RSS 생중계

A new study [PDF] reveals AI-generated code frequently references non-existent third-party libraries, creating opportunities for supply-chain attacks. Researchers analyzed 576,000 code samples from 16 popular large language models and found 19.7% of package dependencies -- 440,445 in total -- were "hallucinated." These non-existent dependencies exacerbate dependency confusion attacks, where malicious packages with identical names to legitimate ones can infiltrate software. Open source models hallucinated at nearly 22%, compared to 5% for commercial models. "Once the attacker publishes a package under the hallucinated name, containing some malicious code, they rely on the model suggesting that name to unsuspecting users," said lead researcher Joseph Spracklen. Alarmingly, 43% of hallucinations repeated across multiple queries, making them predictable targets.

Read more of this story at Slashdot.

South Korean telecom network SK Telecom is providing free SIM card replacements to all 25 million mobile subscribers following an April 19 security breach where malware compromised Universal Subscriber Identity Module data. Despite the company's announcement, only 6 million replacement cards will be available through May 2025. The stolen data potentially includes IMSI numbers, authentication keys, and network usage information, though customer names, identification details, and financial information remain secure. The primary risk is unauthorized SIM swapping attacks, where threat actors could clone SIM cards.

Read more of this story at Slashdot.

Carbon removal technologies, potentially a $250 billion market, are failing to gain traction as buyers remain scarce. The Intergovernmental Panel on Climate Change projects a need for 10 billion metric tons of carbon removals annually by 2050, yet only 175 million tons have been sold to date -- less than 2% of requirements. Microsoft dominates the market, accounting for 35% of all purchases and 76% of engineered removal solutions specifically. The market suffers from significant barriers: unproven technologies, vast price disparities ($80 per ton for forest projects versus $1,000 for direct air capture), and lack of standardization. Industry experts at a recent London gathering concluded that without more buyers willing to accept early adoption risks, the market cannot meaningfully grow.

Read more of this story at Slashdot.

The Karnataka High Court on Tuesday directed India's government to block Switzerland-based email service Proton Mail, citing national security concerns and law enforcement challenges. Justice M Nagaprasanna ordered authorities to initiate proceedings under Section 69A of the Information Technology Act to ban the service, while mandating immediate blocking of "offending URLs" until final decisions are made. The ruling followed a petition from M Moser Design Associates India, which claimed its female employees were targeted with obscene emails containing "AI-generated deepfake images" sent via Proton Mail. Petitioners argued Proton Mail operates servers outside India, making it inaccessible to law enforcement. The court noted several bomb threats to Indian schools were sent using the service, which has already been banned in Russia and Saudi Arabia. Additional Solicitor General Aravind Kamath, representing the government, said authorities would comply with the court's direction.

Read more of this story at Slashdot.

Bitcoin mining has crossed a critical economic threshold, with costs now exceeding market value for most operators. According to data cited by CoinShares, large public mining companies spend over $82,000 to produce a single Bitcoin -- nearly double last quarter's figure -- while smaller operations face even steeper costs of approximately $137,000 per coin. With Bitcoin currently trading around $94,703, the math no longer works for most miners. The economics become particularly challenging in high-electricity-cost regions like Germany, where mining a single coin requires approximately $200,000. Industry analysts suggest larger mining operations are adapting by optimizing energy consumption and positioning their computational infrastructure for alternative uses. These companies can potentially lease their mining setups for other computational tasks during unprofitable mining periods, then resume mining when market conditions improve. For individual miners, however, the era of profitable home operations appears effectively over, as industrial-scale facilities with strategic positioning and optimized technology have fundamentally altered the mining landscape.

Read more of this story at Slashdot.

An anonymous reader shares a report: Reddit's top lawyer, Ben Lee, said the company is considering legal action against researchers from the University of Zurich who ran what he called an "improper and highly unethical experiment" by surreptitiously deploying AI chatbots in a popular debate subreddit. The University of Zurich told 404 Media that the experiment results will not be published and said the university is investigating how the research was conducted. As we reported Monday, researchers at the University of Zurich ran an "unauthorized" and secret experiment on Reddit users in the r/changemyview subreddit in which dozens of AI bots engaged in debates with users about controversial issues. In some cases, the bots generated responses which claimed they were rape survivors, worked with trauma patients, or were Black people who were opposed to the Black Lives Matter movement. The researchers used a separate AI to mine the posting history of the people they were responding to in an attempt to determine personal details about them that they believed would make their bots more effective, such as their age, race, gender, location, and political beliefs.

Read more of this story at Slashdot.

Hackers working for governments were responsible for the majority of attributed zero-day exploits used in real-world cyberattacks last year, per new research from Google. From a report: Google's report said that the number of zero-day exploits -- referring to security flaws that were unknown to the software makers at the time hackers abused them -- had dropped from 98 exploits in 2023 to 75 exploits in 2024. But the report noted that of the proportion of zero-days that Google could attribute -- meaning identifying the hackers who were responsible for exploiting them -- at least 23 zero-day exploits were linked to government-backed hackers. Among those 23 exploits, 10 zero-days were attributed to hackers working directly for governments, including five exploits linked to China and another five to North Korea.

