Programming

Meet Bun, a Speedy New JavaScript Runtime (bun.sh) 121

Bun is "a modern JavaScript runtime like Node or Deno," according to its newly-launched web site, "built from scratch to focus on three main things."

- Start fast (it has the edge in mind).
- New levels of performance (extending JavaScriptCore, the engine).
- Being a great and complete tool (bundler, transpiler, package manager).

Bun is designed as a drop-in replacement for your current JavaScript & TypeScript apps or scripts — on your local computer, server or on the edge. Bun natively implements hundreds of Node.js and Web APIs, including ~90% of Node-API functions (native modules), fs, path, Buffer and more. [And Bun also implements Node.js' module resolution algorithm, so you can use npm packages in bun.js]

The goal of Bun is to run most of the world's JavaScript outside of browsers, bringing performance and complexity enhancements to your future infrastructure, as well as developer productivity through better, simpler tooling.... Why is Bun fast? An enormous amount of time spent profiling, benchmarking and optimizing things. The answer is different for every part of Bun, but one general theme: [it's written in Zig.] Zig's low-level control over memory and lack of hidden control flow makes it much simpler to write fast software.

An infographic on the site claims its server-side rendering of React is more than three times faster than Node or Deno. And Bun.js can even automatically load environment variables from .env files, according to the site. No more require("dotenv").load()
Hackaday describes it as "a performant all-in-one approach," including "bundling, transpiling, module resolution, and a fantastic foreign-function interface." Many Javascript projects have a bundling and transpiling step that takes the source and packages it together in a more standard format. Typescript needs to be packaged into javascript, and modules need to be resolved. Bun bakes all this in. Typescript and JSX "just work." This dramatically simplifies many projects as much of the build infrastructure is part of Bun itself, lowering cognitive load when trying to understand a project... Some web-specific APIs, such as fetch and Websockets, are also built-in.
"What's even wilder is that Bun is written by one person, Jared Sumner," the article points out — adding that all the code is available on GitHub under the MIT License ("excluding dependencies which have various licenses.")
iPhone

Apple Launches iPhone Security Tool To Block Targeted Attacks (bloomberg.com) 37

Apple introduced a security tool for iPhone, iPad and Mac devices that is designed to prevent targeted cyberattacks on high-profile users such as activists, journalists and government officials. From a report: The optional feature, called Lockdown Mode, will offer "extreme" protection for a "very small number of users who face grave, targeted attacks," Apple said Wednesday in a statement. The tool vastly reduces the number of physical and digital ways for an attacker to hack a user's device. Apple said the feature is aimed primarily at trying to combat attacks from "spyware" sold by NSO Group and other companies, particularly to state-sponsored groups.

[...] Lockdown Mode will affect the Messages app, FaceTime, Apple online services, configuration profiles, the Safari web browser and wired connections. With the tool in place, the Messages app will block attachments other than images and disable link previews. Those are two common mechanisms that hackers use to infiltrate devices remotely. The web browser, another frequent conduit for hackers, will also be severely limited, with restrictions on certain fonts, web languages and features involving reading PDFs and previewing content. In FaceTime, users won't be able to receive calls from an individual that they haven't previously called within the preceding 30 days.

AI

DALL-E Mini Is the Internet's Favorite AI Meme Machine (wired.com) 52

The viral image-generation app is good, absurd fun. It's also giving the world an education in how artificial intelligence may warp reality. From a report: On June 6, Hugging Face, a company that hosts open source artificial intelligence projects, saw traffic to an AI image-generation tool called DALL-E Mini skyrocket. The outwardly simple app, which generates nine images in response to any typed text prompt, was launched nearly a year ago by an independent developer. But after some recent improvements and a few viral tweets, its ability to crudely sketch all manner of surreal, hilarious, and even nightmarish visions suddenly became meme magic. Behold its renditions of "Thanos looking for his mom at Walmart," "drunk shirtless guys wandering around Mordor," "CCTV camera footage of Darth Vader breakdancing," and "a hamster Godzilla in a sombrero attacking Tokyo." As more people created and shared DALL-E Mini images on Twitter and Reddit, and more new users arrived, Hugging Face saw its servers overwhelmed with traffic. "Our engineers didn't sleep for the first night," says Clement Delangue, CEO of Hugging Face, on a video call from his home in Miami. "It's really hard to serve these models at scale; they had to fix everything." In recent weeks, DALL-E Mini has been serving up around 50,000 images a day.

DALL-E Mini's viral moment doesn't just herald a new way to make memes. It also provides an early look at what can happen when AI tools that make imagery to order become widely available, and a reminder of the uncertainties about their possible impact. Algorithms that generate custom photography and artwork might transform art and help businesses with marketing, but they could also have the power to manipulate and mislead. A warning on the DALL-E Mini web page warns that it may "reinforce or exacerbate societal biases" or "generate images that contain stereotypes against minority groups." DALL-E Mini was inspired by a more powerful AI image-making tool called DALL-E (a portmanteau of Salvador Dali and WALL-E), revealed by AI research company OpenAI in January 2021. DALL-E is more powerful but is not openly available, due to concerns that it will be misused.

The Internet

Tim Berners-Lee Skeptical of Web3, Touts Decentralized Internet Without Blockchain (thenextweb.com) 62

Sir Tim Berners-Lee "is skeptical about a blockchain-based internet," reports the Next Web. Instead, they describe his new vision as "a decentralized architecture that gives users control of their data" — on a platform called Solid: Berners-Lee shares Web3's purported mission of transferring data from Big Tech to the people. But he's taking a different route to the target. While Web3 is based on blockchain, Solid is built with standard web tools and open specifications. Private information is stored in decentralized data stores called "pods," which can be hosted wherever the user wants. They can then choose which apps can access their data. This approach aims to provide interoperability, speed, scalability, and privacy.

"When you try to build that stuff on the blockchain, it just doesn't work," said Berners-Lee.

Berners-Lee says Solid serves two separate purposes. One is preventing companies from misusing our data for unsolicited purposes, from manipulating voters to generating clickbait. The other is providing opportunities to benefit from our information. Healthcare data, for instance, could be shared across trusted services to improve our treatment and support medical research. Our photos, meanwhile, could be supplied to Facebook friends, LinkedIn colleagues, and Flickr followers without having to upload the pictures to each platform.

This evokes Berners-Lee's original aim to make the web a collaborative tool. "I wanted to be able to solve problems when part of the solution is in my head and part of the solution is in your head, and you're on the other side of the planet — connected by the internet," he said.

"That was the sort of thing I wanted the web for. It took off more as a publishing medium — but all is not lost."

Programming

Are Today's Programmers Leaving Too Much Code Bloat? (positech.co.uk) 296

Long-time Slashdot reader Artem S. Tashkinov shares a blog post from an indie game programmer who complains "The special upload tool I had to use today was a total of 230MB of client files, and involved 2,700 different files to manage this process." Oh and BTW it gives error messages and right now, it doesn't work. sigh.

I've seen coders do this. I know how this happens. It happens because not only are the coders not doing low-level, efficient code to achieve their goal, they have never even SEEN low level, efficient, well written code. How can we expect them to do anything better when they do not even understand that it is possible...? It's what they learned. They have no idea what high performance or constraint-based development is....

Computers are so fast these days that you should be able to consider them absolute magic. Everything that you could possibly imagine should happen between the 60ths of a second of the refresh rate. And yet, when I click the volume icon on my microsoft surface laptop (pretty new), there is a VISIBLE DELAY as the machine gradually builds up a new user interface element, and eventually works out what icons to draw and has them pop-in and they go live. It takes ACTUAL TIME. I suspect a half second, which in CPU time, is like a billion fucking years....

All I'm doing is typing this blog post. Windows has 102 background processes running. My nvidia graphics card currently has 6 of them, and some of those have sub tasks. To do what? I'm not running a game right now, I'm using about the same feature set from a video card driver as I would have done TWENTY years ago, but 6 processes are required. Microsoft edge web view has 6 processes too, as does Microsoft edge too. I don't even use Microsoft edge. I think I opened an SVG file in it yesterday, and here we are, another 12 useless pieces of code wasting memory, and probably polling the cpu as well.

This is utter, utter madness. It's why nothing seems to work, why everything is slow, why you need a new phone every year, and a new TV to load those bloated streaming apps, that also must be running code this bad. I honestly think it's only going to get worse, because the big dumb, useless tech companies like facebook, twitter, reddit, etc are the worst possible examples of this trend....

There was a golden age of programming, back when you had actual limitations on memory and CPU. Now we just live in an ultra-wasteful pit of inefficiency. It's just sad.

Long-time Slashdot reader Z00L00K left a comment arguing that "All this is because everyone today programs on huge frameworks that have everything including two full size kitchen sinks, one for right handed people and one for left handed." But in another comment Slashdot reader youn blames code generators, cut-and-paste programming, and the need to support multiple platforms.

But youn adds that even with that said, "In the old days, there was a lot more blue screens of death... Sure it still happens but how often do you restart your computer these days." And they also submitted this list arguing "There's a lot more functionality than before."
  • Some software has been around a long time. Even though the /. crowd likes to bash Windows, you got to admit backward compatibility is outstanding
  • A lot of things like security were not taken into consideration
  • It's a different computing environment.... multi tasking, internet, GPUs
  • In the old days, there was one task running all the time. Today, a lot of error handling, soft failures if the app is put to sleep
  • A lot of code is due to software interacting one with another, compatibility with standards
  • Shiny technology like microservices allow scaling, heterogeneous integration

So who's right and who's wrong? Leave your own best answers in the comments.

And are today's programmers leaving too much code bloat?


Google

Italy's Data Watchdog Latest To Warn Over Use of Google Analytics (techcrunch.com) 5

An anonymous reader quotes a report from TechCrunch: Another strike against use of Google Analytics in Europe: The Italian data protection authority has found a local web publisher's use of the popular analytics tool to be non-compliant with EU data protection rules owing to user data being transferred to the U.S. -- a country that lacks an equivalent legal framework to protect the info from being accessed by US spooks. The Garante found the web publisher's use of Google Analytics resulted in the collection of many types of user data, including device IP address, browser information, OS, screen resolution, language selection, plus the date and time of the site visit, which were transferred to the U.S. without adequate supplementary measures being applied to raise the level of protection to the necessary EU legal standard.

Protections applied by Google were not sufficient to address the risk, it added, echoing the conclusion of several other EU DPAs who have also found use of Google Analytics violates the bloc's data protection rules over the data export issue. Italy's DPA has given the publisher in question (a company called Caffeina Media Srl) 90 days to fix the compliance violation. But the decision has wider significance as it has also warned other local websites that are using Google Analytics to take note and check their own compliance, writing in a press release [translated from Italian with machine translation]: "[T]he Authority draws the attention of all Italian managers of websites, public and private, to the illegality of transfers made to the United States through GA [Google Analytics], also in consideration of the numerous reports and questions that are being received by the Office, and invites all data controllers to verify the compliance of the methods of use of cookies and other tracking tools used on its websites, with particular attention to Google Analytics and other similar services, with the legislation on the protection of personal data."
A Google spokesperson issued the following statement: "People want the websites they visit to be well designed, easy to use, and respectful of their privacy. Google Analytics helps publishers understand how well their sites and apps are working for their visitors -- but not by identifying individuals or tracking them across the web. These organizations, not Google, control what data is collected with these tools, and how it is used. Google helps by providing a range of safeguards, controls and resources for compliance."

Google is reviewing the Italian DPA's decision, according to the spokesperson.
The Internet

Internet Explorer Gravestone Goes Viral in South Korea (reuters.com) 36

An anonymous reader shares a report: For Jung Ki-young, a South Korean software engineer, Microsoft's decision to retire its Internet Explorer web browser marked the end of a quarter-century love-hate relationship with the technology. To commemorate its demise, he spent a month and 430,000 won ($330) designing and ordering a headstone with Explorer's "e" logo and the English epitaph: "He was a good tool to download other browsers." After the memorial went on show at a cafe run by his brother in the southern city of Gyeongju, a photo of the tombstone went viral.
Microsoft

Microsoft Will End Support For Most Versions of Internet Explorer on June 15 (zdnet.com) 90

It's finally happening. Microsoft will be ending support for most versions of its Internet Explorer (IE) 11 browser on June 15. ZDNet: Microsoft announced more than a year ago that IE would be removed from most versions of Windows 10 this year and has spent months encouraging customers to get ready by proactively retiring the browser from their organizations. IE 11 will be retired for Windows 10 client SKUs (version 20H2 and later) and Windows 10 IoT (version 20H2 and later). Products not affected by this retirement include IE Mode in Edge; IE 11 desktop on Windows 8.1, Windows 7 (with Extended Security Updates), Windows Server LTSC (all versions), Windows Server 2022, Windows 10 client LTSC (all versions), Windows 10 IoT LTSC (all versions). The IE 11 desktop app is not available on Windows 11, as Edge is the default browser for Windows 11. IE Mode in Microsoft Edge will be supported through at least 2029 to give web developers eight years to modernize legacy apps and eventually remove the need for IE mode, officials have said. According to Net Applications, a web monitoring tool, Internet Explorer still has a market share of 5.21% on desktops and laptops, far behind Chrome at over 69%, to be sure, but still ahead of Apple's Safari, which commands 3.73% market share.
The Internet

SEO Tool Ahrefs Built a $60M, Creator-Friendly Search Engine Named Yep (techcrunch.com) 28

In 2019 SEO toolset provider Ahrefs announced it would build its own search engine, remembers Search Engine Land. After investing $60 million of its own money, this month that search engine has finally launched with the name of "Yep", and Ahrefs "is positioning it as a Google competitor.

"However, we've seen plenty of Google competitors and Google "killers" come and go over the past two decades. So for now, let's just call it a Google alternative... Yep will not collect personal information (e.g., geolocation, name, age, gender) by default. Your Yep search history will not be stored anywhere.

What Yep will rely on is aggregated search statistics to improve algorithms, spelling corrections, and search suggestions, the company said. "In other words, we do save certain data on searches, but never in a personally identifiable way," said Ahrefs CEO Dmytro Gerasymenko.... What Yep will use is a searcher's:

- Entered keywords.
- Language preference received from the browser.
- Approximate geographical area at the origin of the search at the scale of a region or a city (deduced from the IP address)....

AhrefsBot visits more than 8 billion webpages every 24 hours, which makes it the second most active crawler on the web, behind only Google, Ahrefs said. For 12 years, AhrefsBot has been crawling the web. They had just been using the AhrefsBot data to power its link database and SEO insights. The Yep search index is updated every 15 to 30 minutes. Daily, the company adds 30 million webpages and drops 20 million.

Ahrefs said its Singapore data center is powered by around 1,000 servers that store and process 100 petabytes of web data (webpages, links between them, and the search index). Each server uses at least 2x 100GB connections... Before the end of the year, Ahrefs plans to open a U.S.-based data center.

"It's a unique proposition," reports TechCrunch, "running its own search index, rather than relying on APIs from Google or Bing.

"As for the name? I dunno; Yep seems pretty daft to me, but I guess at least the name is one character shorter than Bing, the other major search engine I'll only ever use by accident." Name aside, Yep is taking a fresh new path through the world of internet advertising, claiming that it's giving 90% of its ad revenues to content creators. The pitch is pretty elegant:

"Let's say that the biggest search engine in the world makes $100B a year. Now, imagine if they gave $90B to content creators and publishers," the company paints a picture of the future it wants to live in. "Wikipedia would probably earn a few billion dollars a year from its content. They'd be able to stop asking for donations and start paying the people who polish their articles a decent salary."

It's an impressively quixotic windmill to fight for the bootstrapped company Ahrefs. Its CEO sheds some light on why this makes sense to him:

"Creators who make search results possible deserve to receive payments for their work...."

Perhaps it sounds a little idealistic, but damn it, that's what made me excited about Yep in the first place. It represents the faintest of echoes from a web more innocent and more hopeful than the social-media poisoned cesspool of chaos and fake news we often find ourselves in today.

Search Engine Land points out that DuckDuckGo, which launched in 2008, "gets as many searches per year (~15.7 billion) as Google gets in about two or three days. Even Microsoft Bing — which is owned by Microsoft, the third-largest company on the planet by market cap — has failed to make a significant dent in Google's search market share since 2009."

But they also quote Ahrefs CEO Dmytro Gerasymenko as saying in 2019, "If we succeed in our endeavors, Google will finally get some long overdue competition for search."
Linux

'The Cynic's Guide to Desktop Linux' (theregister.com) 181

The Register has unveiled their "cynic's guide to desktop Linux," which they ultimately concede is a snarky yet affectionate list of "the least bad distros."

For those who are "sick of Windows but can't afford a Mac," the article begins by addressing people who complain there are too many Linux distros to choose from. "We thought we'd simplify things for you by listing how and in which ways the different options suck."

- The year of Linux on the desktop came and went, and nobody noticed — maybe because it doesn't say "Linux" on it. ChromeOS only runs on ChromeBooks and ChromeBoxes, but they outsold Macs for a while before the pandemic. "Flex" is the version for ordinary PCs... ChromeOS Flex works great, because it only does one thing: browse the web. You can't install apps, not even Android ones: only official kit does that. You can run Debian containers: if you know what that means, go run Debian. If you don't know what that means, trust us, you don't want to.

- Ubuntu is an ancient African word that means I can't configure Debian....

- Mint is an Ubuntu remix with knobs on. It was an also-ran for years, but when Ubuntu went all Mac-like it saw its chance and grabbed it — along with the number one spot in the charts. It dispenses with some of the questionable bits of recent Ubuntu, such as GNOME and Snaps, but replaces them with dodgy bits of its own, such as a confusing choice of not one, not two, but three Windows-like desktops, and overly cautious approaches to updates and upgrades.

- Debian is the daddy of free distros, and the one that invented the idea of a packaging tool that automatically installs dependencies. It's easier than it used to be, but mired in politics. It's sort of like Ubuntu, but more out of date, harder to install, and with fewer drivers. If that sounds just your sort of thing, go for it.

There are 10 snarky entries in all, zinging Fedora, openSUSE, Arch Linux, and Pop!_OS — as well as the various spinoffs of Red Hat Enterprise Linux. (The article calls Rocky Linux and AlmaLinux "RHEL with the serial numbers filed off.")

And there's also one final catch-all entry for "Tiny obscure distros. All of them."

Thanks to Slashdot reader AleRunner for sharing the link...
Programming

Why Gov.UK Stopped Using jQuery (web.dev) 88

The head of the UK government's digital transformation unit recently announced a change to the nation's government services site gov.uk: they've "removed jQuery as a dependency for all frontend apps, meaning 32 KB of minified and compressed JavaScript was removed" for everything from selecting elements to attaching event listeners....

Nearly 84% of mobile pages used jQuery in 2021, points out a new essay at Gov.UK — before explaining why they decided not to: jQuery was an instrumental tool in a time when we really needed a way to script interactivity in a way that smoothed over the differing implementations of stuff like event handling, selecting elements, animating elements, and so on.

The web is better because of jQuery — not just because it has such incredible utility, but because its ubiquity led to making what it provided part of the web platform itself. Nowadays, we can do just about anything jQuery can do in vanilla JavaScript... It really begs the question: Do we really need jQuery today? That's a question that GOV.UK has answered with a resounding "no"....

This is a big deal when it comes to the user experience, because GOV.UK provides services and information online for The United Kingdom at scale. Not everyone is tapping away on their 2022 MacBook Pro on a rip-roarin' broadband connection. GOV.UK has to be accessible to everyone, and that means keepin' it lean.... dependencies matter when it comes to performance. Don't shortchange your users if the web platform can easily do the job a framework can.

This level of commitment to the user experience from an institution that works at the scale GOV.UK does is commendable. I can only hope others follow in their footsteps.

Piracy

Pirate Site Blocking Is Making Its Way Into Free Trade Agreements (torrentfreak.com) 39

The new free trade agreement between Australia and the UK includes a site blocking paragraph. The text requires the countries to provide injunctive relief to require ISPs to prevent subscribers from accessing pirate sites. While this doesn't change much for the two countries, rightsholders are already eying similar requirements for trade deals with other nations. TorrentFreak reports: The inclusion of a blocking paragraph in the copyright chapter of the trade deal was high on the agenda of various copyright holder groups. Following a series of hearings and consultations, both countries settled on the following text:

1. Each Party shall provide that its civil judicial authorities have the authority to grant an injunction against an ISP within its territory, ordering the ISP to take action to block access to a specific online location, in cases where:
(a) that online location is located outside the territory of that Party; and
(b) the services of the ISP are used by a third party to infringe copyright or related rights in the territory of that Party.

2. For greater certainty, nothing in this Article precludes a Party from providing that its judicial authorities may grant an injunction to take action to block access to online locations used to infringe intellectual property rights in circumstances other than those specified in paragraph 1.


This hasn't gone unnoticed by the Alliance for Intellectual Property, which represents rightsholder organizations such as the MPA, BPI, and the Premier League. The group repeatedly urged the UK Government to include site-blocking powers in the agreement. In a recent submission to the UK Government, the Alliance once again stresses the importance of site blocking, while also hinting at broadening the current anti-piracy toolbox. "It has become a hugely valuable tool in the armory of rights holders looking to protect their IP. It is vital that the UK Government ensures the preservation of the no-fault injunctive relief regime," the Alliance writes. "We would also encourage the opening of dialogue, wherever possible, to share experience around UK practices and to encourage faster, more efficient website blocking procedures, whether through civil, criminal, administrative or voluntary means."

The site-blocking language is already included in the latest trade deal draft but the Alliance is also looking ahead at future agreements with other countries. In this context, the blocking paragraph will send a clear message. "We would therefore urge the UK Government to include reference to the site blocking legislation in the FTA with Australia as it will send an important message to future countries that we might chose [sic] to negotiate trade agreements with." The Alliance for Intellectual Property doesn't mention any other countries by name. However, it specifically references a report from the U.S. Copyright Office where site blocking was mentioned as a potential future anti-piracy option. In the same report, the Copyright Office also stressed that further research would be required on the effect and impact of a U.S. site-blocking scheme, but the idea wasn't dismissed outright.

Security

How to Eliminate the World's Need for Passwords (arstechnica.com) 166

The board members of the FIDO alliance include Amazon, Google, PayPal, RSA, and Apple and Microsoft (as well as Intel and Arm). It describes its mission as reducing the world's "over-reliance on passwords."

Today Wired reports that the group thinks "it has finally identified the missing piece of the puzzle" for finally achieving large-scale adoption of a password-supplanting technology: On Thursday, the organization published a white paper that lays out FIDO's vision for solving the usability issues that have dogged passwordless features and, seemingly, kept them from achieving broad adoption....

The paper is conceptual, not technical, but after years of investment to integrate what are known as the FIDO2 and WebAuthn passwordless standards into Windows, Android, iOS, and more, everything is now riding on the success of this next step.... FIDO is looking to get to the heart of what still makes passwordless schemes tough to navigate. And the group has concluded that it all comes down to the procedure for switching or adding devices. If the process for setting up a new phone, say, is too complicated, and there's no simple way to log in to all of your apps and accounts — or if you have to fall back to passwords to reestablish your ownership of those accounts — then most users will conclude that it's too much of a hassle to change the status quo.

The passwordless FIDO standard already relies on a device's biometric scanners (or a master PIN you select) to authenticate you locally without any of your data traveling over the Internet to a web server for validation. The main concept that FIDO believes will ultimately solve the new device issue is for operating systems to implement a "FIDO credential" manager, which is somewhat similar to a built-in password manager. Instead of literally storing passwords, this mechanism will store cryptographic keys that can sync between devices and are guarded by your device's biometric or passcode lock. At Apple's Worldwide Developer Conference last summer, the company announced its own version of what FIDO is describing, an iCloud feature known as "Passkeys in iCloud Keychain," which Apple says is its "contribution to a post-password world...."

FIDO's white paper also includes another component, a proposed addition to its specification that would allow one of your existing devices, like your laptop, to act as a hardware token itself, similar to stand-alone Bluetooth authentication dongles, and provide physical authentication over Bluetooth. The idea is that this would still be virtually phish-proof since Bluetooth is a proximity-based protocol and can be a useful tool as needed in developing different versions of truly passwordless schemes that don't have to retain a backup password. Christiaan Brand, a product manager at Google who focuses on identity and security and collaborates on FIDO projects, says that the passkey-style plan follows logically from the smartphone or multi-device image of a passwordless future. "This grand vision of 'Let's move beyond the password,' we've always had this end state in mind to be honest, it just took until everyone had mobile phones in their pockets," Brand says....

To FIDO, the biggest priority is a paradigm shift in account security that will make phishing a thing of the past.... When asked if this is really it, if the death knell for passwords is truly, finally tolling, Google's Brand turns serious, but he doesn't hesitate to answer: "I feel like everything is coalescing," he says. "This should be durable."

Such a change won't happen overnight, the article points out. "With any other tech migration (ahem, Windows XP), the road will inevitably prove arduous."
Encryption

Researcher Uses 379-Year-Old Algorithm To Crack Crypto Keys Found In the Wild (arstechnica.com) 17

An anonymous reader quotes a report from Ars Technica: Cryptographic keys generated with older software now owned by technology company Rambus are weak enough to be broken instantly using commodity hardware, a researcher reported on Monday. This revelation is part of an investigation that also uncovered a handful of weak keys in the wild. The software comes from a basic version of the SafeZone Crypto Libraries, which were developed by a company called Inside Secure and acquired by Rambus as part of its 2019 acquisition of Verimatrix, a Rambus representative said. That version was deprecated prior to the acquisition and is distinct from a FIPS-certified version that the company now sells under the Rambus FIPS Security Toolkit brand.

Researcher Hanno Böck said that the vulnerable SafeZone library doesn't sufficiently randomize the two prime numbers it used to generate RSA keys. (These keys can be used to secure Web traffic, shells, and other online connections.) Instead, after the SafeZone tool selects one prime number, it chooses a prime in close proximity as the second one needed to form the key. "The problem is that both primes are too similar," Böck said in an interview. "So the difference between the two primes is really small." The SafeZone vulnerability is tracked as CVE-2022-26320. Cryptographers have long known that RSA keys that are generated with primes that are too close together can be trivially broken with Fermat's factorization method. French mathematician Pierre de Fermat first described this method in 1643. Fermat's algorithm was based on the fact that any number can be expressed as the difference between two squares. When the factors are near the root of the number, they can be calculated easily and quickly. The method isn't feasible when factors are truly random and hence far apart. The security of RSA keys depends on the difficulty of factoring a key's large composite number (usually denoted as N) to derive its two factors (usually denoted as P and Q). When P and Q are known publicly, the key they make up is broken, meaning anyone can decrypt data protected by the key or use the key to authenticate messages.
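The factorization method described above, as an added example that is not part of the Ars report or of Böck's own tooling. It writes N = a^2 - b^2 = (a - b)(a + b) starting from a = ceil(sqrt(N)) and gives up after a small fixed number of steps, the way a screening tool over many keys would. The two moduli are constructed here for the demo (one from primes about 2^64 apart, one from independently chosen primes), the 100-step budget is an assumption, and the helper names are this example's own:

```python
"""Fermat factorization of an RSA modulus whose primes are too close.

Added example, not code from the Ars Technica report or from Hanno Böck's
tooling. The primes are generated here for the demo, and the 100-iteration
bound is an assumption chosen to keep the check cheap, as a screening tool
over billions of keys would.
"""
import math

# Fixed Miller-Rabin bases: deterministic for n < 3.3e24, probabilistic (but
# adequate for a demo) for the 256-bit primes generated below.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin primality test with the fixed bases above."""
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n: int) -> int:
    """Smallest probable prime >= n."""
    while not is_probable_prime(n):
        n += 1
    return n


def fermat_factor(n: int, max_iter: int = 100):
    """Try to express n as a^2 - b^2 = (a - b)(a + b), starting at a = ceil(sqrt(n)).

    Returns (p, q) with p <= q on success, or None if no representation is
    found within max_iter steps. Each step moves a up by one, so the method
    succeeds quickly only when the factors are near sqrt(n), i.e. close to
    each other; for well-separated primes the needed a is astronomically far
    from the starting point and the bound is hit.
    """
    if n % 2 == 0:
        return 2, n // 2
    a = math.isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_iter):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None


def weak_modulus():
    """Constructed 512-bit modulus from primes about 2^64 apart (far below N^(1/4))."""
    p = next_prime((1 << 255) + 0x1234_5678)
    q = next_prime(p + (1 << 64))
    return p, q, p * q


def safe_modulus():
    """Constructed modulus from two independently chosen primes of different sizes."""
    p = next_prime((1 << 254) + 0x9ABC_DEF0)
    q = next_prime((1 << 255) + 0x0FED_CBA9)
    return p, q, p * q


if __name__ == "__main__":
    p, q, n = weak_modulus()
    print("weak modulus recovered:", fermat_factor(n) == (p, q))
    _, _, n = safe_modulus()
    print("safe modulus within 100 steps:", fermat_factor(n))
```

To screen a real key with this, extract the modulus as hex with `openssl rsa -pubin -in pub.pem -noout -modulus` (or `openssl x509 -in cert.pem -noout -modulus` for a certificate), convert it with `int(hexstring, 16)` and pass it to `fermat_factor`. A `None` result only says the primes are not close enough to fall to this particular method within the budget; it is not evidence that the key is otherwise sound.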

So far, Böck has identified only a handful of keys in the wild that are vulnerable to the factorization attack. Some of the keys belong to printers originally branded as Fuji Xerox and now belonging to Canon. Printer users can use the keys to generate a Certificate Signing Request. The creation date for the keys was 2020 or later. The weak Canon keys are tracked as CVE-2022-26351. Böck also found four vulnerable PGP keys, typically used to encrypt email, on SKS PGP key servers. A user ID tied to the keys implied they were created for testing, so he doesn't believe they're in active use. Böck said he believes all the keys he found were generated using software or methods not connected to the SafeZone library. If true, other software that generates keys might be easily broken using the Fermat algorithm. It's plausible also that the keys were generated manually, "possibly by people aware of this attack creating test data." The researcher found the keys by searching through billions of public keys that he either had access to, were shared with him by other researchers, or that were available through certificate transparency programs.
UPDATE: The headline incorrectly stated that a "600-Year-Old Algorithm" was used. It's been changed to "379-Year-Old-Algorithm" to reflect the updated headline on Ars.
Windows

New Windows 11 Test Build Wants Your Credit Card Info (pcworld.com) 148

Microsoft's latest Windows 11 test build is another substantial one, adding two important features: payment information, and a new security feature called Smart App Control that will watch over new apps and games that you add to your PC. PCWorld reports: Microsoft released Windows 11 Insider Preview Build 22567 for the Dev Channel on Wednesday with other changes, too -- including a tweak to Windows Update, so that now you can configure your PC to turn on an update when renewable energy is at its most plentiful. (Remember, code that Microsoft tests within the Dev Channel may make its way to your PC eventually -- or not.)

Asking for credit-card information within Windows isn't that startling, as you've probably already entered payment information into the Microsoft ecosystem either for buying apps or movies on the Microsoft Store app or for making similar purchases via your Xbox. Still, those transactions are normally performed via your Microsoft Account web page, which manages all of that online and behind the scenes. (You can reach them via the Windows 11 Settings > Accounts > Your Microsoft account.) Microsoft considers the additional credit-card info as part of the subscription option it added last month. Now, if your subscription risks falling through because of an expired credit card, Microsoft will alert you. Conceptually, however, it implies that your PC is as much a tool to make purchases as it is to simply work and game.

Another interesting addition is what Microsoft calls Smart App Control, or SAC. Microsoft describes it as a "new security feature for Windows 11 that blocks untrusted or potentially dangerous applications." What those applications are, apparently, is up to Microsoft. And yes, there's always a concern that SAC would flag otherwise innocuous applications that it simply hasn't seen before. But Microsoft is gently easing SAC onto your PC. For one thing, you'll need to perform a clean install to enable it. For another, SAC won't immediately insert itself.
Other tweaks and changes include the ability to have Windows update your PC when clean energy is more commonly available (via Microsoft's partners electricityMap or WattTime) and better integration between your Android phone and PC via Windows 11 OOBE (Out of the Box Experience).

Additionally, "Microsoft now offers wider availability of speech packs to improve transcription, the ability to choose a mic for dictation/ transcription, and the ability to mute your speakers by simply clicking the volume icon in the hardware indicator for volume," reports PCWorld.
Google

The Oddly Addictive Quality of Google Alerts (newyorker.com) 7

The imperfect, scattershot search tool delivers just enough usefulness and serendipity to keep one hooked. From a report: Google Alerts can cast a wonderful net, but mesh size matters: large holes and it catches nothing, too small and it catches everything. Consider the earliest and one of the most persistent reasons for setting these alerts: tracking yourself. All is vanity, perhaps especially on the Internet, so it's no surprise that one of the things that we're most eager to know is what the world is saying about us. The engineer who developed the alert system for Google told CNN that when he first presented the idea, twenty years ago, his manager was skeptical, worrying that it would starve the search-engine of traffic: rather than consumers constantly searching for fresh mentions of whatever topic interested them, they would wait for the alert, then follow its links not to Google but to outside Web sites, leaching away potential advertising revenue. In response, the engineer, one of the first forty or so employees of the company, took his prototype to Google's co-founders, who approved it after watching him demonstrate only two search terms: "Google" and "Larry Page," the name of one of the co-founders.

Learning what other people thought about us used to take either a great deal of luck, like Tom Sawyer being mistaken for dead and then getting to eavesdrop on his own funeral, or a great deal of effort, like Harun al-Rashid, a caliph of the Abbasid dynasty, in the "Arabian Nights," disguising himself in order to venture out into the streets and talk with his subjects candidly. But the Internet has made it easy -- made it, in fact, almost unavoidable. The same Google Alert can make sure you know that your long-lost bunkmate from summer camp has mentioned you in an essay, that a friend of your deceased uncle has written a memoir of their time together in the Marines (including the care packages you sent them), and that the local newspaper has digitized its archives, thereby offering up to the Internet your high-school football averages and your arrest for vandalism.

News

Brazilian Academics Create Automated Fake News Detection Platform (zdnet.com) 35

An anonymous reader quotes a report from ZDNet: A group of Brazilian researchers has created a web platform that is able to identify false information online in an automated manner. Developed by academics at the Center for Mathematical Sciences Applied to Industry (CeMEAI), the system uses a combination of statistical models and machine learning techniques to establish whether a specific content in Brazilian Portuguese is likely to be false. Initial tests suggest the platform is able to detect fake news with a 96% accuracy. The CeMEAI is a research center based in the mathematics and computer science department of the University of Sao Paulo, in the Sao Paulo state city of Sao Carlos. The center is supported by grants from the Sao Paulo Research Agency (FAPESP). In an interview with FAPESP's news agency, project coordinator and technology transfer director Francisco Louzada Neto said the goal of the project is "to offer society an additional tool to identify, not only subjectively, whether a news item is false or not."

The system uses statistical methods to analyze writing characteristics, such as words used or more frequently used grammatical classes. These are then fed into a machine learning-based classifier, which is able to distinguish patterns of language, vocabulary and semantics of fake and real news, and automatically infer whether the content submitted to the platform is false. The models were trained with a massive database of real and false news and were exposed to the vocabulary used in over 100,000 articles published over the last five years. The researchers will aim to use the false news related to the upcoming presidential elections, as well as content related to the Covid-19 pandemic to further calibrate the models. The researchers also commented on the potential risks of the system in the interview, including the potential that the system could be used by fake news creators to assess the potential for false content to pass for real before it is published. "That's a risk we're going to have to deal with," Louzada noted.

Bitcoin

Ruby On Rails Creator Backpedals About Bitcoin: 'We Need Crypto' (cointelegraph.com) 263

New submitter LZ_Mordan writes: David Heinemeier Hansson, the Ruby on Rails web development framework creator, took to Twitter on Monday to tell his followers that he was no longer a Bitcoin skeptic. "I still can't believe that this is the protest that would prove every Bitcoin crank a prophet. And for me to have to slice a piece of humble pie, and admit that I was wrong on crypto's fundamental necessity in Western democracies," Hansson wrote. In a blog post titled "I was wrong, we need crypto," the Danish programmer mentioned that he's been skeptical about Bitcoin and the crypto industry in general since the early 2010s.

He noted that some of his biggest arguments against Bitcoin were the cryptocurrency's energy consumption, transaction fees, the lack of real decentralization, supposed fraud involving Tether (USDT) stablecoin and many others. But all these arguments do not provide enough reasons to disregard cryptocurrencies as a tool to support freedom and democracy in situations where countries like Canada impose martial law in response to peaceful protest movements, Hansson argued, stating: "It's clear to me now that I was too hasty to completely dismiss crypto on the basis of all the things wrong with it at the moment. Instead of appreciating the fundamental freedom to transact that it's currently our best shot at protecting."

AI

The Unnerving Rise of Video Games that Spy on You (wired.com) 44

Players generate a wealth of revealing psychological data -- and some companies are soaking it up. From a report: While there are no numbers on how many video game companies are surveilling their players in-game (although, as a recent article suggests, large publishers and developers like Epic, EA, and Activision explicitly state they capture user data in their license agreements), a new industry of firms selling middleware "data analytics" tools, often used by game developers, has sprung up. These data analytics tools promise to make users more amenable to continued consumption through the use of data analysis at scale.

Such analytics, once available only to the largest video game studios -- which could hire data scientists to capture, clean, and analyze the data, and software engineers to develop in-house analytics tools -- are now commonplace across the entire industry, pitched as "accessible" tools that provide a competitive edge in a crowded marketplace by companies like Unity, GameAnalytics, or Amazon Web Services. (Although, as a recent study shows, the extent to which these tools are truly "accessible" is questionable, requiring technical expertise and time to implement.) As demand for data-driven insight has grown, so have the range of different services -- dozens of tools in the past several years alone, providing game developers with different forms of insight. One tool -- essentially Uber for playtesting -- allows companies to outsource quality assurance testing, and provides data-driven insight into the results. Another supposedly uses AI to understand player value and maximize retention (and spending, with a focus on high-spenders).

Developers might use data from these middleware companies to further refine their game (players might be getting overly frustrated and dying at a particular point, indicating the game might be too difficult) or their monetization strategies (prompting in-app purchases -- such as extra lives -- at such a point of difficulty). But our data is not just valuable to video game companies in fine-tuning design. Increasingly, video game companies exploit this data to capitalize user attention through targeted advertisements. As a 2019 eMarketer report suggests, the value of video games as a medium for advertising is not just in access to large-scale audience data (such as the Unity ad network's claim to billions of users), but through ad formats such as playable and rewarded advertisements -- that is, access to audiences more likely to pay attention to an ad.

Youtube

Host of Youtube-dl Web Site Sued by Major Record Labels (torrentfreak.com) 104

"As part of their growing battle against popular open source software tool youtube-dl, three major music labels are now suing Uberspace, the company that currently hosts the official youtube-dl homepage," reports TorrentFreak: According to plaintiffs Sony, Universal and Warner, youtube-dl circumvents YouTube's "rolling cipher" technology, something a German court found to be illegal in 2017.... While the RIAA's effort to take down youtube-dl from GitHub grabbed all the headlines, moves had already been underway weeks before that in Germany. Law firm Rasch works with several major music industry players and it was on their behalf that cease-and-desist orders were sent to local hosting service Uberspace. The RIAA complained that the company was hosting the official youtube-dl website although the tool itself was hosted elsewhere.

"The software itself wasn't hosted on our systems anyway so, to be honest, I felt it to be quite ridiculous to involve us in this issue anyway — a lawyer specializing in IT laws should know better," Jonas Pasche from Uberspace said at the time.

In emailed correspondence today Uberspace informed TorrentFreak that, following the cease-and-desist in October 2020, three major music labels are now suing the company in Germany... According to the labels, youtube-dl poses a risk to their business and enables users to download their artists' copyrighted works by circumventing YouTube's technical measures. As a result, Uberspace should not be playing a part in the tool's operations by hosting its website if it does not wish to find itself liable too....

The alleged illegality of youtube-dl is indeed controversial. While YouTube's terms of service generally disallow downloading, in Germany there is the right to make a private copy, with local rights group GEMA collecting fees to compensate for just that. Equally, when users upload content to YouTube under a Creative Commons license, for example, they agree to others in the community making use of that content. "Even if YouTube doesn't provide video download functionality right out of the box, the videos are not provided with copy protection," says former EU MP Julia Reda from the Society for Freedom Rights (GFF) to NetzPolitik. "Not only does YouTube pay license fees for music, we all pay fees for the right to private copying in the form of the device fee, which is levied with every purchase of smartphones or storage media," says Reda.

"Despite this double payment, Sony, Universal and Warner Music want to prevent us from exercising our right to private copying by saving YouTube videos locally on the hard drive."
