Feed slashdot Slashdot

Link https://slashdot.org/
Feed https://rss.slashdot.org/Slashdot/slashdotMain
Copyright Copyright Slashdot Media. All Rights Reserved.
Updated 2025-09-16 07:48
Apple Criticized For Changing the macOS version of cURL
"On December 28 2023, bugreport 12604 was filed in the curl issue tracker," writes cURL lead developer Daniel Stenberg: The title stated of the problem in this case was quite clear: flag -cacert behavior isn't consistent between macOS and Linux, and it was filed by Yuedong Wu. The friendly reporter showed how the curl version bundled with macOS behaves differently than curl binaries built entirely from open source. Even when running the same curl version on the same macOS machine. The curl command line option --cacert provides a way for the user to say to curl that this is the exact set of CA certificates to trust when doing the following transfer. If the TLS server cannot provide a certificate that can be verified with that set of certificates, it should fail and return error. This particular behavior and functionality in curl has been established since many years (this option was added to curl in December 2000) and of course is provided to allow users to know that it communicates with a known and trusted server. A pretty fundamental part of what TLS does really. When this command line option is used with curl on macOS, the version shipped by Apple, it seems to fall back and checks the system CA store in case the provided set of CA certs fail the verification. A secondary check that was not asked for, is not documented and plain frankly comes completely by surprise. Therefore, when a user runs the check with a trimmed and dedicated CA cert file, it will not fail if the system CA store contains a cert that can verify the server! This is a security problem because now suddenly certificate checks pass that should not pass. "We don't consider this something that needs to be addressed in our platforms," Apple Product Security responded. Stenberg's blog post responds, "I disagree."
Long-time Slashdot reader lee1 shares their reaction: I started to sour on MacOS about 20 years ago when I discovered that they had, without notice, substituted their own, nonstandard version of the Readline library for the one that the rest of the Unix-like world was using. This broke gnuplot and a lot of other free software... Apple is still breaking things, this time with serious security and privacy implications. Read more of this story at Slashdot.
Microsoft Confirms Windows Server Security Update Caused Memory Leak, 'Unscheduled' Reboots
"Microsoft confirmed that a memory leak introduced with the March 2024 Windows Server security updates is behind a widespread issue causing Windows domain controllers to crash," BleepingComputer reported Thursday. Friday Microsoft wrote that the issue "was resolved in the out-of-band update KB5037422," only available via the Microsoft Update Catalog. (The update "is not available from Windows Update and will not install automatically.") BleepingComputer reported the leak only affected "enterprise systems using the impacted Windows Server platform," and home users were not affected. But Microsoft confirmed it impacted all domain controller servers with the latest Windows Server 2012 R2, 2016, 2019, and 2022 updates: As BleepingComputer first reported on Wednesday and as many admins have warned over the last week, affected servers are freezing and restarting unexpectedly due to a Local Security Authority Subsystem Service (LSASS) process memory leak introduced with this month's cumulative updates. "Since installation of the March updates (Exchange as well as regular Windows Server updates) most of our DCs show constantly increasing lsass memory usage (until they die)," one admin said. "Our symptoms were ballooning memory usage on the lsass.exe process after installing KB5035855 (Server 2016) and KB5035857 (Server 2022) to the point that all physical and virtual memory was consumed and the machine hung," another Windows admin told BleepingComputer. The leak "is observed when on-premises and cloud-based Active Directory Domain Controllers service Kerberos authentication requests," Microsoft wrote. "Extreme memory leaks may cause LSASS to crash, which triggers an unscheduled reboot of underlying domain controllers..." "We strongly recommend you do not apply the March 2024 security update on DCs and install KB5037422 instead..."
Trump's Truth Social Is Going Public
An anonymous reader quotes a report from Wired: Former president Donald Trump's Truth Social, a shameless Twitter clone, is set to become a publicly traded company as soon as next week. Shareholders of Digital World Acquisition Corp. voted on Friday to merge with Trump Media and Technology Group, the company behind Truth Social. The vote is a culmination of a years-long saga attempting to merge Trump Media with a publicly traded company in what's known as a SPAC deal. The company will trade under the ticker DJT once it goes public. [...] Truth Social looks nearly identical to Twitter, with some key distinctions. Instead of "tweeting," users post a "truth." A "retweet" is called a "retruth." Unlike many right-wing Twitter clones, the site functions well, has remained mostly online, and actually appears to have a somewhat active user base. But since launching in February 2022, after Trump was kicked off of mainstream platforms for inciting violence during the January 6 riot at the Capitol, the company has been mired in controversy.
Truck-To-Truck Worm Could Infect Entire US Fleet
Jessica Lyons reports via The Register: Vulnerabilities in common Electronic Logging Devices (ELDs) required in US commercial trucks could be present in over 14 million medium- and heavy-duty rigs, according to boffins at Colorado State University. In a paper presented at the 2024 Network and Distributed System Security Symposium, associate professor Jeremy Daily and systems engineering graduate students Jake Jepson and Rik Chatterjee demonstrated how ELDs can be accessed over Bluetooth or Wi-Fi connections to take control of a truck, manipulate data, and spread malware between vehicles. "These findings highlight an urgent need to improve the security posture in ELD systems," the trio wrote [PDF]. The authors did not specify brands or models of ELDs that are vulnerable to the security flaws they highlight in the paper. But they do note there's not too much diversity of products on the market. While there are some 880 devices registered, "only a few tens of distinct ELD models" have hit the road in commercial trucks. A federal mandate requires most heavy-duty trucks to be equipped with ELDs, which track driving hours. These systems also log data on engine operation, vehicle movement and distances driven -- but they aren't required to have tested safety controls built in. And according to the researchers, they can be wirelessly manipulated by another car on the road to, for example, force a truck to pull over. The academics pointed out three vulnerabilities in ELDs. They used bench level testing systems for the demo, as well as additional testing on a moving 2014 Kenworth T270 Class 6 research truck equipped with a vulnerable ELD. [...] For one of the attacks, the boffins showed how anyone within wireless range could use the device's Wi-Fi and Bluetooth radios to send an arbitrary CAN message that could disrupt some of the vehicle's systems.
A second attack scenario, which also required the attacker to be within wireless range, involved connecting to the device and uploading malicious firmware to manipulate data and vehicle operations. Finally, in what the authors described as the "most concerning" scenario, they uploaded a truck-to-truck worm. The worm uses the compromised device's Wi-Fi capabilities to search for other vulnerable ELDs nearby. After finding the right ELDs, the worm uses default credentials to establish a connection, drops its malicious code on the next ELD, overwrites existing firmware, and then starts the process over again, scanning for additional devices. "Such an attack could lead to widespread disruptions in commercial fleets, with severe safety and operational implications," the researchers warned.
AI Surpasses Doctors In Spotting Early Breast Cancer Signs In NHS Trial
An AI tool named Mia, tested by the NHS, successfully detected signs of breast cancer in 11 women which had been missed by human doctors. The BBC reports: The tool, called Mia, was piloted alongside NHS clinicians and analyzed the mammograms of over 10,000 women. Most of them were cancer-free, but it successfully flagged all of those with symptoms, as well as an extra 11 the doctors did not identify. At their earliest stages, cancers can be extremely small and hard to spot. The BBC saw Mia in action at NHS Grampian, where we were shown tumors that were practically invisible to the human eye. But, depending on their type, they can grow and spread rapidly. Barbara was one of the 11 patients whose cancer was flagged by Mia but had not been spotted on her scan when it was studied by the hospital radiologists. Because her 6mm tumor was caught so early she had an operation but only needed five days of radiotherapy. Breast cancer patients with tumors which are smaller than 15mm when discovered have a 90% survival rate over the following five years. Barbara said she was pleased the treatment was much less invasive than that of her sister and mother, who had previously also battled the disease. Without the AI tool's assistance, Barbara's cancer would potentially not have been spotted until her next routine mammogram three years later. She had not experienced any noticeable symptoms. "These results are encouraging and help to highlight the exciting potential AI presents for diagnostics. There is no question that real-life clinical radiologists are essential and irreplaceable, but a clinical radiologist using insights from validated AI tools will increasingly be a formidable force in patient care," said Dr Katharine Halliday, President of the Royal College of Radiologists.