Read more of this story at Slashdot.

Version 1.8.0 of the Meson build system has been released. Notable changes in this release include the ability to run rustdoc for Rust projects, support for the c2y and gnu2y compiler options, and a new argument (android_exe_type) that makes it possible to use the same meson.build file for Android and non-Android systems.

Version 138.0 of the Firefox web browser has been released. Changes include some profile-management improvements, the ability to get weather-related suggestions in the address bar (US only), and some security fixes.

A former Disney employee who hacked into the company's servers to alter its restaurant menus, including falsifying allergen information and printing profane language, has been sentenced to three years in prison. From a report: Michael Scheuer, a Florida resident, was sentenced last week in federal court and ordered to pay nearly $690,000 in restitution, with most of that going to Disney. He pled guilty in January to one count of computer fraud and one count of aggravated identity theft. "Scheuer remains remorseful and apologetic to his former co-workers. We are grateful that the judge heard all of our arguments and mitigation when fashioning a sentence that was half of what the government was seeking," said David Haas, Scheuer's lawyer, in a statement to CNN. Scheuer worked as a menu production manager for Disney and was fired last June for misconduct, according to the original complaint. He had access to, and also used, secure internal servers for creating and publishing menus for all of Disney's restaurants as part of his job at the company.

Read more of this story at Slashdot.

Tavian Barnes takes on the tedious process of waiting for configure scripts to run.

I paid good money for my 24 CPU cores, but ./configure can only manage to use 69% of one of them. As a result, this random project takes about 13.5× longer to configure the build than it does to actually do the build.

The purpose of a ./configure script is basically to run the compiler a bunch of times and check which runs succeeded. In this way it can test whether particular headers, functions, struct fields, etc. exist, which lets people write portable software. This is an embarrassingly parallel problem, but Autoconf can't parallelize it, and neither can CMake, neither can Meson, etc., etc.

(Thanks to Paul Wise).

Longtime Slashdot reader me34point5 writes: OpenBSD quietly released the new version (7.7) of its "secure by default" operating system. This is the 58th release. Changes include improved hardware and VMM support, along with many kernel improvements. This release brings several specific improvements, including performance boosts on ARM64, Arm SVE support, AMD SEV virtualization enhancements, better low-memory handling on i386, and improved suspend/hibernate and SMP performance. It also updates graphics drivers with support for AMD Ryzen IA 300, Radeon RX 9070, and Intel Arrow Lake, along with expanded hardware support for MediaTek SoCs. A full list of changes can be found here.

Read more of this story at Slashdot.

The kernel's CPU scheduler has to balance a wide range of objectives. The tasks in the system must be scheduled fairly, with latency for any given task kept within bounds. All of the CPUs in the system should be kept busy if there is enough work to do, but unneeded CPUs should be shut down to reduce power consumption. A task should also run on the CPU that is most likely to have cached the memory that task is using. This patch series from Chen Yu aims to improve how the scheduler handles cache locality for multi-threaded processes.

The Kali Linux distribution has announced that software updates will soon start failing for all users:

This is not only you, this is for everyone, and this is entirely our fault. We lost access to the signing key of the repository, so we had to create a new one. At the same time, we froze the repository (you might have noticed that there was no update since Friday 18th), so nobody was impacted yet. But we're going to unfreeze the repository this week, and it's now signed with the new key.

The announcement includes instructions for how to recover from the problem.

Security updates have been issued by AlmaLinux (glibc, php:8.1, and thunderbird), Debian (libreoffice), Fedora (caddy), Mageia (chromium-browser-stable), Red Hat (php:8.1), SUSE (glow), and Ubuntu (kicad, linux-aws-5.15, linux-azure-nvidia, linux-gcp-5.15, mistral, python-mistral-lib, tomcat8, and trafficserver).

An anonymous reader shares a report: Amazon doesn't want to shoulder the blame for the cost of President Donald Trump's trade war. So the e-commerce giant will soon show how much Trump's tariffs are adding to the price of each product, according to a person familiar with the plan. The shopping site will display how much of an item's cost is derived from tariffs -- right next to the product's total listed price.

Read more of this story at Slashdot.

