2022-01-01 06:02:19 ..
2022-06-22 11:02:34 UTC
2022-06-27 11:52:53 UTC --fnord666
We always have a place for talented people, visit the Get Involved section on the wiki to see how you can make SoylentNews better.
In this one, there's a heap overflow bug in the legacy_parse_param in the Linux kernel's fs/fs_context.c program. This parameter is used in Linux filesystems during superblock creation for mount and superblock reconfiguration for a remount. The superblock records all of a filesystem's characteristics such as file size, block size, empty and filled storage blocks. So, yeah, it's important.
The legacy_parse_param() "PAGE_SIZE - 2 - size" calculation was mistakenly made anunsigned type. This means a large value of "size" results in a high positive value instead of a negative value as expected. Whoops.
This, in turn, meant you copy data beyond the memory slab allocated for it. And, as all programmers know, writing beyond the memory your program is supposed to have access to is a terrible thing.
[...] So, how bad is it? By the Common Vulnerability Scoring System (CVSS) v3.1 scoring test, it's a solid 7.7. That's considered a high-security vulnerability.
A local attacker can use it to escalate their user privileges or crash the system. This can be done with a specially crafted program that triggers this integer overflow. That done, it's trivial to execute arbitrary code and give the attacker root privileges.
To exploit it requires the CAP_SYS_ADMIN privilege to be enabled. If that's the case, an unprivileged local user can open a filesystem that does not support the File System Context application programming interface (API). In this situation, it drops back to legacy handling, and from there, the flaw can escalate an attacker's system privileges.
A rise in cheap, easy-to-use malware means it's easier than ever for cyber criminals to steal cryptocurrency.
[...] the growing value of cryptocurrency means it has quickly become a key target for cyber criminals and they're increasingly launching attacks which aim to steal cryptocurrency from the wallets of individual users.
Research by Chainalysis warns that cryptocurrency users are increasingly under threat from malware including information stealers, clippers – which allow attackers to replace text the user has copied, redirecting cryptocurrency to their own wallets – and trojans, all of which can be purchased for what's described as "relatively little money" on cyber criminal forums.
For example, a form of info stealer malware called Redline is advertised on Russian cyber crime forums at $150 for a month's subscription or $800 for 'lifetime' access. For a cyber criminal looking to steal cryptocurrency, it's sadly highly likely they'll make back the money paid for the malware within a handful of attacks.
The illicit service also provides users with a tool which allows attackers to encrypt the malware so it's more difficult for anti-virus software to detect, increasingly the likelihood of attacks successfully stealing cryptocurrency from compromised victims.
"The proliferation of cheap access to malware families like Redline means that even relatively low-skilled cybercriminals can use them to steal cryptocurrency," warns the report.
Overall, the malware families in the report have received 5,974 transfers from victims in 2021, up from 5,449 in 2020 - although that's down significantly on 2019 which saw more that 7,000 transfers.
What do you call a broken satellite? Today, it's a multimillion-dollar piece of dangerous space junk.
But a new collision-avoidance system developed by students at the University of Cincinnati [UC] is getting engineers closer to developing robots that can fix broken satellites or spacecraft in orbit.
UC College of Engineering and Applied Science doctoral students Daegyun Choi and Anirudh Chhabra presented their project at the Science and Technology Forum and Exposition in January in San Diego, California. Hosted by the American Institute of Aeronautics and Astronautics, it's the world's largest aerospace engineering conference.
"We have to provide a reliable collision-avoidance algorithm that operates in real time for autonomous systems to perform a mission safely. So we proposed a new collision-avoidance system using explainable artificial intelligence," Choi said.
He has been working on similar projects at UC for the past two years, publishing three articles in peer-reviewed journals based on Choi's novel algorithms.
UC researchers tested their system in simulations, first by deploying robots in a two-dimensional space. Their chosen digital battlefield? A virtual supermarket where multiple autonomous robots must safely navigate aisles to help shoppers and employees.
"This scenario presents many of the same obstacles and surprises that an autonomous car sees on the road," study co-author and UC assistant professor Donghoon Kim said.
