SoylentNews is people

posted by Fnord666 on Tuesday April 12 2022, @09:03PM

Amazon RDS Vulnerability Led to Exposure of Credentials:

Amazon Web Services (AWS) on Monday announced that it recently addressed a vulnerability in Amazon Relational Database Service (RDS) that could lead to the exposure of internal credentials.

Amazon RDS is a managed database service that offers support for several database engines, including Amazon Aurora, AWS's own database engine, which offers support for MySQL and PostgreSQL.

The addressed security issue was identified in the Aurora PostgreSQL engine, more specifically in the third-party open-source PostgreSQL extension "log_fdw," which allows a user to leverage the SQL interface to access the database engine log, as well as to build foreign tables.

[...] The log_fdw extension, AWS also notes, is pre-installed in both Aurora PostgreSQL and Amazon RDS for PostgreSQL. A privileged, authenticated user able to trigger the bug could use the leaked credentials to gain elevated access to database resources.

"They would not be able to use the credentials to access internal RDS services or move between databases or AWS accounts. The credentials could only be used to access resources associated with the Aurora database cluster from which the credentials were retrieved," AWS notes.

The researcher reported the vulnerability to Amazon on December 9, 2021. An initial patch was released on December 14, but roughly three months were needed to deploy the fix to all customers.

The company updated both Aurora PostgreSQL and RDS for PostgreSQL to resolve the issue and also deprecated a series of minor versions, preventing users from creating new instances with those versions.


posted by Fnord666 on Tuesday April 12 2022, @05:18PM

Qualcomm completes Arriver acquisition to bulk up software prowess in ADAS, self-driving vehicles:

Qualcomm wrapped up its acquisition of Veoneer's advanced driver assistance/self driving vehicle software arm on Monday, highlighting the San Diego company's bid to become a key technology supplier to automakers as it diversifies beyond smartphones.

Financial details regarding the complex transaction were not available. Qualcomm plans to discuss the terms during its quarterly earnings conference call later this month.

But the acquisition of Veoneer's Arriver software division positions Qualcomm to compete head-to-head against industry leader Mobileye in the camera-based autonomous driving and vehicle safety technologies market.

[...] Qualcomm already is a significant silicon supplier to automakers, with sales topping $1 billion last year. The company has a $13 billion backlog of pending orders.

This pipeline, however, is centered on technologies that provide 4G/5G, Bluetooth and Wi-Fi connectivity, navigation and entertainment, vehicle diagnostics and digital dashboards.

Recently, Qualcomm added Snapdragon Ride to its automotive product line-up. It delivers Advanced Driver Assistance Systems (ADAS) and limited self-driving features.

To date, Snapdragon Ride customers include General Motors, BMW, Ferrari and Renault. Arriver was a Qualcomm partner before the acquisition.

With this deal, Qualcomm isn't aiming to deliver full-fledged driverless capabilities known as Level 4/Level 5 autonomy—at least not yet.

Instead, it is targeting Level 2+ and Level 3 autonomy. That means motorists remain behind the wheel but gain ADAS safety features and limited self-driving functionality.


posted by Fnord666 on Tuesday April 12 2022, @02:26PM

Elon Musk isn't joining Twitter's board of directors after all:

Elon Musk's stint on Twitter's board of directors has ended before it even began. The SpaceX and Tesla CEO has scrapped plans to buff his resumé with a seat on Twitter's board, though his status as the company's biggest shareholder will still give him some influence over the platform.

The change in plans was announced by Twitter CEO Parag Agrawal on Sunday night. In an internal note he subsequently posted to Twitter, Agrawal stated that Musk had directly discussed joining Twitter's board with them, and that the board had offered him a seat, but that he pulled out at the last minute on the day he was to be officially appointed.

[...] "We announced on Tuesday that Elon would be appointed to the Board contingent on a background check and formal acceptance," Agrawal continued. "Elon's appointment to the board was to become officially effective 4/9, but Elon shared that same morning that he will no longer be joining the board."

Though Agrawal did not provide a reason why Musk backed down, and Musk has not commented publicly, it's reasonable to speculate that the restrictions placed on Twitter's board members may have been a contributing factor.

Elon Musk Is Poised For A Hostile Takeover Against Twitter:

An incredibly wealthy person quietly accumulated shares in a company some deem undervalued. That investor has gone public with concerns about the firm, questioning everything from its basic revenue model to employee culture, and rejected an offer from the business to join its inner circle and call off the attack.

