💾 Archived View for kernelzechs.com › feeds › slashdot.gmi captured on 2022-06-11 at 20:43:43. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
Last Updated: 2022-06-11 4:30:01 PM
General Motors couldn't produce the component it needed for its 2022 SUV, the Chevrolet Tahoe, reports CNET. So the company's engineers "turned to a novel solution: 3D printing..."
GM made a major investment in the tech in 2020, dedicating 15,000 square feet of space to a facility dubbed the Additive Industrialization Center, then filling it with HP Multi Jet Fusion 3D printers, among others.... A year later, GM's big investment paid off. Chevrolet engineers made a late change to the 2022 Tahoe's design, necessitating the creation of an additional part: A new, flexible "spoiler closeout seal" fills a gap at the rear of the big SUV. Developing the tooling to injection-mold the things would have taken too long, delaying the delivery of 30,000 vehicles.
Enter 3D printing. Engineers were able to quickly design and print the components using a flexible material that met GM's criteria. They even used a process called vapor polishing to give the parts a perfect shine... Since each Tahoe requires two seals, Chevrolet needed a whopping 60,000 of them. From design to completion took just five weeks. That's less than half the time going the injection-molding route would have taken, which got all those SUVs out the door on time.
CNET calls it "almost certainly the largest deployment of additive tech in a production car" — and "an interesting preview of what's to come."
Ars Technica reports:
Researchers have unearthed a discovery that doesn't occur all that often in the realm of malware: a mature, never-before-seen Linux backdoor that uses novel evasion techniques to conceal its presence on infected servers, in some cases even with a forensic investigation.
On Thursday, researchers and the BlackBerry Threat Research & Intelligence Team said that the previously undetected backdoor combines high levels of access with the ability to scrub any sign of infection from the file system, system processes, and network traffic. Dubbed Symbiote, it targets financial institutions in Brazil and was first detected in November.
Researchers for Intezer and BlackBerry wrote:
"What makes Symbiote different from other Linux malware that we usually come across, is that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine. Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability...."
So far, there's no evidence of infections in the wild, only malware samples found online. It's unlikely this malware is widely active at the moment, but with stealth this robust, how can we be sure?
"When hooked functions are called, the malware first dynamically loads libc and calls the original function..." according to BlackBerry's blog post. "If the calling application is trying to access a file or folder under /proc, the malware scrubs the output from process names that are on its list.... If the calling application is not trying to access something under /proc, the malware instead scrubs the result from a file list...."
"Symbiote also has functionality to hide network activity on the infected machine."
"Ethereum creator Vitalik Buterin believes that unfriendly artificial intelligence poses the biggest risk to humanity..." reports a recent article from Benzinga:
[In a tweet] Buterin shared a paper by AI theorist and writer Eliezer Yudkowsky that made a case for why the current research community isn't doing enough to prevent a potential future catastrophe at the hands of artificially generated intelligence. [The paper's title? "AGI Ruin: A List of Lethalities."]
When one of Buterin's Twitter followers suggested that World War 3 is likely a bigger risk at the moment, the Ethereum co-founder disagreed. "Nah, WW3 may kill 1-2b (mostly from food supply chain disruption) if it's really bad, it won't kill off humanity. A bad AI could truly kill off humanity for good."
In 2019 SEO toolset provider Ahrefs announced it would build its own search engine, remembers Search Engine Land. After investing $60 million of its own money, this month that search engine has finally launched with the name of "Yep", and Ahrefs "is positioning it as a Google competitor.
"However, we've seen plenty of Google competitors and Google "killers" come and go over the past two decades. So for now, let's just call it a Google alternative...
Yep will not collect personal information (e.g., geolocation, name, age, gender) by default. Your Yep search history will not be stored anywhere.
What Yep will rely on is aggregated search statistics to improve algorithms, spelling corrections, and search suggestions, the company said. "In other words, we do save certain data on searches, but never in a personally identifiable way," said Ahrefs CEO Dmytro Gerasymenko.... What Yep will use is a searcher's:
- Entered keywords.
- Language preference received from the browser.
- Approximate geographical area at the origin of the search at the scale of a region or a city (deduced from the IP address)....