[...] "Emerging AI is physics-informed rather than relying solely on data," Kim said. "If we know the physical behavior, we can use that as well as the data so we can get more meaningful information and a reliable AI model."
Daegyun Choi, Anirudh Chhabra, and Donghoon Kim. Collision Avoidance of Unmanned Aerial Vehicles Using Fuzzy Inference System-Aided Enhanced Potential Field, (DOI: 10.2514/6.2022-0272)
Inflation and a potential stock market crash. These are the two biggest threats to the US economy and to the financial wellbeing of Americans, so says a survey by personal finance software firm Quicken.
The Menlo Park, Calif.-based Quicken/SurveyMonkey online poll was taken earlier this month, which consisted of a sample of 1,200 US adults ages 18 to 74 from the Cint Consumer Network, according to Quicken's press release.
The survey revealed that nearly three-fourths who responded to the survey (71%) ranked inflation (currently at 7% and the highest since the early 1980s), as the top concern, followed by new COVID-19 variants, supply chain disruptions and a stock market crash. On that last point, the survey noted that 52% surveyed agree that there will be a stock market crash in the next five years. Of that group, 58% expect a looming stock market crash will impact their finances negatively, according to the press release.
Yet not everyone views a potential crash as such a bad prospect. Some Americans saw the financial gains that more aggressive investors had made from the day of the 2008 stock market crash, and are now looking to capitalize for the next one. According to the press release, 52% of self-described "aggressive" investors are likely to say the 2008 crash benefited them financially, compared to 18% of so-called "conservative" investors. What's more, 71% of aggressive investors, compared to 20% of conservative investors, believe a stock market crash in the future would benefit them financially. A notable percentage of respondents who believe there's going to be a crash in the next five years – 35% – agree that they're waiting for a crash in order to invest some extra cash.
A sizable percentage of younger adult generations surveyed – Millennial and Gen Z – also see the benefits to a future stock market crash. According to the survey, 41% of Gen Z and 36% of Millennials agree that they are waiting for a stock crash in order to invest their extra cash. Another 30% of Gen Z and 28% of Millennials say they're waiting for a crash so that they can start investing, according to the press release.
Security researchers have unveiled MoonBounce, a custom UEFI firmware implant used in targeted attacks.
The implant is believed to be the work of APT41, a Chinese-speaking sophisticated hacking group also known as Winnti or Double Dragon.
On January 20, Kaspersky researchers said that at the end of last year, the team uncovered a case of Unified Extensible Firmware Interface (UEFI) compromise caused by the modification of one component in the firmware – a core element called SPI flash, located on the motherboard.
"Due to its emplacement on SPI flash which is located on the motherboard instead of the hard disk, the implant is capable of persisting in the system across disk formatting or replacement," the team noted.
Not only did the tweak to the firmware result in persistence at a level that is extremely difficult to remove, the team says that the firmware image was "modified by attackers in a way that allowed them to intercept the original execution flow of the machine's boot sequence and introduce a sophisticated infection chain."
The developer of the MoonBounce UEFI rootkit is said to have a deep and thorough understanding of how UEFI systems work.
"The source of the infection starts with a set of hooks that intercept the execution of several functions in the EFI Boot Services Table, namely AllocatePool, CreateEventEx and ExitBootServices," the researchers explained. "Those hooks are used to divert the flow of these functions to malicious shellcode that is appended by the attackers to the CORE_DXE image, which in turn sets up additional hooks in subsequent components of the boot chain, namely the Windows loader."
The rapid roll-out of gigabit broadband throughout the UK is a source of pride for the UK government, indeed singled out by prime minister Boris Johnson as one of his personal triumphs, but a report from the UK parliamentary Public Accounts Committee (PAC) is doubting whether the Department for Digital, Culture, Media and Sport (DCMS) will meet even its downgraded target to roll out super-fast, gigabit broadband to 85% of the UK by 2025.
Furthermore, the PAC warns that despite the progress that has been made in taking full-fibre across the country, energising the altnet provider industry, the DCMS is relying too heavily on commercial contractors for the progress that has been made.
[...] However, by November 2020, the UK government began backtracking on its ambitious targets. When announcing his Spending Review in late November 2020, Sunak rowed back, reducing the original commitment to provide £5bn of public funding for hard-to-reach areas that have been traditionally badly served by broadband providers.
