SoylentNews

upstart writes in with two stories on a Zoom exploit affecting macOS users:

The Zoom installer let a researcher hack his way to root access on macOS:

A security researcher has found a way that an attacker could leverage the macOS version of Zoom to gain access over the entire operating system.

[...] The exploit works by targeting the installer for the Zoom application, which needs to run with special user permissions in order to install or remove the main Zoom application from a computer. Though the installer requires a user to enter their password on first adding the application to the system, Wardle found that an auto-update function then continually ran in the background with superuser privileges.

When Zoom issued an update, the updater function would install the new package after checking that it had been cryptographically signed by Zoom. But a bug in how the checking method was implemented meant that giving the updater any file with the same name as Zoom's signing certificate would be enough to pass the test — so an attacker could substitute any kind of malware program and have it be run by the updater with elevated privilege.

[...] "To me that was kind of problematic [Zoom not responding to his disclosure for 8 months] because not only did I report the bugs to Zoom, I also reported mistakes and how to fix the code," Wardle told The Verge in a call before the talk. "So it was really frustrating to wait, what, six, seven, eight months, knowing that all Mac versions of Zoom were sitting on users' computers vulnerable."

upstart writes:

Inaccurate maps are delaying the Bipartisan Infrastructure Law's broadband funding:

Nearly nine months after Congress passed President Biden's $1 trillion infrastructure bill, the federal government has yet to allocate any of the $42.5 billion in funding the legislation set aside for expanding broadband service in underserved communities, according to The Wall Street Journal. Under the law, the Commerce Department can't release that money until the Federal Communications Commission (FCC) publishes new coverage maps that more accurately show homes and businesses that don't have access to high-speed internet.

Inaccurate coverage data has long derailed efforts by the federal government to address the rural broadband divide. The previous system the FCC used to map internet availability relied on Form 477 filings from service providers. Those documents have been known for their errors and exaggerations. In 2020, Congress began requiring the FCC to collect more robust coverage data as part of the Broadband DATA Act. However, it wasn't until early 2021 that lawmakers funded the mandate and in August of that same year that the Commission published its first updated map.

Following a contractor dispute, the FCC will publish its latest maps sometime in mid-November. Once they're available, both consumers and companies will a chance to challenge the agency's data. As a result of that extra step, funding from the broadband plan likely won't begin making its way to ISPs until the end of 2023, according to one analyst The Journal interviewed.

Original Submission

upstart writes:

To Fix Tech, Democracy Needs to Grow Up:

There is growing recognition that rapid technology development is producing society-scale risks: state and private surveillance, widespread labor automation, ascending monopoly and oligopoly power, stagnant productivity growth, algorithmic discrimination, and the catastrophic risks posed by advances in fields like AI and biotechnology. Less often discussed, but in my view no less important, is the loss of potential advances that lack short-term or market-legible benefits. These include vaccine development for emerging diseases and open source platforms for basic digital affordances like identity and communication.

At the same time, as democracies falter in the face of complex global challenges, citizens (and increasingly, elected leaders) around the world are losing trust in democratic processes and are being swayed by autocratic alternatives. Nation-state democracies are, to varying degrees, beset by gridlock and hyper-partisanship, little accountability to the popular will, inefficiency, flagging state capacity, inability to keep up with emerging technologies, and corporate capture. While smaller-scale democratic experiments are growing, locally and globally, they remain far too fractured to handle consequential governance decisions at scale.

This puts us in a bind. Clearly, we could be doing a better job directing the development of technology towards collective human flourishing—in fact, this may be one of the greatest challenges of our time. If actually existing democracy is so riddled with flaws, it doesn't seem up to the task. This is what rings hollow in many calls to "democratize technology": Given the litany of complaints, why subject one seemingly broken system to governance by another?

