SoylentNews

owl writes:

https://ryancor.medium.com/hardware-trojans-under-a-microscope-bf542acbcc29

While the security industry generally focuses on software cyber attacks, we can't forget the security impact of lower level hardware flaws, such as those that affect semiconductors. The surface for silicon level attacks has widened over the past several years; as integrated circuit (IC) fabrication evolves for increasingly advanced microelectronics, the risk of flaws creeping into these complex systems also increases.

This article gives an overview and background of Hardware Trojans including netlists, die preparations, electron microscope images, and circuit testing. We will additionally be making our own physical layout design of a Hardware Trojan that will be analyzed using Klayout.

Original Submission

upstart writes:

Servers running unpatched versions of ESXi are sitting ducks for ESXiArgs attacks:

An explosion of cyberattacks is infecting servers around the world with crippling ransomware by exploiting a vulnerability that was patched two years ago, it was widely reported on Monday.

The hacks exploit a flaw in ESXi, a hypervisor VMware sells to cloud hosts and other large-scale enterprises to consolidate their hardware resources. ESXi is what's known as a bare-metal, or Type 1, hypervisor, meaning it's essentially its own operating system that runs directly on server hardware. By contrast, servers running the more familiar Type 2 class of hypervisors, such as VMware's VirtualBox, run as apps on top of a host operating system. The Type 2 hypervisors then run virtual machines that host their own guest OSes, such as Windows, Linux, or, less commonly, macOS.

[...] The vulnerability being exploited to infect the servers is CVE-2021-21974, which stems from a heap-based buffer overflow in OpenSLP, an open network-discovery standard that's incorporated into ESXi. When VMware patched the vulnerability in February 2021, the company warned it could be exploited by a malicious actor with access to the same network segment over port 427. The vulnerability had a severity rating of 8.8 out of a possible 10. Proof-of-concept exploit code and instructions for using it became available a few months later.

[...] Researchers from the YoreGroup Tech Team, Enes Sonmez and Ahmet Aykac, reported that the encryption process for ESXiArgs can make mistakes that allow victims to restore encrypted data. OVH's Levrard said his team tested the restoration process the researchers described and found it successful in about two-thirds of the attempts.

Anyone who relies on ESXi should stop whatever they're doing and check to ensure patches for CVE-2021-21974 have been installed. The above-linked advisories also provide more guidance for locking down servers that use this hypervisor.

Original Submission

hubie writes:

Vitamin D deficiency increases risk of losing muscle strength by 78%:

Vitamin D plays an important role in the regulation of calcium and phosphorus absorption by the organism. It also helps keep the brain and immune system working. Researchers at the Federal University of São Carlos (UFSCar) in Brazil and University College London (UCL) in the United Kingdom have now shown that vitamin D supplementation reduces the risk of dynapenia in older people by 78%.

Dynapenia is an age-associated loss of muscle strength. It can be partially explained by muscle atrophy and is a major risk factor for physical incapacity later in life. People with dynapenia are more likely to fall, need to go to hospital, be prematurely institutionalized, and die.

[...] "Vitamin D is known to participate in various functions of the organism. Actually, it's a hormone and its many roles include helping to repair muscles and releasing calcium for muscle contraction kinetics. It was therefore expected to cause muscle alterations of some kind. That's exactly what our study proved," said Tiago da Silva Alexandre, last author of the article. Alexandre is a professor of gerontology at UFSCar.

Bone and muscle tissue are interconnected not just mechanically and physically but also biochemically. "Endocrine disorders such as vitamin D deficiency or insufficiency can lead to loss of bone mineral density as well as a reduction in muscle mass, strength and function," he said.

[...] Our body only synthesizes vitamin D when large areas of skin are exposed to sunlight, Alexandre recalled. "It's necessary to explain to people that they risk losing muscle strength if they don't get enough vitamin D. They need to expose themselves to the sun, eat food rich in vitamin D or take a supplement, and do resistance training exercises to maintain muscle strength," he said.

Journal Reference:
Delinocente, M.L.B., Luiz, M.M., de Oliveira, D.C. et al. Are Serum 25-Hydroxyvitamin D Deficiency and Insufficiency Risk Factors for the Incidence of Dynapenia?. Calcif Tissue Int 111, 571–579 (2022). https://doi.org/10.1007/s00223-022-01021-8

Original Submission

upstart writes:

Curiosity Rover Finds Foot-Long Meteorite on Martian Surface:

The rock, dubbed Cacao, is made of iron and nickel, NASA says.