[...] The PAC said then that it appeared "clear that government's 2019 election pledge to deliver nationwide gigabit broadband connectivity by 2025 was unachievable", noting the UK government has committed less than a quarter of the £5bn funding needed to support roll-out to the hardest-to-reach 20% of premises. It slammed what it called a "litany" of UK government failures in gigabit broadband roll-out. In 2020, the DCMS accepted its original plan for delivering nationwide gigabit broadband across the country by 2025 was unachievable and revised that target down to 85% coverage by 2025.
Financial trade publications are starting to raise serious questions about the valuation of Virgin Galactic, which became publicly traded in 2019 via a special-purpose acquisition company [SPAC]. The latest issue involves the company's plans to raise up to $425 million of convertible debt, which essentially allows Virgin Galactic to receive a lower interest rate on debt in exchange for a fixed price on stock shares. The Financial Times explains more here. Apparently, the terms of this deal (the financial wizardry of which is beyond the capacities of a simple space writer) were adverse for existing shareholders.
Publications have also started to take note of the stark disconnect between Virgin Galactic's projections at the time it went SPAC in 2019 and where it is today. For example, Virgin Galactic forecast $398 million in revenues in calendar year 2022, whereas analysts now expect it to bring in $7.9 million. "Let's just hope their aerospace engineering is a touch more precise than their financial engineering. For their customers' sake," the Financial Times says snarkily. Virgin Galactic's stock has fallen from a high of $59.41 in February 2021 to less than $10 today.
Virgin Orbit's [note: not Virgin Galactic] LauncherOne rocket lofted seven small satellites for three different customers on January 13, Space.com reports. This marks the third straight successful mission for the California-based company. LauncherOne flew for the first time in May 2020 on a test flight that carried no satellites. That launch failed after a fuel line in the rocket's first-stage engine ruptured.
Since then, Virgin Orbit's next three flights have all gone orbital. For a company just starting to launch rockets, one launch every six months is an impressive cadence. This month's flight really helps to establish LauncherOne's status as a reasonably timely and reliable small-satellite rocket.
The knock-on effects for the rest of the world might not be limited to intentional reprisals by Russian operatives. Unlike old-fashioned war, cyberwar is not confined by borders and can more easily spiral out of control.
Ukraine has been on the receiving end of aggressive Russian cyber operations for the last decade and has suffered invasion and military intervention from Moscow since 2014. In 2015 and 2016, Russian hackers attacked Ukraine's power grid and turned out the lights in the capital city of Kyiv— unparalleled acts that haven't been carried out anywhere else before or since.
The 2017 NotPetya cyberattack, once again ordered by Moscow, was directed initially at Ukrainian private companies before it spilled over and destroyed systems around the world.
NotPetya masqueraded as ransomware, but in fact it was a purely destructive and highly viral piece of code. The destructive malware seen in Ukraine last week, now known as WhisperGate, also pretended to be ransomware while aiming to destroy key data that renders machines inoperable. Experts say WhisperGate is "reminiscent" of NotPetya, down to the technical processes that achieve destruction, but that there are notable differences. For one, WhisperGate is less sophisticated and is not designed to spread rapidly in the same way. Russia has denied involvement, and no definitive link points to Moscow.
NotPetya incapacitated shipping ports and left several giant multinational corporations and government agencies unable to function. Almost anyone who did business with Ukraine was affected because the Russians secretly poisoned software used by everyone who pays taxes or does business in the country.
The White House said the attack caused more than $10 billion in global damage and deemed it "the most destructive and costly cyberattack in history."
There can be no 'winners' - but are we even ready to defend ourselves against a cyberwar?
The US Air Force is enlisting Elon Musk's help in developing a way to deliver military supplies and humanitarian aid via SpaceX rockets.
The company has signed a contract with the US Department of Defense worth over $102 million to provide point-to-point transit for cargo via space.
[...] The contract, awarded Friday, falls under the Air Force Research Laboratory's rocket cargo program, which aims to take advantage of the falling price of heavy launch capabilities that SpaceX and other companies have brought to the market in recent years.