We've seen where such a scenario ends dozens of times over the past decades: The rich shareholder is perfectly positioned to initiate a hostile takeover of a company. And now that's the reality confronting Twitter after Elon Musk has decided not to take a board seat, a role for him announced with some fanfare last week by CEO Parag Agrawal and founder Jack Dorsey. A day earlier, Musk, the world's richest person, revealed he'd amassed a 9.2% stake in the company, making him its largest shareholder.

"This now goes from a Cinderella story with Musk joining the Twitter board to likely a Game of Thrones battle between Musk and Twitter," says Dan Ives, a Wedbush analyst who covers Tesla, one of two companies Musk runs. (SpaceX is the other.)

Previously:
Elon Musk Will Join Twitter's Board of Directors


posted by Fnord666 on Tuesday April 12 2022, @11:40AM

Researchers discover novel way to inhibit key cancer driver, other mutated genes:

CU Boulder researchers have discovered a new way to inhibit the most commonly mutated gene underlying human tumor growth, opening the door to new therapeutic strategies for cancer and a host of other diseases.

The discovery, published April 5 in the journal Cell Reports, marks an important step forward in the decades-long quest to target transcription factors (TFs), a notoriously hard-to-block class of proteins which, when mutated or dysregulated, can disrupt cell function and drive illness.

"This class of proteins represents one of the most high-impact therapeutic targets in biomedicine," said senior author and biochemistry Professor Dylan Taatjes. "We provide a completely new strategy for blocking transcription factor function that could have broad applications to many diseases, including and beyond cancer."

[...] "A decades-long goal has been to target drug transcription factors directly," said Taatjes. "Here we have found a way to get the functional equivalent without actually targeting the transcription factor but Mediator instead. And, importantly, this does not negatively affect other transcription factors in the cell."

Taatjes stressed that the work is a proof-of-concept study, and that much more research must be done before such a strategy could become implemented in the clinic.

Ultimately, he said the approach could be applied to many other TFs that have been implicated in disease, opening the door to new treatment strategies for everything from heart disease to neurological disorders.

Journal Reference:
Benjamin L. Allen et al, Suppression of p53 response by targeting p53-Mediator binding with a stapled peptide, Cell Reports (2022). (DOI: 10.1016/j.celrep.2022.110630)


posted by Fnord666 on Tuesday April 12 2022, @09:05AM

Activision Blizzard's new full-time jobs come with a bit of union busting:

Hours after announcing it would convert over 1,000 temporary and contract QA employees to full time and provide a minimum pay of $20 per hour, Activision Blizzard is stating that Raven Software QA workers will not be part of that deal. According to a report from Bloomberg, the QA testers at Raven Software who recently organized as the Game Workers Alliance will not be able to take advantage of the new pay minimum — something Activision Blizzard failed to mention upfront when it sent the initial news to media outlets. Excluding organizing employees from company-wide benefits seems to be Activision Blizzard's latest move against the burgeoning labor movement going on at the company.

[...] In addition to that statement, Activision Blizzard also provided The Verge with a copy of the email that Brian Raffel, Raven Software studio head, sent out to employees.

[...] The email seems expertly crafted to have a chilling effect on the Game Workers Alliance's continued efforts to establish the company's first union. Phrasing like "through direct dialogue with each other, we improved pay, expanded benefits, and provided professional opportunities" sends the message that organizers' union activities have prevented them from enjoying the benefits the company is extending to others.


posted by Fnord666 on Tuesday April 12 2022, @05:50AM

Trend says hackers have weaponized SpringShell to install Mirai malware:

Researchers on Friday said that hackers are exploiting the recently discovered SpringShell vulnerability to successfully infect vulnerable Internet of Things devices with Mirai, an open source piece of malware that wrangles routers and other network-connected devices into sprawling botnets.

When SpringShell (also known as Spring4Shell) came to light last Sunday, some reports compared it to Log4Shell, the critical zero-day vulnerability in the popular logging utility Log4J that affected a sizable portion of apps on the Internet. That comparison proved to be exaggerated because the configurations required for SpringShell to work were by no means common. To date, there are no real-world apps known to be vulnerable.

