SoylentNews

upstart writes:

Many transgressions come from "very large companies that have robust security teams":

Despite more than a decade of reminding, prodding, and downright nagging, a surprising number of developers still can't bring themselves to keep their code free of credentials that provide the keys to their kingdoms to anyone who takes the time to look for them.

The lapse stems from immature coding practices in which developers embed cryptographic keys, security tokens, passwords, and other forms of credentials directly into the source code they write. The credentials make it easy for the underlying program to access databases or cloud services necessary for it to work as intended. I published one such PSA in 2013 after discovering simple searches that turned up dozens of accounts that appeared to expose credentials securing computer-to-server SSH accounts. One of the credentials appeared to grant access to an account on Chromium.org, the repository that stores the source code for Google's open source browser.

In 2015, Uber learned the hard way just how damaging the practice can be. One or more developers for the ride service had embedded a unique security key into code and then shared that code on a public GitHub page. Hackers then copied the key and used it to access an internal Uber database and, from there, steal sensitive data belonging to 50,000 Uber drivers.

Uber lawyers argued at the time that "the contents of these internal database files are closely guarded by Uber," but that contention is undermined by means the company took in safeguarding the data, which was no better than stashing a house key under a door mat.

Freeman writes:

https://arstechnica.com/security/2023/11/teens-with-digital-bazookas-are-winning-the-ransomware-war-researcher-laments/

What do Boeing, an Australian shipping company, the world's largest bank, and one of the world's biggest law firms have in common? All four have suffered cybersecurity breaches, most likely at the hands of teenage hackers, after failing to patch a critical vulnerability that security experts have warned of for more than a month, according to a post published Monday.

[...] All four companies have confirmed succumbing to security incidents in recent days, and China's ICBC has reportedly paid an undisclosed ransom in exchange for encryption keys to data that has been unavailable ever since.

[...] After the CitrixBleed exploit grants initial remote access through software known as Virtual Desktop Infrastructure, LockBit escalates its access to other parts of the compromised network using tools such as Atera, which provides interactive PowerShell interfaces that don't trigger antivirus or endpoint detection alerts. This access remains even after CitrixBleed is patched unless administrators take special actions.

Original Submission

Arthur T Knackerbracket has processed the following story:

ChatGPT's recently-added Code Interpreter makes writing Python code with AI much more powerful, because it actually writes the code and then runs it for you in a sandboxed environment. Unfortunately, this sandboxed environment, which is also used to handle any spreadsheets you want ChatGPT to analyze and chart, is wide open to prompt injection attacks that exfiltrate your data. 

Using a ChatGPT Plus account, which is necessary to get the new features, I was able to reproduce the exploit, which was first reported on Twitter by security researcher Johann Rehberger. It involves pasting a third-party URL into the chat window and then watching as the bot interprets instructions on the web page the same way it would commands the user entered. 

[...] I tried this prompt injection exploit and some variations on it several times over  a few days. It worked a lot of the time, but not always. In some chat sessions, ChatGPT would refuse to load an external web page at all, but then would do so if I launched a new chat. 

In other chat sessions, it would give a message saying that it's not allowed to transmit data from files this way. And in yet other sessions, the injection would work, but rather than transmitting the data directly to http://myserver.com/data.php?mydata=[DATA], it would provide a hyperlink in its response and I would need to click that link for the data to transmit.

I was also able to use the exploit after I'd uploaded a .csv file with important data in it to use for data analysis. So this vulnerability applies not only to code you're testing but also to spreadsheets you might want ChatGPT to use for charting or summarization.

[...] The problem is that, no matter how far-fetched it might seem, this is a security hole that shouldn't be there. ChatGPT should not follow instructions that it finds on a web page, but it does and has for a long time. We reported on ChatGPT prompt injection (via YouTube videos) back in May after Rehberger himself responsibly disclosed the issue to OpenAI in April. The ability to upload files and run code in ChatGPT Plus is new (recently out of beta) but the ability to inject prompts from a URL, video or a PDF is not.

Original Submission

SpaceX's Starship gets all clear for Texas takeoff

DannyB writes:

FAA grants license to fly, though not fry local wildlife:

The US Federal Aviation Administration (FAA) has given SpaceX clearance to try launching the monster Starship / Super Heavy combo from the company's Boca Chica facility.

It has taken some time, at least in terms of the rapid iterative approach adopted by the company for its other vehicles. Still, SpaceX is set for another attempt seven months after April's effort.

Residing at the bottom of an FAA advisory are three possible dates for flight two of the SpaceX Starship Super Heavy. The primary date is November 17, with backup dates on November 18 and 19.

The FAA grounded SpaceX's Starship after the rocket demolished a chunk of its launchpad and scattered debris over the surrounding area. The launch was aborted a few minutes into flight, although there was a worrying delay between the red button being pushed and the tumbling rocket detonating.

See Also:
YouTube video: Musk Confirms License: Starship To Launch Friday!

Arthur T Knackerbracket has processed the following story:

A tool bag is orbiting Earth. No, this isn't an elaborate Elon Musk joke.