Program manager Greg Spanjers told SpaceNews earlier this week that the military is "very interested in the ability to deliver the cargo anywhere on Earth to support humanitarian aid and disaster relief."
The contract doesn't specify which SpaceX rocket or vehicle the initiative will utilize. SpaceX has used its Falcon 9 rocket and Falcon Heavy (which is made up of three Falcon 9 boosters) for military missions in the past, but Musk has made clear that he views Starship as the vehicle of the future.
Using a combination of cutting-edge computational techniques, the scientists found that under special conditions, these triangular-patterned materials can end up in a mashup of three different phases at the same time. The competing phases overlap, with each wrestling for dominance. As a result, the material counterintuitively becomes more ordered when heated up, the scientists reported in Physical Review X.
"This is uncharted territory," says study lead author Alexander Wietek [...]. "Experimentalists had seen these peculiar properties, but they didn't know what the individual electrons in the materials were doing. Our role as theorists is to understand from the bottom up what's actually happening."
The findings could help researchers develop materials for future electronics, Wietek says. This is because the odd properties, he says, are indicative of an elusive state of matter sought for potential use in error-correcting quantum computing. [...] The researchers investigated how the electrons in the materials behave. Electrons determine almost all a material's properties, from magnetism to conductivity and even color.
Grasping the collective behavior of the electrons is a monumental task. When two particles interact, they become quantum mechanically entangled with one another. Even once they're separated, their fates remain entwined, and they can't be treated separately.
The behavior of electrons in a material depends on the layout of the atoms, and the triangular lattice arrangement is fascinating. That's because electrons have a spin, which can point either up or down. An electron might, for instance, want to have a different spin direction than its neighbors. But in a triangle with three atoms and only two spin directions, "someone is always going to be unhappy," Wietek says. "This causes the system to fluctuate because it doesn't really know what to do." Quantum physicists call this 'geometric frustration.'
Experimentalists had previously observed unexpected behavior in materials with triangular lattices, such as in twisted layers of tungsten diselenide[*] or boron nitride[**]. Wietek and his colleagues investigated by setting up a simple model to see what the electrons were doing. Their model is a grid of triangles, with each connecting point serving as a site that electrons can inhabit. Each site can host up to two electrons so long as they have opposite spins. In the model, there were as many electrons as sites.
Despite the seeming simplicity of the model, calculating the collective electron behavior was daunting. The researchers therefore combined three different computational methods, with each bringing unique strengths to the problem. Using so many approaches to tackle one problem is a recent cultural shift in the field that allows physicists to tackle thornier problems, Wietek says.
The researchers could tweak conditions in their model by raising the temperature or changing the interaction strength between electrons. Higher temperatures provide the electrons with more energy, usually causing them to fluctuate more wildly. A stronger interaction strength results in electrons settling down into a single site, a phenomenon called localization.
The researchers ran their computations with different temperatures and interaction strengths. They observed that the model transitioned from a metallic phase to an insulating phase. The insulating phase was particularly intriguing. Typically, increasing temperature causes electrons to fluctuate freely and act with greater disorder. But in the case of the triangular lattice, the electrons preferred to localize and become more ordered as the thermostat rose.
By looking at what the electrons were doing, the researchers discovered the cause of this paradoxical effect: The electrons were attempting to organize themselves simultaneously in three competing ways. As the material's temperature increased, this effect broke down, and the material became more orderly.
[*] Tungsten diselenide on Wikipedia.
[**] Boron nitride on Wikipedia.
YouTube video https://youtu.be/DVtB-Lu3gn0
Alexander Wietek, Riccardo Rossi, Fedor Šimkovic, IV, et al. Mott Insulating States with Competing Orders in the Triangular Lattice Hubbard Model [open], Physical Review X (DOI: 10.1103/PhysRevX.11.041013)
Since they came into use by physicians and researchers, Brain-Computer Interfaces (BCIs) or Brain-Machine Interfaces (BMIs) have provided ways to treat neurological disorders and shed light on how the brain functions. As beneficial as they've been, BCIs have potential to go far beyond the technology's current capabilities. In a collaboration between the Yale School of Engineering & Applied Science (SEAS) and Yale School of Medicine, a team of researchers are looking to break through these limitations.
