
Submission + - The World's First Unkillable UEFI Bootkit For Linux (arstechnica.com)

An anonymous reader writes: Over the past decade, a new class of infections has threatened Windows users. By infecting the firmware that runs immediately before the operating system loads, these UEFI bootkits continue to run even when the hard drive is replaced or reformatted. Now the same type of chip-dwelling malware has been found in the wild for backdooring Linux machines. Researchers at security firm ESET said Wednesday that Bootkitty—the name unknown threat actors gave to their Linux bootkit—was uploaded to VirusTotal earlier this month. Compared to its Windows cousins, Bootkitty is still relatively rudimentary, containing imperfections in key under-the-hood functionality and lacking the means to infect all Linux distributions other than Ubuntu. That has led the company researchers to suspect the new bootkit is likely a proof-of-concept release. To date, ESET has found no evidence of actual infections in the wild.

Still, Bootkitty suggests threat actors may be actively developing a Linux version of the same sort of unkillable bootkit that previously was found only targeting Windows machines. “Whether a proof of concept or not, Bootkitty marks an interesting move forward in the UEFI threat landscape, breaking the belief about modern UEFI bootkits being Windows-exclusive threats,” ESET researchers wrote. “Even though the current version from VirusTotal does not, at the moment, represent a real threat to the majority of Linux systems, it emphasizes the necessity of being prepared for potential future threats.” [...] As ESET notes, the discovery is nonetheless significant because it demonstrates someone—most likely a malicious threat actor—is pouring resources and considerable know-how into creating working UEFI bootkits for Linux. Currently, there are few simple ways for people to check the integrity of the UEFI running on either Windows or Linux devices. The demand for these sorts of defenses will likely grow in the coming years.

Submission + - Appin's global censorship campaign to stop you from reading these docs (muckrock.com)

v3rgEz writes: Founded in 2003, Appin has been described as a cybersecurity company and an educational consulting firm. Appin was also, according to Reuters reporting and extensive marketing materials, a prolific “hacking for hire” service, stealing information from politicians and militaries as well as businesses and even unfaithful spouses.

Legal letters, being sent to newsrooms and organizations around the world, are trying to remove that story from the internet — and are often succeeding. Now, MuckRock, Techdirt and the Electronic Frontier Foundation are pushing back, helping to ensure the materials stay available. As Masnick at Techdirt notes, "This kind of censorial bullying may work on other publications, but Techdirt believes that (1) important stories, especially around surveillance and hacking, deserve to be read and (2) it’s vitally important to call it out publicly when operations like Appin seek to silence reporting, especially when it’s done through abusing the legal process to silence and intimidate journalists and news organizations."

Submission + - HP CEO Evokes James Bond-Style Hack Via Ink Cartridges (arstechnica.com)

An anonymous reader writes: Last Thursday, HP CEO Enrique Lores addressed the company's controversial practice of bricking printers when users load them with third-party ink. Speaking to CNBC Television, he said, "We have seen that you can embed viruses in the cartridges. Through the cartridge, [the virus can] go to the printer, [and then] from the printer, go to the network." That frightening scenario could help explain why HP, which was hit this month with another lawsuit over its Dynamic Security system, insists on deploying it to printers.

Dynamic Security stops HP printers from functioning if an ink cartridge without an HP chip or HP electronic circuitry is installed. HP has issued firmware updates that block printers with such ink cartridges from printing, leading to the above lawsuit (PDF), which is seeking class-action certification. The suit alleges that HP printer customers were not made aware that printer firmware updates issued in late 2022 and early 2023 could result in printer features not working. The lawsuit seeks monetary damages and an injunction preventing HP from issuing printer updates that block ink cartridges without an HP chip.

Unsurprisingly, Lores' claim comes from HP-backed research. The company's bug bounty program tasked researchers from Bugcrowd with determining if it's possible to use an ink cartridge as a cyberthreat. HP argued that ink cartridge microcontroller chips, which are used to communicate with the printer, could be an entryway for attacks. [...] It's clear that HP's tactics are meant to coax HP printer owners into committing to HP ink, which helps the company drive recurring revenue and makes up for money lost when the printers are sold. Lores confirmed in his interview that HP loses money when it sells a printer and makes money through supplies. But HP's ambitions don't end there. It envisions a world where all of its printer customers also subscribe to an HP program offering ink and other printer-related services. "Our long-term objective is to make printing a subscription. This is really what we have been driving," Lores said.