At the same time, as we deal with everything from surveillance to space travel, we desperately need ways to collectively negotiate complex value trade-offs with global consequences, and ways to share in their benefits. This definitely seems like a job for democracy, albeit a much better iteration. So how can we radically update democracy so that we can successfully navigate toward long-term, shared positive outcomes?

canopic jug writes:

A while back, retired journalist and octogenarian, Chris Biddle, had an excellent interview with author and digital rights activist Cory Doctorow about digital restrictions. They speak in particular about digital restrictions technologies which have been spread within agricultural equipment through the equipment's firmware. Their conversation starts out with mention of the use of network-connected firmware to brick the tractors which were looted from dealership sales lots in Ukraine by the invading Russian army. Cory gives a detailed overview of the issues hidden away by the mainstream press under the feel-good stories about the incident.

But was the bigger picture more worrying? I speak with Cory Doctorow, author, Guardian journalist with a special interest in protecting human rights in this digital age.

He says that whilst 'kill-switches' used to disable the machinery provide a security benefit, it is possible that widely available 'hacking' technology could also be used to disrupt the world's agricultural infrastructure by those with more sinister motives.

All of which feeds into the Right to Repair cases currently going through the US courts. It is also all about who owns the tractor, who owns data, and who owns the rights to the embedded software?

Deere contends that a customer can never fully own connected machinery because it holds exclusive rights to the software coding.

Some US farmers have attempted to unlock the embedded by purchasing illegal firmware –mostly developed by sophisticated hackers based in Ukraine!

The interview is just under 45 minutes.

Previously:
(2022) New York State Passes First Electronics Right-to-Repair Bill
(2022) John Deere Remotely Disables Farm Equipment Stolen by Russians from Ukraine Dealership
(2022) A Fight Over the Right to Repair Cars Turns Ugly
(2021) Apple and John Deere Shareholder Resolutions Demand They Explain Their Bad Repair Policies
(2021) The FTC is Investigating Why McDonald's McFlurry Machines are "Always Broken"
(2020) Europe Wants a 'Right to Repair' Smartphones and Gadgets
(2019) New Elizabeth Warren Policy Supports "Right to Repair"
(2016) Sweden Wants to Fight Disposable Culture with Tax Breaks for Repairing Old Stuff

Original Submission

upstart writes:

Rampant Data Broker Sale Of Pregnancy Data Gets Fresh Scrutiny Post Roe:

For decades now, privacy advocates warned we were creating a dystopia through our rampant over-collection and monetization of consumer data. And just as often, those concerns were greeted with calls of "consumers don't actually care about privacy" from overly confident white guys in tech.

Nothing has exposed those flippant responses as ignorant quite like the post-Roe privacy landscape, in which basic female health data can now be weaponized to ruin the lives of those seeking abortions, or those trying to help women obtain foundational health care. Either by states looking to prosecute them, or individual right wing hardliners who often have easy, cheap access to the exact same information.

The latest case in point: Gizmodo did a deep dive into the largely unaccountable data broker space and discovered there are currently 32 different data brokers selling pregnancy status data on 2.9 billion consumer profiles.

Via browsing, app, promotion, and location data, those consumers are quickly deemed "actively pregnant" or "shopping for maternity products." Another 478 million customer profiles are actively labeled "interested in pregnancy" or "intending to become pregnant." As is usually the case, companies (the ones that could be identified) claimed it was no big deal because the data is "anonymized":

Related: Okay, Google: To Protect Women, Collect Less Data About Everyone

Original Submission

upstart writes:

What Are the Five Eyes, Nine Eyes, and Fourteen Eyes?:

The Five, Nine, and Fourteen Eyes are agreements between the surveillance agencies (the "eyes") of several countries. The original group is the Five Eyes (abbreviated as FVEY)—consisting of the U.S., the UK, Canada, Australia, and New Zealand—which shortly after the second world war signed a deal (the UKUSA pact) to share intelligence among each other.

Over the years, four other countries informally joined the original five (the Netherlands, France, Denmark, and Norway), making nine.

A few years after, five more joined (Belgium, Italy, Germany, Spain, and Sweden) to come to the grand total of 14.

However, these three groups are different from each other in what they share with each other.

