RSS Live Feed
Researchers Hack Electronic Shifters With a Few Hundred Dollars of Hardware
An anonymous reader quotes a report from Wired: Professional cycling has, in its recent history, been prone to a shocking variety of cheating methods and dirty tricks. Performance-enhancing drugs. Tacks strewn on race courses. Even stealthy motors hidden inside of wheel hubs. Now, for those who fail to download a software patch for their gear shifters -- yes, bike components now get software updates -- there may be hacker saboteurs to contend with, too. At the Usenix Workshop on Offensive Technologies earlier this week, researchers from UC San Diego and Northeastern University revealed a technique that would allow anyone with a few hundred dollars of hardware to hack Shimano wireless gear-shifting systems (Warning: source may be paywalled; alternative source) of the kind used by many of the top cycling teams in the world, including in recent events like the Olympics and the Tour de France. Their relatively simple radio attack would allow cheaters or vandals to spoof signals from as far as 30 feet away that trigger a target bike to unexpectedly shift gears or to jam its shifters and lock the bike into the wrong gear.
The trick would, the researchers say, easily be enough to hamper a rival on a climb or, if timed to certain intense moments of a race, even cause dangerous instability. "The capability is full control of the gears. Imagine you're going uphill on a Tour de France stage: If someone shifts your bike from an easy gear to a hard one, you're going to lose time," says Earlence Fernandes, an assistant professor at UCSD's Computer Science and Engineering department. "Or if someone is sprinting in the big chain ring and you move it to the small one, you can totally crash a person's bike like that." [...] The researchers' technique exploits the increasingly electronic nature of modern high-end bicycles, which now have digital components like power meters, wireless control of fork suspensions, and wireless shifters. "Modern bicycles are cyber-physical systems," the researchers note in their Usenix paper. Almost all professional cyclists now use electronic shifters, which respond to digital signals from shifter controls on the bike's handlebars to move a bicycle's chain from gear to gear, generally more reliably than mechanical shifting systems. In recent years, those wired electronic shifters have transitioned again to wireless versions that pair via a radio connection, such as the popular Di2 wireless shifters sold by the Japanese cycling component firm Shimano, which the researchers focused on. Shimano says it has developed a firmware update to patch the exploit but it won't be available widely until late August. The update is intended to improve wireless transmission across Shimano Di2 component platforms, though specific details about the fix and how it prevents the identified attacks have not been disclosed for security reasons.
Read more of this story at Slashdot.
Climate Activists Stop Air Traffic After Breaking Into Four Airport Sites
Climate activists have broken into four German airport sites, briefly bringing air traffic to a halt at two of those before police made arrests. From a report: Protesters from Letzte Generation -- Germany's equivalent to Just Stop Oil -- gained access on Thursday to airfields in areas near the takeoff and landing strips of Cologne-Bonn, Nuremberg, Berlin Brandenburg and Stuttgart airports at dawn. Air traffic was suspended for a short time at Nuremberg and Cologne-Bonn due to police operations. The activists cut holes in fences with bolt cutters, glued themselves to the asphalt and unfurled banners reading "Oil kills" and "Sign the treaty," in reference to Letzte Generation's demand that the German government negotiate and sign an agreement for an international ban on the use of oil, gas and coal by 2030.
The action was reminiscent of similar protests this summer and followed raids carried out a week ago on the homes of climate activists in five German cities, at which police collected DNA samples, in what Letzte Generation called "an attempt at intimidation." The interior minister, Nancy Faeser, condemned the protest and called for anyone convicted of involvement in Thursday's action to be given prison sentences. She wrote: "These criminal actions are dangerous and stupid. These anarchists are risking not only their own lives, but are also endangering others. We have recommended tough prison sentences. And we obligate airports to secure their facilities significantly better."
