RSS live feed

[$] Smuggling email inside of email

lwn.net - Thu, 2024/01/04 - 7:42 AM
Normally, when a new vulnerability is discovered and releases are coordinated with those affected, the announcement is done at a convenient time—not generally right before the end-of-year holidays, for example. The SMTP Smuggling vulnerability has taken a different path, however, with its announcement landing on December 18. That may well have been unpleasant for some administrators that had not yet updated, but it was particularly problematic for some projects that had not been made aware of the vulnerability at all—though it was known to affect several open-source mailers.

New Jersey Used COVID Relief Funds To Buy Banned Chinese Surveillance Cameras

Slashdot - Thu, 2024/01/04 - 7:30 AM
A federal criminal complaint has revealed that state and local agencies in New Jersey bought millions of dollars worth of banned Chinese surveillance cameras. The cameras were purchased from a local company that rebranded the banned equipment made by Dahua Technology, a company that has been implicated in the surveillance of the Uyghur people in Xinjiang. According to 404 Media, "At least $15 million of the equipment was bought using federal COVID relief funds." From the report: The feds charged Tamer Zakhary, the CEO of the New Jersey-based surveillance company Packetalk, with three counts of wire fraud and a separate count of false statements for repeatedly lying to state and local agencies about the provenance of his company's surveillance cameras. Some of the cameras Packetalk sold to local agencies were Dahua cameras that had the Dahua logo removed and the colors of the camera changed, according to the criminal complaint. Dahua Technology is the second largest surveillance camera company in the world. In 2019, the U.S. government banned the purchase of Dahua cameras using federal funds because their cameras have "been implicated in human rights violations and abuses in the implementation of China's campaign of repression, mass arbitrary detention, and high-technology surveillance against Uyghurs, Kazakhs, and other members of Muslim minority groups in Xinjiang." The FCC later said that Dahua cameras "pose an unacceptable risk to U.S. national security." Dahua is not named in the federal complaint, but [404 Media's Jason Koebler] was able to cross-reference details in the complaint with Dahua and was able to match specific cameras sold by Packetalk to Dahua's products. According to the FBI, Zakhary sold millions of dollars of surveillance equipment, including rebranded Dahua cameras, to agencies all over New Jersey despite knowing that the cameras were illegal to sell to public agencies.
Zakhary also specifically helped two specific agencies in New Jersey (called "Victim Agency-1" and "Victim Agency-2" in the complaint) justify their purchases using federal COVID relief money from the CARES Act, according to the criminal complaint. The feds allege, essentially, that Zakhary tricked local agencies into buying banned cameras using COVID funds: "Zakhary fraudulently misrepresented to the Public Safety Customers that [Packetalk's] products were compliant with Section 889 of the John S. McCain National Defense Authorization Act for 2019 [which banned Dahua cameras], when, in fact, they were not," the complaint reads. "As a result of Zakhary's fraudulent misrepresentations, the Public Safety Customers purchased at least $35 million in surveillance cameras and equipment from [Packetalk], over $15 million of which was federal funds and grants."

Read more of this story at Slashdot.

23andMe Tells Victims It's Their Fault Data Was Breached

Slashdot - Thu, 2024/01/04 - 6:50 AM
An anonymous reader quotes a report from TechCrunch: Facing more than 30 lawsuits from victims of its massive data breach, 23andMe is now deflecting the blame to the victims themselves in an attempt to absolve itself from any responsibility, according to a letter sent to a group of victims seen by TechCrunch. "Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events," Hassan Zavareei, one of the lawyers representing the victims who received the letter from 23andMe, told TechCrunch in an email. In December, 23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users, nearly half of all its customers. The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers, a technique known as credential stuffing. From these 14,000 initial victims, however, the hackers were able to then access the personal data of the other 6.9 million victims because they had opted in to 23andMe's DNA Relatives feature. This optional feature allows customers to automatically share some of their data with people who are considered their relatives on the platform. In other words, by hacking into only 14,000 customers' accounts, the hackers subsequently scraped personal data of another 6.9 million customers whose accounts were not directly hacked. But in a letter sent to a group of hundreds of 23andMe users who are now suing the company, 23andMe said that "users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe." "Therefore, the incident was not a result of 23andMe's alleged failure to maintain reasonable security measures," the letter reads. [...]
23andMe's lawyers argued that the stolen data cannot be used to inflict monetary damage against the victims. "The information that was potentially accessed cannot be used for any harm. As explained in the October 6, 2023 blog post, the profile information that may have been accessed related to the DNA Relatives feature, which a customer creates and chooses to share with other users on 23andMe's platform. Such information would only be available if plaintiffs affirmatively elected to share this information with other users via the DNA Relatives feature. Additionally, the information that the unauthorized actor potentially obtained about plaintiffs could not have been used to cause pecuniary harm (it did not include their social security number, driver's license number, or any payment or financial information)," the letter read. "This finger pointing is nonsensical," said Zavareei. "23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing -- especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform." "The breach impacted millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe's platform, not because they used recycled passwords," added Zavareei. "Of those millions, only a few thousand accounts were compromised due to credential stuffing. 23andMe's attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever."

