Waymo Simulated Real-World Crashes To Prove Its Self-Driving Cars Can Prevent Deaths
technology - Posted On:2021-03-08 16:44:59 Source: slashdot
In a bid to prove that its robot drivers are safer than humans, Waymo simulated dozens of real-world fatal crashes that took place in Arizona over nearly a decade. From a report: The Google spinoff discovered that replacing either vehicle in a two-car crash with its robot-guided minivans would nearly eliminate all deaths, according to data it publicized today. The results are meant to bolster Waymo's case that autonomous vehicles operate more safely than human-driven ones. With millions of people dying in auto crashes globally every year, AV operators are increasingly leaning on this safety case to spur regulators to pass legislation allowing more fully autonomous vehicles on the road. But that case has been difficult to prove out, thanks to the very limited number of autonomous vehicles operating on public roads today. To provide more statistical support for its argument, Waymo has turned to counterfactuals, or "what if?" scenarios, meant to showcase how its robot vehicles would react in real-world situations. Last year, the company published 6.1 million miles of driving data in 2019 and 2020, including 18 crashes and 29 near-miss collisions. In those incidents where its safety operators took control of the vehicle to avoid a crash, Waymo's engineers simulated what would have happened had the driver not disengaged the vehicle's self-driving system to generate a counterfactual. The company has also made some of its data available to academic researchers. Read more of this story at Slashdot.
DARPA Taps Intel To Help Build the Holy Grail of Encryption
it - Posted On:2021-03-08 14:29:59 Source: slashdot
The Defense Advanced Research Projects Agency, or DARPA, has signed an agreement with Intel to add it to its Data Protection in Virtual Environments project, which aims to create a practically useful form of fully homomorphic encryption. From a report: Fully homomorphic encryption has been described as the "holy grail" of encryption because it allows encrypted data to be used without ever having to decrypt it. Fully homomorphic encryption isn't fantasy -- it already exists and is usable, but it is incredibly impractical. "FHE adoption in the industry has been slow because processing data using fully homomorphic encryption methods on cryptograms is data intensive and incurs a huge 'performance tax' even for simple operations," Intel said in a press release. The potential benefits of fully homomorphic encryption make creating a practical way to use it a cybersecurity imperative. Intel succinctly describes the biggest problem in data security as being caused by "encryption techniques [that] require that data be decrypted for processing. It is during this decrypted state that data can become more vulnerable for misuse." The goal of the Data Protection in Virtual Environments program is to develop an accelerator for fully homomorphic encryption that will make it more practical and scalable, which is where Intel comes in. The chip manufacturer's role in the project will be academic research and the development of an application-specific integrated circuit that will accelerate fully homomorphic encryption processing. Intel said that, when fully realized, its accelerator chip could reduce processing times by five orders of magnitude over existing CPU-driven fully homomorphic encryption systems.
Intel's Thunderbolt Pushes Into Mainstream as Fast Alternative To USB
it - Posted On:2021-03-08 12:00:00 Source: slashdot
Thunderbolt, Intel's super-speedy connection technology, isn't widely used. But that may change in the coming year, as more computer makers incorporate the USB competitor into their new models. From a report: Intel has hoped Thunderbolt, which debuted in 2011 on Apple's 2011 MacBook Pro, would become commonplace for computer users. A year later, the chipmaker forecast that "most PCs" would have Thunderbolt by 2015 to 2017. Despite the hype, only premium PCs carry the fast connection. To get a boost in adoption, Intel has built Thunderbolt into its newest Core processors, code-named Tiger Lake, which means laptop makers get Thunderbolt without having to pay extra for separate controller chips. Because Intel chips are so widely used, the company says Thunderbolt will now have its moment to shine. "I would expect by 2022 Thunderbolt will be in more than 50% of the PCs sold," said Jason Ziller, who runs Intel's connectivity products, adding that more than half of laptops that ship in the next year will "definitely" carry the technology. Ziller has led Thunderbolt work since before it debuted in Apple's 2011 MacBook Pro laptops almost exactly 10 years ago. PC ports don't capture the imagination the way fast processors or smartphone cameras do. But they're a crucial part of most people's computing experience. Thunderbolt ports provide fast and versatile connections to external storage devices, monitors, network adapters and other peripherals. They can replace ports for HDMI, DisplayPort, Ethernet and power. The new Thunderbolt 4 lets multiport docks and hubs offer three Thunderbolt ports instead of just one.