The bag entered orbit during a spacewalk conducted by NASA astronauts and International Space Station residents Jasmin Moghbeli and Loral O'Hara on November 1. During their almost seven-hour space stroll, during which they replaced bearings on a sun-tracking solar array and removed some communications equipment, NASA revealed the tool bag "was inadvertently lost," by one of the dynamic duo.

"Mission Control analyzed the bag's trajectory and determined that risk of recontacting the station is low and that the onboard crew and space station are safe with no action required," the space agency added.

Dr Meganne Christian, a member of the European Space Agency’s 2022 astronaut class, shared a snippet of helmet camera footage from Moghbeli's space suit showing the bag slipping away and the futile scramble to retrieve it.

But the container – a “crew lock bag” in official NASA parlance – didn’t just drift away out of human view.

Astrophysicist Jonathan McDowell of the Harvard Center for Astrophysics confirmed last week that the bag had been catalogued by the US Space Force as 58229/1998-067WC and was being tracked as a new orbital object.

The next day, Japanese ISS resident Satoshi Furukawa snapped a photo of the bag following day as the ISS passed over Japan.

According to McDowell, the bag isn't in a stable orbit, and is expected to re-enter Earth's atmosphere in a few months, when it will burn up completely and won't be a risk to anyone on the ground.

For those interested in observing the bag before it burns up in Earth's atmosphere, that just might be possible with the proper equipment and timing.

The bag's brightness is magnitude six , or just at the edge of the eye's unaided visibility limit under perfect conditions. Binoculars would make spotting it far easier. Sat-spotters seeking a sighting of the space spanners should look a few minutes ahead of the ISS’s expected path, which can be tracked online or with a recently launched mobile app.

Original Submission

hubie writes:

A new study found that more than one million US deaths per year—including many young and working-age adults—could be avoided if the US had mortality rates similar to its peer nations:

In 2021, 1.1 million deaths would have been averted in the United States if the US had mortality rates similar to other wealthy nations, according to a new study led by a School of Public Health researcher.

Published in the journal PNAS Nexus, the study refers to these excess deaths as "Missing Americans," because these deaths reflect people who would still be alive if the US mortality rates were equal to its peer countries.

Comparing age-specific death rates in the U.S. and 21 other wealthy nations from 1933 through 2021, the authors find that current death rates in the US are much higher than other wealthy nations, and the number of excess U.S. deaths has never been larger.

"The number of Missing Americans in recent years is unprecedented in modern times," says study lead and corresponding author Jacob Bor, associate professor of global health and epidemiology.

Nearly 50 percent of all Missing Americans died before age 65 in 2020 and 2021. According to Bor, the level of excess mortality among working age adults is particularly stark. "Think of people you know who have passed away before reaching age 65. Statistically, half of them would still be alive if the US had the mortality rates of our peers. The US is experiencing a crisis of early death that is unique among wealthy nations."

The COVID-19 pandemic contributed to a sharp spike in mortality in the US—more so than in other countries—but the new findings show that the number of excess US deaths has been accelerating over the last four decades. Bor and colleagues analyzed trends in US deaths from 1933 to 2021, including the impact of COVID-19, and then compared these trends with age-specific mortality rates in Canada, Japan, Australia, and 18 European nations.

The US had lower mortality rates than peer countries during World War II and its aftermath. During the 1960's and 1970's, the US had mortality rates similar to other wealthy nations, but the number of Missing Americans began to increase year by year starting in the 1980's, reaching 622,534 annual excess U.S. deaths by 2019. Deaths then spiked to 1,009,467 in 2020 and 1,090,103 in 2021 during the pandemic. From 1980 to 2021, there were a total of 13.1 million Missing Americans.

upstart writes:

'Coyote Vs. Acme': Warner Bros Setting Up Screenings For Streamers Of Axed Looney Tunes Film; Amazon A Prime Candidate - The Dish:

Screenings are being set up this week for streamers Amazon Prime Video, Apple and Netflix to check out and potentially acquire Warner Bros' axed Looney Tunes movieCoyote vs. Acmeafter the studio's phone ran off the hook the entire weekend from angry filmmakers and talent reps over their third feature film kill after Batgirland Scoob Holiday Haunt!

The more egregious Hollywood sin with Coyote vs. Acme is that it's a finished film was intended for a theatrical release, while the other two movies were still in the works.

[...] Amazon also is a great landing pad for Coyote vs. Acme as the studio has three upcoming movies with its star John Cena: Heads of State, Ricky Stanicky and Grand Death Lotto.

Also, during a very noisy weekend for the movie on social media with Coyote vs. Acme and Gravity Oscar winning composer calling Warner Bros. "bizarre anti-art studio financial shenanigans I will never understand," some have told me that the killing of Coyote vs. Acme didn't come from WBD CEO David Zaslav himself. Rather, the blame should be set at the feet of Warner Bros. Motion Picture bosses Michael De Luca and Pam Abdy and Warner Bros. new Animation Head Bill Damaschke, who are being made the scapegoats. The motives here were to protect the Looney Tunes IP and also scrub the studio of product developed by the previous administration.

The only thing wrong with that narrative is that De Luca and Abdy never have had any previous offends of killing a previous administration's films or finished movies. Not until landing at Warner Bros. As my mother use to say, "There's no such thing as a coincidence."