Cacao was first spotted on January 27, in the shadow of the Curiosity rover. The next day, Curiosity repositioned itself to better image the large rock.

It's not the first meteorite Curiosity has spotted. In 2014, the rover found an iron meteorite (nicknamed Lebanon) that measured about 6.5 feet across, and in 2016, it came across a golf ball-sized meteorite nicknamed Egg Rock on the planet's Mount Sharp.

Iron meteorites like these regularly crop up on Earth and have caused stirs throughout human history. Japanese emperors and the pharaoh Tutankhamun had weapons forged from iron meteorites.

There's no way to date the meteorites, the rover team said on Twitter, but the newly discovered rock "could have been here millions of years!"

Cacao was found on Curiosity's 3,724th sol. The rover arrived on Mars in August 2012, and since then has explored the planet's Gale Crater and Mount Sharp, a 3-mile-high mountain in the crater's center.

Original Submission

Freeman writes:

https://arstechnica.com/information-technology/2023/02/until-further-notice-think-twice-before-using-google-to-download-software/

Searching Google for downloads of popular software has always come with risks, but over the past few months, it has been downright dangerous, according to researchers and a pseudorandom collection of queries.

"Threat researchers are used to seeing a moderate flow of malvertising via Google Ads," volunteers at Spamhaus wrote on Thursday. "However, over the past few days, researchers have witnessed a massive spike affecting numerous famous brands, with multiple malware being utilized. This is not 'the norm.'"

The surge is coming from numerous malware families, including AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, Vidar, Formbook, and XLoader. In the past, these families typically relied on phishing and malicious spam that attached Microsoft Word documents with booby-trapped macros. Over the past month, Google Ads has become the go-to place for criminals to spread their malicious wares that are disguised as legitimate downloads by impersonating brands such as Adobe Reader, Gimp, Microsoft Teams, OBS, Slack, Tor, and Thunderbird.

Original Submission

fliptop writes:

Companies are increasingly dropping four-year college degree requirements for their jobs and putting more emphasis on experience. And that is not just entry-level jobs:

A third of those who dropped degree requirements did so for senior-level roles, a recent survey found.

The survey of HR managers by Intelligent.com found 53% of hiring managers said their company eliminated the requirement for a bachelor's degree for some roles in the past year.

"For so many jobs, it is an arbitrary requirement. And it does eliminate people needlessly who could be great employees," said Stacie Haller, a career coach who worked with Intelligent.com for its report.

[...] What companies are increasingly focused on is experience, with 76% of hiring managers surveyed saying they favor real world skills over education.

Evaluating those skills in real-time is proving successful. The vast majority of companies now test candidates in the interview process, and 66% say they have candidates take an assessment to test hard skills. Sixty-four percent say they have applicants complete a test assignment.

Full survey results and methodology available at Intelligent.com.

Previously: America Needs to Get Over its Reverence for the Bachelor's Degree

Original Submission

mrpg writes:

https://www.theguardian.com/australia-news/2023/feb/04/australian-approval-of-mdma-and-psilocybin-a-baby-step-in-the-right-direction-medical-experts-say

The Therapeutic Goods Administration announced on Friday that, from July, approved psychiatrists would be able to prescribe MDMA (ecstasy) for post-traumatic stress disorder and psilocybin (found in magic mushrooms) for treatment-resistant depression. The move makes Australia the first country in the world to officially recognise psychedelics as medicines.

The Royal Australian and New Zealand College of Psychiatrists president, associate professor Vinay Lakra, said the college "cautiously welcomed" the decision, and had been monitoring ongoing research in the area.

"We need to take some baby steps rather than one giant leap," he said. "So this is a baby step in the right direction and what it does is allow us to do things in an appropriately safe way for everyone ... and if necessary take a step back as well."

[...] Psychiatrists will need to get approval by a human research ethics committee, then approval under the TGA's authorised prescriber scheme. To get those approvals they must demonstrate their training, robust patient selection and evidence-based treatment protocols, as well as patient monitoring. They must also satisfy governance and reporting criteria.

"These measures are necessary because there is only limited evidence that the substances are of benefit in treating mental illnesses, and only in controlled medical settings," the TGA said in a statement.

Freeman writes:

200 percent BuzzFeed stock rise might signal start of a "pivot to AI" media trend:

On Thursday, an internal memo obtained by The Wall Street Journal revealed that BuzzFeed is planning to use ChatGPT-style text synthesis technology from OpenAI to create individualized quizzes and potentially other content in the future. After the news hit, BuzzFeed's stock rose 200 percent. On Friday, BuzzFeed formally announced the move in a post on its site.

