RSS Live Feed

Tech's Message To the Hill: We're Not Facebook

Slashdot - 3 hours 16 min ago
TikTok, YouTube and Snapchat will appear before Congress Tuesday with a key priority: distinguishing their practices from Facebook's. From a report: Facebook is under attack, and its tech peers don't want to get caught in the crossfire as lawmakers mull legislation to rein in the company. At the hearing before the Senate Commerce consumer protection subcommittee, representatives from TikTok, YouTube and Snap will focus on ways their services differ from Facebook and Instagram and measures they've already put in place to protect children. TikTok's Michael Beckerman, vice president and head of public policy, will highlight proactive safety moves the company has made, including disabling direct messages for users under 16. Snap's Jennifer Stout, vice president of global public policy, will note that the company was designed to avoid some of the toxicity of social media platforms and uses human moderation for creator posts that will reach more than 25 users. YouTube's Leslie Miller, vice president of government affairs and public policy, will point out that the company already has designed different services and products for younger users, including YouTube Kids, Made for Kids and Supervised Experiences.

Read more of this story at Slashdot.

Facebook Says It's Refocusing Company on 'Serving Young Adults'

Slashdot - 3 hours 59 min ago
Facebook CEO Mark Zuckerberg says he's redirected teams within his company to "make serving young adults their north star." The comment, made on a call with investors this afternoon, speaks to Facebook's concerns about declining usage among teens and young adults. From a report: "So much of our services have gotten dialed to be the best for the most people who use them, rather than specifically for young adults," Zuckerberg said. He suggested the change will be more than just lip service. Facebook usage among older users will grow slower than it otherwise would have because of the changes, Zuckerberg said. Even with those tradeoffs, he said, "I think it's the right approach." Zuckerberg expects the changes to take years. One of the more immediate shifts could be to Instagram, which he says will see "significant changes" to lean further into video and make Reels "a more central part of the experience."

Biden Appoints Jessica Rosenworcel To Officially Lead the FCC

Slashdot - 4 hours 43 min ago
President Joe Biden named acting Federal Communications Commissioner Chair Jessica Rosenworcel to officially head the agency on Tuesday, propping her up as the administration's leader to tackle broadband expansion and net neutrality. Biden also nominated progressive advocate Gigi Sohn as the third Democrat for the bench. From a report: The decision comes late into Biden's term, beating out both former presidents Jimmy Carter and Richard Nixon who nominated their FCC chairs well into September of their first years. If confirmed by the Senate before December, the FCC's 2-2 deadlock would end and provide Democrats with a majority to push forward Biden's telecom agenda. But it's unclear if senators plan to move on Rosenworcel and Sohn's confirmations before the end of the year. Without a majority, current Democratic commissioners Rosenworcel and Geoffrey Starks have their hands tied when it comes to implementing Biden's agenda. In July, Biden signed an executive order urging the FCC to restore Obama-era net neutrality rules and to take up other measures to promote broadband competition, including requiring companies to provide transparency into pricing.

Amazon Joins Race for Quantum Computer With New Caltech Center

Slashdot - 5 hours 17 min ago
Amazon is officially entering the race to develop a quantum computer, joining U.S. and Chinese rivals in the quest to harness the properties of nature's tiniest particles into computing power far surpassing existing machines. From a report: Amazon will base its quantum team at a new center on the campus of Caltech in Pasadena, Calif., which officially opens this week. Caltech described it as the first "corporate-partnership building" on the university's campus, showing "Caltech's interests in bringing fundamental science to the marketplace." The investment reflects growing corporate interest in quantum computers, which are still at an early stage of development but could someday crack problems that existing computers can't, such as identifying new materials to capture and remove carbon dioxide from the atmosphere, or new chemical compounds to treat intractable diseases. In the defense sphere, some scientists believe quantum computers might someday be able to break existing forms of encryption, making them a hot development priority for the United States, China and other nations.

CVE-2021-41182

Latest 7 days CVE Lists - 5 hours 33 min ago
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.

CVE-2021-41183

Latest 7 days CVE Lists - 5 hours 33 min ago
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.

CVE-2021-41184

Latest 7 days CVE Lists - 5 hours 33 min ago
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.

CVE-2021-41185

Latest 7 days CVE Lists - 5 hours 33 min ago
Mycodo is an environmental monitoring and regulation system. An exploit in versions prior to 8.12.7 allows anyone with access to endpoints to download files outside the intended directory. A patch has been applied and a release made. Users should upgrade to version 8.12.7. As a workaround, users may manually apply the changes from the fix commit.