Researchers at Trend Micro now say that hackers have developed a weaponized exploit that successfully installs Mirai. A blog post they published didn't identify the type of device or the CPU used in the infected devices. The post did, however, say a malware file server they found stored multiple variants of the malware for different CPU architectures.

"We observed active exploitation of Spring4Shell wherein malicious actors were able to weaponize and execute the Mirai botnet malware on vulnerable servers, specifically in the Singapore region," Trend Micro researchers Deep Patel, Nitesh Surana, and Ashish Verma wrote. The exploits allow threat actors to download Mirai to the "/tmp" folder of the device and execute it following a permission change using "chmod."


posted by hubie on Tuesday April 12 2022, @02:35AM
from the the-seasons-come-the-seasons-go dept.

Astronomers capture surprising changes in Neptune's temperatures:

An international team of astronomers have used ground-based telescopes, including the European Southern Observatory's Very Large Telescope (ESO's VLT), to track Neptune's atmospheric temperatures over a 17-year period. They found a surprising drop in Neptune's global temperatures followed by a dramatic warming at its south pole.

[...] Like Earth, Neptune experiences seasons as it orbits the Sun. However, a Neptune season lasts around 40 years, with one Neptune year lasting 165 Earth years. It has been summertime in Neptune's southern hemisphere since 2005, and the astronomers were eager to see how temperatures were changing following the southern summer solstice.

Astronomers looked at nearly 100 thermal-infrared images of Neptune, captured over a 17-year period, to piece together overall trends in the planet's temperature in greater detail than ever before.

[...] Because Neptune's temperature variations were so unexpected, the astronomers do not know yet what could have caused them. They could be due to changes in Neptune's stratospheric chemistry, or random weather patterns, or even the solar cycle. More observations will be needed over the coming years to explore the reasons for these fluctuations. Future ground-based telescopes like ESO's Extremely Large Telescope (ELT) could observe temperature changes like these in greater detail, while the NASA/ESA/CSA James Webb Space Telescope will provide unprecedented new maps of the chemistry and temperature in Neptune's atmosphere.

Journal Reference:
Michael T. Roman et al., Subseasonal Variation in Neptune's Mid-infrared Emission, The Planetary Science Journal (DOI: 10.3847/PSJ/ac5aa4)


posted by Fnord666 on Monday April 11 2022, @11:47PM
from the if-at-first-you-don't-succeed-... dept.

NASA has been preparing for a wet dress rehearsal for the Artemis I rocket but has hit several issues causing delays, the most recent being a faulty helium gas check valve. It has now announced that a modified wet dress rehearsal will start with a call to stations on April 12. The rehearsal proceeds as an actual launch would, up to a scrub at the T-10 second point. The modified test will focus on filling the core stage with cryogenic propellant, but with minimal propellant operations on the interim cryogenic propulsion stage (ICPS). Following the test, the rocket will be returned to the Vehicle Assembly Building to replace the helium check valve as well as to assess the launch procedures.

NASA is streaming live video of the rocket and spacecraft on the Kennedy Newsroom YouTube channel.


posted by Fnord666 on Monday April 11 2022, @09:01PM

Cloud server leasing can leave sensitive data up for grabs:

Renting space and IP addresses on a public server has become standard business practice, but according to a team of Penn State computer scientists, current industry practices can lead to "cloud squatting," which can create a security risk, endangering sensitive customer and organization data intended to remain private.

Cloud squatting occurs when a company, such as your bank, leases space and IP addresses — unique addresses that identify individual computers or computer networks — on a public server, uses them, and then releases the space and addresses back to the public server company, a standard pattern seen every day. The public server company, such as Amazon, Google, or Microsoft, then assigns the same addresses to a second company.  If this second company is a bad actor, it can receive information coming into the address intended for the original company — for example, when you as a customer unknowingly use an outdated link when interacting with your bank — and use it to its advantage — cloud squatting.

"There are two advantages to leasing server space," said Eric Pauley, doctoral candidate in computer science and engineering. "One is a cost advantage, saving on equipment and management.  The other is scalability. Leasing server space offers an unlimited pool of computing resources so, as workload changes, companies can quickly adapt." As a result, the use of clouds has grown exponentially, meaning almost every website a user visits takes advantage of cloud computing.