ISPs Ask Supreme Court To Kill New York Law That Requires $15 Broadband Plans
ISPs have asked the US Supreme Court to strike down a New York law that requires broadband providers to offer $15-per-month service to people with low incomes. From a report: On Monday, a Supreme Court petition challenging the state law was filed by six trade groups representing the cable, telecom, mobile, and satellite industries. Although ISPs were recently able to block the FCC's net neutrality rules, this week's petition shows the firms are worried about states stepping into the regulatory vacuum with various kinds of laws targeting broadband prices and practices. A broadband-industry victory over federal regulation could bolster the authority of New York and other states to regulate broadband. To prevent that, ISPs said the Supreme Court should strike down both the New York law and the FCC's broadband regulation, although the rulings would have to be made in two different cases.
A situation in which the New York law is upheld while federal rules are struck down "will likely lead to more rate regulation absent the Court's intervention," ISPs told the Supreme Court. "Other States are likely to copy New York once the Attorney General begins enforcing the ABA [Affordable Broadband Act] and New York consumers can buy broadband at below-market rates. As petitioners' members have shown, New York's price cap will require them to sell broadband at a loss and deter them from investing in expanding their broadband networks. As rate regulation proliferates, those harms will as well, stifling critical investment in bringing broadband to unserved and underserved areas." The New York law was upheld in April by the US Court of Appeals for the 2nd Circuit, which reversed a 2021 District Court ruling. New York Attorney General Letitia James agreed last week not to enforce the $15 broadband law while the Supreme Court considers whether to take up the case.
Apple, Google Wallets To Carry California Driver's Licenses
Californians' driver's licenses are going digital as people will soon be able to carry them in their Apple or Google wallets. From a report: The governor's office says it's a secure and convenient tool that will allow users to more easily undergo ID verification, such as airport screenings. The virtual wallet capabilities, which are set to roll out "in the coming weeks," will allow users to add and access California driver's licenses and ID cards on their iPhones, Apple Watch and Android devices -- similar to credit cards.
They will be authorized for use in TSA screenings, select apps and select businesses, such as Circle K. Participating airports in the state include SFO, SJC and LAX. The new format, which Gov. Gavin Newsom is expected to announce Thursday, is part of the DMV's broader mobile driver's license (mDL) pilot, which launched last year. "This is a big step in our efforts to better serve all Californians, meeting people where they're at and with technology people use every day," Newsom said in a statement shared first with Axios.
Microsoft Tweaks Fine Print To Warn Everyone Not To Take Its AI Seriously
Microsoft is notifying folks that its AI services should not be taken too seriously, echoing prior service-specific disclaimers. From a report: In an update to the IT giant's Service Agreement, which takes effect on September 30, 2024, Redmond has declared that its Assistive AI isn't suitable for matters of consequence. "AI services are not designed, intended, or to be used as substitutes for professional advice," Microsoft's revised legalese explains. The changes to Microsoft's rules of engagement cover a few specific services, such as noting that Xbox customers should not expect privacy from platform partners.
"In the Xbox section, we clarified that non-Xbox third-party platforms may require users to share their content and data in order to play Xbox Game Studio titles and these third-party platforms may track and share your data, subject to their terms," the latest Service Agreement says. There are also some clarifications regarding the handling of Microsoft Cashback and Microsoft Rewards. But the most substantive revision is the addition of an AI Services section, just below a passage that says Copilot AI Experiences are governed by Bing's Terms of Use. Those using Microsoft Copilot with commercial data protection get a separate set of terms. The tweaked consumer-oriented rules won't come as much of a surprise to anyone who has bothered to read the contractual conditions governing Microsoft's Bing and associated AI stuff. For example, there's now a Services Agreement prohibition on using AI Services for "Extracting Data."
German Cyber Agency Wants Changes in Microsoft, CrowdStrike Products After Tech Outage
An anonymous reader shares a report: Since last month's blue-screen deluge, CrowdStrike has published analyses of what went wrong and said it hired third-party security companies to review its product. Now, Germany's powerful cybersecurity agency is seizing the moment and hoping to rattle tech and cyber companies into altering their products to head off another mega-meltdown. In particular, the Bonn-based Federal Office for Information Security is taking aim at the access Microsoft gives security providers to its Windows kernel, a core part of its operating system. As well, the German agency is looking for fundamental changes in the way CrowdStrike and other cyber firms design their tools, in hopes of curbing that access.