"The goal is to build a class of ultra-low-power devices that are safe for chronic implantation in humans," said Abhishek Bhattacharjee, associate professor of computer science. "Chronic implantation opens the door to a number of clinical uses, ranging from implants to treat epilepsy and movement disorders to designing assistive devices for patients with paralysis, as well as many research uses."
[...] The tricky part about this goal is that these implantable BCIs are limited by how much power they use. Federal and international guidelines state that BCIs must not use more than 15 to 40 milliwatts of power, depending on the depth within the brain tissue that the BCI is implanted. Anything beyond that is unsafe for chronic implantation in humans. Excessive power dissipation causes the devices to overheat, which brings the risk of damaging the cellular tissue of the brain. The SEAS researchers' task, then, is broadening the potential of these devices while staying within a very constrained power limit. They're limiting the power of their own device to 15 milliwatts, which would allow it to be placed deeper into the brain, where power constraints are more stringent.
"So, it's power-constrained, but at the same time, there are some serious computation needs here—you need to be able to read and perform fairly sophisticated signal processing on more and more data from the brain for these devices to be more useful," Bhattacharjee said. "How you do all of this under really tight power budgets of 10 to 15 milliwatts is a wide-open question."
To that end, they've developed HALO (Hardware Architecture for Low-power BCIs), a general-purpose architecture for implantable BCIs. The technology allows for the treatment of various conditions, and records and processes data for studies to advance our understanding of the brain. The technology includes a chip and sensors and allows for a microelectrode array that reads roughly 50 megabits per second from 96 distinct parts of the brain. And unlike other BCIs, which are designed for one specific purpose — treating epilepsy, for example — the HALO technology can support numerous tasks. This is all achieved while operating within the team's strict power budget.
[...] "One of the things that I'm particularly excited about in our research is that it shows that if you build BCIs that can balance specialized hardware with general purpose hardware in a principled way, you can actually be under the power limit, while supporting a much broader class of computational functionalities than what existing devices support," Bhattacharjee said. He also believes that the results point to a broader question beyond BCIs, particularly because the waning of Dennard scaling (the principle that as transistors get smaller, their power stays constant) "poses questions about how best to determine what to build hardware accelerators for, how to integrate these hardware accelerators seamlessly, and how to enable a modular platform that can naturally slot in new accelerators. HALO is an exemplar of these research questions."
Shixian Wen, Allen Yin, Tommaso Furlanello, et al. Rapid adaptation of brain–computer interfaces to new neuronal ensembles or participants via generative modelling, Nature Biomedical Engineering (DOI: 10.1038/s41551-021-00811-z)
A U.S. adversary is not engaged in a sustained global campaign aimed at harming or collecting intelligence on hundreds of American diplomats serving abroad, according to an interim CIA finding on the so-called Havana Syndrome.
But there remain a significant number of cases that the agency cannot yet attribute to a specific source. The interim finding, described to POLITICO by three intelligence officials, does not rule out the possibility that a foreign actor or a sophisticated weapon is behind a specific, smaller number of mysterious incidents that have stumped U.S. officials for more than five years.
The new CIA-prepared interim finding assesses that the vast majority of reported cases can be explained by medical, environmental or technical factors — including previously undiagnosed illnesses — and that it is "unlikely" that a malicious state actor is inflicting purposeful harm on U.S. diplomats on a far-reaching, worldwide scale. The broader intelligence community has varying levels of confidence in that assessment.
"There's no one explanation" for the large number of reported cases around the world, a senior CIA official said, insisting "we don't see a global campaign by a foreign actor." There are still unresolved cases, the official continued, and the CIA is still open to the notion that a nation-state or specific device is causing symptoms such as headaches and nausea — if the agency finds evidence to that effect.
[...] "We would definitely not rule out the possibility of foreign-actor involvement in some discrete cases," the official said, adding that "we have not identified a causal mechanism, a novel weapon, that's been used at this point" on a worldwide scale, including a long-suspected directed-energy weapon.
