Live RSS Feed

[$] Meeting the Debian Technical Committee

lwn.net - Sat, 2024/08/10 - 10:51 AM
It is something of a DebConf tradition that members of the Debian Technical Committee (TC) take the stage to talk about the work that the committee does—and more. DebConf24 in Busan, South Korea was no exception, as TC chair Sean Whitton, who will complete his term at the end of the year, and one of its newest members, Stefano Rivera, described the constitutional underpinnings of the TC, how it tries to make decisions when it needs to, and the constant process of recruiting new members. After that, they took a few questions from the audience. The session provided a nice overview of the TC and its role in Debian, but it may well be of interest further afield.

Japan Issues First Ever 'Megaquake' Warning

Slashdot - Sat, 2024/08/10 - 10:25 AM
After a 7.1 tremor struck southwestern Japan on Thursday, the country's meteorological agency issued its first-ever alert for a possible "megaquake." It marks the first time the warning has been issued under new rules drawn up after a 2011 earthquake, tsunami and nuclear disaster killed almost 20,000 people. Phys.org reports: The JMA's "megaquake advisory" warns that "if a major earthquake were to occur in the future, strong shaking and large tsunamis would be generated." "The likelihood of a new major earthquake is higher than normal, but this is not an indication that a major earthquake will definitely occur during a specific period of time," it added. The advisory concerns the Nankai Trough "subduction zone" between two tectonic plates in the Pacific Ocean, where massive earthquakes have hit in the past. [...] Japan's government has previously said the next magnitude 8-9 megaquake along the Nankai Trough has a roughly 70 percent probability of striking within the next 30 years. In the worst-case scenario 300,000 lives could be lost, experts estimate, with some engineers saying the damage could reach $13 trillion with infrastructure wiped out. "The history of great earthquakes at Nankai is convincingly scary," geologists Kyle Bradley and Judith A Hubbard wrote in their Earthquake Insights newsletter. And "while earthquake prediction is impossible, the occurrence of one earthquake usually does raise the likelihood of another", they explained. "A future great Nankai earthquake is surely the most long-anticipated earthquake in history -- it is the original definition of the 'Big One'."

FDA Rejects MDMA-Assisted Therapy For PTSD

Slashdot - Sat, 2024/08/10 - 9:45 AM
The FDA has rejected a first-of-its-kind proposal to use the psychedelic drug MDMA as a treatment for post-traumatic stress disorder (PTSD), according to drugmaker Lykos Therapeutics. NBC News reports: There had been intense political pressure on the FDA to approve the drug. Friday's decision was the first time the agency had considered a Schedule 1 psychedelic for medical use. If approved, it would have been the first new treatment for PTSD in more than two decades. Lykos Therapeutics had asked the FDA to approve the drug as part of a treatment regimen, given alongside talk therapy. The agency's decision came after an independent advisory committee in June declined to recommend approval of the drug, saying there was not enough evidence that the therapy was safe and effective. The committee cited a myriad of concerns, including poorly designed studies, allegations of sexual misconduct during a midstage clinical trial and the potential for serious health risks after taking the drug, including heart problems and abuse. A review by FDA scientists, published ahead of the June meeting, also raised concerns about how the trials were carried out, including that a number of patients and therapists likely were able to guess who was given the medication and who got the placebo. Despite the rejection, experts say they expect that psychedelic therapies are still on their way to FDA approval. There are around four dozen MDMA trials in various stages of clinical development, according to ClinicalTrials.gov. "I think it will be a temporary setback," said Holly Fernandez Lynch, an associate professor of medical ethics at the University of Pennsylvania. "The advisory committee and FDA gave very clear indications of what they're looking for in terms of study design and adverse event reporting, so Lykos and other companies should know pretty clearly how to proceed going forward if they want to get psychedelics approved."

Russia Blocks Signal Messaging App

Slashdot - Sat, 2024/08/10 - 9:02 AM
Russia has blocked access to the encrypted Signal messaging app to "prevent the messenger's use for terrorist and extremist purposes." YouTube is also facing mass outages following repeated slowdowns in recent weeks. The Associated Press reports: Russian authorities expanded their crackdown on dissent and free media after Russian President Vladimir Putin sent troops into Ukraine in February 2022. They have blocked multiple independent Russian-language media outlets critical of the Kremlin, and cut access to Twitter, which later became X, as well as Meta's Facebook and Instagram. In the latest blow to the freedom of information, YouTube faced mass outages on Thursday following repeated slowdowns in recent weeks. Russian authorities have blamed the slowdowns on Google's failure to upgrade its equipment in Russia, but many experts have challenged the claim, arguing that the likely reason for the slowdowns and the latest outage was the Kremlin's desire to shut public access to a major platform that carries opposition views.