World's First Nuclear Fusion-Powered Electric Propulsion Drive Unveiled
An anonymous reader quotes a report from InterestingEngineering: A concept that began as a doodle at a conference years ago is now becoming a reality. RocketStar Inc. has showcased (PDF) its advanced nuclear-based propulsion technology called the FireStar Drive. It is said to be the world's first electric device for spacecraft propulsion boosted by nuclear fusion. Recently, the company announced the successful initial demonstration of this electric propulsion technology. The FireStar Drive harnesses the power of nuclear fusion to improve the performance of RocketStar's "water-fueled pulsed plasma thruster." A spacecraft's thrusters perform various functions, including propulsion, orbital changes, and even docking with other orbiting platforms. Moreover, the device employs a unique sort of aneutronic nuclear fusion, which is a fusion reaction that generates few to no neutrons as a byproduct. "The base thruster generates high-speed protons through the ionization of water vapor," noted the press release. Therefore, these protons collide with the nucleus of a boron atom, which starts the fusion reaction. The FireStar Drive begins a fusion process by adding boron into the thruster exhaust, resulting in high-energy particles that increase thrust. RocketStar's current thruster is dubbed M1.5. Plans to test the FireStar Drive are now ongoing. The in-space technological demonstration will take place aboard D-Orbit's patented OTV ION Satellite Carrier. The SpaceX Transporter rideshare mission will likely launch the demo test in July and October 2024. Furthermore, the team plans to undertake ground tests this year, with more in-space demonstrations scheduled for February 2025. The FireStar Drive will undergo testing as a payload aboard Rogue Space System's Barry-2 spacecraft in the same month. The thruster M1.5 is already ready for delivery to clients.
New 'GoFetch' Apple CPU Attack Exposes Crypto Keys
"There is a new side channel attack against Apple 'M' series CPUs that does not appear to be fixable without a major performance hit," writes Slashdot reader EncryptedSoldier. SecurityWeek reports: A team of researchers representing several universities in the United States has disclosed the details of a new side-channel attack method that can be used to extract secret encryption keys from systems powered by Apple CPUs. The attack method, dubbed GoFetch, has been described as a microarchitectural side-channel attack that allows the extraction of secret keys from constant-time cryptographic implementations. These types of attacks require local access to the targeted system. The attack targets a hardware optimization named data memory-dependent prefetcher (DMP), which attempts to prefetch addresses found in the contents of program memory to improve performance. The researchers have found a way to use specially crafted cryptographic operation inputs that allow them to infer secret keys, guessing them bits at a time by monitoring the behavior of the DMP. They managed to demonstrate end-to-end key extraction attacks against several crypto implementations, including OpenSSL Diffie-Hellman Key Exchange, Go RSA, and the post-quantum CRYSTALS-Kyber and CRYSTALS-Dilithium. The researchers have conducted successful GoFetch attacks against systems powered by Apple M1 processors, and they have found evidence that the attack could also work against M2 and M3 processors. They have also tested an Intel processor that uses DMP, but found that it's 'more robust' against such attacks. The experts said Apple is investigating the issue, but fully addressing it does not seem trivial. The researchers have proposed several countermeasures, but they involve hardware changes that are not easy to implement or mitigations that can have a significant impact on performance. 
Apple told SecurityWeek that it thanks the researchers for their collaboration as this work advances the company's understanding of these types of threats. The tech giant also shared a link to a developer page that outlines one of the mitigations mentioned by the researchers. The researchers have published a paper (PDF) detailing their work. Ars Technica's Dan Goodin also reported on the vulnerability.
Database For UK Nurse Registration 'Completely Unacceptable'
Lindsay Clark reports via The Register: The UK Information Commissioner's Office has received a complaint detailing the mismanagement of personal data at the Nursing and Midwifery Council (NMC), the regulator that oversees worker registration. Employment as a nurse or midwife depends on enrollment with the NMC in the UK. According to whistleblower evidence seen by The Register, the databases on which the personal information is held lack rudimentary technical standards and practices. The NMC said its data was secure with a high level of quality, allowing it to fulfill its regulatory role, although it was on "a journey of improvement." But without basic documentation, or the primary keys or foreign keys common in database management, the Microsoft SQL Server databases -- holding information about 800,000 registered professionals -- are difficult to query and manage, making assurances on governance nearly impossible, the whistleblower told us. The databases have no version control systems. Important fields for identifying individuals were used inconsistently -- for example, containing junk data, test data, or null data. Although the tech team used workarounds to compensate for the lack of basic technical standards, they were ad hoc and known by only a handful of individuals, creating business continuity risks should they leave the organization, according to the whistleblower. Despite having been warned of the issues of basic technical practice internally, the NMC failed to acknowledge the problems. Only after exhausting other avenues did the whistleblower raise concern externally with the ICO and The Register. The NMC stores sensitive data on behalf of the professionals that it registers, including gender, sexual orientation, gender identity, ethnicity and nationality, disability details, marital status, as well as other personal information. 
The whistleblower's complaint claims the NMC falls well short of [the standards required under current UK law for data protection and the EU's General Data Protection Regulation (GDPR)]. The statement alleges that the NMC's "data management and data retrieval practices were completely unacceptable." "There is not even much by way of internal structure of the databases for self-documentation, such as primary keys, foreign keys (with a few honorable exceptions), check constraints and table constraints. Even fields that should not be null are nullable. This is frankly astonishing and not the practice of a mature, professional organization," the statement says. For example, the databases contain a unique ten-digit number (or PRN) to identify individuals registered to the NMC. However, the fields for PRNs sometimes contain individuals' names, start with a letter or other invalid data, or are simply null. The whistleblower's complaint says that the PRN problem, and other database design deficiencies, meant that it was nearly impossible to produce "accurate, correct, business critical reports ... because frankly no one knows where the correct data is to be found." A spokesperson for the NMC said the register was "organized and documented" in the SQL Server database. "For clarity, the register of all our nurses, midwives and nursing practitioners is held within Dynamics 365 which is our system of record. This solution and the data held within it, is secure and well documented. It does not rely on any SQL database. The SQL database referenced by the whistleblower relates to our data warehouse which we are in the process of modernizing as previously shared."
Users Shocked To Find Instagram Limits Political Content By Default
Instagram has been limiting recommended political content by default without notifying users. Ars Technica reports: Instead, Instagram rolled out the change in February, announcing in a blog that the platform doesn't "want to proactively recommend political content from accounts you don't follow." That post confirmed that Meta "won't proactively recommend content about politics on recommendation surfaces across Instagram and Threads," so that those platforms can remain "a great experience for everyone." "This change does not impact posts from accounts people choose to follow; it impacts what the system recommends, and people can control if they want more," Meta's spokesperson Dani Lever told Ars. "We have been working for years to show people less political content based on what they told us they want, and what posts they told us are political." To change the setting, users can navigate to Instagram's menu for "settings and activity" in their profiles, where they can update their "content preferences." On this menu, "political content" is the last item under a list of "suggested content" controls that allow users to set preferences for what content is recommended in their feeds. There are currently two options for controlling what political content users see. Choosing "don't limit" means "you might see more political or social topics in your suggested content," the app says. By default, all users are set to "limit," which means "you might see less political or social topics." "This affects suggestions in Explore, Reels, Feed, Recommendations, and Suggested Users," Instagram's settings menu explains. "It does not affect content from accounts you follow. This setting also applies to Threads." "Did [y'all] know Instagram was actively limiting the reach of political content like this?!" an X user named Olayemi Olurin wrote in an X post. "I had no idea 'til I saw this comment and I checked my settings and sho nuff political content was limited." 
"This is actually kinda wild that Instagram defaults everyone to this," another user wrote. "Obviously political content is toxic but during an election season it's a little weird to just hide it from everyone?"
General Motors Quits Sharing Driving Behavior With Data Brokers
An anonymous reader quotes a report from the New York Times: General Motors said Friday that it had stopped sharing details about how people drove its cars with two data brokers that created risk profiles for the insurance industry. The decision followed a New York Times report this month that G.M. had, for years, been sharing data about drivers' mileage, braking, acceleration and speed with the insurance industry. The drivers were enrolled -- some unknowingly, they said -- in OnStar Smart Driver, a feature in G.M.'s internet-connected cars that collected data about how the car had been driven and promised feedback and digital badges for good driving. Some drivers said their insurance rates had increased as a result of the captured data, which G.M. shared with two brokers, LexisNexis Risk Solutions and Verisk. The firms then sold the data to insurance companies. Since Wednesday, "OnStar Smart Driver customer data is no longer being shared with LexisNexis or Verisk," a G.M. spokeswoman, Malorie Lucich, said in an emailed statement. "Customer trust is a priority for us, and we are actively evaluating our privacy processes and policies."