Submission + - France Passes New Bill Allowing Police to Remotely Activate Cameras on Phones (gizmodo.com)

An anonymous reader writes: Amidst ongoing protests in France, the country has just passed a new bill that will allow police to remotely access suspects’ cameras, microphones, and GPS on cell phones and other devices. As reported by Le Monde, the bill has been criticized by the French people as a “snoopers” charter that allows police unfettered access to the location of its citizens. Moreover, police can activate cameras and microphones to take video and audio recordings of suspects. The bill will reportedly only apply to suspects in crimes that are punishable by a minimum of five years in jail and Justice Minister Eric Dupond-Moretti claimed that the new provision would only affect a few dozen cases per year. During a debate over the bill yesterday, French politicians added an amendment that orders judge approval for any surveillance conducted under the scope of the bill and limits the duration of surveillance to six months, according to Le Monde.

“For organized crime, the police can have access to the sound and image of a device. This concerns any connected device: telephone, speaker microphone, computer camera, computer system of a car... all without the knowledge of the persons concerned,” French advocacy group La Quadrature du Net said in a statement on Twitter last month, machine translated by Gizmodo. “In view of the growing place of digital tools in our lives, accepting the very principle that they are transformed into police auxiliaries without our being aware of it poses a serious problem in our societies.”

Submission + - Sacramento Sheriff is sharing license plate reader data with anti-abortion state (yahoo.com)

j3x0n writes: In 2015, Democratic Elk Grove Assemblyman Jim Cooper voted for Senate Bill 34, which restricted law enforcement from sharing automated license plate reader (ALPR) data with out-of-state authorities. In 2023, now-Sacramento County Sheriff Cooper appears to be doing just that.

The Electronic Frontier Foundation (EFF), a digital rights group, has sent Cooper a letter requesting that the Sacramento County Sheriff’s Office cease sharing ALPR data with out-of-state agencies that could use it to prosecute someone for seeking an abortion.

Submission + - 2,200 Forgotten Vintage Computers Are Being Liberated From a Barn (vice.com)

An anonymous reader writes: For more than two decades, the biggest retro computing story in recent memory sat like a sleeper cell in a Massachusetts barn. The barn was in danger of collapse. It could no longer protect the fleet of identical devices hiding inside. A story like this doesn’t need the flash of a keynote or a high-profile marketing campaign. It really just needs someone to notice. And the reason anyone did notice was because this barn could no longer support the roughly 2,200 machines that hid on its second floor. These computers, with a weight equivalent to roughly 11 full-size vehicles, were basically new, other than the fact that they had sat unopened and unused for nearly four decades, roughly half that time inside this barn. Every box was “new old stock,” essentially a manufactured time capsule, waiting to be found by somebody.

These machines, featuring the label of a forgotten brand built around an idea that was tragically too early to succeed, could have disappeared, anonymously, into the junkyard of history, as so many others like them have. Instead, they ended up on eBay, at a bargain-basement price of $59.99 each. And when the modern retro computing community turned them on, what they found was something worth bringing back to life. It took a while for anyone to notice these stylish metal-and-plastic machines from 1983. First, information spread like whispers in the community of tech forums, Discord servers, and Patreon channels where retro tech collectors hid. But then, a well-known tech YouTuber, Adrian Black, did a video about them, and these eBay machines, slapped with the logo of a company called NABU, were anonymous no more. [...]

In a way, this is two stories: The first, of a breakthrough network from Canada, a consumer-friendly 1983 version of the internet decades ahead of its time. The other story, of the man who got a hold of these machines, held onto them for 33 years, and mysteriously allowed them to flood the used market one day. One day, thanks to a confluence of the right people noticing the right eBay listings, these two stories merged and created a third story—the tale of a computer network, brought back to life.