'Sinkclose' Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections

Slashdot - Sat, 2024/08/10 - 8:20 AM
An anonymous reader quotes a report from Wired: Security flaws in your computer's firmware, the deep-seated code that loads first when you turn the machine on and controls even how its operating system boots up, have long been a target for hackers looking for a stealthy foothold. But only rarely does that kind of vulnerability appear not in the firmware of any particular computer maker, but in the chips found across hundreds of millions of PCs and servers. Now security researchers have found one such flaw that has persisted in AMD processors for decades, and that would allow malware to burrow deep enough into a computer's memory that, in many cases, it may be easier to discard a machine than to disinfect it. At the Defcon hacker conference tomorrow, Enrique Nissim and Krzysztof Okupski, researchers from the security firm IOActive, plan to present a vulnerability in AMD chips they're calling Sinkclose. The flaw would allow hackers to run their own code in one of the most privileged modes of an AMD processor, known as System Management Mode, designed to be reserved only for a specific, protected portion of its firmware. IOActive's researchers warn that it affects virtually all AMD chips dating back to 2006, or possibly even earlier. Nissim and Okupski note that exploiting the bug would require hackers to already have obtained relatively deep access to an AMD-based PC or server, but that the Sinkclose flaw would then allow them to plant their malicious code far deeper still. In fact, for any machine with one of the vulnerable AMD chips, the IOActive researchers warn that an attacker could infect the computer with malware known as a "bootkit" that evades antivirus tools and is potentially invisible to the operating system, while offering a hacker full access to tamper with the machine and surveil its activity. 
For systems with certain faulty configurations in how a computer maker implemented AMD's security feature known as Platform Secure Boot -- which the researchers warn encompasses the large majority of the systems they tested -- a malware infection installed via Sinkclose could be harder yet to detect or remediate, they say, surviving even a reinstallation of the operating system. Only opening a computer's case, physically connecting directly to a certain portion of its memory chips with a hardware-based programming tool known as SPI Flash programmer and meticulously scouring the memory would allow the malware to be removed, Okupski says. Nissim sums up that worst-case scenario in more practical terms: "You basically have to throw your computer away." In a statement shared with WIRED, AMD said it "released mitigation options for its AMD EPYC datacenter products and AMD Ryzen PC products, with mitigations for AMD embedded products coming soon." The company also noted that it released patches for its EPYC processors earlier this year. It did not answer questions about how it intends to fix the Sinkclose vulnerability.

Cisco To Lay Off Thousands More in Second Job Cut This Year

Slashdot - Sat, 2024/08/10 - 7:40 AM
Cisco will cut thousands of jobs in a second round of layoffs this year as the U.S. networking equipment maker shifts focus to higher-growth areas, including cybersecurity and AI, Reuters reported Friday, citing sources. From the report: The number of people affected could be similar to or slightly higher than the 4,000 employees Cisco laid off in February, and will likely be announced as early as Wednesday with the company's fourth-quarter results, said the sources, who were not authorized to speak publicly.

Cow and Calf Die After Hackers Attack Farm's Milking Robot

Slashdot - Sat, 2024/08/10 - 7:00 AM
According to Agrarheute, hackers launched a cyberattack on a Swiss farmer's computer system, disrupting the flow of vital data from a milking robot. Tragically, this led to the death of a cow and her calf. From the report (translated from German into English): According to the CSO, hackers attacked the computers of a farmer from Hagendorn. The dairy farmer's milking robot was also connected to these computers. When the animal owner stopped receiving milking data, he initially suspected a dead zone. But then he learned from the manufacturer of his milking system that he had been hacked. Apparently it was a ransomware attack. The hackers demanded $10,000 to decrypt the data. The farmer considered whether he should give in to the cyber criminals' demands. At first he thought the data on the amount of milk produced was bearable. In addition, the milking robot also worked without a computer or network connection. The cows could therefore continue to be milked. For one cow, however, the cyberattack ended tragically. The farmer normally receives vital data from his cows via the system. This is particularly important and critical for pregnant animals. One cow's calf died in the womb. Because the computer was paralyzed, Bircher was unable to recognize the emergency in time. They tried everything to at least save the cow, but in the end it had to be put down. Overall, the attack caused monetary damages amounting to the equivalent of over 6,400 euros, mainly due to veterinary costs and the purchase of a new computer. However, the hackers came away empty-handed.