Dutch Court Orders ISP To Block 'Anna's Archive' and 'LibGen'
The Dutch pirate site blocklist has expanded with two new targets, shadow libraries Anna's Archive and Library Genesis. The court order was obtained by local anti-piracy group BREIN, acting on behalf of major publishers. Interestingly, Z-Library isn't listed in the blocking order, despite explicit warnings previously issued by BREIN. TorrentFreak reports: All blocking requests were submitted by local anti-piracy group BREIN, which acts on behalf of rightsholders. These include the major Hollywood studios but BREIN's purview is much broader. Last week, it obtained the latest blocking order, this time on behalf of the publishing industry. Issued by the Rotterdam District Court, the order requires a local Internet provider to block two well-known shadow libraries; "Anna's Archive" and "Library Genesis" (LibGen). News of this new court order was shared by BREIN which notes that both sites were found to make copyright infringing works available on a large scale. At the time of writing, a published copy is not available but, based on the covenant, all large Internet providers are expected to implement the blockades. "These types of illegal shadow libraries are very harmful. The only ones who benefit are the anonymous owners of these illegal services. Authors and publishers see no return on their efforts and investments," BREIN comments. "Copyright holders deserve an honest living. There are numerous legal ways to obtain ebooks. If desired, this can also be done very cheaply; through the library for example." The Rotterdam court issued a so-called 'dynamic' blocking order, meaning that rightsholders can update the targeted domains and IP addresses if the sites switch to new ones in the future. This also applies to mirrors and increases the blockades' effectiveness, as there is no need to return to court. Previously, Internet provider KPN challenged these 'dynamic' orders, suggesting that they are too broad. 
The court rejected this argument, however, noting that the process hasn't led to any major problems thus far. BREIN further reports that Google is voluntarily offering a helping hand. As reported in detail previously, the search engine removes blocked domains from its local search results after being notified about an ISP blocking order. "The effectiveness of the blocking measure is increased because Google cooperates in combating these infringements and, at the request of BREIN, completely removes all references to websites that are blocked by order of the Dutch court from the search results," BREIN writes.
Boom's XB-1 Supersonic Demonstrator Makes First Flight
Boom Supersonic's first aircraft, the XB-1, completed its first flight today and met "all of its test objectives." From a report: This initial test only saw the aircraft 7,120 feet above sea level and fly at a top speed of 238 knots (274 mph) -- far from Mach 1, the speed of sound. The first flight of XB-1 took place at the Mojave Air & Space Port in California, in the same airspace where the X-1 broke the sound barrier, the X-15 conducted test flights for altitude and speed records, and the SR-71 Blackbird was also tested. According to Boom, the XB-1 will be testing, among other things: Augmented reality vision system: Two nose-mounted cameras, digitally augmented with attitude and flight path indications, feed a high-resolution pilot display enabling excellent runway visibility. This system allows for improved aerodynamic efficiency without the weight and complexity of a movable nose. Digitally-optimized aerodynamics: Engineers used computational fluid dynamics simulations to explore thousands of designs for XB-1. The result is an optimized design that combines safe and stable operation at takeoff and landing with efficiency at supersonic speeds. Carbon fiber composites: XB-1 is almost entirely made from carbon fiber composite materials, enabling it to realize a sophisticated aerodynamic design in a strong, lightweight structure. Supersonic intakes: XB-1's engine intakes slow supersonic air to subsonic speeds, efficiently converting kinetic energy into pressure energy and allowing conventional jet engines to power XB-1 from takeoff through supersonic flight. Another thing being tested by XB-1 is the construction of a safety culture. With XB-1 now a flying test vehicle, there are many flights ahead before we get to Overture One's first flight, much less dramatically expanding access to supersonic flight. This work will require much engineering and a resilient safety culture.
But the first flight of the first step was carried out by Boom Supersonic today, March 22, 2024.
Mozilla Drops Onerep After CEO Admits To Running People-Search Networks
An anonymous reader quotes a report from KrebsOnSecurity: The nonprofit organization that supports the Firefox web browser said today it is winding down its new partnership with Onerep, an identity protection service recently bundled with Firefox that offers to remove users from hundreds of people-search sites. The move comes just days after a report by KrebsOnSecurity forced Onerep's CEO to admit that he has founded dozens of people-search networks over the years. Mozilla only began bundling Onerep in Firefox last month, when it announced the reputation service would be offered on a subscription basis as part of Mozilla Monitor Plus. Launched in 2018 under the name Firefox Monitor, Mozilla Monitor also checks data from the website Have I Been Pwned? to let users know when their email addresses or password are leaked in data breaches. On March 14, KrebsOnSecurity published a story showing that Onerep's Belarusian CEO and founder Dimitiri Shelest launched dozens of people-search services since 2010, including a still-active data broker called Nuwber that sells background reports on people. Onerep and Shelest did not respond to requests for comment on that story. But on March 21, Shelest released a lengthy statement wherein he admitted to maintaining an ownership stake in Nuwber, a consumer data broker he founded in 2015 -- around the same time he launched Onerep. Shelest maintained that Nuwber has "zero cross-over or information-sharing with Onerep," and said any other old domains that may be found and associated with his name are no longer being operated by him. "I get it," Shelest wrote. "My affiliation with a people search business may look odd from the outside. In truth, if I hadn't taken that initial path with a deep dive into how people search sites work, Onerep wouldn't have the best tech and team in the space. Still, I now appreciate that we did not make this more clear in the past and I'm aiming to do better in the future." 
The full statement is available here (PDF). In a statement released today, a spokesperson for Mozilla said it was moving away from Onerep as a service provider in its Monitor Plus product. "Though customer data was never at risk, the outside financial interests and activities of Onerep's CEO do not align with our values," Mozilla wrote. "We're working now to solidify a transition plan that will provide customers with a seamless experience and will continue to put their interests first." KrebsOnSecurity also reported that Shelest's email address was used circa 2010 by an affiliate of Spamit, a Russian-language organization that paid people to aggressively promote websites hawking male enhancement drugs and generic pharmaceuticals. As noted in the March 14 story, this connection was confirmed by research from multiple graduate students at my alma mater George Mason University. Shelest denied ever being associated with Spamit. "Between 2010 and 2014, we put up some web pages and optimize them -- a widely used SEO practice -- and then ran AdSense banners on them," Shelest said, presumably referring to the dozens of people-search domains KrebsOnSecurity found were connected to his email addresses (dmitrcox@gmail.com and dmitrcox2@gmail.com). "As we progressed and learned more, we saw that a lot of the inquiries coming in were for people." Shelest also acknowledged that Onerep pays to run ads "on a handful of data broker sites in very specific circumstances." "Our ad is served once someone has manually completed an opt-out form on their own," Shelest wrote. "The goal is to let them know that if they were exposed on that site, there may be others, and bring awareness to there being a more automated opt-out option, such as Onerep."
DOJ Blames Apple For Failure of Amazon Fire Phone, Windows Phone and HTC
DOJ, in the court filing (PDF): Many prominent, well-financed companies have tried and failed to successfully enter the relevant markets because of these entry barriers. Past failures include Amazon (which released its Fire mobile phone in 2014 but could not profitably sustain its business and exited the following year); Microsoft (which discontinued its mobile business in 2017); HTC (which exited the market by selling its smartphone business to Google in September 2017); and LG (which exited the smartphone market in 2021). Today, only Samsung and Google remain as meaningful competitors in the U.S. performance smartphone market. Barriers are so high that Google is a distant third to Apple and Samsung despite the fact that Google controls development of the Android operating system.
Cable ISP Fined $10,000 For Lying To FCC About Where It Offers Broadband
An Internet service provider that admitted lying to the FCC about where it offers broadband will pay a $10,000 fine and implement a compliance plan to prevent future violations. ArsTechnica: Jefferson County Cable (JCC), a small ISP in Toronto, Ohio, admitted that it falsely claimed to offer fiber service in an area that it hadn't expanded to yet. A company executive also admitted that the firm submitted false coverage data to prevent other ISPs from obtaining government grants to serve the area. Ars helped expose the incident in a February 2023 article. The FCC announced the outcome of its investigation on March 15, saying that Jefferson County Cable violated the Broadband Data Collection program requirements and the Broadband DATA Act, a US law, "in connection with reporting inaccurate information or data with respect to the Company's ability to provide broadband Internet access service." The FCC said: "To settle this matter, Jefferson County Cable agrees to pay a $10,000 civil penalty to the United States Treasury. Jefferson County Cable also agrees to implement enhanced compliance measures. This action will help further the Commission's efforts to bridge the digital divide by having accurate data of locations where broadband service is available."
Google Testing AI Overviews in Search Results, Even If You Have Not Opted In
Search Engine Land: Google is now testing AI overviews in the main Google Search results, even if you have not opted into the Google Search Generative Experience labs feature. Google said this is an experience on a "subset of queries, on a small percentage of search traffic in the U.S.," a Google spokesperson told Search Engine Land.