"The most important thing is to prevent [that] this can happen again," said Thomas Caspers, director general for technology strategy at the BSI, as the agency is known. Leveraging the dread that filled Silicon Valley following the July outage, the BSI is planning to organize a conference this year gathering major tech firms, where it hopes they will commit to restricting access to the kernel, a change Caspers says is crucial to stopping similar failures. "We expect each company to be very specific about what they will do based on what we agreed on," he said.
Redbox App Axed, Dashing People's Hopes of Keeping Purchased Content
Roku has removed the Redbox app from its platform, effectively cutting off users' access to purchased content following Redbox parent company Chicken Soup for the Soul Entertainment's bankruptcy filing. The move signals the likely end of Redbox's digital streaming service, which launched in 2017 to complement its DVD rental kiosks. Customers attempting to use the Redbox app on Roku devices now receive an error message directing them to other streaming services. While the app remains downloadable on some platforms, including Apple's App Store and Google Play, its functionality is severely limited. The shutdown raises questions about the fate of content purchased through Redbox's streaming service and the company's remaining 24,000 physical kiosks.
Google Sold Android Phones With Hidden Insecure Feature, Companies Find
Google's master software for some Android phones includes a hidden feature that is insecure and could be activated to allow remote control or spying on users, according to a security company that found it inside phones at a U.S. intelligence contractor. From a report: The feature appears intended to give employees at stores selling Pixel phones and other models deep access to the devices so they can demonstrate how they work, according to researchers at iVerify who shared their findings with The Washington Post. The discovery and Google's lack of explanation alarmed the intelligence contractor, data analysis platform vendor Palantir Technologies, to the extent that it has stopped issuing Android phones to employees, Palantir told The Post.
"Mobile security is a very real concern for us, given where we're operating and who we're serving," Palantir Chief Information Security Officer Dane Stuckey said. "This was very deleterious of trust, to have third-party, unvetted insecure software on it. We have no idea how it got there, so we made the decision to effectively ban Androids internally." The security company said it contacted Google about its findings more than 90 days ago and that the tech giant has not indicated whether it would remove or fix the application. On Wednesday night, Google told The Post that it would issue an update to remove the application. "Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update," said company spokesperson Ed Fernandez. He said distributors of other Android phones would also be notified.
Eric Schmidt Walks Back Claim Google Is Behind on AI Because of Remote Work
Eric Schmidt, ex-CEO and executive chairman at Google, walked back remarks in which he said his former company was losing the AI race because of its remote-work policies. From a report: "I misspoke about Google and their work hours," Schmidt said Wednesday in an email to The Wall Street Journal. "I regret my error." Schmidt, who left Google parent Alphabet's board more than five years ago, spoke earlier at a wide-ranging discussion at Stanford University. He criticized Google's remote-work policies in response to a question about Google competing with OpenAI. "Google decided that work-life balance and going home early and working from home was more important than winning," Schmidt said at Stanford. "The reason startups work is because the people work like hell."
Video of Schmidt's talk was posted on YouTube this week by Stanford Online, a division of the university that offers online courses. The video, which had more than 40,000 views as of Wednesday afternoon, has since been set to private. Schmidt said he asked for the video to be taken down.
Kim Dotcom To Be Extradited From New Zealand To US
EmagGeek writes: Kim Dotcom, who is facing criminal charges relating to the defunct filesharing website Megaupload, is to be extradited to the US, the New Zealand justice minister says, which could end more than a decade of legal wrangling. German-born Dotcom has New Zealand residency and has been fighting extradition to the US since 2012 after an FBI-ordered raid on his Auckland mansion. The high court in New Zealand first approved his extradition in 2017, with an appeal court reaffirming the finding the year after. In 2020, the country's supreme court again affirmed the finding but opened the door for a fresh round of judicial review.
Now, the justice minister, Paul Goldsmith, has signed an extradition order for Dotcom, a spokesperson said on Thursday. "I considered all of the information carefully, and have decided that Mr Dotcom should be surrendered to the US to face trial," Goldsmith said. "As is common practice, I have allowed Mr Dotcom a short period of time to consider and take advice on my decision. I will not, therefore, be commenting further at this stage."