CVE-2021-41188

Latest 7 days CVE Lists - 5 hours 33 min ago
Shopware is open source e-commerce software. Versions prior to 5.7.6 contain a cross-site scripting vulnerability. This issue is patched in version 5.7.6. Two workarounds are available. Using the security plugin or adding a particular config to the `.htaccess` file will protect against cross-site scripting in this case. There is also a config for those using nginx as a server. The plugin and the configs can be found on the GitHub Security Advisory page for this vulnerability.

Amazon is Building a Clubhouse Competitor That Turns Hosts Into DJs

Slashdot - Tue, 2021/10/26 - 11:55 PM
Amazon is next on the list of companies getting into the live audio game. The company is building a new app, codenamed "Project Mic," that gives anyone the ability to make and distribute a live radio show, complete with music, according to a presentation viewed by The Verge. From a report: This project's big goal is to democratize and reinvent the radio. The app will be focused on the US initially. Listeners will be able to tune in through the app, as well as through Audible, Amazon Music, Twitch, and Alexa-equipped devices. With the Alexa devices, listeners will be able to interact with shows using just their voice. The app experience will also be optimized for the car, playing into Amazon's idea of trying to reinvent radio. A mockup app image viewed by The Verge depicts a screen listing shows that are currently live; trending topics, like #NBA or #hot100; and featured creators. Users will also be able to search for content by topic, name, or music.

Security updates for Tuesday

lwn.net - Tue, 2021/10/26 - 11:53 PM
Security updates have been issued by Debian (php7.3 and php7.4), Mageia (kernel and kernel-linus), openSUSE (chromium and virtualbox), Oracle (xstream), Red Hat (kernel, rh-ruby30-ruby, and samba), and Ubuntu (binutils and mysql-5.7).

CVE-2021-41158

Latest 7 days CVE Lists - Tue, 2021/10/26 - 11:15 PM
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, an attacker can perform a SIP digest leak attack against FreeSWITCH and receive the challenge response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH's SIP requests with the realm set to that of the gateway, thus forcing FreeSWITCH to respond with the challenge response, which is based on the password of that targeted gateway. Abuse of this vulnerability allows attackers to potentially recover gateway passwords by performing a fast offline password cracking attack on the challenge response. The attacker does not require special network privileges, such as the ability to sniff FreeSWITCH's network traffic, to exploit this issue. Instead, what is required for this attack to work is the ability to cause the victim server to send SIP request messages to the malicious party. Additionally, to exploit this issue, the attacker needs to specify the correct realm, which might in some cases be considered secret. However, because many gateways are actually public, this information can easily be retrieved. The vulnerability appears to be due to the code which handles challenges in `sofia_reg.c`, `sofia_reg_handle_sip_r_challenge()`, which does not check if the challenge is originating from the actual gateway. The lack of these checks allows arbitrary UACs (and gateways) to challenge any request sent by FreeSWITCH with the realm of the gateway being targeted. This issue is patched in version 10.10.7. Maintainers recommend that one should create an association between a SIP session for each gateway and its realm, so that a check of this association can be put in place when responding to challenges.

CVE-2021-41172

Latest 7 days CVE Lists - Tue, 2021/10/26 - 11:15 PM
AS_Redis is an AntSword plugin for Redis. The Redis Manage plugin for AntSword prior to version 0.5 is vulnerable to Self-XSS due to insufficient input validation and sanitization via the redis server configuration. Self-XSS in the plugin configuration leads to code execution. This issue is patched in version 0.5.

CVE-2021-41173

Latest 7 days CVE Lists - Tue, 2021/10/26 - 11:15 PM
Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.9, a vulnerable node is susceptible to crash when processing a maliciously crafted message from a peer. Version v1.10.9 contains patches to the vulnerability. There are no known workarounds aside from upgrading.

CVE-2021-41175

Latest 7 days CVE Lists - Tue, 2021/10/26 - 11:15 PM
Pi-hole's Web interface (based on AdminLTE) provides a central location to manage one's Pi-hole and review the statistics generated by FTLDNS. Prior to version 5.8, cross-site scripting is possible when adding a client via the groups-clients management page. This issue was patched in version 5.8.