The Federal Employees Compensation Act program has issued guidance on coverage of what it calls the "anomalous health incidents" known as Havana Syndrome [...] Federal employees experiencing such symptoms should file a standard claim form "as current understanding of AHIs are that they are specific events that occur over a single day or work shift" and should designate that as the specific cause, it says. Such claims are to be reviewed by a special claims unit which will consider "medical evidence submitted to determine if any medical conditions have been diagnosed in connection with the AHI incident."
Also at NYT.
This actually seem to have started at least early in December. Microsoft (Hotmail) seemed to block all incoming mail from Linode, without alerting the recipient or routing to the spam folder. Looks like the problem is still afflicting Linode customers.
"Microsoft appears to have delivered the unwanted Christmas gift of email blocklisting to Linode IP addresses, and two weeks into 2022 the company does not seem ready to relent.
Problems started as large chunks of the world began packing up for the festive period. Complaints cropped up on Linode's support forums when customers began encountering problems sending email to Microsoft 365 accounts from their own email servers.
[...] More recently, the Linode team has offered to swap out affected IPv4 addresses for unaffected ones – or, for a fee, it will add some new ones to users faced with the problem. "While we cannot control how long it takes for Microsoft to address the issues on their end," said Linode, "we do have potential solutions that we can offer in order to help customers avoid the current 'Banned Sender' bounces."
[...] Blocklisting IP addresses to prevent the delivery of unwanted emails is not a particularly complicated concept, although Microsoft has perhaps been a little more enthusiastic about this than is strictly necessary over the years. In 2019, tsoHost's bulk email domain found itself on the naughty step for Outlook and Hotmail addresses and getting itself off again proved a bit of a challenge.
Linode itself is an infrastructure-as-a-service outfit, with data centres spread around the world. One can host one's applications (including email services) and data on its platform as an alternative to the bigger boys. Right up until Microsoft decides to slap the IP addresses one is sending from on to a blocklist.
The research suggests that organizations that take a hands-off approach to the structure and governance of project teams create an environment of creative flexibility. This built-in flexibility makes teams more responsive to needed changes in the software they're building, boosting performance and customer satisfaction.
"By giving greater autonomy to your teams, you allow them to exercise greater judgment about what would actually work based on their project requirements," said Indranil Bardhan, a professor of information, risk and operations management at UT Austin's McCombs School of Business and co-author of the study. "We show there's no one right way of achieving superior project performance, no one-size-fits-all."
[...] Bardhan and co-author Narayan Ramasubbu of the University of Pittsburgh tested the performance of both agile and traditional project teams over 50 months in a real-world policy experiment at a major software company based in India. The company had 125,000 software developers around the world working on projects that adhered to an ideal operations profile closely monitored through a central unit.
Senior company directors wanted to learn whether greater autonomy for software development teams would hurt or help performance. For the study, they implemented a policy change granting greater autonomy to certain teams and agreeing to provide data on key performance measures -- for both autonomous and nonautonomous teams -- before and after the policy change.
Narayan Ramasubbu and Indranil R. Bardhan. Giving project teams more autonomy boosts productivity and customer satisfaction, MIS Quarterly, 2021 [abstract]
In the latest examples of satellite companies muscling in on the connectivity arena, operator Intelsat has commissioned Thales Alenia Space to build two software-defined satellites to advance its global fabric of software-defined GEO connectivity as part of its 5G software-defined network, while renewable energy firm RWE is using internet of things (IoT)-over satellite technology provided by Inmarsat at its at its hydroelectric power facilities.
[...] The contract is said to enable the continued advancement of Intelsat's planned global software-defined satellite-based network, adding high-speed, dynamically allocated connectivity across Africa, Europe, the Middle East and Asia for commercial and government mobility services and cellular backhaul.
The new craft will be based on the Space Inspire product line, allowing telecommunications mission and services reconfiguration, instant in-orbit adjustment to broadband connectivity demand, and what is claimed to be superior video-broadcasting performance while maximising the effective use of satellite resources.
[...] The two new craft are scheduled to be in service in 2025 and will join two Airbus-constructed software-defined satellites, Intelsat 42 (IS-42) and 43 (IS-43), announced just over a year ago.