Slashdot's Journal
 

Saturday, March 23rd, 2024

    12:02a
    General Motors Quits Sharing Driving Behavior With Data Brokers
    An anonymous reader quotes a report from the New York Times: General Motors said Friday that it had stopped sharing details about how people drove its cars with two data brokers that created risk profiles for the insurance industry. The decision followed a New York Times report this month that G.M. had, for years, been sharing data about drivers' mileage, braking, acceleration and speed with the insurance industry. The drivers were enrolled -- some unknowingly, they said -- in OnStar Smart Driver, a feature in G.M.'s internet-connected cars that collected data about how the car had been driven and promised feedback and digital badges for good driving. Some drivers said their insurance rates had increased as a result of the captured data, which G.M. shared with two brokers, LexisNexis Risk Solutions and Verisk. The firms then sold the data to insurance companies. Since Wednesday, "OnStar Smart Driver customer data is no longer being shared with LexisNexis or Verisk," a G.M. spokeswoman, Malorie Lucich, said in an emailed statement. "Customer trust is a priority for us, and we are actively evaluating our privacy processes and policies."

    Read more of this story at Slashdot.

    12:45a
    Users Shocked To Find Instagram Limits Political Content By Default
    Instagram has been limiting recommended political content by default without notifying users. Ars Technica reports: Instead, Instagram rolled out the change in February, announcing in a blog that the platform doesn't "want to proactively recommend political content from accounts you don't follow." That post confirmed that Meta "won't proactively recommend content about politics on recommendation surfaces across Instagram and Threads," so that those platforms can remain "a great experience for everyone." "This change does not impact posts from accounts people choose to follow; it impacts what the system recommends, and people can control if they want more," Meta's spokesperson Dani Lever told Ars. "We have been working for years to show people less political content based on what they told us they want, and what posts they told us are political." To change the setting, users can navigate to Instagram's menu for "settings and activity" in their profiles, where they can update their "content preferences." On this menu, "political content" is the last item under a list of "suggested content" controls that allow users to set preferences for what content is recommended in their feeds. There are currently two options for controlling what political content users see. Choosing "don't limit" means "you might see more political or social topics in your suggested content," the app says. By default, all users are set to "limit," which means "you might see less political or social topics." "This affects suggestions in Explore, Reels, Feed, Recommendations, and Suggested Users," Instagram's settings menu explains. "It does not affect content from accounts you follow. This setting also applies to Threads." "Did [y'all] know Instagram was actively limiting the reach of political content like this?!" an X user named Olayemi Olurin wrote in an X post. "I had no idea 'til I saw this comment and I checked my settings and sho nuff political content was limited." 
"This is actually kinda wild that Instagram defaults everyone to this," another user wrote. "Obviously political content is toxic but during an election season it's a little weird to just hide it from everyone?"


    1:25a
    Database For UK Nurse Registration 'Completely Unacceptable'
    Lindsay Clark reports via The Register: The UK Information Commissioner's Office has received a complaint detailing the mismanagement of personal data at the Nursing and Midwifery Council (NMC), the regulator that oversees worker registration. Employment as a nurse or midwife depends on enrollment with the NMC in the UK. According to whistleblower evidence seen by The Register, the databases on which the personal information is held lack rudimentary technical standards and practices. The NMC said its data was secure with a high level of quality, allowing it to fulfill its regulatory role, although it was on "a journey of improvement." But without basic documentation, or the primary keys or foreign keys common in database management, the Microsoft SQL Server databases -- holding information about 800,000 registered professionals -- are difficult to query and manage, making assurances on governance nearly impossible, the whistleblower told us. The databases have no version control systems. Important fields for identifying individuals were used inconsistently -- for example, containing junk data, test data, or null data. Although the tech team used workarounds to compensate for the lack of basic technical standards, they were ad hoc and known by only a handful of individuals, creating business continuity risks should they leave the organization, according to the whistleblower. Despite having been warned of the issues of basic technical practice internally, the NMC failed to acknowledge the problems. Only after exhausting other avenues did the whistleblower raise concern externally with the ICO and The Register. The NMC stores sensitive data on behalf of the professionals that it registers, including gender, sexual orientation, gender identity, ethnicity and nationality, disability details, marital status, as well as other personal information. 
The whistleblower's complaint claims the NMC falls well short of [the standards required under current UK law for data protection and the EU's General Data Protection Regulation (GDPR)]. The statement alleges that the NMC's "data management and data retrieval practices were completely unacceptable." "There is not even much by way of internal structure of the databases for self-documentation, such as primary keys, foreign keys (with a few honorable exceptions), check constraints and table constraints. Even fields that should not be null are nullable. This is frankly astonishing and not the practice of a mature, professional organization," the statement says. For example, the databases contain a unique ten-digit number (or PRN) to identify individuals registered to the NMC. However, the fields for PRNs sometimes contain individuals' names, start with a letter or other invalid data, or are simply null. The whistleblower's complaint says that the PRN problem, and other database design deficiencies, meant that it was nearly impossible to produce "accurate, correct, business critical reports ... because frankly no one knows where the correct data is to be found." A spokesperson for the NMC said the register was "organized and documented" in the SQL Server database. "For clarity, the register of all our nurses, midwives and nursing practitioners is held within Dynamics 365 which is our system of record. This solution and the data held within it, is secure and well documented. It does not rely on any SQL database. The SQL database referenced by the whistleblower relates to our data warehouse which we are in the process of modernizing as previously shared."
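As an added illustration of the database hygiene the complaint describes (example code, not anything from the NMC or The Register): a small SQLite script loads constructed registrant rows into a table with no constraints and into one carrying the primary key, NOT NULL and CHECK constraints the whistleblower says were missing, then audits the unconstrained copy for the PRN defects the article lists (names in the field, leading letters, nulls, duplicates). The table and column names and all row values are assumptions.

```python
"""Added example (not the NMC's schema): contrast a register table with no
constraints against one with the key, NOT NULL and CHECK constraints the
whistleblower describes as missing, using an in-memory SQLite database.
'PRN' is the ten-digit registration number the article mentions."""
import re
import sqlite3

# Constructed sample rows: (prn, full_name). The junk, test, null and
# duplicate values mirror the kinds of defects the complaint lists.
SAMPLE_ROWS = [
    ("1234567890", "A. Nurse"),
    ("0987654321", "B. Midwife"),
    ("Jane Smith", "Jane Smith"),   # a person's name stored in the PRN field
    ("A123456789", "C. Nurse"),     # starts with a letter
    ("TEST", "test record"),        # test data left in production
    (None, "D. Midwife"),           # null PRN
    ("1234567890", "Duplicate"),    # same PRN as the first row
]

PRN_PATTERN = re.compile(r"^[0-9]{10}$")
TEN_DIGITS_GLOB = "[0-9]" * 10

# The state the whistleblower describes: nullable, no key, no format check.
UNCONSTRAINED_DDL = """
CREATE TABLE registrants (
    prn       TEXT,
    full_name TEXT
);
"""

# Self-documenting alternative: the engine refuses bad rows at write time.
CONSTRAINED_DDL = f"""
CREATE TABLE registrants (
    prn       TEXT PRIMARY KEY NOT NULL
              CHECK (length(prn) = 10 AND prn GLOB '{TEN_DIGITS_GLOB}'),
    full_name TEXT NOT NULL
);
"""


def load_rows(ddl, rows):
    """Create the table from ddl and try to insert each row.
    Returns (connection, rejected) where rejected lists rows the
    database refused because a constraint fired."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(ddl)
    rejected = []
    for row in rows:
        try:
            conn.execute(
                "INSERT INTO registrants (prn, full_name) VALUES (?, ?)", row
            )
        except sqlite3.IntegrityError:
            rejected.append(row)
    conn.commit()
    return conn, rejected


def audit_prns(conn):
    """Data-quality report for a table that had no constraints: how many
    PRNs are null, malformed (not exactly ten digits) or duplicated."""
    cur = conn.cursor()
    null_count = cur.execute(
        "SELECT COUNT(*) FROM registrants WHERE prn IS NULL"
    ).fetchone()[0]
    present = cur.execute(
        "SELECT prn FROM registrants WHERE prn IS NOT NULL"
    ).fetchall()
    malformed = [p for (p,) in present if not PRN_PATTERN.match(p)]
    dup_groups = cur.execute(
        "SELECT COUNT(*) FROM (SELECT prn FROM registrants "
        "WHERE prn IS NOT NULL GROUP BY prn HAVING COUNT(*) > 1)"
    ).fetchone()[0]
    return {"null": null_count, "malformed": len(malformed), "duplicated": dup_groups}


def compare():
    """Load the same sample into both schemas and summarise the outcome."""
    loose, rejected_loose = load_rows(UNCONSTRAINED_DDL, SAMPLE_ROWS)
    strict, rejected_strict = load_rows(CONSTRAINED_DDL, SAMPLE_ROWS)
    stored = strict.execute("SELECT COUNT(*) FROM registrants").fetchone()[0]
    return {
        "unconstrained_rejected": len(rejected_loose),   # everything is accepted
        "unconstrained_audit": audit_prns(loose),        # defects found after the fact
        "constrained_rejected": len(rejected_strict),    # defects refused up front
        "constrained_rows": stored,
    }


if __name__ == "__main__":
    print(compare())
```

The unconstrained table swallows every row and only a later audit finds the damage; the constrained table rejects five of the seven rows at insert time, which is the difference between data governance you can assure and data governance you can only hope for.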


    2:02a
    New 'GoFetch' Apple CPU Attack Exposes Crypto Keys
    "There is a new side channel attack against Apple 'M' series CPUs that does not appear to be fixable without a major performance hit," writes Slashdot reader EncryptedSoldier. SecurityWeek reports: A team of researchers representing several universities in the United States has disclosed the details of a new side-channel attack method that can be used to extract secret encryption keys from systems powered by Apple CPUs. The attack method, dubbed GoFetch, has been described as a microarchitectural side-channel attack that allows the extraction of secret keys from constant-time cryptographic implementations. These types of attacks require local access to the targeted system. The attack targets a hardware optimization named data memory-dependent prefetcher (DMP), which attempts to prefetch addresses found in the contents of program memory to improve performance. The researchers have found a way to use specially crafted cryptographic operation inputs that allow them to infer secret keys, guessing them bits at a time by monitoring the behavior of the DMP. They managed to demonstrate end-to-end key extraction attacks against several crypto implementations, including OpenSSL Diffie-Hellman Key Exchange, Go RSA, and the post-quantum CRYSTALS-Kyber and CRYSTALS-Dilithium. The researchers have conducted successful GoFetch attacks against systems powered by Apple M1 processors, and they have found evidence that the attack could also work against M2 and M3 processors. They have also tested an Intel processor that uses DMP, but found that it's 'more robust' against such attacks. The experts said Apple is investigating the issue, but fully addressing it does not seem trivial. The researchers have proposed several countermeasures, but they involve hardware changes that are not easy to implement or mitigations that can have a significant impact on performance. 
Apple told SecurityWeek that it thanks the researchers for their collaboration as this work advances the company's understanding of these types of threats. The tech giant also shared a link to a developer page that outlines one of the mitigations mentioned by the researchers. The researchers have published a paper (PDF) detailing their work. Ars Technica's Dan Goodin also reported on the vulnerability.


    3:30a
    World's First Nuclear Fusion-Powered Electric Propulsion Drive Unveiled
    An anonymous reader quotes a report from InterestingEngineering: A concept that began as a doodle at a conference years ago is now becoming a reality. RocketStar Inc. has showcased (PDF) its advanced nuclear-based propulsion technology called the FireStar Drive. It is said to be the world's first electric device for spacecraft propulsion boosted by nuclear fusion. Recently, the company announced the successful initial demonstration of this electric propulsion technology. The FireStar Drive harnesses the power of nuclear fusion to improve the performance of RocketStar's "water-fueled pulsed plasma thruster." A spacecraft's thrusters perform various functions, including propulsion, orbital changes, and even docking with other orbiting platforms. Moreover, the device employs a unique sort of aneutronic nuclear fusion, which is a fusion reaction that generates few to no neutrons as a byproduct. "The base thruster generates high-speed protons through the ionization of water vapor," noted the press release. Therefore, these protons collide with the nucleus of a boron atom, which starts the fusion reaction. The FireStar Drive begins a fusion process by adding boron into the thruster exhaust, resulting in high-energy particles that increase thrust. RocketStar's current thruster is dubbed M1.5. Plans to test the FireStar Drive are now ongoing. The in-space technological demonstration will take place aboard D-Orbit's patented OTV ION Satellite Carrier. The SpaceX Transporter rideshare mission will likely launch the demo test in July and October 2024. Furthermore, the team plans to undertake ground tests this year, with more in-space demonstrations scheduled for February 2025. The FireStar Drive will undergo testing as a payload aboard Rogue Space System's Barry-2 spacecraft in the same month. The thruster M1.5 is already ready for delivery to clients.


    7:00a
    AI Surpasses Doctors In Spotting Early Breast Cancer Signs In NHS Trial
    An AI tool named Mia, tested by the NHS, successfully detected signs of breast cancer in 11 women which had been missed by human doctors. The BBC reports: The tool, called Mia, was piloted alongside NHS clinicians and analyzed the mammograms of over 10,000 women. Most of them were cancer-free, but it successfully flagged all of those with symptoms, as well as an extra 11 the doctors did not identify. At their earliest stages, cancers can be extremely small and hard to spot. The BBC saw Mia in action at NHS Grampian, where we were shown tumors that were practically invisible to the human eye. But, depending on their type, they can grow and spread rapidly. Barbara was one of the 11 patients whose cancer was flagged by Mia but had not been spotted on her scan when it was studied by the hospital radiologists. Because her 6mm tumor was caught so early she had an operation but only needed five days of radiotherapy. Breast cancer patients with tumors which are smaller than 15mm when discovered have a 90% survival rate over the following five years. Barbara said she was pleased the treatment was much less invasive than that of her sister and mother, who had previously also battled the disease. Without the AI tool's assistance, Barbara's cancer would potentially not have been spotted until her next routine mammogram three years later. She had not experienced any noticeable symptoms. "These results are encouraging and help to highlight the exciting potential AI presents for diagnostics. There is no question that real-life clinical radiologists are essential and irreplaceable, but a clinical radiologist using insights from validated AI tools will increasingly be a formidable force in patient care." said Dr Katharine Halliday, President of the Royal College of Radiologists.


    10:00a
    Truck-To-Truck Worm Could Infect Entire US Fleet
    Jessica Lyons reports via The Register: Vulnerabilities in common Electronic Logging Devices (ELDs) required in US commercial trucks could be present in over 14 million medium- and heavy-duty rigs, according to boffins at Colorado State University. In a paper presented at the 2024 Network and Distributed System Security Symposium, associate professor Jeremy Daily and systems engineering graduate students Jake Jepson and Rik Chatterjee demonstrated how ELDs can be accessed over Bluetooth or Wi-Fi connections to take control of a truck, manipulate data, and spread malware between vehicles. "These findings highlight an urgent need to improve the security posture in ELD systems," the trio wrote [PDF]. The authors did not specify brands or models of ELDs that are vulnerable to the security flaws they highlight in the paper. But they do note there's not too much diversity of products on the market. While there are some 880 devices registered, "only a few tens of distinct ELD models" have hit the road in commercial trucks. A federal mandate requires most heavy-duty trucks to be equipped with ELDs, which track driving hours. These systems also log data on engine operation, vehicle movement and distances driven -- but they aren't required to have tested safety controls built in. And according to the researchers, they can be wirelessly manipulated by another car on the road to, for example, force a truck to pull over. The academics pointed out three vulnerabilities in ELDs. They used bench level testing systems for the demo, as well as additional testing on a moving 2014 Kenworth T270 Class 6 research truck equipped with a vulnerable ELD. [...] For one of the attacks, the boffins showed how anyone within wireless range could use the device's Wi-Fi and Bluetooth radios to send an arbitrary CAN message that could disrupt some of the vehicle's systems. 
A second attack scenario, which also required the attacker to be within wireless range, involved connecting to the device and uploading malicious firmware to manipulate data and vehicle operations. Finally, in what the authors described as the "most concerning" scenario, they uploaded a truck-to-truck worm. The worm uses the compromised device's Wi-Fi capabilities to search for other vulnerable ELDs nearby. After finding the right ELDs, the worm uses default credentials to establish a connection, drops its malicious code on the next ELD, overwrites existing firmware, and then starts the process over again, scanning for additional devices. "Such an attack could lead to widespread disruptions in commercial fleets, with severe safety and operational implications," the researchers warned.


    1:00p
    Trump's Truth Social Is Going Public
    An anonymous reader quotes a report from Wired: Former president Donald Trump's Truth Social, a shameless Twitter clone, is set to become a publicly traded company as soon as next week. Shareholders of Digital World Acquisition Corp. voted on Friday to merge with Trump Media and Technology Group, the company behind Truth Social. The vote is a culmination of a years-long saga attempting to merge Trump Media with a publicly traded company in what's known as a SPAC deal. The company will trade under the ticker DJT once it goes public. [...] Truth Social looks nearly identical to Twitter, with some key distinctions. Instead of "tweeting," users post a "truth." A "retweet" is called a "retruth." Unlike many right-wing Twitter clones, the site functions well, has remained mostly online, and actually appears to have a somewhat active user base. But since launching in February 2022, after Trump was kicked off of mainstream platforms for inciting violence during the January 6 riot at the Capitol, the company has been mired in controversy.


    2:34p
    Microsoft Confirms Windows Server Security Update Caused Memory Leak, 'Unscheduled' Reboots
    "Microsoft confirmed that a memory leak introduced with the March 2024 Windows Server security updates is behind a widespread issue causing Windows domain controllers to crash," BleepingComputer reported Thursday. Friday Microsoft wrote that the issue "was resolved in the out-of-band update KB5037422," only available via the Microsoft Update Catalog. (The update "is not available from Windows Update and will not install automatically.") BleepingComputer reported the leak only affected "enterprise systems using the impacted Windows Server platform," and home users were not affected. But Microsoft confirmed it impacted all domain controller servers with the latest Windows Server 2012 R2, 2016, 2019, and 2022 updates: As BleepingComputer first reported on Wednesday and as many admins have warned over the last week, affected servers are freezing and restarting unexpectedly due to a Local Security Authority Subsystem Service (LSASS) process memory leak introduced with this month's cumulative updates. "Since installation of the March updates (Exchange as well as regular Windows Server updates) most of our DCs show constantly increasing lsass memory usage (until they die)," one admin said. "Our symptoms were ballooning memory usage on the lsass.exe process after installing KB5035855 (Server 2016) and KB5035857 (Server 2022) to the point that all physical and virtual memory was consumed and the machine hung," another Windows admin told BleepingComputer. The leak "is observed when on-premises and cloud-based Active Directory Domain Controllers service Kerberos authentication requests," Microsoft wrote. "Extreme memory leaks may cause LSASS to crash, which triggers an unscheduled reboot of underlying domain controllers..." "We strongly recommend you do not apply the March 2024 security update on DCs and install KB5037422 instead..."


    3:34p
    Apple Criticized For Changing the macOS version of cURL
    "On December 28 2023, bugreport 12604 was filed in the curl issue tracker," writes cURL lead developer Daniel Stenberg: The title stated the problem in this case quite clearly: flag -cacert behavior isn't consistent between macOS and Linux, and it was filed by Yuedong Wu. The friendly reporter showed how the curl version bundled with macOS behaves differently than curl binaries built entirely from open source. Even when running the same curl version on the same macOS machine. The curl command line option --cacert provides a way for the user to say to curl that this is the exact set of CA certificates to trust when doing the following transfer. If the TLS server cannot provide a certificate that can be verified with that set of certificates, it should fail and return an error. This particular behavior and functionality in curl has been established for many years (this option was added to curl in December 2000) and of course is provided to allow users to know that it communicates with a known and trusted server. A pretty fundamental part of what TLS does really. When this command line option is used with curl on macOS, the version shipped by Apple, it seems to fall back and check the system CA store in case the provided set of CA certs fail the verification. A secondary check that was not asked for, is not documented and plain frankly comes completely by surprise. Therefore, when a user runs the check with a trimmed and dedicated CA cert file, it will not fail if the system CA store contains a cert that can verify the server! This is a security problem because now suddenly certificate checks pass that should not pass. "We don't consider this something that needs to be addressed in our platforms," Apple Product Security responded. Stenberg's blog post responds, "I disagree." 
Long-time Slashdot reader lee1 shares their reaction: I started to sour on MacOS about 20 years ago when I discovered that they had, without notice, substituted their own, nonstandard version of the Readline library for the one that the rest of the Unix-like world was using. This broke gnuplot and a lot of other free software... Apple is still breaking things, this time with serious security and privacy implications.


    4:34p
    Pregnancy May Increase Biological Age 2 Years - But Some End Up 'Younger'
    Slashdot reader sciencehabit shared this report from Science magazine: Nurturing a growing fetus requires a series of profound physical, hormonal, and chemical changes that may rewire every major organ in the body and can cause serious health complications such as hypertension and preeclampsia. But does being pregnant actually take years off your life...? Today in Cell Metabolism, scientists report that the stress of pregnancy can cause a person's biological age to increase by up to 2 years — a trend that may reverse itself in the months that follow. In some cases, the authors write, those who breastfeed their children after giving birth may end up biologically "younger" than during early pregnancy. The finding represents yet another piece of "compelling" evidence that events during and after pregnancy can have far-reaching health consequences, says Elizabeth Bertone-Johnson, an epidemiologist at the University of Massachusetts Amherst who wasn't involved in the new study... The discovery that biological aging isn't necessarily a linear process "came as a real surprise," says Kieran O'Donnell, a perinatal researcher at the Yale School of Medicine... But blood samples from 68 participants, collected 3 months after giving birth, revealed a dramatic about-face. Although being pregnant had initially aged their cells between 1 and 2 years, says O'Donnell, their biological age now appeared to be 3 to 8 years younger than it had been during early pregnancy — with different epigenetic clock algorithms providing slightly bigger or smaller estimates.


    5:34p
    Netflix's '3 Body Problem' Draws Mixed Reviews, Sparks Anger in China
    "My favorite kind of science fiction involves stories rooted in real science..." writes NPR's reviewer. "[T]here is something special about seeing characters wrestle with concepts closer to our current understanding of how the universe works." The Verge calls it an "impressive" and "leaner" story than the book, arguing "it's a good one — and very occasionally a great one" that introduces the author's key ideas, though channelling "the book's spirit but not its brilliance." And Slate calls it a "downright transformative" adaptation, "jettisoning most of the novel's characters and plucking scenes from all three books," while accusing it of "making the trilogy's expansive and philosophical story into something much more pedestrian and digestible." But Reuters notes there's huge interest in China over this adaptation (by the co-creator of Game of Thrones) for the first Asian novel to win the Hugo Award for best science fiction novel. "The new series was trending on Chinese social media platform Weibo on Friday," reports Reuters, "with 21 million views so far." (The show came in first on Weibo's "top hot" trend rankings, they add, "despite Netflix being officially inaccessible in China. Chinese viewers would have had to watch the Netflix series from behind a VPN or on a pirate site.") So what was their verdict? CNN reports Netflix's adaptation "has split opinions in China and sparked online nationalist anger over scenes depicting a violent and tumultuous period in the country's modern history." Among the country's more patriotic internet users, discussions on the adaptation turned political, with some accusing the big-budget American production of making China look bad. The show opens with a harrowing scene depicting Mao Zedong's Cultural Revolution, which consumed China in bloodshed and chaos for a decade from 1966... "Netflix you don't understand 'The Three Body Problem' or Ye Wenjie at all!" read a comment on social media platform Weibo. 
"You only understand political correctness!" Others came to the show's defense, saying the scene closely follows depictions in the book — and is a truthful reenactment of history. "History is far more absurd than a TV series, but you guys pretend not to see it," read one comment on Douban, a popular site for reviewing movies, books and music. Author Liu said in an interview with the New York Times in 2019 that he had originally wanted to open the book with scenes from Mao's Cultural Revolution, but his Chinese publisher worried they would never make it past government censors and buried them in the middle of the narrative. The English version of the book, translated by Ken Liu, put the scenes at the novel's beginning, with the author's blessing... Various other aspects of the show, from its casting and visual effects to the radical changes to the story's original setting and characters, also attracted the ire of Chinese social media users. Many compared it to a Chinese television adaptation released last year — a much lengthier and closer retelling of the book that ran to 30 episodes and was highly rated on Chinese review platforms. The Netflix adaptation featured an international cast and placed much of the action in present-day London — thus making the story a lot less Chinese.


    6:34p
    Could a Guilty Plea Free Julian Assange From Jail?
    America's Justice Department "is considering whether to allow Julian Assange to plead guilty to a reduced charge of mishandling classified information," reports the Wall Street Journal, citing "people familiar with the matter." Though Assange faces trial for publishing thousands of confidential U.S. documents in 2010, this development opens up "the possibility of a deal that could eventually result in his release from a British jail," reports the Journal. Where things stand currently: A U.K. court is currently considering whether to allow a last-ditch appeal by the 52-year-old. After U.S. prosecutors charged him in 2019, U.K. law-enforcement officials apprehended him, and he has been in a London prison ever since... Britain's High Court is expected to decide within weeks whether to grant Assange a further right to appeal his extradition to the U.S. If the court rules against him, the U.S. government will likely have 28 days to come and collect Assange and bring him to face trial. But... Justice Department officials and Assange's lawyers have had preliminary discussions in recent months about what a plea deal could look like to end the lengthy legal drama, according to people familiar with the matter, a potential softening in a standoff filled with political and legal complexities. The talks come as Assange has spent some five years behind bars. U.S. prosecutors face diminishing odds that he would serve much more time even if he were convicted stateside. The discussions remain in flux, and talks could fizzle. Any deal would require approval at the highest levels of the Justice Department. Barry Pollack, a lawyer for Assange, said he has been given no indication that the department will take a deal. A Justice Department spokesman declined to comment. If prosecutors allow Assange to plead to a U.S. charge of mishandling classified documents — something his lawyers have floated as a possibility — it would be a misdemeanor offense. 
Under such a deal, Assange potentially could enter that plea remotely, without setting foot in the U.S. The time he has spent behind bars in London would count toward any U.S. sentence, and he would likely be free to leave prison shortly after any deal was concluded. U.S. authorities "gave a package of assurances, including a pledge he could be transferred to his native Australia to serve any sentence," according to the article. The Australian government, which has largely been supportive of Assange, could shorten any sentence once he landed on Australian soil, said Nick Vamos, a partner at London law firm Peters & Peters and a former head of extradition for England and Wales's Crown Prosecution Service. "I honestly think as soon as he arrived in Australia he would be released," he said.


    7:33p
    New 'Loop DoS' Attack May Impact Up to 300,000 Online Systems
    BleepingComputer reports on "a new denial-of-service attack dubbed 'Loop DoS' targeting application layer protocols." According to their article, the attack "can pair network services into an indefinite communication loop that creates large volumes of traffic." Devised by researchers at the CISPA Helmholtz-Center for Information Security, the attack uses the User Datagram Protocol (UDP) and impacts an estimated 300,000 hosts and their networks. The attack is possible due to a vulnerability, currently tracked as CVE-2024-2169, in the implementation of the UDP protocol, which is susceptible to IP spoofing and does not provide sufficient packet verification. An attacker exploiting the vulnerability creates a self-perpetuating mechanism that generates excessive traffic without limits and without a way to stop it, leading to a denial-of-service (DoS) condition on the target system or even an entire network. Loop DoS relies on IP spoofing and can be triggered from a single host that sends one message to start the communication. According to the Carnegie Mellon CERT Coordination Center (CERT/CC) there are three potential outcomes when an attacker leverages the vulnerability:
— Overloading of a vulnerable service and causing it to become unstable or unusable.
— DoS attack on the network backbone, causing network outages to other services.
— Amplification attacks that involve network loops causing amplified DOS or DDOS attacks.
CISPA researchers Yepeng Pan and Professor Dr. Christian Rossow say the potential impact is notable, spanning both outdated (QOTD, Chargen, Echo) and modern protocols (DNS, NTP, TFTP) that are crucial for basic internet-based functions like time synchronization, domain name resolution, and file transfer without authentication... The researchers warned that the attack is easy to exploit, noting that there is no evidence indicating active exploitation at this time. 
Rossow and Pan shared their findings with affected vendors and notified CERT/CC for coordinated disclosure. So far, vendors who confirmed their implementations are affected by CVE-2024-2169 are Broadcom, Cisco, Honeywell, Microsoft, and MikroTik. To avoid the risk of denial of service via Loop DoS, CERT/CC recommends installing the latest patches from vendors that address the vulnerability and replacing products that no longer receive security updates. Using firewall rules and access-control lists for UDP applications, turning off unnecessary UDP services, and implementing TCP or request validation are also measures that can mitigate the risk of an attack. Furthermore, the organization recommends deploying anti-spoofing solutions like BCP38 and Unicast Reverse Path Forwarding (uRPF), and using Quality-of-Service (QoS) measures to limit network traffic and protect against abuse from network loops and DoS amplifications. Thanks to long-time Slashdot reader schneidafunk for sharing the article.
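To make the looping mechanism and the "request validation" mitigation concrete, here is an added in-memory model (example code, not the CISPA researchers' or CERT/CC's): two toy application-layer services pass datagrams back and forth, a service that answers unrecognised input with an error message keeps the loop alive, and one that silently drops anything that is not a well-formed request ends it. It goes a little beyond the article in showing that hardening either endpoint breaks the loop and that even a valid request can seed one. The "TIME?" protocol, the addresses and the messages are constructed.

```python
"""Added example (not the researchers' code): a pure in-memory model of a
Loop DoS between two UDP-style services. No sockets, no spoofing; the
'network' is a loop that swaps src and dst on each reply."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_ROUNDS = 1000   # simulation cap; a real loop has no such limit


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    payload: str


Handler = Callable[[str], Optional[str]]


def vulnerable_handler(request: str) -> Optional[str]:
    """Toy request/response service with the looping defect: anything it does
    not recognise, including another host's error text, gets an error reply."""
    if request == "TIME?":
        return "TIME 12:00"
    return "ERROR: unknown request"


def hardened_handler(request: str) -> Optional[str]:
    """Same service after request validation: only a syntactically valid
    request is answered; errors and unknown input are dropped, not echoed."""
    if request == "TIME?":
        return "TIME 12:00"
    return None


def simulate(handlers: Dict[str, Handler], first: Datagram) -> int:
    """Deliver `first` (a datagram whose src field names the second victim) and
    let the two services talk. Returns the number of datagrams sent before the
    exchange went quiet; MAX_ROUNDS means it never did."""
    inflight = first
    sent = 1
    while sent < MAX_ROUNDS:
        reply = handlers[inflight.dst](inflight.payload)
        if reply is None:
            break                      # validation dropped it: loop ends
        # The reply goes to whoever the previous datagram claimed to be from.
        inflight = Datagram(src=inflight.dst, dst=inflight.src, payload=reply)
        sent += 1
    return sent


def run_scenarios() -> Dict[str, int]:
    """Constructed hosts and seed datagrams for the cases worth comparing."""
    a, b = "192.0.2.10", "192.0.2.20"          # documentation-range addresses
    seed_error = Datagram(src=b, dst=a, payload="ERROR: unknown request")
    seed_valid = Datagram(src=b, dst=a, payload="TIME?")
    both_vulnerable = {a: vulnerable_handler, b: vulnerable_handler}
    a_hardened = {a: hardened_handler, b: vulnerable_handler}
    b_hardened = {a: vulnerable_handler, b: hardened_handler}
    both_hardened = {a: hardened_handler, b: hardened_handler}
    return {
        # one forged error keeps two vulnerable hosts talking forever
        "both_vulnerable_error_seed": simulate(both_vulnerable, seed_error),
        # a valid-looking request loops too: the answer is not a valid request
        "both_vulnerable_valid_seed": simulate(both_vulnerable, seed_valid),
        # the hardened receiver drops the seed outright
        "receiver_hardened": simulate(a_hardened, seed_error),
        # the vulnerable receiver answers once, the hardened peer drops it
        "peer_hardened": simulate(b_hardened, seed_error),
        # valid request, real answer, no loop
        "both_hardened_valid_seed": simulate(both_hardened, seed_valid),
    }


if __name__ == "__main__":
    for name, count in run_scenarios().items():
        print(f"{name}: {count} datagrams")
```

Anti-spoofing (BCP38/uRPF) attacks the seed datagram instead: if the forged source address never reaches the first service, no loop is started at all.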

    8:34p
    A Problem for Sun-Blocking Cloud Geoengineering? Clouds Dissipate
    Slashdot reader christoban writes: In what may be an issue for Sun-obscuring strategies to combat global warming, it turns out that during solar eclipses, low level cumulus clouds rapidly disappear, reducing by a factor of 4, researchers have found. The news comes from the science magazine Eos (published by the nonprofit organization of atmosphere/ocean/space scientists, the American Geophysical Union). Victor J. H. Trees, a geoscientist at Delft University of Technology in the Netherlands, and his colleagues recently analyzed cloud cover data obtained during an annular eclipse in 2005, visible in parts of Europe and Africa. They mined visible and infrared imagery collected by two geostationary satellites operated by the European Organisation for the Exploitation of Meteorological Satellites. Going to space was key, Trees said. "If you really want to quantify how clouds behave and how they react to a solar eclipse, it helps to study a large area. That's why we want to look from space...." [T]hey tracked cloud evolution for several hours leading up to the eclipse, during the eclipse, and for several hours afterward. Low-level cumulus clouds — which tend to top out at altitudes around 2 kilometers (1.2 miles) — were strongly affected by the degree of solar obscuration. Cloud cover started to decrease when about 15% of the Sun's face was covered, about 30 minutes after the start of the eclipse. The clouds started to return only about 50 minutes after maximum obscuration. And whereas typical cloud cover hovered around 40% in noneclipse conditions, less than 10% of the sky was covered with clouds during maximum obscuration, the team noted. "On a large scale, the cumulus clouds started to disappear," Trees said... The temperature of the ground matters when it comes to cumulus clouds, Trees said, because they are low enough to be significantly affected by whatever is happening on Earth's surface... 
Beyond shedding light on the physics of cloud dissipation during solar eclipses, these new findings also have implications for future geoengineering efforts, Trees and his collaborators suggested. Discussions are underway to mitigate the effects of climate change by, for instance, seeding the atmosphere with aerosols or launching solar reflectors into space to prevent some of the Sun's light from reaching Earth. Such geoengineering holds promise for cooling our planet, researchers agree, but its repercussions are largely unexplored and could be widespread and irreversible. These new results suggest that cloud cover could decrease with geoengineering efforts involving solar obscuration. And because clouds reflect sunlight, the efficacy of any effort might correspondingly decrease, Trees said. That's an effect that needs to be taken into account when considering different options, the researchers concluded. Another article on the site warns that "Planting Trees May Not Be as Good for the Climate as Previously Believed." "The climate benefits of trees storing carbon dioxide is partially offset by dark forests' absorption of more heat from the Sun, and compounds they release that slow the destruction of methane in the atmosphere."

    9:34p
    'Tetris Reversed'? Alexey Pajitnov Shows Footage From Rediscovered Prototype for 'Tetris' Sequel
    Tetris creator Alexey Pajitnov and others spoke at the Game Developers Conference about Tetris Reversed, reports VentureBeat — and told the story of "a lost prototype of a Tetris game that was never published." But little did Pajitnov know that an engineer in charge of the game, Vedran Klanac, had kept a copy of it. Through the help of intermediaries, he showed it to Pajitnov and the two shared their memories of what happened to the lost game... Pajitnov has lived in the U.S. since 1991, where he has been involved in the development of games such as Pandora's Box and worked with companies such as Microsoft and WildSnake Software... Klanac is the CEO of Ocean Media, and he is originally from Zagreb, Croatia. He was an aerospace engineer who started his career in the games industry with Croteam where he built the physics engine for Serious Sam 2. Since 2006, he has been running Ocean Media, a game publishing company with a focus on consoles. During the last 20 years, he was involved in production as a programmer and executive producer in more than 200 projects. And it turns out he was the programmer who created the Tetris Reversed code based on instructions from Pajitnov, who had passed them on through a middleman. In 2011, programmer Vedran Klanac went to the NLGD Festival of Games in Utrecht, The Netherlands. He listened to a talk on a charitable effort from Martin de Ronde, a cofounder of game studio Guerrilla Games. Klanac said in an interview with GamesBeat that he listened to De Ronde's talk and offered to help. De Ronde came back months later saying he had an agreement with Pajitnov about creating a new prototype for a Tetris game. De Ronde asked Klanac if he wanted to make Tetris Reversed by Pajitnov. "Are you kidding me?" Klanac reacted. The idea is still to survive as long as you can, according to the article — but the entire playfield was accessible. 
"For the first time in public, they showed the video of the prototype in action," according to the article, which also records Pajitnov's reaction. "When you see the gameplay video, and when you look at the design elements. This is Tetris for like 300 IQ people." No word yet on whether the game will ever be officially published.

    10:34p
    Air Industry Trends Safer, But 'Flukish' Second Crash Led Boeing to Mishandled Media Storm, WSJ Argues
    There's actually "a global trend toward increased air safety," notes a Wall Street Journal columnist. And even in the case of the two fatal Boeing crashes five years ago, he stresses that they "were two different crashes," with the second happening only "after Boeing and the FAA issued emergency directives instructing pilots how to compensate for Boeing's poorly designed flight control software." "The story should have ended after the first crash except the second set of pilots behaved in unexpected, unpredictable ways, flying a flyable Ethiopian Airlines jet into the ground." Boeing is guilty of designing a fallible system and placing an undue burden on pilots. The evidence strongly suggests, however, that the Ethiopian crew was never required to master the simple remedy despite the global furor occasioned by the first crash. To boot, they committed an additional error by overspeeding the aircraft in defiance of aural, visual and stick-shaker warnings against doing so. It got almost no coverage, but on the same day the Ethiopian government issued its final findings on the accident in late 2022, the U.S. National Transportation Safety Board, in what it called an "unusual step," issued its own "comment" rebuking the Ethiopian report for "inaccurate" statements, for ignoring the crew's role, for ignoring how readily the accident should have been avoided. So the Wall Street Journal columnist challenges whether profit incentives played any role in Boeing's troubles: In reality, the global industry was reorganized largely along competitive profit-and-loss lines after the 1970s, and yet this coincided with enormous increases in safety, notwithstanding the sausage factory elements occasionally on display (witness the little-reported parking of hundreds of Airbus planes over a faulty new engine). The point here isn't blame but to note that 100,000 repetitions likely wouldn't reproduce the flukish second MAX crash and everything that followed from it. 
Rather than surfacing Boeing's deeply hidden problems, it seems the second crash gave birth to them. The subsequent 20-month grounding and production shutdown, combined with Covid, cost Boeing thousands of skilled workers. The pressure of its duopoly competition with Airbus plus customers clamoring for their backordered planes made management unwisely desperate to restart production. January's nonfatal door-plug blowout of an Alaska Airlines 737 appears to have been a one-off when Boeing workers failed to reinstall the plug properly after removing it to fix faulty fuselage rivets. Not a one-off, apparently, are faulty rivets as Boeing has strained to hire new staff and resume production of half-finished planes. Boeing will sort out its troubles eventually by applying the oldest of manufacturing insights: Training, repetition, standardization and careful documentation are the way to error-free complex manufacturing. As he sees it, "The second MAX crash caught Boeing up in a disorienting global media and political storm that it didn't know how to handle and, indeed, has handled fairly badly."