Can WhatsApp Stop Spreading Misinformation Without Compromising Encryption?
technology - Posted On:2021-03-07 17:59:59 Source: slashdot
"WhatsApp, the Facebook-owned messaging platform used by 2 billion people largely in the global south, has become a particularly troublesome vector for misinformation," writes Quartz — though it's not clear what the answer is: The core of the problem is its use of end-to-end encryption, a security measure that garbles users' messages while they travel from one phone to another so that no one other than the sender and the recipient can read them. Encryption is a crucial privacy protection, but it also prevents WhatsApp from going as far as many of its peers to moderate misinformation. The app has taken some steps to limit the spread of viral messages, but some researchers and fact-checkers argue it should do more, while privacy purists worry the solutions will compromise users' private conversations... In April 2020, WhatsApp began slowing the spread of "highly forwarded messages," the smartphone equivalent of 1990s chain emails. If a message has already been forwarded five times, you can only forward it to one person or group at a time. WhatsApp claims that simple design tweak cut the spread of viral messages by 70%, and fact-checkers have cautiously cheered the change. But considering that all messages are encrypted, it's impossible to know how much of an impact the cut had on misinformation, as opposed to more benign content like activist organizing or memes. Researchers who joined and monitored several hundred WhatsApp groups in Brazil, India, and Indonesia found that limiting message forwarding slows down viral misinformation, but doesn't necessarily limit how far the messages eventually spread.... This isn't just a semantic argument, says EFF strategy director Danny O'Brien. Even the smallest erosion of encryption protections gives Facebook a toehold to begin scanning messages in a way that could later be abused, and protecting the sanctity of encryption is worth giving up a potential tool for curbing misinformation.
"This is a consequence of a secure internet," O'Brien says. "Dealing with the consequences of that is going to be a much more positive step than dealing with the consequences of an internet where no one is secure and no one is private...." No matter what WhatsApp does, it will have to contend with dueling constituencies: the privacy hawks who see the app's encryption as its most important feature, and the fact-checkers who are desperate for more tools to curb the spread of misinformation on a platform that counts a quarter of the globe among its users. Whatever Facebook decides will have widespread consequences in a world witnessing the simultaneous rise of fatal lies and techno-authoritarianism.
A Retired Microsoft OS Engineer's Comparison of Linux with Windows
technology - Posted On:2021-03-07 15:45:00 Source: slashdot
David Plummer is a retired Microsoft operating systems engineer, "going back to the MS-DOS and Windows 95 days." (He adds that in the early '90s he'd fixed a few handle leaks in the early source code of Linux, "and sent my changes off to Linus at Rutgers.") This weekend on YouTube he shared his thoughts on "the classic confrontation: Windows versus Linux," promising an "epic operating systems face-off." Some highlights: On Usability: "Linux itself lacks a proper user interface beyond the command line. That command line can be incredibly powerful, particularly if you're adept with Bash or Zsh or similar, but you can't really describe it as particularly usable. Of course most distributions do come with a desktop user interface of some kind if you prefer, but as a bit of a shell designer myself, if I might be so bold, they're generally pretty terrible. At least the Mint distribution looks pretty nice. "Windows, on the other hand, includes by default a desktop shell interface that, if you set aside the entirely subjective design aesthetics, is professionally designed, usability tested and takes into consideration the varying levels of accessibility required by people with different limitations. In terms of usability, particularly if you do include accessibility in that metric, Windows comes out ahead..." On Updates: "Windows users are well served by a dedicated Windows Update team at Microsoft, but the process has occasionally had its hiccups and growing pains. It's very easy to update a Linux system, and while there's no professional team sitting by the big red phone ready to respond to Day Zero exploits, the updates do come out with reasonable alacrity, and in some cases you can even update the kernel without rebooting. "Keep in mind, however, that Linux is a monolithic kernel, which means that it's all one big happy kernel. Almost everything is in there. If they hadn't started to add that ability a few years back, you'd be rebooting for every driver install.