Naturally, deals struck between spies aren't accessible to regular people, but we do know a fair bit about these three groups, especially the original five. This is because their founding document, the UKUSA agreement, was made public in 2010. The British National Archives has the full text.

upstart writes:

US unmasks alleged Conti ransomware operative, offers $10M for intel – TechCrunch:

The U.S. government said it will offer up to $10 million for information related to five people believed to be high-ranking members of the notorious Russia-backed Conti ransomware gang.

The reward is offered as part of the U.S. State Department's Rewards for Justice (RFJ) program, which on Thursday shared an image of a known Conti ransomware operator known as "Target," marking the first time the U.S. government has publicly identified a Conti operative. The program, which specifically seeks information on national security threats, is offering up to $10 million for information leading to the identification and location of Target, along with four other alleged Conti members known as "Tramp," "Dandis," "Professor," and "Reshaev."

[...] The gang rebranded from Ryuk to Conti in 2020, and later sided with Russia in its war against Ukraine, pledging to respond to any cyber attacks on the Russian government or the country's critical infrastructure. But this backfired when a disgruntled Conti member leaked over 170,000 internal chat conversations between other Conti members and the source code for the ransomware itself.

This breach led to the eventual shutdown of the Conti ransomware brand in June this year, though it's believed members of the gang have quietly moved into other ransomware operations including Hive, AvosLocker, BlackCat, and Hello Kitty.

The RFJ's bounty program was initially launched to gather information on national security threats and terrorists targeting U.S. interests and has expanded to offer rewards for information on cyber criminals. It's also offering bounties for information on the Russia-backed REvil and Evil Corp hacking groups.

Original Submission

upstart writes:

VLC Media Player has been banned in India, but this happened back in February:

One of the most popular media player software and streaming media server VLC media player, developed by VideoLAN project, is banned in India. As per a report by MediaNama, VLC Media Player has been banned in India, but this happened nearly 2 months ago. However, if you have the software installed on your device, it should still be working. Meanwhile, neither the company nor the Indian government revealed any details about the ban.

Some reports suggest that VLC Media Player has been banned in the country because the platform was used by China-backed hacking group Cicada for cyber attacks. Just a few months ago, security experts discovered that Cicada was using VLC Media Player to deploy a malicious malware loader as part of a long-running cyber attack campaign.

[...] In 2020, the Indian government banned hundreds of Chinese apps, including PUBG Mobile, TikTok, Camscanner and more. In fact, the PUBG Mobile Indian version dubbed BGMI has also been banned in India recently and removed from the Google Play store and Apple App store. The reason behind blocking these apps is that the government feared these platforms were sending user data to China. Notably, VLC Media Player is not backed by a Chinese company. It is developed by VideoLAN, a Paris-based firm.

Original Submission

upstart writes:

Potential hack for some Boeing planes fixed:

A digital vulnerability in the computer systems used on some Boeing Co aircraft that could have allowed malicious hackers to modify data and cause pilots to make dangerous miscalculations has been fixed, security researchers said on Friday, Trend reports with reference to Reuters.

Older versions of a digital tool used to calculate landing and take-off speeds on some aircraft could be tampered with by hackers with direct access to an "Electronic Flight Bag," or EFB, a tablet device used by pilots to plan flights, cybersecurity firm Pen Test Partners said in a report.

"If data modification occurs, and the resulting miscalculations are not detected during the crew's required cross check or verification process, an aircraft could land on a runway too short, or take off at incorrect speeds potentially resulting in a tail strike or runway excursion," said the report, which was presented at the DEF CON hacker convention in Las Vegas on Friday.

In a statement, Boeing said it was not aware of any airplane that had been affected by the issue, but had released a software update to address it.

Original Submission

hubie writes:

Average healthy adult doesn't really get much benefit, Med School professor says:

Are you among the one in three Americans who gulps down a multivitamin every morning, probably with a sip of water? The truth about this popular habit may be hard to swallow.