Submission + - Reddit Ousted Mods After Subreddits Filled With Porn To Protest API Price Scheme (arstechnica.com)

An anonymous reader writes: After threatening to do so last week, Reddit has now removed the moderators of some of the subreddits that were protesting Reddit's new API pricing scheme. Some of these subreddits have new mods in the protesters' place, while other affected subreddits have been left unmoderated. Still others, oddly, saw their moderators reinstated. Reddit claims the moves are a response to mods breaking its Moderator Code of Conduct by allowing "not safe for work" (NSFW) content in previously "safe for work" subreddits. However, moderators who spoke to Ars Technica believe Reddit's actions are designed to silence their protests over the new fees.

Various Reddit moderators reached out to Ars Technica this week, informing us that mods for r/Celebrities, r/InterestInGasFuck_, r/mildlyinteresting, r/self, r/ShittyLifeProTips, and r/TIHI have been removed. Other subreddits are reportedly affected, too, including r/toyota, r/garmin, and r/IllegalLifeProTips. All of the communities recently started allowing NSFW content as a form of API pricing protest. Reddit can't sell ads on NSFW content, and Redditors have accused the company of covertly switching some subreddits back to SFW.

As of this writing, some of the subreddits whose mods were removed remain unmoderated. Other subreddits have new mods. One example, r/Celebrities, has already seen resistance from community members, claiming the new mods "don't represent" them and that these mods weren't active in the community before the protests. Meanwhile, the feeling around the general mod community is one of disgust, while some are seriously considering abandoning their volunteer posts or have already done so. "We put up with a lot as Reddit mods—death threats, doxing, sorting through lewd and even illegal material (that Reddit continually ignores)—and deserve to be treated with basic respect," a Reddit moderator, who asked to be referred to only as Jess for privacy reasons, said regarding the removal of some mods. The mod has started erasing their account and has resigned as a moderator. "I have no desire to be associated with a company that conducts itself in such a manner," Jess said. Confusingly, the moderators of some of the subreddits, including r/mildlyinteresting, were restored.

Submission + - China's experimental molten salt reactor receives operating licence

sonlas writes: China's National Nuclear Safety Administration (NNSA) has granted a license for the operation of the Thorium Molten Salt Reactor — Liquid Fuel 1 (TMSR-LF1), a Generation IV reactor, by the Shanghai Institute of Applied Physics (SINAP). The project, costing $450 million, was completed in 2021. China is not the first to build a thorium reactor, but previous attempts had only reached the experimental stage.

This reactor, utilizing a special salt coolant, is designed to run at high temperatures for up to 10 years. These new reactors do not need to be built by the seaside and can reach very high temperatures, significantly increasing electricity production efficiency. But that's not the only advantage, as Thorium, which serves both as fuel and coolant, produces very little radioactive waste and is a much more abundant resource than Uranium. In fact, China possesses one of the world's largest thorium reserves, which experts believe are sufficient to power the country for over 20,000 years.

If successful, China plans to build larger Generation IV reactors by 2030, and export this technology, particularly to countries in the Global South.

Submission + - Autonomous Waymo Car Runs Over Dog In San Francisco (arstechnica.com)

An anonymous reader writes: One of Alphabet's Waymo autonomous cars has killed a pet dog. TechCrunch spotted the public report of the incident, which says one of the Waymo Jaguar I-Pace cars ran over a dog in San Francisco while in autonomous mode with a safety driver behind the wheel.

Waymo's collision report says: "On May 21, 2023 at 10:56 AM PT a Waymo Autonomous Vehicle (“Waymo AV”) operating in San Francisco, California was in a collision involving a small dog on Toland Street at Toland Place. The Waymo AV was traveling southwest on Toland Street when a small dog ran into the street in front of the Waymo AV. The Waymo AV then made contact with the dog, which did not survive. At the time of the impact, the Waymo AV’s Level 4 ADS was engaged in autonomous mode, and a test driver was present (in the driver’s seating position). The Waymo AV sustained damage."

The collision was a block from Waymo's Toland Depot, a 120,000-square-foot warehouse that houses at least 50 autonomous cars. The speed limit on Toland Street is 25 mph, according to posted signs viewable on Google Maps. From that Street View link, the road looks like a busy industrial area with many warehouses, truck delivery areas, and barbed-wire fences. The incident is Waymo's first reported fatality.