The reality is that some parts of the Linux kernel are just going to require a reboot, just as some parts of the Windows system are going to as well. I think we can likely all agree, however, that Windows software is hardly selective about rebooting the system, and you're asked to do it far too often. "While we're on the topic of upgrades, we can't overlook the fact that upgrades are generally free in the Open Source world, unless you're using a pre-built distribution from a vendor. To its credit, though, I don't remember the last time Microsoft actually charged for an operating system upgrade if you were just a normal end user or enthusiast. Still, this point goes to Linux." Plummer also says he agrees with the argument that open source software is more open to security exploits, "simply because, all else equal, it's easy to figure out where the bugs are to exploit in the first place," while proprietary software has professional test organizations hunting for bugs. "I think it's a bit of a fallacy to rely on the 'many eyeballs' approach..." Yet he still ultimately concludes Linux is more secure simply because the vast universe of Windows makes it a much more attractive target. Especially since most Windows users retain full administrator privileges...
The SvarDOS Community Builds an Open Source DOS Distribution
technology - Posted On:2021-03-07 12:45:00 Source: slashdot
Long-time Slashdot reader sproketboy shared a link to SvarDOS, "an open-source project that is meant to integrate the best out of the currently available DOS tools, drivers and games." From their site: DOS development has been abandoned by commercial players a very long time ago, mostly during early nineties. Nowadays, it survives solely through the efforts of hobbyists and retro-enthusiasts, but this is a highly sparse and unorganized ecosystem. SvarDOS aims to collect available DOS software, package it and make it easy to find and install applications using a network-enabled package manager (like apt-get, but for DOS and able to run even on a 8086 PC). Once installed, SvarDOS is a minimalistic DOS system that offers only the FreeDOS kernel and the most basic tools for system administration. It is up to the user to install additional packages. Care is taken so SvarDOS remains 8086-compatible, at least in its most basic (core) configuration. SvarDOS files are published under the terms of the MIT license. This applies only to SvarDOS-specific files, though - the packages supplied with SvarDOS may be subject to different licenses (GPL, BSD, Public Domain, Freeware...).
How a Malicious Actor Targeted a Go Package On GitHub
it - Posted On:2021-03-07 10:44:57 Source: slashdot
ArghBlarg (Slashdot reader #79,067) shares some research from a senior application security engineer at GitLab: Michael Henriksen describes his investigations into Go package manager "supply chain" attacks and found at least one very suspicious package, typosquatting on one of the most popular logging libraries. The imposter package phones home to an IP he alleges belongs to the Chinese company Tencent, a good case for always going over your package imports, in any language, and ensuring you're either a) auditing them regularly, or b) keeping frozen vendored copies which you can trust. From the article: I honestly expected the list to be bigger, but I was of course happy to see that the Go ecosystem isn't completely infested (yet) with malicious typosquat packages... It looks like the author utfave wants to know the hostname, operating system, and architecture of all the machines using their version of urfave/cli. The function extracts the system information and then calls out to the IP address 188.8.131.52 belonging to the Chinese company Shenzhen Tencent Computer Systems via HTTP with the system information added as URL parameters. While this code won't give them any access to systems, it's highly suspicious that they collect this information and the actor can quickly change this code to call back with a reverse shell if they identify a system to be valuable or interesting... I think Go is in a better situation than other programming languages because the source of packages is always explicitly written every time they are used, but code editor automation could make typosquat attacks more likely to happen as the developer doesn't write the import paths manually as often.