While the Penn State researchers suspected cloud squatting was possible, they designed an experiment to determine if cloud tenants were vulnerable and to quantify the extent of the problem. The researchers set up a series of cloud server rentals from Amazon Web Services in its us-east-1 region, the region that serves the East Coast of the U.S. They rented server space for 10-minute intervals, received information sent to the address intended for previous tenants and then moved to another server location, repeating the process. They did not ask for any data, nor did they send out any data. Whatever unsolicited data they received was potentially intended for previous tenants.

[...] To resolve cloud squatting concerns, the researchers believe that there are mitigation efforts that should be made by both the cloud server companies and the clients who rent server space. From the cloud server side, one of the ways to thwart cloud squatting is to prevent IP address reuse. However, this is limited by the number of available IP addresses.

Second, "server companies can create reserved IP address blocks," said McDaniel. "A large client organization could be assigned a fixed range of addresses that are recyclable within the company."

Third, server companies can delay recycling of IP addresses, but the longer IP addresses are idle, the more it will cost the server company.

[...] "I (Patrick McDaniel) would heed the conclusion that despite the overwhelming attraction of cloud servers, cloud computing is not without risk," said Pauley. "However, by managing and watching their use, we can mitigate a lot of that danger. The free lunch that people thought the clouds were is not free. Companies have to weigh the risk to benefit."

This is an interesting effect that I hadn't considered. What are your thoughts?


posted by Fnord666 on Monday April 11 2022, @06:13PM

Researchers have investigated how to prevent knowledge and skills that were learned long ago and are rarely used from getting rusty. In many industrial plants, all processes are automated. In case of a malfunction, it is important that employees have the necessary skills at their fingertips.

[...] Typically, automation makes everyday work easier for industrial employees. However, when a system malfunctions, it is important that rarely used skills can be applied instantly. A team headed by Marina Klostermann has investigated how to prevent knowledge and skills that were learned long ago and are rarely used from getting rusty. In collaboration with the Federal Institute for Vocational Education and Training, the Work, Organizational and Business psychologists from Ruhr-Universität Bochum (RUB) headed by Professor Annette Kluge evaluated 58 studies.

They've derived tips for learning new skills and for interventions for retaining skills. Their study was published in the journal Safety on 28 March 2022.

ScienceDaily

Original Source:
Ruhr-Universität Bochum

This should be applicable to many industries where automation is increasing, including the software industry. What techniques would you use to ensure that accumulated knowledge and skills are not forgotten?

Journal Reference:
Marina Klostermann, Stephanie Conein, Thomas Felkl, et al. Factors Influencing Attenuating Skill Decay in High-Risk Industries: A Scoping Review, Safety (DOI: 10.3390/safety8020022)


posted by janrinok on Monday April 11 2022, @03:28PM
from the soldiers-are-always-the-guinea-pigs dept.

https://www.theregister.com/2022/04/09/army_3d_barracks/

The US Department of Defense is going to use 3D printing techniques to build military accommodation as part of an experimental development program.

Scheduled to be built at Fort Bliss, El Paso, Texas, over the next 10 months, the three 3D-printed concrete barracks will each be more than 5,700 square feet (529.55 square meters), making them the largest 3D-printed structures yet built on the continent.

That title was previously held by the Texas Military Department, which had additive manufacturing company ICON build 3,800 square foot (353 square meters), 72-bunk barracks in 2021. The military was able to order these facilities after changing its Unified Facilities Criteria, used to decide what can be purchased, to include structures made of 3D-printed building materials.

[...] According to the company, the compressive strength of its high-strength concrete is between 2,000 and 3,500 PSI.

While it may not match the strength of the toughest modern concrete, Lavacrete is plenty strong enough to serve as the walls of a barracks, and the DoD has plans to continue experimenting with 3D printed buildings at the Defense Innovation Unit, its experimental wing.


posted by janrinok on Monday April 11 2022, @12:19PM

Endeavour Energy showcases 5G drones for electricity grid repair:

Endeavour Energy, together with Optus, Amazon Web Services, and Unleash live, has deployed its first 5G and AI-enabled drones to improve restoration times for unplanned electricity outages, particularly during natural disasters such as storms, floods, and bushfires.

As part of the first demonstration, Endeavour Energy flew the drones over physical electricity infrastructure located in Sydney's western suburb of St Marys. During the flyover, footage of damaged assets was streamed in real-time using 5G to Endeavour Energy's training ground in Hoxton Park.