Submission + - Stanford Golf Phenom Rose Zhang Turns Pro, Vows to 'Never Code Again'

theodp writes: Golf reports that amateur golf legend Rose Zhang will compete for the first time as a professional when she tees off in the first round of the Mizuho Americas Open Thursday. Golf news is rarely fodder for Slashdot discussion, but when the 20-year-old Stanford student (who plans to complete her degree after a leave of absence) was asked by Golf to identify her toughest class, she threw CS under the bus.

"CS 106A," Zhang replied, referring to a computer science course. "Currently and still trying to grind in that class. It’s been a little unfortunate for me. I’m not a CS major. Will never code again after this class." Back in April, Zhang expressed some doubts about being able to juggle the demands of an already-renowned golf career and CS 106A. "I’ll be super, super busy," Zhang said in an interview. "I’m planning on taking CS 106A. I don’t know if it’s a smart decision but it’s kind of an essential intro CS class into Stanford so I’m going to try to navigate that, balance that out."

The Stanford Daily reports that CS 106A: Programming Methodology is an introductory programming course taken by 1,600+ students from all academic disciplines each year (2015 Slashdot post on CS 106A's growing pains). According to the syllabus, CS 106A "uses the Python programming language" and there's "no prior programming experience required," although the schedule indicates a lot of ground is covered for someone new to coding (the same could be said of Harvard's famed CS50).

Lest some take Zhang to task for the sin of stating programming is hard, consider that Stanford's CS 106A website suggests the same, reporting that the median score on the midterm exam was only 68%, despite a plethora of review materials and sessions. CS 106A students were offered the chance to submit formal 'regrade requests' to try to improve their midterm scores and can also vie for "a Jamba Juice gift card and 100% on the final exam" by entering a Python programming contest — one prize will be awarded for "Aesthetic merit", another for "Algorithmic sophistication" (a number of runners-up will be awarded "a grade boost similar to getting a + on one of their assignments").

Submission + - China Overtakes the US In Scientific Research Output (theguardian.com)

An anonymous reader writes: China has overtaken the US as the world leader in both scientific research output and “high impact” studies, according to a report published by Japan’s science and technology ministry. The report, which was published by Japan’s National Institute of Science and Technology Policy (NISTP) on Tuesday, found that China now publishes the highest number of scientific research papers yearly, followed by the US and Germany. The figures were based on yearly averages between 2018 and 2020, and drawn from data compiled by the analytics firm Clarivate.

The Japanese NISTP report also found that Chinese research comprised 27.2% of the world’s top 1% most frequently cited papers. The number of citations a research paper receives is a commonly used metric in academia. The more times a study is cited in subsequent papers by other researchers, the greater its “citation impact.” The US accounted for 24.9% of the top 1% most highly cited research studies, while UK research was third at 5.5%. China published a yearly average of 407,181 scientific papers, pulling ahead of the US’s 293,434 journal articles and accounting for 23.4% of the world’s research output, the report found. China accounted for a high proportion of research into materials science, chemistry, engineering and mathematics, while US researchers were more prolific in research into clinical medicine, basic life sciences and physics.

Submission + - Are space scientists ready for Starship—the biggest rocket ever? (science.org)

sciencehabit writes: NASA’s Lunar Crater Observation and Sensing Satellite mission was brutish and short. It began on 9 October 2009, when the hull of a spent Centaur rocket stage smashed into Cabeus crater, near the south pole of the Moon, with the force of about 2 tons of TNT. And it ended minutes later, when a trailing spacecraft flew through and analyzed the lofted plume of debris before it, too, crashed. About 6% of the plume was water, presumably from ice trapped in the shadowed depths of the crater, where the temperature never rises above –173C. The Moon, it turned out, wasn’t as bone dry as the Apollo astronauts believed. “That was our first ground truth that there is water ice,” says Jennifer Heldmann, a planetary scientist at NASA’s Ames Research Center who worked on the mission.