DOT Wants To Know How Big Airlines Use Passenger Data
The U.S. Department of Transportation has announced it will conduct a review of the data practices of the country's ten largest airlines, amid concerns over potential misuse of customer information for upselling, overcharging, targeted advertising, and third-party data sales, as well as the security of systems handling sensitive data such as passport numbers. From a report: The probe will look at air carriers' policies and procedures to determine if they are safeguarding personal info properly, unfairly or deceptively monetizing it, or sharing it with third parties, the agency said yesterday. If they're indeed doing anything "problematic," they can look forward to scrutiny, fines, and new rules, says the DOT. "Airline passengers should have confidence that their personal information is not being shared improperly with third parties or mishandled by employees," said US Transportation Secretary Pete Buttigieg. "This review of airline practices is the beginning of a new initiative by DOT to ensure airlines are being good stewards of sensitive passenger data." The ten airlines going under the magnifying glass are Delta, United, American, Southwest, Alaska, JetBlue, Spirit, Frontier, Hawaiian and Allegiant.
Security and Climate Change Drive a Return To Nuclear Energy as Over 30 Nations Sign Summit Pledge
In the shadow of a massive monument glorifying nuclear power, over 30 nations from around the world pledged to use the controversial energy source to help achieve a climate-neutral globe while providing countries with an added sense of strategic security. Associated Press: The idea of a Nuclear Energy Summit would have been unthinkable a dozen years ago after the 2011 Fukushima nuclear accident in Japan, but the tide has turned in recent years. A warming planet has made it necessary to phase out fossil fuels, while the war in Ukraine has laid bare Europe's dependence on Russian energy. "We have to do everything possible to facilitate the contribution of nuclear energy," said Rafael Grossi, the head of the International Atomic Energy Agency. "It is clear: Nuclear is there. It has an important role to play," he said. In a solemn pledge, 34 nations, including the United States, China, France, Britain and Saudi Arabia, committed "to work to fully unlock the potential of nuclear energy by taking measures such as enabling conditions to support and competitively finance the lifetime extension of existing nuclear reactors, the construction of new nuclear power plants and the early deployment of advanced reactors." The statement adds: "We commit to support all countries, especially emerging nuclear ones, in their capacities and efforts to add nuclear energy to their energy mixes."
Switch Emulator Suyu Hit By GitLab DMCA, Project Lives on Through Self-hosting
Switch emulator Suyu -- a fork of the Nintendo-targeted and now-defunct emulation project Yuzu -- has been taken down from GitLab following a DMCA request Thursday. But the emulation project's open source files remain available on a self-hosted git repo on the Suyu website, and recent compiled binaries remain available on an extant GitLab repo. From a report: While the DMCA takedown request has not yet appeared on GitLab's public repository of such requests, a GitLab spokesperson confirmed to The Verge that the project was taken down after the site received notice "from a representative of the rightsholder."
More Than Half of Chickenpox Diagnoses Are Wrong, Study Finds
An anonymous reader shares a report: Thanks to the vaccination program that began in 1995, chickenpox is now relatively rare. Cases of the miserable, itchy condition have fallen more than 97 percent. But, while children have largely put the oatmeal baths and oven mitts behind them, doctors have apparently let their diagnostic skills get a little crusty. According to a study published Thursday, public health researchers in Minnesota found that 55 percent of people diagnosed with chickenpox based on their symptoms were actually negative for the varicella-zoster virus, the virus that causes chickenpox. The study noted that the people were all diagnosed in person by health care providers in medical facilities. But, instead of chickenpox, lab testing showed that some of the patients were actually infected with an enterovirus, which can cause a rash, or the herpes simplex virus 1, which causes cold sores. The study, published in the Centers for Disease Control and Prevention's Morbidity and Mortality Weekly Report, supports expanding laboratory testing for suspected chickenpox cases in the state's program and highlights that diagnoses based on symptoms are "unreliable." For one thing, doctors simply see far fewer chickenpox cases these days because of the protection from vaccines. While chickenpox cases in the US previously reached 4 million each year, with 10,500 to 13,500 hospitalizations and 100 to 150 deaths, there are now fewer than 150,000 cases, 1,400 hospitalizations, and 30 deaths each year, the CDC reports. Vaccination is more than 90 percent effective at preventing the disease. In the rare cases where a vaccinated person contracts chickenpox, the muted rashes are challenging to identify by eye. But even in unvaccinated children, chickenpox can be tricky to pick out; it can easily be confused with measles, insect bites, enterovirus, skin infections such as scabies and impetigo, herpes viruses, and hand, foot, and mouth disease.
Geologists Reject Declaration of Anthropocene Epoch
The guardians of the world's official geological timescale have firmly rejected a proposal to declare an Anthropocene epoch, after an epic academic row. From a report: The proposal would have designated the period from 1952 as the Anthropocene to reflect the planet-changing impact of humanity. It would have ended the Holocene epoch, the 11,700 years of stable climate since the last ice age and during which human civilisation arose. The International Union of Geological Sciences (IUGS) has announced, however, that geologists have rejected the idea in a series of votes. Those objecting noted a much longer history of human impacts on Earth, including the dawn of agriculture and the industrial revolution, and unease about including a new unit in the geological timescale with a span of less than a single human lifetime, it said. Most units span thousands or millions of years. It also acknowledged: "The Anthropocene as a concept will continue to be widely used not only by Earth and environmental scientists, but also by social scientists, politicians and economists, as well as by the public at large. As such, it will remain an invaluable descriptor in human-environment interactions." The Anthropocene working group (AWG), which was formed by the Subcommission on Quaternary Stratigraphy (SQS), in turn part of the IUGS, took 15 years to develop the proposal. It concluded that the radioactive isotopes spread worldwide by hydrogen bomb tests were the best marker of humanity's transformation of the planet. Geological time units also need a specific location to typify the unit and the Crawford sinkhole lake in Canada was chosen.
US Cyber Investors Pledge Spyware is Off Limits - With a Catch
An anonymous reader shares a report: On Monday, the Biden administration announced that six new countries had joined an international coalition to fight the proliferation of commercial spyware, sold by companies such as NSO Group or Intellexa. Now, some investors have announced that they too are committed to fighting spyware. But at least one of those investors, Paladin Capital Group, has previously invested in a company that developed malware, according to a leaked 2021-dated slide deck obtained by TechCrunch, although the firm tells TechCrunch it "got out" of the firm some time ago. In the last couple of years, the U.S. government has led an effort to limit or at least restrain the use of spyware across the world by putting surveillance tech makers like NSO Group, Candiru, and Intellexa on blocklists, as well as imposing export controls on those companies and visa restrictions on people involved in the industry. More recently, the government has imposed economic sanctions not only on companies, but also directly on the executive who founded Intellexa. These actions have put others in the spyware industry on alert. In a call with reporters on Monday that TechCrunch attended, a senior Biden administration official said that a representative from Paladin participated in meetings at the White House on March 7, as well as this week in Seoul, where governments gathered for the Summit for Democracy to discuss spyware. Paladin, one of the biggest investors in cybersecurity startups, and several other venture firms published a set of voluntary investment principles, noting that they would invest in companies that "enhance the defense, national security, and foreign policy interests of free and open societies." 
"For us, it was an important first step in having an investor outline both recognition that investments should not be going towards companies that are undertaking selling products, and selling to clients that can undermine free and fair societies," the senior administration official said in the call, where journalists agreed not to quote the officials by name.
Higher Temperatures Mean Higher Food and Other Prices
Food prices and overall inflation will rise as temperatures climb with climate change, a new study by an environmental scientist and the European Central Bank found. From a report: Looking at monthly price tags of food and other goods, temperatures and other climate factors in 121 nations since 1996, researchers calculate that "weather and climate shocks" will cause the cost of food to rise 1.5 to 1.8 percentage points annually within a decade or so, even higher in already hot places like the Middle East, according to a study in Thursday's journal Communications, Earth and the Environment. And that translates to an increase in overall inflation of 0.8 to 0.9 percentage points by 2035, just caused by climate change extreme weather, the study said. Those numbers may look small, but to banks like the U.S. Federal Reserve that fight inflation, they are significant, said study lead author Max Kotz, a climate scientist at the Potsdam Institute for Climate Impact Research in Germany. "The physical impacts of climate change are going to have a persistent effect on inflation," Kotz said. "This is really from my perspective another example of one of the ways in which climate change can undermine human welfare, economic welfare."
DOJ Lawsuit Against Apple is Headline Grabber But Poses Limited Near-Term Impact
An anonymous reader shares a report: The U.S. Department of Justice filed a lawsuit against Apple Thursday, accusing the company led by CEO Tim Cook of engaging in anti-competitive business practices. The allegations include claims that Apple prevents competitors from accessing certain iPhone features and that the company's actions impact the "flow of speech" through its streaming service, Apple TV+. However, even if the DOJ proves any of the allegations, it is highly unlikely that Apple will face material changes for years, as history shows that such lawsuits often take a significant amount of time to reach the trial, let alone a resolution. The DOJ's ongoing case against Google, filed in 2020, only went to trial in 2023, with no remedies or financial implications expected for up to two more years. This is not the first time Apple has faced legal action from the DOJ. In 2012, the agency sued Apple for conspiring with publishers to increase ebook prices, a lawsuit that was not settled until 2016. "Precedents suggest that resolution of the complaint will take three to five years, including appeals," Bernstein analysts wrote in a note.
