News

VP.NET Publishes SGX Enclave Code: Zero-Trust Privacy You Can Actually Verify 12

VP.NET has released the source code for its Intel SGX enclave on GitHub, allowing anyone to build the enclave and verify its mrenclave hash matches what's running on the servers. This takes "don't trust, verify" from marketing to reality, making privacy claims testable all the way down to hardware-enforced execution.

A move like this could set a new benchmark for transparency in privacy tech.

Comment Re:what does AI do when... (Score 1) 70

I would expect the AI to say "fix the core routing network" based on the last problem I had. It turns out the ISP's config is broken for IPv6 BGP via two different backends on their system to the same router on my end. I kept getting the BGP packets on the wrong interface so one link would never come up. I have no idea how that would happen but it did. Oddly the v4 BGP works quite well.

Comment Re:Who gives a shit. (Score 1) 275

Base load coal power in China is about $25/MWh. Solar panels by the container ship load cost less than $0.20 a watt at the factory. Most of that cost is the energy to make them. A good guess for daily average solar production is 4 hrs a day at 100% power for total power produced over the 20 year expected life of the panel.

AI

McDonald's AI Hiring Bot Exposed Millions of Applicants' Data To Hackers 25

An anonymous reader quotes a report from Wired: If you want a job at McDonald's today, there's a good chance you'll have to talk to Olivia. Olivia is not, in fact, a human being, but instead an AI chatbot that screens applicants, asks for their contact information and resume, directs them to a personality test, and occasionally makes them "go insane" by repeatedly misunderstanding their most basic questions. Until last week, the platform that runs the Olivia chatbot, built by artificial intelligence software firm Paradox.ai, also suffered from absurdly basic security flaws. As a result, virtually any hacker could have accessed the records of every chat Olivia had ever had with McDonald's applicants -- including all the personal information they shared in those conversations -- with tricks as straightforward as guessing the username and password "123456."

On Wednesday, security researchers Ian Carroll and Sam Curry revealed that they found simple methods to hack into the backend of the AI chatbot platform on McHire.com, McDonald's website that many of its franchisees use to handle job applications. Carroll and Curry, hackers with a long track record of independent security testing, discovered that simple web-based vulnerabilities -- including guessing one laughably weak password -- allowed them to access a Paradox.ai account and query the company's databases that held every McHire user's chats with Olivia. The data appears to include as many as 64 million records, including applicants' names, email addresses, and phone numbers.

Carroll says he only discovered that appalling lack of security around applicants' information because he was intrigued by McDonald's decision to subject potential new hires to an AI chatbot screener and personality test. "I just thought it was pretty uniquely dystopian compared to a normal hiring process, right? And that's what made me want to look into it more," says Carroll. "So I started applying for a job, and then after 30 minutes, we had full access to virtually every application that's ever been made to McDonald's going back years."

Paradox.ai confirmed the security findings, acknowledging that only a small portion of the accessed records contained personal data. The company stated that the weak-password account ("123456") was only accessed by the researchers and no one else. To prevent future issues, Paradox is launching a bug bounty program. "We do not take this matter lightly, even though it was resolved swiftly and effectively," Paradox.ai's chief legal officer, Stephanie King, told WIRED in an interview. "We own this."

In a statement to WIRED, McDonald's agreed that Paradox.ai was to blame. "We're disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai. As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately, and it was resolved on the same day it was reported to us," the statement reads. "We take our commitment to cyber security seriously and will continue to hold our third-party providers accountable to meeting our standards of data protection."

News

VP.net Promises "Cryptographically Verifiable Privacy" (torrentfreak.com) 36

TorrentFreak spotlights VP.net, a brand-new service from Private Internet Access founder Andrew Lee (the guy who gifted Linux Journal to Slashdot) that eliminates the classic "just trust your VPN" problem by locking identity-mapping and traffic-handling inside Intel SGX enclaves. The company promises 'cryptographically verifiable privacy' by using special hardware 'safes' (Intel SGX), so even the provider can't track what its users are up to.

The design goal is that no one, not even the VPN company, can link "User X" to "Website Y."

Lee frames it as enabling agency over one's privacy:

"Our zero trust solution does not require you to trust us - and that's how it should be. Your privacy should be up to your choice - not up to some random VPN provider in some random foreign country."

The team behind VP.net includes CEO Matt Kim as well as arguably the first Bitcoin veterans Roger Ver and Mark Karpeles.

Ask Slashdot: Now that there's a VPN where you don't have to "just trust the provider" - arguably the first real zero-trust VPN - are trust-based VPNs obsolete?

Comment Did anyone do the math? (Score 1) 79

When are advertisers going to learn that too many ads run people away from their product? There has been a great deal of technical market research that proves that. The bottom line after increases in ad spend also proves it. I guess the people buying ads haven't collectively figured out that the only people who are falling for the ad agency's BS are the ad buyers, not the end customers. There is plenty of data showing only 2 commercials in a typical sitcom work which is the 1st one past the end and the one before it starts. The rest of the commercials in a sitcom decrease brand value.

The Aussie ABC has a show called Gruen which is about ads and covers the technical and psychological details behind advertising while making fun of bad ads. The show was named after the well studied psychological technique of confusing customers with shop layout.

Patents

Intel Wins Jury Trial Over Patent Licenses In $3 Billion VLSI Fight (reuters.com) 22

A Texas jury ruled that Intel may hold a license to patents owned by VLSI Technology through its agreement with Finjan Inc., both controlled by Fortress Investment Group -- potentially nullifying over $3 billion in previous patent infringement verdicts against Intel. Reuters reports: VLSI has sued Intel in multiple U.S. courts for allegedly infringing several patents covering semiconductor technology. A jury in Waco, Texas awarded VLSI $2.18 billion in their first trial in 2021, which a U.S. appeals court has since overturned and sent back for new proceedings.

An Austin, Texas jury determined that VLSI was entitled to nearly $949 million from Intel in a separate patent infringement trial in 2022. Intel has argued in that case that the verdicts should be thrown out based on a 2012 agreement that gave it a license to patents owned by Finjan and other companies "under common control" with it. U.S. District Judge Alan Albright held the latest jury trial in Austin to determine whether Finjan and VLSI were under the "common control" of Fortress. VLSI said it was not subject to the Finjan agreement, and that the company did not even exist until four years after it was signed.

Comment Re:Welp (Score 1) 116

Sun tried that 25 years ago and even today it is hard to find correct examples of how to create the configuration to make it useful. There were a lot of good things in Trusted Solaris that never got used even in most places that decided they needed the "Trusted" version.

Comment Re:I see no reason to go beyond Git. (Score 1) 114

The time/date meta data is fine when it is correct with a properly written Makefile. The problem is most projects have never had a proper Makefile which is one of the reasons so many other build systems are out there. People don't seem to know how to build a proper Makefile. When Linus started with Linux, he was using systems that didn't do timestamps correctly and there were ugly hacks to keep things working. Even today some of those concepts have made their way into many other Linux based distros even though the underlying technology was fixed long ago. I think git needs an option to "preserve as much metadata as possible" including the create/modify times. Right now I use a program that pulls that out of git and sets the times which seems like a hack that should be a config file option.