America's Air Force Is Having To Reverse Engineer Parts of Its Own Stealth Bomber
technology - Posted On:2021-03-06 14:45:00 Source: slashdot
Long-time Slashdot reader AmiMoJo shares a report from The Drive: In a surprising turn of events, the United States government is calling upon its country's industry to reverse engineer components for the Air Force's B-2 Spirit stealth bomber. An official call for this highly unusual kind of assistance was put out today on the U.S. government's contracting website beta.SAM.gov. Mark Thompson, a national-security analyst at the Project On Government Oversight, brought our attention to the notice, which seeks an engineering effort that will reverse engineer key parts for the B-2's Load Heat Exchangers. While it is not exactly clear what part of the aircraft's many complex and exotic subsystems these heat exchangers relate to, the bomber has no shortage of avionics systems, for example, which could require cooling... While it's hard to say exactly why this approach is being taken now, it indicates that the original plans for these components are unavailable or the manufacturing processes and tooling used to produce them no longer exists... Indeed, as the average age of the Air Force fleet continues to increase, there are only likely to be more such requirements for parts that are long out of production. Before he stood down, the former Assistant Secretary of the Air Force for Acquisition, Technology, and Logistics, Will Roper, told Air Force Magazine of his desire for a "digital representation of every part in the Air Force inventory...." All in all, the search for reverse-engineered components for the B-2 fleet is keeping with the Air Force's current trend of moving toward the latest digital engineering and manufacturing techniques to help ensure its aircraft can be sustained not just easier and more cheaply, but in some cases, possibly at all.
Why the 'Small Internet' Movement Wants to Revive Gopher
technology - Posted On:2021-03-06 10:44:56 Source: slashdot
Twitter Is Testing An 'Undo' Option After Sending Tweets
technology - Posted On:2021-03-05 19:59:59 Source: slashdot
Twitter is working on a feature that could offer users a short window of time to rethink posting a tweet even after they hit send. CNN reports: The company confirmed to CNN Business on Friday it is testing an undo option that would potentially let users retract or correct a tweet before it's officially posted on the platform. The feature was discovered by Jane Manchun Wong, an app developer who has a strong track record of uncovering new tools on social networks before they're released. Wong posted a GIF on Twitter that shows a blue "undo" bar appearing beneath the words "Your Tweet was sent." (It's possible the feature could change before it formally rolls out -- if it ever does.) It's not quite the edit button users have long requested, but it's a step toward helping users proactively catch errors and slow down before sending impulse tweets.
At Least 30,000 US Organizations Newly Hacked Via Holes In Microsoft's Email Software
it - Posted On:2021-03-05 19:14:59 Source: slashdot
An anonymous reader quotes a report from Krebs On Security: At least 30,000 organizations across the United States -- including a significant number of small businesses, towns, cities and local governments -- have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that's focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems. In each incident, the intruders have left behind a "web shell," an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser that gives the attackers administrative access to the victim's computer servers. Speaking on condition of anonymity, two cybersecurity experts who've briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over "hundreds of thousands" of Microsoft Exchange Servers worldwide -- with each victim system representing approximately one organization that uses Exchange to process email. Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed "Hafnium," and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Microsoft's initial advisory about the Exchange flaws credited Reston, Va. based Volexity for reporting the vulnerabilities.
"We've worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today," Volexity President Steven Adair said. "Even if you patched the same day Microsoft published its patches, there's still a high chance there is a web shell on your server. The truth is, if you're running Exchange and you haven't patched this yet, there's a very high chance that your organization is already compromised." A Microsoft spokesperson said in a statement: "The best protection is to apply updates as soon as possible across all impacted systems. We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources."
