SoylentNews is people

posted by hubie on Wednesday April 19 2023, @11:52PM

Researchers are warning about a dangerous wave of unwiped, secondhand core-routers:

Cameron Camp had purchased a Juniper SRX240H router last year on eBay to use in a honeypot network he was building to study remote desktop protocol (RDP) exploits and attacks on Microsoft Exchange and industrial control systems devices. When the longtime security researcher at Eset booted up the secondhand Juniper router, to his surprise it displayed a hostname.

After taking a closer look at the device, Camp contacted Tony Anscombe, Eset's chief security evangelist, to alert him to what he found on the router. "This thing has a whole treasure trove of Silicon Valley A-list software company information on it," Camp recalls telling Anscombe.

"We got very, very concerned," Camp says.

Camp and Anscombe decided to test their theory that this could be the tip of the iceberg for other decommissioned routers still harboring information from their previous owners' networks. They purchased several more decommissioned core routers -- four Cisco Systems ASA 5500, three Fortinet FortiGate, and 11 Juniper Networks SRX Series Services Gateway routers.

After dropping a few from the mix after one failed to power up and another two were actually mirrored routers from a former cluster, they found that nine of the remaining 16 held sensitive core networking configuration information, corporate credentials, and data on corporate applications, customers, vendors, and partners. The applications exposed on the routers were big-name software used in many enterprises: Microsoft Exchange, Lync/Skype, PeopleSoft, Salesforce, Microsoft SharePoint, Spiceworks, SQL, VMWare Horizon View, voice over IP, File Transfer Protocol (FTP), and Lightweight Directory Access Protocol (LDAP) applications.

[...] The routers contained one or more IPSec or VPN credentials, or hashed root passwords, and each had sufficient data for the researchers to identify the actual previous owner/operator of the device. Nearly 90% included router-to-router authentication keys and details on applications connected to the networks; some 44% had network credentials to other networks (such as a supplier or partner); 33% included third-party connections to the network; and 22% harbored customer information.

Camp says the discovery was a far cry from the malware he typically studies, and a lot less work for an attacker who happened upon one of these unwiped routers. "I don't need a zero day, I have your router," quips Camp.

[...] Meanwhile, one of the unwiped routers contained what Camp describes as a "creepy" remote administration interface.

"I was never sure if it was on purpose, but it was creepy, very low-level access, and from one of the countries with flags that we're [the US] not happy with right now," he says. "It could be totally legit or that could be really bad. It was a little edgy to me."

[...] So how do you wipe a router that you want to retire? The good news is most routers are fairly easy to securely decommission, and the big three (Cisco, Fortinet, and Juniper) provide detailed guidelines on their websites for restoring devices to their factory default settings.

[...] And if your organization already had disposed of routers that weren't properly wiped, Eset recommends rotating cryptographic keys in case an attacker were to get their hands on your old router and attempt to gain trusted access to your network. Zero trust can help here as well, they say.

[...] If you buy a secondhand core router and, like the researchers, find that it still contains the previous owner's information, Eset recommends disconnecting the router, moving it to a secured area, and contacting your regional CISA office. They also say it's best to document your purchase process as a precaution for insurance or legal purposes.


Original Submission

posted by hubie on Wednesday April 19 2023, @09:09PM
from the HEADS-UP dept.

An old NASA spacecraft will crash to Earth on Wednesday:

A retired NASA spacecraft will reenter Earth's atmosphere on Wednesday, with some parts of the vehicle expected to crash to the planet's surface.

While most of the Reuven Ramaty High Energy Solar Spectroscopic Imager (RHESSI) spacecraft is expected to burn up as it enters the atmosphere at high speed, some parts of the 660-pound (300-kilogram) machine are likely to survive the descent.

The good news is that NASA says that the risk of harm coming to folks on terra firma is low at "approximately 1 in 2,467." Still, for anyone wishing to don a hard hat just in case, RHESSI is expected to reenter the atmosphere at about 9:30 p.m. ET on Wednesday, April 19, though the forecast comes with an uncertainty of plus/minus 16 hours.

[...] RHESSI entered service in 2002 and, until its retirement in 2018, it observed solar flares and coronal mass ejections from its low-Earth orbit. Its work enabled scientists to learn more about the underlying physics of how these powerful bursts of energy occur.

The spacecraft's activities included imaging the high-energy electrons that carry a large part of the energy released in solar flares. Using its imaging spectrometer, RHESSI became the first-ever mission to record gamma-ray images and high-energy X-ray images of solar flares.

[...] The mission also helped to improve measurements of the sun's shape, and demonstrated that terrestrial gamma ray flashes — described by NASA as "bursts of gamma rays emitted from high in Earth's atmosphere" and which occur above some thunderstorms — happen more frequently than first thought.

NASA said it retired RHESSI in 2018 after maintaining communications with it became difficult. After retaining its low-Earth orbit for the last five years, the spacecraft is about to meet a fiery end.


Original Submission

posted by hubie on Wednesday April 19 2023, @06:26PM
from the Helicopters-on-Alien-worlds. dept.

So it says at The Register.

NASA's Ingenuity Mars Helicopter was designed to fly just five times, but last week the little rotorcraft that could clocked up its 50th flight in the red planet's thin atmosphere.

Flight 50 departed Airfield Lambda on April 13th and required 145.7 seconds to reach Airfield Mu, a 322-meter flight at a brisk 4.6 meters per second, cruising at a new height record of 18 meters above Martian soil.

On The Register's analysis of NASA's flight log, Ingenuity's records are:

  • Longest duration flight – 169.5 seconds on August 16th, 2021, during flight 12
  • Longest distance – 704 meters on April 8th, 2022, during flight 25
  • Fastest flight – 6.5 meters per second on April 2nd, 2023, during flight 49
  • Total flight time – 5,349.9 seconds, or just over 89 minutes
  • Total horizontal flight distance – 11,546 meters

"When we first flew, we thought we would be incredibly lucky to eke out five flights," said Teddy Tzanetos, Ingenuity team lead at JPL, in a blog post celebrating the 50th flight. "We have exceeded our expected cumulative flight time since our technology demonstration wrapped by 1,250 percent and expected distance flown by 2,214 percent."

The Ingenuity team is now planning a 51st flight to bring the 'copter close to the "Fall River Pass" region of Jezero Crater. Future flights will head towards "Mount Julian," from where the craft will enjoy panoramic views of the nearby Belva Crater, an 800-metre dent in Mars' surface.


Original Submission

posted by janrinok on Wednesday April 19 2023, @03:43PM
from the credentials-and-the-bazaar dept.

A new report sees threat actors swarming to digital bazaars to collaborate, buy and sell malware and credentials:

A new report from cyberthreat intelligence company Cybersixgill sees threat actors swarming to digital bazaars to collaborate, buy and sell malware and credentials.

Threat actors are consolidating their use of encrypted messaging platforms, initial access brokers and generative AI models, according to security firm Cybersixgill's new report, The State of the Cybercrime Underground 2023. This report notes this is lowering the barriers to entry into cybercrime and "streamlining the weaponization and execution of ransomware attacks."

The study is built upon 10 million posts on encrypted platforms and other kinds of data dredged up from the deep, dark and clear web. Brad Liggett, director of threat intel, North America, at Cybersixgill, defined those terms:

  • Clear web: Any site that is accessible via a regular browser and not needing special encryption to access (e.g., CNN.com, ESPN.com, WhiteHouse.gov).
  • Deep web: Sites that are unindexed by search engines, or sites that are gated and have restricted access.
  • Dark web: Sites that are only accessible using encrypted tunneling protocols such as Tor (the onion router browser), ZeroNet and I2P.

"What we're collecting in the channels across these platforms are messages," he said. "Much like if you are in a group text with friends/family, these channels are live chat groups."

Tor is popular among malefactors for the same reason: It gives people trapped in repressive regimes a way to get information to the outside world, said Daniel Thanos, vice president and head of Arctic Wolf Labs.

"Because it's a federated, peer-to-peer routing system, fully encrypted, you can have hidden websites, and unless you know the address, you're not going to get access," he said. "And the way it's routed, it's virtually impossible to track someone."

Cybercriminals use encrypted messaging platforms to collaborate, communicate and trade tools, stolen data and services partly because they offer automated functionalities that make them an ideal launchpad for cyberattacks. However, the Cybersixgill study suggests the number of threat actors is decreasing and concentrating on a handful of platforms.

Between 2019 and 2020, data that Cybersixgill collected reflected a massive surge in use of encrypted messaging platforms, with the total number of collected items increasing by 730%. In the firm's 2020-2021 analysis, this number increased by 338%, and then just 23% in 2022 to some 1.9 billion items collected from messaging platforms.

"When considering workflow activity, it's quicker and easier to browse through channels on the messaging platforms rather than needing to log in to various forums, and read through posts, etc.," said Liggett.

Across the dark web onion sites, the total number of forum posts and replies decreased by 13% between 2021 and 2022, dropping from over 91.7 million to around 79.1 million. The number of threat actors actively participating in top forums also declined slightly, according to the report.

The 10 largest cybercrime forums averaged 165,390 monthly users in 2021, which dropped by 4% to 158,813 in 2022. However, posts on those 10 sites grew by nearly 28%, meaning the forums' participants became more active.

The study said that, in the past, most threat actors conducted their operations on the dark web alone, while in recent years there's been migration to deep-web encrypted messaging platforms.

Cybercriminals favor deep web platforms because of their relative ease of use versus Tor, which requires more technical skills. "Across easily-accessible platforms, chats and channels, threat actors collaborate and communicate, trading tools, stolen data and services in an illicit network that operates in parallel to its dark web equivalent," said the study.

"People tend to communicate in real-time across these platforms," said Liggett. "Forums and marketplaces in the dark web are notorious for not always having a high level of uptime. They sometimes end up going offline after a period of time, or as we've seen recently have been seized by law enforcement and government agencies," he said, noting that one such platform, RaidForums, was taken down in 2022, and BreachedForums just a couple weeks ago.


Original Submission

posted by janrinok on Wednesday April 19 2023, @12:56PM

New CFO sees interesting in-tray at 20 percent year-on-year growth database company:

Database vendor MariaDB has cut a number of jobs and reiterated a "going concern" warning over its medium-term financial viability.

In a statement to the stock market [PDF] late last month, the company, which floated on the New York Stock Exchange at the end of 2022, said it was reducing its headcount by 26 "to achieve cost reduction goals and to focus the Company on key initiatives and priorities."

In December, CEO Michael Howard told The Register the company was looking to hire more people following $104 million in funding and $18 million through private investment in public equity through the special purpose acquisition company that enabled the flotation.

Although the job losses may be a fraction of the reported 340 people the company employs, other details in the filing may highlight further cause for concern over its financial viability.

It includes a mention of MariaDB's February 10Q warning that the company's current cash and cash equivalents "would not be sufficient to fund our operations, including capital expenditure requirements for at least 12 months from... February 13, 2023, raising substantial doubt about our ability to continue as a going concern."

The March 24 statement said it anticipated that the money raised by database subscriptions and services would not be enough to meet its projected working capital and operating needs. "We are currently seeking additional capital to meet our projected working capital, operating, and debt repayment needs for periods after September 30, 2023 ... Going forward, we cannot be certain when or if our operations will generate sufficient cash to fully fund our ongoing operations or the growth of our business," it says.

The timing of MariaDB's flotation may have been unfortunate. While it was already in train, the SPAC model was going out of favor. Research from early December 2022 by investment research firm Bedrock AI found 49 per cent of the quarterly financial filings by companies floating via a SPAC since the beginning of the year contained an admission of ineffective internal controls. Earlier this month Europe's biggest SPAC, Pegasus Europe, announced it would cease operations and return capital to its investors at the beginning of May. In May last year, Goldman Sachs took a break from handling SPAC-based IPOs.

Speaking to The Register, MariaDB CMO Franz Aman said the company was still hiring, but a number of job losses had also been necessary. "It's absolutely no secret that, like companies in tech, we need to be super prudent, and we need to be fiscal responsive. We also had a look at our headcount plan, and we had to make sure that we were doing the right things. We had a reduction in workforce... so have most other tech companies: everyone's concerned about profitability, cash position."

Aman argued that a "going concern" notice in regulatory filings was far from unusual.


Original Submission

posted by janrinok on Wednesday April 19 2023, @10:13AM

SpaceX Starship launch countdown: all of the news on its first test flight:

Elon Musk's stated goal of putting humans on Mars relies heavily on the development of a next-generation reusable spacecraft, and Starship (formerly known as Big Falcon Rocket or BFR) is ready for its first orbital test flight. It's not the "six months" goal Musk projected in 2019, but after a number of suborbital tests that included some terrific successes and fantastic, fiery failures, the big day is finally almost here.

With just over five minutes to go before its first scheduled launch attempt Monday morning, SpaceX announced that due to a pressurization issue with the first stage, the attempt became a "wet dress rehearsal," and the countdown ended with 10 seconds to go. SpaceX now says it's targeting April 20th for another attempt, with a launch window between 8:28AM CT (9:28AM ET) and 9:30AM CT (10:30AM ET).

If all goes according to plan, the Starship will fly to orbital velocity after separating from its Super Heavy booster rocket about three minutes into the trip, then splashdown in the Pacific Ocean near Hawaii.

The entire trip should take about 90 minutes to complete, and SpaceX is livestreaming the events on its YouTube channel.

Previously: SpaceX's First Orbital Test Flight of Starship Imminent [Scrubbed]


Original Submission

posted by janrinok on Wednesday April 19 2023, @07:32AM

mjg59 | PSA: upgrade your LUKS key derivation function:

Many Linux users rely on LUKS for their disk encryption but perhaps they need to pay a bit more attention to it. If the disk was encrypted more than a few years ago (LUKS Version 1) it appears that it might not be secure enough to withstand a concerted attack. It is time to check whether you are using Version 2, and if not the fix takes a few minutes. [JR]

Here's an article from a French anarchist describing how his (encrypted) laptop was seized after he was arrested, and material from the encrypted partition has since been entered as evidence against him. His encryption password was supposedly greater than 20 characters and included a mixture of cases, numbers, and punctuation, so in the absence of any sort of opsec failures this implies that even relatively complex passwords can now be brute forced, and we should be transitioning to even more secure passphrases.

Or does it? Let's go into what LUKS is doing in the first place. The actual data is typically encrypted with AES, an extremely popular and well-tested encryption algorithm. AES has no known major weaknesses and is not considered to be practically brute-forceable - at least, assuming you have a random key. Unfortunately it's not really practical to ask a user to type in 128 bits of binary every time they want to unlock their drive, so another approach has to be taken.

This is handled using something called a "key derivation function", or KDF. A KDF is a function that takes some input (in this case the user's password) and generates a key. As an extremely simple example, think of MD5 - it takes an input and generates a 128-bit output, so we could simply MD5 the user's password and use the output as an AES key. While this could technically be considered a KDF, it would be an extremely bad one! MD5s can be calculated extremely quickly, so someone attempting to brute-force a disk encryption key could simply generate the MD5 of every plausible password (probably on a lot of machines in parallel, likely using GPUs) and test each of them to see whether it decrypts the drive.

(things are actually slightly more complicated than this - your password is used to generate a key that is then used to encrypt and decrypt the actual encryption key. This is necessary in order to allow you to change your password without having to re-encrypt the entire drive - instead you simply re-encrypt the encryption key with the new password-derived key. This also allows you to have multiple passwords or unlock mechanisms per drive)

Good KDFs reduce this risk by being what's technically referred to as "expensive". Rather than performing one simple calculation to turn a password into a key, they perform a lot of calculations. The number of calculations performed is generally configurable, in order to let you trade off between the amount of security (the number of calculations you'll force an attacker to perform when attempting to generate a key from a potential password) and performance (the amount of time you're willing to wait for your laptop to generate the key after you type in your password so it can actually boot). But, obviously, this tradeoff changes over time - defaults that made sense 10 years ago are not necessarily good defaults now. If you set up your encrypted partition some time ago, the number of calculations required may no longer be considered up to scratch.

And, well, some of these assumptions are kind of bad in the first place! Just making things computationally expensive doesn't help a lot if your adversary has the ability to test a large number of passwords in parallel. GPUs are extremely good at performing the sort of calculations that KDFs generally use, so an attacker can "just" get a whole pile of GPUs and throw them at the problem. KDFs that are computationally expensive don't do a great deal to protect against this. However, there's another axis of expense that can be considered - memory. If the KDF algorithm requires a significant amount of RAM, the degree to which it can be performed in parallel on a GPU is massively reduced. A Geforce 4090 may have 16,384 execution units, but if each password attempt requires 1GB of RAM and the card only has 24GB on board, the attacker is restricted to running 24 attempts in parallel.

So, in these days of attackers with access to a pile of GPUs, a purely computationally expensive KDF is just not a good choice. And, unfortunately, the subject of this story was almost certainly using one of those. Ubuntu 18.04 used the LUKS1 header format, and the only KDF supported in this format is PBKDF2. This is not a memory expensive KDF, and so is vulnerable to GPU-based attacks. But even so, systems using the LUKS2 header format used to default to argon2i, again not a memory expensive KDF. New versions default to argon2id, which is. You want to be using argon2id.

What makes this worse is that distributions generally don't update this in any way. If you installed your system and it gave you pbkdf2 as your KDF, you're probably still using pbkdf2 even if you've upgraded to a system that would use argon2id on a fresh install. Thankfully, this can all be fixed-up in place. But note that if anything goes wrong here you could lose access to all your encrypted data, so before doing anything make sure it's all backed up (and figure out how to keep said backup secure so you don't just have your data seized that way).

The full instructions are in the linked source.
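
A check for the condition the article describes, as an added example that is not from the linked post or from cryptsetup: it parses `cryptsetup luksDump`-style text and flags every keyslot whose KDF is not argon2id. The sample dumps are constructed, and the field layout and the KiB unit of `Memory:` are assumptions about cryptsetup's output. A LUKS2 header also lists `pbkdf2` under Digests, which is not a keyslot KDF, so a plain text search for "pbkdf2" would mislead.

```python
import re

# Constructed samples shaped like `cryptsetup luksDump` output (assumed layout;
# salts and digests omitted). Not taken from a real device.
SAMPLE_LUKS2 = (
    "LUKS header information\n"
    "Version:       \t2\n"
    "Epoch:         \t5\n"
    "\n"
    "Data segments:\n"
    "  0: crypt\n"
    "\tcipher: aes-xts-plain64\n"
    "\n"
    "Keyslots:\n"
    "  0: luks2\n"
    "\tKey:        512 bits\n"
    "\tPBKDF:      argon2i\n"
    "\tTime cost:  4\n"
    "\tMemory:     1048576\n"
    "\tThreads:    4\n"
    "  1: luks2\n"
    "\tKey:        512 bits\n"
    "\tPBKDF:      argon2id\n"
    "\tTime cost:  4\n"
    "\tMemory:     1048576\n"
    "\tThreads:    4\n"
    "Tokens:\n"
    "Digests:\n"
    "  0: pbkdf2\n"
    "\tHash:       sha256\n"
    "\tIterations: 100000\n"
)
SAMPLE_LUKS1 = (
    "LUKS header information for /dev/sdX5\n"
    "\n"
    "Version:       \t1\n"
    "Cipher name:   \taes\n"
    "Hash spec:     \tsha256\n"
    "\n"
    "Key Slot 0: ENABLED\n"
    "\tIterations:         \t1600000\n"
    "\tAF stripes:            \t4000\n"
    "Key Slot 1: DISABLED\n"
)

TARGET_KDF = "argon2id"  # the KDF the article says you want to be using


def parse_luks_dump(text):
    """Return (header_version, [keyslot dicts]) from luksDump-style text."""
    version, slots, section, current = None, [], None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = re.match(r"Version:\s*(\d+)", raw)
        if m and version is None:
            version = int(m.group(1))
            continue
        # LUKS1 lists slots as "Key Slot N: ENABLED"; its only KDF is PBKDF2.
        m = re.match(r"Key Slot (\d+): (ENABLED|DISABLED)", raw)
        if m:
            section, current = "Keyslots", None
            if m.group(2) == "ENABLED":
                current = {"slot": int(m.group(1)), "pbkdf": "pbkdf2"}
                slots.append(current)
            continue
        # LUKS2 top-level sections are unindented lines ending in ':'.
        if not raw[0].isspace() and raw.rstrip().endswith(":"):
            section, current = raw.rstrip()[:-1], None
            continue
        if section != "Keyslots":
            continue  # skips the Digests entry that also says "pbkdf2"
        m = re.match(r"\s+(\d+):\s*luks2", raw)
        if m:
            current = {"slot": int(m.group(1))}
            slots.append(current)
        elif current is not None and ":" in raw:
            key, _, value = raw.strip().partition(":")
            current[key.strip().lower()] = value.strip()
    return version, slots


def assess(text, gpu_mem_gib=24):
    """Flag keyslots not on TARGET_KDF; bound parallel guesses by GPU memory."""
    version, slots = parse_luks_dump(text)
    findings = []
    for s in slots:
        kdf = s.get("pbkdf", "unknown")
        mem_kib = int(s.get("memory", 0))  # assumed unit: KiB per attempt
        # The article's arithmetic: card memory / memory per password attempt.
        parallel = (gpu_mem_gib * 1024 * 1024) // mem_kib if mem_kib else None
        findings.append({"slot": s["slot"], "pbkdf": kdf,
                         "ok": kdf == TARGET_KDF, "parallel_guesses": parallel})
    return version, findings


if __name__ == "__main__":
    for name, dump in (("LUKS2", SAMPLE_LUKS2), ("LUKS1", SAMPLE_LUKS1)):
        version, findings = assess(dump)
        for f in findings:
            state = "ok" if f["ok"] else "CONVERT"
            print(f"{name} v{version} slot {f['slot']}: {f['pbkdf']} [{state}] "
                  f"max parallel guesses on 24 GiB: {f['parallel_guesses']}")
```

On a real system the input would be the text of `cryptsetup luksDump <device>`; every keyslot needs checking, since one old slot left on a weaker KDF still unlocks the volume.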


Original Submission

posted by janrinok on Wednesday April 19 2023, @04:44AM

The proposed legislation also poses 'an unnecessary economic and technological risk to the EU':

More than a dozen open source industry bodies have published an open letter asking the European Commission (EC) to reconsider aspects of its proposed Cyber Resilience Act (CRA), saying it will have a "chilling effect" on open source software development if implemented in its current form.

Thirteen organizations, including the Eclipse Foundation, Linux Foundation Europe, and the Open Source Initiative (OSI), also note that the Cyber Resilience Act as it's written "poses an unnecessary economic and technological risk to the EU."

The purpose of the letter, it seems, is for the open source community to garner a bigger say in the evolution of the CRA as it progresses through the European Parliament.

The letter reads:

We write to express our concern that the greater open source community has been underrepresented during the development of the Cyber Resilience Act to date, and wish to ensure this is remedied throughout the co-legislative process by lending our support. Open source software represents more than 70% of the software present in products with digital elements in Europe. Yet, our community does not have the benefit of an established relationship with the co-legislators.

The software and other technical artefacts produced by us are unprecedented in their contribution to the technology industry along with our digital sovereignty and associated economic benefits on many levels. With the CRA, more than 70% of the software in Europe is about to be regulated without an in-depth consultation.

[...] Penalties for non-compliance may include fines of up to €15M, or 2.5% of global turnover.

While the Cyber Resilience Act is still in its early-stages, with nothing set to pass into actual law in the immediate future, the legislation has already set some alarm bells ringing in the open source world. It's estimated that open source components constitute between 70-90% of most modern software products, from web browsers to servers, yet many open source projects are developed by individuals or small teams in their spare time. Thus, the CRA's intentions of extending the CE marking self-certification system to software, whereby all software developers will have to testify that their software is ship-shape, could stifle open source development for fear of contravening the new legislation.

The draft legislation as it stands does in fact go some way toward addressing some of these concerns. It says (emphasis ours):

In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.

However, the language as it stands has prompted concerns from the open source world. While the text does seem to exempt non-commercial open source software from its scope, trying to define what is meant by "non-commercial" is not a straightforward endeavor. As GitHub policy director Mike Linksvayer noted in a blog post last month, developers often "create and maintain open source in a variety of paid and unpaid contexts," which may include corporate, government, non-profit, academic, and more.


Original Submission

posted by hubie on Wednesday April 19 2023, @02:01AM

Parler's new owner immediately took the social network offline:

Months after Ye dropped his bid, Parler has a new owner... and is out of commission for the time being. Starboard, the owner of pro-conservative news outlets like American Wire News, has shut down Parler on a temporary but indefinite basis after completing its acquisition of the social network from Parlement Technologies. The buyer says it will conduct a "strategic assessment" of the platform during the downtime, and hopes to integrate Parler's audience into all its existing channels.

Starboard isn't shy about its strategy. While it still sees a market for communities that believe they've been censored or marginalized, it considers a Parler revamp virtually necessary. "No reasonable person believes that a Twitter clone just for conservatives is a viable business any more," the company says.

Parler launched in 2018 as a self-proclaimed free speech alternative to Twitter, which some conservatives claim is biased against right-wing views. It had few rules or moderation controls. Like Gab, though, it also became a haven for people with extreme views. Parler drew flak in January 2021 after word that people involved in the Capitol attack used the social platform to coordinate. Apple and Google kicked Parler off their respective app stores until it improved moderation and kept out users inciting violence.

[...] In an interview with The Wall Street Journal, Starboard chief Ryan Coyne says he expects to keep users on Parler despite rivalries with other sites, such as former President Trump's Truth Social. However, the absence of a revival date doesn't leave members many options. For now, they'll have to use other platforms to express themselves.

Previously: Parler Has Reportedly Cut 'Majority' of Staff in Recent Weeks


Original Submission

posted by hubie on Tuesday April 18 2023, @11:19PM
from the feelin'-salty dept.

The Great Salt Lake is shrinking. What can we do to stop it?:

At Antelope Island State Park near Salt Lake City in the fall of 2022, three duck hunters dragged a sled across cracked desert sand in search of the water's edge. The birds they sought were bunched in meager puddles far in the distance. Just to the west, the docks of an abandoned marina caved into the dust and a lone sailboat sat beached amid sagebrush.

"Biologists are worried that we're on the brink of ecological collapse of the lake," says Chad Yamane, the regional director of Ducks Unlimited, a nonprofit that conserves, restores and manages habitats for North America's waterfowl, and a waterfowl hunter himself.

Last fall, the Great Salt Lake hit its lowest level since record keeping began. The lake's elevation sank to nearly six meters below the long-term average, shriveling the Western Hemisphere's largest saline lake to half its historic surface area. The lake's shrinking threatens to upend the ecosystem, disrupting the migration and survival of 10 million birds, including ducks and geese.

[...] And the Great Salt Lake isn't unique. Many of the world's saline lakes are facing a double whammy: People are taking more water from the tributaries that feed the lakes, while a hotter, drier climate means it takes longer to refill them.

[...] According to a report released by researchers at Brigham Young University in January, the Great Salt Lake will likely also disappear within five years if residents continue their current rate of "unsustainable" water consumption.

The good news is Utahans still have time to halt or even reverse the Great Salt Lake's decline by using less water. Cutting agricultural and other outdoor water use by a third to half through a combination of voluntary conservation measures and policy changes would allow the lake to refill enough to support the region's economy, ecology and quality of life, the report says. If Utahans succeed, the Great Salt Lake can be a model for how to save other saline lakes around the world.

Previously: Great Salt Lake on Path to Hyper-Salinity, Mirroring Iranian Lake


Original Submission

posted by hubie on Tuesday April 18 2023, @08:33PM
from the Ukranian-Craigslist dept.

https://www.thedrive.com/the-war-zone/russian-t-90-tank-from-ukraine-mysteriously-appears-at-u-s-truck-stop

The folks at Peto's Travel Center and Casino in Roanoke, Louisiana see all kinds of vehicles pull up, but Tuesday night was different. What ended up in their parking lot is certainly something of a mystery, to say the least.

Someone left a Russian T-90A tank, which open source intelligence (OSINT) trackers say was captured by Ukraine last fall, on a trailer after the truck hauling it broke down and pulled into this truck stop off U.S. Interstate 10. An employee at Peto's, and the individual who first posted the images on Reddit, shared them with The War Zone.


Original Submission

posted by hubie on Tuesday April 18 2023, @05:48PM
from the don't-be-a-doomer dept.

The AI Doomers' Playbook:

AI Doomerism is becoming mainstream thanks to mass media, which drives our discussion about Generative AI from bad to worse, or from slightly insane to batshit crazy. Instead of out-of-control AI, we have out-of-control panic.

When a British tabloid headline screams, "Attack of the psycho chatbot," it's funny. When it's followed by another front-page headline, "Psycho killer chatbots are befuddled by Wordle," it's even funnier. If this type of coverage stayed in the tabloids, which are known to be sensationalized, that would be fine.

But recently, prestige news outlets have decided to promote the same level of populist scaremongering: The New York Times published "If we don't master AI, it will master us" (by Harari, Harris & Raskin), and TIME magazine published "Be willing to destroy a rogue datacenter by airstrike" (by Yudkowsky).

In just a few days, we went from "governments should force a 6-month pause" (the petition from the Future of Life Institute) to "wait, it's not enough, so data centers should be bombed." Sadly, this is the narrative that gets media attention and shapes our already hyperbolic AI discourse.

[...] Sam Altman has a habit of urging us to be scared. "Although current-generation AI tools aren't very scary, I think we are potentially not that far away from potentially scary ones," he tweeted. "If you're making AI, it is potentially very good, potentially very terrible," he told the WSJ. When he shared the bad-case scenario of AI with Connie Loizo, it was "lights out for all of us."

[...] Altman's recent post "Planning for AGI and beyond" is as bombastic as it gets: "Successfully transitioning to a world with superintelligence is perhaps the most important – and hopeful, and scary – project in human history."

It is at this point that you might ask yourself, "Why would someone frame his company like that?" Well, that's a good question. The answer is that making OpenAI's products "the most important and scary – in human history" is part of its marketing strategy. "The paranoia is the marketing."

"AI doomsaying is absolutely everywhere right now," described Brian Merchant in the LA Times. "Which is exactly the way that OpenAI, the company that stands to benefit the most from everyone believing its product has the power to remake – or unmake – the world, wants it." Merchant explained Altman's science fiction-infused marketing frenzy: "Scaring off customers isn't a concern when what you're selling is the fearsome power that your service promises."

[...] Altman is at least using apocalyptic AI marketing for actual OpenAI products. The worst kind of doomers is those whose AI panic is their product, their main career, and their source of income. A prime example is the Effective Altruism institutes that claim to be the superior few who can save us from a hypothetical AGI apocalypse.

In March, Tristan Harris, Co-Founder of the Center for Humane Technology, invited leaders to a lecture on how AI could wipe out humanity. To begin his doomsday presentation, he stated: "What nukes are to the physical world ... AI is to everything else."

[...] To further escalate the AI panic, Tristan Harris published an OpEd in The New York Times with Yuval Noah Harari and Aza Raskin. Among their overdramatic claims: "We have summoned an alien intelligence," "A.I. could rapidly eat the whole human culture," and AI's "godlike powers" will "master us."

[...] "This is what happens when you bring together two of the worst thinkers on new technologies," added Lee Vinsel. "Among other shared tendencies, both bloviate free of empirical inquiry."

This is where we should be jealous of AI doomers. Having no evidence and no nuance is extremely convenient (when your only goal is to attack an emerging technology).

[...] "Rhetoric from AI doomers is not just ridiculous. It's dangerous and unethical," responded Yann LeCun (Chief AI Scientist, Meta). "AI doomism is quickly becoming indistinguishable from an apocalyptic religion. Complete with prophecies of imminent fire and brimstone caused by an omnipotent entity that doesn't actually exist."

[...] The problem is that "irrational fears" sell. They are beneficial to the ones who spread them.

[...] Are they ever going to stop this "Panic-as-a-Business"? If the apocalyptic catastrophe doesn't occur, will the AI doomers ever admit they were wrong? I believe the answer is "No."

Doomsday cultists don't question their own predictions. But you should.


Original Submission

posted by janrinok on Tuesday April 18 2023, @02:59PM   Printer-friendly
from the try-not-to-blow-your-top dept.

Stopping Storms from Creating Dangerous Urban Geysers:

During intense rainstorms, residents of urban areas rely on stormwater sewers to keep streets and homes from flooding. But in some cases, air pockets in sewers combine with fast-moving water to produce waterspouts that can reach dozens of feet high and last for several minutes. These so-called storm geysers can flood the surrounding area, cause damage to nearby structures, injure bystanders, and compromise drainage pipes.

In Physics of Fluids, by AIP Publishing, researchers from Sichuan University, Ningbo University, University of Alberta, and Hohai University developed a computational model of stormwater piping to study storm geysers. They used this model to understand why storm geysers form, what conditions tend to make them worse, and what city planners can do to prevent them from occurring.

Perhaps the biggest cause of storm geysers is poor city planning. With extreme weather events becoming more common due to climate change, cities can often find themselves unprepared for massive amounts of rain. Growing cities are especially vulnerable. Small cities have small drainage pipes, but new streets and neighborhoods result in added runoff, and those small pipes may not be able to handle the increased volume.

[...] The authors say the best cure for a storm geyser is bigger pipes.

"The most effective preventive measure for newly planned drainage pipelines is to increase the pipeline diameter and improve system design, which reduces the likelihood of full-flow conditions and eliminates storm geysers," said Zhang.

However, that advice is little help to cities with existing pipeline infrastructure. In these systems, the focus must be on minimizing the potential damage by reducing the height of the geysers, the volume of expelled water, or the resulting damage to the pipeline.

"Scholars have proposed prevention measures such as increasing the maintenance hole diameter, using expansion segments in maintenance holes, installing orifice plates, and adding structures to allow air release while preventing the outflow of water," said Zhang. "However, these measures often cannot achieve all of the aforementioned objectives simultaneously."

A picture from the journal paper showing an urban geyser.

Journal Reference:
  Xin Li, Jianmin Zhang, David Z. Zhu, et al., Modeling geysers triggered by an air pocket migrating with running water in a pipeline, Physics of Fluids, 2023. DOI: https://doi.org/10.1063/5.0138342


Original Submission

posted by janrinok on Tuesday April 18 2023, @12:15PM   Printer-friendly
from the long-distance-patch-Tuesday dept.

Shooting all-important bytes to a machine 254 million kms away from Earth:

Launched from Cape Canaveral on November 26, 2011, the Curiosity rover was designed for scientific investigations during a two-year mission. Twelve years later, the car-sized machine is still roaming Mars' surface while NASA improves the software side of things from afar.

Between April 3 and 7, Curiosity's science and imaging operations were put "on hold" for planned software maintenance. NASA installed the latest "patch" to its Mars rover's flight software, a major update which was planned for years and designed to further extend the rover's capabilities and longevity in the Red Planet's harsh environment.

NASA started to work on the now up-and-running software update back in 2016, when Curiosity got its last software overhaul. The new flight software (R13) brings about 180 changes to the rover's system, two of which will make the Mars robot drive faster and reduce wear and tear on its wheels.

The first major change implemented by NASA in Curiosity software is related to how the machine processes images of its surroundings to plan a route around obstacles. Newer rovers like Perseverance are equipped with onboard computers capable of processing images on-the-fly, while the robots are still in motion. Curiosity, on the other hand, doesn't have that kind of feature and it needs to stop every time to reassess surface conditions and correct its course.

NASA is clearly unable to install new hardware equipment on Curiosity, but the latest software update makes image processing faster so that the rover needs to stop "for just a moment or two" instead of the full minute needed before. This way, Curiosity will consume less energy and extend its mission even further.

The second major improvement brought by the R13 update is for the rover's aluminum wheels, which started to show signs of wear within the mission's first year. The patches installed before provided the rover with an algorithm to improve traction; now R13 "goes further" in that direction by introducing "two new mobility commands" that can reduce the amount of steering Curiosity needs to do "while driving in an arc toward a specific waypoint," NASA said. The driving process will be simpler, thus wear should be further reduced.


Original Submission

posted by janrinok on Tuesday April 18 2023, @09:28AM   Printer-friendly

German artist refuses award after his AI image wins prestigious photography prize:

There's some controversy in the photography world as an AI-generated image won a major prize at a prestigious competition, PetaPixel has reported. A piece called The Electrician by Boris Eldagsen took first prize in the Creative category at the World Photography Organization's Sony World Photography Awards — despite not being taken by a camera. Eldagsen subsequently refused the award, saying "AI is not photography. I applied [...] to find out if the competitions are prepared for AI images to enter. They are not."

Eldagsen's image is part of a series called PSEUDOMNESIA: Fake Memories, designed to evoke a photographic style of the 1940s. However, they are in reality "fake memories of a past, that never existed, that no one photographed. These images were imagined by language and re-edited more between 20 to 40 times through AI image generators, combining 'inpainting', 'outpainting', and 'prompt whispering' techniques."

In a blog, Eldagsen explained that he used his experience as a photographer to create the prize-winning image, acting as a director of the process with the AI generators as "co-creators." Although the work is inspired by photography, he said that the point of the submission is that it is not photography. "Participating in open calls, I want to speed up the process of the Award organizers to become aware of this difference and create separate competitions for AI-generated images," he said.

Eldagsen subsequently declined the prize. "Thank you for selecting my image and making this a historic moment, as it is the first AI-generated image to win in a prestigious international photography competition," he wrote. "How many of you knew or suspected that it was AI generated? Something about this doesn't feel right, does it? AI images and photography should not compete with each other in an award like this. They are different entities. AI is not photography. Therefore I will not accept the award."

When does the processing of a 'photograph' become unacceptable? Techniques such as burning and dodging, plus various types of film processing, can all change the image that is finally produced. Digital photographs can be even more easily modified. At what point does it become an entirely new genre? Does the method of production really matter? [JR]


Original Submission