Today, Heldmann wants to send another rocket to probe lunar ice—but not on a one-way trip. She has her eye on Starship, a behemoth under development by private rocket company SpaceX that would be the largest flying object the world has ever seen. With Starship, Heldmann could send 100 tons to the Moon, more than twice the lunar payload of the Saturn V, the workhorse of the Apollo missions. She dreams of delivering robotic excavators and drills and retrieving ice in freezers onboard Starship, which could return to Earth with tens of tons of cargo. By analyzing characteristics such as the ice’s isotopic composition and its depth, she could learn about its origin: how much of it came from a bombardment of comets and asteroids billions of years ago versus slow, steady implantation by the solar wind. She could also find out where the ice is abundant and pure enough to support human outposts. “It’s high-priority science, and it’s also critical for exploration,” Heldmann says.

[Image: The stainless steel Starship rocket, standing upright. Caption: SpaceX expects to launch the 120-meter-tall Starship on its first orbital test flight in the coming months. Credit: SpaceX]

When SpaceX CEO Elon Musk talks up Starship, it’s mostly about human exploration: Set up bases on Mars and make humans a multiplanetary species! Save civilization from extinction! But Heldmann and many others believe the heavy lifter could also radically change the way space scientists work. They could fly bigger and heavier instruments more often—and much more cheaply, if SpaceX’s projections of cargo launch costs as low as $10 per kilogram are to be believed. On Mars, they could deploy rovers not as one-offs, but in herds. Space telescopes could grow, and fleets of satellites in low-Earth orbit could become commonplace. Astronomy, planetary science, and Earth observation could all boldly go, better than they ever have before.

Of course, Starship isn’t real yet. All eyes will be on a first orbital launch test, expected sometime in the coming months. Even if it is a success, no one knows whether SpaceX will be able to achieve its vision of launching the rockets daily and reusing them many times. Also unsettled is whether a market will materialize for a rocket that could put so much into orbit. But scientists need to prepare, Heldmann says. “We on the science side need to be ready to take advantage of those capabilities when they come online.”

Submission + - The Founder of GeoCities on What Killed the 'Old Internet' (gizmodo.com)

An anonymous reader writes: In the early aughts, my wheezing dialup connection often operated as if it were perpetually out of breath. Thus, unlike my childhood friends, it was near to impossible for me to watch videos, TV shows, or listen to music. Far from feeling limited, I felt like I was lucky, for I had access to an encyclopedia of lovingly curated pages about anything I wanted to know—which in those days was anime—the majority of which was conveniently located on GeoCities. For all the zoomers scrunching up their brows, here’s a primer. Back in the 1990s, before the birth of modern web hosting household names like GoDaddy and WP Engine, it wasn’t exactly easy or cheap to publish a personal website. This all changed when GeoCities came on the scene in 1994.

The company gave anyone their own little space of the web if they wanted it, providing users with roughly 2 MB of space for free to create a website on any topic they wished. Millions took GeoCities up on its offer, creating their own homemade websites with web counters, flashing text, floating banners, auto-playing sound files, and Comic Sans. Unlike today’s Wild Wild Internet, websites on GeoCities were organized into virtual neighborhoods, or communities, built around themes. “HotSprings” was dedicated to health and fitness, while “Area 51” was for sci-fi and fantasy nerds. There was a bottom-up focus on users and the content they created, a mirror of what the public internet was like in its infancy. Overall, at least 38 million webpages were built on GeoCities. At one point, it was the third most-visited domain online. Yahoo acquired GeoCities in 1999 for $3.6 billion. The company lived on for a decade more until Yahoo shut it down in 2009, deleting millions of sites.

Nearly two decades have passed since GeoCities, founded by David Bohnett, made its debut, and there is no doubt that the internet is a very different place than it was then. No longer filled with webpages on random subjects made by passionate folks, it now feels like we live in a cyberspace dominated by skyscrapers—named Facebook, Google, Amazon, Twitter, and so on—instead of neighborhoods. Proponents of Web3, like Andreessen Horowitz general partner Chris Dixon, argue that we need to get back to what we had in the days of GeoCities—while also not giving up the advances of the Web2 years—and allow creators and businesses to form a relationship with their audiences that is not governed by algorithms and advertising. It’s yet to be seen if the version of Web3 backed by Dixon will ever materialize but it’s not looking good.