AhrefsBot visits more than 8 billion webpages every 24 hours, which makes it the second most active crawler on the web, behind only Google, Ahrefs said. For 12 years, AhrefsBot has been crawling the web. They had just been using the AhrefsBot data to power its link database and SEO insights. The Yep search index is updated every 15 to 30 minutes. Daily, the company adds 30 million webpages and drops 20 million.
Ahrefs said its Singapore data center is powered by around 1,000 servers that store and process 100 petabytes of web data (webpages, links between them, and the search index). Each server uses at least 2x 100GB connections... Before the end of the year, Ahrefs plans to open a U.S.-based data center.
"It's a unique proposition," reports TechCrunch, "running its own search index, rather than relying on APIs from Google or Bing.
"As for the name? I dunno; Yep seems pretty daft to me, but I guess at least the name is one character shorter than Bing, the other major search engine I'll only ever use by accident."
Name aside, Yep is taking a fresh new path through the world of internet advertising, claiming that it's giving 90% of its ad revenues to content creators. The pitch is pretty elegant:
"Let's say that the biggest search engine in the world makes $100B a year. Now, imagine if they gave $90B to content creators and publishers," the company paints a picture of the future it wants to live in. "Wikipedia would probably earn a few billion dollars a year from its content. They'd be able to stop asking for donations and start paying the people who polish their articles a decent salary."
It's an impressively quixotic windmill to fight for the bootstrapped company Ahrefs. Its CEO sheds some light on why this makes sense to him:
"Creators who make search results possible deserve to receive payments for their work...."
Perhaps it sounds a little idealistic, but damn it, that's what made me excited about Yep in the first place. It represents the faintest of echoes from a web more innocent and more hopeful than the social-media poisoned cesspool of chaos and fake news we often find ourselves in today.
Search Engine Land points out that DuckDuckGo, which launched in 2008, "gets as many searches per year (~15.7 billion) as Google gets in about two or three days. Even Microsoft Bing — which is owned by Microsoft, the third-largest company on the planet by market cap — has failed to make a significant dent in Google's search market share since 2009."
But they also quote Ahrefs CEO Dmytro Gerasymenko as saying in 2019, "If we succeed in our endeavors, Google will finally get some long overdue competition for search."
"Power-hungry, fossil-fuel dependent Japan has successfully tested a system that could provide a constant, steady form of renewable energy, regardless of the wind or the sun," reports Bloomberg:
For more than a decade, Japanese heavy machinery maker IHI Corp. has been developing a subsea turbine that harnesses the energy in deep ocean currents and converts it into a steady and reliable source of electricity.... Called Kairyu, the 330-ton prototype is designed to be anchored to the sea floor at a depth of 30-50 meters (100-160 feet).
In commercial production, the plan is to site the turbines in the Kuroshio Current, one of the world's strongest, which runs along Japan's eastern coast, and transmit the power via seabed cables.... Japan's New Energy and Industrial Technology Development Organization (NEDO) estimates the Kuroshio Current could potentially generate as much as 200 gigawatts — about 60% of Japan's present generating capacity....
Japan is already the world's third largest generator of solar power and is investing heavily in offshore wind, but harnessing ocean currents could provide the reliable baseline power needed to reduce the need for energy storage or fossil fuels.
Thanks to long-time Slashdot reader AmiMoJo for sharing the article!
"Researchers at MIT have discovered an unfixable vulnerability in Apple Silicon that could allow attackers to bypass a chip's 'last line of defense'," writes the Apple Insider blog, "but most Mac users shouldn't be worried."
More specifically, the team at MIT's Computer Science & Artificial Intelligence Laboratory found that Apple's implementation of pointer authentication in the M1 system-on-chip can be overcome with a specific hardware attack they've dubbed "PACMAN." Pointer authentication is a security mechanism in Apple Silicon that makes it more difficult for attackers to modify pointers in memory. By checking for unexpected changes in pointers, the mechanism can help defend a CPU if attackers gain memory access.... The flaw comes into play when an attacker successfully guesses the value of a pointer authentication code and disables it.
The researchers found that they could use a side-channel attack to brute-force the code. PACMAN echoes similar speculative execution attacks like Spectre and Meltdown, which also leveraged microarchitectural side channels. Because it's a flaw in the hardware, it can't be fixed with a software patch.