Linux Will Be Able To Boot 0.035 Seconds Faster With One Line Kernel Patch

Slashdot - Sat, 2024/08/10 - 6:20 AM
Michael Larabel reports via Phoronix: Intel Linux engineer Colin Ian King discovered that aligning the slab in the ACPI code via the "SLAB_HWCACHE_ALIGN" flag will offer a measurable improvement in memory performance and reduce the kernel boot time. Colin explained with this one line kernel patch: "Enabling SLAB_HWCACHE_ALIGN for the ACPI object caches improves boot speed in the ACPICA core for object allocation and free'ing especially in the AML parsing and execution phases in boot. Testing with 100 boots shows an average boot saving in acpi_init of ~35000 usecs compared to the unaligned version. Most of the ACPI objects being allocated and free'd are of very short life times in the critical paths for parsing and execution, so the extra memory used for alignment isn't too onerous."

Nova Launcher, Savior of Cruft-Filled Android Phones, Is On Life Support

Slashdot - Sat, 2024/08/10 - 5:40 AM
An anonymous reader quotes a report from Ars Technica: Back in July 2022, when mobile app metrics firm Branch acquired the popular and well-regarded Nova Launcher for Android, the app's site put up one of those self-directed FAQ posts about it. Under the question heading "What does Branch want with Nova?," Nova founder and creator Kevin Barry started his response with, "Not to mess it up, don't worry!" Branch (formerly/sometimes Branch Metrics) is a firm concerned with helping businesses track the links that lead into their apps, whether from SMS, email, marketing, or inside other apps. Nova, with its Sesame Search tool that helped users find and access deeper links -- like heading straight to calling a car, rather than just opening a rideshare app -- seemed like a reasonable fit. Barry wrote that he had received a number of acquisition offers over the years, but he didn't want to be swallowed by a giant corporation, an OEM, or a volatile startup. "Branch is different," he wrote then, because they wanted to add staff to Nova, keep it available to the public, and mostly leave it alone. Two years later, Branch has left Nova Launcher a bit too alone. As documented on Nova's official X (formerly Twitter) account, and transcripts from its Discord, as of Thursday Nova had "gone from a team of around a dozen people" to just Barry, the founder, working alone. The Nova cuts were part of "a massive layoff" of purportedly more than 100 people across all of Branch, according to now-former Nova workers. Barry wrote that he would keep working on Nova, "However I have less resources." He would need to "cut scope" on an upcoming Nova release, he wrote. Other employees noted that customer support, marketing, and even correspondence would likely be strained or disappear. "While Nova is not dead (despite mine and others' eulogistic tones), it's certainly not positioned to launch bold new features or plot new futures," writes Ars' Kevin Purdy, in closing. 
"Here's hoping Barry can make a go of Nova Launcher for as long as it's viable for him."

FCC Proposes New Rules For AI-Generated Robocalls and Robotexts

Slashdot - Sat, 2024/08/10 - 5:00 AM
The FCC has proposed new rules governing the use of AI-generated phone calls and texts. Part of the proposal centers on creating a clear definition for AI-generated calls, while the rest focuses on consumer protection by making companies disclose when AI is being used in calls or texts. A report adds: "This provides consumers with an opportunity to identify and avoid those calls or texts that contain an enhanced risk of fraud and other scams," the FCC said. The agency is also looking to ensure that legitimate uses of AI to assist people with disabilities to communicate remain protected.

A new kernel-version policy for Ubuntu

lwn.net - Sat, 2024/08/10 - 4:47 AM
The Canonical Kernel Team has announced a new policy regarding the version of the kernel that will ship with each Ubuntu release; the result will generally be the shipping of newer releases.

To provide users with the absolute latest in features and hardware support, Ubuntu will now ship the absolute latest available version of the upstream Linux kernel at the specified Ubuntu release freeze date, even if upstream is still in Release Candidate (RC) status.