With the demonstration a success, according to Optus, Endeavour Energy will now deploy the solution across infrastructure assets in Penrith and Blacktown, which would remove the need to use a large fleet of vehicles, helicopters, and technicians to physically identify and carry out remediation.


posted by hubie on Monday April 11 2022, @06:50AM
from the to-infinity-and-beyond dept.

Defying Expectations: NASA's Pioneering Ingenuity Mars Helicopter Awarded Prestigious Collier Trophy:

The National Aeronautic Association has bestowed the prestigious Robert J. Collier Trophy on the team behind NASA's Ingenuity Mars Helicopter, cementing the pioneering rotorcraft's place in aerospace history just as it is about to embark on its second year of flying in the frigid, extremely thin atmosphere of the Red Planet.

Established more than a century ago, the award has marked major achievements in the timeline of flight, including Orville Wright in 1913 for developing the automatic stabilizer, Air Force test pilot Chuck Yeager for his sound-barrier-breaking 1947 flight of the X-1 rocket plane, and the crews of NASA's Apollo 8, 11, and 15 for their missions to the Moon in the late 1960s and early '70s.

The National Aeronautic Association awards the trophy annually for "the greatest achievement in aeronautics or astronautics in America, with respect to improving the performance, efficiency, and safety of air or space vehicles." For the team at NASA's Jet Propulsion Laboratory in Southern California, it's especially meaningful to be included among past winners after the enormous challenges they faced by seeing the project launch and take flight amid a global pandemic.


posted by Fnord666 on Monday April 11 2022, @04:06AM

Scientists Unveil How Our Memories Are Stored: The Format of Working Memory:

A team of scientists has discovered how working memory is "formatted"—a finding that enhances our understanding of how visual memories are stored.

[...] It's been known for decades that we re-code visual information about letters and numbers into phonological or sound-based codes used for verbal working memory. For instance, when you see a string of digits of a phone number, you don't store that visual information until you finish dialing the number. Rather you store the sounds of the numbers (e.g., what the phone number "867-5309" sounds like as you say it in your head). However, this only indicates that we do re-code—it doesn't address how the brain formats working memory representations, which was the focus of the new Neuron study.

To explore this, the experimenters measured brain activity with functional magnetic resonance imaging (fMRI) while participants performed visual working memory tasks. On each trial, the participants had to remember, for a few seconds, a briefly presented visual stimulus and then make a memory-based judgment. In some trials, the visual stimulus was a tilted grating and on others it was a cloud of moving dots. After the memory delay, participants had to precisely indicate the exact angle of the grating's tilt or the exact angle of the dot cloud's motion.

Despite the different types of visual stimulation (grating vs. dot motion), they found that the patterns of neural activity in visual cortex and parietal cortex—a part of the brain used in memory processing and storage—were interchangeable during memory. In other words, the pattern trained to predict motion direction could also predict grating orientation—and vice versa.

This finding prompted the question—why were those memory representations interchangeable?

Journal Reference:
Yuna Kwak, Clayton E. Curtis, Unveiling the abstract format of mnemonic representations, Neuron, April 07, 2022 (DOI: 10.1016/j.neuron.2022.03.016)


posted by hubie on Monday April 11 2022, @01:19AM
from the the-kingdoms-of-experience dept.

Bundled version of Node.js simplifies executing downloaded code

Adobe Creative Cloud Experience, a service installed via the Creative Cloud installer for Windows, includes a Node.js executable that can be abused to infect and compromise a victim's PC.

Michael Taggart, a security researcher, recently demonstrated that the node.exe instance accompanying Adobe's service could be exploited by writing a simple proof-of-concept JavaScript file that spawns the Windows Calculator app.

"I have confirmed that the node.exe packaged with the Adobe Customer Experience service can run any JavaScript you point it to," he explained to The Register.

[...] Security researchers commenting on Taggart's finding said they'd been under the impression the bundled Node runtime would only execute files signed by Adobe, but evidently that's not the case.

[...] "Because the JavaScript is getting invoked by path in C:\Program Files, it would be extremely difficult to detect from a monitoring/threat hunting perspective," explained Taggart, who added that he was able to get his own custom file dropper to run and execute a command-and-control agent without any warning from Windows Defender.