The once-celebrated partnership between OpenAI's Sam Altman and Microsoft's Satya Nadella is deteriorating amid fundamental disagreements over computing resources, model access, and AI capabilities, according to WSJ. The relationship that Altman once called "the best partnership in tech" has grown strained as both companies prepare for independent futures. Tensions center on several critical areas: Microsoft's provision of computing power, OpenAI's willingness to share model access, and conflicting views on achieving humanlike intelligence. Altman has expressed confidence OpenAI can build models with humanlike intelligence soon -- a milestone Nadella publicly dismissed as "nonsensical benchmark hacking" during a February podcast. The companies retain significant leverage over each other. Microsoft can block OpenAI's conversion to a for-profit entity, potentially costing the startup billions if not completed this year. Meanwhile, OpenAI's board can trigger contract clauses preventing Microsoft from accessing its most advanced technology. After Altman's brief ouster in 2023 -- dubbed "the blip" within OpenAI -- Nadella pursued an "insurance policy" by hiring DeepMind co-founder Mustafa Suleyman for $650 million to develop competing models. The personal relationship has also cooled, with the executives now communicating primarily through scheduled weekly calls rather than frequent text exchanges.

Read more of this story at Slashdot.

Amazon successfully launched the first 27 satellites for its Project Kuiper internet constellation, kicking off a major effort to compete with Starlink by deploying over 1,600 satellites by mid-2026. It company is investing $10 billion in Kuiper and plans to begin commercial service later this year. CNBC reports: "We had a nice smooth countdown, beautiful weather, beautiful liftoff, and Atlas V is on its way to orbit to take those 27 Kuiper satellites, put them on their way and really start this new era in internet connectivity," Caleb Weiss, a systems engineer at ULA, said on the livestream following the launch. The satellites are expected to separate from the rocket roughly 280 miles above Earth's surface, at which point Amazon will look to confirm the satellites can independently maneuver and communicate with its employees on the ground. [...] In his shareholder letter earlier this month, Amazon CEO Andy Jassy said Kuiper will require upfront investment at first, but eventually the company expects it to be "a meaningful operating income and ROIC business for us." ROIC stands for return on invested capital. Investors will be listening for any commentary around further capex spend on Kuiper when Amazon reports first-quarter earnings after the bell on Thursday. A livestream can be found here.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Wired: Automakers are increasingly pushing consumers to accept monthly and annual fees to unlock preinstalled safety and performance features, from hands-free driving systems and heated seats to cameras that can automatically record accident situations. But the additional levels of internet connectivity this subscription model requires can increase drivers' exposure to government surveillance and the likelihood of being caught up in police investigations. A cache of more than two dozen police records recently reviewed by WIRED show US law enforcement agencies regularly trained on how to take advantage of "connected cars," with subscription-based features drastically increasing the amount of data that can be accessed during investigations. The records make clear that law enforcement's knowledge of the surveillance far exceeds that of the public and reveal how corporate policies and technologies -- not the law -- determine driver privacy. "Each manufacturer has their whole protocol on how the operating system in the vehicle utilizes telematics, mobile Wi-Fi, et cetera," one law enforcement officer noted in a presentation prepared by the California State Highway Patrol (CHP) and reviewed by WIRED. The presentation, while undated, contains statistics on connected cars for the year 2024. "If the vehicle has an active subscription," they add, "it does create more data." The CHP presentation, obtained by government transparency nonprofit Property of the People via a public records request, trains police on how to acquire data based on a variety of hypothetical scenarios, each describing how vehicle data can be acquired based on the year, make, and model of a vehicle. The presentation acknowledges that access to data can ultimately be limited due to choices made by not only vehicle manufacturers but the internet service providers on which connected devices rely. One document notes, for instance, that when a General Motors vehicle is equipped with an active OnStar subscription, it will transmit data -- revealing its location -- roughly twice as often as a Ford vehicle. Different ISPs appear to have not only different capabilities but policies when it comes to responding to government requests for information. Police may be able to rely on AT&T to help identify certain vehicles based on connected devices active in the car but lack the ability to do so when the device relies on a T-Mobile or Verizon network instead. [...] Nearly all subscription-based car features rely on devices that come preinstalled in a vehicle, with a cellular connection necessary only to enable the automaker's recurring-revenue scheme. The ability of car companies to charge users to activate some features is effectively the only reason the car's systems need to communicate with cell towers. The police documents note that companies often hook customers into adopting the services through free trial offers, and in some cases the devices are communicating with cell towers even when users decline to subscribe.

Read more of this story at Slashdot.

Oracle engineers mistakenly triggered a five-day software outage at a number of Community Health Systems hospitals, causing the facilities to temporarily return to paper-based patient records. From a report: CHS told CNBC that the outage involving Oracle Health, the company's electronic health record (EHR) system, affected "several" hospitals, leading them to activate "downtime procedures." Trade publication Becker's Hospital Review reported that 45 hospitals were hit. The outage began on April 23, after engineers conducting maintenance work mistakenly deleted critical storage connected to a key database, a CHS spokesperson said in a statement. The outage was resolved on Monday, and was not related to a cyberattack or other security incident. CHS is based in Tennessee and includes 72 hospitals in 14 states, according to the medical system's website.

Read more of this story at Slashdot.