Slashdot
Link https://slashdot.org/
Feed https://rss.slashdot.org/Slashdot/slashdotMain
Copyright 1997-2016, SlashdotMedia. All Rights Reserved.
Updated 2024-05-05 23:05
Maximum-Severity GitLab Flaw Allowing Account Hijacking Under Active Exploitation
Dan Goodin reports via Ars Technica: A maximum severity vulnerability that allows hackers to hijack GitLab accounts with no user interaction required is now under active exploitation, federal government officials warned as data showed that thousands of users had yet to install a patch released in January. A change GitLab implemented in May 2023 made it possible for users to initiate password changes through links sent to secondary email addresses. The move was designed to permit resets when users didn't have access to the email address used to establish the account. In January, GitLab disclosed that the feature allowed attackers to send reset emails to accounts they controlled and from there click on the embedded link and take over the account. While exploits required no user interaction, hijackings worked only against accounts that weren't configured to use multi-factor authentication. Even with MFA, accounts remained vulnerable to password resets. The vulnerability, tracked as CVE-2023-7028, carries a severity rating of 10 out of a possible 10. The vulnerability, classified as an improper access control flaw, could pose a grave threat. GitLab software typically has access to multiple development environments belonging to users. With the ability to access them and surreptitiously introduce changes, attackers could sabotage projects or plant backdoors that could infect anyone using software built in the compromised environment. An example of a similar supply chain attack is the one that hit SolarWinds in 2021, infecting more than 18,000 of its customers. Other recent examples of supply chain attacks are here, here, and here. These sorts of attacks are powerful. By hacking a single, carefully selected target, attackers gain the means to infect thousands of downstream users, often without requiring them to take any action at all. 
According to Internet scans performed by security organization Shadowserver, more than 2,100 IP addresses showed they were hosting one or more vulnerable GitLab instances. In order to protect your system, you should enable MFA and install the latest patch. "GitLab users should also remember that patching does nothing to secure systems that have already been breached through exploits," notes Goodin.
Read more of this story at Slashdot.
Microsoft Bans US Police Departments From Using Enterprise AI Tool
An anonymous reader quotes a report from TechCrunch: Microsoft has changed its policy to ban U.S. police departments from using generative AI through the Azure OpenAI Service, the company's fully managed, enterprise-focused wrapper around OpenAI technologies. Language added Wednesday to the terms of service for Azure OpenAI Service prohibits integrations with Azure OpenAI Service from being used "by or for" police departments in the U.S., including integrations with OpenAI's text- and speech-analyzing models. A separate new bullet point covers "any law enforcement globally," and explicitly bars the use of "real-time facial recognition technology" on mobile cameras, like body cameras and dashcams, to attempt to identify a person in "uncontrolled, in-the-wild" environments. [...] The new terms leave wiggle room for Microsoft. The complete ban on Azure OpenAI Service usage pertains only to U.S., not international, police. And it doesn't cover facial recognition performed with stationary cameras in controlled environments, like a back office (although the terms prohibit any use of facial recognition by U.S. police). That tracks with Microsoft's and close partner OpenAI's recent approach to AI-related law enforcement and defense contracts. Last week, taser company Axon announced a new tool that uses AI built on OpenAI's GPT-4 Turbo model to transcribe audio from body cameras and automatically turn it into a police report. It's unclear if Microsoft's updated policy is in response to Axon's product launch.
The Original Smart Thermostat, Unveiled 16 Years Ago, is About To Get Dumb
Ecobee, the company that pioneered smart thermostats with its Ecobee Smart in 2008, has announced it will end online support for the device and its commercial counterpart, the Ecobee Energy Management System, on July 31, 2024. The move will disable internet-dependent features such as web portal control, smart integrations, and weather-related functionality, while basic HVAC control and scheduling will remain operational.
The Last Thing the iPad Needs Is a Spec Bump
An anonymous reader shares a column: When Apple CEO Tim Cook and a bunch of his deputies take the virtual stage next week to announce new iPads, they're going to spend a lot of time talking about specs. If the rumors are true, we're going to get new iPad Pros with OLED screens and thinner bodies, new Airs with faster chips and a correctly placed front camera, and a couple of new accessories. Before they even launch, I feel confident telling you these are the best iPads ever. But after all these years, I still don't know how to tell you whether you should want an iPad. Or what you'd want to do with it. This has been true forever, of course. The iPad is the jack-of-all-trades in Apple's lineup, a terrific device in many ways that still feels increasingly redundant now that so many people have big phones and long-lasting laptops. Apple seems to have spent the last decade-plus enamored with the idea of the iPad as a shapeshifter -- a device that can be exactly what you need at any given time. The company loves that the iPad's use case is hard to pin down, that it means different things to different people. It's a fun, good, ambitious idea: The One Gadget To Rule Them All. The way to make that happen, though, is not to upgrade the chips or move the buttons or redesign the rounded corners. It's to focus less on the iPad itself and more on the things you attach to it. [...] The iPad is a screen and a processor, and everything else should be an add-on for whenever you need it. Give the gamers a controller and an external GPU. Give the music lovers a speaker dock, and give the smart home fanatics a bunch of buttons that connect to various devices. The photographers need lenses; the spreadsheeters need a keyboard with function keys. The Pencil and the Magic Keyboard are a start, but Apple needs to do much more. 
The company needs to spend less time worrying about the iPad itself -- a device famous for how long it lasts and that hardly anyone is using to its full potential -- and more time on how to make it more than just a tablet. (Plus, bonus for Apple: it's going to be a lot easier to get people to buy accessories than to convince them to upgrade their iPad when they don't need to.)
Warrantless FBI Searches of American Communications Drop 50 Percent
The FBI cut its warrantless searches of American data in half in 2023, according to a government report released on Tuesday. From a report: According to the Office of the Director of National Intelligence's annual transparency report, the FBI conducted 57,094 searches of "US person" data under Section 702 of the Foreign Intelligence Surveillance Act last year -- a 52 percent decrease from 2022. In a press briefing, a senior FBI official said that the drop was due to reforms the agency implemented in 2021 and 2022, The Record reports. Despite the drop in overall searches of Americans' data, the report also notes that the number of foreign targets whose data could be searched in the Section 702 database rose to 268,590, a 9 percent increase from the previous year. The number of "probable cause" targets also increased significantly, from 417 in 2022 to 759 in 2023. Of those, 57 percent are estimated to be "US persons," which includes US citizens and permanent residents.
Google Defends 'Better' Search Product as Antitrust Trial Concludes
Google is making its last attempt to fight back against a historic effort by the US Department of Justice to break the tech giant's grip on online search, as the most significant antitrust trial in 25 years comes to a close in Washington. From a report: A federal court in Washington began hearing closing arguments on Thursday after a 10-week trial in which the DoJ accused Alphabet, the parent company of Google, of suppressing search rivals by paying tens of billions annually for anti-competitive agreements with wireless carriers, browser developers and device manufacturers. During the hearing on Thursday, John Schmidtlein, a lawyer from Williams & Connolly representing Google, sought to push back on claims that it had hindered rivals' efforts to gain a foothold in online search, and argued that users had plenty of alternatives. Unsealed court documents revealed this week that Alphabet paid Apple $20bn in 2022 alone to be the default search engine for its iPhone and Safari browser on its other devices. "Google winning agreements because it has a better product is not a harm to the competitive process, even if it gives it scale to improve its product," Schmidtlein told the court. A lawyer for the government, Kenneth Dintzer, told the court that Google's "anti-competitive conduct harms competition and is self perpetuating." Defaults "are a powerful way to drive searches, otherwise Google wouldn't pay billions of dollars for them," he added. Amit Mehta, the judge hearing the case, noted that search "today looks a lot different than it did 10 to 15 years ago." He pushed back on the DoJ's contention that the quality of search had suffered due to the lack of competition, although he also noted that only two "substantial competitors" had entered the search market in the past decade. "Doesn't that tell us all we need to know in terms of barriers of entry," he asked.
Apple Adds More Carve-outs To Its EU Core Tech Fee After Criticism From Devs
Apple is tweaking how it applies a new fee that can apply to iOS developers in the European Union as it continues to configure its approach to the bloc's Digital Markets Act (DMA): Developers of free apps will be able to avoid the fee entirely under changes it announced Thursday, which apply from today, while other developers earning under a certain revenue threshold will get longer before they have to pay Apple the fee. From a report: The so-called "core technology fee" remains opt in for iOS developers in the region, as Apple continues to offer its standard business terms, but those wanting to take up new entitlements the DMA has required Apple to offer -- such as allowing sideloading of apps, third party app stores, and support for alternative payment tech than Apple's own -- must agree to the set of business terms that include the CTF (as Apple calls it). The fee remains under scrutiny in the region where the Commission, which enforces the DMA on Apple and other gatekeepers -- and opened its first investigations including on Apple in March -- is actively exploring whether the mechanism is enabling the iPhone maker to avoid its obligations to open up the App Store to competition, such as from third party app stores. But so far the EU hasn't prevented Apple from charging a fee.
Microsoft Launches Passkey Support For All Consumer Accounts
Microsoft is fully rolling out passkey support for all consumer accounts today. From a report: After enabling them in Windows 11 last year, Microsoft account owners can also now generate passkeys across Windows, Android, and iOS. This makes it effortless to sign in to a Microsoft account without having to type a password in every time.
Google's Payments To Apple Reached $20 Billion in 2022, Antitrust Court Documents Show
Alphabet paid Apple $20 billion in 2022 for Google to be the default search engine in the Safari browser, according to newly unsealed court documents in the Justice Department's antitrust lawsuit against Google. From a report: The deal between the two tech giants is at the heart of the landmark case, in which antitrust enforcers allege Google has illegally monopolized the market for online search and related advertising. The Justice Department and Google will offer closing arguments in the case Thursday and Friday, with a decision expected later this year. Google and Apple had hoped to shield the payment amount from public disclosure. At the trial last fall, Apple executives testified that Google paid "billions," without specifying a number. A Google witness later accidentally disclosed that Google pays 36% of the revenue it earns from search ads to Apple. Court documents filed late Tuesday ahead of the closing arguments mark the first public confirmation of the figures by Apple's senior vice president of services, Eddy Cue. Such numbers aren't disclosed by either company in their securities filings. The documents also revealed the importance of the payments to Apple's bottom line. For instance, in 2020, Google's payments to Apple constituted 17.5% of the iPhone maker's operating income.
Huawei Secretly Backs US Research, Awarding Millions in Prizes
Huawei, the Chinese telecommunications giant blacklisted by the US, is secretly funding cutting-edge research at American universities including Harvard through an independent Washington-based foundation. From a report: Huawei is the sole funder of a research competition that has awarded millions of dollars since its inception in 2022 and attracted hundreds of proposals from scientists around the world, including those at top US universities that have banned their researchers from working with the company, according to documents and people familiar with the matter. The competition is administered by the Optica Foundation, an arm of the nonprofit professional society Optica, whose members' research on light underpins technologies such as communications, biomedical diagnostics and lasers. The foundation "shall not be required to designate Huawei as the funding source or program sponsor" of the competition and "the existence and content of this Agreement and the relationship between the Parties shall also be considered Confidential Information," says a nonpublic document reviewed by Bloomberg. The findings reveal one strategy Shenzhen, China-based Huawei is using to remain at the forefront of funding international research despite a web of US restrictions imposed over the past several years in response to concerns that its technology could be used by Beijing as a spy tool.
Whistleblower Josh Dean of Boeing Supplier Spirit AeroSystems Has Died
Joshua Dean, a former quality auditor at Boeing supplier Spirit AeroSystems and one of the first whistleblowers to allege Spirit leadership had ignored manufacturing defects on the 737 MAX, died Tuesday morning after a struggle with a sudden, fast-spreading infection. Seattle Times: Known as Josh, Dean lived in Wichita, Kan., where Spirit is based. He was 45, had been in good health and was noted for having a healthy lifestyle. He died after two weeks in critical condition, his aunt Carol Parsons said. Dean had given a deposition in a Spirit shareholder lawsuit and also filed a complaint with the Federal Aviation Administration alleging "serious and gross misconduct by senior quality management of the 737 production line" at Spirit. Spirit fired Dean in April 2023, and he had filed a complaint with the Department of Labor alleging his termination was in retaliation for raising concerns related to aviation safety. Parsons said Dean became ill and went to the hospital because he was having trouble breathing just over two weeks ago. He was intubated and developed pneumonia and then a serious bacterial infection, MRSA. His condition deteriorated rapidly, and he was airlifted from Wichita to a hospital in Oklahoma City, Parsons said. There he was put on an ECMO machine, which circulates and oxygenates a patient's blood outside the body, taking over heart and lung function when a patient's organs don't work on their own.
Microsoft To Invest $2.2 Billion In Cloud and AI Services In Malaysia
An anonymous reader quotes a report from Reuters: Microsoft said on Thursday it will invest $2.2 billion over the next four years in Malaysia to expand cloud and artificial intelligence (AI) services in the company's latest push to promote its generative AI technology in Asia. The investment, the largest in Microsoft's 32-year history in Malaysia, will include building cloud and AI infrastructure, creating AI-skilling opportunities for 200,000 people, and supporting the country's developers, the company said. Microsoft will also work with the Malaysian government to establish a national AI Centre of Excellence and enhance the nation's cybersecurity capabilities, the company said in a statement. Prime Minister Anwar Ibrahim, who met Nadella on Thursday, said the investment supported Malaysia's efforts in developing its AI capabilities. Microsoft is trying to expand its support for the development of AI globally. Nadella this week announced a $1.7 billion investment in neighboring Indonesia and said Microsoft would open its first regional data centre in Thailand. "We want to make sure we have world class infrastructure right here in the country so that every organization and start-up can benefit," Microsoft Chief Executive Satya Nadella said during a visit to Kuala Lumpur.
Google Phone Starts Rolling Out 'Audio Emoji'
The Google Phone app is rolling out "Audio Emoji" to some users as part of an incoming update in the beta channel, version 128. As 9to5Google reports, they are "essentially stock sound effects attached to one of six different emoji." The list includes: clapping (applause), laughing, party, crying (trombone), poop, and sting (ba dum tss). From the report: When you, as the caller, select one of these "Audio Emoji," the Google Phone app will play a fun animation while a sound effect plays for a couple of seconds. The sound effect is heard on both ends of the phone call. There does seem to be a limit on how often you can use these sound effects, as there's a bit of a "cooldown" in between that prevents you from playing sounds back to back. That's probably for the best in the case of some of these.
A New Battery Warns Parents if Their Child Has Swallowed It
A new battery from Energizer comes with "color alert technology" to alert parents if their child has swallowed one. When the coin lithium battery comes into contact with saliva, it activates a blue dye "so parents and caregivers know that medical attention could be required," reports the New York Times. The battery also features more secure packaging and a nontoxic bitter coating. From the report: The new coin lithium battery features more secure packaging, a nontoxic bitter coating to discourage swallowing and "color alert technology" that activates a blue dye when the battery comes into contact with moisture, like saliva, so parents and caregivers know that medical attention could be required. The new battery was announced in a video last week by Energizer and Trista Hamsmith, whose 18-month-old daughter died after swallowing a button battery from a remote control. Ms. Hamsmith founded a nonprofit organization focused on children's safety, successfully advocated for legislation, known as Reese's Law, that requires a secure compartment of the batteries in products that use them as well as stronger warning labels on all packaging, and is now working to make the batteries themselves safer. Ingested coin or button batteries result in thousands of emergency hospital visits each year, according to the U.S. Consumer Product Safety Commission, which notes that "the consequences of a child swallowing a battery can be immediate, devastating and deadly." "A button cell battery can burn through a child's throat or esophagus in as little as two hours if swallowed," according to the agency. Secure packaging and bitter coatings for batteries have long existed, but "the massive breakthrough here is the color alert technology, which helps give caretakers that indicator that something has happened," Jeff Roth, the global category leader for batteries at Energizer, said in an interview on Wednesday. 
"The most significant part about this is getting help early in the process," he said. "That's really what the color alert technology allows the family to do."
AM Radio Law Opposed By Tech and Auto Industries Is Close To Passing
An anonymous reader quotes a report from Ars Technica: A controversial bill that would require all new cars to be fitted with AM radios looks set to become a law in the near future. Yesterday, Senator Edward Markey (D-Mass) revealed that the "AM Radio for Every Vehicle Act" now has the support of 60 US Senators, as well as 246 co-sponsors in the House of Representatives, making its passage an almost sure thing. Should that happen, the National Highway Traffic Safety Administration would be required to ensure that all new cars sold in the US had AM radios at no extra cost. "Democrats and Republicans are tuning in to the millions of listeners, thousands of broadcasters, and countless emergency management officials who depend on AM radio in their vehicles. AM radio is a lifeline for people in every corner of the United States to get news, sports, and local updates in times of emergencies. Our commonsense bill makes sure this fundamental, essential tool doesn't get lost on the dial. With a filibuster-proof supermajority in the Senate, Congress should quickly take it up and pass it," said Sen. Markey and his co-sponsor Sen. Ted Cruz (R-Texas). About 82 million people still listen to AM radio, according to the National Association of Broadcasters, which as you can imagine was rather pleased with the congressional support for its industry. "Broadcasters are grateful for the overwhelming bipartisan support for the AM Radio for Every Vehicle Act in both chambers of Congress," said NAB president and CEO Curtis LeGeyt. "This majority endorsement reaffirms lawmakers' recognition of the essential service AM radio provides to the American people, particularly in emergency situations. NAB thanks the 307 members of Congress who are reinforcing the importance of maintaining universal access to this crucial public communications medium." 
"Requiring the installation of analog AM radios in automobiles is an unnecessary action that would impact EV range, efficiency and affordability at a critical moment of accelerating adoption," said Albert Gore, executive director of ZETA, a clean vehicle advocacy group that opposes the AM radio requirement. "Mandating AM radio would do little to expand drivers' ability to receive emergency alerts. At a time when we are more connected than ever, we encourage Congress to allow manufacturers to innovate and produce designs that meet consumer preference, rather than pushing a specific communications technology," Gore said in a statement.
PFAS Increase Likelihood of Death By Cardiovascular Disease, Study Shows
New submitter berghem shares a report from The Guardian: For the first time, researchers have formally shown that exposure to toxic PFAS increases the likelihood of death by cardiovascular disease, adding a new level of concern to the controversial chemicals' wide use. The findings are especially significant because proving an association with death by chemical exposure is difficult, but researchers were able to establish it by reviewing death records from northern Italy's Veneto region, where many residents for decades drank water highly contaminated with PFAS, also called "forever chemicals." Records further showed an increased likelihood of death from several cancers, but stopped short of establishing a formal association because of other factors. [...] Veneto's drinking water was widely contaminated by a PFAS-production plant between 1985 and 2018. Researchers first found an excess of about 4,000 deaths during this period, or about one every three days. Part of the region was supplied with water from a different source, giving researchers the opportunity to compare records for tens of thousands of people who drank contaminated water and lived near those who did not. Though PFAS can affect the cardiovascular system in different ways, it is largely a problem because it produces stubbornly high and dangerous levels of cholesterol. The levels are difficult to control because they aren't caused by dietary or lifestyle choices that can be addressed with adjustments, but hormonal changes that affect the metabolism and the body's ability to control plaque in arteries. The study's authors suspect that post-traumatic stress disorder caused by the environmental disaster, which upended lives across the region, may also be contributing to circulatory disease. The evidence of a jump in kidney cancer was also "very clear," [said Annibale Biggeri, the peer-reviewed study's lead author, and a researcher with the University of Padua]. 
In the study's first five years, 16 cases were recorded, while 65 were recorded in the last five years. It also found elevated levels of testicular cancer during some time periods. The records "showed clearly" that earlier life exposures led to higher levels of mortality, except for women who have multiple children. Previous research has found levels were higher in women with only one child. The chemicals accumulate in placentas and are passed on to children during pregnancy, which reduces levels in the body. Mortality levels among women who were of child-bearing age were generally lower, but increased in older women. The chemicals will be passed down to children for generations, said Laura Facciolo, a Veneto resident who drank contaminated water. She said the findings underscore the need to ban PFAS, and the disaster's injustice. The findings have been published in the journal Environmental Health.
Google Lays Off Hundreds of 'Core' Employees, Moves Some Positions To India and Mexico
According to CNBC, Google is laying off at least 200 employees from its "Core" teams and moving some roles to India and Mexico. From the report: The Core unit is responsible for building the technical foundation behind the company's flagship products and for protecting users' online safety, according to Google's website. Core teams include key technical units from information technology, its Python developer team, technical infrastructure, security foundation, app platforms, core developers, and various engineering roles. At least 50 of the positions eliminated were in engineering at the company's offices in Sunnyvale, California, filings show. Many Core teams will hire corresponding roles in Mexico and India, according to internal documents viewed by CNBC. Asim Husain, vice president of Google Developer Ecosystem, announced news of the layoffs to his team in an email last week. He also spoke at a town hall and told employees that this was the biggest planned reduction for his team this year, an internal document shows. "We intend to maintain our current global footprint while also expanding in high-growth global workforce locations so that we can operate closer to our partners and developer communities," Husain wrote in the email. [...] "Announcements of this sort may leave many of you feeling uncertain or frustrated," Husain wrote in the email to developers. He added that his message to developers is that the changes "are in service of our broader goals" as a company. The teams involved in the reorganization have been key to the company's developer tools, an area Google is streamlining as it incorporates more artificial intelligence into the products.
Unity Appoints Ex-Zynga Exec Matthew Bromberg As CEO
Unity has appointed Matthew Bromberg, former CEO of Zynga, as its new CEO, president and board member. "Filling a role that has been temporarily filled by former Red Hat CEO Jim Whitehurst, Bromberg will formally join Unity as CEO on May 15," reports VentureBeat. "Whitehurst will serve as executive chair of the Unity board, and Roelof Botha will transition from chairman to lead independent board member." From the report: Bromberg fills a slot vacated by John Riccitiello, who resigned last fall after a pricing debacle that left game developers extremely angry at Unity. They calmed down after Unity walked back major parts of the price increase. It's an important time for Unity as it is about to ship Unity 6, the latest version of its game engine, in competition with Epic Games' Unreal Engine 5.4. Whitehurst will also return to Silver Lake, one of Unity's two largest shareholders, where he had previously been a senior advisor and will now join as a managing director leading both operating and investment team initiatives. Bromberg brings over 20 years of experience across the gaming industry, having previously served as Chief Operating Officer of leading mobile game developer and publisher Zynga, where he played a key role in the company's turnaround, and was responsible for Zynga's game studios globally, while also overseeing product development and design, technology, data, and analytics. Bromberg also held multiple leadership roles at Electronic Arts, where he helped scale the company's mobile division and led teams on four continents that built popular games across all major genres.
Congress Lets Broadband Funding Run Out, Ending $30 Low-Income Discounts
An anonymous reader quotes a report from Ars Technica: The Federal Communications Commission chair today made a final plea to Congress, asking for money to continue a broadband-affordability program that gave out its last round of $30 discounts to people with low incomes in April. The Affordable Connectivity Program (ACP) has lowered monthly Internet bills for people who qualify for benefits, but Congress allowed funding to run out. People may receive up to $14 in May if their ISP opted into offering a partial discount during the program's final month. After that there will be no financial help for the 23 million households enrolled in the program. "Additional funding from Congress is the only near-term solution for keeping the ACP going," FCC Chairwoman Jessica Rosenworcel wrote in a letter to members of Congress today. "If additional funding is not promptly appropriated, the one in six households nationwide that rely on this program will face rising bills and increasing disconnection. In fact, according to our survey of ACP beneficiaries, 77 percent of participating households report that losing this benefit would disrupt their service by making them change their plan or lead to them dropping Internet service entirely." The ACP started with $14.2 billion allocated by Congress in late 2021. The $30 monthly ACP benefit replaced the previous $50 monthly subsidy from the Emergency Broadband Benefit Program.
Anthropic Brings Claude AI To the iPhone and iPad
Anthropic has released its Claude AI chatbot on the App Store, bringing the company's ChatGPT competitor to the masses. Compared to OpenAI's chatbot, Claude is built with a focus on reducing harmful outputs and promoting safety, with a goal of making interactions more reliable and ethically aware. You can give it a try here. 9to5Mac reports: Anthropic highlights three launch features for Claude on iPhone:
Seamless syncing with web chats: Pick up where you left off across devices.
Vision capabilities: Use photos from your library, take new photos, or upload files so you can have real-time image analysis, contextual understanding, and mobile-centric use cases on the go.
Open access: Users across all plans, including Pro and Team, can download the app free of charge.
The app is also capable of analyzing things that you show it like objects, images, and your environment.
Roblox Players To Start Seeing Video Ads In Its Virtual Realms
Roblox announced it'll be rolling out virtual billboards with video advertisements that will be displayed in its virtual worlds. Reuters reports: Users will now see billboards featuring content from brands such as e.l.f beauty, Walmart and Warner Bros Discovery, just as they would in real life. That would give advertisers access to Roblox's nearly 72 million daily active users -- half of whom are Gen-Z customers, a population group prized by marketers and businesses. The company in November began testing the video ads -- that will be served to users who are 13 years and older -- as part of its efforts to reduce reliance on revenue generated from its in-game currency "Robux", which players can use to buy outfits, vehicles and other features inside the company's digital worlds. It charges a fee on all purchases done on its platform, which hosts millions of videogames that are built by its users -- who get a share of any related revenue. That practice will extend to the ads, with creators of the virtual worlds who opt to show the billboards getting a portion of the revenue Roblox makes from them. Roblox is hoping its large Gen-Z user base will give it an edge in the competitive ad market, where it would have to wrestle for marketing dollars with tech giants such as Google and Meta and smaller players such as Snap.
Dropbox Says Hackers Breached Digital-Signature Product
An anonymous reader quotes a report from Bloomberg: Dropbox said its digital-signature product, Dropbox Sign, was breached by hackers, who accessed user information including emails, user names and phone numbers. The software company said it became aware of the cyberattack on April 24, sought to limit the incident and reported it to law enforcement and regulatory authorities. "We discovered that the threat actor had accessed data related to all users of Dropbox Sign, such as emails and user names, in addition to general account settings," Dropbox said Wednesday in a regulatory filing. "For subsets of users, the threat actor also accessed phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication." Dropbox said there is no evidence hackers obtained user accounts or payment information. The company said it appears the attack was limited to Dropbox Sign and no other products were breached. The company didn't disclose how many customers were affected by the hack. The hack is unlikely to have a material impact on the company's finances, Dropbox said in the filing. The shares declined about 2.5% in extended trading after the cyberattack was disclosed and have fallen 20% this year through the close.
National Archives Bans Employee Use of ChatGPT
The National Archives and Records Administration (NARA) told employees Wednesday that it is blocking access to ChatGPT on agency-issued laptops to "protect our data from security threats associated with use of ChatGPT," 404 Media reported Wednesday. From the report: "NARA will block access to commercial ChatGPT on NARANet [an internal network] and on NARA issued laptops, tablets, desktop computers, and mobile phones beginning May 6, 2024," an email sent to all employees, and seen by 404 Media, reads. "NARA is taking this action to protect our data from security threats associated with use of ChatGPT." The move is particularly notable considering that this directive is coming from, well, the National Archives, whose job is to keep an accurate historical record. The email explaining the ban says the agency is particularly concerned with internal government data being incorporated into ChatGPT and leaking through its services. "ChatGPT, in particular, actively incorporates information that is input by its users in other responses, with no limitations. Like other federal agencies, NARA has determined that ChatGPT's unrestricted approach to reusing input data poses an unacceptable risk to NARA data security," the email reads. The email goes on to explain that "If sensitive, non-public NARA data is entered into ChatGPT, our data will become part of the living data set without the ability to have it removed or purged."
Microsoft Says April Windows Updates Break VPN Connections
Microsoft has confirmed that the April 2024 Windows security updates break VPN connections across client and server platforms. From a report: The company explains on the Windows health dashboard that "Windows devices might face VPN connection failures after installing the April 2024 security update or the April 2024 non-security preview update." "We are investigating user reports, and we will provide more information in the coming days," Redmond added. The list of affected Windows versions includes Windows 11, Windows 10, and Windows Server 2008 and later.
UnitedHealthCare CEO Says 'Maybe a Third' of US Citizens Were Affected By Recent Hack
An anonymous reader shares a report: Two months after hackers broke into Change Healthcare systems stealing and then encrypting company data, it's still unclear how many Americans were impacted by the cyberattack. Last month, Andrew Witty, the CEO of Change Healthcare's parent company UnitedHealth Group, said that the stolen files include the personal health information of "a substantial proportion of people in America." On Wednesday, during a House hearing, Witty was pushed to give a more definitive answer, testifying that the breach impacted "I think, maybe a third [of Americans] or somewhere of that level."
Tens of Millions Secretly Use WhatsApp Despite Bans, Company Says
"Tens of millions" of people are using technical workarounds to secretly access WhatsApp in countries where it is banned, the messaging platform's boss has said. From a report: "You'd be surprised how many people have figured it out," Will Cathcart told BBC News. Like many Western apps, WhatsApp is banned in Iran and North Korea and, intermittently, in Syria. And last month, China joined the list of those banning users from accessing the secure platform. Other countries, including Qatar, Egypt, Jordan and the United Arab Emirates, restrict features such as voice calls. But WhatsApp can see where its users truly are, thanks to their registered phone numbers. "We have a lot of anecdotal reports of people using WhatsApp and what we can do is look at some of the countries where we're seeing blocking and still see tens of millions of people connecting to WhatsApp," Mr Cathcart told BBC News. China ordered Apple to block Chinese iPhone users from downloading WhatsApp from the App Store in April, a move Mr Cathcart calls "unfortunate" -- although the country was never a major market for the app. "That's a choice Apple has made," he said. "There aren't alternatives. I mean, that is really a situation where they've put themselves in the position to be able to truly stop something."
The BASIC Programming Language Turns 60
ArsTechnica: Sixty years ago, on May 1, 1964, at 4 am in the morning, a quiet revolution in computing began at Dartmouth College. That's when mathematicians John G. Kemeny and Thomas E. Kurtz successfully ran the first program written in their newly developed BASIC (Beginner's All-Purpose Symbolic Instruction Code) programming language on the college's General Electric GE-225 mainframe. Little did they know that their creation would go on to democratize computing and inspire generations of programmers over the next six decades.
Google Urges US To Update Immigration Rules To Attract More AI Talent
The US could lose out on valuable AI and tech talent if some of its immigration policies are not modernized, Google says in a letter sent to the Department of Labor. From a report: Google says policies like Schedule A, a list of occupations the government "pre-certified" as not having enough American workers, have to be more flexible and move faster to meet demand in technologies like AI and cybersecurity. The company says the government must update Schedule A to include AI and cybersecurity and do so more regularly. "There's wide recognition that there is a global shortage of talent in AI, but the fact remains that the US is one of the harder places to bring talent from abroad, and we risk losing out on some of the most highly sought-after people in the world," Karan Bhatia, head of government affairs and public policy at Google, tells The Verge. He noted that the occupations in Schedule A have not been updated in 20 years. Companies can apply for permanent residencies, colloquially known as green cards, for employees. The Department of Labor requires companies to get a permanent labor certification (PERM) proving there is a shortage of workers in that role. That process may take time, so the government "pre-certified" some jobs through Schedule A. The US Citizenship and Immigration Services lists Schedule A occupations as physical therapists, professional nurses, or "immigrants of exceptional ability in the sciences or arts." While the wait time for a green card isn't reduced, Google says Schedule A cuts down the processing time by about a year.
Windows 10 Reaches 70% Market Share as Windows 11 Keeps Declining
Windows 11's market share dropped in April 2024, falling below 26% after reaching an all-time high of 28.16% in February. According to Statcounter, Windows 11 lost 0.97 points, while Windows 10 gained 0.96 points, crossing the 70% mark for the first time since September 2023. Neowin adds: Some argue that Windows 11 still offers little to no benefits for upgrading, especially in light of Microsoft killing some of the system's unique features, such as Windows Subsystem for Android. Add to that the ever-increasing number of ads, some of which are quite shameless, and you get an operating system that has a hard time winning hearts and minds, and retaining its customers.
LastPass Separates From GoTo
LastPass, the password manager company, has officially separated from its parent company, GoTo, following a series of high-profile hacks in recent years. The company will now operate under a shareholder holding company called LMI Parent. LastPass -- owned by private equity firms Francisco Partners and Elliott Management -- has faced criticism for its handling of the breaches, which resulted in the theft of customer data and encryption keys. The company has since enforced a 12-character minimum for master passwords to improve security.
Microsoft Concern Over Google's Lead Drove OpenAI Investment
Microsoft's motivation for investing heavily and partnering with OpenAI came from a sense of falling badly behind Google, according to an internal email released Tuesday as part of the Justice Department's antitrust case against the search giant. Bloomberg: The Windows software maker's chief technology officer, Kevin Scott, was "very, very worried" when he looked at the AI model-training capability gap between Alphabet's efforts and Microsoft's, he wrote in a 2019 message to Chief Executive Officer Satya Nadella and co-founder Bill Gates. The exchange shows how the company's top executives privately acknowledged they lacked the infrastructure and development speed to catch up to the likes of OpenAI and Google's DeepMind. [...] Scott, who also serves as executive vice president of artificial intelligence at Microsoft, observed that Google's search product had improved on competitive metrics because of the Alphabet company's advancements in AI. The Microsoft executive wrote that he made a mistake by dismissing some of the earlier AI efforts of its competitors. "We are multiple years behind the competition in terms of machine learning scale," Scott said in the email. Significant portions of the message, titled 'Thoughts on OpenAI,' remain redacted. Nadella endorsed Scott's email, forwarding it to Chief Financial Officer Amy Hood and saying it explains "why I want us to do this."
Global Debt Hasn't Been This Bad Since the Napoleonic Wars, Says WEF President
The massive volumes of debt piling up around the globe forced the president of the World Economic Forum to reach back more than 200 years for a comparable period. Fortune: In an interview Sunday with CNBC at a WEF conference in Saudi Arabia, Borge Brende warned overall debt is approaching the world's total economic output. "We haven't seen this kind of debt since the Napoleonic Wars," he said. "We're getting close to 100% of global GDP in debt." According to the International Monetary Fund last year, global public debt hit $91 trillion, or 92% of GDP, by the end of 2022. That was actually a dip from pandemic-era debt levels but remained in line with a decades-long trend higher. Data on global debt during the Napoleonic Wars, which took place in the early 1800s, is harder to come by. But for comparison, some estimates put British government debt at more than 200% of GDP by 1815. Brende also told CNBC that governments need to take fiscal measures to reduce their debts without triggering a recession. For now, global growth is about 3.2% annually, which isn't bad, but it's also below the 4% trend growth the world had seen for decades, he said earlier in the interview. That risks a repeat of the 1970s, when growth was low for a decade, Brende added. But the world can avoid such an outcome if it continues to trade and doesn't engage in more trade wars. "Trade was the engine of growth for decades," he said.
LinkedIn Now Has Wordle-style Games You Can Play Every Day
LinkedIn, the professional network known for job listings and unsolicited career advice, is jumping into gaming. From a report: The platform is officially introducing a set of Wordle-style puzzle games, weeks after they were first spotted in the app. The company is starting with three games: Pinpoint, a word game where players must guess the theme that ties a series of words together; Queens, a puzzle game that's a bit like a cross between Sudoku and Minesweeper; and Crossclimb, a trivia game that involves guessing a series of four-letter words and placing them in the correct order. LinkedIn describes them as "thinking-oriented games," though the format will likely look familiar to fans of The New York Times Games app. Each game can only be played once a day, and players can share their score with friends in cute emoji-filled messages reminiscent of the "Wordle grid." The service will also keep track of "streaks," to encourage players to come back every day. Given the similarities, it shouldn't be surprising that the games were developed by LinkedIn's news team, which recently hired a dedicated games editor.
Star Scientist's Claim of 'Reverse Aging' Draws Hail of Criticism
An anonymous reader shares a report: Harvard geneticist David Sinclair, who has said his "biological age" is roughly a decade younger than his actual one, has put forward his largely unlined face as a spokesman for the longevity movement. The 54-year-old has built his brand on the idea that aging is a treatable disease. The notion has proven so seductive that legions of acolytes follow his online postings about his research and the cocktails of supplements he consumes to stave off the inevitable. His social-media accounts are a platform for assertions that his work is pushing nearer to a fountain of youth. He claimed last year that a gene therapy invented in his Harvard lab and being developed by a company he co-founded, Life Biosciences, had reversed aging and restored vision in monkeys. "Next up: age reversal in humans," he wrote on X and Instagram. On Feb. 29, in the eyes of many other scientists working to unlock the mysteries of aging, he went too far. Another company he co-founded, Animal Biosciences, quoted him in a press release saying that a supplement it had developed had reversed aging in dogs. Scientists who study aging can't even agree on what it means to "reverse" aging, much less how to measure it. The response was swift and harsh. The Academy for Health and Lifespan Research, a group of about 60 scientists that Sinclair co-founded and led, was hit with a cascade of resignations by members outraged by his claims. One scientist who quit referred to Sinclair on X as a "snake oil salesman." Days later, in a tense video meeting, the academy's five other board members pressed Sinclair to resign as president. He contended that the press release contained an inaccurate quote, according to people who were in the meeting, but he later stepped down. Sinclair's work is published regularly in top-tier scientific journals and has brought attention to an emerging field vying for credibility and funding. He has parlayed his research into hundreds of millions of dollars of investment in various companies, more than 50 patents and prominence as a longevity influencer. Along the way, his claims -- especially in his social-media posts, interviews and his book -- have drawn criticism from scientists who have accused him of hyping his research and extolling unproven products, including some from companies in which he had a financial interest. "My lab's ideas and findings are typically ahead of the curve, which is why some peers might feel the research is overstated at the time," Sinclair said to The Wall Street Journal in an email. "I stand behind my track record as a trusted scientist in one of the most competitive professions of all." He said he doesn't engage with social-media critics, including those calling him a snake oil salesman, and that many such comments are "nothing more than mischaracterizations."
Mysterious 'gpt2-chatbot' AI Model Appears Suddenly, Confuses Experts
An anonymous reader quotes a report from Ars Technica: On Sunday, word began to spread on social media about a new mystery chatbot named "gpt2-chatbot" that appeared in the LMSYS Chatbot Arena. Some people speculate that it may be a secret test version of OpenAI's upcoming GPT-4.5 or GPT-5 large language model (LLM). The paid version of ChatGPT is currently powered by GPT-4 Turbo. Currently, the new model is only available for use through the Chatbot Arena website, although in a limited way. In the site's "side-by-side" arena mode where users can purposely select the model, gpt2-chatbot has a rate limit of eight queries per day -- dramatically limiting people's ability to test it in detail. [...] On Monday evening, OpenAI CEO Sam Altman seemingly dropped a hint by tweeting, "i do have a soft spot for gpt2." [...] OpenAI's fingerprints seem to be all over the new bot. "I think it may well be an OpenAI stealth preview of something," AI researcher Simon Willison told Ars Technica. But what "gpt2" is exactly, he doesn't know. After surveying online speculation, it seems that no one apart from its creator knows precisely what the model is, either. Willison has uncovered the system prompt for the AI model, which claims it is based on GPT-4 and made by OpenAI. But as Willison noted in a tweet, that's no guarantee of provenance because "the goal of a system prompt is to influence the model to behave in certain ways, not to give it truthful information about itself."
China Launches World's Largest Electric Container Ship
AmiMoJo shares a report from Tech Times: China has reached a major landmark in green transportation with the launch of the world's largest fully electric container ship. Developed and manufactured by China Ocean Shipping Group (Cosco), the vessel is now operating a regular service route between Shanghai and Nanjing, aiming to reduce emissions significantly along its journey. The Greenwater 01, an all-electric container ship, is positioning itself to be a shipping industry pioneer. Equipped with a main battery exceeding 50,000 kilowatt-hours, the vessel can accommodate additional battery boxes for longer voyages. These battery boxes, each containing 1,600 kilowatt-hours of electricity and similar in size to standard 20-foot containers, provide flexibility in extending the ship's travel range. With 24 battery boxes onboard, the Greenwater 01 can complete a journey consuming 80,000 kilowatt-hours of electricity. This is equivalent to saving 15 tons of fuel compared to a standard container ship, highlighting the efficiency of electric propulsion systems. According to Cosco, the vessel can reduce CO2 emissions by 2,918 tons per year, which is equivalent to taking 2,035 family cars off the road or planting 160,000 trees.
Satellite Operator SES Acquiring Intelsat In $3.1 Billion Deal
Satellite operator SES plans to buy fellow satellite operator Intelsat, in a $3.1 billion deal that's expected to close next year. According to Space Magazine, the combined company could help it "compete with SpaceX's huge Starlink broadband network." From the report: SES and Intelsat both operate communications satellites in geostationary orbit, which lies 22,236 miles (35,785 kilometers) above Earth. SES also runs a constellation called O3b in medium Earth orbit, at an altitude of about 5,000 miles (8,000 km). As [SES CEO Adel Al-Saleh] noted, there is increasingly fierce competition for the services provided by these satellites -- for example, from SpaceX's Starlink megaconstellation in low Earth orbit. And other LEO megaconstellations are in the works as well. For instance, Amazon launched the first two prototypes for its planned 3,200-satellite Project Kuiper network this past October. "By combining our financial strength and world-class team with that of SES, we create a more competitive, growth-oriented solutions provider in an industry going through disruptive change," Intelsat CEO David Wajsgras said in the same statement. "The combined company will be positioned to meet customers' needs around the world and exceed their expectations," he added.
America's Wind Power Production Drops For the First Time In 25 Years
An anonymous reader quotes a report from Bloomberg: U.S. wind power slipped last year for the first time in a quarter-century due to weaker-than-normal Midwest breezes, underscoring the challenge of integrating volatile renewable energy sources into the grid. Power produced by turbines slipped 2% in 2023, even after developers added 6.2 gigawatts of new capacity, according to a government report Tuesday. The capacity factor for the country's wind fleet -- how much energy it's actually generating versus its maximum possible output -- declined to an eight-year low of 33.5%. Most of that decline was driven by the central US, a region densely dotted with turbines. Wind is a key component of the effort to cut carbon emissions, but the data highlights the downside of relying on intermittent energy sources tied to the effects of global weather. Last year's low wind speeds came during El Nino, a warming of the equatorial Pacific that tends to weaken trade winds. La Nina, the Pacific cooling pattern that dominated in 2022 and is poised to return later this year, usually has the opposite effect. The U.S. Energy Information Administration shared the findings in a report published earlier today.
Is Self Hosting Going Mainstream?
An anonymous reader shares that IPv6rs has debuted a new one-click self hosting system: "Everyone seemed like they were talking about self hosting, but we didn't understand why it wasn't more prolific. Thus, we conducted a survey to hear reasons. It turned out the two most common reasons were: 1. Lack of an external IP address; 2. Too difficult to set up and maintain. Our service already solves the first issue. We set out with a self-hostathon to figure out what the blockers were in setting up and running a self-hosted server...." writes IPv6rs on their blog. "We needed to make things easier, so we created Cloud Seeder, a one click installer that instantly launches a fully encapsulated server appliance that is externally reachable. At the time of launching, the current version of Cloud Seeder supports 20+ different appliances - from Mastodon which federates with Meta's Threads to Nextcloud which provides an enterprise-level, self-hosted alternative to the big-name collaboration suites. It also automatically handles updates/maintenance. We hope this will bring a new era to self hosting and, in turn, will bring the decentralized internet forest back." Is the self hosting era making its return?
13.4 Million Kaiser Insurance Members Affected by Data Leak to Online Advertisers
Kaiser Permanente is the latest healthcare giant to report a data breach. Kaiser said 13.4 million current and former insurance members had their patient data shared with third-party advertisers, thanks to an improperly implemented tracking code the company used to see how its members navigated through its websites. Dark Reading reports: The shared data included names, IP addresses, what pages people visited, whether they were actively signed in, and even the search terms they used when visiting the company's online health encyclopedia. Kaiser has reportedly removed the tracking code from its sites, and while the incident wasn't a hacking event, the breach is still concerning from a security perspective, according to Narayana Pappu, CEO at Zendata. "The presence of third-party trackers belonging to advertisers, and the oversharing of customer information with these trackers, is a pervasive problem in both health tech and government space," he explains. "Once shared, advertisers have used this information to target ads at users for complementary products (based on health data); this has happened multiple times in the past few years, including at Goodrx. Although this does not fit the traditional definition of a data breach, it essentially results in the same outcome -- an entity and the use case the data was not intended for has access to it. There is usually no monitoring/auditing process to identify and prevent the issue."
Google Removes RISC-V Support From Android Common Kernel, Denies Abandoning Its Efforts
Mishaal Rahman reports via Android Authority: Earlier today, a Senior Staff Software Engineer at Google who, according to their LinkedIn, leads the Android Systems Team and works on Android's Linux kernel fork, submitted a series of patches to AOSP that "remove ACK's support for riscv64." The description of these patches states that "support for risc64 GKI kernels is discontinued." ACK stands for Android Common Kernel and refers to the downstream branches of the official kernel.org Linux kernels that Google maintains. The ACK is basically Linux plus some "patches of interest to the Android community that haven't been merged into mainline or Long Term Supported (LTS) kernels." There are multiple ACK branches, including android-mainline, which is the primary development branch that is forked into "GKI" kernel branches that correspond to a particular combination of supported Linux kernel and Android OS version. GKI stands for Generic Kernel Image and refers to a kernel that's built from one of these branches. Every certified Android device ships with a kernel based on one of these GKI branches, as Google currently does not certify Android devices that ship with a mainline Linux kernel build. Since these patches remove RISC-V kernel support, RISC-V kernel build support, and RISC-V emulator support, any companies looking to compile a RISC-V build of Android right now would need to create and maintain their own fork of Linux with the requisite ACK and RISC-V patches. Given that Google currently only certifies Android builds that ship with a GKI kernel built from an ACK branch, that means we likely won't see certified builds of Android on RISC-V hardware anytime soon. Our initial interpretation of these patches was that Google was preparing to kill off RISC-V support in Android since that was the most obvious conclusion. However, a spokesperson for Google told us this: "Android will continue to support RISC-V. Due to the rapid rate of iteration, we are not ready to provide a single supported image for all vendors. This particular series of patches removes RISC-V support from the Android Generic Kernel Image (GKI)." Based on Google's statement, Rahman suggests that "there's still a ton of work that needs to be done before Android is ready for RISC-V." "Even once it's ready, Google will need to redo the work to add RISC-V support in the kernel anyway. At the very least, Google's decision likely means that we might need to wait even longer than expected to see commercial Android devices running on a RISC-V chip."
Dave & Buster's To Allow Customers To Bet On Arcade Games
Arcade giant Dave & Buster's said it will begin allowing customers to bet on arcade games. "Customers can soon make a friendly $5 wager on a Hot Shots basketball game, a bet on a Skee-Ball competition or on another arcade game," reports CNBC. "The betting function, expected to launch in the next few months, will work through the company's app." From the report: Dave & Buster's, started in 1982, now has more than 222 venues in North America, offering everything from bowling to laser tag, plus virtual reality. The company says it has five million loyalty members and 30 million unique visitors to its locations each year. The company's stock is up more than 50% over the past year. As a boom in betting increases engagement among sports fans, digital gamification could have a similar effect within Dave & Buster's customer base by allowing loyalty members to compete with one another and earn rewards. Ultimately, it could mean people spend more time and money at the venues. Dave & Buster's is using technology by gamification software company Lucra. [...] Lucra and Dave & Buster's said there will be a limit placed on the size of bets it will allow, but that they're not publicly disclosing that threshold just yet. Lucra said across its history the average bet size has been $10. "We're creating a new form of kind of a digital experience for folks inside of these ecosystems," said Madding, Lucra's chief operating officer. "We're getting them to engage in a new way and spend more time and money," he added. Lucra says its skills-based games are not subject to the same licenses and regulations gambling operators face with games of chance. Lucra is careful not to use the term "bet" or "wager" to describe its games. "We use real-money contests or challenges," Madding said. Lucra's contests are only available to players age 18 and older. The contests are available in 44 states.
Systemd Announces 'run0' Sudo Alternative
An anonymous reader quotes a report from Foss Outpost: Systemd lead developer Lennart Poettering has posted on Mastodon about their upcoming v256 release of Systemd, which is expected to include a sudo replacement called "run0". The developer talks about the weaknesses of sudo, and how it has a large possible attack surface. For example, sudo supports network access, LDAP configurations, other types of plugins, and much more. But most importantly, its SUID binary provides a large attack surface according to Lennart: "I personally think that the biggest problem with sudo is the fact it's a SUID binary though -- the big attack surface, the plugins, network access and so on that come after it just make the key problem worse, but are not in themselves the main issue with sudo. SUID processes are weird concepts: they are invoked by unprivileged code and inherit the execution context intended for and controlled by unprivileged code. By execution context I mean the myriad of properties that a process has on Linux these days, from environment variables, process scheduling properties, cgroup assignments, security contexts, file descriptors passed, and so on and so on." He's saying that sudo is a Unix concept from many decades ago, and a better privilege escalation system should be in place for 2024 security standards: "So, in my ideal world, we'd have an OS entirely without SUID. Let's throw out the concept of SUID on the dump of UNIX' bad ideas. An execution context for privileged code that is half under the control of unprivileged code and that needs careful manual clean-up is just not how security engineering should be done in 2024 anymore." [...] He also mentioned that there will be more features in run0 that are not just related to the security backend such as: "The tool is also a lot more fun to use than sudo. For example, by default, it will tint your terminal background in a reddish tone while you are operating with elevated privileges. That is supposed to act as a friendly reminder that you haven't given up the privileges yet, and marks the output of all commands that ran with privileges appropriately. It also inserts a red dot (unicode ftw) in the window title while you operate with privileges, and drops it afterwards."
Binance Founder Changpeng Zhao Sentenced To 4 Months In Prison
Binance founder Changpeng Zhao has been sentenced to four months in prison after pleading guilty to charges related to enabling money laundering through his cryptocurrency exchange. CNBC reports: The sentence handed down to Zhao in Seattle federal court was significantly less than the three years that federal prosecutors had been seeking for him. The defense had asked for five months of probation. The sentencing guidelines called for a prison term of 12 to 18 months. In November, Zhao struck a deal with the U.S. government to resolve a multiyear investigation into Binance, the world's largest cryptocurrency exchange. As part of the settlement, Zhao stepped down as the company's CEO. Zhao, who wore a dark navy suit with a light blue tie to court, is accused of willfully failing to implement an effective anti-money laundering program as required by the Bank Secrecy Act, and of allowing Binance to process transactions involving proceeds of unlawful activity, including between Americans and individuals in sanctions jurisdictions. The U.S. ordered Binance to pay $4.3 billion in fines and forfeiture. Zhao agreed to pay a $50 million fine.
Bruce Perens Emits Draft Post-Open Zero Cost License
After convincing the world to buy open source and give up the Morse Code test for ham radio licenses, Bruce Perens has a new gambit: develop a license that ensures software developers receive compensation from large corporations using their work. The new Post-Open Zero Cost License seeks to address the financial disparities in open source software use and includes provisions against using content to train AI models, aligning its enforcement with non-profit performing rights organizations like ASCAP. Here's an excerpt from an interview The Register conducted with Perens: The license is one component among several -- the paid license needs to be hammered out -- that he hopes will support his proposed Post-Open paradigm to help software developers get paid when their work gets used by large corporations. "There are two paradigms that you can use for this," he explains in an interview. "One is Spotify and the other is ASCAP, BMI, and SESAC. The difference is that Spotify is a for-profit corporation. And they have to distribute profits to their stockholders before they pay the musicians. And as a result, the musicians complain that they're not getting very much at all." Perens wants his new license -- intended to complement open source licensing rather than replace it -- to be administered by a 501(c)(6) non-profit. This entity would handle payments to developers. He points to the music performing rights organizations as a template, although among ASCAP, BMI, SESAC, and GMR, only ASCAP remains non-profit. [...] The basic idea is companies making more than $5 million annually by using Post-Open software in a paid-for product would be required to pay 1 percent of their revenue back to this administrative organization, which would distribute the funds to the maintainers of the participating open source project(s). That would cover all Post-Open software used by the organization. "The license that I have written is long -- about as long as the Affero GPL 3, which is now 17 years old, and had to deal with a lot more problems than the early licenses," Perens explains. "So, at least my license isn't excessively long. It handles all of the abuses of developers that I'm conscious of, including things I was involved in directly like Open Source Security v. Perens, and Jacobsen v. Katzer." "It also makes compliance easier for companies than it is today, and probably cheaper even if they do have to pay. It creates an entity that can sue infringers on behalf of any developer and gets the funding to do it, but I'm planning the infringement process to forgive companies that admit the problem and cure the infringement, so most won't ever go to court. It requires more infrastructure than open source developers are used to. There's a central organization for Post-Open (or it could be three organizations if we divided all of the purposes: apportioning money to developers, running licensing, and enforcing compliance), and an outside CPA firm, and all of that has to be structured so that developers can trust it." You can read the full interview here.
Change Healthcare Hackers Broke In Using Stolen Credentials, No MFA
An anonymous reader quotes a report from TechCrunch: The ransomware gang that hacked into U.S. health tech giant Change Healthcare used a set of stolen credentials to remotely access the company's systems that weren't protected by multifactor authentication (MFA), according to the chief executive of its parent company, UnitedHealth Group (UHG). UnitedHealth CEO Andrew Witty provided the written testimony ahead of a House subcommittee hearing on Wednesday into the February ransomware attack that caused months of disruption across the U.S. healthcare system. This is the first time the health insurance giant has given an assessment of how hackers broke into Change Healthcare's systems, during which massive amounts of health data were exfiltrated from its systems. UnitedHealth said last week that the hackers stole health data on a "substantial proportion of people in America." According to Witty's testimony, the criminal hackers "used compromised credentials to remotely access a Change Healthcare Citrix portal." Organizations like Change use Citrix software to let employees access their work computers remotely on their internal networks. Witty did not elaborate on how the credentials were stolen. However, Witty did say the portal "did not have multifactor authentication," which is a basic security feature that prevents the misuse of stolen passwords by requiring a second code sent to an employee's trusted device, such as their phone. It's not known why Change did not set up multifactor authentication on this system, but this will likely become a focus for investigators trying to understand potential deficiencies in the insurer's systems. "Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data," said Witty. Witty said the hackers deployed ransomware nine days later on February 21, prompting the health giant to shut down its network to contain the breach. Last week, the medical firm admitted that it paid the ransomware hackers roughly $22 million via bitcoin. Meanwhile, UnitedHealth said the total costs associated with the ransomware attack amounted to $872 million. "The remediation efforts spent on the attack are ongoing, so the total costs related to business disruption and repairs are likely to exceed $1 billion over time, potentially including the reported $22 million payment made [to the hackers]," notes The Register.
Extreme Heat Continues To Scorch Large Parts of Asia
Large swathes of Asia are sweltering through a heatwave that has topped temperature records from Myanmar to the Philippines and forced millions of children to stay home from school. From a report: In India, record temperatures have triggered a deadly heatwave and concerns about voter turnout in the nation's marathon election. Extreme heat has also forced Bangladesh to close all schools across the country. Extreme temperatures have also been recorded in Myanmar and Thailand, while huge areas of the Philippines are suffering from a drought. Experts say climate change has made heatwaves more frequent, longer and more intense, while the El Nino weather phenomenon is also driving this year's exceptionally warm weather. Approximate voter turnout data after polls closed on April 26 in India -- when stage two of the nation's seven-stage general election took place -- put voter turnout at 61 per cent. This was lower than the 65 per cent in the first phase, and 68 per cent in the second phase five years ago. Among the states that headed to the polls last week was Kerala in the south, where media reports on April 29 said that at least two people -- a 90-year-old woman and a 53-year-old man -- were suspected to have died of heatstroke. Temperatures in Kerala soared to 41.9 deg C, nearly 5.5 deg C above normal temperatures. At least two people have also died in India's eastern state of Odisha, where temperatures hit 44.9 deg C on April 28 -- the highest recorded in April. In neighbouring Bangladesh, students will continue to stay home this week, after schools across the country were ordered shut on April 29. A two-judge bench of the country's High Court passed an order directing all primary and secondary schools and madrasahs (Islamic schools) nationwide to remain closed till May 5, affecting an estimated 32 million students.
Supreme Court Declines To Block Texas Porn Restriction
The Supreme Court on Tuesday refused to block on free speech grounds a provision of Texas law aimed at preventing minors from accessing pornographic content online. From a report: The justices turned away a request made by the Free Speech Coalition, a pornography industry trade group, as well as several companies. The challengers said the 2023 law violates the Constitution's First Amendment by requiring anyone using the platforms in question, including adults, to submit personal information. One provision of the law, known as H.B. 1181, mandates that platforms verify users' ages by requiring them to submit information about their identities. Although the law is aimed at limiting children's access to sexually explicit content, the lawsuit focuses on how those measures also affect adults. "Specifically, the act requires adults to comply with intrusive age verification measures that mandate the submission of personally identifying information over the internet in order to access websites containing sensitive and intimate content," the challengers wrote in court papers.
How an Empty S3 Bucket Can Make Your AWS Bill Explode
Maciej Pocwierz, a senior software engineer at Semantive, writing on Medium: A few weeks ago, I began working on the PoC of a document indexing system for my client. I created a single S3 bucket in the eu-west-1 region and uploaded some files there for testing. Two days later, I checked my AWS billing page, primarily to make sure that what I was doing was well within the free-tier limits. Apparently, it wasn't. My bill was over $1,300, with the billing console showing nearly 100,000,000 S3 PUT requests executed within just one day! By default, AWS doesn't log requests executed against your S3 buckets. However, such logs can be enabled using AWS CloudTrail or S3 Server Access Logging. After enabling CloudTrail logs, I immediately observed thousands of write requests originating from multiple accounts or entirely outside of AWS. Was it some kind of DDoS-like attack against my account? Against AWS? As it turns out, one of the popular open-source tools had a default configuration to store their backups in S3. And, as a placeholder for a bucket name, they used... the same name that I used for my bucket. This meant that every deployment of this tool with default configuration values attempted to store its backups in my S3 bucket! So, a horde of misconfigured systems is attempting to store their data in my private S3 bucket. But why should I be the one paying for this mistake? Here's why: S3 charges you for unauthorized incoming requests. This was confirmed in my exchange with AWS support. As they wrote: "Yes, S3 charges for unauthorized requests (4xx) as well[1]. That's expected behavior." So, if I were to open my terminal now and type: aws s3 cp ./file.txt s3://your-bucket-name/random_key. I would receive an AccessDenied error, but you would be the one to pay for that request. And I don't even need an AWS account to do so. Another question was bugging me: why was over half of my bill coming from the us-east-1 region? I didn't have a single bucket there! The answer to that is that the S3 requests without a specified region default to us-east-1 and are redirected as needed. And the bucket's owner pays extra for that redirected request. The security aspect: We now understand why my S3 bucket was bombarded with millions of requests and why I ended up with a huge S3 bill. At that point, I had one more idea I wanted to explore. If all those misconfigured systems were attempting to back up their data into my S3 bucket, why not just let them do so? I opened my bucket for public writes and collected over 10GB of data within less than 30 seconds. Of course, I can't disclose whose data it was. But it left me amazed at how an innocent configuration oversight could lead to a dangerous data leak! Lesson 1: Anyone who knows the name of any of your S3 buckets can ramp up your AWS bill as they like. Other than deleting the bucket, there's nothing you can do to prevent it. You can't protect your bucket with services like CloudFront or WAF when it's being accessed directly through the S3 API. Standard S3 PUT requests are priced at just $0.005 per 1,000 requests, but a single machine can easily execute thousands of such requests per second.
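As an added example (not code from the Medium post or from AWS), here is the kind of triage a bucket owner can run over the CloudTrail data events the author enabled: it isolates PutObject calls that S3 rejected with AccessDenied, counts them per bucket, region and caller, and estimates the PUT-request charge at the $0.005 per 1,000 rate quoted above. The record shape is trimmed to a few CloudTrail field names, every value is constructed, and billing denied PUTs at the standard PUT rate is an assumption.

```python
"""Triage CloudTrail-style S3 data events for floods of denied PutObject calls."""
from collections import Counter

# Standard S3 PUT price quoted in the story (USD per 1,000 requests).
PUT_PRICE_PER_1000 = 0.005


def _ev(name, region, ip, account, error=None):
    """Build one trimmed CloudTrail-style S3 record (constructed sample data)."""
    rec = {"eventSource": "s3.amazonaws.com", "eventName": name, "awsRegion": region,
           "sourceIPAddress": ip, "userIdentity": {"accountId": account},
           "requestParameters": {"bucketName": "my-poc-bucket"}}
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample: three anonymous region-less PUTs (landing in us-east-1), one PUT
# from another AWS account, one from eu-west-1, and the owner's own successful read.
SAMPLE_EVENTS = (
    [_ev("PutObject", "us-east-1", "203.0.113.10", "anonymous", "AccessDenied") for _ in range(3)]
    + [_ev("PutObject", "us-east-1", "198.51.100.7", "111122223333", "AccessDenied"),
       _ev("PutObject", "eu-west-1", "192.0.2.44", "anonymous", "AccessDenied"),
       _ev("GetObject", "eu-west-1", "192.0.2.1", "999999999999")]
)


def denied_puts(events):
    """Yield only S3 PutObject calls that S3 rejected with AccessDenied."""
    for e in events:
        if (e.get("eventSource") == "s3.amazonaws.com"
                and e.get("eventName") == "PutObject"
                and e.get("errorCode") == "AccessDenied"):
            yield e


def estimated_put_cost(count, price_per_1000=PUT_PRICE_PER_1000):
    """PUT-request charge only; assumes denied PUTs bill at the standard PUT rate."""
    return count * price_per_1000 / 1000


def summarize(events):
    """Count denied PUTs per bucket, region and caller so the bill can be attributed."""
    by_bucket, by_region, by_caller = Counter(), Counter(), Counter()
    for e in denied_puts(events):
        by_bucket[e["requestParameters"]["bucketName"]] += 1
        by_region[e["awsRegion"]] += 1
        acct = e.get("userIdentity", {}).get("accountId", "anonymous")
        by_caller[(acct, e.get("sourceIPAddress", "?"))] += 1
    total = sum(by_bucket.values())
    return {"denied_puts": total, "estimated_usd": estimated_put_cost(total),
            # Requests sent without a region land in us-east-1 and are redirected,
            # which the story says the bucket owner pays extra for.
            "us_east_1_share": by_region["us-east-1"] / total if total else 0.0,
            "by_bucket": by_bucket, "by_region": by_region,
            "top_callers": by_caller.most_common(3)}


if __name__ == "__main__":
    s = summarize(SAMPLE_EVENTS)
    print(f"denied PUTs: {s['denied_puts']}  est. ${s['estimated_usd']:.6f}  "
          f"us-east-1 share: {s['us_east_1_share']:.0%}  top callers: {s['top_callers']}")
    print(f"100,000,000 denied PUTs -> ${estimated_put_cost(100_000_000):.2f} in PUT charges alone")
```

Point it at real CloudTrail S3 data events (one JSON record per element) and the per-caller counts show where a sudden bill is coming from; the scaled figure shows how quickly the PUT line alone reaches hundreds of dollars.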
Biden Administration Moves To Speed Up Permits for Clean Energy
The Biden administration on Tuesday released rules designed to speed up permits for clean energy while requiring federal agencies to more heavily weigh damaging effects on the climate and on low-income communities before approving projects like highways and oil wells. From a report: As part of a deal to raise the country's debt limit last year, Congress required changes to the National Environmental Policy Act, a 54-year-old bedrock law that requires the government to consider environmental effects and to seek public input before approving any project that necessitates federal permits. That bipartisan debt ceiling legislation included reforms to the environmental law designed to streamline the approval process for major construction projects, such as oil pipelines, highways and power lines for wind- and solar-generated electricity. The rules released Tuesday, by the White House Council on Environmental Quality, are intended to guide federal agencies in putting the reforms in place. But they also lay out additional requirements created to prioritize projects with strong environmental benefits, while adding layers of review for projects that could harm the climate or their surrounding communities. "These reforms will deliver smarter decisions, quicker permitting, and projects that are built better and faster," said Brenda Mallory, chair of the council. "As we accelerate our clean energy future, we are also protecting communities from pollution and environmental harms that can result from poor planning and decision making while making sure we build projects in the right places."