CVE-2021-37363

Latest 7 days CVE Lists - Tue, 2021/10/26 - 11:15 PM
An Insecure Permissions issue exists in Gestionale Open 11.00.00. A low privilege account is able to rename the mysqld.exe file located in the bin folder and replace it with a malicious file that would connect back to an attacking computer, giving system level privileges (nt authority\system) due to the service running as Local System. While a low privilege user is unable to restart the service through the application, a restart of the computer triggers the execution of the malicious file. The application also has unquoted service path issues.

CVE-2021-37364

Latest 7 days CVE Lists - Tue, 2021/10/26 - 11:15 PM
OpenClinic GA 5.194.18 is affected by Insecure Permissions. By default the Authenticated Users group has the modify permission on openclinic folders/files. A low privilege account is able to rename the mysqld.exe or tomcat8.exe files located in the bin folders and replace them with a malicious file that would connect back to an attacking computer, giving system level privileges (nt authority\system) due to the service running as Local System. While a low privilege user is unable to restart the service through the application, a restart of the computer triggers the execution of the malicious file. The application also has unquoted service path issues.

CVE-2021-41157

Latest 7 days CVE Lists - Tue, 2021/10/26 - 11:15 PM
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. By default, SIP requests of the type SUBSCRIBE are not authenticated in the affected versions of FreeSWITCH. Abuse of this security issue allows attackers to subscribe to user agent event notifications without the need to authenticate. This abuse poses privacy concerns and might lead to social engineering or similar attacks. For example, attackers may be able to monitor the status of target SIP extensions. Although this issue was fixed in version v1.10.6, installations upgraded to the fixed version of FreeSWITCH from an older version may still be vulnerable if the configuration is not updated accordingly. Software upgrades do not update the configuration by default. SIP SUBSCRIBE messages should be authenticated by default so that FreeSWITCH administrators do not need to explicitly set the `auth-subscriptions` parameter. When following such a recommendation, a new parameter can be introduced to explicitly disable authentication.

AnandTech Reviews Apple's M1 Pro and M1 Max Chips

Slashdot - Tue, 2021/10/26 - 11:06 PM
AnandTech reviews the recently unveiled M1 Pro and M1 Max chips: The M1 Pro and M1 Max change the narrative completely -- these designs truly feel like SoCs that have been made with power users in mind, with Apple increasing the performance metrics in all vectors. We expected large performance jumps, but we didn't expect some of the monstrous increases that the new chips are able to achieve. On the CPU side, doubling up on the performance cores is an evident way to increase performance -- the competition also does so with some of their designs. How Apple does it differently is that it not only scaled the CPU cores, but everything surrounding them. It's not just 4 additional performance cores, it's a whole new performance cluster with its own L2. On the memory side, Apple has scaled its memory subsystem to never before seen dimensions, and this allows the M1 Pro & Max to achieve performance figures that simply weren't even considered possible in a laptop chip. The chips here aren't only able to outclass any competitor laptop design, but also compete against the best desktop systems out there; you'd have to bring out server-class hardware to get ahead of the M1 Max -- it's just generally absurd. On the GPU side of things, Apple's gains are also straightforward. The M1 Pro is essentially 2x the M1, and the M1 Max is 4x the M1 in terms of performance. Games are still in a very weird place for macOS and the ecosystem; maybe it's a chicken-and-egg situation, maybe gaming is still something of a niche that will take a long time to make use of the performance the new chips are able to provide in terms of GPU. What's clearer is that the new GPU does allow immense leaps in performance for content creation and productivity workloads which rely on GPU acceleration. To further improve content creation, the new media engine is a key feature of the chip. Particularly video editors working with ProRes or ProRes RAW will see a many-fold improvement in their workflow as the new chips can handle the formats like a breeze -- this alone is likely going to have many users of that professional background quickly adopt the new MacBook Pros. For others, it seems that Apple knows the typical MacBook Pro power users, and has designed the silicon around the use-cases in which Macs do shine. The combination of raw performance, unique acceleration, as well as sheer power efficiency, is something that you just cannot find in any other platform right now, likely making the new MacBook Pros not just the best laptops, but outright the very best devices for the task. It's a comprehensive review, and Intel should be panicking.

CVE-2011-2195

Latest 7 days CVE Lists - Tue, 2021/10/26 - 10:15 PM
A flaw was found in WebSVN 2.3.2. Without prior authentication, if the 'allowDownload' option is enabled in config.php, an attacker can invoke the dl.php script and pass a well-formed 'path' argument to execute arbitrary commands against the underlying operating system.