[A]ctually carrying out the PACMAN attack requires physical access to a device, meaning the average Mac user isn't going to be at risk of exploit. The flaw affects all kinds of ARM-based chips — not just Apple's. The vulnerability is more of a technological demonstration of a wider issue with pointer authentication in ARM chips, rather than an issue that could lead to your Mac getting hacked.
MIT has made more information available at the site PACMANattack.com — including answers to frequently asked questions.
Q: Is PACMAN being used in the wild?
A: No.
Q: Does PACMAN have a logo?
A: Yeah!
The MIT team says their discovery represents "a new way of thinking about how threat models converge in the Spectre era." But even then, MIT's announcement warns the flaw "isn't a magic bypass for all security on the M1 chip."
PACMAN can only take an existing bug that pointer authentication protects against, and unleash that bug's true potential for use in an attack by finding the correct PAC. There's no cause for immediate alarm, the scientists say, as PACMAN cannot compromise a system without an existing software bug....
The team showed that the PACMAN attack even works against the kernel, which has "massive implications for future security work on all ARM systems with pointer authentication enabled," says Ravichandran. "Future CPU designers should take care to consider this attack when building the secure systems of tomorrow. Developers should take care to not solely rely on pointer authentication to protect their software."
TechCrunch obtained a comment from Apple:
Apple spokesperson Scott Radcliffe provided the following: "We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques. Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own."
Apple's M1 chips have an "unpatchable" hardware vulnerability that could allow attackers to break through its last line of security defenses, MIT researchers have discovered. TechCrunch reports: The vulnerability lies in a hardware-level security mechanism utilized in Apple M1 chips called pointer authentication codes, or PAC. This feature makes it much harder for an attacker to inject malicious code into a device's memory and provides a level of defense against buffer overflow exploits, a type of attack that forces memory to spill out to other locations on the chip. Researchers from MIT's Computer Science and Artificial Intelligence Laboratory, however, have created a novel hardware attack, which combines memory corruption and speculative execution attacks to sidestep the security feature. The attack shows that pointer authentication can be defeated without leaving a trace, and as it utilizes a hardware mechanism, no software patch can fix it.
The attack, appropriately called "Pacman," works by "guessing" a pointer authentication code (PAC), a cryptographic signature that confirms that an app hasn't been maliciously altered. This is done using speculative execution -- a technique used by modern computer processors to speed up performance by speculatively guessing various lines of computation -- to leak PAC verification results, while a hardware side-channel reveals whether or not the guess was correct. What's more, since there are only so many possible values for the PAC, the researchers found that it's possible to try them all to find the right one.
The European Union is nearing an agreement on key legislation to regulate the cryptocurrency sector that would set common rules across the 27 member states, Bloomberg reported Friday, citing people familiar with the matter. From a report: France, which currently chairs the EU, and the European Parliament are optimistic about resolving remaining issues holding up the Markets in Crypto-Assets (MiCA) package and reaching a deal this month, according to the people. Negotiators are expected to meet on June 14 and June 30. MiCA, first presented in 2020, will put European regulators at the forefront of supervising cryptocurrencies by creating unified rules across the $17 trillion economy. Addressing issues such as investor protection and crypto's impact on financial stability has taken on added urgency after last month's collapse of the TerraUSD algorithmic stablecoin.
Member states and the parliament still disagree on several key aspects of MiCA. According to the people, areas of disagreement include:
- Whether to include nonfungible tokens in the new set of rules
- How to regulate significant stablecoins
- Supervision of the largest crypto-asset service providers, or CASPs
Both sides are also discussing how to limit the use of stablecoins as a payment method by introducing a ceiling, in particular for transactions not denominated in euros, the people said, asking not to be identified discussing confidential information.
Apple announced on Friday that it's once again updated its rules about how Dutch dating apps can use third-party payment systems, after the company had "productive conversations with the Netherlands Authority for Consumers and Markets (ACM)." From a report: The updated rules give developers more flexibility about which payment systems they use, change the language users see when they go to pay, and remove other restrictions that the previous rules put in place. While the rules aren't wide-reaching (again, they only apply to Dutch dating apps), they do show what Apple's willing to do to comply with government regulation -- which it could be facing a lot more of as the EU and US gear up to fight tech monopolies, and potentially even force the company to ditch the iPhone's Lightning port.