Read more of this story at Slashdot.

DVD Resurgence To Prevent Films From Disappearing

Slashdot - Thu, 2024/01/04 - 6:10 AM
smooth wombat writes: The advent of streaming services heralded a new era of movie watching. No longer tied to an inconvenient time at a theater, movies could now be watched at your convenience any time of the day or night in your own home. However, with that convenience comes a sinister side: those same movies disappearing from streaming services. Once the movie is removed from the streaming service you can't watch it again. As a result, more people, particularly younger people, are buying DVDs, and even records, to preserve their ability to watch and listen to what they want when they want. Before his release of Oppenheimer, Christopher Nolan encouraged fans to embrace "a version you can buy and own at home and put on a shelf so no evil streaming service can come steal it from you". From the BBC article: Other directors have chimed in to sing the praises of physical media. James Cameron told Variety: "The streamers are denying us any access whatsoever to certain films. And I think people are responding with their natural reaction, which is 'I'm going to buy it, and I'm going to watch it any time I want.'" Guillermo del Toro posted on X that "If you own a great 4K HD, Blu-ray, DVD etc etc of a film or films you love... you are the custodian of those films for generations to come." His tweet prompted people to reply, sharing evidence of their vast DVD collections. [...]

Read more of this story at Slashdot.

LastPass Now Requires 12-Character Master Passwords

Slashdot - Thu, 2024/01/04 - 5:35 AM
LastPass notified customers today that they are now required to use complex master passwords with a minimum of 12 characters to increase their accounts' security. From a report: Even though LastPass has repeatedly said that there has been a 12-character master password requirement since 2018, users have had the ability to use a weaker one. "Historically, while a 12-character master password has been LastPass' default setting since 2018, customers still had the ability to forego the recommended default settings and choose to create a master password with fewer characters, if they wished to do so," LastPass said in a new announcement today. LastPass began enforcing a 12-character master password requirement in April 2023 for new accounts or password resets, but older accounts could still use passwords with fewer than 12 characters. Starting this month, LastPass is now enforcing the 12-character master password requirement for all accounts. Furthermore, LastPass added that it will also start checking new or updated master passwords against a database of credentials previously leaked on the dark web to ensure that they don't match already compromised accounts.

Read more of this story at Slashdot.

Xerox To Cut 15% of Workers in Strategy It Calls a 'Reinvention'

Slashdot - Thu, 2024/01/04 - 3:48 AM
Xerox will lay off 15% of its workforce as the struggling digital printing company moves to cut costs and jump-start growth. From a report: In announcing the cuts, Xerox said Wednesday it is adopting a new operating model and organizational structure aimed at boosting its core print business, while also forming a new business services unit. CEO Steven Bandrowczak said in a statement that the shift will enhance the company's ability to efficiently bring products and services to market, labeling the strategic pivot at Xerox a "reinvention." As of October 2023, Xerox had roughly 20,000 employees, according to the company's website.

Read more of this story at Slashdot.

Way Too Many Games Were Released On Steam In 2023

Slashdot - Thu, 2024/01/04 - 3:00 AM
John Walker, reporting for Kotaku: Steam is by far the most peculiar of online storefronts. Built on top of itself for the last twenty years, Valve's behemothic PC game distributor is a clusterfuck of overlapping design choices, where algorithms rule over coherence, with 2023 seeing over 14,500 games released into the mayhem. Which is too many games. That breaks down to just under 40 a day, although given how people release games, it more accurately breaks down to about 50 every weekday. 50 games a day. On a storefront that goes to some lengths to bury new releases, and even buries pages where you can deliberately list new releases. Compared to 2022, that's an increase of nearly 2,000 games, up almost 5,000 from five years ago. There's no reason to expect that growth to diminish any time soon. It's a volume of games that not only could no individual ever hope to keep up with, but nor could even any gaming site. Not even the biggest sites in the industry could afford an editorial team capable of playing 50 games a day to find and write about those worth highlighting. Realistically, not even a tenth of the games. And that's not least because of those 50 games per day, about 48 of them will be absolute dross. On one level, in this way Steam represents a wonderful democracy for gaming, where any developer willing to stump up the $100 entry fee can release their game on the platform, with barely any restrictions. On another level, however, it's a disaster for about 99 percent of releases, which stand absolutely no chance of garnering any attention, no matter their quality. The solution: human storefront curation, which Valve has never shown any intention of doing.