Apple Held Talks With China's Baidu Over AI for Its Devices
Apple has held preliminary talks with Baidu about using the Chinese company's generative AI technology in its devices in China, the latest example of the iPhone maker's efforts to widen its AI capabilities. From a report: The U.S. tech giant has been exploring using external partners to help accelerate its AI ambitions. It has held discussions with companies including Google and OpenAI about using their technology to power its mobile features. In China, Apple has been looking for a local generative AI model provider, mainly because China requires such models to be vetted by its cyberspace regulator before being launched to the public, people familiar with the matter said.
Texas Sues xHamster and Chaturbate
An anonymous reader quotes a report from 404 Media: Texas Attorney General Ken Paxton just sued two more porn sites, xHamster and Chaturbate, alleging they aren't complying with age verification laws. As first reported by local news outlet KXAN, the Office of the Attorney General filed two civil lawsuits on Tuesday afternoon against Hammy Media, which owns xHamster, and Multi Media, which owns Chaturbate. Texas Governor Greg Abbott signed HB 1181 into law in June, which requires porn sites to verify the ages of users through a driver's license or passport. If porn sites don't force consenting adults to hand over a government-issued ID in order to watch other consenting adults have sex on camera, they face heavy fines. Paxton's lawsuit against xHamster asks the court to force the site to pay a civil penalty of up to $1.67 million, with an additional $10,000 a day since filing. For Chaturbate, it's $1.78 million plus $10,000 per day. Last week, Pornhub's parent company Aylo blocked anyone accessing its network of sites from a Texas IP address, and replaced its network of sites -- which include Pornhub, Brazzers, YouPorn and many more -- with a message about its rejection of age verification legislation that requires adults to show government-issued ID to access porn. [...] As of writing, xHamster and Chaturbate are still accessible in Texas and don't have requirements to verify users' ages with a government ID.
E-Waste Is Growing 5x Faster Than It Can Be Recycled, Says UN
According to a United Nations report, humans are producing electronic waste almost five times faster than we're recycling it. "While e-waste recycling has benefits estimated to include $23 billion of monetized value from avoided greenhouse gas emissions and $28 billion of recovered materials like gold, copper, and iron, it also comes at a cost -- $10 billion associated with e-waste treatment and $78 billion of externalized costs to people and the environment," reports The Register. "Overall, this puts the net annual economic monetary cost of e-waste at $37 billion. And this is expected to reach $40 billion by 2030 if improvements in e-waste management and policies aren't made." From the report: The 2024 Global E-waste Monitor (GEM) [PDF] was prepared by the UN's International Telecommunication Union (ITU) and the UN Institute for Training and Research (UNITAR). The report reveals that annual generation of e-waste -- discarded devices with a plug or battery -- is growing at a rate of 2.6 million metric tons per year (a metric ton is equivalent to roughly 2,204.62 pounds -- all units in this story are metric) and is expected to reach 82 million tons by 2030, from 62 million tons in 2022. Those 62 million tons, the report suggests, would fill 1.55 million 40-ton trucks, which would roughly encircle the equator -- if you parked them end-to-end and paved the relevant oceans. And that's to say nothing of the economic consequences of taking so many trucks out of service and disrupting global shipping routes with an equatorial parking structure, so let's not. Of the 62 million tons of e-waste generated globally in 2022, an estimated 13.8 million tons was documented, collected, and properly recycled. Another 16 million tons is said to have been recycled through undocumented channels in high and middle-income countries with developed waste management infrastructure. 
A further 18 million tons, it is estimated, was processed in low and middle-low income countries without developed e-waste management systems -- through which toxic chemicals get released. And the final 14 million tons are said to have been thrown away to end up mainly in landfills -- also not ideal. The rate of e-waste creation and recycling varies by region. In Europe, per capita e-waste generation is 17.6 kg and recycling is 7.5 kg. In Oceania, it's 16.1 kg and 6.7 kg respectively. In the Americas, it's 14.1 kg and 4.2 kg. The annual average formal collection and recycling rate in Europe is 42.8 percent, compared to 41.4 percent in Oceania, 30 percent in the Americas, 11.8 percent in Asia, and 0.7 percent in Africa. The report calls for stronger formal e-waste management and for policy makers to make sure that initiatives to promote renewable energy don't end up undermining environmental concerns. It notes, for example, that e-waste from photovoltaic panels -- to generate solar power -- is expected to quadruple from 0.6 million tons in 2022 to 2.4 million tons in 2030.
Vernor Vinge, Father of the Tech Singularity, Has Died At Age 79
"Vernor Vinge, who three times won the Hugo for best novel, has died," writes Slashdot reader Felix Baum. Ars Technica reports: On Wednesday, author David Brin announced that Vernor Vinge, sci-fi author, former professor, and father of the technological singularity concept, died from Parkinson's disease at age 79 on March 20, 2024, in La Jolla, California. The announcement came in a Facebook tribute where Brin wrote about Vinge's deep love for science and writing. "A titan in the literary genre that explores a limitless range of potential destinies, Vernor enthralled millions with tales of plausible tomorrows, made all the more vivid by his polymath masteries of language, drama, characters, and the implications of science," wrote Brin in his post. As a sci-fi author, Vinge won Hugo Awards for his novels A Fire Upon the Deep (1993), A Deepness in the Sky (2000), and Rainbows End (2007). He also won Hugos for novellas Fast Times at Fairmont High (2002) and The Cookie Monster (2004). As Mike Glyer's File 770 blog notes, Vinge's novella True Names (1981) is frequently cited as the first presentation of an in-depth look at the concept of "cyberspace." Vinge first coined the term "singularity" as related to technology in 1983, borrowed from the concept of a singularity in spacetime in physics. When discussing the creation of intelligences far greater than our own in a 1983 op-ed in OMNI magazine, Vinge wrote, "When this happens, human history will have reached a kind of singularity, an intellectual transition as impenetrable as the knotted space-time at the center of a black hole, and the world will pass far beyond our understanding." In 1993, he expanded on the idea in an essay titled The Coming Technological Singularity: How to Survive in the Post-Human Era.
UnitedHealth Group Paid More Than $2 Billion To Providers Following Cyberattack
An anonymous reader quotes a report from CNBC: UnitedHealth Group said Monday that it's paid out more than $2 billion to help health-care providers who have been affected by the cyberattack on subsidiary Change Healthcare. "We continue to make significant progress in restoring the services impacted by this cyberattack," UnitedHealth CEO Andrew Witty said in a press release. "We know this has been an enormous challenge for health care providers and we encourage any in need to contact us." UnitedHealth disclosed nearly a month ago that a cyber threat actor breached part of Change Healthcare's information technology network. The fallout has wreaked havoc across the U.S. health-care system. Change Healthcare offers e-prescription software and tools for payment management, so the interruptions left many providers temporarily unable to fill medications or get reimbursed for their services by insurers. UnitedHealth, which provides care for 152 million people, said on Monday that it began releasing medical claims preparation software, which will be available to thousands of customers in the next several days. The company called it "an important step in the resumption of services." On Friday, UnitedHealth said it restored Change Healthcare's electronic payments platform, after rebooting 99% of its pharmacy network services earlier this month. It also introduced a temporary funding assistance program to help health-care providers experiencing cash flow trouble because of the attack. UnitedHealth said the advances will not need to be repaid until claims flows return to normal. Federal agencies like the Centers for Medicare & Medicaid Services have introduced additional options to ensure that states and other stakeholders can make interim payments to providers, according to a release.
Windows 11 Notepad Finally Gets Spellcheck and Autocorrect
Microsoft today announced a preview release of Windows Notepad, with built-in spellchecking and an autocorrect feature. BleepingComputer reports: Microsoft says they are rolling out this preview to Insiders in the Windows 11 Canary and Dev channels, but it may take some time before it's available for everyone. "With this update, Notepad will now highlight misspelled words and provide suggestions so that you can easily identify and correct mistakes," reads Microsoft's announcement. "We are also introducing autocorrect which seamlessly fixes common typing mistakes as you type." Once installed, Notepad will now show a red squiggly line under misspelled words that, when clicked, shows suggestions on the correct spelling. It's also possible to ignore words in a single text document or add them to the global dictionary so they are not shown in the future. Microsoft says that this feature will be turned off for log and source code files. This is because it's common for non-standard words to be used in these files, triggering multiple spellcheck errors. Users can control this setting globally or for specific file types in the Notepad app's settings. The autocorrect feature is a bit more seamless, automatically making small changes to grammar and punctuation as you type.