[$] Memory-management: tiered memory, huge pages, and EROFS
The kernel's memory-management developers have been busy in recent times;
it can be hard to keep up with all that has been happening in this core
area. In an attempt to catch up, here is a look at recent work
affecting tiered-memory systems, underutilized huge pages, and duplicated
file data in the Enhanced Read-Only Filesystem (EROFS).
Security updates for Thursday
Security updates have been issued by AlmaLinux (container-tools:rhel8), Debian (flatpak), Fedora (389-ds-base, dotnet8.0, and roundcubemail), Red Hat (bind9.16, firefox, python-setuptools, and thunderbird), Slackware (dovecot), SUSE (389-ds, curl, kernel, kernel-firmware, kubernetes1.25, openssl-1_1, openssl-3, python-Pillow, and zziplib), and Ubuntu (busybox, linux-azure, and ruby-rmagick).
Epic Judge Says He'll 'Tear the Barriers Down' on Google's App Store Monopoly
Judge James Donato just made it crystal clear: Google will pay. From a report: Eight months after a federal jury unanimously decided that Google's Android app store is an illegal monopoly in Epic v. Google, Donato held his final hearing on remedies today. While we don't yet know what will happen, he repeatedly shut down any suggestion that Google shouldn't have to open up its store to rival stores, that it'd be too much work or cost too much, or that the proposed remedies go too far.
"We're going to tear the barriers down, it's just the way it's going to happen," said Donato. "The world that exists today is the product of monopolistic conduct. That world is changing." Donato will issue his final ruling in a little over two weeks.
Cisco Slashes Thousands of Workers As It Announces Yearly Profit of $10.3 Billion
An anonymous reader quotes a report from SFGATE: Cisco Systems is laying off 7% of its workforce, the company announced in a filing with the Securities and Exchange Commission on Wednesday. It's the San Jose tech giant's second time slashing thousands of jobs this year. The networking and telecommunications company is vast, reporting to have 84,900 employees in July 2023 before it chopped at least 4,000 in February. That means the new 7% cut will likely affect at least 5,500 workers. Cisco spokesperson Robyn Blum said in an email to SFGATE that the layoff is meant to allow the company to invest in "key growth opportunities and drive more efficiency in our business." [...]
More hints about the layoff's potential reasoning showed up in a Wednesday blog post from CEO Chuck Robbins. The executive wrote that Cisco plans to consolidate its networking, security and collaboration teams into one organization and said the company is still integrating Splunk; Cisco closed its $28 billion acquisition of the San Francisco-based data security and management company in March. Cisco also announced its earnings for its last fiscal year on Wednesday. Total revenue was slightly down year over year, to $53.8 billion, but the company still reported a $10.3 billion profit during the same period.
Magic: The Gathering Community Fears Generative AI Will Replace Talented Artists
Slate's Derek Heckman, an avid fan of Magic: The Gathering since the age of 10, expresses concern about the potential replacement of the game's distinctive hand-drawn art with generative AI -- and he's not alone. "I think we're all pretty afraid of what the potential is, given what we've seen from the generative image side," Sam, a YouTube creator who runs the channel Rhystic Studies, told him. "It's staggeringly powerful. And it's only in its infancy."
"Magic's greatest asset has always been its commitment to create a new illustration for every new card," he said. He adds that if we sacrifice that commitment for A.I., "you'd get to a point pretty fast where it just disintegrates and becomes the ugliest definition of the word product." Here's an excerpt from his report: So far, Magic's parent company, Wizards of the Coast, has outwardly agreed with Sam, saying in an official statement in 2023 that Magic "has been built on the innovation, ingenuity, and hard work of talented people" and forbidding outside creatives from using A.I. in their work. However, a number of recent incidents -- from the accidental use of A.I. art in a Magic promotional image to a very intentional LinkedIn post for a "Principal AI Engineer," one that Wizards had to clarify was for the company's video game projects -- have left many players unsure whether Wizards is potentially evolving their stance, or merely trying to find their footing in an ever-changing A.I. landscape.