Vertical Tabs, Startup Boost, and More Will Roll Out To Edge This Month
technology - Posted On:2021-03-05 18:29:59 Source: slashdot
Several new features are on the way to Microsoft Edge this month, including vertical tabs, startup boost, and modern Microsoft Bing search experiences. The new features were recently shown off by Microsoft in a recent blog post. Windows Central reports: First up is vertical tabs. This feature allows you to move the tabs from across the top of your browser over to the side. The feature lets you see more of your tabs at once. We recently saw the option to resize vertical tabs in Microsoft Edge Canary, but it is now rolling out to Dev too. Next, are Microsoft's new Bing search experiences. Microsoft's new experiences help you see the information that you'd like without having to click around and fish through content as much. For example, when searching for a recipe, the new recipe experience will show ingredient lists, substitutions, and more information just by hovering over a search result. The experience will also play any video if you hover over a result. There are similar new experiences for other content, like DIY projects and gardening. Microsoft also announced improvements to how it aggregates information for topics you search. Lastly, startup boost is a new feature that should cut down how long it takes Edge to launch after you reboot your PC. The feature will roll out this month, and Microsoft says that it will cut down launch times by between 29% -- 41%.
India Threatens Jail for Facebook, WhatsApp and Twitter Employees
technology - Posted On:2021-03-05 15:15:00 Source: slashdot
India's government has threatened to jail employees of Facebook, its WhatsApp unit and Twitter as it seeks to quash political protests and gain far-reaching powers over discourse on foreign-owned tech platforms, WSJ reported Friday, citing people familiar with the warnings. From the report: The warnings are in direct response to the tech companies' reluctance to comply with data and takedown requests from the government related to protests by Indian farmers that have made international headlines, the people say. At least some of the written warnings cite specific, India-based employees at risk of arrest if the companies don't comply, according to two of the people. The threats mark an escalation of India's efforts to pressure U.S. tech companies at a moment when those companies are looking to the world's second-most-populous nation for growth in the coming years. Some of the government's requests for data involve WhatsApp, which is hugely popular in India and promises users encrypted communication, unable to be read by outside parties.
Microsoft's $10 Billion Pentagon Deal at Risk Amid Amazon Fight
technology - Posted On:2021-03-05 10:44:57 Source: slashdot
Microsoft is in danger of losing a contract to provide $10 billion of cloud computing services to the Pentagon, a deal the government has threatened to scrap altogether after years of legal squabbling. From a report: The U.S. Defense Department said it will reconsider the controversial procurement if a federal judge declines to dismiss Amazon's allegations that former President Donald Trump's meddling cost the company the winner-take-all contract. That means the fate of a cloud project the Pentagon considers critical for its war fighters may rest in the hands of the U.S. Court of Federal Claims, which could soon issue a ruling on Amazon's accusations. The Pentagon said last month it would take too long to prove in court that its decision to award Microsoft the lucrative cloud deal wasn't unduly influenced by the White House. If the judge allows Amazon to argue its bias claims in the case, the government may decide to stop fighting. "If the court denies the government's motion we will most likely be facing an even longer litigation process," Pentagon spokesman John Kirby said at a press conference late last month. "The DOD Chief Information Officer will reassess the strategy going forward." The warning is another twist in a contentious process that has involved years of legal challenges, behind-the-scenes lobbying and a public relations campaign by technology rivals to unseat Amazon as the original front-runner for the cloud contract when it was unveiled in 2018. More than a year after Microsoft was named the winner, the Defense Department is still fighting to execute the Joint Enterprise Defense Infrastructure cloud -- or JEDI, an acronym intended to evoke "Star Wars" imagery -- to serve as the primary data repository for military services worldwide. The deal is worth $10 billion over a decade. There are signs the Pentagon is already moving on. 
The Defense Department is talking up its other cloud contracts beyond JEDI, and some of the program's biggest cheerleaders have left the department, leaving new leaders to make decisions on a procurement they inherited from the Trump administration. Even Microsoft executives are trumpeting all the other work the company plans to keep doing for the Defense Department, in the event that its image-boosting JEDI deal goes south.