Read more of this story at Slashdot.

Tax Credits To Intuit Better Spent To Fund a Free Alternative To TurboTax, Lawmakers Say

Slashdot - Thu, 2024/01/04 - 2:20 AM
Intuit is being questioned by US lawmakers who say federal tax credits the company received could have been better spent to build a free government alternative to Intuit's popular online tax preparation software, TurboTax. From a report: "For years, Intuit's corporate lobbyists have argued that the federal government should not set up a program for Americans to file their taxes online and for free because it would be too costly for taxpayers," the lawmakers, including Senators Elizabeth Warren and Bernie Sanders, wrote in a letter to the company. "Your company's disclosure reveals that Intuit's research tax break from 2022 alone could have been enough to fund a year of a free e-File program for millions of Americans." The lawmakers asked Intuit to provide details on its research expenses dating to 2018. Warren, a Massachusetts Democrat, and Sanders, an Independent from Vermont, were joined on the letter by Senator Richard Blumenthal, a Connecticut Democrat, and Representative Katie Porter, a Democrat from California. The Internal Revenue Service, in a report to Congress last year, estimated it would cost $64 million to $249 million annually for the agency to run a free-filing program. In the fiscal year ending in July 2023, Mountain View, California-based Intuit received $106 million in federal research and experimentation credits, which amounted to about 4% of its total R&D expenses, according to a regulatory filing.

Read more of this story at Slashdot.

North Carolina and Montana Just Lost Access To Pornhub

Slashdot - Thu, 2024/01/04 - 1:40 AM
Montana and North Carolina have joined a growing list of states that now require identification to view porn, or are blocked from viewing it altogether, as new age verification laws went into effect on January 1. From a report: A year ago, Louisiana paved the way for a wave of age verification laws that target porn sites; eight states have since passed copycat age verification laws of their own. Montana's SB 544 and North Carolina's HB 8 are nearly identical to Louisiana's and other states' laws. The laws' text makes unsubstantiated claims about the addictive potential of pornography and its apparent harms to viewers' health. North Carolina's law was passed as part of unrelated legislation that adds a computer science course to high school graduation requirements. Rather than try to make its users jump through hoops to view its content, Pornhub's parent company has blocked viewers in Montana and North Carolina altogether, as it has in other states with similar legislation.

Read more of this story at Slashdot.

Lenôtre: Maestro - Introduction

lwn.net - Thu, 2024/01/04 - 1:05 AM
On his blog, Luc Lenôtre introduces Maestro, "a Unix-like kernel and operating system written from scratch in Rust". Maestro is intended to be "lightweight and compatible-enough with Linux to be usable in everyday life". The project began, in C, back in 2018, but switched over to Rust after a year-and-a-half. The current status: Maestro is a monolithic kernel, supporting only the x86 (in 32 bits) architecture for now.

At the time of writing, 135 out of 437 Linux system calls (roughly 31%) are more or less implemented. The project has 48 800 lines of code across 615 files (all repositories combined, counted using the cloc command).

There is a Hacker News discussion of the project as well.

LG's 2024 OLED TVs Put a Bigger Focus on AI Processing Than Ever Before

Slashdot - Thu, 2024/01/04 - 1:00 AM
LG touts AI for its 2024 OLED TVs, but don't expect AI assistants onscreen. The Alpha 11 processor in LG's new G4 and M4 series aims to sharpen clarity, color and image quality. The G4 features LG's Micro Lens Array technology for enhanced brightness. The M4 adopts 2023's wireless connectivity to eliminate unsightly cables. The Verge adds: So the AI supposedly now understands creative intent, according to LG, and can adjust your TV's image settings accordingly. Picture purists can always ignore and disable these AI modes, but many people inevitably leave them on -- so if the upgrades are noticeable, they'll be a difference maker for those customers.

Read more of this story at Slashdot.

Vim 9.1 released

lwn.net - Thu, 2024/01/04 - 12:36 AM
Version 9.1 of the Vim editor has been released. "This release is dedicated to Bram Moolenaar, Vim's lead developer for more than 30 years, who passed away half a year ago. The Vim project wouldn't exist without his work". Changes include new support for classes and objects in the scripting language, smooth scrolling support, an EditorConfig plugin, and more.