In response to fan concerns, Wizards has created an "AI art FAQ" detailing, among other things, the new technologies it's invested in to detect A.I. use in art. Still, trust in the company has been damaged by this year's incidents. Longtime Magic artist David Rapoza even severed ties with the game this past January, citing this seeming difference between Wizards' words and actions when it comes to the use of A.I. Sam says the larger audience has likewise been left "cautiously suspicious," hoping to believe Wizards' official statements while also carefully noting the company's moves and mistakes with the technology. "I think what we want is for Wizards to commit hard to one lane and stay [with] what is tried and true," Sam says. "And that is prioritizing human work over shortcuts."
Researchers Figure Out How To Keep Clocks On the Earth, Moon In Sync
Ars Technica's John Timmer reports: [T]he International Astronomical Union has a resolution that calls for a "Lunar Celestial Reference System" and "Lunar Coordinate Time" to handle things there. On Monday, two researchers at the National Institute of Standards and Technology, Neil Ashby and Bijunath Patla, did the math to show how this might work. [...] Ashby and Patla worked on developing a system where anything can be calculated in reference to the center of mass of the Earth/Moon system. Or, as they put it in the paper, their mathematical system "enables us to compare clock rates on the Moon and cislunar Lagrange points with respect to clocks on Earth by using a metric appropriate for a locally freely falling frame such as the center of mass of the Earth-Moon system in the Sun's gravitational field." What does this look like? Well, a lot of deriving equations. The paper's body has 55 of them, and there are another 67 in the appendices. So, a lot of the paper ends up looking like this.
Things get complicated because there are so many factors to consider. There are tidal effects from the Sun and other planets. Anything on the surface of the Earth or Moon is moving due to rotation; other objects are moving while in orbit. The gravitational influence on time will depend on where an object is located. So, there's a lot to keep track of. Ashby and Patla don't have to take everything into account in all circumstances. Some of these factors are so small they'll only be detectable with an extremely high-precision clock. Others tend to cancel each other out. Still, using their system, they're able to calculate that an object near the surface of the Moon will pick up an extra 56 microseconds every day, which is a problem in situations where we may be relying on measuring time with nanosecond precision. And the researchers say that their approach, while focused on the Earth/Moon system, is still generalizable. Which means that it should be possible to modify it and create a frame of reference that would work on both Earth and anywhere else in the Solar System. Which, given the pace at which we've sent things beyond low-Earth orbit, is probably a healthy amount of future-proofing. The findings have been published in the Astronomical Journal. A National Institute of Standards and Technology (NIST) press release announcing the work can be found here.
Scientists Find Humans Age Dramatically In Two Bursts: At 44, Then 60
An anonymous reader quotes a report from The Guardian: The study, which tracked thousands of different molecules in people aged 25 to 75, detected two major waves of age-related changes at around ages 44 and again at 60. The findings could explain why spikes in certain health issues including musculoskeletal problems and cardiovascular disease occur at certain ages. [...] The research tracked 108 volunteers, who submitted blood and stool samples and skin, oral and nasal swabs every few months for between one and nearly seven years. Researchers assessed 135,000 different molecules (RNA, proteins and metabolites) and microbes (the bacteria, viruses and fungi living in the guts and on the skin of the participants).
The abundance of most molecules and microbes did not shift in a gradual, chronological fashion. When the scientists looked for clusters of molecules with the largest shifts, they found these transformations tended to occur when people were in their mid-40s and early 60s. The mid-40s aging spike was unexpected and initially assumed to be a result of perimenopausal changes in women skewing results for the whole group. But the data revealed similar shifts were happening in men in their mid-40s, too. "This suggests that while menopause or perimenopause may contribute to the changes observed in women in their mid-40s, there are likely other, more significant factors influencing these changes in both men and women," said Dr Xiaotao Shen, a former postdoctoral scholar at Stanford medical school and first author of the study who is now based at Nanyang Technological University Singapore.