Flutter 2: Google's Toolkit For Developers Takes a Big Step Forward
technology - Posted On:2021-03-05 08:14:57 Source: slashdot
An anonymous reader quotes a report from ZDNet: Google has announced Flutter 2, a major upgrade to its framework for building user interfaces for mobile, the web and desktop. Flutter promises to allow developers to use the same codebase to build native apps for iOS, Android, Windows 10, macOS, and Linux and for the web on browsers including Chrome, Firefox, Safari or Edge. It can also be embedded in an IoT device with a screen, such as cars, TVs, and home appliances. The move to Flutter 2 promises to benefit the over 150,000 Flutter Android apps already available on the Play Store. Every app will get a free upgrade with Flutter 2 allowing developers to target desktop and web without rewriting them. Google apps now built with Flutter include Google Pay, Stadia and Google Nest Hub among others. Flutter 2 also brings production quality support for the web, with a focus on progressive web apps (PWAs) that behave like desktop apps, single page apps, and mobile apps on the web. Google has added a new CanvasKit-powered rendering engine built with WebAssembly. For mobile web apps, in recent months it's added autofill, control over address bar URLs and routing, and PWA manifests. For desktop browsers, it has added interactive scrollbars and keyboard shortcuts, increased the default content density in desktop modes, and added screen reader support for accessibility on Windows, macOS and ChromeOS. Google has been working with Ubuntu maker Canonical to bring Flutter to the desktop. Canonical will make Flutter the default choice for future desktop and mobile apps it creates. Microsoft is also releasing contributions to the Flutter engine that supports foldable Android devices, such as the Microsoft Surface Duo.
SpaceX Starlink Factory In Texas Will Speed Up Production of Dishy McFlatface
technology - Posted On:2021-03-04 22:44:58 Source: slashdot
An anonymous reader quotes a report from Ars Technica: SpaceX says it is building a factory in Austin, Texas, to design systems that will help make satellite dishes, Wi-Fi routers, and other equipment for its Starlink satellite broadband network. The news comes from a job posting for an automation and controls engineer position flagged in a story Tuesday by local news channel KXAN. "To keep up with global demand, SpaceX is breaking ground on a new, state of the art manufacturing facility in Austin, TX," the job posting said. "The Automation & Controls Engineer will play a key role as we strive to manufacture millions of consumer facing devices that we ship directly to customers (Starlink dishes, Wi-Fi routers, mounting hardware, etc)." The factory apparently won't make the dishes and routers on site but will instead design systems that improve the manufacturing process. "Specifically, they will design and develop control systems and software for production line machinery -- ultimately tackling the toughest mechanical, software, and electrical challenges that come with high-volume manufacturing, all while maintaining a focus on flexibility, reliability, maintainability, and ease of use," the job posting said. Starlink is in beta and is serving over 10,000 customers, and it has asked the Federal Communications Commission for permission to deploy up to 5 million user terminals in the US. SpaceX calls this piece of hardware "Dishy McFlatface," and it receives transmissions from SpaceX's low-Earth orbit satellites. Starlink has been charging $99 per month plus a one-time fee of $499 for the user terminal, mounting tripod, and router. Starlink recently began taking preorders for service that would become available in the second half of 2021.
Honda Launches World's First Level 3 Self-Driving Car
technology - Posted On:2021-03-04 19:59:59 Source: slashdot
Honda Motor will on Friday launch a new car equipped with the world's first certified level 3 autonomous driving technology. Nikkei Asia reports: Industry experts are cautiously watching to see if the Legend, a luxury sedan that operates without driver supervision under certain conditions but requires the driver to assume control of the vehicle within seconds when alerted, can capture enough demand to suggest a way forward for other manufacturers. Honda unveiled the Legend on Thursday at an online press event. The new model's Traffic Jam Pilot system was approved by Japan's Ministry of Land, Infrastructure, Transport and Tourism in November. It can free drivers from driving in congested traffic on an expressway when traveling slower than 50 kilometers per hour. The system automatically accelerates, brakes and steers while monitoring the vehicle's surroundings, using data from high-definition mapping and external sensors. The driver, meanwhile, can enjoy the vehicle's infotainment using the navigation screen but must respond to the system's request for a handover when the vehicle speeds up after the traffic jam eases. The report says Honda is proceeding cautiously, only producing 100 units that will be available only for lease sales. The vehicle will also carry a steep price of $102,000.