Redis To Adopt 'Source-Available Licensing' Starting With Next Version
Longtime Slashdot reader jgulla shares an announcement from Redis: Beginning today, all future versions of Redis will be released with source-available licenses. Starting with Redis 7.4, Redis will be dual-licensed under the Redis Source Available License (RSALv2) and Server Side Public License (SSPLv1). Consequently, Redis will no longer be distributed under the three-clause Berkeley Software Distribution (BSD). The new source-available licenses allow us to sustainably provide permissive use of our source code. We're leading Redis into its next phase of development as a real-time data platform with a unified set of clients, tools, and core Redis product offerings. The Redis source code will continue to be freely available to developers, customers, and partners through Redis Community Edition. Future Redis source-available releases will unify core Redis with Redis Stack, including search, JSON, vector, probabilistic, and time-series data models in one free, easy-to-use package as downloadable software. This will allow anyone to easily use Redis across a variety of contexts, including as a high-performance key/value and document store, a powerful query engine, and a low-latency vector database powering generative AI applications. [...] Under the new license, cloud service providers hosting Redis offerings will no longer be permitted to use the source code of Redis free of charge. For example, cloud service providers will be able to deliver Redis 7.4 only after agreeing to licensing terms with Redis, the maintainers of the Redis code. These agreements will underpin support for existing integrated solutions and provide full access to forthcoming Redis innovations. In practice, nothing changes for the Redis developer community who will continue to enjoy permissive licensing under the dual license. At the same time, all the Redis client libraries under the responsibility of Redis will remain open source licensed. 
Redis will continue to support its vast partner ecosystem -- including managed service providers and system integrators -- with exclusive access to all future releases, updates, and features developed and delivered by Redis through its Partner Program. There is no change for existing Redis Enterprise customers.
Apple Launches All-In-One 'Manuals, Specs, and Downloads' Website
Apple has launched a new "Documentation" page to its website that provides links to user guides, repair manuals, tech specs, software downloads, and more for a variety of its products. MacRumors reports: Some of this information was previously found across separate pages on Apple's website, and it has now been combined in one place for convenient access. The page includes categories for the Mac, iPhone, iPad, iPod, Vision Pro, Apple Watch, Apple TV, AirPods, HomePod, displays like the Studio Display and Pro Display XDR, accessories like the Apple Pencil and Magic Keyboard, and software. There is also a search tool on the page that provides links to support documents and other relevant information based on the keywords entered.
Hackers Found a Way To Open Any of 3 Million Hotel Keycard Locks In Seconds
An anonymous reader quotes a report from Wired: When thousands of security researchers descend on Las Vegas every August for what's come to be known as "hacker summer camp," the back-to-back Black Hat and Defcon hacker conferences, it's a given that some of them will experiment with hacking the infrastructure of Vegas itself, the city's elaborate array of casino and hospitality technology. But at one private event in 2022, a select group of researchers were actually invited to hack a Vegas hotel room, competing in a suite crowded with their laptops and cans of Red Bull to find digital vulnerabilities in every one of the room's gadgets, from its TV to its bedside VoIP phone. One team of hackers spent those days focused on the lock on the room's door, perhaps its most sensitive piece of technology of all. Now, more than a year and a half later, they're finally bringing to light the results of that work: a technique they discovered that would allow an intruder to open any of millions of hotel rooms worldwide in seconds, with just two taps. Today, Ian Carroll, Lennert Wouters, and a team of other security researchers are revealing a hotel keycard hacking technique they call Unsaflok. The technique is a collection of security vulnerabilities that would allow a hacker to almost instantly open several models of Saflok-brand RFID-based keycard locks sold by the Swiss lock maker Dormakaba. The Saflok systems are installed on 3 million doors worldwide, inside 13,000 properties in 131 countries. By exploiting weaknesses in both Dormakaba's encryption and the underlying RFID system Dormakaba uses, known as MIFARE Classic, Carroll and Wouters have demonstrated just how easily they can open a Saflok keycard lock. 
Their technique starts with obtaining any keycard from a target hotel -- say, by booking a room there or grabbing a keycard out of a box of used ones -- then reading a certain code from that card with a $300 RFID read-write device, and finally writing two keycards of their own. When they merely tap those two cards on a lock, the first rewrites a certain piece of the lock's data, and the second opens it. Dormakaba says that it's been working since early last year to make hotels that use Saflok aware of their security flaws and to help them fix or replace the vulnerable locks. For many of the Saflok systems sold in the last eight years, there's no hardware replacement necessary for each individual lock. Instead, hotels will only need to update or replace the front desk management system and have a technician carry out a relatively quick reprogramming of each lock, door by door. Wouters and Carroll say they were nonetheless told by Dormakaba that, as of this month, only 36 percent of installed Safloks have been updated. Given that the locks aren't connected to the internet and some older locks will still need a hardware upgrade, they say the full fix will still likely take months longer to roll out, at the very least. Some older installations may take years.
Threads Opens Beta To 'Fediverse Sharing'
In a Threads post today, Meta CEO Mark Zuckerberg announced that the Twitter rival is rolling out a beta of its fediverse integration in the U.S., Canada, and Japan. With the feature enabled, Threads users will be able to cross-post and view likes from other federated platforms, like Mastodon. The Verge reports: Threads previewed its fediverse integration earlier this week during the FediForum. As outlined on its support page, Meta says that you must have a public account to turn on fediverse sharing, which will allow users on other servers to "search for and follow your profile, view your posts, interact with your content, and share your content to anyone on or off their server." There are still a few limitations, though. The beta currently doesn't let users view replies and follows from the fediverse, for example. Meta also can't promise that when you delete a federated post on Threads, it will also get deleted on the other platforms it was shared on.
Broadcom Is 'Holding the Sector To Ransom' With VMware License Changes, Claims CISPE
couchslug shares a report from ITPro: A European cloud trade body has called for an investigation into Broadcom amid concerns over changes it has made to VMware licensing structures. The Cloud Infrastructure Service Providers in Europe (CISPE) consortium called on regulatory and legislative bodies across Europe to investigate the changes Broadcom has made to the VMware operating model, which it says will "decimate" the region's cloud infrastructure. "CISPE calls upon regulators, legislators and courts across Europe to swiftly scrutinize the actions of Broadcom in unilaterally canceling license terms for essential virtualization software," the trade body said in a statement. Since acquiring VMware in November 2023, Broadcom has embarked on a comprehensive overhaul of software licensing at the firm, which has drawn widespread criticism from customers. Broadcom stated it would continue to support customers under a perpetual licensing agreement for the period defined in the contract, but following this customers would need to exchange any remaining licenses for subscription-based products. This has left both cloud service vendors and customers in limbo, according to CISPE, without any solid information on how, when, or if they will be able to license VMware products essential for their operations from April 2024. Moreover, even if they are able to relicense the VMware software, a number of customers reported dramatic price hikes of as much as 12 times. CISPE's characterisation of the move was far less charitable, arguing Broadcom is using VMware's market dominance, controlling almost 45% of the virtualization market, to charge exorbitant rents from cloud providers. Several CISPE members admitted that without the ability to license VMware products they will be unable to operate and will go bankrupt, with some stating that over 75% of their revenue depends on VMware virtualization tech. 
Members added that they often received termination notices late, if at all, with short notice periods that spanned just a few weeks. In addition, CISPE also complained about the decision to remove hundreds of products without any notice, and re-bundle the outstanding products under new prohibitive contract terms, despite there being no changes to the products themselves. Francisco Mingorance, secretary general of CISPE, said the changes will hurt both European customers and cloud service providers by increasing costs and reducing choice. "At a time when our members are moving to support the requirements for switching and portability between cloud services outlined in the Data Act, Broadcom is holding the sector to ransom by leveraging VMware's dominance of the virtualization sector to enforce unfair license terms and extract unfair rents from European cloud customers," Mingorance said. CISPE noted that for some cloud sector applications that require certifications by software or service providers, VMware products are the only viable option. As such, the association called for Broadcom to be recognized as a designated gatekeeper under the terms of the Digital Markets Act (DMA) that came into force on March 7, 2024. Mingorance argued Broadcom's moves will only further restrict an already limited set of options for cloud providers in Europe, warning that Broadcom has a dangerous degree of control over the region's digital ecosystems. "As well as inflicting financial damage on the European digital economy, these actions will decimate Europe's independent cloud infrastructure sector and further reduce the diversity of choice for customers," he explained. "Dominant software providers, in any sector from productivity software to virtualization, must not be allowed to wield life or death power over Europe's digital ecosystems."
