part, if they use us at all they do so through a proprietary software company's systems, like Apple iOS or Google Android, both of which use Open Source for infrastructure but the apps are mostly proprietary. The common person doesn't know about Open Source, they don't know about the freedoms we promote which are increasingly in their interest. Indeed, Open Source is used today to surveil and even oppress them." Free Software, Perens explains, is now 50 years old and the first announcement of Open Source occurred 30 years ago. "Isn't it time for us to take a look at what we've been doing, and see if we can do better? Well, yes, but we need to preserve Open Source at the same time. Open Source will continue to exist and provide the same rules and paradigm, and the thing that comes after Open Source should be called something else and should never try to pass itself off as Open Source. So far, I call it Post-Open." Post-Open, as he describes it, is a bit more involved than Open Source. It would define the corporate relationship with developers to ensure companies paid a fair amount for the benefits they receive. It would remain free for individuals and non-profit, and would entail just one license. He imagines a simple yearly compliance process that gets companies all the rights they need to use Post-Open software. And they'd fund developers who would be encouraged to write software that's usable by the common person, as opposed to technical experts.

Pointing to popular applications from Apple, Google, and Microsoft, Perens says: "A lot of the software is oriented toward the customer being the product -- they're certainly surveilled a great deal, and in some cases are actually abused. So it's a good time for open source to actually do stuff for normal people." The reason that doesn't often happen today, says Perens, is that open source developers tend to write code for themselves and those who are similarly adept with technology. The way to avoid that, he argues, is to pay developers, so they have support to take the time to make user-friendly applications. Companies, he suggests, would foot the bill, which could be apportioned to contributing developers using the sort of software that instruments GitHub and shows who contributes what to which products. Merico, he says, is a company that provides such software. Perens acknowledges that a lot of stumbling blocks need to be overcome, like finding an acceptable entity to handle the measurements and distribution of funds. What's more, the financial arrangements have to appeal to enough developers. "And all of this has to be transparent and adjustable enough that it doesn't fork 100 different ways," he muses. "So, you know, that's one of my big questions. Can this really happen?"
Perens believes that the General Public License (GPL) is insufficient for today's needs and advocates for enforceable contract terms. He also criticizes non-Open Source licenses, particularly the Commons Clause, for misrepresenting and abusing the open-source brand.

As for AI, Perens views it as inherently plagiaristic and raises ethical concerns about compensating original content creators. He also weighs in on U.S.-China relations, calling for a more civil and cooperative approach to sharing technology.

You can read the full, wide-ranging interview here.
Apple

Apple Vision Pro Tipped For Late January, Early February Release (techcrunch.com)

The Vision Pro, Apple's first "spatial computing" device that costs $3,499, is expected to have a "late-January/early-February" release date, according to Apple analyst Ming-Chi Kuo. "The analyst says that the first wave of Vision Pros are being shipped to Apple in about a month, with total shipments numbering around 500,000 for the full year," adds TechCrunch. From the report: The company's precise target for the year remains an open-ended question. About a month after the device was revealed, reports suggested that Apple has scaled back expectations from around one million to "fewer than 400,000." Even the updated 500,000 figure is small for a company of Apple's massive size and influence. Keep in mind that the company should be shipping more than 200 million iPhones this calendar year.

The Vision Pro, however, is widely regarded as the biggest gambit of Tim Cook's 12-year tenure as CEO. Not only is it an entirely new category and form factor for the company, it's also prohibitively priced, even for customers accustomed to shelling out extra for Apple products. Add to that VR's decades-long failure to live up to expectations, and you've got a big uphill fight on your hands. Kuo refers to Vision Pro as "Apple's most important product of 2024." Given the years of speculation and all the time and money the company has no doubt poured into the headset, it's a tough statement to argue.

Electronic Frontier Foundation

EFF Warns: 'Think Twice Before Giving Surveillance for the Holidays' (eff.org)

"It's easy to default to giving the tech gifts that retailers tend to push on us this time of year..." notes Lifehacker senior writer Thorin Klosowski.

"But before you give one, think twice about what you're opting that person into." A number of these gifts raise red flags for us as privacy-conscious digital advocates. Ring cameras are one of the most obvious examples, but countless others over the years have made the security or privacy naughty list (and many of these same electronics directly clash with your right to repair). One big problem with giving these sorts of gifts is that you're opting another person into a company's intrusive surveillance practice, likely without their full knowledge of what they're really signing up for... And let's not forget about kids. Long subjected to surveillance from elves and their managers, electronics gifts for kids can come with all sorts of surprise issues, like the kid-focused tablet we found this year that was packed with malware and riskware. Kids' smartwatches and a number of connected toys are also potential privacy hazards that may not be worth the risks if not set up carefully.

Of course, you don't have to avoid all technology purchases. There are plenty of products out there that aren't creepy, and a few that just need extra attention during set up to ensure they're as privacy-protecting as possible. While we don't endorse products, you don't have to start your search in a vacuum. One helpful place to start is Mozilla's Privacy Not Included gift guide, which provides a breakdown of the privacy practices and history of products in a number of popular gift categories.... U.S. PIRG also has guidance for shopping for kids, including details about what to look for in popular categories like smart toys and watches....

Your job as a privacy-conscious gift-giver doesn't end at the checkout screen. If you're more tech savvy than the person receiving the item, or you're helping set up a gadget for a child, there's no better gift than helping set it up as privately as possible.... Giving the gift of electronics shouldn't come with so much homework, but until we have a comprehensive data privacy law, we'll likely have to contend with these sorts of set-up hoops. Until that day comes, we can all take the time to help those who need it.

Social Networks

As Reddit CEO Defends Their Controversial API Decision, It Dominates Reddit's Own 'Recaps' (fastcompany.com)

"Reddit CEO Steve Huffman says that he stands by the company's decision to charge for API access," writes the blog 9to5Mac, "despite the fact that it was massively unpopular, and led to the demise of the leading Reddit app, Apollo." In an interview with FastCo, Huffman is unrepentant about the API decision, but says it could have been better communicated... "[H]e defended the company's decision to limit free access to its API as a necessary measure to foil AI-training freeloaders. 'Reddit is an open platform, and we love that,' he told me. 'At the same time, we have been taken advantage of by some of the largest companies in the world.'"
The incident ended up reappearing in Reddit's own "recap" pages showing highlights from its popular subreddits. For its Technology subreddit, the official recap shows that the two most popular posts were "Apollo for Reddit is shutting down" and "Reddit sparks outrage after a popular app developer said it wants him to pay $20 million a year for data access."

And Reddit's official recap also shows that that discussion led to the second-most popular comment of the entire year for the subreddit. "Users supply all the content, and reddit turns around with this huge fuck you to its users, without whom it's just another crappy link aggregator. No, reddit, fuck you and your money grab."

The first most-popular comment appeared in a related discussion, headlined "Reddit Threatens to Remove Moderators From Subreddits Continuing Apollo-Related Blackouts." The comment?

Reddit: You're fired!
Moderator: I don't even work here.

The topic also dominated the official recap for the Programming subreddit, where it was the subject of all three of the top comments — and all three of the year's top posts:

Ironically, FastCo headlined its interview "As the AI era begins, Reddit is leaning into its humanity." ("Rebellious moderators. Large language models' peril and promise. Maybe a long-awaited IPO. Amid it all, Reddit CEO Steve Huffman says the web megacommunity is on a roll.") Other work has addressed concerns that bubbled to the surface during the moderator dust-up, such as accessibility issues: "I told the team, 'Just show up and ship,'" Huffman says. The official Reddit apps are finally compatible with screen readers used by users with vision impairments, with full compliance with the World Wide Web Consortium's accessibility guidelines planned by the end of 2024.

As for AI's potential to transform the Reddit experience, Huffman is less prone to exuberant overpromising than the average tech company CEO. But the same attributes that led third-party assemblers of large language models to crave access to the company's corpus of information could help it leverage the technology to its own benefit... Rather than involving the most obvious AI functionality, like a Reddit chatbot, the examples he provides relate to moderation of problem content. For instance, the latitude that individual moderators have to govern their communities means that they can set rules that Huffman describes as "sometimes strict and sometimes esoteric." Newbies may run afoul of them by accident and have their posts yanked just as they're trying to join the conversation. In response, Reddit is currently prototyping an AI-powered feature called "post guidance." It'll flag rule-violating material before it's ever published: "The new user gets feedback, and the mod doesn't have to deal with it," says Huffman. He adds that Reddit will also use AI to crack down on willful bad behavior, such as bullying and hate speech, and that he expects progress on that front in 2024...

Members already engage in acts of commerce such as tipping Photoshop wizards to remove ex-boyfriends from images; he says the company plans to facilitate these transactions with a payment system "that will basically involve users sending money to users, whether it's rewarding them for content or paying for digital services or digital goods or [physical] services." "People are trying to start businesses on Reddit, but it wasn't really built for that," he adds. "So just trying to flesh out that ecosystem, I think that'll be very powerful."

Power

Android May Soon Tell You When It's Time To Replace Your Phone's Battery (androidauthority.com)

The next version of Android could give you an estimate of your battery's remaining capacity, which naturally degrades over time. "Android 14 laid the initial groundwork for the OS to track battery health information, but Android 15 could actually bring that information in front of users," reports Android Authority. It could also tell you whether your device's battery has been replaced. From the report: The manufacture date and cycle count aren't the only battery-related statistics that Android 14 exposes to apps through new APIs, though. Other battery health details like the date of first use, charging policy, charging status, and state of health are also available. The state of health is particularly interesting because it's an estimate of the battery's current full charge capacity, expressed as a percentage relative to the battery's rated capacity. For example, if your Pixel 8 battery's state of health is measured at 90%, that means its remaining full charge capacity is estimated to be about 4118mAh (compared to the rated 4575mAh).

The Settings app currently doesn't show the battery state of health, but that's set to change in the future, as the latest version of the Settings Services app (an extension to the Settings app on Pixel and other devices) found within Android 14 QPR2 Beta 2 has a new "battery health" page that is set to show the state of health. [...] Strings within the APK suggest this page will show you the "estimated percentage of charge the battery can currently hold compared to when it was new" (i.e. the state of health) before and after "recalibration" of the battery. We don't have the exact details on what "recalibration" entails, but given that one string suggests the "process may take a few weeks," we're guessing that it's simply the system collecting data over a longer period to provide a more accurate estimate of the battery capacity. Meanwhile, the "initial battery health values" are "based on lab results" and hence "may vary from your actual battery state."

[...] We also learned that the Settings app itself will surface "tips" to the user when either the battery capacity is degraded or can't be detected, so the user doesn't have to manually check the "battery health" page. Lastly, we learned that Google is working on exposing more battery-related information to the OS, such as the part status and the serial number. [...] At the very least, we do know that Android will support reading the battery's part status and serial number, provided the battery exposes that information to the OS, and the vendor implements the new version of the Android health HAL. The health HAL is the software responsible for bridging the gap between the OS APIs that read battery/charging information (i.e. everything we talked about before) with the software that controls the battery/charging chips. Version 2.0 of the health HAL needs to be implemented to support all the new Android 14 battery health APIs like state of health, which is why so few devices support that right now.

Security

Comcast Discloses Data Breach of Close To 36 Million Xfinity Customers [UPDATE] (techcrunch.com)

In a notice on Monday, Xfinity notified customers of a "data security incident" that resulted in the theft of customer information, including usernames, passwords, contact information, and more. The Verge reports: Xfinity traces the breach to a security vulnerability disclosed by cloud computing company Citrix, which began alerting customers of a flaw in software Xfinity and other companies use on October 10th. While Xfinity says it patched the security hole, it later uncovered suspicious activity on its internal systems "that was concluded to be a result of this vulnerability."

The hack resulted in the theft of customer usernames and hashed passwords, according to Xfinity's notice. Meanwhile, "some customers" may have had their names, contact information, last four digits of their social security numbers, dates of birth, and / or secret questions and answers exposed. Xfinity has notified federal law enforcement about the incident and says "data analysis is continuing."

We still don't know how many users were affected by the breach. Xfinity will automatically ask customers to change their passwords the next time they log in to their accounts, and it's also encouraging users to turn on two-factor authentication. You can find the full notice, including contact information for the company's incident response team, on Xfinity's website (PDF).
UPDATE 12/19/23: According to TechCrunch, almost 36 million Xfinity customers had their sensitive information accessed by hackers via a vulnerability known as "CitrixBleed." The vulnerability is "found in Citrix networking devices often used by big corporations and has been under mass-exploitation by hackers since late August," the report says. "Citrix made patches available in early October, but many organizations did not patch in time. Hackers have used the CitrixBleed vulnerability to hack into big-name victims, including aerospace giant Boeing, the Industrial and Commercial Bank of China and international law firm Allen & Overy."

"In a filing with Maine's attorney general, Comcast confirmed that almost 35.8 million customers are affected by the breach. Comcast's latest earnings report shows the company has more than 32 million broadband customers, suggesting this breach has impacted most, if not all Xfinity customers."
Businesses

FTC is Investigating Adobe Over Its Rules for Canceling Software Subscriptions (fortune.com)

Adobe said US regulators are probing the company's cancellation rules for software subscriptions, an issue that has long been a source of ire for customers. From a report: The company has been cooperating with the Federal Trade Commission on a civil investigation of the issue since June 2022, Adobe said Wednesday in a filing. A settlement could involve "significant monetary costs or penalties," the company said.

Users of Adobe programs including Photoshop and Premiere have long complained about the expense of canceling a subscription, which can cost more than $700 annually for individuals. Subscribers must cancel within two weeks of buying a subscription to receive a full refund; otherwise, they incur a prorated penalty. Some other digital services such as Spotify and Netflix don't charge a cancellation fee. Digital subscriptions have been a recent focus for the FTC. It proposed a rule in March that consumers must be able to cancel subscriptions as easily as they sign up for them.

"Too often, companies make it difficult to unsubscribe from a service, wasting Americans' time and money on things they may not want or need," President Joe Biden said in a social media post at the time. Adobe said the FTC alerted the company in November that commission staff say "they had the authority to enter into consent negotiations to determine if a settlement regarding their investigation of these issues could be reached. We believe our practices comply with the law and are currently engaging in discussion with FTC staff."

Power

Solar and Wind To Top Coal Power In US For First Time In 2024 (evwind.es)

An anonymous reader quotes a report from REVE News: The U.S. Energy Information Administration (EIA) expects, for the first year on record, combined electricity generation from wind and solar to surpass generation from coal in 2024. EIA expects solar generation in 2024 to increase 39% (228 kilowatthours) from 2023, driven by continued increases in solar capacity. "Renewables, particularly solar photovoltaics, are growing rapidly and making large contributions to electricity generation," DeCarolis said.

EIA expects natural gas prices to be $2.77 per million British thermal units this winter, about 23% lower than previously forecast. The winter season is off to a warmer-than-expected start, so U.S. households are consuming less natural gas for heat than expected. The lower natural gas consumption is also contributing to rising U.S. natural gas inventories, which typically results in lower prices. "We're seeing record domestic natural gas production paired with lower-than-expected natural gas demand, and we expect that is going to push prices lower this winter season," DeCarolis said. EIA will publish its next STEO on January 9, 2024, including the agency's first forecasts for the energy sector through 2025.
The full report is available on the EIA website.
Movies

Netflix Releases Viewing Numbers For 18,000 Titles For First Time (hollywoodreporter.com)

For the first time, Netflix has released a comprehensive report of what people watched on the platform over a six month period. It includes hours viewed for every title, the premiere date for any Netflix show and movie, and whether a title was available globally. From the Hollywood Reporter: The list includes worldwide viewing for more than 18,000 movies and seasons of TV (18,214, to be exact) between January and June. Those 18,214 titles all had at least 50,000 hours of viewing over those six months, encompassing about 99 percent of all viewing on Netflix, vp strategy and analysis Lauren Smith told reporters during a presentation of the data on Tuesday. It is the deepest dive into viewing that Netflix (or any other streamer) has ever made public.

Among the highlights: The Night Agent was the biggest title on Netflix in the first half of 2023, racking up 812.1 million hours of viewing. Season two of Ginny & Georgia was second at 665.1 million hours, followed by Korean drama The Glory (622.8 million hours). Wednesday ranked fourth at 507.7 million hours of viewing, despite being released in November 2022. The company is using total hours viewed in this report as a way to measure engagement by its users rather than the "view" formula (total viewing hours divided by running time) it employs to compare titles in its weekly top 10 lists.

Original series and movies dominate the top of the chart, but Smith said the split between original and licensed titles was more even: About 55 percent of viewing was for originals and 45 percent was for licensed shows and films. Suits, which dominated the Nielsen U.S. streaming charts for much of the summer and fall, had a combined 599 million hours of viewing worldwide on Netflix across all nine seasons. The show's first season ranked highest, coming in 67th place with 129.1 million hours. At the other end, a little more than 20 percent of the titles on Netflix's list (3,813 in all) had very little viewing. The company rounded them to 100,000 hours but they would fall between 50,000 and 149,999 hours -- barely a drop in the streamer's more than 100 billion total hours of viewing for the six months.
The full "What We Watched: A Netflix Engagement Report" can be downloaded here.
Robotics

Animatronic Robots Make Their Last Stand at Atari Founder's 'Chuck E. Cheese' (msn.com)

Five years after founding Atari in 1972, Nolan Bushnell started work on a chain of pizza restaurants with singing animatronic robots and videogames — called Chuck E. Cheese's Pizza Time Theatre. While 600 of the restaurants still operate today, "the company is in the process of remodeling its more than 400 U.S. locations," reports the Los Angeles Times, "and the last 30 or so remaining animatronic bands are being shown the door in favor of interactive dance floors and large screens that feature Chuck E. and pals in animated form." That is, they're being evicted everywhere but Northridge, Los Angeles... The goal — or hope — for the company is to have at least one location that can serve both new generations as well as nostalgia hunters, especially fans of animatronic figures.

Animatronics have long been the stars of themed entertainment, at least as long as Disneyland has been putting mechanical creatures in its rides and shows. In the '80s and '90s, theme parks began switching to screen-based entertainment to mirror blockbuster movies, but today animatronics have been making a comeback. The recent makeover, for instance, of Disneyland's Adventureland Treehouse came with the addition of multiple animatronic figures, and Universal Studios' Super Nintendo World is full of mechanical kinetic energy from an assortment of characters. Additionally, this year's video game-inspired movie "Five Nights at Freddy's" is centered on a haunted pizzeria where the animatronics become sentient. The film is indicative of the cult fandom that has long existed around Chuck E. Cheese and its former competitor ShowBiz Pizza Place, as evidenced by the documentary "The Rock-afire Explosion," which charts the pizza and animatronic band wars of the '80s...

Restaurant franchise's CEO David McKillips says the company is acknowledging not just changing technological tastes but the realities of maintaining animatronic groups, which are programmed in Texas but maintained locally. "These are decades old, and we have a dedicated technician at every single location who spends a fair amount of time making sure the animatronics are working properly," McKillips says, adding that "it's a fairly complex issue" to keep the bands up and running.

The animatronic band's final restaurant hopes to become a tourist destination offering "retro glory," according to the article. (The robots are still powered by floppy disks.) And there are fans who still fondly remember the singing robots, judging by an episode of The Simpsons where Homer hunts down the last animatronic robots that sang in a 1970s chain of pizza parlors, titled "Do Pizza Bots Dream of Electric Guitars."

Unfortunately, in the episode Homer has to compete with a reboot-minded J. J. Abrams...
Earth

Saudi-Led Fight Against COP28 Deal 'Outrageous', Shows 'Panic' Officials Say

"U.S. lawmakers and ministers from around the world blasted a letter that emerged Friday night, warning OPEC member states to resist calls at the COP28 climate summit for a fossil fuel phase-out," reports Axios: The letter has shaken up the climate talks in a critical phase, as nations spar over whether to include historic language in an emerging climate agreement that calls for a phase-out of fossil fuels... "OPEC's letter is outrageous. OPEC wants to talk about emissions, but not the source of the emissions," said Sen. Ed Markey (D-MA), who is visiting COP28 as part of a congressional delegation. "It would be like the tobacco industry saying you can talk about lung cancer, but you can't talk about cigarettes. It's outrageous, it's preposterous," he told Axios. "The extent to which they had the nerve to write such a preposterous letter, just shows you how much in denial they still are." The letter, reportedly sent by the OPEC secretary general to all 13 member nations and 10 members of the larger OPEC+ coalition on Dec. 6, warned of the possibility of a tipping point toward a COP28 outcome containing language calling for a phase-out of fossil fuels.
Reuters reports that "It was the first time OPEC's Secretariat has intervened in the U.N. climate talks with such a letter, according to Alden Meyer of the E3G climate change think tank. 'It indicates a whiff of panic,' he said."

More from Politico: The full-scale resistance that oil-exporting countries are mounting against a COP28 deal to end fossil fuel use is a sign of "panic," said Germany's climate envoy... [T]o Jennifer Morgan, Germany's special envoy for international climate action, the letter was also a rare admission from the oil industry that these climate talks pose an existential threat to its business model...

As the talks speed toward a close, officials are working to craft language that can get support from the nearly 200 countries participating in the process. It will be up to the UAE presidency of COP28 to attempt to find consensus. Draft text over the weekend offered several options for a pledge to "phase out" fossil fuels, all with various caveats. But several people close to the talks said that Saudi Arabia and the Arab group of negotiators have resisted such language, including storming out of one meeting room, according to one observer of the process granted anonymity to discuss the closed-door talks.

"We have raised our consistent concerns with attempts to attack energy sources instead of emissions," Saudi Arabia's Albara Tawfiq said during Sunday's public session.

The Guardian adds that "there is some optimism coming from the discussions." Catherine Abreu, the executive director of Destination Zero, said: "In eight years of attending climate talks, I have never felt more that we were talking about what really matters. Hearing ministers from all around the world talk straight about the realities of phasing out fossil fuels is something I could not have imagined happening in this process even two years ago. "What's clear after this Majlis dialogue at Cop28 is that there is overwhelming consensus that phasing out fossil fuels and scaling up renewable energy is absolutely necessary to hold to the promise of the Paris Agreement and keep the hope of 1.5 alive."
Businesses

From Unicorns To Zombies: Tech Startups Run Out of Time and Money (nytimes.com)

After staving off collapse by cutting costs, many young tech companies are out of options, fueling a cash bonfire. From a report: WeWork raised more than $11 billion in funding as a private company. Olive AI, a health care start-up, gathered $852 million. Convoy, a freight start-up, raised $900 million. And Veev, a home construction start-up, amassed $647 million. In the last six weeks, they all filed for bankruptcy or shut down. They are the most recent failures in a tech start-up collapse that investors say is only beginning. After staving off mass failure by cutting costs over the past two years, many once-promising tech companies are now on the verge of running out of time and money. They face a harsh reality: Investors are no longer interested in promises. Rather, venture capital firms are deciding which young companies are worth saving and urging others to shut down or sell.

It has fueled an astonishing cash bonfire. In August, Hopin, a start-up that raised more than $1.6 billion and was once valued at $7.6 billion, sold its main business for just $15 million. Last month, Zeus Living, a real estate start-up that raised $150 million, said it was shutting down. Plastiq, a financial technology start-up that raised $226 million, went bankrupt in May. In September, Bird, a scooter company that raised $776 million, was delisted from the New York Stock Exchange because of its low stock price. Its $7 million market capitalization is less than the value of the $22 million Miami mansion that its founder, Travis VanderZanden, bought in 2021. "As an industry we should all be braced to hear about a lot more failures," said Jenny Lefcourt, an investor at Freestyle Capital. "The more money people got before the party ended, the longer the hangover."

Getting a full picture of the losses is difficult since private tech companies are not required to disclose when they go out of business or sell. The industry's gloom has also been masked by a boom in companies focused on artificial intelligence, which has attracted hype and funding over the last year. But approximately 3,200 private venture-backed U.S. companies have gone out of business this year, according to data compiled for The New York Times by PitchBook, which tracks start-ups. Those companies had raised $27.2 billion in venture funding. PitchBook said the data was not comprehensive and probably undercounts the total because many companies go out of business quietly. It also excluded many of the largest failures that went public, such as WeWork, or that found buyers, like Hopin.

Bug

Nearly Every Windows and Linux Device Vulnerable To New LogoFAIL Firmware Attack (arstechnica.com) 69

"Researchers have identified a large number of bugs to do with the processing of images at boot time," writes longtime Slashdot reader jd. "This allows malicious code to be installed undetectably (since the image doesn't have to pass any validation checks) by appending it to the image. None of the current secure boot mechanisms are capable of blocking the attack." Ars Technica reports: LogoFAIL is a constellation of two dozen newly discovered vulnerabilities that have lurked for years, if not decades, in Unified Extensible Firmware Interfaces responsible for booting modern devices that run Windows or Linux. The vulnerabilities are the product of almost a year's worth of work by Binarly, a firm that helps customers identify and secure vulnerable firmware. The vulnerabilities are the subject of a coordinated mass disclosure released Wednesday. The participating companies comprise nearly the entirety of the x64 and ARM CPU ecosystem, starting with UEFI suppliers AMI, Insyde, and Phoenix (sometimes still called IBVs or independent BIOS vendors); device manufacturers such as Lenovo, Dell, and HP; and the makers of the CPUs that go inside the devices, usually Intel, AMD or designers of ARM CPUs. The researchers unveiled the attack on Wednesday at the Black Hat Security Conference in London.

As its name suggests, LogoFAIL involves logos, specifically those of the hardware seller that are displayed on the device screen early in the boot process, while the UEFI is still running. Image parsers in UEFIs from all three major IBVs are riddled with roughly a dozen critical vulnerabilities that have gone unnoticed until now. By replacing the legitimate logo images with identical-looking ones that have been specially crafted to exploit these bugs, LogoFAIL makes it possible to execute malicious code at the most sensitive stage of the boot process, which is known as DXE, short for Driver Execution Environment. "Once arbitrary code execution is achieved during the DXE phase, it's game over for platform security," researchers from Binarly, the security firm that discovered the vulnerabilities, wrote in a whitepaper. "From this stage, we have full control over the memory and the disk of the target device, thus including the operating system that will be started." From there, LogoFAIL can deliver a second-stage payload that drops an executable onto the hard drive before the main OS has even started. The following video demonstrates a proof-of-concept exploit created by the researchers. The infected device -- a Gen 2 Lenovo ThinkCentre M70s running an 11th-Gen Intel Core with a UEFI released in June -- runs standard firmware defenses, including Secure Boot and Intel Boot Guard.
LogoFAIL vulnerabilities are tracked under the following designations: CVE-2023-5058, CVE-2023-39538, CVE-2023-39539, and CVE-2023-40238. However, this list is currently incomplete.

"A non-exhaustive list of companies releasing advisories includes AMI (PDF), Insyde, Phoenix, and Lenovo," reports Ars. "People who want to know if a specific device is vulnerable should check with the manufacturer."

"The best way to prevent LogoFAIL attacks is to install the UEFI security updates that are being released as part of Wednesday's coordinated disclosure process. Those patches will be distributed by the manufacturer of the device or the motherboard running inside the device. It's also a good idea, when possible, to configure UEFIs to use multiple layers of defenses. Besides Secure Boot, this includes both Intel Boot Guard and, when available, Intel BIOS Guard. There are similar additional defenses available for devices running AMD or ARM CPUs."
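The bug class Ars describes above is a boot-time image parser that trusts dimension and offset fields inside the image it is decoding. The following is an added example, not code from Binarly or any UEFI vendor, that shows the shape of the check such a parser needs: every size-related header field of a BMP is validated against the real buffer length before it is used to compute a read. The `MAX_DIM` and `MAX_FILE` limits are assumed values chosen for the example, and `build_bmp` only constructs sample input (including deliberately forged headers) so the validator can be exercised offline.

```python
import struct

# Limits a boot-logo parser could reasonably enforce. These are assumed
# values for this example, not figures from any vendor's firmware.
MAX_DIM = 4096
MAX_FILE = 4 * 1024 * 1024


def build_bmp(width, height, pixels, declared_offset=None, declared_width=None):
    """Construct a 24-bit BMP in memory (sample data for this example).

    declared_offset / declared_width let the caller forge header fields that
    disagree with the bytes actually present, mimicking a crafted logo file.
    """
    stride = ((width * 24 + 31) // 32) * 4          # rows are padded to 4 bytes
    rows = []
    for y in range(height):
        row = b"".join(bytes(p) for p in pixels[y])
        rows.append(row + b"\x00" * (stride - len(row)))
    pixel_data = b"".join(rows)
    offset = 54                                      # 14-byte file header + 40-byte DIB header
    file_size = offset + len(pixel_data)
    header = struct.pack("<2sIHHI", b"BM", file_size, 0, 0,
                         offset if declared_offset is None else declared_offset)
    dib = struct.pack("<IiiHHIIiiII", 40,
                      width if declared_width is None else declared_width,
                      height, 1, 24, 0, len(pixel_data), 2835, 2835, 0, 0)
    return header + dib + pixel_data


def validate_bmp(data):
    """Return (ok, reason).

    Nothing from the header is trusted: the file-size field is ignored in
    favour of len(data), dimensions are range-checked before any arithmetic,
    and the computed pixel region must fit inside the buffer we were given.
    """
    if len(data) < 54:
        return False, "truncated header"
    magic, _file_size, _r1, _r2, offset = struct.unpack_from("<2sIHHI", data, 0)
    if magic != b"BM":
        return False, "bad magic"
    dib_size, width, height, planes, bpp = struct.unpack_from("<IiiHH", data, 14)
    if dib_size < 40:
        return False, "unsupported DIB header"
    if planes != 1 or bpp not in (1, 4, 8, 16, 24, 32):
        return False, "bad planes/bpp"
    # Range-check before multiplying: a huge width alone must not be enough
    # to push the stride computation past what the buffer can hold.
    if width <= 0 or height == 0 or width > MAX_DIM or abs(height) > MAX_DIM:
        return False, "dimensions out of range"
    stride = ((width * bpp + 31) // 32) * 4
    needed = offset + stride * abs(height)
    if offset < 14 + dib_size or needed > len(data) or len(data) > MAX_FILE:
        return False, "pixel data exceeds buffer"
    return True, "ok"


if __name__ == "__main__":
    pix = [[(255, 0, 0), (0, 255, 0)], [(0, 0, 255), (0, 0, 0)]]
    print(validate_bmp(build_bmp(2, 2, pix)))
    print(validate_bmp(build_bmp(2, 2, pix, declared_offset=100000)))
    print(validate_bmp(build_bmp(2, 2, pix, declared_width=1 << 20)))
```

The same discipline applies to every other format a firmware decodes: derive sizes from the buffer you actually hold, bound each field before it participates in arithmetic, and reject anything that does not add up rather than clamping it.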
The Almighty Buck

First Results From the World's Biggest Basic Income Experiment (vox.com) 168

GiveDirectly, a nonprofit providing cash assistance to low-income households, is conducting a large-scale basic income experiment in rural Kenya, giving varying payment structures to recipients. "It is giving around 6,000 people in rural Kenya a little more than $20 a month, every month, starting in 2016 and going until 2028," reports Vox's Dylan Matthews. "Tens of thousands more people are getting shorter-term or differently structured payments." Matthews reports on some of the early findings of the experiment: The latest research on the GiveDirectly pilot, done by MIT economists Tavneet Suri and Nobel Prize winner Abhijit Banerjee, compares three groups: short-term basic income recipients (who got the $20 payments for two years), long-term basic income recipients (who get the money for the full 12 years), and lump sum recipients, who got $500 all at once, or roughly the same amount as the short-term basic income group. The paper is still being finalized, but Suri and Banerjee shared some results on a call with reporters this week. By almost every financial metric, the lump sum group did better than the monthly payment group. Suri and Banerjee found that the lump sum group earned more, started more businesses, and spent more on education than the monthly group. "You end up seeing a doubling of net revenues" -- or profits from small businesses -- in the lump sum group, Suri said. The effects were about half that for the short-term $20-a-month group.

The explanation they arrived at was that the big $500 all at once provided valuable startup capital for new businesses and farms, which the $20 a month group would need to very conscientiously save over time to replicate. "The lump sum group doesn't have to save," Suri explains. "They just have the money upfront and can invest it." Intriguingly, the results for the long-term monthly group, which will receive about $20 a month for 12 years rather than two, had results that looked more like the lump sum group. The reason, Suri and Banerjee find, is that they used rotating savings and credit associations (ROSCAs). These are institutions that sprout up in small communities, especially in the developing world, where members pay small amounts regularly into a common fund in exchange for the right to withdraw a larger amount every so often. "It converts the small streams into lump sums," Suri summarizes. "We see that the long-term arm is actually using ROSCAs. A lot of their UBI is going into ROSCAs to generate these lump sums they can use to invest." [...]

As you might expect, given how entrepreneurially minded the recipients are, the researchers found no evidence that any of the payments discouraged work or increased purchases of alcohol -- two common criticisms of direct cash giving. In fact, so many people who used to work for wages instead started businesses that there was less competition for wage work, and overall wages in villages rose as a result. And they found one major advantage for monthly payments over lump sum ones, despite the big benefits of lump sum payments for business formation. People who got monthly checks were generally happier and reported better mental health than lump sum recipients. [...] I think this points to the takeaway from this research not being "just give people a lump sum no matter what." Ideally, you could ask specific people how they would prefer to get money. ... [L]ong-term monthly payments seem to offer the best of all worlds because they enable people to use ROSCAs to generate lump sum payments when they want them. That enables flexibility: People who want monthly payments can get them, and people who need cash upfront can organize with their peers to get that.

Security

Exposed Hugging Face API Tokens Offered Full Access To Meta's Llama 2 (theregister.com) 11

The API tokens of tech giants Meta, Microsoft, Google, VMware, and more have been found exposed on Hugging Face, opening them up to potential supply chain attacks. From a report: Researchers at Lasso Security found more than 1,500 exposed API tokens on the open source data science and machine learning platform -- which allowed them to gain access to 723 organizations' accounts. In the vast majority of cases (655), the exposed tokens had write permissions granting the ability to modify files in account repositories. A total of 77 organizations were exposed in this way, including Meta, EleutherAI, and BigScience Workshop - which run the Llama, Pythia, and Bloom projects respectively.

The three companies were contacted by The Register for comment but Meta and BigScience Workshop did not respond at the time of publication, although all of them closed the holes shortly after being notified. Hugging Face is akin to GitHub for AI enthusiasts and hosts a plethora of major projects. More than 250,000 datasets are stored there and more than 500,000 AI models are too. The researchers say that if attackers had exploited the exposed API tokens, it could have led to them swiping data, poisoning training data, or stealing models altogether, impacting more than 1 million users.
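Tokens like the ones Lasso found typically leak because they are pasted into training scripts, notebooks or `.env` files that then get committed. The following is an added example, not code from Lasso Security or Hugging Face, of the kind of pre-commit scan that catches that. It assumes Hugging Face user access tokens carry the `hf_` prefix followed by a run of at least 20 letters and digits (the prefix is the documented one; the minimum length is an assumption for the pattern). The file contents are constructed sample data embedded in the block.

```python
import re

# Assumption: Hugging Face user tokens look like "hf_" + alphanumerics.
# The minimum run length of 20 is a conservative choice for the example.
TOKEN_RE = re.compile(r"\bhf_[A-Za-z0-9]{20,}\b")

# Constructed sample files; the tokens are made-up strings, not real secrets.
SAMPLE_FILES = {
    "train.py": (
        "from huggingface_hub import login\n"
        "login(token='hf_EXAMPLEabcdefghijklmnopqrstuvwxyz0123')  # TODO remove\n"
        "model = AutoModel.from_pretrained('org/model')\n"
    ),
    ".env": "HF_TOKEN=hf_EXAMPLE0123456789abcdefghijklmnop\nDEBUG=1\n",
    "README.md": (
        "Set HF_TOKEN in your environment (looks like hf_xxx) before running.\n"
        "Never commit the token.\n"
    ),
}


def redact(token):
    """Keep enough of the token to identify it in a report without reprinting it."""
    return token[:6] + "..." + token[-4:]


def scan_text(path, text):
    """Return (path, line_number, redacted_token) for each token found in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            findings.append((path, lineno, redact(match.group(0))))
    return findings


def find_tokens(files):
    """Scan a mapping of path -> contents, as a pre-commit hook would over the staged files."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for path, lineno, tok in find_tokens(SAMPLE_FILES):
        print(f"{path}:{lineno}: possible Hugging Face token {tok}")
```

Wire `find_tokens` over the staged file list in a pre-commit hook and fail the commit on any finding; a leaked token should be revoked on the platform, not merely removed from history, since write-scoped tokens are what gave the researchers the ability to modify repositories.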

Security

Is There Really a Shortage of Information Security Workers? (medium.com) 87

What's behind a supposed shortage of cybersecurity workers? Last month cybersecurity professional Ben Rothke questioned whether a "shortage" even existed. Instead Rothke argued that human resources "needs to understand how to effectively hire information security professionals. Expecting an HR generalist to find information security specialists is a fruitless endeavor at best."

Rothke — a founding member of the Cloud Security Alliance — contacted Slashdot this week with "a follow-up piece" arguing there's another problem. "How can you know how many security jobs there are if there's no real statistical data available?" (Most articles on the topic cite the exact same two studies, which Rothke sees as "not statistically defendable.") Which begs the question — how many information security jobs are there? The short answer is that no one has a clue. The problem is that there is no statistically verifiable and empirically researched data on the number of current information security jobs and what the future holds. All data to date is based on surveys and extrapolations, which is a poor way to do meaningful statistical research... Based on LinkedIn job postings, veteran industry analyst Richard Stiennon found 15,849 job openings at 1,433 cybersecurity vendors. As to the millions of security jobs, he notes that the same could be extrapolated for office administrators. There are millions of companies, but it's not like they all will need full-time security people.

Helen Patton is a veteran information security professional and CISO at Cisco Security Business Group, and the author of Navigating the Cybersecurity Career Path. As to the security jobs crisis, she notes that there are plenty of talented and capable people looking for jobs, and feels there is, in fact, no crisis at all. Instead, she says part of the issue is hiring managers who don't truly stop to think about the skills required for a role, and how a candidate can demonstrate those skills. What they do is post jobs that ask for false proxies for experience — degrees, certifications, work experience — and as a consequence, they are looking for candidates that don't exist. She suggests that fixing the hiring process will go a lot further to close the skills gap than training a legion of new people.

Challenging this supposed glut of unfilled positions, Rothke also shares some recent stories from people who've recently looked for information security jobs. ("He tried to explain to the CIO that Agile was not an appropriate methodology for security projects unless they were primarily software-based. The CIO replied, 'oh the CIO at Chase would tell you differently.' Not realizing that most projects at the bank are software-based.") If you want to know how few information security jobs there really are — speak to people who have graduated from security bootcamps and master's degree programs, and they will tell you the challenges they are facing... That's not to say there are not lots of information security jobs. It's just that there are not the exaggerated and hyperbolic amounts that are reported.
Government

Brazilian City Enacts an Ordinance That Was Secretly Written By ChatGPT 41

An anonymous reader quotes a report from the Associated Press: City lawmakers in Brazil have enacted what appears to be the nation's first legislation written entirely by artificial intelligence -- even if they didn't know it at the time. The experimental ordinance was passed in October in the southern city of Porto Alegre and city councilman Ramiro Rosario revealed this week that it was written by a chatbot, sparking objections and raising questions about the role of artificial intelligence in public policy. Rosario told The Associated Press that he asked OpenAI's chatbot ChatGPT to craft a proposal to prevent the city from charging taxpayers to replace water consumption meters if they are stolen. He then presented it to his 35 peers on the council without making a single change or even letting them know about its unprecedented origin.

"If I had revealed it before, the proposal certainly wouldn't even have been taken to a vote," Rosario told the AP by phone on Thursday. The 36-member council approved it unanimously and the ordinance went into effect on Nov. 23. "It would be unfair to the population to run the risk of the project not being approved simply because it was written by artificial intelligence," he added. [...] Keeping the proposal's origin secret was intentional. Rosario told the AP his objective was not just to resolve a local issue, but also to spark a debate. He said he entered a 49-word prompt into ChatGPT and it returned the full draft proposal within seconds, including justifications.

"I am convinced that ... humanity will experience a new technological revolution," he said. "All the tools we have developed as a civilization can be used for evil and good. That's why we have to show how it can be used for good." And the council president [Hamilton Sossmeier], who initially decried the method, already appears to have been swayed. "I changed my mind," Sossmeier said. "I started to read more in depth and saw that, unfortunately or fortunately, this is going to be a trend."
Security

ownCloud Vulnerability With Maximum 10 Severity Score Comes Under 'Mass' Exploitation (arstechnica.com) 20

An anonymous reader quotes a report from Ars Technica: Security researchers are tracking what they say is the "mass exploitation" of a security vulnerability that makes it possible to take full control of servers running ownCloud, a widely used open source file-sharing server app. The vulnerability, which carries the maximum severity rating of 10, makes it possible to obtain passwords and cryptographic keys allowing administrative control of a vulnerable server by sending a simple Web request to a static URL, ownCloud officials warned last week. Within four days of the November 21 disclosure, researchers at security firm Greynoise said, they began observing "mass exploitation" in their honeypot servers, which masqueraded as vulnerable ownCloud servers to track attempts to exploit the vulnerability. The number of IP addresses sending the web requests has slowly risen since then. At the time this post went live on Ars, it had reached 13.

CVE-2023-49103 resides in versions 0.2.0 and 0.3.0 of graphapi, an app that runs in some ownCloud deployments, depending on the way they're configured. A third-party code library used by the app provides a URL that, when accessed, reveals configuration details from the PHP-based environment. In last week's disclosure, ownCloud officials said that in containerized configurations -- such as those using the Docker virtualization tool -- the URL can reveal data used to log in to the vulnerable server. The officials went on to warn that simply disabling the app in such cases wasn't sufficient to lock down a vulnerable server. [...]

To fix the ownCloud vulnerability under exploitation, ownCloud advised users to: "Delete the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. Additionally, we disabled the phpinfo function in our docker-containers. We will apply various hardenings in future core releases to mitigate similar vulnerabilities.

We also advise to change the following secrets:
- ownCloud admin password
- Mail server credentials
- Database credentials
- Object-Store/S3 access-key"
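The advisory above names the file to delete, and the Ars report describes Greynoise counting source IPs hitting it. An operator's first question is whether their own server was probed, and whether any of those requests were served before the file was removed. The following is an added example, not code from ownCloud or Greynoise, that answers both from a web server access log. It assumes the combined log format used by Apache and nginx and matches on the path suffix from the advisory; the log lines are constructed sample data.

```python
import re
from collections import Counter

# Path of the file ownCloud advises deleting, as it appears under the web root
# (the leading "owncloud/" segment varies by deployment, so we match the suffix).
GRAPHAPI_PHPINFO = "/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log (documentation IP ranges); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Nov/2023:10:01:02 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Nov/2023:10:01:05 +0000] "GET /owncloud/index.php/login HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Nov/2023:11:14:40 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php?x=1 HTTP/1.1" 404 196 "-" "python-requests/2.31"
192.0.2.44 - - [25/Nov/2023:12:00:00 +0000] "GET /owncloud/status.php HTTP/1.1" 200 140 "-" "curl/8.4.0"
198.51.100.7 - - [26/Nov/2023:09:30:11 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
"""


def scan_access_log(lines):
    """Return one record per request for the graphapi phpinfo test file."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line; skip rather than crash
        path = m.group("path").split("?", 1)[0]   # ignore any query string
        if path.endswith(GRAPHAPI_PHPINFO):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": int(m.group("status")), "path": path})
    return hits


def summarize(hits):
    """Distinct probing IPs, and how many probes were actually served.

    A 200 means the test file was still present when that request arrived,
    so the configuration it exposes must be treated as disclosed and the
    secrets listed in the advisory rotated. A 404 is what you expect after
    the file has been deleted.
    """
    ips = Counter(h["ip"] for h in hits)
    return {
        "distinct_ips": len(ips),
        "served": sum(1 for h in hits if h["status"] == 200),
        "not_found": sum(1 for h in hits if h["status"] == 404),
        "first_seen": hits[0]["ts"] if hits else None,
    }


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["path"]}')
    print(summarize(found))
```

Run it over the full retention window, not just the days since disclosure: the report notes the bug had been exploitable in graphapi 0.2.0 and 0.3.0 before anyone was watching, and a served request from before the patch date is the signal that the secret rotation step of the advisory is not optional.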

Windows

Samsung Expands In-house Web Browser To Windows (sammobile.com) 39

An anonymous reader shares a report: The biggest benefit Samsung Internet on a desktop operating system will provide is the syncing of browsing data between your phone and PC, the lack of which has prevented many users from using Samsung Internet as their primary browser app on their phones and tablets. Unfortunately, Samsung hasn't yet implemented full-fledged sync support on Samsung Internet for Windows. While you can log in with your Samsung account, only browsing history, bookmarks, saved pages and open tabs can be synced at this time. Password syncing is not available, which hopefully won't remain the case for long.

The first time you run Samsung Internet on Windows, you can import browsing history, bookmarks/favorites, and search engines from other browsers, including Google Chrome and Microsoft Edge. You can also import bookmarks using an HTML file. As for other features, Samsung Internet on Windows has ad blocker support, a secret (incognito) mode, extension support, light and dark mode themes, and a few others. Since Samsung Internet is based on the open-source Chromium project like Chrome and Microsoft Edge, it should support extensions and add-ons that work on those browsers.

Red Hat Software

RHEL 10 Plans To Drop X.Org Server Except For XWayland (redhat.com) 96

"Red Hat is going to do away with the X.Org server and support Wayland and XWayland for apps that currently (or only) run on X11," writes Slashdot reader motang. Red Hat's Carlos Soriano Sanchez confirmed on the Red Hat blog: "The result of this evaluation is that, while there are still some gaps and applications that need some level of adaptation, we believe the Wayland infrastructure and ecosystem are in good shape, and that we're on a good path for the identified blockers to be resolved by the time RHEL 10 is out, planned to be released on the first half of 2025.

With this, we've decided to remove Xorg server and other X servers (except Xwayland) from RHEL 10 and the following releases. Xwayland should be able to handle most X11 clients that won't immediately be ported to Wayland, and if needed, our customers will be able to stay on RHEL 9 for its full life cycle while resolving the specifics needed for transitioning to a Wayland ecosystem. It's important to note that "Xorg Server" and "X11" are not synonymous, X11 is a protocol that will continue to be supported through Xwayland, while the Xorg Server is one of the implementations of the X11 protocol.
[...]
This decision will allow us to focus our efforts starting from RHEL 10 solely on a modern stack and ecosystem. This means we will be able to tackle problems such as HDR, increased security, setups with mixed low and high density displays or very high density displays, better GPU/Display hot-plugging, better gestures and scrolling, and so on. We are confident that Wayland will provide a solid platform and we're excited to work with the community and all of our partners and customers on building the future for Linux."
