Open Source

OpenTTD (Unofficial Remake of 'Transport Tycoon Deluxe' Game) Turns 20 (openttd.org) 17

In 1995 Scottish video game designer Chris Sawyer created the business simulator game Transport Tycoon Deluxe — and within four years, Wikipedia notes, work began on the first version of an open source version that's still being actively developed. "According to a study of the 61,154 open-source projects on SourceForge in the period between 1999 and 2005, OpenTTD ranked as the 8th most active open-source project to receive patches and contributions. In 2004, development moved to their own server."

Long-time Slashdot reader orudge says he's been involved for almost 25 years. "Exactly 21 years ago, I received an ICQ message (look it up, kids) out of the blue from a guy named Ludvig Strigeus (nicknamed Ludde)." "Hello, you probably don't know me, but I've been working on a project to clone Transport Tycoon Deluxe for a while," he said, more or less... Ludde made more progress with the project [written in C] over the coming year, and it looks like we even attempted some multiplayer games (not too reliable, especially over my dial-up connection at the time). Eventually, when he was happy with what he had created, he agreed to allow me to release the game as open source. Coincidentally, this happened exactly a year after I'd first spoken to him, on the 6th March 2004...

Things really got going after this, and a community started to form with enthusiastic developers fixing bugs, adding in new features, and smoothing off the rough edges. Ludde was, I think, a bit taken aback by how popular it proved, and even rejoined the development effort for a while. A read through the old changelogs reveals just how many features were added over a very short period of time. Quick wins like higher vehicle limits came in very quickly, and support for TTDPatch's NewGRF format started to be functional just four months later. Large maps, improved multiplayer, better pathfinders, improved TTDPatch compatibility, and of course, ports to a great many different operating systems, such as Mac OS X, BeOS, MorphOS and OS/2. It was a very exciting time to be a TTD fan!

Within six years, ambitious projects to create free replacements for the original TTD graphics, sounds and music sets were complete, and OpenTTD finally had its 1.0 release. And while we may not have the same frantic addition of new features we had in 2004, there have still been massive improvements to the code, with plenty of exciting new features over the years, with major releases every year since 2008. The move to GitHub in 2018 and the release of OpenTTD on Steam in 2021 have also re-energised development efforts, with thousands of people now enjoying playing the game regularly. And development shows no signs of slowing down, with the upcoming OpenTTD 14.0 release including over 40 new features!

"Personally, I would like to say thank you to everyone who has supported OpenTTD development over the past two decades..." they write, adding "Finally, of course, I'd like to thank you, the players! None of us would be here if people weren't still playing the game.

"Seeing how the first twenty years have gone, I can't wait to see what the next twenty years have in store. :)"

Security

Misconfigured Cloud Servers Targeted with Linux Malware for New Cryptojacking Campaign (cadosecurity.com) 16

Researchers at Cado Security Labs received an alert about a honeypot using the Docker Engine API. "A Docker command was received..." they write, "that spawned a new container, based on Alpine Linux, and created a bind mount for the underlying honeypot server's root directory..." Typically, this is exploited to write out a job for the Cron scheduler to execute... In this particular campaign, the attacker exploits this exact method to write out an executable at the path /usr/bin/vurl, along with registering a Cron job to decode some base64-encoded shell commands and execute them on the fly by piping through bash.

The vurl executable consists solely of a simple shell script function, used to establish a TCP connection with the attacker's Command and Control (C2) infrastructure via the /dev/tcp device file. The Cron jobs mentioned above then utilise the vurl executable to retrieve the first stage payload from the C2 server... To provide redundancy in the event that the vurl payload retrieval method fails, the attackers write out an additional Cron job that attempts to use Python and the urllib2 library to retrieve another payload named t.sh

"Multiple user mode rootkits are deployed to hide malicious processes," they note. And one of the shell scripts "makes use of the shopt (shell options) built-in to prevent additional shell commands from the attacker's session from being appended to the history file... Not only are additional commands prevented from being written to the history file, but the shopt command itself doesn't appear in the shell history once a new session has been spawned."

The same script also inserts "an attacker-controlled SSH key to maintain access to the compromised host," according to the article, retrieves a miner for the Monero cryptocurrency and then "registers persistence in the form of systemd services" for both the miner and an open source Golang reverse shell utility named Platypus.

It also delivers "various utilities," according to the blog Security Week, "including 'masscan' for host discovery." Citing CADO's researchers, they write that the shell script also "weakens the machine by disabling SELinux and other functions and by uninstalling monitoring agents." The Golang payloads deployed in these attacks allow attackers to search for Docker images from the Ubuntu or Alpine repositories and delete them, and identify and exploit misconfigured or vulnerable Hadoop, Confluence, Docker, and Redis instances exposed to the internet... ["For the Docker compromise, the attackers spawn a container and escape from it onto the underlying host," the researchers write.]

"This extensive attack demonstrates the variety in initial access techniques available to cloud and Linux malware developers," Cado notes. "It's clear that attackers are investing significant time into understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services and using this knowledge to gain a foothold in target environments."
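Two host-side checks for the indicators the researchers describe (a container that bind-mounts the host's root directory, and a cron entry that decodes base64 and pipes it into bash), written as an added example rather than code from Cado's report. The `docker inspect` output and crontab it runs on are constructed samples; the container and image names in them are placeholders.

```python
"""Flag containers that bind-mount sensitive host paths and crontab lines that
decode base64 straight into a shell. Sample inputs are constructed, not real."""
from __future__ import annotations

import json
import re

# Host paths that, once bind-mounted into a container, hand over the host.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/var/run/docker.sock", "/run/docker.sock"}


def risky_binds(inspect_json: str) -> list[tuple[str, str]]:
    """Return (container_name, host_path) for each sensitive bind mount found in
    the output of `docker inspect <ids...>` (a JSON list of container objects)."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "?").lstrip("/")
        for mount in container.get("Mounts", []):
            if mount.get("Type") != "bind":
                continue
            src = mount.get("Source", "")
            src = src if src == "/" else src.rstrip("/")  # "/etc/" -> "/etc"
            if src in SENSITIVE_HOST_PATHS:
                findings.append((name, src))
    return findings


# "base64 -d", "base64 --decode" or BSD "base64 -D", later piped into sh/bash
_B64_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode|-D)\b.*\|\s*(?:\S*/)?(?:ba)?sh\b")


def suspicious_cron_lines(crontab: str) -> list[str]:
    """Return non-comment crontab lines whose command decodes base64 into a shell."""
    hits = []
    for line in crontab.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if _B64_TO_SHELL.search(stripped):
            hits.append(stripped)
    return hits


# Constructed `docker inspect` output: one ordinary container and one that
# mounts the host root at /mnt, the pattern seen on the honeypot above.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"Image": "nginx"},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data",
                 "Destination": "/usr/share/nginx/html"}]},
    {"Name": "/alpine-x", "Config": {"Image": "alpine"},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}]},
])

# Constructed crontab; the base64 text decodes to a harmless "echo hi".
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * echo ZWNobyBoaQ== | base64 -d | bash
"""

if __name__ == "__main__":
    for name, path in risky_binds(SAMPLE_INSPECT):
        print(f"[bind-mount] container {name!r} exposes host path {path!r}")
    for line in suspicious_cron_lines(SAMPLE_CRONTAB):
        print(f"[cron] base64-to-shell: {line}")
```

On a live host, feed it `docker inspect $(docker ps -aq)` and the contents of /etc/crontab, /etc/cron.d/* and each user's crontab.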

Encryption

Signal's New Usernames Help Keep Cops Out of Your Data (theintercept.com) 39

Longtime Slashdot reader SonicSpike shares a report from The Intercept: With the new version of Signal, you will no longer broadcast your phone number to everyone you send messages to by default, though you can choose to if you want. Your phone number will still be displayed to contacts who already have it stored in their phones. Going forward, however, when you start a new conversation on Signal, your number won't be shared at all: Contacts will just see the name you use when you set up your Signal profile. So even if your contact is using a custom Signal client, for example, they still won't be able to discover your phone number since the service will never tell it to them.

You also now have the option to set a username, which Signal lets you change whenever you want and delete when you don't want it anymore. Rather than directly storing your username as part of your account details, Signal stores a cryptographic hash of your username instead; Signal uses the Ristretto 25519 hashing algorithm, essentially storing a random block of data instead of usernames themselves. This is like how online services can confirm a user's password is valid without storing a copy of the actual password itself. "As far as we're aware, we're the only messaging platform that now has support for usernames that doesn't know everyone's usernames by default," said Josh Lund, a senior technologist at Signal. The move is yet another piece of the Signal ethos to keep as little data on hand as it can, lest the authorities try to intrude on the company. Whittaker explained, "We don't want to be forced to enumerate a directory of usernames." [...]

If Signal receives a subpoena demanding that they hand over all account data related to a user with a specific username that is currently active at the time that Signal looks it up, they would be able to link it to an account. That means Signal would turn over that user's phone number, along with the account creation date and the last connection date. Whittaker stressed that this is "a pretty narrow pipeline that is guarded viciously by ACLU lawyers," just to obtain a phone number based on a username. Signal, though, can't confirm how long a given username has been in use, how many other accounts have used it in the past, or anything else about it. If the Signal user briefly used a username and then deleted it, Signal wouldn't even be able to confirm that it was ever in use to begin with, much less which accounts had used it before.

In short, if you're worried about Signal handing over your phone number to law enforcement based on your username, you should only set a username when you want someone to contact you, and then delete it afterward. And each time, always set a different username. Likewise, if you want someone to contact you securely, you can send them your Signal link, and, as soon as they make contact, you can reset the link. If Signal receives a subpoena based on a link that was already reset, it will be impossible for them to look up which account it was associated with. If the subpoena demands that Signal turn over account information based on a phone number, rather than a username, Signal could be forced to hand over the cryptographic hash of the account's username, if a username is set. It would be difficult, however, for law enforcement to learn the actual username itself based on its hash. If they already suspect a username, they could use the hash to confirm that it's real. Otherwise, they would have to guess the username using password cracking techniques like dictionary attacks or rainbow tables.

Piracy

In Indonesia, Women Pirate More Music and Movies Than Men (torrentfreak.com) 36

Piracy was traditionally seen as something that predominantly young males were interested in. This is a largely outdated representation of reality, as girls and women began to catch up a long time ago. In some countries, including Indonesia, more women pirate music, movies, and TV-shows than their male counterparts. TorrentFreak reports: [N]ew findings published by researchers from Northumbria University Newcastle, which include gender, are worth highlighting. The survey data, looking at piracy trends in Thailand and Indonesia, was released by Marketing professor Dr. Xuemei Bian and Ms. Humaira Farid. The results were presented to WIPO's Advisory Committee on Enforcement recently and the associated presentation (PDF) was published online. Through an online survey and in-person interviews, the research aims to map consumer attitudes and behaviors in Indonesia and Thailand, particularly in connection with online copyright infringement.

One of the overall conclusions is that piracy remains a common activity in both Asian countries. Pirates are present in all age groups, and music, movies and TV-shows tend to be in highest demand among younger people. Those under 40 are more likely to pirate than their older counterparts. These findings are not out of the ordinary and the same trends are visible in other countries too. Interestingly, however, some notable differences between the two countries appear when gender is added to the mix. The tables below show that women are more likely to pirate than men in Indonesia. This is true for all content categories, except for software, where men are slightly in the lead. In Thailand, however, men are more likely to pirate across all categories. The researchers do not attempt to explain these differences. However, they show once again that 'dated' gender stereotypes don't always match with reality. And when they have little explanatory value, one can question whether gender is even relevant in a piracy context.

Looking at other differences between Thai and Indonesian consumers there are some other notable findings. For example, in Indonesia, 64% of the respondents say they're aware of the availability of pirated movies and TV-shows on YouTube, compared to 'just' 32% in Thailand. Indonesian consumers are also more familiar with music piracy sites and pirate much more frequently than Thai consumers, as the table below shows. Finally, the researchers also looked at various attitudes toward piracy. This shows that Thai pirates would be most likely to stop if legal services were more convenient, while Indonesian pirates see cheaper legal services as the largest discouraging factor.

Google

Google is Making Search Suggestions in Chrome More Helpful (techcrunch.com) 25

An anonymous reader shares a report: Google is introducing improvements to search suggestions in Chrome, the company announced today. As part of the changes, users will start to get more helpful search suggestions in Chrome based on what others are searching for, see more images for suggested searches and find search suggestions even with a poor connection.

Search suggestions are the drop-down list of suggested completions that appear before you finish typing out your query in Google. The feature generates predictions to help users save time and speed up their search. With these new updates, Google is expanding the availability of search suggestions and using them to boost inspiration. When users are signed into Chrome on desktop and open a new tab, they will now start to see suggestions in the search box related to their previous searches based on what other people are searching for.

AI

NY Governor Wants To Criminalize Deceptive AI (axios.com) 39

New York Gov. Kathy Hochul is proposing legislation that would criminalize some deceptive and abusive uses of AI and require disclosure of AI in election campaign materials, her office told Axios. From the report: Hochul's proposed laws include establishing the crime of "unlawful dissemination or publication of a fabricated photographic, videographic, or audio record"; making unauthorized uses of a person's voice "in connection with advertising or trade" a misdemeanor offense, punishable by up to a one-year jail sentence; and expanding New York's penal law to include unauthorized uses of artificial intelligence in coercion, criminal impersonation and identity theft.

Amending existing intimate images and revenge porn statutes to include "digital images" -- ranging from realistic Photoshop-produced work to advanced AI-generated content. Codifying the right to sue over digitally manipulated false images. Requiring disclosures of AI use in all forms of political communication "including video recording, motion picture, film, audio recording, electronic image, photograph, text, or any technological representation of speech or conduct" within 60 days of an election.

The Internet

Ask Slashdot: Can You Roll Your Own Home Router? 150

"My goal is to have a firewall that I trust," writes Slashdot reader eggegick, "not a firewall that comes from the manufacturer that might have back doors." I'm looking for a cheap mini PC I can turn into a headless Linux-based wireless and Ethernet router. The setup would be a cable modem on the Comcast side, Ethernet out from the modem to the router, and Ethernet and WiFi out to the home network.

Two long-time Slashdot readers had suggestions. johnnys believes "any old desktop or even a laptop will work.... as long as you have a way to get a couple of (fast or Gigabit) Ethernet ports and a good WiFi adapter... " Cable or any consumer-grade broadband doesn't need exotic levels of throughput: Gigabit Ethernet will not be saturated by any such connection...

You can also look at putting FOSS firewall software like DD-WRT or OpenWrt on consumer-grade "routers". Such hardware is usually set up with the right hardware and capabilities you are looking for. Note however that newer hardware may not work with such firmwares as the FCC rules about controlling RF have caused many manufacturers to lock down firmware images.

And you don't necessarily need to roll your own with iptables: There are several BSD or Linux-based FOSS distributions that do good firewall functionality. PFSense is very good and user-friendly, and there are others. OpenBSD provides an exceptionally capable enterprise-level firewall on a secure platform, but it's not designed to be user-friendly.

Long-time Slashdot reader Spazmania agrees the "best bet" is "one of those generic home wifi routers that are supported by DD-WRT or OpenWrt." It's not uncommon to find something used for $10-$20. And then install one or the other, giving a Linux box with full control. Add a USB stick so you have enough space for all the utilities.

I just went through the search for mini-PCs for a project at work. The main problem is that almost all of them cool poorly, and that significantly impairs their life span. I finally found a few at the $100 price point that cooled acceptably... and they disappeared from the market shortly after I bought the test units, replaced with newer models in the $250 ballpark.

Share your own thoughts and experiences in the comments.
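For the "roll your own" route johnnys mentions, here is an added example (not from any commenter) of a minimal ruleset generator for a two-interface Linux router using nftables, the successor to iptables: default-deny inbound on the WAN side, NAT for the LAN, and only DHCP, DNS and SSH reachable from inside. The interface names eth0/eth1 and the 192.168.1.0/24 prefix are assumptions, overridable through environment variables.

```shell
#!/bin/sh
# Generate, optionally syntax-check, and (as root) apply a minimal nftables
# ruleset for a home router with one WAN and one LAN interface.
# Interface names and LAN prefix are assumptions; override via the environment.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the ruleset. Inbound from WAN is dropped unless it belongs to a
# connection the LAN started; LAN hosts may reach the router for DHCP/DNS/SSH.
router_ruleset() {
  cat <<EOF
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    # router services reachable from the LAN only: DHCP, DNS, SSH
    iifname "$LAN_IF" udp dport { 67, 53 } accept
    iifname "$LAN_IF" tcp dport { 53, 22 } accept
    # ICMP needed for path MTU discovery and IPv6 neighbour discovery
    icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
    meta l4proto ipv6-icmp accept
    # answer pings from the WAN side, but rate-limited
    iifname "$WAN_IF" icmp type echo-request limit rate 5/second accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "$LAN_IF" oifname "$WAN_IF" accept
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}

table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100;
    ip saddr $LAN_NET oifname "$WAN_IF" masquerade
  }
}
EOF
}

# Parse the file with nft without loading it. Skipped (exit 0) when nft is
# missing or we are not root, so the generator can be dry-run anywhere.
check_ruleset() {
  if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    nft -c -f "$1"
  else
    echo "skipping nft syntax check (needs nft installed and root)" >&2
  fi
}

# Load the ruleset and turn on IPv4 forwarding; root only.
apply_ruleset() {
  [ "$(id -u)" -eq 0 ] || { echo "must be root to apply" >&2; return 1; }
  nft -f "$1" && sysctl -w net.ipv4.ip_forward=1
}

main() {
  out="${1:-${TMPDIR:-/tmp}/router.nft}"
  router_ruleset > "$out"
  check_ruleset "$out"
  echo "ruleset written to $out; load it with: apply_ruleset $out"
}

main "$@"
```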

Can you roll your own home router?

The Internet

Comcast Reluctantly Agrees To Stop Its Misleading '10G Network' Claims (arstechnica.com) 67

An anonymous reader quotes a report from Ars Technica: Comcast has reluctantly agreed to discontinue its "Xfinity 10G Network" brand name after losing an appeal of a ruling that found the marketing term was misleading. It will keep using the term 10G in other ways, however. Verizon and T-Mobile both challenged Comcast's advertising of 10G, a term used by cable companies since it was unveiled in January 2019 by industry lobby group NCTA-The Internet & Television Association. We wrote in 2019 that the cable industry's 10G marketing was likely to confuse consumers and seemed to be a way of countering 5G hype generated by wireless companies.

10G doesn't refer to the 10th generation of a technology. It is a reference to potential 10Gbps broadband connections, which would be much faster than the actual speeds on standard cable networks today. The challenges lodged against Comcast marketing were filed with the advertising industry's self-regulatory system run by BBB National Programs. BBB's National Advertising Division (NAD) ruled against Comcast in October 2023, but Comcast appealed to the National Advertising Review Board (NARB). The NARB announced its ruling today, agreeing with the NAD that "Comcast should discontinue use of the term 10G, both when used in the name of the service itself ('Xfinity 10G Network') as well as when used to describe the Xfinity network. The use of 10G in a manner that is not false or misleading and is consistent with the panel decision is not precluded by the panel recommendations."

Comcast agreed to make the change in an advertiser's statement that it provided to the NARB. "Although Comcast strongly disagrees with NARB's analysis and approach, Comcast will discontinue use of the brand name 'Xfinity 10G Network' and will not use the term '10G' in a manner that misleadingly describes the Xfinity network itself," Comcast said. Comcast said it disagrees with "the recommendation to discontinue the brand name" because the company "makes available 10Gbps of Internet speed to 98 percent of its subscribers upon request." But those 10Gbps speeds aren't available in Comcast's typical service plans and require a fiber-to-the-home connection instead of a standard cable installation. Comcast said it may still use 10G in ways that are less likely to confuse consumers. "Consistent with the panel's recommendation... Comcast reserves the right to use the term '10G' or 'Xfinity 10G' in a manner that does not misleadingly describe the Xfinity network itself," the company said.

Communications

Starlink's Laser System Is Beaming 42 Million GB of Data Per Day (pcmag.com) 97

SpaceX revealed that it's delivering over 42 petabytes of data for customers per day, according to engineer Travis Brashears. "We're passing over terabits per second [of data] every day across 9,000 lasers," Brashears said today at SPIE Photonics West, an event in San Francisco focused on the latest advancements in optics and light. "We actually serve over lasers all of our users on Starlink at a given time in like a two-hour window." PCMag reports: Although Starlink uses radio waves to beam high-speed internet to customers, SpaceX has also been outfitting the company's satellites with a "laser link" system to help drive down latency and improve the system's global coverage. The lasers, which can sustain a 100Gbps connection per link, are especially crucial to helping the satellites fetch data when no SpaceX ground station is near, like over the ocean or Antarctic. Instead, the satellite can transmit the data to and from another Starlink satellite in Earth's orbit, forming a mesh network in space.

Tuesday's talk from Brashears revealed the laser system is quite robust, even as the equipment is flying onboard thousands of Starlink satellites constantly circling the Earth. Despite the technical challenges, the company has achieved a laser "link uptime" at over 99%. The satellites are constantly forming laser links, resulting in about 266,141 "laser acquisitions" per day, according to Brashears' presentation. But in some cases, the links can also be maintained for weeks at a time, and even reach transmission rates at up to 200Gbps.

Brashears also said Starlink's laser system was able to connect two satellites over 5,400 kilometers (3,355 miles) apart. The link was so long "it cut down through the atmosphere, all the way down to 30 kilometers above the surface of the Earth," he said, before the connection broke. "Another really fun fact is that we held a link all the way down to 122 kilometers while we were de-orbiting a satellite," he said. "And we were able to downstream the video." During his presentation, Brashears also showed a slide depicting how the laser system can deliver data to a Starlink dish in Antarctica through about seven different paths. "We can dynamically change those routes within milliseconds. So as long as we have some path to the ground [station], you're going to have 99.99% uptime. That's why it's important to get as many nodes up there as possible," he added.

Security

Mistakenly Published Password Exposes Mercedes-Benz Source Code (techcrunch.com) 29

An anonymous reader quotes a report from TechCrunch: Mercedes-Benz accidentally exposed a trove of internal data after leaving a private key online that gave "unrestricted access" to the company's source code, according to the security research firm that discovered it. Shubham Mittal, co-founder and chief technology officer of RedHunt Labs, alerted TechCrunch to the exposure and asked for help in disclosing to the car maker. The London-based cybersecurity company said it discovered a Mercedes employee's authentication token in a public GitHub repository during a routine internet scan in January. According to Mittal, this token -- an alternative to using a password for authenticating to GitHub -- could grant anyone full access to Mercedes's GitHub Enterprise Server, thus allowing the download of the company's private source code repositories.

"The GitHub token gave 'unrestricted' and 'unmonitored' access to the entire source code hosted at the internal GitHub Enterprise Server," Mittal explained in a report shared by TechCrunch. "The repositories include a large amount of intellectual property, connection strings, cloud access keys, blueprints, design documents, [single sign-on] passwords, API Keys, and other critical internal information." Mittal provided TechCrunch with evidence that the exposed repositories contained Microsoft Azure and Amazon Web Services (AWS) keys, a Postgres database, and Mercedes source code. It's not known if any customer data was contained within the repositories. It's not known if anyone else besides Mittal discovered the exposed key, which was published in late-September 2023.

A Mercedes spokesperson confirmed that the company "revoked the respective API token and removed the public repository immediately."

"We can confirm that internal source code was published on a public GitHub repository by human error. The security of our organization, products, and services is one of our top priorities. We will continue to analyze this case according to our normal processes. Depending on this, we implement remedial measures."

Crime

IT Consultant Fined For Daring To Expose Shoddy Security (theregister.com) 102

Thomas Claburn reports via The Register: A security researcher in Germany has been fined $3,300 for finding and reporting an e-commerce database vulnerability that was exposing almost 700,000 customer records. Back in June 2021, according to our pals at Heise, a contractor identified elsewhere as Hendrik H. was troubleshooting software for a customer of IT services firm Modern Solution GmbH. He discovered that the Modern Solution code made a MySQL connection to a MariaDB database server operated by the vendor. It turned out the password to access that remote server was stored in plain text in the program file MSConnect.exe, and opening it in a simple text editor would reveal the unencrypted hardcoded credential.

With that easy-to-find password in hand, anyone could log into the remote server and access data belonging to not just that one customer of Modern Solution, but data belonging to all of the vendor's clients stored on that database server. That info is said to have included personal details of those customers' own customers. And we're told that Modern Solution's program files were available for free from the web, so truly anyone could inspect the executables in a text editor for plain-text hardcoded database passwords. The contractor's findings were discussed in a June 23, 2021 report by Mark Steier, who writes about e-commerce. That same day Modern Solution issued a statement [PDF] -- translated from German -- summarizing the incident [...]. The statement indicates that sensitive data about Modern Solution customers was exposed: last names, first names, email addresses, telephone numbers, bank details, passwords, and conversation and call histories. But it claims that only a limited amount of data -- names and addresses -- about shoppers who made purchases from these retail clients was exposed. Steier contends that's incorrect and alleged that Modern Solution downplayed the seriousness of the exposed data, which he said included extensive customer data from the online stores operated by Modern Solution's clients.

In September 2021 police in Germany seized the IT consultant's computers following a complaint from Modern Solution that claimed he could only have obtained the password through insider knowledge -- he worked previously for a related firm -- and the biz claimed he was a competitor. Hendrik H. was charged with unlawful data access under Section 202a of Germany's Criminal Code, based on the rule that examining data protected by a password can be classified as a crime under the Euro nation's cybersecurity law. In June 2023, a Julich District Court in western Germany sided with the IT consultant because the Modern Solution software was insufficiently protected. But the Aachen regional court directed the district court to hear the complaint. Now, the district court has reversed its initial decision. On January 17, a Julich District Court fined Hendrik H. and directed him to pay court costs.

IT

Google Maps Can Now Navigate Inside Tunnels (theverge.com) 38

Google Maps is about to get better at showing directions inside tunnels. A new feature spotted by SmartDroid allows the Android version of the app to use Bluetooth beacons to track your location in areas where GPS signals typically can't reach. The Verge: These beacons transmit Bluetooth signals that give location data to your phone, according to the Google-owned Waze, which already supports the feature. The app then uses this information along with the device's mobile connectivity to "provide real-time traffic data as it would with a typical GPS connection."
United States

US Tech Innovation Dreams Soured By Changed R&D Tax Laws (theregister.com) 35

Brandon Vigliarolo reports via The Register: A US federal tax change that took effect in 2022 thanks to a time-triggered portion of the Trump-era Tax Cuts and Jobs Act may leave entrepreneurs with massive tax bills. Section 174 of the US tax code -- prior to the passage of the 2017 TCJA -- allowed companies to handle the tax bill of their specified research or experimental (SRE) budgets in one of two ways: Either capitalized and amortized over the course of five years, or written off annually. Of the many things covered by SRE, most crucially for our purposes is "any amount paid or incurred in connection with the development of any software," which includes developer salaries.

The TCJA included a post-dated change to Section 174 that took effect on January 1, 2022 that would no longer allow companies to automatically expense any SRE costs on an annual basis. Going forward they'd all have to be amortized over five years -- a potential budgetary disaster for companies that haven't been doing so in the past. As pointed out by Gergely Orosz of The Pragmatic Engineer, a theoretical company with $1m in revenue and $1m of software developer salary costs could have claimed it had no taxable profit in 2021. The required SRE amortization rate of 10 percent would mean the org had $900k in profit in 2022 -- and a six-figure tax bill coming due the following year. This isn't theoretical -- Orosz said that he recently spoke to several engineers and entrepreneurs who've been surprised with massive tax bills that have led to layoffs, reduced hiring, and left some companies in financial distress.

House of Representatives member Ron Estes (R-KS), who last year sponsored a bill to restore Section 174 to its pre-TCJA option to expense or amortize, likewise said in a late-2023 op-ed that the changes have led to R&D at US companies -- not just in the tech sector -- shrinking considerably. "Since amortization took effect, the growth rate of R&D spending has slowed dramatically from 6.6 percent on average over the previous five years to less than one-half of 1 percent over the last 12 months," Estes said. "The [R&D] sector is down by more than 14,000 jobs." [...] That, and the Section 174 changes make the US far less enticing as a place to open a business or do R&D, and the only one with such forced amortization in the world.
Not much is being done to fix the TCJA problem with Section 174. The Estes bill, along with a related bill introduced in the Senate in March 2023, have not undergone a committee hearing since their introduction. The White House hasn't mentioned anything about Section 174.

Meanwhile, the IRS released a notice (PDF) reminding tax payers about Section 174's changes.
The Courts

eBay To Pay $3 Million Penalty For Employees Sending Live Cockroaches, Fetal Pig To Bloggers (cbsnews.com) 43

E-commerce giant eBay agreed to pay a $3 million penalty for the harassment and stalking of a Massachusetts couple by several of its employees. "The couple, Ina and David Steiner, had been subjected to threats and bizarre deliveries, including live spiders, cockroaches, a funeral wreath and a bloody pig mask in August 2019," reports CBS News. From the report: Thursday's fine comes after several eBay employees ran a harassment and intimidation campaign against the Steiners, who publish a news website focusing on players in the e-commerce industry. "eBay engaged in absolutely horrific, criminal conduct. The company's employees and contractors involved in this campaign put the victims through pure hell, in a petrifying campaign aimed at silencing their reporting and protecting the eBay brand," Levy said. "We left no stone unturned in our mission to hold accountable every individual who turned the victims' world upside-down through a never-ending nightmare of menacing and criminal acts."

The Justice Department criminally charged eBay with two counts of stalking through interstate travel, two counts of stalking through electronic communications services, one count of witness tampering and one count of obstruction of justice. The company agreed to pay $3 million as part of a deferred prosecution agreement. Under the agreement, eBay will be required to retain an independent corporate compliance monitor for three years, officials said, to "ensure that eBay's senior leadership sets a tone that makes compliance with the law paramount, implements safeguards to prevent future criminal activity, and makes clear to every eBay employee that the idea of terrorizing innocent people and obstructing investigations will not be tolerated," Levy said.

Former U.S. Attorney Andrew Lelling said the plan to target the Steiners, which he described as a "campaign of terror," was hatched in April 2019 at eBay. Devin Wenig, eBay's CEO at the time, shared a link to a post Ina Steiner had written about his annual pay. The company's chief communications officer, Steve Wymer, responded: "We are going to crush this lady." About a month later, Wenig texted: "Take her down." Prosecutors said Wymer later texted eBay security director Jim Baugh. "I want to see ashes. As long as it takes. Whatever it takes," Wymer wrote. Investigators said Baugh set up a meeting with security staff and dispatched a team to Boston, about 20 miles from where the Steiners live. "Senior executives at eBay were frustrated with the newsletter's tone and content, and with the comments posted beneath the newsletter's articles," the Department of Justice wrote in its Thursday announcement.
Two former eBay security executives were sentenced to prison over the incident.
Medicine

New 'MindEar' App Can Reduce Debilitating Impact of Tinnitus, Say Researchers 50

Researchers have designed an app to reduce the impact of tinnitus, an often debilitating condition that manifests via a ringing sound or perpetual buzzing. The Guardian reports: While there is no cure, there are a number of ways of managing the condition, including cognitive behavioural therapy (CBT). This helps people to reduce their emotional connection to the sound, allowing the brain to learn to tune it out. However, CBT can be expensive and difficult for people to access. Researchers have created an app, called MindEar, that provides CBT through a chatbot with other approaches such as sound therapy. "What we want to do is empower people to regain control," said Dr Fabrice Bardy, the first author of the study from the University of Auckland -- who has tinnitus.

Writing in the journal Frontiers in Audiology and Otology, Bardy and colleagues report how 28 people completed the study, 14 of whom were asked to use the app's virtual coach for 10 minutes a day for eight weeks. The other 14 participants were given similar instructions with four half-hour video calls with a clinical psychologist. The participants completed online questionnaires before the study and after the eight-week period. The results reveal six participants given the app alone, and nine who were also given video calls, showed a clinically significant decrease in the distress caused by tinnitus, with the extent of the benefit similar for both groups. After a further eight weeks, a total of nine participants in both groups reported such improvements.
China

AirDrop 'Cracked' By Chinese Authorities To Identify Senders (macrumors.com) 25

According to Bloomberg, Apple's AirDrop feature has been cracked by a Chinese state-backed institution to identify senders who share "undesirable content". MacRumors reports: AirDrop is Apple's ad-hoc service that lets users discover nearby Macs and iOS devices and securely transfer files between them over Wi-Fi and Bluetooth. Users can send and receive photos, videos, documents, contacts, passwords and anything else that can be transferred from a Share Sheet. Apple advertises the protocol as secure because the wireless connection uses Transport Layer Security (TLS) encryption, but the Beijing Municipal Bureau of Justice (BMBJ) says it has devised a way to bypass the protocol's encryption and reveal identifying information.

According to the BMBJ's website, iPhone device logs were analyzed to create a "rainbow table" which allowed investigators to convert hidden hash values into the original text and correlate the phone numbers and email accounts of AirDrop content senders. The "technological breakthrough" has successfully helped the public security authorities identify a number of criminal suspects, who use the AirDrop function to spread illegal content, the BMBJ added. "It improves the efficiency and accuracy of case-solving and prevents the spread of inappropriate remarks as well as potential bad influences," the bureau added.

It is not known if the security flaw in the AirDrop protocol has been exploited by a government agency before now, but it is not the first time a flaw has been discovered. In April 2021, German researchers found that the mutual authentication mechanism that confirms both the receiver and sender are on each other's address book could be used to expose private information. According to the researchers, Apple was informed of the flaw in May of 2019, but did not fix it.
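The "rainbow table" step described above works because contact identifiers are low-entropy: there are only so many phone numbers, so the unkeyed hash of any one of them can be precomputed once and looked up later. The following added example (written for this page; not Apple's code, not the BMBJ's method, and not a reproduction of AirDrop's actual hash format) shows that lookup on a tiny constructed number range, and contrasts it with a keyed hash that a precomputed table cannot reverse. The prefix, the sender number and the key are constructed.

```python
"""Why hashing a phone number does not hide it: the input space is small
enough to precompute, so an unkeyed hash is one table lookup away from the
plaintext. Added example with constructed numbers; the hash construction is
illustrative, not AirDrop's."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def identifier_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of a contact identifier: the reversible pattern."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def build_lookup_table(prefix: str, digits: int) -> Dict[str, str]:
    """Precompute hash -> number for every number under a prefix.
    A real table would cover whole numbering ranges; this one is kept to
    10**digits entries so the example runs instantly."""
    table = {}
    for n in range(10 ** digits):
        number = f"{prefix}{n:0{digits}d}"
        table[identifier_hash(number)] = number
    return table


def reverse_hash(digest: str, table: Dict[str, str]) -> Optional[str]:
    """Recover the identifier if its hash is in the precomputed table."""
    return table.get(digest)


def keyed_identifier_hash(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key: a table built without the key is useless."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


# Constructed demo range: fictional prefix with a 4-digit tail (10,000 numbers).
DEMO_PREFIX = "+1555000"
DEMO_DIGITS = 4
SENDER_NUMBER = "+15550007321"  # constructed, inside the demo range


def demo() -> dict:
    table = build_lookup_table(DEMO_PREFIX, DEMO_DIGITS)
    observed = identifier_hash(SENDER_NUMBER)        # what a passive observer sees
    recovered = reverse_hash(observed, table)        # plain lookup, no search at run time
    key = secrets.token_bytes(32)                    # secret the observer does not hold
    keyed = keyed_identifier_hash(SENDER_NUMBER, key)
    recovered_keyed = reverse_hash(keyed, table)     # None: the table lacks the key
    return {
        "table_size": len(table),
        "recovered": recovered,
        "recovered_keyed": recovered_keyed,
    }


if __name__ == "__main__":
    print(demo())
```

The keyed hash illustrates the principle only: two strangers checking whether they are in each other's address books cannot have agreed on a secret key in advance, so a real fix needs a protocol in which neither side learns anything beyond whether the identifiers match, which is outside the scope of this example. The point the table makes stands regardless of protocol: a deterministic, unkeyed hash of an identifier drawn from a small space is a pseudonym, not a secret.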

Science

Scientists Discover 100 To 1000 Times More Plastics In Bottled Water (washingtonpost.com) 204

An anonymous reader quotes a report from the Washington Post: People are swallowing hundreds of thousands of microscopic pieces of plastic each time they drink a liter of bottled water, scientists have shown -- a revelation that could have profound implications for human health. A new paper released Monday in the Proceedings of the National Academy of Sciences found about 240,000 particles in the average liter of bottled water, most of which were "nanoplastics" -- particles measuring less than one micrometer (less than one-seventieth the width of a human hair). [...]

The typical methods for finding microplastics can't be easily applied to finding even smaller particles, but Min co-invented a method that involves aiming two lasers at a sample and observing the resonance of different molecules. Using machine learning, the group was able to identify seven types of plastic molecules in a sample of three types of bottled water. [...] The new study found pieces of PET (polyethylene terephthalate), which is what most plastic water bottles are made of, and polyamide, a type of plastic that is present in water filters. The researchers hypothesized that this means plastic is getting into the water both from the bottle and from the filtration process.

Researchers don't yet know how dangerous tiny plastics are for human health. In a large review published in 2019, the World Health Organization said there wasn't enough firm evidence linking microplastics in water to human health, but described an urgent need for further research. In theory, nanoplastics are small enough to make it into a person's blood, liver and brain. And nanoplastics are likely to appear in much larger quantities than microplastics -- in the new research, 90 percent of the plastic particles found in the sample were nanoplastics, and only 10 percent were larger microplastics. Finding a connection between microplastics and health problems in humans is complicated -- there are thousands of types of plastics, and over 10,000 chemicals used to manufacture them. But at a certain point, [...] policymakers and the public need to prepare for the possibility that the tiny plastics in the air we breathe, the water we drink and the clothes we wear have serious and dangerous effects.
"You still have a lot of people that, because of marketing, are convinced that bottled water is better," said Sherri Mason, a professor and director of sustainability at Penn State Behrend in Erie. "But this is what you're drinking in addition to that H2O."