[...] "The creative process will increasingly become AI-assisted and technology-enabled. If the past 15 years of the internet have been defined by algorithmic feeds that curate and recommend content, the next 15 years will be defined by AI and data helping create, personalize, and animate the content itself. Our industry will expand beyond AI-powered curation (feeds), to AI-powered creation (content). AI opens up a new era of creativity, where creative humans like us play a key role providing the ideas, cultural currency, inspired prompts, IP, and formats that come to life using the newest technologies."

Original Submission

quietus writes:

During the pandemic, Big Tech was booming and hiring new employees as fast as they could. With all that hubbub behind us, and an uncertain economic outlook, those Giants of the Internet are cautiously trimming some of that fat in preparation for leaner times.

That, at least, is the argument for the recent wave of lay-offs at Facebook (Meta), Twitter, Amazon, Stripe, SalesForce, Lyft, DoorDash and Carvana. It seems, though, that the recent layoffs at Google might have been a little different.

Instead of culling the recent hires, the trusted hands at open source teams, and those teams themselves, are being hit especially hard argues an opinion piece at El Reg. Chris DiBona, founder of Google's Open Source Program Office, Jeremy Allison, co-creator of Samba and Google engineer, Cat Allman, former Program Manager for Developer EcoSystems, and Dave Lester, Head of Google's open source security initiatives, are the main names being mentioned.

El Reg's observation might be a coincidence, however; and the way the layoffs are being executed kinda points to that. No exit interviews, but just people's access badges disabled, and firings by e-mail: at least one engineer got the message in the middle of his production shift. Which gave rise to an interesting speculation by former Google engineer Mike Knell:

Best theory I have is that an outside company was hired and given a "clean room" export from the HR systems to work with.

Stripped of identifying information and any demographic data that could incur a *direct* disciminatory bias in the results. They were then told to write code to determine which rows to cut from the dataset based on the output of some weighted formula designed to determine the "fireability" of that employee while maximising the savings achieved by the exercise. They then took the output of that algorithm, stack ranked the results (because Google just LOVES to stack rank things, especially people) and returned the top 12,000 employee IDs.

Original Submission

upstart writes:

Leaked emails show Amazon will only hire students and recent graduates:

Amazon is only hiring current students or newly graduated people for its entry level software developer positions.

According to an internal memo obtained by Insider, starting on January 25, 2023, Amazon limited new job openings for SDE-1s — the lowest software development engineering position — to what it calls "campus" hires, or students in Bachelor's, Master's, or PhD program alongside recent graduates. The memo said those in part-time or executive programs with years of work experience can apply too.

The change will mean that those that have been out of school for more than 12 months, or candidates for more senior SDE-2 positions who might be a better fit for an SDE-1 position would not be considered for the latter.

The internal note said Amazon is making the change because of the "pipeline" of candidates available through student programs, but the memo nor Amazon's spokesperson clarified why the company believes campus hires are better than experienced industry candidates for entry-level positions.

The change is "global and Amazon-wide," the note said, indicating it's applied across the company. Amazon's S-team, a group of over two dozen most senior executives, and top HR leaders made the decision, and exceptions will be made only with a VP or higher approval, it added.

[...] Overhauling Amazon's engineering culture has been a priority for Amazon's CEO Andy Jassy. At an internal staff meeting in 2021, Jassy told employees that he was aware of developer complaints at the company and that the engineering culture needed to be "meaningfully better than what it is today," as Insider previously reported. It also created a new team called "Amazon Software Builder Experience" to address those concerns.

Original Submission

hubie writes:

Interesting study to think about before the big game this weekend:

Certain age-related diseases may arise earlier in professional football players, new study finds:

Former professional football players — particularly linemen — are more likely than nonplayers with similar demographic characteristics to develop diseases typically associated with advanced age when significantly younger, according to new research published Dec. 8 in the British Journal of Sports Medicine.

These former elite athletes also tend to experience age-related conditions — hypertension and diabetes, among others — earlier, compared with the general population. Looking across all conditions, these athletes' health spans were reduced by nearly a decade.

Notably, the effects persisted even after the researchers accounted for body mass index and race, two powerful risk factors for the diseases studied.

[...] Importantly, the health span for each former NFL player age group most closely resembled American men a decade older. For example, 66 percent of the former players in the 30 to 39 age group reported an intact health span, compared with 62 percent of men in the general population ages 40 to 49.

Searching for game-related aspects that might be important for this premature emergence of aging diseases, the researchers separated data from the former football players group into linemen and non-linemen.

