Power

IEA Lowers Renewables Forecast For Clean Hydrogen (reuters.com)

Although hydrogen-dedicated renewable energy capacity is expected to increase by 45 GW between 2022 and 2028, the estimates are 35% lower than what the International Energy Agency (IEA) forecasted a year ago. Reuters reports: There is growing political momentum for low-emission hydrogen but actual implementation has been held up by uncertain demand outlooks, a lack of clarity in regulatory frameworks, and a lack of infrastructure to deliver hydrogen to end users, the IEA said in an emailed response to questions. Slow progress on real-world implementation "is a consequence of barriers that could be expected in a sector that needs to build up new and complex value chains," the IEA said. Uncertainties have been exacerbated by inflation and sluggish policy implementation.

Expected renewable energy capacity for hydrogen production represents just 7% of the capacity pledged for the same period and one tenth the sum of government targets for 2030, IEA said in its report. Around 75% of expected capacity is based in three countries, with China taking the lion's share, followed by Saudi Arabia and the United States, the IEA says.

China

FBI Director Warns Chinese Hackers Aim To 'Wreak Havoc' On US Critical Infrastructure (nbcnews.com)

"China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike," said FBI Director Christopher Wray in a prepared testimony before the House Select Committee on the Chinese Communist Party. NBC News reports: Wray also argued that "there has been far too little public focus" that Chinese hackers are targeting critical infrastructure in the U.S. such as water treatment plants, electrical grids, oil and natural gas pipelines, and transportation systems, according to the prepared remarks. "And the risk that poses to every American requires our attention -- now," his prepared testimony said.

As Wray testified, the Justice Department and FBI announced they had disabled a Chinese hacking operation that had infected hundreds of small office and home routers with botnet malware that targeted critical infrastructure. The DOJ said the hackers, known to the private sector as "Volt Typhoon," used privately owned small routers that were infected with "KV botnet" malware to conceal further Chinese hacking activities against U.S. and foreign victims. Wray addressed the malware in his testimony, emphasizing that it targets critical infrastructure in the U.S. [...]

At Wednesday's hearing, the director of the federal Cybersecurity and Infrastructure Security Agency, Jen Easterly, testified that Americans should expect efforts by China to wage influence campaigns online relating to the 2024 election. However, Easterly added that she was confident that voting systems and other election infrastructure are well-defended. "To be very clear, Americans should have confidence in the integrity of our election infrastructure because of the enormous amount of work that's been done by state and local election officials, by the federal government, by vendors, by the private sector since 2016," Easterly said in her testimony.

Wray emphasized in the remarks that the "cyber onslaught" of Chinese hackers "goes way beyond prepositioning for future conflict," saying in the prepared remarks that every day the hackers are "actively attacking" U.S. economic security, engaging in "wholesale theft of our innovation, and our personal and corporate data." "And they don't just hit our security and economy. They target our freedoms, reaching inside our borders, across America, to silence, coerce, and threaten our citizens and residents," the excerpts said.

Businesses

Exxon Takes Activists To Court Over Emissions Proposal (techcrunch.com)

Exxon Mobil has filed a complaint in a Texas court seeking to block a climate proposal by activist investors from a shareholder vote in May. This marks Exxon's first legal action against such a proposal. Exxon argues the proposal, which urges adoption of emissions targets for Exxon's products, does not serve shareholder interests. The activist investors counter that Exxon is the only major oil company lacking these targets. TechCrunch: The problem Exxon faces is that the "basic rules of society," specifically "those embedded in ethical custom," are changing, and the company now finds itself on the wrong side of them. Two-thirds of Americans say we should prioritize alternative energy over fossil fuels, and 69% say the U.S. should move toward net-zero emissions by 2050, according to the Pew Research Center. Internationally, most people want their governments to do something about climate change.

Exxon would normally take its grievances to the SEC, filing a request with the regulator to omit the proposal from this year's proxy statement. But under the Biden administration, the SEC has been siding more frequently with shareholders. After all, who's the boss?

Data Storage

30TB Hard Drives Are Nearly Here (tomshardware.com)

Seagate this week unveiled the industry's first hard disk drive platform that uses heat-assisted media recording (HAMR). Tom's Hardware: The new Mozaic 3+ platform relies on several all-new technologies, including new media, new write and read heads, and a brand-new controller. The platform will be used for Seagate's upcoming Exos hard drives for cloud datacenters with a 30TB capacity and higher. Heat-assisted magnetic recording is meant to radically increase areal recording density of magnetic media by making writes while the recording region is briefly heated to a point where its magnetic coercivity drops significantly.

Seagate's Mozaic 3+ uses 10 glass disks with a magnetic layer consisting of an iron-platinum superlattice structure that ensures both longevity and smaller media grain size compared to typical HDD platters. To record the media, the platform uses a plasmonic writer sub-system with a vertically integrated nanophotonic laser that heats the media before writing. Because individual grains are so small with the new media, their individual magnetic signatures are lower, whereas the magnetic inter-track interference (ITI) effect is somewhat higher. As a result, Seagate had to introduce its new Gen 7 Spintronic Reader, which features the "world's smallest and most sensitive magnetic field reading sensors," according to the company. Because Seagate's new Mozaic 3+ platform deals with new media with a very small grain size, an all-new writer, and a reader that features multiple tiny magnetic field readers, it also requires a lot of compute horsepower to orchestrate the drive's work. Therefore, Seagate has equipped its Mozaic 3+ platform with an all-new controller made on a 12nm fabrication process.

Google

Google Says Russian Espionage Crew Behind New Malware Campaign (techcrunch.com)

Google researchers say they have evidence that a notorious Russian-linked hacking group -- tracked as "Cold River" -- is evolving its tactics beyond phishing to target victims with data-stealing malware. From a report: Cold River, also known as "Callisto Group" and "Star Blizzard," is known for conducting long-running espionage campaigns against NATO countries, particularly the United States and the United Kingdom. Researchers believe the group's activities, which typically target high-profile individuals and organizations involved in international affairs and defense, suggest close ties to the Russian state. U.S. prosecutors in December indicted two Russian nationals linked to the group.

Google's Threat Analysis Group (TAG) said in new research this week that it has observed Cold River ramping up its activity in recent months and using new tactics capable of causing more disruption to its victims, predominantly targets in Ukraine and its NATO allies, academic institutions and non-government organizations. These latest findings come soon after Microsoft researchers reported that the Russia-aligned hacking group had improved its ability to evade detection. In research shared with TechCrunch ahead of its publication on Thursday, TAG researchers say that Cold River has continued to shift beyond its usual tactic of phishing for credentials to delivering malware via campaigns using PDF documents as lures.

Security

A Flaw In Millions of Apple, AMD, and Qualcomm GPUs Could Expose AI Data (wired.com)

An anonymous reader quotes a report from Wired: As more companies ramp up development of artificial intelligence systems, they are increasingly turning to graphics processing unit (GPU) chips for the computing power they need to run large language models (LLMs) and to crunch data quickly at massive scale. Between video game processing and AI, demand for GPUs has never been higher, and chipmakers are rushing to bolster supply. In new findings released today, though, researchers are highlighting a vulnerability in multiple brands and models of mainstream GPUs -- including Apple, Qualcomm, and AMD chips -- that could allow an attacker to steal large quantities of data from a GPU's memory. The silicon industry has spent years refining the security of central processing units, or CPUs, so they don't leak data in memory even when they are built to optimize for speed. However, since GPUs were designed for raw graphics processing power, they haven't been architected to the same degree with data privacy as a priority. As generative AI and other machine learning applications expand the uses of these chips, though, researchers from New York-based security firm Trail of Bits say that vulnerabilities in GPUs are an increasingly urgent concern. "There is a broader security concern about these GPUs not being as secure as they should be and leaking a significant amount of data," Heidy Khlaaf, Trail of Bits' engineering director for AI and machine learning assurance, tells WIRED. "We're looking at anywhere from 5 megabytes to 180 megabytes. In the CPU world, even a bit is too much to reveal."

To exploit the vulnerability, which the researchers call LeftoverLocals, attackers would need to already have established some amount of operating system access on a target's device. Modern computers and servers are specifically designed to silo data so multiple users can share the same processing resources without being able to access each other's data. But a LeftoverLocals attack breaks down these walls. Exploiting the vulnerability would allow a hacker to exfiltrate data they shouldn't be able to access from the local memory of vulnerable GPUs, exposing whatever data happens to be there for the taking, which could include queries and responses generated by LLMs as well as the weights driving the response. In their proof of concept, as seen in the GIF below, the researchers demonstrate an attack where a target -- shown on the left -- asks the open source LLM Llama.cpp to provide details about WIRED magazine. Within seconds, the attacker's device -- shown on the right -- collects the majority of the response provided by the LLM by carrying out a LeftoverLocals attack on vulnerable GPU memory. The attack program the researchers created uses less than 10 lines of code. [...] Though exploiting the vulnerability would require some amount of existing access to targets' devices, the potential implications are significant given that it is common for highly motivated attackers to carry out hacks by chaining multiple vulnerabilities together. Furthermore, establishing "initial access" to a device is already necessary for many common types of digital attacks.

The researchers did not find evidence that Nvidia, Intel, or Arm GPUs contain the LeftoverLocals vulnerability, but Apple, Qualcomm, and AMD all confirmed to WIRED that they are impacted. Here's what each of the affected companies had to say about the vulnerability, as reported by Wired:

Apple: An Apple spokesperson acknowledged LeftoverLocals and noted that the company shipped fixes with its latest M3 and A17 processors, which it unveiled at the end of 2023. This means that the vulnerability is seemingly still present in millions of existing iPhones, iPads, and MacBooks that depend on previous generations of Apple silicon. On January 10, the Trail of Bits researchers retested the vulnerability on a number of Apple devices. They found that Apple's M2 MacBook Air was still vulnerable, but the iPad Air 3rd generation A12 appeared to have been patched.
Qualcomm: A Qualcomm spokesperson told WIRED that the company is "in the process" of providing security updates to its customers, adding, "We encourage end users to apply security updates as they become available from their device makers." The Trail of Bits researchers say Qualcomm confirmed it has released firmware patches for the vulnerability.
AMD: AMD released a security advisory on Wednesday detailing its plans to offer fixes for LeftoverLocals. The protections will be "optional mitigations" released in March.
Google: For its part, Google says in a statement that it "is aware of this vulnerability impacting AMD, Apple, and Qualcomm GPUs. Google has released fixes for ChromeOS devices with impacted AMD and Qualcomm GPUs."

Privacy

Mobile Device Ambient Light Sensors Can Be Used To Spy On Users (ieee.org)

"The ambient light sensors present in most mobile devices can be accessed by software without any special permissions, unlike permissions required for accessing the microphone or the cameras," writes longtime Slashdot reader BishopBerkeley. "When properly interrogated, the data from the light sensor can reveal much about the user." IEEE Spectrum reports: While that may not seem to provide much detailed information, researchers have already shown these sensors can detect light intensity changes that can be used to infer what kind of TV programs someone is watching, what websites they are browsing or even keypad entries on a touchscreen. Now, [Yang Liu, a PhD student at MIT] and colleagues have shown in a paper in Science Advances that by cross-referencing data from the ambient light sensor on a tablet with specially tailored videos displayed on the tablet's screen, it's possible to generate images of a user's hands as they interact with the tablet. While the images are low-resolution and currently take impractically long to capture, he says this kind of approach could allow a determined attacker to infer how someone is using the touchscreen on their device. [...]

"The acquisition time in minutes is too cumbersome to launch simple and general privacy attacks on a mass scale," says Lukasz Olejnik, an independent security researcher and consultant who has previously highlighted the security risks posed by ambient light sensors. "However, I would not rule out the significance of targeted collections for tailored operations against chosen targets." But he also points out that, following his earlier research, the World Wide Web Consortium issued a new standard that limited access to the light sensor API, which has already been adopted by browser vendors.

Liu notes, however, that there are still no blanket restrictions for Android apps. In addition, the researchers discovered that some devices directly log data from the light sensor in a system file that is easily accessible, bypassing the need to go through an API. The team also found that lowering the resolution of the images could bring the acquisition times within practical limits while still maintaining enough detail for basic recognition tasks. Nonetheless, Liu agrees that the approach is too complicated for widespread attacks. And one saving grace is that it is unlikely to ever work on a smartphone as the displays are simply too small. But Liu says their results demonstrate how seemingly harmless combinations of components in mobile devices can lead to surprising security risks.

Japan

Japan Startup Eyes Fusion Laser To Shoot Down Space Junk From Ground (nikkei.com)

Japanese startup EX-Fusion plans to eliminate small pieces of space junk with laser beams fired from the ground. Nikkei Asia reports: EX-Fusion stands apart in that it is taking the ground-based approach, with the startup tapping its arsenal of laser technology originally developed in pursuit of fusion power. In October, EX-Fusion signed a memorandum of understanding with EOS Space Systems, an Australian contractor that possesses technology used to detect space debris. EX-Fusion plans to place a high-powered laser inside an observatory operated by EOS Space outside of Canberra. The first phase will be to set up laser technology to track debris measuring less than 10 cm. Pieces of this size have typically been difficult to target from the ground using lasers.

For the second phase, EX-Fusion and EOS Space will attempt to remove the space debris by boosting the power of the laser beams fired from the surface. The idea is to fire the laser intermittently against the debris from the opposing direction of its travel in order to slow it down. With a decreased orbiting speed, the debris will enter the Earth's atmosphere to burn up. High-powered lasers are often associated with weapons that blast objects into smithereens. Indeed, the EOS Space group supplies laser weapon systems used to destroy drones. But lasers designed to remove space debris are completely different from weapon-grade lasers, EOS Space's executive vice president James Bennett said during a visit to Japan in November.

Current laser weaponry often uses fiber lasers, which are capable of cutting and welding metal and can destroy targets like drones through heat created from continuous firing. Capturing and removing space junk instead involves diode-pumped solid-state (DPSS) lasers, which are pulsed to apply force to fast moving debris, stopping it like a brake. EX-Fusion's signature laser fusion process also involves DPSS lasers, which strike the surface of a hydrogen fuel pellet just millimeters in diameter, compressing it to trigger a fusion reaction. This makes space debris removal a useful test along the path to commercializing the fusion technology.

Security

Linux Devices Are Under Attack By a Never-Before-Seen Worm

Previously unknown self-replicating malware has been infecting Linux devices worldwide, installing cryptomining malware using unusual concealment methods. The worm is a customized version of Mirai botnet malware, which takes control of Linux-based internet-connected devices to infect others. Mirai first emerged in 2016, delivering record-setting distributed denial-of-service attacks by compromising vulnerable devices. Once compromised, the worm self-replicates by scanning for and guessing credentials of additional vulnerable devices. While traditionally used for DDoS attacks, this latest variant focuses on covert cryptomining. ArsTechnica adds: On Wednesday, researchers from network security and reliability firm Akamai revealed that a previously unknown Mirai-based network they dubbed NoaBot has been targeting Linux devices since at least last January. Instead of targeting weak telnet passwords, the NoaBot targets weak passwords on SSH connections. Another twist: Rather than performing DDoSes, the new botnet installs cryptocurrency mining software, which allows the attackers to generate digital coins using victims' computing resources, electricity, and bandwidth. The cryptominer is a modified version of XMRig, another piece of open source malware. More recently, NoaBot has been used to also deliver P2PInfect, a separate worm researchers from Palo Alto Networks revealed last July.

Akamai has been monitoring NoaBot for the past 12 months in a honeypot that mimics real Linux devices to track various attacks circulating in the wild. To date, attacks have originated from 849 distinct IP addresses, almost all of which are likely hosting a device that's already infected. The following figure tracks the number of attacks delivered to the honeypot over the past year.
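
Because NoaBot spreads by guessing SSH passwords, the place a defender on the receiving end sees it is sshd's authentication log. The following is an added example, not Akamai's code and not from the Ars Technica report: it parses constructed auth.log-style sshd lines (documentation IP ranges, invented hostnames and PIDs), counts failed password attempts per source address, counts how many distinct sources were guessing, flags sources above a threshold, and separately flags the worst case, a source whose password login succeeded after earlier failures. The threshold value and the log sample are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of sshd auth lines (auth.log / journald style). These are
# not from the Akamai honeypot; they only mimic what a password-guessing wave
# looks like on the target. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, "edge" and the PIDs are invented.
SAMPLE_LOG = """\
Jan 10 03:14:07 edge sshd[2231]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 03:14:09 edge sshd[2233]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jan 10 03:14:11 edge sshd[2240]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:constructed
Jan 10 03:14:12 edge sshd[2251]: Failed password for root from 203.0.113.5 port 51250 ssh2
Jan 10 03:14:13 edge sshd[2252]: Failed password for invalid user pi from 203.0.113.77 port 60001 ssh2
Jan 10 03:14:14 edge sshd[2253]: Failed password for root from 203.0.113.5 port 51262 ssh2
Jan 10 03:14:15 edge sshd[2254]: Failed password for invalid user ubuntu from 203.0.113.77 port 60002 ssh2
Jan 10 03:14:16 edge sshd[2255]: Failed password for root from 203.0.113.5 port 51270 ssh2
Jan 10 03:14:18 edge sshd[2256]: Accepted password for root from 203.0.113.5 port 51281 ssh2
Jan 10 03:15:02 edge sshd[2260]: Failed password for invalid user test from 203.0.113.9 port 33001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." as well as Accepted lines.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_events(text):
    """Yield (result, method, user, ip) for every sshd authentication line."""
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")


def per_source_stats(text):
    """Aggregate failures, password successes and tried usernames per source IP."""
    stats = defaultdict(lambda: {"failed": 0, "accepted_pw": 0,
                                 "users": set(), "guessed_then_in": False})
    for result, method, user, ip in parse_auth_events(text):
        s = stats[ip]
        if result == "Failed":
            s["failed"] += 1
            s["users"].add(user)
        elif method == "password":
            s["accepted_pw"] += 1
            # A password login that follows failures from the same source is the
            # signature of a successful guess, not of a user who typed it right first time.
            if s["failed"] > 0:
                s["guessed_then_in"] = True
    return dict(stats)


def brute_force_sources(text, threshold=3):
    """Source IPs with at least `threshold` failed password attempts (threshold is an assumption)."""
    return sorted(ip for ip, s in per_source_stats(text).items() if s["failed"] >= threshold)


def compromised_sources(text):
    """Source IPs that got a password login after failing: treat the account as compromised."""
    return sorted(ip for ip, s in per_source_stats(text).items() if s["guessed_then_in"])


def distinct_attacking_ips(text):
    """How many distinct sources produced at least one failed password attempt."""
    return len({ip for ip, s in per_source_stats(text).items() if s["failed"] > 0})


if __name__ == "__main__":
    print("guessing sources:", brute_force_sources(SAMPLE_LOG))
    print("successful guesses:", compromised_sources(SAMPLE_LOG))
    print("distinct attacking IPs:", distinct_attacking_ips(SAMPLE_LOG))
```

On the constructed sample the script reports 203.0.113.5 both as a guessing source and as a successful guess (root logged in with a password after five failures), and three distinct attacking addresses. The underlying exposure is the same one the report describes, password authentication reachable from the internet; the corresponding hardening is key-only authentication (`PasswordAuthentication no` in sshd_config) and no root password login, which turns this whole class of worm into log noise.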

Security

Amnesty International Confirms Apple's Warning to Journalists About Spyware-Infected iPhones (techcrunch.com)

TechCrunch reports: Apple's warnings in late October that Indian journalists and opposition figures may have been targeted by state-sponsored attacks prompted a forceful counterattack from Prime Minister Narendra Modi's government. Officials publicly doubted Apple's findings and announced a probe into device security.

India has never confirmed nor denied using the Pegasus tool, but nonprofit advocacy group Amnesty International reported Thursday that it found NSO Group's invasive spyware on the iPhones of prominent journalists in India, lending more credibility to Apple's early warnings. "Our latest findings show that increasingly, journalists in India face the threat of unlawful surveillance simply for doing their jobs, alongside other tools of repression including imprisonment under draconian laws, smear campaigns, harassment, and intimidation," said Donncha Ó Cearbhaill, head of Amnesty International's Security Lab, in the blog post.

Cloud security company Lookout has also published "an in-depth technical look" at Pegasus, calling its use "a targeted espionage attack being actively leveraged against an undetermined number of mobile users around the world." It uses sophisticated function hooking to subvert OS- and application-layer security in voice/audio calls and apps including Gmail, Facebook, WhatsApp, Facetime, Viber, WeChat, Telegram, Apple's built-in messaging and email apps, and others. It steals the victim's contact list and GPS location, as well as personal, Wi-Fi, and router passwords stored on the device...

According to news reports, NSO Group sells weaponized software that targets mobile phones to governments and has been operating since 2010, according to its LinkedIn page. The Pegasus spyware has existed for a significant amount of time, and is advertised and sold for use on high-value targets for multiple purposes, including high-level espionage on iOS, Android, and Blackberry.

Thanks to Slashdot reader Mirnotoriety for sharing the news.

Security

Cyberattack Targets Albanian Parliament's Data System, Halting Its Work (securityweek.com)

An anonymous reader quotes a report from SecurityWeek: Albania's Parliament said on Tuesday that it had suffered a cyberattack with hackers trying to get into its data system, resulting in a temporary halt in its services. A statement said Monday's cyberattack had not "touched the data of the system," adding that experts were working to discover what consequences the attack could have. It said the system's services would resume at a later time. Local media reported that a cellphone provider and an air flight company were also targeted by Monday's cyberattacks, allegedly from Iranian-based hackers called Homeland Justice, which could not be verified independently.

Albania suffered a cyberattack in July 2022 that the government and multinational technology companies blamed on the Iranian Foreign Ministry. Believed to be in retaliation for Albania sheltering members of the Iranian opposition group Mujahedeen-e-Khalq, or MEK, the attack led the government to cut diplomatic relations with Iran two months later. The Iranian Foreign Ministry denied Tehran was behind an attack on Albanian government websites and noted that Iran has suffered cyberattacks from the MEK. In June, Albanian authorities raided a camp for exiled MEK members to seize computer devices allegedly linked to prohibited political activities. [...] In a statement sent later Tuesday to The Associated Press, MEK's media spokesperson Ali Safavi claimed the reported cyberattacks in Albania "are not related to the presence or activities" of MEK members in the country.

Privacy

Researchers Come Up With Better Idea To Prevent AirTag Stalking (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Apple's AirTags are meant to help you effortlessly find your keys or track your luggage. But the same features that make them easy to deploy and inconspicuous in your daily life have also allowed them to be abused as a sinister tracking tool that domestic abusers and criminals can use to stalk their targets. Over the past year, Apple has taken protective steps to notify iPhone and Android users if an AirTag is in their vicinity for a significant amount of time without the presence of its owner's iPhone, which could indicate that an AirTag has been planted to secretly track their location. Apple hasn't said exactly how long this time interval is, but to create the much-needed alert system, Apple made some crucial changes to the location privacy design the company originally developed a few years ago for its "Find My" device tracking feature. Researchers from Johns Hopkins University and the University of California, San Diego, say, though, that they've developed (PDF) a cryptographic scheme to bridge the gap -- prioritizing detection of potentially malicious AirTags while also preserving maximum privacy for AirTag users. [...]

The solution [Johns Hopkins cryptographer Matt Green] and his fellow researchers came up with leans on two established areas of cryptography that the group worked to implement in a streamlined and efficient way so the system could reasonably run in the background on mobile devices without being disruptive. The first element is "secret sharing," which allows the creation of systems that can't reveal anything about a "secret" unless enough separate puzzle pieces present themselves and come together. Then, if the conditions are right, the system can reconstruct the secret. In the case of AirTags, the "secret" is the true, static identity of the device underlying the public identifier that is frequently changing for privacy purposes. Secret sharing was conceptually useful for the researchers to employ because they could develop a mechanism where a device like a smartphone would only be able to determine that it was being followed around by an AirTag with a constantly rotating public identifier if the system received enough of a certain type of ping over time. Then, suddenly, the suspicious AirTag's anonymity would fall away and the system would be able to determine that it had been in close proximity for a concerning amount of time.

Green notes, though, that a limitation of secret sharing algorithms is that they aren't very good at sorting and parsing inputs if they're being deluged by a lot of different puzzle pieces from all different puzzles -- the exact scenario that would occur in the real world where AirTags and Find My devices are constantly encountering each other. With this in mind, the researchers employed a second concept known as "error correction coding," which is specifically designed to sort signal from noise and preserve the durability of signals even if they acquire some errors or corruptions. "Secret sharing and error correction coding have a lot of overlap," Green says. "The trick was to find a way to implement it all that would be fast, and where a phone would be able to reassemble all the puzzle pieces when needed while all of this is running quietly in the background."
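
To make the secret-sharing idea in the two paragraphs above concrete, here is a toy simulation added for this digest. It is not code from the Johns Hopkins/UCSD paper and does not reproduce their construction; everything below is my own assumption: the tag's static identity is the shared secret, each epoch's broadcast carries a fresh random pseudonym plus one Shamir share of that identity (the tag's secret polynomial evaluated at the epoch number), and a phone can interpolate the identity only once it has heard a threshold number of shares. The last function also illustrates the limitation Green points out: shares from two different tags, mixed together, interpolate to noise, because nothing in a share says which tag it belongs to; that is the gap the real scheme closes with an error-correcting layer.

```python
import secrets

# Prime field for Shamir sharing. 2**127 - 1 is a Mersenne prime and is far
# larger than a 64-bit tag identity, so the identity fits as a field element.
PRIME = 2**127 - 1


def _poly_eval(coeffs, x):
    """Evaluate a polynomial over GF(PRIME) by Horner's rule; coeffs[0] is the constant term."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def recover_secret(shares):
    """Lagrange-interpolate f(0) from (x, f(x)) points; needs as many points as the degree + 1."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("shares must have distinct x coordinates")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # pow(den, PRIME - 2, PRIME) is the modular inverse (Fermat), den != 0 since xs are distinct
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


class Tag:
    """Toy tracker: rotates its public pseudonym every epoch but leaks one share of its identity."""

    def __init__(self, identity, threshold):
        self.identity = identity % PRIME
        self.threshold = threshold
        # Random polynomial of degree threshold-1 with the identity as constant term:
        # any threshold-1 shares reveal nothing about it, threshold shares reveal it fully.
        self._coeffs = [self.identity] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def broadcast(self, epoch):
        assert epoch >= 1  # x = 0 would hand out the secret itself
        pseudonym = secrets.token_hex(8)  # unlinkable from one epoch to the next on its own
        return pseudonym, (epoch, _poly_eval(self._coeffs, epoch))


class Phone:
    """Collects shares heard nearby and names the tag once it has heard enough of them."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.shares = []

    def hear(self, broadcast):
        _pseudonym, share = broadcast
        self.shares.append(share)
        if len(self.shares) >= self.threshold:
            return recover_secret(self.shares[-self.threshold:])
        return None


def simulate_following(tag, epochs):
    """A tag travels with the phone for `epochs` epochs; returns (identity, epoch) once it is unmasked."""
    phone = Phone(tag.threshold)
    for e in range(1, epochs + 1):
        result = phone.hear(tag.broadcast(e))
        if result is not None:
            return result, e
    return None  # not seen long enough: the tag stays anonymous


def mixed_shares_are_noise(tag_a, tag_b, threshold):
    """Alternate shares from two tags: the interpolated value matches neither identity."""
    phone = Phone(threshold)
    result = None
    for e in range(1, threshold + 1):
        source = tag_a if e % 2 else tag_b
        result = phone.hear(source.broadcast(e))
    return result not in (tag_a.identity, tag_b.identity)


if __name__ == "__main__":
    stalker = Tag(0xDEADBEEFCAFE, threshold=8)
    print("unmasked after:", simulate_following(stalker, 12))
    print("too brief:", simulate_following(stalker, 5))
    print("mixed tags look like noise:", mixed_shares_are_noise(stalker, Tag(0x1234, 8), 8))
```

With a threshold of 8 the phone names the tag in epoch 8 and learns nothing from 7 or fewer shares, which is the "enough puzzle pieces" property the text describes. The mixed case returns a field element that equals one of the identities only with probability about 2^-127, which is exactly why a phone in a crowd of tags cannot rely on plain interpolation and the paper adds error correction on top.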
The researchers published (PDF) their first paper in September and submitted it to Apple. More recently, they notified the industry consortium about the proposal.

Government

India Targets Apple Over Its Phone Hacking Notifications (washingtonpost.com)

In October, Apple issued notifications warning over a half dozen India lawmakers of their iPhones being targets of state-sponsored attacks. According to a new report from the Washington Post, the Modi government responded by criticizing Apple's security and demanding explanations to mitigate political impact (Warning: source may be paywalled; alternative source). From the report: Officials from the ruling Bharatiya Janata Party (BJP) publicly questioned whether the Silicon Valley company's internal threat algorithms were faulty and announced an investigation into the security of Apple devices. In private, according to three people with knowledge of the matter, senior Modi administration officials called Apple's India representatives to demand that the company help soften the political impact of the warnings. They also summoned an Apple security expert from outside the country to a meeting in New Delhi, where government representatives pressed the Apple official to come up with alternative explanations for the warnings to users, the people said. They spoke on the condition of anonymity to discuss sensitive matters. "They were really angry," one of those people said.

The visiting Apple official stood by the company's warnings. But the intensity of the Indian government effort to discredit and strong-arm Apple disturbed executives at the company's headquarters, in Cupertino, Calif., and illustrated how even Silicon Valley's most powerful tech companies can face pressure from the increasingly assertive leadership of the world's most populous country -- and one of the most critical technology markets of the coming decade. The recent episode also exemplified the dangers facing government critics in India and the lengths to which the Modi administration will go to deflect suspicions that it has engaged in hacking against its perceived enemies, according to digital rights groups, industry workers and Indian journalists. Many of the more than 20 people who received Apple's warnings at the end of October have been publicly critical of Modi or his longtime ally, Gautam Adani, an Indian energy and infrastructure tycoon. They included a firebrand politician from West Bengal state, a Communist leader from southern India and a New Delhi-based spokesman for the nation's largest opposition party. [...] Gopal Krishna Agarwal, a national spokesman for the BJP, said any evidence of hacking should be presented to the Indian government for investigation.

The Modi government has never confirmed or denied using spyware, and it has refused to cooperate with a committee appointed by India's Supreme Court to investigate whether it had. But two years ago, the Forbidden Stories journalism consortium, which included The Post, found that phones belonging to Indian journalists and political figures were infected with Pegasus, which grants attackers access to a device's encrypted messages, camera and microphone. In recent weeks, The Post, in collaboration with Amnesty, found fresh cases of infections among Indian journalists. Additional work by The Post and New York security firm iVerify found that opposition politicians had been targeted, adding to the evidence suggesting the Indian government's use of powerful surveillance tools. In addition, Amnesty showed The Post evidence it found in June that suggested a Pegasus customer was preparing to hack people in India. Amnesty asked that the evidence not be detailed to avoid teaching Pegasus users how to cover their tracks.
"These findings show that spyware abuse continues unabated in India," said Donncha Ó Cearbhaill, head of Amnesty International's Security Lab. "Journalists, activists and opposition politicians in India can neither protect themselves against being targeted by highly invasive spyware nor expect meaningful accountability."

United Kingdom

UK Students Launch Barclays 'Career Boycott' Over Bank's Climate Policies (theguardian.com)

Hundreds of students from leading UK universities have launched a "career boycott" of Barclays over its climate policies, warning that the bank will miss out on top talent unless it stops financing fossil fuel companies. From a report: More than 220 students from Barclays' top recruitment universities, including Oxford, Cambridge, and University College London, have sent a letter to the high street lender, saying they will not work for Barclays and raising the alarm over its funding for oil and gas firms including Shell, TotalEnergies, Exxon and BP. "Your ambitious decarbonisation targets are discredited by your absence of action and the roster of fossil fuel companies on your books," the letter said. "You may say you're working with them to help them transition, but Shell, Total and BP have all rowed back."

Large oil firms have started to water down climate commitments, including BP, which originally pledged to lower emissions by 35% by 2030 but is now aiming for a 20% to 30% cut instead. Meanwhile, ExxonMobil quietly withdrew funding for plans to use algae to create low-carbon fuel, while Shell announced it would not increase its investments in renewable energy this year, despite earlier promises to slash its emissions. The letter calls on Barclays to end all financing and underwriting of oil and gas companies -- not only their projects -- and to boost funding of firms behind wind and solar energy significantly.

EU

EU Targets Pornhub, XVideos, Stripchat Under New Content Rules (reuters.com) 79

The European Union on Wednesday added three adult content companies - Pornhub, Stripchat and XVideos - to its list of firms subject to stringent regulations under new online content rules. From a report: The new rules, known as the Digital Services Act (DSA), require companies to conduct risk management, undergo external and independent auditing, and share data with authorities and researchers. In April, the EU designated five Alphabet subsidiaries, two Meta Platforms units, two Microsoft businesses, X and Alibaba's AliExpress among 19 companies under the rules. Such designated companies will have to do more to tackle disinformation, give more protection and choice to users and ensure stronger protection for children or risk fines of as much as 6% of their global turnover. "Pornhub, Stripchat and XVideos meet the user thresholds to fall under stricter #DSA obligations," the bloc's industry chief Thierry Breton said. "Creating a safer online environment for our children is an enforcement priority under the DSA."
Security

Attack Discovered Against SSH (arstechnica.com) 66

jd writes: Ars Technica is reporting a newly-discovered man-in-the-middle attack against SSH. This only works if you are using "ChaCha20-Poly1305" or "CBC with Encrypt-then-MAC", so it isn't a universal flaw. The CVE numbers for this vulnerability are CVE-2023-48795, CVE-2023-46445, and CVE-2023-46446.

From TFA:

At its core, Terrapin works by altering or corrupting information transmitted in the SSH data stream during the handshake -- the earliest stage of a connection, when the two parties negotiate the encryption parameters they will use to establish a secure connection. The attack targets the BPP, short for Binary Packet Protocol, which is designed to ensure that adversaries with an active position can't add or drop messages exchanged during the handshake. Terrapin relies on prefix truncation, a class of attack that removes specific messages at the very beginning of a data stream.

The Terrapin attack is a novel cryptographic attack targeting the integrity of the SSH protocol, the first-ever practical attack of its kind, and one of the very few attacks against SSH at all. The attack exploits weaknesses in the specification of SSH paired with widespread algorithms, namely ChaCha20-Poly1305 and CBC-EtM, to remove an arbitrary number of protected messages at the beginning of the secure channel, thus breaking integrity. In practice, the attack can be used to impede the negotiation of certain security-relevant protocol extensions. Moreover, Terrapin enables more advanced exploitation techniques when combined with particular implementation flaws, leading to a total loss of confidentiality and integrity in the worst case.
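
The two quoted paragraphs describe the attack in terms of what a peer offers during the handshake (ChaCha20-Poly1305, or a CBC cipher paired with an Encrypt-then-MAC MAC) and the countermeasure OpenSSH shipped, strict key exchange, which a peer advertises as a pseudo-algorithm in its key-exchange name-list. The script below is an added example, not code from Ars Technica or from the Terrapin researchers: it parses an SSH_MSG_KEXINIT payload as laid out in RFC 4253 and applies exactly those conditions. The two KEXINIT samples are constructed inline (all-zero cookie, hand-picked algorithm lists) and are not captures from any real host; the strict-kex names `kex-strict-s-v00@openssh.com` and `kex-strict-c-v00@openssh.com` are the ones OpenSSH 9.6 defines.

```python
import struct

SSH_MSG_KEXINIT = 20

# Strict key exchange (OpenSSH 9.6 countermeasure): a peer advertises it by
# listing one of these pseudo-algorithm names in its kex name-list.
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"

KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _read_name_list(buf, off):
    """Read one RFC 4251 name-list: uint32 length, then comma-separated ASCII names."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated name-list body")
    names = [s for s in raw.decode("ascii").split(",") if s]
    return names, off + n


def parse_kexinit(payload):
    """Parse an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) into its ten name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 1 + 16  # message id followed by the 16-byte random cookie
    out = {}
    for field in KEXINIT_FIELDS:
        out[field], off = _read_name_list(payload, off)
    if off + 5 > len(payload):
        raise ValueError("truncated KEXINIT trailer")
    out["first_kex_packet_follows"] = payload[off] != 0
    return out


def terrapin_exposure(kexinit, side="server"):
    """Apply the conditions from the text to what a peer offers.

    Exposed if ChaCha20-Poly1305 is offered, or a CBC cipher together with an
    Encrypt-then-MAC MAC; mitigated if the peer advertises strict key exchange.
    This classifies what is offered, not what gets negotiated: the attack only
    applies to the combination both sides actually agree on, and the mitigation
    only takes effect when both sides support strict kex.
    """
    ciphers = set(kexinit["enc_c2s"]) | set(kexinit["enc_s2c"])
    macs = set(kexinit["mac_c2s"]) | set(kexinit["mac_s2c"])
    chacha = "chacha20-poly1305@openssh.com" in ciphers
    cbc_etm = (any(c.endswith("-cbc") for c in ciphers)
               and any(m.endswith("-etm@openssh.com") for m in macs))
    strict_name = STRICT_KEX_SERVER if side == "server" else STRICT_KEX_CLIENT
    strict = strict_name in kexinit["kex"]
    return {
        "chacha20_poly1305": chacha,
        "cbc_etm": cbc_etm,
        "strict_kex": strict,
        "vulnerable": (chacha or cbc_etm) and not strict,
    }


def build_kexinit(name_lists):
    """Serialize a KEXINIT from ten name-lists; used only to construct the samples below."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # all-zero cookie: constructed sample, not random
    for names in name_lists:
        raw = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows=FALSE, reserved


# Constructed samples, not captures from any real host.
SAMPLE_UNPATCHED = build_kexinit([
    ["curve25519-sha256", "ecdh-sha2-nistp256"],
    ["ssh-ed25519"],
    ["chacha20-poly1305@openssh.com", "aes256-ctr"],
    ["chacha20-poly1305@openssh.com", "aes256-ctr"],
    ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    ["none"], ["none"], [], [],
])
SAMPLE_STRICT_KEX = build_kexinit([
    ["curve25519-sha256", STRICT_KEX_SERVER],
    ["ssh-ed25519"],
    ["aes256-cbc", "aes256-gcm@openssh.com"],
    ["aes256-cbc", "aes256-gcm@openssh.com"],
    ["hmac-sha2-512-etm@openssh.com"],
    ["hmac-sha2-512-etm@openssh.com"],
    ["none"], ["none"], [], [],
])

if __name__ == "__main__":
    for label, sample in (("unpatched", SAMPLE_UNPATCHED), ("strict-kex", SAMPLE_STRICT_KEX)):
        print(label, terrapin_exposure(parse_kexinit(sample)))
```

The first sample offers ChaCha20-Poly1305 and no strict-kex marker, so it is flagged; the second offers a CBC cipher with an EtM MAC but also advertises strict key exchange, so it is not. To run this against a live server you would still have to read the version banner and the first binary packet off the socket and strip the packet-length, padding-length and padding fields before handing the payload to `parse_kexinit`; that framing is left out here to keep the example offline.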

Transportation

Canada Lays Out Plan To Phase Out Sales of Gas-Powered Cars, Trucks By 2035 (www.cbc.ca) 405

"EV mandates are coming to Canada whether you like it or not," writes Slashdot reader Major_Disorder, sharing a report from the Canadian Broadcasting Corporation. "Here is what my Canadian brothers and sisters need to know." From the report: New regulations being published this week by Environment Minister Steven Guilbeault will effectively end sales of new passenger vehicles powered only by gasoline or diesel in 2035. Guilbeault said the Electric Vehicle Availability Standard will encourage automakers to make more battery-powered cars and trucks available in Canada. "There's no mistaking it. We are at a tipping point," he said, noting sizable growth in EV sales in Canada and demand that has previously outstripped the available supply.

Automakers will have the next 12 years to phase out combustion engine cars, trucks and SUVs with a requirement to gradually increase the proportion of electric models they offer for sale each year. The electric-vehicle sales mandate regulations will be published later this week. They are setting up a system in which every automaker will have to show that a minimum percentage of vehicles they offer for sale are fully electric or longer-range plug-in hybrids. It will start with 20 per cent in 2026 and rise slightly to 23 per cent in 2027. After that, the share of EVs will begin to increase much faster, so that by 2028, 34 per cent of all vehicles sold will need to be electric -- 43 per cent by 2029 and 60 per cent by 2030. That number keeps rising until it hits 100 per cent in 2035.

Guilbeault said the government is working to revise the national building code to encourage the spread of charging stations. The updated code would ensure that residential buildings constructed after 2025 have the electrical capacity to accommodate the charging stations. [...] The policy will be regulated under the Canadian Environmental Protection Act and will issue credits to automakers for the EVs they sell. Generally, a fully electric model will generate one credit, with plug-in hybrids getting partial or full credit depending on how far they can go on a single charge. Manufacturers that sell more EVs than they need to meet each year's target can either bank those credits to meet their targets in future years, or sell them to companies that didn't sell enough. They can also cover up to 10 per cent of the credits they need each year by investing in public fast-charging stations. Every $20,000 spent on DC fast chargers that are operating before 2027 can earn the equivalent of one credit. Automakers that come up short for their sales requirements will be able to cover the difference by buying credits from others who exceed their targets, or by investing in charging stations. Automakers can start earning some credits toward their 2026 and 2027 targets over the next two years -- a bid by the government to encourage a faster transition.

Space

SETI Scientists Report Discovery of More Fast Radio Bursts (scitechdaily.com) 19

Using a "recently refurbished" telescope array, SETI scientists performed 541 hours of additional observations — and found 35 new "Fast Radio Bursts" (or FRBs). SciTechDaily reports: All 35 FRBs were found in the lower part of the frequency spectrum, each with its unique energy signature. "This work is exciting because it provides both confirmation of known FRB properties and the discovery of some new ones," said the SETI Institute's Dr. Sofia Sheikh, NSF MPS-Ascend Postdoctoral Fellow and lead author. "We're narrowing down the source of FRBs, for example, to extreme objects such as magnetars, but no existing model can explain all of the properties that have been observed so far. It has been wonderful to be part of the first FRB study done with the Allen Telescope Array — this work proves that new telescopes with unique capabilities, like the Allen Telescope Array, can provide a new angle on outstanding mysteries in FRB science."

The detailed findings, recently published in the journal Monthly Notices of the Royal Astronomical Society (MNRAS), showcase the intriguing behaviors of FRBs. These mysterious signals exhibit downward frequency drifting, a connection between their bandwidth and center frequency, and changes in burst duration over time. The team also observed something that had never been reported before: there was a noticeable drop in the center frequency of bursts over the two months of observation, revealing an unexpected cosmic slide-whistle...

No clear pattern was found, highlighting the unpredictability of these celestial phenomena.

SETI says its Allen Telescope Array (or ATA) was custom-built for SETI searches, "thanks to the interest and benevolence of many donors, including technologists Paul Allen (co-founder of Microsoft) and Nathan Myhrvold (former Chief Technology Officer for Microsoft)." The Allen Telescope Array offers SETI scientists access to an instrument seven days a week, and permits the search of several different targets (usually nearby star systems) simultaneously. This can result in a speed-up of SETI searches by a factor of at least 100.
Power

Microsoft Targets Nuclear To Power AI Operations 52

According to the Wall Street Journal, Microsoft wants to use nuclear energy to power its artificial intelligence operations. And in order to help cut the red tape required to make that happen, Microsoft plans to use AI. From a report: A Microsoft team has spent months building an AI trained on nuclear regulations and licensing requirements to help the tech giant fill out all the applications it needs to build its own power plants. This typically takes years and millions, but Microsoft is urgently looking for more power to bring next-generation AI to life.

That's because the larger the model and the more capable it becomes, the more power it requires. Microsoft today reflects the sensibilities of its founder, Bill Gates, in that the company believes in carbon-neutral energy sources -- and, like Gates who himself invests in nuclear power innovation, the company seems to see more potential in nuclear than other renewable sources of energy.

"If we're going to do that carbon-free, we're going to need all the tools in the tool kit," Michelle Patron, Microsoft's senior director of sustainability policy, told the Journal.
Earth

The Climate Summit Starts To Crack a Tough Nut: Emissions From Food 90

An anonymous reader quotes a report from the New York Times: [H]ow do we feed ourselves without further damaging the planet or worsening rising levels of hunger? This year's United Nations climate summit has confronted this question like never before. "For the first time there is a broad acknowledgment that the food agenda is aligned with the climate fight across the board," said Ed Davey of the World Resources Institute, who worked with organizers of the summit, known as COP28, on its food agenda. [...] More than two-thirds of the world's countries endorsed an agreement to retool the global food system, though it's vague, lacks concrete targets, and is nonbinding. The United Nations food agency issued a landmark report laying out what it would take to align the global food system with the goal to limit average global temperature rise to manageable levels. The United States and the United Arab Emirates together committed about $17 billion toward agricultural innovations to address climate change. [...]

The F.A.O. road map means doing different things in different countries. In North America, food experts said, it means nudging citizens to eat less meat and dairy, which produce high emissions. In countries of sub-Saharan Africa, it means increasing agricultural productivity. Every country must cut food loss and waste. "We are at this reckoning point where we have to move away from pure awareness raising and actually start changing habits," Yvette Cabrera, a food waste expert at the Natural Resources Defense Council, said.

Road maps, of course, are only that until someone starts following the directions. In this case, that's up to national governments. That's where the Emirates Declaration on Sustainable Agriculture, Resilient Food Systems and Climate Action comes in. It commits countries to including agricultural emissions in their next round of climate targets, in 2025. It contains no other targets or timelines, nor prescribes any specific policies. So far, 154 countries have signed on. India, which has long been sensitive to any global accords that impact food security, was a holdout. One measure of the coming food fight is that it's unclear whether there's any appetite to include agricultural emissions targets in the main agreement, which is the subject of bitter negotiations at the moment. The latest draft does not include them.