In December the ACM announced a ruling that Apple had to let dating apps use payment services besides the one built into iOS, after the regulator received a complaint from Match Group, the company behind dating services like Tinder, Match.com, and OkCupid. Since then, Apple has proposed a variety of solutions for complying with the order, which the regulator has said aren't good enough. In May, the ACM said that Apple's most recent rules, the ones prior to the Friday update, were improvements over its past ideas, but that they still didn't comply with Dutch and European laws. There's been increasing pressure for Apple to comply: even while the company works on changes, it's been racking up tens of millions of Euros in fines.
Nigerian Exchange plans to start a blockchain-enabled exchange platform next year to deepen trade and lure young investors to the market. From a report: The move follows the introduction of regulations to guide trade in digital assets by the Nigerian Securities and Exchange Commission, and the growing interest to adopt the distributed-ledger technology by businesses and policy makers across the continent including in Kenya and South Africa. The exchange looks to deploy the blockchain technology in settlement of capital market transactions, Temi Popoola, the chief executive of Nigeria Exchange, said in an interview. "For a lot of young and upcoming Nigerians, that is the kind of technology they adopt and we want to see how we can deploy it to grow our market," Temi said. The plan is unfolding in the wake of a rout in cryptocurrency markets following the collapse of the Terra blockchain in May. Bitcoin has plunged more than 50% since reaching a record high last November.
The UK is facing an exodus of star scientists, with at least 16 recipients of prestigious European grants making plans to move their labs abroad as the UK remains frozen out of the EU's flagship science programme. From a report: Britain's participation in Horizon Europe has been caught in the crosshairs of the dispute over Brexit in Northern Ireland, meaning that 143 UK-based recipients of European Research Council fellowships this week faced a deadline of either relinquishing their grant or transferring it to an institute in an eligible country. The UK government has promised to underwrite the funding, totalling about 250m pounds ($307m), but a growing number of scientists appear likely to reject the offer and instead relocate, along with entire teams of researchers.
The ERC said 16 academics had recently informed it that they intend to move their lab abroad or are in negotiations about doing so. These researchers, and some others, have been given an extension before their grants are terminated. Moritz Treeck, a group leader at the Francis Crick Institute in London who is due to receive $2.1m over five years from the ERC to study the malaria pathogen, is among those contemplating a move. He said a major downside of the UK offer was the lack of flexibility about moving the funding internationally.
Researchers have found that being outside drastically reduces the risk of developing short-sightedness. From a report: In the early 1980s Taiwan's army realised it had a problem. More and more of its conscripts seemed to be short-sighted, meaning they needed glasses to focus on distant objects. "They were worried that if the worst happened [ie, an attack by China] their troops would be fighting at a disadvantage," says Ian Morgan, who studies myopia at Australian National University, in Canberra. An island-wide study in 1983 confirmed that around 70% of Taiwanese school leavers needed glasses or contact lenses to see properly. These days, that number is above 80%. But happily for Taiwan's generals, the military disparity has disappeared. Over the past few decades myopia rates have soared across East Asia (see chart 1 in the linked story). In the 1960s around 20-30% of Chinese school-leavers were short-sighted. These days they are just as myopic as their cousins across the straits, with rates in some parts of China running at over 80%.
Elsewhere on the continent things are even worse. One study of male high-school leavers in Seoul found 97% were short-sighted. Hong Kong and Singapore are not far behind. And although the problem is worst in East Asia, it is not unique to it. Reliable numbers for America and Europe are harder to come by. But one review article, published in 2015, claimed a European rate of between 20% and 40% -- an order of magnitude higher than that which people working in the field think is the "natural," background rate. For most of those affected, myopia is a lifelong, expensive nuisance. But severe myopia can lead to untreatable vision loss, says Annegret Dahlmann-Noor, a consultant ophthalmologist at Moorfields Eye Hospital, in London. A paper published in 2019 concluded that each one-dioptre worsening in myopia was associated with a 67% increase in prevalence of myopic maculopathy, an untreatable condition that causes blindness. (A dioptre is a measure of a lens's focusing power.) In some parts of East Asia, 20% of young people have severe myopia, defined as -6 dioptres or worse (see chart 2 in linked story). "This is storing up a big problem for the coming decades," says Kathryn Rose, head of orthoptics at the University of Technology, Sydney.