We can, however, ask GeoCities’ founder what he thinks of the internet of today, subsumed by social media networks, hate speech, and more corporate than ever. Bohnett now focuses on funding entrepreneurs through Baroda Ventures, an early-stage tech fund he founded, and on philanthropy with the David Bohnett Foundation, a nonprofit dedicated to social justice and social activism that he chairs. Right off the bat, Bohnett says something that strikes me. It may, in fact, be the sentence that summarizes the key distinction between the internet of the ‘90s-early 2000s and the internet we have today. “GeoCities was not about self-promotion,” Bohnett told Gizmodo in an interview. “It was about sharing your interest and your knowledge.”

Submission + - SPAM: Hundreds of E-Commerce Sites Booby-Trapped With Payment Card-Skimming Malware

An anonymous reader writes: About 500 e-commerce websites were recently found to be compromised by hackers who installed a credit card skimmer that surreptitiously stole sensitive data when visitors attempted to make a purchase. A report published on Tuesday is only the latest one involving Magecart, an umbrella term given to competing crime groups that infect e-commerce sites with skimmers. Over the past few years, thousands of sites have been hit by exploits that cause them to run malicious code. When visitors enter payment card details during purchase, the code sends that information to attacker-controlled servers.

Sansec, the security firm that discovered the latest batch of infections, said the compromised sites were all loading malicious scripts hosted at the domain naturalfreshmall[.]com. “The Natural Fresh skimmer shows a fake payment popup, defeating the security of a (PCI compliant) hosted payment form,” firm researchers wrote on Twitter. “Payments are sent to [spam URL stripped]...." The hackers then modified existing files or planted new files that provided no fewer than 19 backdoors that the hackers could use to retain control over the sites in the event the malicious script was detected and removed and the vulnerable software was updated. The only way to fully disinfect the site is to identify and remove the backdoors before updating the vulnerable CMS that allowed the site to be hacked in the first place.

Sansec worked with the admins of hacked sites to determine the common entry point used by the attackers. The researchers eventually determined that the attackers combined a SQL injection exploit with a PHP object injection attack in a Magento plugin known as Quickview. [...] It’s not hard to find sites that remain infected more than a week after Sansec first reported the campaign on Twitter. At the time this post was going live, Bedexpress[.]com continued to contain this HTML attribute, which pulls JavaScript from the rogue naturalfreshmall[.]com domain. The hacked sites were running Magento 1, a version of the e-commerce platform that was retired in June 2020. The safer bet for any site still using this deprecated package is to upgrade to the latest version of Adobe Commerce. Another option is to install open source patches available for Magento 1 using either DIY software from the OpenMage project or with commercial support from Mage-One.


Submission + - SPAM: Frogs Without Legs Regrow Leglike Limbs in New Experiment

An anonymous reader writes: African clawed frogs are masters of putting themselves back together, handily regenerating lost tails and hind limbs, when they are tadpoles. But these powers dim with maturity. Wait for an adult frog to regrow a lopped-off limb and you’ll see only a tapered spike, more like a talon than a leg. Now, a group of scientists have found a way to harness the adult frog’s own cells to regrow an imperfect but functional limb. The researchers placed a silicone cap laden with a mixture of regenerative drugs onto an amputation wound for 24 hours. Over the next 18 months, the frogs gradually regrew what was lost, forming a new leglike structure with nerves, muscles, bones and even toelike projections.

The researchers describe this approach, which builds on earlier research, in a paper published Wednesday in the journal Science Advances. The process could guide future research on limb regeneration in humans, but it will be challenging to replicate the results in mammals. “It was a total surprise,” Nirosha Murugan, a researcher at Algoma University in Ontario, Canada, and an author of the paper, said of the complexity of the regrown limb. “I didn’t think we would get the patterning that we did.” “It’s not a full limb that’s regrown,” said Kelly Tseng, a biologist studying regeneration at the University of Nevada, Las Vegas, who was not involved with the research. “But it’s certainly a robust response.” “It is particularly promising that only a daylong treatment can have such a positive effect on an adult animal,” Can Aztekin, a researcher studying limb regeneration at the Swiss Federal Institute of Technology in Lausanne who was not involved with the research, wrote in an email.