"Most people would be better off just drinking a full glass of water and skipping the vitamin," says Pieter Cohen, an associate professor of medicine at Harvard Medical School and an internist at Harvard-affiliated Cambridge Health Alliance. In addition to saving money, you'll have the satisfaction of not succumbing to misleading marketing schemes.

That's because for the average American adult, a daily multivitamin doesn't provide any meaningful health benefit, as noted recently by the US Preventive Services Task Force (USPSTF). Their review, which analyzed 84 studies involving nearly 700,000 people, found little or no evidence that taking vitamin and mineral supplements helps prevent cancer and cardiovascular disease that can lead to heart attacks and stroke, nor do they help prevent an early death.

"We have good evidence that for the vast majority of people, taking multivitamins won't help you," says Cohen, an expert in dietary supplement research and regulation.

[...] Surveys suggest people take vitamins to stay healthy, feel more energetic, or gain peace of mind, according to an editorial that accompanied the USPSTF review. These beliefs stem from a powerful narrative about vitamins being healthy and natural that dates back nearly a century.

"This narrative appeals to many groups in our population, including people who are progressive vegetarians and also to conservatives who are suspicious about science and think that doctors are up to no good," says Cohen.

See also: Study Finds No Benefit to Taking Multivitamins and Some Other Supplements

Original Submission

takyon writes:

BITBLAZE Titan BM15 Arm Linux laptop features Baikal-M1 processor

Russian company Prombit has unveiled the BITBLAZE Titan BM15 Arm Linux Laptop equipped with Baikal-M1 octa-core Arm Cortex-A57 processor manufactured by TSMC, up to 128GB RAM [disputed: may only be 32 GB], SSD storage, and a 15.6-inch Full HD display.

[...] There's no mention of the operating system used on the product page, but the laptop most certainly runs the same Astra Linux distribution as the Baikal M hardware launched last year with the Russian office application package, and other programs all approved by the "Ministry of Digital Development, Communications, and Mass Media".

However, the laptop may end up being a collector item, as Tom's Hardware reports TSMC will not manufacture chips for Russian companies due to current sanctions. But we'll have to see, as Chinese companies such as SMIC should still be able to manufacture processors on a 28nm process despite (again) more sanctions. Tom's Hardware further mentions that the laptop is expected to cost between 100,000 and 120,000 rubles (or about $1,600 – $1,930 at current exchange rates), so the price/performance ratio is less than impressive, but that may be the cost of independence. Productions samples, scheduled "earlier than November" may cost less.

Also at Notebookcheck.

Previously:
Desktop and All-in-One Arm Linux Computers Launched with Baikal-M Processor
TSMC Ships First Batch of Baikal BE-M1000 ARM CPUs

Original Submission

mrpg writes:

https://www.unesco.org/en/articles/new-unesco-flagship-report-calls-reinventing-education

During the 41st session of the General Conference, UNESCO launched its latest global report on education.

Sparking a timely global debate was precisely the goal of the International Commission, led by H.E. Ms Sahle-Work Zewde, President of the Federal Democratic Republic of Ethiopia, that spent two years preparing the report, titled Reimagining our Futures Together: A New Social Contract for Education.

More than a million people – experts, young people and teachers but also civil society, government and economic actors – were tapped in the global consultation that informed it.

Reimagining Our Futures Together upholds the tradition of past landmark UNESCO reports that have structured education policies around the world. The Faure report, Learning to Be, in 1972, and the Delors report, Learning: The Treasure Within, in 1996, are key references in the debate on learning. The report recommends an urgent, sweeping reform of education globally to repair past injustices and enhance our capacity to act together for a more sustainable future. The report finds that today's teaching and learning methods are outdated and even counterproductive. Education could contribute so much more to creating just and peaceful societies, a healthy planet and shared progress that benefits us all. Instead, how we educate is in effect causing some of our difficulties to address today's challenges.

takyon writes:

Loongson Adds LoongArch Support To LibreOffice

Following GCC 12 introducing LoongArch support earlier this year, Linux 5.19 adding the initial LoongArch port, and Glibc 2.36 adding LoongArch, LibreOffice is now the latest high-profile open-source project adding support for this Chinese processor ISA that started out derived from MIPS64.