The post goes on to acknowledge that "there are issues with this approach"; there are a lot of policy details that will apply depending on just how raw the shipped kernel is.

A Crackdown Is Coming for People Hanging On To Student Discounts

Slashdot - Sat, 2024/08/10 - 4:20 AM
Major U.S. companies are tightening eligibility requirements for student discounts, cracking down on graduates who continue to claim benefits years after leaving school. Amazon, Spotify, and other firms are partnering with verification services like SheerID to validate student status, ending an era of lax enforcement that allowed many to exploit discounts long after graduation. While companies aim to build brand loyalty among young consumers, they're also guarding against fraud. SheerID claims it helped clients avoid $2 billion in fraudulent discounts last year. Most streaming services retain over 90% of student customers after graduation, according to SheerID CEO Stephanie Copeland Weber. "They're building trust and loyalty with those consumers," she told WSJ.

Agile is Killing Software Innovation, Says Moxie Marlinspike

Slashdot - Sat, 2024/08/10 - 3:40 AM
There's a rot at the heart of modern software development that's destroying innovation, and infosec legend Moxie Marlinspike believes he knows exactly what's to blame: Agile development. Marlinspike argued that Agile methodologies, widely adopted over the past two decades, have confined developers to "black box abstraction layers" that limit creativity and understanding of underlying systems. "We spent the past 20 years onboarding people into software by putting them into black box abstraction layers, and then putting them into organizations composed of black box abstraction layers," Marlinspike said. He contended this approach has left many software engineers unable to do more than derivative work, lacking the deep understanding necessary for groundbreaking developments. Thistle Technologies CEO Window Snyder echoed these concerns, noting that many programmers now lack knowledge of low-level languages and machine code interactions. Marlinspike posited that security researchers, who routinely probe beneath surface-level abstractions, are better positioned to drive innovation in software development.

How China Built Tech Prowess: Chemistry Classes and Research Labs

Slashdot - Sat, 2024/08/10 - 3:00 AM
Stressing science education, China is outpacing other countries in research fields like battery chemistry, crucial to its lead in electric vehicles. From a report: China's domination of electric cars, which is threatening to start a trade war, was born decades ago in university laboratories in Texas, when researchers discovered how to make batteries with minerals that were abundant and cheap. Companies from China have recently built on those early discoveries, figuring out how to make the batteries hold a powerful charge and endure more than a decade of daily recharges. They are inexpensively and reliably manufacturing vast numbers of these batteries, producing most of the world's electric cars and many other clean energy systems. Batteries are just one example of how China is catching up with -- or passing -- advanced industrial democracies in its technological and manufacturing sophistication. It is achieving many breakthroughs in a long list of sectors, from pharmaceuticals to drones to high-efficiency solar panels. Beijing's challenge to the technological leadership that the United States has held since World War II is evidenced in China's classrooms and corporate budgets, as well as in directives from the highest levels of the Communist Party. A considerably larger share of Chinese students major in science, math and engineering than students in other big countries do. That share is rising further, even as overall higher education enrollment has increased more than tenfold since 2000. Spending on research and development has surged, tripling in the past decade and moving China into second place after the United States. Researchers in China lead the world in publishing widely cited papers in 52 of 64 critical technologies, recent calculations by the Australian Strategic Policy Institute reveal.

OpenAI Finds That GPT-4o Does Some Truly Bizarre Stuff Sometimes

Slashdot - Sat, 2024/08/10 - 2:21 AM
OpenAI's latest AI model, GPT-4o, exhibits unusual behaviors, including voice cloning and random shouting, according to a new "red teaming" report. The model, which powers ChatGPT's Advanced Voice Mode alpha, is OpenAI's first trained on voice, text, and image data. In high-noise environments, GPT-4o occasionally mimics users' voices, a quirk OpenAI attributes to difficulties processing distorted speech. The company said it has implemented a "system-level mitigation" to address this issue. The report also reveals GPT-4o's tendency to generate inappropriate vocalizations and sound effects when prompted.

