SoylentNews is people

posted by janrinok on Tuesday April 16, @04:42AM
from the internal-combustion-for-the-win? dept.

Tesla has announced layoffs of "more than 10%" of its global workforce in an internal company-wide email:

For the last few months, it has looked like Tesla might be preparing for a round of layoffs. Tesla told managers to identify critical team members, and paused some stock rewards while canceling some employees' annual reviews. It also reduced production at Gigafactory Shanghai.

Then, over the weekend, we heard rumors that these layoffs were about to happen, which came to us from multiple independent sources, as we reported on yesterday. The rumors indicated that layoffs could be as high as 20%, and in addition we heard that Tesla would shorten Cybertruck production shifts at Gigafactory Texas (despite CEO Elon Musk's recent insistence that Cybertruck is currently production constrained).

Now those rumors have been confirmed – though with a lower number – in a company-wide email sent by Musk, which leaked soon after it was sent.

[...] The news follows a bad quarterly delivery report in which Tesla significantly missed delivery estimates, and had a rare year-over-year reduction in sales. While Tesla does not break out sales by geographical region, the main dip seems to have come from China, where Chinese EV makers are ramping quickly both in the domestic and export market.

Full text of email available at TFA.

Previously: Tesla is Reportedly Planning Layoffs

Original Submission

posted by janrinok on Monday April 15, @11:51PM

Researchers have tracked muscle contractions in a bird's vocal tract, and reconstructed the song it was silently singing in its sleep. The resulting audio is a very specific call, allowing the team to figure out what the bird's dream was about.

When birds sleep, the part of their brains dedicated to daytime singing remains active, showing patterns that resemble those produced while awake. Researchers from the University of Buenos Aires (UBA) previously demonstrated that these brain patterns activate a bird's vocal muscles, enabling them to silently 'replay' a song during sleep.

But, until now, it hasn't been possible to map how that nocturnal activity gets processed. In their new study, the UBA researchers turned the vocal muscle movements made during avian dreaming into synthetic songs.

"Dreams are one of the most intimate and elusive parts of our existence," said Gabriel Mindlin, a specialist in the physical mechanisms behind birdsong and corresponding author of the study. "Knowing that we share this with such a distant species is very moving. And the possibility of entering the mind of a dreaming bird – listening to how that dream sounds – is a temptation impossible to resist."

A bird's vocal sounds are made by a unique organ only they possess, the syrinx. Located at the base of the windpipe (trachea), passing air causes some or all of the organ's walls to vibrate, while a surrounding air sac acts like a resonating chamber. The pitch of the sound produced depends on the tension surrounding muscles exert on the syrinx and the airways.

[...] Custom-made electromyography (EMG) electrodes were implanted in the birds to measure the muscle response and electrical activity in the obliquus ventralis muscle, the most prominent muscle producing the kiskadee's birdsong. EMG and birdsong audio were recorded simultaneously while the birds were awake and asleep. An existing dynamical systems model of the kiskadee's sound production mechanism was used to translate the information into synthetic songs. In basic terms, a dynamical systems model breaks down what occurs in the syrinx when sound is produced into a series of mathematical equations.

[...] Analyzing muscular activity during sleep revealed consistent activity patterns corresponding to the trills produced by kiskadees during daytime territorial fights. Interestingly, the 'dreaming trills' were associated with raised head feathers, the same as during the daytime. The researchers created a synthetic version of one of the trills from the data they'd collected.

Original Submission

posted by janrinok on Monday April 15, @07:06PM

No patch yet for unauthenticated code-execution bug in Palo Alto Networks firewall:

Highly capable hackers are rooting multiple corporate networks by exploiting a maximum-severity zero-day vulnerability in a firewall product from Palo Alto Networks, researchers said Friday.

The vulnerability, which has been under active exploitation for at least two weeks now, allows hackers with no authentication to execute malicious code with root privileges, the highest possible level of system access, researchers said. The extent of the compromise, along with the ease of exploitation, has earned the CVE-2024-3400 vulnerability the maximum severity rating of 10.0. The ongoing attacks are the latest in a rash of attacks aimed at firewalls, VPNs, and file-transfer appliances, which are popular targets because of their wealth of vulnerabilities and direct pipeline into the most sensitive parts of a network.

The zero-day is present in PAN-OS 10.2, PAN-OS 11.0, and/or PAN-OS 11.1 firewalls when they are configured to use both the GlobalProtect gateway and device telemetry. Palo Alto Networks has yet to patch the vulnerability but is urging affected customers to follow the workaround and mitigation guidance provided here. The advice includes enabling Threat ID 95187 for those with subscriptions to the company's Threat Prevention service and ensuring vulnerability protection has been applied to their GlobalProtect interface. When that's not possible, customers should temporarily disable telemetry until a patch is available.
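The exposure conditions and interim mitigations above lend themselves to a fleet triage check. The following is an added example, not code from Palo Alto Networks, Volexity, or the article: it encodes the affected release lines (10.2, 11.0, 11.1), the requirement that both a GlobalProtect gateway and device telemetry be enabled, and the mitigation choices the article lists. The `Firewall` record, the `major.minor.patch-hN` version-string format, and the sample fleet are assumptions constructed for the example, not values read from any vendor API.

```python
"""Triage helper for the CVE-2024-3400 exposure conditions described above.

Added example (not vendor code). Inputs are an assumed inventory record per
firewall; the version-string layout is an assumption as well.
"""
from dataclasses import dataclass
import re

# Release lines named in the article as affected when both conditions hold.
AFFECTED_RELEASES = {(10, 2), (11, 0), (11, 1)}
# Threat Prevention signature the article says to enable.
THREAT_ID = "95187"


@dataclass
class Firewall:
    name: str
    panos_version: str            # assumed format, e.g. "11.1.2-h1"
    globalprotect_gateway: bool   # GlobalProtect gateway configured?
    device_telemetry: bool        # device telemetry enabled?
    threat_prevention_sub: bool   # Threat Prevention subscription present?


def parse_major_minor(version: str) -> tuple[int, int]:
    """Return (major, minor) from a PAN-OS version string; reject garbage."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.\d+)?(?:-h\d+)?\s*$", version)
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def is_exposed(fw: Firewall) -> bool:
    """Exposed only if the release line is affected AND both features are on."""
    return (parse_major_minor(fw.panos_version) in AFFECTED_RELEASES
            and fw.globalprotect_gateway
            and fw.device_telemetry)


def mitigations(fw: Firewall) -> list[str]:
    """Interim actions from the article, chosen by subscription status."""
    if not is_exposed(fw):
        return []
    if fw.threat_prevention_sub:
        return [f"enable Threat ID {THREAT_ID}",
                "apply vulnerability protection to the GlobalProtect interface"]
    # Without the subscription the article's fallback is to disable telemetry.
    return ["temporarily disable device telemetry until a patch is available"]


def triage(fleet: list[Firewall]) -> dict[str, list[str]]:
    """Map each firewall name to its required actions (empty list = no action)."""
    return {fw.name: mitigations(fw) for fw in fleet}


# Constructed sample inventory for demonstration only.
SAMPLE_FLEET = [
    Firewall("edge-1", "11.1.2-h1", True, True, True),    # exposed, has TP
    Firewall("edge-2", "10.1.9", True, True, True),       # 10.1 not listed
    Firewall("edge-3", "10.2.8", True, False, False),     # telemetry off
    Firewall("edge-4", "11.0.3", True, True, False),      # exposed, no TP
]

if __name__ == "__main__":
    for name, actions in triage(SAMPLE_FLEET).items():
        print(name, "->", actions or "no action required")
```

The check deliberately treats "both features enabled" as the exposure condition rather than flagging every device on an affected release, which mirrors the article's wording; an operator who prefers a conservative sweep can drop the telemetry test in `is_exposed`.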

Volexity, the security firm that discovered the zero-day attacks, said that it's currently unable to tie the attackers to any previously known groups. However, based on the resources required and the organizations targeted, they are "highly capable" and likely backed by a nation-state. So far, only a single threat group—which Volexity tracks as UTA0218—is known to be leveraging the vulnerability in limited attacks. The company warned that as new groups learn of the vulnerability, CVE-2024-3400 is likely to come under mass exploitation, just as recent zero-days affecting products from the likes of Ivanti, Atlassian, Citrix, and Progress have in recent months.

[...] The earliest attacks Volexity has seen took place on March 26 in what company researchers suspect was UTA0218 testing the vulnerability by placing zero-byte files on firewall devices to validate exploitability. On April 7, the researchers observed the group trying unsuccessfully to install a backdoor on a customer's firewall. Three days later, the group's attacks were successfully deploying malicious payloads. Since then, the threat group has deployed custom, never-before-seen post-exploitation malware. The backdoor, which is written in the Python language, allows the attackers to use specially crafted network requests to execute additional commands on hacked devices.

Original Submission

posted by janrinok on Monday April 15, @02:23PM

Tesla Model 3 Traps TikToker Inside 115-Degree Car During A Software Update:

Tesla warns owners that opening their doors or windows while installing a software update could damage the vehicle, so she stayed put

According to the Tesla owner's manual, "Vehicle functions, including some safety systems and opening or closing the doors or windows, may be limited or disabled when installation is in progress and you could damage the vehicle." Janel chose to heed Tesla's warning and did not attempt to open her doors or windows during the installation process for fear of damaging her vehicle, but this seems like a very dangerous oversight on Tesla's part that she was able to be stuck inside at all.

The door mechanisms on the Tesla Model 3 and Model Y are electrically operated, and under normal circumstances are opened from the inside using a simple button to unlatch the door. Should the vehicle have no power, these models do have auxiliary manual cable release levers also found on the door panel, but Tesla warns against using the manual mechanism, citing that it should only be used when the car has no power. Janel said she was aware of this option but didn't want to risk damaging her car, and she felt confident that she could stick out the heat.

In contrast to Tesla's potentially dangerous warnings, Lucid Motors requires all occupants to exit the vehicle before the installation process begins, and the Lucid Air owners manual states that owners will not be able to lock or unlock the doors during an update. The Air will start a two-minute countdown when an owner chooses to install an update, giving them enough time to get out prior to the update beginning.

Original Submission

posted by hubie on Monday April 15, @09:37AM
from the hug-your-local-robot dept.

Human hugs > robot hugs > no hugs

A systematic review and multivariate meta-analysis of the physical and mental health benefits of touch interventions:

The sense of touch has immense importance for many aspects of our life. It is the first of all the senses to develop in newborns and the most direct experience of contact with our physical and social environment. Complementing our own touch experience, we also regularly receive touch from others around us, for example, through consensual hugs, kisses or massages.

The recent coronavirus pandemic has raised awareness regarding the need to better understand the effects that touch—and its reduction during social distancing—can have on our mental and physical well-being. The most common touch interventions, for example, massage for adults or kangaroo care for newborns, have been shown to have a wide range of both mental and physical health benefits, from facilitating growth and development to buffering against anxiety and stress, over the lifespan of humans and animals alike. [...]

A critical issue highlighted in the pandemic was the lack of touch due to social restrictions. To accommodate the need for touch in individuals with small social networks (for example, institutionalized or isolated individuals), touch interventions using objects/robots have been explored in the past (for a review, see ref. 11). We show here that touch interactions outside of the human–human domain are beneficial for mental and physical health outcomes. [...]

[...] In conclusion, we show clear evidence that touch interventions are beneficial across a large number of both physical and mental health outcomes, for both healthy and clinical cohorts, and for all ages. These benefits, while influenced in their magnitude by study cohorts and intervention characteristics, were robustly present, promoting the conclusion that touch interventions can be systematically employed across the population to preserve and improve our health.

Original Submission

posted by hubie on Monday April 15, @04:52AM
from the surprising-citrate-synthase-Sierpinski-self-similarity dept.

An international team of researchers led by groups from the Max Planck Institute in Marburg and the Philipps University in Marburg has stumbled upon the first regular molecular fractal in nature. They discovered a microbial enzyme—citrate synthase from a cyanobacterium—that spontaneously assembles into a pattern known as the Sierpinski triangle. Electron microscopy and evolutionary biochemistry studies indicate that this fractal may represent an evolutionary accident.

The study is published in Nature.

Snowflakes, fern leaves, romanesco cauliflower heads: many structures in nature have a certain regularity. Their individual parts resemble the shape of the whole structure. Such shapes, which repeat from the largest to the smallest, are called fractals. But regular fractals that match almost exactly across scales, as in the examples above, are very rare in nature.

Molecules also have a certain regularity. But if you look at them from a great distance, you can no longer see any signs of this. Then you see smooth matter whose features no longer match those of the individual molecules. The degree of fine structure we see depends on our magnification—in contrast to fractals, where self-similarity persists at all scales. In fact, regular fractals at the molecular level are completely unknown in nature.

This is somewhat surprising. After all, molecules can assemble themselves into all sorts of wonderful shapes. Scientists have extensive catalogues of self-assembled complex molecular structures. However, there has never been a regular fractal among them. It turns out that almost all regular-looking self-assemblies lead to the kind of regularity that becomes smooth on large scales.

An international team of researchers led by groups from the Max Planck Institute in Marburg and Philipps University in Marburg has now discovered the first regular molecular fractal in nature. They discovered a microbial enzyme—citrate synthase from a cyanobacterium—that spontaneously assembles into a regular fractal pattern known as the Sierpiński triangle. This is an infinitely repeating series of triangles made up of smaller triangles.

"We stumbled on this structure completely by accident and almost couldn't believe what we saw when we first took images of it using an electron microscope," says first author Franziska Sendker.

"The protein makes these beautiful triangles and as the fractal grows, we see these larger and larger triangular voids in the middle of them, which is totally unlike any protein assembly we've ever seen before," she continues.

Journal Reference:
Sendker, F.L., Lo, Y.K., Heimerl, T. et al. Emergence of fractal geometries in the evolution of a metabolic enzyme. Nature (2024).

Original Submission

posted by hubie on Monday April 15, @12:10AM
from the messaging-wants-to-be-free dept.

owner Automattic acquires multiservice messaging app Beeper for $125M:

owner Automattic is acquiring Beeper, the company behind the iMessage-on-Android solution that was referenced by the Department of Justice in its antitrust lawsuit against Apple. The deal, which was for $125 million according to sources close to the matter, is Automattic's second acquisition of a cross-platform messaging solution after buying last October.

[...] The deal, which closed on April 1, represents a big bet from Automattic: that the future of messaging will be open-source and will work across services, instead of being tied up in proprietary platforms, like Meta's WhatsApp or Apple's iMessage. In fact, Migicovsky says, the eventual plan after shifting people to the Beeper cross-platform app for managing their messages is to move them to Beeper's own chat protocol — an open-source protocol called Matrix — under the hood.

[...] Matrix, a sort of "spiritual successor" to XMPP, as Migicovsky describes it, offers an open-source, end-to-end encrypted client and server communications system, where servers can federate with one another, similar to open-source Twitter/X alternative Mastodon. However, instead of focusing on social networking, like Mastodon, it focuses on messaging.

[...] "I've known Matt [Mullenweg, Automattic founder and CEO] for years now," Migicovsky said, adding that the founder had shown commitment to open-source technology, like Beeper, where about half its product is already open-source. "We were looking to find a partner that could financially support this. One of the reasons why there are no other people building this type of app is it costs a surprisingly large amount of money to build a damn good chat app," Migicovsky noted.

[...] In this rewritten version of Beeper, the company is starting to roll out fully end-to-end encrypted messages across Signal. That will be soon followed by WhatsApp, Messenger, and Google Messages.

Because of Apple's restrictions, iMessage only works if you have an iPhone in the mix, Migicovsky says, and will not be a focus for Beeper, given the complications it saw with Apple's shutdown of Beeper Mini. However, Beeper is hopeful regulations could change things, pointing to the DoJ lawsuit and FCC investigation. In the meantime, Beeper supports RCS, which solves iMessage to Android problems like low-res images and videos, lack of typing indicators and encryption.

[...] The team expects to have feature parity across platforms in a matter of months as they overhaul the iOS and desktop apps.

In time, they plan to add other services to Beeper as well, including Google Voice, Snapchat, and Microsoft Teams. Beeper also offers a widget API so developers can build on top of Beeper. Plus, since Matrix is an open standard, developers will be able to build alternative clients for Beeper, as well.

The app will generate revenue via a premium subscription, where the final price may be a couple of dollars per month, but pricing decisions haven't yet been fully nailed down. Beeper is currently free to use.

Original Submission

posted by hubie on Sunday April 14, @07:23PM

Google should be barred from "treating Epic differently," Epic Games says:

Epic Games has filed a proposed injunction that would stop Google from restricting third-party app distribution outside Google Play Store on Android devices after proving that Google had an illegal monopoly in markets for Android app distribution.

Epic is suggesting that competition on the Android mobile platform would be opened up if the court orders Google to allow third-party app stores to be distributed for six years in the Google Play Store and blocks Google from entering any agreements with device makers that would stop them from pre-loading third-party app stores. This would benefit both mobile developers and users, Epic argued in a wide-sweeping proposal that would greatly limit Google's control over the Android app ecosystem.

[...] "Epic's filing to the US Federal Court shows again that it simply wants the benefits of Google Play without having to pay for it," Google's spokesperson said. "We'll continue to challenge the verdict, as Android is an open mobile platform that faces fierce competition from the Apple App Store, as well as app stores on Android devices, PCs, and gaming consoles."

If Donato accepts Epic's proposal, Google would be required to grant equal access to the Android operating system and platform features to all developers, not just developers distributing apps through Google Play. This would allow third-party app stores to become the app update owner, updating any apps downloaded from their stores as seamlessly as Google Play updates apps.

Under Epic's terms, any app downloaded from anywhere would operate identically to apps downloaded from Google Play, without Google imposing any unnecessary distribution fees. Similarly, developers would be able to provide their own in-app purchasing options and inform users of out-of-app purchasing options, without having to use Google's APIs or paying Google additional fees.

[...] Unsurprisingly, Epic's proposed injunction includes an "anti-retaliation" section specifically aimed at protecting Epic from any further retaliation. If Donato accepts the terms, Google would be violating the injunction order if the tech giant fails to prove that it is not "treating Epic differently than other developers" by making it "disproportionately difficult or costly" for Epic to develop, update, and market its apps on Android.

That part of the injunction would seem important since, last month, Epic announced that an Epic Games Store was "coming to iOS and Android" later this year. According to Inc, Epic told Game Developers Conference attendees that its app-distribution platform will be the "first ever game-focused, multiplatform store," working across "Android, iOS, PC and macOS."

[...] Under the proposed injunction, Google would be restricted from introducing any unnecessary steps that might keep users from quickly accessing third-party app stores "beyond the steps required to access the Google Play Store when it is preinstalled."

[...] But otherwise, "Google must allow consumers to download apps from wherever they choose without interference, whether it's from the Google Play Store, a third-party app store, another app, or the web," Epic's blog said. "Under Epic's proposed injunction, Google can't use scare screens and dire warnings that deter consumers from downloading apps from the Internet to their phones."

Epic additionally wants Google to be blocked from seeking pretty much any form of exclusivity for the Google Play Store. That partly means Google wouldn't be able to share revenue from the Play Store with distributors to stop competing app stores from being preinstalled or placed on a device's home screen. They also wouldn't be able to pay developers to exclusively launch or distribute apps through Google Play, including restricting any agreements on special pricing in the Google Play Store. Additionally, Google couldn't stop developers from removing apps from Google Play without Google's consent.

[...] "Google has a history of malicious compliance and has attempted to circumvent legislation and regulation meant to rein in their anti-competitive control over Android devices," Epic's blog said. "Our proposed injunction seeks to block Google from repeating past bad-faith tactics and open up Android devices to competition and choice for all developers and consumers."

Original Submission

posted by janrinok on Sunday April 14, @04:38PM
from the mt.dooooooooooooooooooooooooooooom dept.

For those times when you have nothing to do for the next six evenings. How about some Lord of the Rings opera, 15 hours long, spread out over 30 chapters and performed over six evenings. Coming "soon" to a stage in Wales?

For those times when the 9-hour movie trilogy wasn't long enough. I guess they have fewer special effects to hide behind.

Who will play the Balrog? I guess he doesn't have too many lines ...

This fully operatic setting has now become a companion work on the same scale as The Silmarillion. This adaptation takes place over thirty "chapters" designed to be performed over six evenings – over fifteen hours of music.

Original Submission

posted by hubie on Sunday April 14, @02:39PM

Google announced Friday that it will temporarily remove links to news websites in California for a small number of users, representing an escalation in the Bay Area tech giant's fight with state lawmakers over a bill authored by Assemblymember Buffy Wicks, a Democrat from Oakland.

At issue is Assembly Bill 886, officially called the "California Journalism Preservation Act." The measure, which Wicks introduced last year, would require large platforms like Google to pay websites for articles the platforms feature on their sites. Critics of the measure, like the California Taxpayers Association, have called the bill a "link tax."

Jaffer Zaidi, Google's vice president of global news partnerships, said in a Friday blog post that the company will begin testing the possible ramifications of the bill's passage on its "product experience" by temporarily removing links to California news websites for "a small percentage of users." That means links to California news websites, like SFGATE, may not appear in Google searches for some users.

[...] Wicks' bill is meant to provide a financial lifeline for news outlets that have struggled to compete for ad dollars — a major funding source for them — in the digital age. The bill would require online platforms like Google, Facebook and Microsoft to pay online publishers a percentage of the revenue those companies make from selling digital ads alongside the outlet's content.

The "journalism usage fee" would be determined by an arbitration process, and an eligible outlet would have to spend at least 70% of the new dollars on hiring additional journalists and support staff.

Original Submission

posted by hubie on Sunday April 14, @09:50AM

About 4.5 billion years ago, a small planet smashed into the young Earth, flinging molten rock into space. Slowly, the debris coalesced, cooled and solidified, forming our moon. This scenario of how the Earth's moon came to be is the one largely agreed upon by most scientists. But the details of how exactly that happened are "more of a choose-your-own-adventure novel," according to researchers in the University of Arizona Lunar and Planetary Laboratory who published a paper in Nature Geoscience.

The findings offer important insights into the evolution of the lunar interior, and potentially for planets such as the Earth or Mars.

Most of what is known about the origin of the moon comes from analyses of rock samples, collected by Apollo astronauts more than 50 years ago, combined with theoretical models. The samples of basaltic lava rocks brought back from the moon showed surprisingly high concentrations of titanium. Later satellite observations found that these titanium-rich volcanic rocks are primarily located on the moon's nearside, but how and why they got there has remained a mystery—until now.

Because the moon formed fast and hot, it was likely covered by a global magma ocean. As the molten rock gradually cooled and solidified, it formed the moon's mantle and the bright crust we see when we look up at a full moon at night. But deeper below the surface, the young moon was wildly out of equilibrium. Models suggest that the last dregs of the magma ocean crystallized into dense minerals including ilmenite, a mineral containing titanium and iron.

"Because these heavy minerals are denser than the mantle underneath, it creates a gravitational instability, and you would expect this layer to sink deeper into the moon's interior," said Weigang Liang, who led the research as part of his doctoral work at LPL.

Somehow, in the millennia that followed, that dense material did sink into the interior, mixed with the mantle, melted and returned to the surface as titanium-rich lava flows that we see on the surface today.

"Our moon literally turned itself inside out," said co-author and LPL associate professor Jeff Andrews-Hanna. "But there has been little physical evidence to shed light on the exact sequence of events during this critical phase of lunar history, and there is a lot of disagreement in the details of what went down—literally."

[...] In a previous study, led by Nan Zhang at Peking University in Beijing, who is also a co-author on the latest paper, models predicted that the dense layer of titanium-rich material beneath the crust first migrated to the near side of the moon, possibly triggered by a giant impact on the far side, and then sunk into the interior in a network of sheetlike slabs, cascading into the lunar interior almost like waterfalls. But when that material sank, it left behind a small remnant in a geometric pattern of intersecting linear bodies of dense titanium-rich material beneath the crust.

"When we saw those model predictions, it was like a lightbulb went on," said Andrews-Hanna, "because we see the exact same pattern when we look at subtle variations in the moon's gravity field, revealing a network of dense material lurking below the crust."

[...] "For the first time we have physical evidence showing us what was happening in the moon's interior during this critical stage in its evolution, and that's really exciting," Andrews-Hanna said. "It turns out that the moon's earliest history is written below the surface, and it just took the right combination of models and data to unveil that story."

"The vestiges of early lunar evolution are present below the crust today, which is mesmerizing," Broquet said. "Future missions, such as with a seismic network, would allow a better investigation of the geometry of these structures."

Journal Reference:
Liang, W., Broquet, A., Andrews-Hanna, J.C. et al. Vestiges of a lunar ilmenite layer following mantle overturn revealed by gravity data. Nat. Geosci. 17, 361–366 (2024).

Original Submission

posted by hubie on Sunday April 14, @05:07AM
from the politics-science-and-petty-cash dept.

Says Veritasium: #SaveChandra

NASA Budget Threatens Fate of Veteran X-Ray Telescope, Alarming Astronomers

It might be the end of the road for two of NASA's most iconic telescopes as the space agency looks to reduce the funding for the Hubble Space Telescope and the Chandra X-Ray Observatory, much to the dismay of scientists who rely heavily on the cosmic observations of the missions.

Shortly after the fate of its 2024 budget was sealed, NASA released its budget proposal for 2025, requesting $1.58 billion for its astrophysics division. Despite the 3% increase from what the space agency received this year to spend on astrophysics research, it represents a small reduction in the amount spent on Hubble and a major downgrade for Chandra's budget.

The proposed budget for Hubble Space Telescope in 2025 is $88.9 million, a slight decrease from $98.3 million in 2024, while the Chandra X-Ray Observatory would drop from $68.3 million in 2023 to $41.1 million in 2025 and a further reduction to $26.6 million the following year.

"The reduction to Chandra will start orderly mission drawdown to minimal operations," the budget document read. In its budget request, NASA argues that the Chandra spacecraft "has been degrading over its mission lifetime to the extent that several systems require active management to keep temperatures within acceptable ranges for spacecraft operations. This makes scheduling and the post processing of data more complex, increasing mission management costs beyond what NASA can currently afford."

Patrick Slane, director of the Chandra X-ray Center, responded in a statement, arguing that, while temperatures of the spacecraft have been increasing, the team has "developed thermal models and processes to manage this situation and have done so with amazing success—experiencing little or no decrease in observing efficiency, which far exceeds the initial requirements for the mission."

In the statement, Slane also expressed confusion over NASA's claim of increasing costs, recalling that there was only one instance in which the Chandra mission requested two additional people on the flight team, resulting in a 1% increase in cost in 2022.

Where TF are the gofundme or buymeacoffee links?

Original Submission

posted by hubie on Sunday April 14, @12:23AM
from the secure-chrome-$ dept.

Chrome Enterprise Premium. The future of web browsing for companies. More "security" and blocking, whitelisting, etc. Yours today for only $6 per user per month. Paying for the browser again, like stepping back in time. The best online security you can rent.

So will normal users buy it? Will it knock out the free "non-secure" version?

Original Submission

posted by janrinok on Saturday April 13, @07:41PM
from the ignorance-is-bliss-but-it-causes-cancer dept.

New federal rules require public systems to measure and mitigate certain harmful man-made chemicals:

Cordelia Saunders remembers 2021, the year she and her husband, Nathan, found out that they'd likely been drinking tainted water for more than 30 years. A neighbor's 20 peach trees had finally matured that summer, and perfect-looking peaches hung from their branches. Cordelia watched the fruit drop to the ground and rot: Her neighbor didn't dare eat it.

The Saunderses' home, in Fairfield, Maine, is in a quiet, secluded spot, 50 minutes from the drama of the rocky coast and an hour and 15 minutes from the best skiing around. It's also sitting atop a plume of poison.

For decades, sewage sludge was spread on the corn fields surrounding their house, and on hundreds of other fields across the state. That sludge is suspected to have been tainted with PFAS, a group of man-made compounds that cause a litany of ailments, including kidney and prostate cancers, fertility loss, and developmental disorders. The Saunderses' property is on one of the most contaminated roads in a state just waking up to the extent of an invisible crisis.

Onur Apul, an environmental engineer at the University of Maine and the head of its initiative to study PFAS solutions, told me that in his opinion, the United States has seen "nothing as overwhelming, and nothing as universal" as the PFAS crisis. Even the DDT crisis of the 1960s doesn't compare, he said: DDT was used only as an insecticide and could be banned by banning that single use. PFAS are used in hundreds of products across industries and consumer sectors. Their nearly 15,000 variations can help make pans nonstick, hiking clothes and plumber's tape waterproof, and dental floss slippery. They're in performance fabrics on couches, waterproof mascara, tennis rackets, ski wax. Destroying them demands massive inputs of energy: Their fluorine-carbon bond is the single most stable bond in organic chemistry.

"It's a reality for everyone; it's just a matter of whether they know about it," Apul said. As soon as any place in the U.S. does look squarely at PFAS, it will find the chemicals lurking in the blood of its constituents—in one report, 97 percent of Americans registered some level—and perhaps also in their water supply or farm soils. And more will have to look: Yesterday the Biden administration issued the first national PFAS drinking-water standards and gave public drinking-water systems three years to start monitoring them. The EPA expects thousands of those systems to have PFAS levels above the new standards, and to take actions to address the contamination. Maine is one step ahead in facing PFAS head-on—but also one step ahead in understanding just how hard that is.

Cordelia and Nathan both remember the dump trucks rumbling up the road. They'd stop right across the street every year and disgorge a black slurry—fertilizer, the Saunderses assumed at the time, that posed no particular bother. Now they know that the state approved spreading 32,900 cubic yards of sewage sludge—or more than 2,000 dump-truck loads—within a quarter mile of their house, and that the sludge came in large part from a local paper company. Now they wonder about that slurry.

Maine has a long, proud history as a papermaking state and a long, tortured history with the industry's toxic legacy, most notably from dioxin. In the 1960s, another group of compounds—per- and polyfluoroalkyl substances, or PFAS—began to be used in the papermaking process. The chemicals were miracle workers: A small amount of PFAS could make paper plates and food containers both grease-proof and water-resistant.

Then, in the '80s, the state encouraged spreading sewage sludge on fields as fertilizer, a seemingly smart use of an otherwise cumbersome by-product of living, hard to manage in a landfill. In principle, human manure can sub in for animal manure without much compromise. But in reality, sludge often contains a cocktail of chemical residues. "We concentrate them in sludge and then spread them over where we grow food. The initial idea is not great," Apul told me. The Saunderses first found out that the sludge-spreading had contaminated their water after the state found high PFAS levels in milk from a dairy farm two miles away. Maine's limit for six kinds of PFAS was 20 parts per trillion; state toxicologists found so much in the Saunderses' well water that when Nathan worked out the average of all the tests taken in 2021, it came to 14,800 parts per trillion, he told me.

Nathan used to work as an engineer for Maine's drinking-water-safety program, and he quickly pieced together the story of their street's contamination and just how bad it was. After state researchers tested their blood, Nathan remembers, a doctor told him that his levels of one PFAS were so high, they had hit the maximum the test could reliably report—2,000 micrograms per liter. So far, he's healthy, but he feels like he's living on borrowed time. Diseases related to environmental exposures can take decades to emerge, and although studies show that PFAS may degrade health at a population level, why some individuals fall ill and others don't isn't always clear. Cordelia told me that the neighbor who wouldn't eat the peaches is now on three medications for high cholesterol (which has been linked to PFAS), and that other neighbors have bladder or brain cancer.

[...] Several labs across the country are trying to find a way to unmake these chemicals, using foam fractionation, soil washing, mineralization, electron-beam radiation. David Hanigan, an environmental engineer at the University of Nevada at Reno, is studying whether burning PFAS at ultrahigh temperatures can break the carbon-fluorine bond completely. He once thought that PFAS researchers were out of their minds to be testing such wildly expensive solutions, he told me. But he's realized that PFAS are just that tough, and as a scientist, he thinks the original manufacturers of PFAS must have understood that. "It's upsetting from an organic-chemistry standpoint," he told me. Any chemist would have known that these compounds would persist in the environment, he said. Indeed, an investigation by The Intercept found that DuPont, among the original manufacturers of the compounds, did know, and for decades tried to obscure the harms the chemicals posed, something the UN Human Rights Council also contends. DuPont has consistently denied wrongdoing, and recently settled a lawsuit for $1.18 billion, helping create a fund for public water districts to address PFAS contamination. (In a statement to The Atlantic, a spokesperson for DuPont described the current company's history of corporate reorganization, and wrote that "to implicate DuPont de Nemours in these past issues ignores this corporate evolution.")

Original Submission

posted by janrinok on Saturday April 13, @02:53PM   Printer-friendly

Multiple links in the supply chain failed for years to identify an unfixed vulnerability:

Hardware sold for years by the likes of Intel and Lenovo contains a remotely exploitable vulnerability that will never be fixed. The cause: a supply chain snafu involving an open source software package and hardware from multiple manufacturers that directly or indirectly incorporated it into their products.

Researchers from security firm Binarly have confirmed that the lapse has resulted in Intel, Lenovo, and Supermicro shipping server hardware that contains a vulnerability that can be exploited to reveal security-critical information. The researchers, however, went on to warn that any hardware that incorporates certain generations of baseboard management controllers made by Duluth, Georgia-based AMI or Taiwan-based ATEN is also affected.

BMCs (Baseboard Management Controllers) are tiny computers soldered into the motherboard of servers that allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of servers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control just about every other aspect of the system—even when it's turned off. BMCs provide what's known in the industry as "lights-out" system management. AMI and ATEN are two of several makers of BMCs.

For years, BMCs from multiple manufacturers have incorporated vulnerable versions of open source software known as lighttpd. Lighttpd is a fast, lightweight web server that's compatible with various hardware and software platforms. It's used in all kinds of wares, including in embedded devices like BMCs, to allow remote administrators to control servers remotely with HTTP requests.

In 2018, lighttpd developers released a new version that fixed "various use-after-free scenarios," a vague reference to a class of vulnerability that can be remotely exploitable to tamper with security-sensitive memory functions of the affected software. Despite the description, the update didn't use the word "vulnerability" and didn't include a CVE vulnerability tracking number as is customary.

BMC makers including AMI and ATEN were using affected versions of lighttpd when the vulnerability was fixed and continued doing so for years, Binarly researchers said. Server manufacturers, in turn, continued putting the vulnerable BMCs into their hardware over the same multi-year period. Binarly has identified three of those server makers as Intel, Lenovo, and Supermicro. Intel hardware sold as recently as last year is affected. Binarly said that both Intel and Lenovo have no plans to release fixes because they no longer support the affected hardware. Affected products from Supermicro are still supported.

"All these years, [the lighttpd vulnerability] was present inside the firmware and nobody cared to update one of the third-party components used to build this firmware image," Binarly researchers wrote Thursday. "This is another perfect example of inconsistencies in the firmware supply chain. A very outdated third-party component present in the latest version of firmware, creating additional risk for end users. Are there more systems that use the vulnerable version of lighttpd across the industry?"

The vulnerability makes it possible for hackers to identify memory addresses responsible for handling key functions. Operating systems take pains to randomize and conceal these locations so they can't be used in software exploits. By chaining an exploit for the lighttpd vulnerability with a separate vulnerability, hackers could defeat this standard protection, which is known as address space layout randomization. The chaining of two or more exploits has become a common feature of hacking attacks these days as software makers continue to add anti-exploitation protections to their code.

Tracking the supply chain for the many BMCs used across server hardware is difficult. So far, Binarly has identified AMI's MegaRAC BMC as one of the vulnerable BMCs. The security firm has confirmed that the AMI BMC is contained in the Intel Server System M70KLP hardware. Information about BMCs from ATEN or hardware from Lenovo and Supermicro isn't available at the moment. The vulnerability is present in any hardware that uses lighttpd versions 1.4.35, 1.4.45, and 1.4.51.

Attempts to reach lighttpd developers and most of the makers of affected hardware weren't immediately successful. An AMI representative declined to comment on the vulnerability but added the standard statements about security being an important priority.

The lighttpd flaw is what's known as a heap out-of-bounds read vulnerability that's caused by bugs in HTTP request parsing logic. Hackers can exploit it using maliciously designed HTTP requests.
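As an added illustration, not code from the article or from Binarly, here is a small Python triage script a server operator could run over HTTP responses already captured from their own BMCs: it reads the lighttpd version advertised in the Server header and compares it with the releases named above. The hostnames and responses are constructed, and treating versions older than 1.4.51 as merely suspect is an assumption, since the article does not say which release carries the fix.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# lighttpd releases the article names as carrying the flaw.
LISTED_AFFECTED = {(1, 4, 35), (1, 4, 45), (1, 4, 51)}
NEWEST_LISTED = max(LISTED_AFFECTED)

# Matches e.g. "Server: lighttpd/1.4.35" on its own line in the header block.
SERVER_RE = re.compile(r"^Server:[ \t]*lighttpd/(\d+)\.(\d+)\.(\d+)",
                       re.IGNORECASE | re.MULTILINE)

def parse_lighttpd_version(raw_response: str) -> Optional[Version]:
    """Return the lighttpd version advertised in a raw HTTP response, or
    None when the Server header is absent or names another product."""
    header_block = raw_response.split("\r\n\r\n", 1)[0]  # body is untrusted, ignore it
    m = SERVER_RE.search(header_block)
    return tuple(int(g) for g in m.groups()) if m else None

def classify(version: Optional[Version]) -> str:
    """Triage verdict for one BMC. Versions older than the newest listed
    release are marked suspect (assumption: the fix is not in an older
    release), not confirmed-affected. A missing header is not a clean bill:
    vendor firmware may strip or rewrite it, so such hosts need a firmware
    inspection instead."""
    if version is None:
        return "unknown: no lighttpd Server header, inspect firmware image"
    if version in LISTED_AFFECTED:
        return "affected: version named in the Binarly report"
    if version < NEWEST_LISTED:
        return "suspect: older than the newest listed affected release"
    return "review: not listed, check the vendor advisory"

def audit(responses: Dict[str, str]) -> Dict[str, str]:
    """Map each BMC host to a verdict, given the raw HTTP response it sent."""
    return {host: classify(parse_lighttpd_version(r)) for host, r in responses.items()}

# Constructed sample responses standing in for captures from hypothetical lab BMCs.
SAMPLE_RESPONSES = {
    "bmc-a.lab": "HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.35\r\nContent-Length: 0\r\n\r\n",
    "bmc-b.lab": "HTTP/1.1 401 Unauthorized\r\nserver: lighttpd/1.4.40\r\n\r\n",
    "bmc-c.lab": "HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.76\r\n\r\nServer: lighttpd/1.4.35\r\n",
    "bmc-d.lab": "HTTP/1.1 200 OK\r\nServer: GoAhead-Webs\r\n\r\n",
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{host}: {verdict}")
```

A banner check is only a first pass; the authoritative answer for a given BMC is the lighttpd binary inside its firmware image, which is what Binarly examined.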

Original Submission