UN Adopts First Global Artificial Intelligence Resolution
An anonymous reader quotes a report from Reuters: The United Nations General Assembly on Thursday unanimously adopted the first global resolution on artificial intelligence to encourage protecting personal data, monitoring AI for risks, and safeguarding human rights, U.S. officials said. The nonbinding resolution, proposed by the United States and co-sponsored by China and 121 other nations, took three months to negotiate and also advocates strengthening privacy policies, the officials said, briefing reporters before the resolution's passage. "We're sailing in choppy waters with the fast-changing technology, which means that it's more important than ever to steer by the light of our values," said one of the senior administration officials, describing the resolution as the "first-ever truly global consensus document on AI." "The improper or malicious design, development, deployment and use of artificial intelligence systems ... pose risks that could ... undercut the protection, promotion and enjoyment of human rights and fundamental freedoms," the measure says. Asked whether negotiators faced resistance from Russia or China -- U.N. member states that also voted in favor of the document -- the officials conceded there were "lots of heated conversations. ... But we actively engaged with China, Russia, Cuba, other countries that often don't see eye to eye with us on issues." "We believe the resolution strikes the appropriate balance between furthering development, while continuing to protect human rights," said one of the officials, who spoke on condition of anonymity.
India 'Screwed Up': How the US Lobbied New Delhi To Reverse Laptop Rules
India reversed a laptop licensing policy after behind-the-scenes lobbying by U.S. officials, who however remain concerned about New Delhi's compliance with WTO obligations and new rules it may issue, according to U.S. trade officials and government emails seen by Reuters. From the report: In August, India imposed rules requiring firms like Apple, Dell and HP to obtain licences for all shipments of imported laptops, tablets, personal computers and servers, raising fears that the process could slow down sales. But New Delhi rolled back the policy within weeks, saying it will only monitor the imports and decide on next steps a year later. The U.S. government emails -- obtained under a U.S. open records request -- underline the level of alarm the Indian curbs caused in Washington, and how the U.S. scored a rare lobbying win by persuading Prime Minister Narendra Modi's usually inflexible government to reverse policy. U.S. officials have often been concerned about India's sudden policy changes which they say create an uncertain business environment. India maintains it announces policies in the interest of all stakeholders and encourages foreign investments, even though it often promotes local players over foreign ones. Some of the language in the documents was blunt, despite the bonhomie often displayed by both sides in public. U.S. officials were upset India's changes to laptop imports came "out of the blue", without notice or consultation, and were "incredibly problematic" for the business climate and $500 million worth of annual U.S. exports, the documents and emails showed. U.S. Trade Representative Katherine Tai met Indian Commerce Minister Piyush Goyal in New Delhi on Aug. 26, soon after the policy was announced. Although the USTR's public readout said Tai "raised concerns" about the policy and "noted" that stakeholders needed to be consulted, she privately told Goyal during the meeting that the U.S. 
wanted India to "rescind the requirement", a USTR briefing paper showed.
Google is Bringing Satellite Messaging To Android 15
Google's second developer preview for Android 15 has arrived, bringing long-awaited support for satellite connectivity alongside several improvements to contactless payments, multi-language recognition, volume consistency, and interaction with PDFs via apps. From a report: These developer-focused betas are a proving ground for features that will likely make it into the final public release scheduled for later this year. According to Google, public beta releases should be available to test between April and July. The latest developer preview addresses some nuisances and security concerns experienced by Android users, such as making apps more aware of why some services might be unavailable when devices are using a satellite connection. This is also the first official confirmation that Android 15 will come with satellite messaging, with Google's press release saying that the new preview includes support for "preloaded RCS applications to use satellite connectivity for sending and receiving messages."
Cloud Software Group Snubs GPL Obligations, Say Critics
An anonymous reader shares a report: Even if you decide to stop offering free editions, you don't get to stop providing the source code to FOSS, users of JasperReports Server are complaining. Cloud Software Group -- the post-merger offspring of Citrix and Tibco -- has decided to withdraw the community edition of its JasperReports Server. Now all you can get is the commercial edition, with a 30-day free trial. Effectively, this seems like a similar tactic to Red Hat's unpopular changes to the way that the RHEL source code is distributed. Some of the JasperReports source code is still on Github, but not everything. The JasperSoft community website has the grumbling of unhappy users -- as does Reddit. One user on the community website commented: "Are you aware Jasper Server CE was under the Affero GPL, and you can't delete everything? "You cannot just change the license of the previous versions and call it a day. I mean, we the users, have the right to fork it using the same license or a compatible one," the user protested. JasperSoft has been developing its reporting tools in the open for well over a decade -- the Reg was reporting on it nearly twenty years ago. Tibco acquired the company for some $185 million in 2014. We're not certain that things are going very well for the new outfit. Early last year, the merger was followed by a round of job losses, and the company has also more recently doubled its prices on some offerings.
Motorola Spoiled a Good Budget Phone With Bloatware
Motorola's 2024 Moto G Power impresses with its soft-touch back and contoured edges at a $300 price point, despite an underwhelming camera and LCD panel. Except one thing: the bloatware. The Verge: Scroll through the app drawer and you'll see a handful of automatically downloaded "folders." They are not folders; they are apps. I first encountered them on last year's Moto G Stylus 5G, and I hate them very much. There are three main offenders -- Shopping, Entertainment, and GamesHub -- and each of these apps acts as a little hub. Icons for apps that you have legitimately downloaded will appear in the corresponding "folder." You'll also find tons of other suggested apps to download -- pages and pages of them! Apps as far as the eye can see! Dismissing the suggested apps section replaces it with a "Discover" section. In the shopping app, it invites you to "Unlock the power of shopping" with links to buy stuff like kitschy Easter decor from TJ Maxx. Mercifully, there's a toggle to hide this section. These apps are all made by a company called Swish, and you can't opt out of downloading any of them during the setup process. You can (and should!) opt out of downloading a third-party lock screen from a different service called Glance. The more I dig into the software on this phone, the more I hate it. The preinstalled weather app is festooned with ads and even more suggested apps, plus pithy insights like "Gotta love air conditioning at these high levels of humidity." If you tap the option to remove ads, a pop-up asks you to pay $4 for 1Weather Pro.
Epic, Spotify, Others Back DOJ Lawsuit Against Apple
The Coalition for App Fairness, an industry body that represents Epic, Spotify, Match Group and Proton among others, issued the following statement following the U.S. announcing it had sued Apple: "With today's announcement, the Department of Justice is taking a strong stand against Apple's stranglehold over the mobile app ecosystem, which stifles competition and hurts American consumers and developers alike. The DOJ complaint details Apple's long history of illegal conduct -- abusing their App Store guidelines and developer agreements to increase prices, extract exorbitant fees, degrade user experiences, and choke off competition. The DOJ joins regulators around the world, who have recognized the many harms of Apple's abusive behavior and are working to address it. As this case unfolds in the coming years more must be done now to end the anticompetitive practices of all mobile app gatekeepers. It remains imperative that Congress pass bipartisan legislation, like the Open App Markets Act, to create a free and open mobile app marketplace." Further reading: Apple Loses $115 Billion in Market Value as Regulators Close In.
Unpatchable Vulnerability in Apple Chip Leaks Secret Encryption Keys
A newly discovered vulnerability baked into Apple's M-series of chips allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations, academic researchers have revealed in a paper published Thursday. From a report: The flaw -- a side channel allowing end-to-end key extractions when Apple chips run implementations of widely used cryptographic protocols -- can't be patched directly because it stems from the microarchitectural design of the silicon itself. Instead, it can only be mitigated by building defenses into third-party cryptographic software that could drastically degrade M-series performance when executing cryptographic operations, particularly on the earlier M1 and M2 generations. The vulnerability can be exploited when the targeted cryptographic operation and the malicious application with normal user system privileges run on the same CPU cluster. The threat resides in the chips' data memory-dependent prefetcher, a hardware optimization that predicts the memory addresses of data that running code is likely to access in the near future. By loading the contents into the CPU cache before it's actually needed, the DMP, as the feature is abbreviated, reduces latency between the main memory and the CPU, a common bottleneck in modern computing. DMPs are a relatively new phenomenon found only in M-series chips and Intel's 13th-generation Raptor Lake microarchitecture, although older forms of prefetchers have been common for years. Security experts have long known that classical prefetchers open a side channel that malicious processes can probe to obtain secret key material from cryptographic operations. This vulnerability is the result of the prefetchers making predictions based on previous access patterns, which can create changes in state that attackers can exploit to leak information. 
In response, cryptographic engineers have devised constant-time programming, an approach that ensures that all operations take the same amount of time to complete, regardless of their operands. It does this by keeping code free of secret-dependent memory accesses or structures.