Windows.com Bitsquatting Hack Can Wreak 'Unknown Havoc' On PCs
technology - Posted On:2021-03-04 17:14:59 Source: slashdot
An anonymous reader quotes a report from Ars Technica: Bitflips are events that cause individual bits stored in an electronic device to flip, turning a 0 to a 1 or vice versa. Cosmic radiation and fluctuations in power or temperature are the most common naturally occurring causes. Research from 2010 estimated that a computer with 4GB of commodity RAM has a 96 percent chance of experiencing a bitflip within three days. An independent researcher recently demonstrated how bitflips can come back to bite Windows users when their PCs reach out to Microsoft's windows.com domain. Windows devices do this regularly to perform actions like making sure the time shown in the computer clock is accurate, connecting to Microsoft's cloud-based services, and recovering from crashes. Remy, as the researcher asked to be referred to, mapped the 32 valid domain names that were one bitflip away from windows.com. Of the 32 bit-flipped values that were valid domain names, Remy found that 14 of them were still available for purchase. This was surprising because Microsoft and other companies normally buy these types of one-off domains to protect customers against phishing attacks. He bought them for $126 and set out to see what would happen. Over the course of two weeks, Remy's server received 199,180 connections from 626 unique IP addresses that were trying to contact ntp.windows.com. By default, Windows machines will connect to this domain once per week to check that the time shown on the device clock is correct. What the researcher found next was even more surprising. "The NTP client for windows OS has no inherent verification of authenticity, so there is nothing stopping a malicious person from telling all these computers that it's after 03:14:07 on Tuesday, 19 January 2038 and wreaking unknown havoc as the memory storing the signed 32-bit integer for time overflows," he wrote in a post summarizing his findings.
"As it turns out though, for ~30% of these computers doing that would make little to no difference at all to those users because their clock is already broken."
Three Top Russian Cybercrime Forums Hacked
it - Posted On:2021-03-04 15:14:59 Source: slashdot
tsu doh nimh shares a report: Over the past few weeks, three of the longest running and most venerated Russian-language online forums serving thousands of experienced cybercriminals have been hacked. In two of the intrusions, the attackers made off with the forums' user databases, including email and Internet addresses and hashed passwords. Members of all three forums are worried the incidents could serve as a virtual Rosetta Stone for connecting the real-life identities of the same users across multiple crime forums. On Tuesday, someone dumped thousands of usernames, email addresses and obfuscated passwords on the dark web apparently pilfered from Mazafaka (a.k.a. "Maza," "MFclub"), an exclusive crime forum that has for more than a decade played host to some of the most experienced and infamous Russian cyberthieves. At the top of a 35-page PDF leaked online is a private encryption key allegedly used by Maza administrators. The database also includes ICQ numbers for many users. ICQ, also known as "I seek you," was an instant message platform trusted by countless early denizens of these older crime forums before its use fell out of fashion in favor of more private networks, such as Jabber and Telegram. This is notable because ICQ numbers tied to specific accounts often are a reliable data point that security researchers can use to connect multiple accounts to the same user across many forums and different nicknames over time. Cyber intelligence firm Intel 471 assesses that the leaked Maza database is legitimate.
Chrome Switches Its Release Cycle for First Time in a Decade
technology - Posted On:2021-03-04 14:30:00 Source: slashdot
Google Chrome releases will soon arrive more frequently than ever. From a report: In an announcement today, Google said it is updating the Chrome release schedule for the first time in over a decade. For a cool 10+ years now, Chrome stable releases have shipped every 6 weeks with new features, security fixes, etc. With improvements to testing and release processes, Google has realized that it can shorten the release cycle and will do so in Q3 of this year. Starting with Chrome 94, Google will move to a 4-week milestone release cycle. Freaked out at the possibility that Google might break features, remove things you like, or cause other issues with so many releases? Don't worry, Google is also introducing an Extended Stable release that will see milestone updates every 8 weeks. Now, it will still get updates every 2 weeks to address "important issues," but none of the new features or all security fixes that the 4-week milestones see will be included.