The first wave of changes included molecules linked to cardiovascular disease and the ability to metabolize caffeine, alcohol and lipids. The second wave of changes included molecules involved in immune regulation, carbohydrate metabolism and kidney function. Molecules linked to skin and muscle ageing changed at both time points. Previous research suggested that a later spike in aging may occur around the age of 78, but the latest study could not confirm this because the oldest participants were 75. The pattern fits with previous evidence that the risk of many age-related diseases does not increase incrementally, with Alzheimer's and cardiovascular disease risk showing a steep uptick after 60. It is also possible that some of the changes could be linked to lifestyle or behavioral factors. For instance, the change in alcohol metabolism could result from an uptick in consumption in people's mid-40s, which can be a stressful period of life. The findings have been published in the journal Nature Aging.
NIST Finalizes Trio of Post-Quantum Encryption Standards
"NIST has formally accepted three algorithms for post-quantum cryptography," writes ancient Slashdot reader jd. "Two more backup algorithms are being worked on. The idea is to have backup algorithms using very different maths, just in case a flaw in the original approach is discovered later." The Register reports: The National Institute of Standards and Technology (NIST) today released the long-awaited post-quantum encryption standards, designed to protect electronic information long into the future -- when quantum computers are expected to break existing cryptographic algorithms. One -- ML-KEM (based on CRYSTALS-Kyber) -- is intended for general encryption, which protects data as it moves across public networks. The other two -- ML-DSA (originally known as CRYSTALS-Dilithium) and SLH-DSA (initially submitted as Sphincs+) -- secure digital signatures, which are used to authenticate online identity. A fourth algorithm -- FN-DSA (originally called FALCON) -- is slated for finalization later this year and is also designed for digital signatures.
NIST continued to evaluate two other sets of algorithms that could potentially serve as backup standards in the future. One of the sets includes three algorithms designed for general encryption -- but the technology is based on a different type of math problem than the ML-KEM general-purpose algorithm in today's finalized standards. NIST plans to select one or two of these algorithms by the end of 2024. Despite the new ones on the horizon, NIST mathematician Dustin Moody encouraged system administrators to start transitioning to the new standards ASAP, because full integration takes some time. "There is no need to wait for future standards," Moody advised in a statement. "Go ahead and start using these three. We need to be prepared in case of an attack that defeats the algorithms in these three standards, and we will continue working on backup plans to keep our data safe. But for most applications, these new standards are the main event."
From the NIST: This notice announces the Secretary of Commerce's approval of three Federal Information Processing Standards (FIPS):
- FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard
- FIPS 204, Module-Lattice-Based Digital Signature Standard
- FIPS 205, Stateless Hash-Based Digital Signature Standard
These standards specify key establishment and digital signature schemes that are designed to resist future attacks by quantum computers, which threaten the security of current standards. The three algorithms specified in these standards are each derived from different submissions in the NIST Post-Quantum Cryptography Standardization Project.
Artists Claim 'Big' Win In Copyright Suit Fighting AI Image Generators
Ars Technica's Ashley Belanger reports: Artists defending a class-action lawsuit are claiming a major win this week in their fight to stop the most sophisticated AI image generators from copying billions of artworks to train AI models and replicate their styles without compensating artists. In an order on Monday, US district judge William Orrick denied key parts of motions to dismiss from Stability AI, Midjourney, Runway AI, and DeviantArt. The court will now allow artists to proceed with discovery on claims that AI image generators relying on Stable Diffusion violate both the Copyright Act and the Lanham Act, which protects artists from commercial misuse of their names and unique styles.
"We won BIG," an artist plaintiff, Karla Ortiz, wrote on X (formerly Twitter), celebrating the order. "Not only do we proceed on our copyright claims," but "this order also means companies who utilize" Stable Diffusion models and LAION-like datasets that scrape artists' works for AI training without permission "could now be liable for copyright infringement violations, amongst other violations." Lawyers for the artists, Joseph Saveri and Matthew Butterick, told Ars that artists suing "consider the Court's order a significant step forward for the case," as "the Court allowed Plaintiffs' core copyright-infringement claims against all four defendants to proceed."
[$] LWN.net Weekly Edition for August 15, 2024
The LWN.net Weekly Edition for August 15, 2024 is available.