Microsoft Unveils Surface Pro 10 and Surface Laptop 6 for Business, Its First AI PCs
Microsoft has announced two new Surface devices, the Surface Pro 10 for Business and Surface Laptop 6 for Business, both featuring Intel's latest Core Ultra processors, a dedicated Neural Processing Unit (NPU), and a new Copilot key for AI-powered features in Windows 11. The devices, which will start shipping to commercial customers on April 9th, have been designed exclusively for businesses and will not be sold directly to consumers. The Surface Pro 10 for Business, starting at $1,199, offers a choice between Core Ultra 5 135U and Core Ultra 7 165U options, with up to 64GB of RAM and a 256GB Gen4 SSD. It also features an improved 13-inch display with an antireflective coating and a 1440p front-facing camera with a 114-degree field of view. The Surface Laptop 6 for Business, also starting at $1,199, is powered by Intel's Core Ultra H-series chips and is available with up to 64GB of RAM and a 1TB Gen4 SSD. The 15-inch model includes two USB-C Thunderbolt 4 ports, while the 13.5-inch model features a single USB-C Thunderbolt 4 port. Both devices have an optional smart card reader and are Microsoft's most easily serviceable Surface devices to date. Further reading: Microsoft's official blog.
Universities Have a Computer-Science Problem
theodp writes: "Last year," Ian Bogost writes in Universities Have a Computer-Science Problem, "18 percent of Stanford University seniors graduated with a degree in computer science, more than double the proportion of just a decade earlier. Over the same period at MIT, that rate went up from 23 percent to 42 percent. These increases are common everywhere: The average number of undergraduate CS majors at universities in the U.S. and Canada tripled in the decade after 2005, and it keeps growing. Students' interest in CS is intellectual -- culture moves through computation these days -- but it is also professional. Young people hope to access the wealth, power, and influence of the technology sector. That ambition has created both enormous administrative strain and a competition for prestige." "Another approach has gained in popularity," Bogost notes. "Universities are consolidating the formal study of CS into a new administrative structure: the college of computing. [...] When they elevate computing to the status of a college, with departments and a budget, they are declaring it a higher-order domain of knowledge and practice, akin to law or engineering. That decision will inform a fundamental question: whether computing ought to be seen as a superfield that lords over all others, or just a servant of other domains, subordinated to their interests and control. This is, by no happenstance, also the basic question about computing in our society writ large." Bogost concludes: "I used to think computing education might be stuck in a nesting-doll version of the engineer's fallacy, in which CS departments have been asked to train more software engineers without considering whether more software engineers are really what the world needs. Now I worry that they have a bigger problem to address: how to make computer people care about everything else as much as they care about computers."
First Human Transplant of a Genetically Modified Pig Kidney Performed
For the first time, surgeons have transplanted a kidney from a genetically modified pig into a living person, doctors in Boston said Thursday. From a report: Richard Slayman, 62, of Weymouth, Mass., who is suffering from end-stage kidney disease, received the organ Saturday in a four-hour procedure, Massachusetts General Hospital announced. He is recovering well and is expected to be discharged soon, the hospital said. "I saw it not only as a way to help me, but a way to provide hope for the thousands of people who need a transplant to survive," Slayman said in a statement released by the hospital. The procedure is the latest development in a fast-moving race to create genetically modified pigs to provide kidneys, livers, hearts and other organs to help alleviate the shortage of organs for people who need transplants. "Our hope is that this transplant approach will offer a lifeline to millions of patients worldwide who are suffering from kidney failure," said Dr. Tatsuo Kawai, the hospital's director for clinical transplant tolerance, in the hospital statement. Several biotech companies are racing to develop a supply of cloned pigs whose DNA has been genetically modified so they won't be rejected by the human body, spread pig viruses to people or cause other complications. NPR recently got exclusive access to a research farm breeding these animals for a company in this competition, Revivicor Inc. of Blacksburg, Va. The kidney transplanted in Boston came from a pig created by eGenesis of Cambridge, Mass. The eGenesis pigs are bred with 69 genetic modifications to prepare organs for human transplantation. The changes protect against a virus known to infect pigs as well as delete pig genes and add human genes to make the organs compatible with people.
Superconductor Scientist Engaged in Research Misconduct, Probe Finds
A physicist who shot to fame with claims of the discovery of a room-temperature superconductor engaged in research misconduct, a committee tapped to examine his work has concluded after a monthslong investigation. From a report: Ranga Dias, a physicist at the University of Rochester in New York, has had at least four papers he co-wrote, including three involving superconductivity, retracted in the past 18 months by the journals that published them. A committee of outside experts tapped by the university "identified data-reliability concerns in those papers," a Rochester spokesperson told The Wall Street Journal. "The committee concluded, in accordance with university policy and federal regulations, that Dias engaged in research misconduct," the spokesperson said in an emailed statement. The work in the papers was funded by the National Science Foundation, the Energy Department, and the Gordon and Betty Moore Foundation, a private organization that funds scientific research. The Moore foundation discontinued its grant late last year, the organization said. Of the $1.6 million award, about $285,000 was spent. The university refunded the rest. The investigation follows three preliminary reviews by the university of one of the studies, published in Nature in 2020 and retracted in 2022 after criticism from other scientists. Those inquiries didn't find enough evidence to prompt a full investigation. Complaints sent to the university in spring 2023 about additional studies prompted a more thorough review. That investigation was completed by March this year, resulting in the misconduct finding. The journal Nature reported earlier this month that this investigation was complete.
US Sues Apple, Alleges Tech Giant Exploits Illegal Monopoly
The Justice Department sued Apple on Thursday, alleging the tech giant blocked software developers and mobile gaming companies from offering better options on the iPhone, resulting in higher prices for consumers. WSJ: The government's antitrust complaint, filed in a New Jersey federal court, alleges Apple used its control of the iPhone to prevent competitors from offering innovative services such as digital wallets and limited the functionality of hardware products that compete with Apple's own devices. The suit also claims that Apple makes it difficult for users to switch to devices that don't use Apple's operating system, such as Android smartphones. "Consumers should not have to pay higher prices because companies violate the antitrust laws," Attorney General Merrick Garland said in a statement. Apple said it plans to vigorously defend against the lawsuit. "This lawsuit threatens who we are and the principles that set Apple products apart in fiercely competitive markets," an Apple spokesman said in a statement. "If successful, it would hinder our ability to create the kind of technology people expect from Apple -- where hardware, software, and services intersect." The case against Apple is the last shoe to drop on the big four tech giants by U.S. antitrust officials.
Justice Department To Sue Apple For Antitrust Violations
The Justice Department is poised to sue Apple as soon as Thursday, accusing the world's second most valuable tech company of violating antitrust laws by blocking rivals from accessing hardware and software features of its iPhone. From a report: The suit, which is expected to be filed in federal court, according to people familiar with the matter, escalates the Biden administration's antitrust fights against most of the biggest US technology giants. The Justice Department is already suing Alphabet's Google for monopolization, while the Federal Trade Commission is pursuing antitrust cases against Meta and Amazon. The coming case will mark the third time that the Justice Department has sued Apple for antitrust violations in the past 14 years, but it is the first case accusing the iPhone maker of illegally maintaining its dominant position.
Reddit Prices IPO At $34 Per Share, the Top of the Range
An anonymous reader writes: Reddit priced its stock on Wednesday at $34 a share, the top of the anticipated range, a signal that investors are excited about the company's IPO on Thursday. The social media giant raised nearly $500 million in the offering. Excluding employee stock options, the 19-year-old company's valuation will start at $5.4 billion, a far cry from its last private market value of $10 billion, set in August 2021, the top of the last tech markets boom. The stock, which is the most anticipated offering of the year so far, will debut on the New York Stock Exchange on Thursday with the ticker symbol "RDDT."
GNOME 46 Released
prisoninmate shares a report from 9to5Linux: Dubbed "Kathmandu" after the host city of the GNOME.Asia 2023 conference in Kathmandu, Nepal, the GNOME 46 desktop environment is here to introduce major new features like headless remote desktop support that lets you connect to your GNOME system remotely without there being an existing session. While experimental, Variable Refresh Rate (VRR) support is another major new feature in GNOME 46, which will allow you to change the variable refresh rate of your monitor from the GNOME Settings app in the Displays section. Talking about GNOME Settings, the GNOME 46 release brings a new System panel that incorporates the Region, Language, Date, Time, Users, Remote Desktop, and About panels, as well as new Secure Shell settings. Check out the release notes and the official release video here. GNOME 46 will be available shortly in many distributions, such as Fedora 40 and Ubuntu 24.04. You can try it today by looking for a beta release here.