Sellafield, World's Largest Store of Plutonium, Apologizes After Guilty Plea Over String of Cybersecurity Failings

Slashdot - Sat, 2024/08/10 - 1:40 AM
Bruce66423 writes: Sellafield [U.K.'s largest nuclear site] has apologised after pleading guilty to criminal charges relating to a string of cybersecurity failings at Britain's most hazardous nuclear site, which it admitted could have threatened national security. Among the failings at the vast nuclear waste dump in Cumbria was the discovery that 75% of its computer servers were vulnerable to cyber-attacks, Westminster magistrates court in London heard. Information that could threaten national security was left exposed for four years, the nuclear watchdog revealed, and Sellafield said it had been performing critical IT health checks that were not, in fact, being carried out. The Guardian's investigation also revealed concerns about external contractors being able to plug memory sticks into Sellafield's system while unsupervised and that its computer servers were deemed so insecure that the problem was nicknamed Voldemort after the Harry Potter villain because it was so sensitive and dangerous. The good news is that the problem has been spotted. The bad news is that there can be no meaningful punishment for a government owned company. One can only hope that they will do better in the future.

Microsoft Researchers Report Iran Hackers Targeting US Officials Before Election

Slashdot - Sat, 2024/08/10 - 1:01 AM
Microsoft researchers said on Friday that Iran government-tied hackers tried breaking into the account of a "high ranking official" on the U.S. presidential campaign in June, weeks after breaching the account of a county-level U.S. official. From a report: The breaches were part of Iranian groups' increasing attempts to influence the U.S. presidential election in November, the researchers said in a report that did not provide any further detail on the "official" in question. The report follows recent statements by senior U.S. Intelligence officials that they'd seen Iran ramp up use of clandestine social media accounts with the aim to use them to try to sow political discord in the United States. Iran's mission to the United Nations in New York told Reuters in a statement that its cyber capabilities were "defensive and proportionate to the threats it faces" and that it had no plans to launch cyber attacks.

US Landfills Are Major Source of Toxic PFAS Pollution, Study Finds

Slashdot - Sat, 2024/08/10 - 12:21 AM
Toxic PFAS "forever chemicals" that leach from landfills into groundwater are among the major pollution sources in the US, and remain a problem for which officials have yet to find an effective solution. Now new research has identified another route in which PFAS may escape landfills and threaten the environment at even higher levels: the air. From a report: PFAS gas that emits from landfill waste ends up highly concentrated in the facilities' gas treatment systems, but the systems are not designed to manage or destroy the chemicals, and much of them probably end up in the environment. The findings, which showed up to three times as much PFAS in landfill gas as in leachate, are "definitely an alarming thing for us to see," said Ashley Lin, a University of Florida researcher and the lead author of the study. "These findings suggest that landfill gas, a less scrutinized byproduct, serves as a major pathway for the mobility of PFAS from landfills," the paper's authors wrote. PFAS are a class of about 16,000 compounds used to make products resistant to water, stains and heat. They are called "forever chemicals" because they do not naturally break down and have been found to accumulate in humans. The chemicals are linked to cancer, birth defects, liver disease, thyroid disease, plummeting sperm counts and a range of other serious health problems. As researchers have begun to understand the chemicals' dangers in recent years, the focus has largely been on water pollution, and regulators have said virtually all leachate from the nation's 200 landfills contain PFAS. But scientists are beginning to understand that PFAS air pollution is also a significant threat.

[$] Distinguishing Debian testing from unstable

lwn.net - Sat, 2024/08/10 - 12:12 AM
Sometimes, the smallest changes create the longest discussions. As a case in point, a proposal to make a one-line change in an informational text file on systems running the Debian unstable distribution has blown up into an interminable and sometimes unfriendly debate. At its core, though, this discussion comes down to a seemingly simple question: should a program be able to determine whether it is running on a Debian testing or unstable system?

New attack against the SLUB allocator

lwn.net - Sat, 2024/08/10 - 12:08 AM

Researchers from Graz University of Technology have published details of a new attack on the Linux kernel called SLUBStick. The attack uses timing information to turn an ability to trigger use-after-free or double-free bugs into the ability to overwrite page tables, and thence into the ability to read and write arbitrary areas of memory. The good news is that this attack does require an existing bug to be usable; the bad news is that the kernel regularly sees bugs of this kind.

We assume that an unprivileged user has code execution. Additionally, we consider the presence of a heap vulnerability in the Linux kernel. We assume that the Linux kernel incorporates all defense mechanisms available in version 6.4, the most recent Linux kernel version when we started our work. These mechanisms include features such as W^X, KASLR, SMAP, and kCFI. We do not assume any microarchitectural vulnerabilities, e.g., transient execution, fault injection, or hardware side channels.