Security updates for Wednesday

lwn.net - Thu, 2024/01/04 - 12:21 AM
Security updates have been issued by Debian (kernel), Fedora (slurm), Oracle (kernel and postgresql:15), Red Hat (firefox, gstreamer1-plugins-bad-free, thunderbird, tigervnc, and xorg-x11-server), SUSE (polkit, postfix, putty, w3m, and webkit2gtk3), and Ubuntu (nodejs).

Roku Launches Its First High-End TVs in Search of Revenue Growth

Slashdot - Thu, 2024/01/04 - 12:20 AM
Roku, the maker of TV streaming boxes and software, is debuting its first high-end televisions in a bid to continue sales momentum for the company's devices. From a report: In the spring, Roku will roll out 55-inch, 65-inch and 75-inch Pro Series TVs that will cost consumers as much as $1,500. The new televisions put Roku in competition with Samsung and LG, which offer several models in that price range. It's a step up from the company's current TVs -- the Select and Plus -- which top out at $999. [...] The new TVs include a thinner design with a flat back for mounting on walls, improved picture quality and better audio for cinematic sound, the San Jose, California-based company said in a statement.

Read more of this story at Slashdot.

Wickr Is Dead

Slashdot - Wed, 2024/01/03 - 11:40 PM
Amazon-owned Wickr is dead, more than a year after reports showed it had become the app of choice for drug traffickers. 404 Media: If you open the encrypted messaging app Wickr Me today, you'll be greeted with a line of red text: "Reconnecting..." Below that, in white text over a black background, the app says "We're having issues connecting to the Wickr Me network. If the problem persists, try restarting your app or contacting support." Closing and reopening the app will not work. There is no point in contacting support either. That's because on December 31, 2023, Wickr Me, the free version of Wickr, was shut down entirely. Wickr Me is no longer available to download on the Apple App Store or the Google Play Store. The app stopped accepting new users more than a year ago. And now, even current users cannot speak to one another. So ends the story of an app that while never reaching the popularity of other encrypted messaging apps like Signal, nor those that later turned on end-to-end encryption for the masses like WhatsApp, nonetheless played an important role in the adoption of and debate around secure communications.

Read more of this story at Slashdot.

What's in a Name? The Battle of Baby T. Rex and Nanotyrannus.

Slashdot - Wed, 2024/01/03 - 11:05 PM
A dinosaur fossil listed for sale in London for $20 million embodies one of the most heated debates in paleontology. From a report: When fossil hunters unearthed the remains of a dinosaur from the hills of eastern Montana five years ago, they carried several key characteristics of a Tyrannosaurus rex: a pair of giant legs for walking, a much smaller pair of arms for slashing prey, and a long tail stretching behind it. But unlike a full-grown T. rex, which would be about the size of a city bus, this dinosaur was more like the size of a pickup truck. The specimen, which is now listed for sale for $20 million at an art gallery in London, raises a question that has come to obsess paleontologists: Is it simply a young T. rex who died before reaching maturity, or does it represent a different but related species of dinosaur known as a Nanotyrannus? The dispute has produced reams of scientific research and decades of debate, polarizing paleontologists along the way. Now, with dinosaur fossils increasingly fetching eye-popping prices at auction, the once-esoteric dispute has begun to ripple through auction houses and galleries, where some see the T. rex name as a valuable brand that can more easily command high prices. "It's ultimately a quite in-the-weeds question of the taxonomy and the classification of one very particular type of dinosaur," said Steve Brusatte, a paleontologist at the University of Edinburgh. "However, it involves T. rex, and the debate always gets a little bit more ferocious when the king of dinosaurs is involved." On the internet, juvenile T. rex versus Nanotyrannus has become something of a meme, providing fuel for jokes on niche social media channels. ("I won't believe in Nanotyrannus until it shows up at my own door and devours me," a paleontology student with the handle "TheDinoBuff" joked recently on the social media site X.) The gallery selling the specimen discovered in Montana -- which is known as Chomper -- was faced with a choice. 
Call it a juvenile T. rex? Label it a Nanotyrannus? Or embrace the ambiguity of an unresolved scientific debate? The David Aaron gallery in London went with calling it a "rare juvenile Tyrannosaurus rex skeleton." It cited an influential 2020 paper on the subject led by Holly N. Woodward, which used an analysis of growth rings within bone samples from two disputed specimens -- which are estimated to have been similarly sized to Chomper -- to argue that they were juveniles nearing growth spurts.

Read more of this story at Slashdot.

Pages

Subscribe to the KLDP aggregator