This analysis showed that linemen, who experience more contact during games than non-linemen, had notably shorter health spans across all decades of life. This subgroup tended to develop age-related diseases sooner than their non-linemen peers.

Freeman writes:

Intense demand for AI chatbot breaks records and inspires new $20/mo subscription plan:

On Wednesday, Reuters reported that AI bot ChatGPT reached an estimated 100 million active monthly users last month, a mere two months from launch, making it the "fastest-growing consumer application in history," according to a UBS investment bank research note. By comparison, TikTok took nine months to reach 100 million monthly users, and Instagram about 2.5 years, according to UBS researcher Lloyd Walmsley.

"In 20 years following the Internet space, we cannot recall a faster ramp in a consumer internet app," Reuters quotes Walmsley as writing in the UBS note.

[...] Over the past few decades, researchers have noticed that technology adoption rates are quickening, with inventions such as the telephone, television, and the Internet taking shorter periods of time to reach massive numbers of users. Will generative AI tools be next on that list? With the kind of trajectory shown by ChatGPT, it's entirely possible.

Original Submission

upstart writes:

Finland's Most-Wanted Hacker Nabbed in France:

Julius "Zeekill" Kivimäki, a 25-year-old Finnish man charged with extorting a local online psychotherapy practice and leaking therapy notes for more than 22,000 patients online, was arrested this week in France. A notorious hacker convicted of perpetrating tens of thousands of cybercrimes, Kivimäki had been in hiding since October 2022, when he failed to show up in court and Finland issued an international warrant for his arrest.

In late October 2022, Kivimäki was charged (and "arrested in absentia," according to the Finns) with attempting to extort money from the Vastaamo Psychotherapy Center. In that breach, which occurred in October 2020, a hacker using the handle "Ransom Man" threatened to publish patient psychotherapy notes if Vastaamo did not pay a six-figure ransom demand.

Vastaamo refused, so Ransom Man shifted to extorting individual patients — sending them targeted emails threatening to publish their therapy notes unless paid a 500-euro ransom.

When Ransom Man found little success extorting patients directly, they uploaded to the dark web a large compressed file containing all of the stolen Vastaamo patient records.

upstart writes:

Trust, not tech, is holding back a safer internet:

Opinion The tech sector is failing at cybersecurity. Global spending on the stuff is at $190 billion a year, a quarter of the US defense budget. That hasn't stemmed an estimated $7 trillion in annual cybercriminal damages. People are fond of saying that the Wild West days of the internet are over, but on those numbers an 1875 Dodge City bank vault looks like Fort Knox.

So where's the sheriff? There are plenty of posses; no end of companies both small and large selling security by the bushel. Firewalls, scanners, heuristic, intrinsic, behavioral, managed, managerial, in-cloud, on-prem, you can mix and match the buzzwords and buy into every new idea. What you can't do is make your systems safe.

If you do want a safe bet in cybersecurity, it's that things aren't going to change any time soon without some fundamental shift in how the market works – if 40 years of constant failure can be called working.

We have so little reason to trust what's on offer or those offering it. Several stories last week show this: Apple, which makes a big play of intrinsic platform security, is heading to court for ignoring user consent and silently gathering app data anyway. Microsoft, even as it announces the extension of its security platform into Linux, reveals it fumbled its switches on its service infrastructure and took business-critical access away from its customers. These are the big shots in town, but they can't shoot straight.

It's almost as if we can't rely on the private sector to protect us against crime. Guess what: we never could and we never will. The state has to take on that role – usually late, usually badly, and usually against the wishes of those who like their crimes kept in the private sector, but usually to better effect than the alternatives.

upstart writes:

"When we pass from this world, you will be the reason we are remembered":

The month before Dwarf Fortress was released on Steam (and Itch.io), the brothers Zach and Tarn Adams made $15,635 in revenue, mostly from donations for their 16-year freeware project. The month after the game's commercial debut, they made $7,230,123, or 462 times that amount.

[...] Tarn Adams noted that "a little less than half will go to taxes," and that other people and expenses must be paid. But enough of it will reach the brothers themselves that "we've solved the main issues of health/retirement that are troubling for independent people." It also means that Putnam, a longtime modder and scripter and community member, can continue their work on the Dwarf Fortress code base, having been hired in December.

[...] While the commercial release of Dwarf Fortress has earned the brothers some breathing room and introduced new players with some quality-of-life offerings, the "classic" version—the one Ars editor Casey Johnston detailed over her 10-hour ordeal—is still free to download.

If you haven't tried this game yet, it's interesting.

Original Submission #1  Original Submission #2