Jack Dorsey's beef with Web3 has never been a secret. In his view, Web 3 -- blockchain boosters' dream of a censorship resistant, privacy-focused internet of the future -- has become just as problematic as the Web2 which preceded it. Now, he's out with an alternative. From a report: At CoinDesk's Consensus Festival here in Austin, TBD -- the bitcoin-focused subsidiary of Dorsey's Block (SQ) -- announced its new vision for a decentralized internet layer on Friday. Its name? Web5. TBD explained its pitch for Web5 in a statement shared with CoinDesk: "Identity and personal data have become the property of third parties. Web5 brings decentralized identity and data storage to individual's applications. It lets devs focus on creating delightful user experiences, while returning ownership of data and identity to individuals."
While the new project from TBD was announced Friday, it is still under open-source development and does not have an official release date. A play on the Web3 moniker embraced in other corners of the blockchain space, Web5 is built on the idea that incumbent "decentralized internet" contenders are going about things the wrong way. Appearing at a Consensus panel clad in a black and bitcoin-yellow track suit emblazoned with the numeral 5, TBD lead Mike Brock explained that Web5 -- in addition to being "two better than Web3" -- would beat out incumbent models by abandoning their blockchain-centric approaches to a censorship free, identity-focused web experience. "This is really a conversation about what technologies are built to purpose, and I don't think that renting block space, in all cases, is a really good idea for decentralized applications," Brock said. He continued: "I think what we're pushing forward with Web5 -- and I admit it's a provocative challenge to a lot of the assumptions about what it means to decentralize the internet -- really actually is back to basics. We already have technologies that effectively decentralize. I mean, bittorrent exists, Tor exists, [etc]." The full presentation is here.
The UK's Competition and Markets Authority (CMA) has concluded that Google and Apple "hold all the cards" when it comes to mobile phones a year after taking a closer look at their "duopoly." It's now consulting on the launch of a market investigation into the tech giants' market power in mobile browsers, as well as into Apple's cloud gaming restrictions. From a report: In addition, the CMA has launched a separate investigation into Google's Play Store rules -- the one that requires certain app developers to use the tech giant's payment system for in-app purchases, in particular. The CMA has concluded after its year-long study that the tech giants do indeed exhibit an "effective duopoly" on mobile ecosystems. A total of 97 percent of all mobile web browsing in the UK is powered by Apple's and Google's browser engines. iPhones and Android devices typically come with Safari and Chrome pre-installed, which means their browsers have the advantage from the start. Further, Apple requires developers to make sure their iOS and iPadOS apps are using its WebKit engine to browse the web. That limits the incentives Apple may have to invest in Safari, the CMA said.
Wickr Me, an encrypted messaging app owned by Amazon Web Services, has become a go-to destination for people to exchange images of child sexual abuse, according to court documents, online communities, law enforcement and anti-exploitation activists. From a report: It's not the only tech platform that needs to crack down on such illegal content, according to data gathered by the National Center for Missing & Exploited Children, or NCMEC. But Amazon is doing comparatively little to proactively address the problem, experts and law enforcement officials say, attracting people who want to trade such material because there is less risk of detection than in the brighter corners of the internet.
NBC News reviewed court documents from 72 state and federal child sexual abuse or child pornography prosecutions where the defendant allegedly used Wickr (as it's commonly known) from the last five years in the United States, United Kingdom and Australia, using a combination of private and public legal and news databases and search engines. Nearly every prosecution reviewed has resulted in a conviction aside from those still being adjudicated. Almost none of the criminal complaints reviewed note cooperation from Wickr itself at the time of filing, aside from limited instances where Wickr was legally compelled to provide information via a search warrant. Over 25 percent of the prosecutions stemmed from undercover operations conducted by law enforcement on Wickr and other tech platforms. These court cases only represent a small fraction of the problem, according to two law enforcement officers involved in investigating child exploitation cases, two experts studying child exploitation and two people who have seen firsthand how individuals frequently use Wickr and other platforms for criminal transactions on the dark web.