Loongson as the company behind LoongArch contributed the native support for running the LibreOffice open-source office suite on LoongArch 64-bit hardware.

Related: Initial Experiments with the Loongson Pi 2K

Original Submission

upstart writes:

Crypto and the US Government Are Headed for a Decisive Showdown:

If you have paid casual attention to crypto news over the past few years, you probably have a sense that the crypto market is unregulated—a tech-driven Wild West in which the rules of traditional finance do not apply.

If you were Ishan Wahi, however, you would probably not have that sense.

Wahi worked at Coinbase, a leading crypto exchange, where he had a view into which tokens the platform planned to list for trading—an event that causes those assets to spike in value. According to the US Department of Justice, Wahi used that knowledge to buy those assets before the listings, then sell them for big profits. In July, the DOJ announced that it had indicted Wahi, along with two associates, in what it billed as the "first ever cryptocurrency insider trading tipping scheme." If convicted, the defendants could face decades in federal prison.

On the same day as the DOJ announcement, the Securities and Exchange Commission made its own. It, too, was filing a lawsuit against the three men. Unlike the DOJ, however, the SEC can't bring criminal cases, only civil ones. And yet it's the SEC's civil lawsuit—not the DOJ's criminal case—that struck panic into the heart of the crypto industry. That's because the SEC accused Wahi not only of insider trading, but also of securities fraud, arguing that nine of the assets he traded count as securities.

This may sound like a dry, technical distinction. In fact, whether a crypto asset should be classified as a security is a massive, possibly existential issue for the crypto industry. The Securities and Exchange Act of 1933 requires anyone who issues a security to register with the SEC, complying with extensive disclosure rules. If they don't, they can face devastating legal liability.

The article continues with a detailed discussion about whether some crypto coins are a security as classified by the SEC and the implications of that determination.

Original Submission

hubie writes:

Rutgers study disentangles two ways of thinking about self-control to examine role willpower plays in restraint

In Greek mythology, the story of Odysseus and the Sirens illustrates a paradigmatic example of self-control.

When the hero of Homer's epic prepared to travel past the Sirens, mythical creatures who lure sailors with their enchanted singing, Odysseus instructs his crew to plug their ears with wax and tie him to the ship's mast. That way, Odysseus can listen to the Sirens as he sails by, and the crew can keep their wits. No matter how much he begs to be released, no one will hear his pleas.

Was Odysseus exercising willpower with his plan, or was he merely removing his ability to cave to temptation?

Researchers have long wondered what tools people successfully use to resist temptations [...]

Bridges said one method is called diachronic regulation, which involves selecting and modifying one's situation and cultivating habits over time to avoid temptation – essentially removing willpower from the equation. A second approach, synchronic regulation, relies on deliberate, effortful willpower in the moment to resist temptation.

Psychologists and economists have increasingly argued that because willpower is difficult to exercise, diachronic regulation is more effective than synchronic regulation. This conclusion is based in part on the failure of willpower-driven campaigns (such as Nancy Regan's "Just Say No" campaign, which had no measurable effects on youth tobacco, alcohol or drug use).

But Bridges and her colleagues hypothesized that such assessments of synchronic regulation rested on a faulty interpretation of the data, that supposed examples of effective purely diachronic strategies involved the use of willpower to implement, and that the popular, or "folk," view of willpower is just as important.

"We theorized that it takes willpower to implement temptation-avoidance strategies," said Bridges.

[...] She added: "People often infer that it's the diachronic strategy doing the self-control work, when really, moments of synchronic regulation are being amplified with diachronic strategy. Understanding the role of willpower in self-control has implications for the way we talk about helping people break habits."

It takes willpower to develop willpower.

Journal Reference:
Zachary C. Irving, Jordan Bridges, Aaron Glasser, et al., Will-powered: Synchronic regulation is the difference maker for self-control, Cognition, 225, 2022. 10.1016/j.cognition.2022.105154

Original Submission