[...] While Warner Bros Discovery CFO Gunnar Wiedenfels said that the media's coverage of Batgirl's cancellation was "blown out of proportion" back in September 2022, I guess he wasn't seeing or hearing the harsh criticism from the Hollywood creative community and the film's creatives and talent, both on social and by phone.

Arthur T Knackerbracket has processed the following story:

Intel's oft-delayed Aurora remains a work in progress.

The Top500 organization released its semi-annual list of the fastest supercomputers in the world, with the AMD-powered Frontier supercomputer retaining its spot at the top of the list with 1.194 Exaflop/s (EFlop/s) of performance, fending off a half-scale 585.34 Petaflop/s (PFlop/s) submission from the Argonne National Laboratory's Intel-powered Aurora supercomputer. Argonne's submission, which only employs half of the Aurora system, lands at the second spot on the Top500, unseating Japan's Fugaku as the second-fastest supercomputer in the world. Intel also made inroads with 20 new supercomputers based on its Sapphire Rapids CPUs entering the list, but AMD's EPYC continues to take over the Top500 as it now powers 140 systems on the list — a 39% year-over-year increase.

Intel and Argonne are currently still working to bring Arora fully online for users in 2024. As such, the Aurora submission represented 10,624 Intel CPUs and 31,874 Intel GPUs working in concert to deliver 585.34 PFlop/s at a total of 24.69 megawatts (MW) of energy. In contrast, AMD's Frontier holds the performance title at 1.194 EFlop/s, which is more than twice the performance of Aurora, while consuming a comparably miserly 22.70 MW of energy (yes, that's less power for the full Frontier supercomputer than half of the Aurora system). Aurora did not land on the Green500, a list of the most power-efficient supercomputers, with this submission, but Frontier continues to hold eighth place on that list. 

However, Aurora is expected to eventually reach up to 2 EFlop/s of performance when it comes fully online. When complete, Auroroa will have 21,248 Xeon Max CPUs and 63,744 Max Series 'Ponte Vecchio' GPUs spread across 166 racks and 10,624 compute blades, making it the largest known single deployment of GPUs in the world. The system leverages HPE Cray EX – Intel Exascale Compute Blades and uses HPE's Slingshot-11 networking interconnect.

AMD is in the process of deploying El Capitan, which is projected to be faster than Aurora with 2 EFlop/s+ of performance, at the Lawrence Livermore National Laboratory. As such, Intel's incessantly delayed Aurora may never take the number one position on the Top500 list — the race is certainly on for the next round of Top500 submissions in June 2024.

[...] Meanwhile, Microsoft's new Eagle supercomputer, deployed in the Azure Cloud, has now taken the number three spot on the list, pushing Japan's Fugaku into fourth place on the leaderboard. Eagle is the first cloud system to break the top ten. The LUMI system in Kajaani, Finland, rounded out the top five with 379.70 PFlop/s of performance.

Original Submission

A Google Witness Let Slip Just How Much It Pays Apple For Safari Search

Arthur T Knackerbracket has processed the following story:

Google gives Apple a 36 percent cut of all search ad revenue that comes from Safari, according to University of Chicago professor Kevin Murphy. Google had fought to keep the number confidential, but Bloomberg reports that Murphy shared the figure while testifying in Google’s defense today at the Google antitrust trial.

Google has long paid to be the default search engine in Safari and other browsers like Firefox, spending $26.3 billion in 2021 alone for the privilege. $18 billion of that went to Apple, but the specifics of where the number came from remained secret until now. Google has been trying to keep such details under wraps as the trial goes on, but bits and pieces have seeped out anyway. According to Bloomberg, Google lawyer John Schmidtlein “visibly cringed when Murphy said the number.” Google declined to comment in an email to The Verge; Apple did not immediately respond to a request for comment.

Apple’s Eddy Cue defended the deal in September, saying Apple actually wanted a bigger cut of the money Google makes from Safari traffic, but the companies settled on the lower number Murphy revealed today. While specific numbers were discussed that day, they were only talked about in closed sessions, away from the ears of press.

The US Justice Department filed its antitrust charges alleging its search monopoly following an investigation by 50 US attorneys general that began in 2019. The trial started on September 12th.

upstart writes:

Egyptians often mentioned a trading partner but neglected to say where it was:

One of the most enduring mysteries within archaeology revolves around the identity of Punt, an otherworldly "land of plenty" revered by the ancient Egyptians. Punt had it all—fragrant myrrh and frankincense, precious electrum (a mixed alloy of gold and silver) and malachite, and coveted leopard skins, among other exotic luxury goods.

Despite being a trading partner for over a millennium, the ancient Egyptians never disclosed Punt's exact whereabouts except for vague descriptions of voyages along what's now the Red Sea. That could mean anywhere from southern Sudan to Somalia and even Yemen.

Now, according to a recent paper published in the journal eLife, Punt may have been the same as another legendary port city in modern-day Eritrea, known as Adulis by the Romans. The conclusion comes from a genetic analysis of a baboon that was mummified during ancient Egypt's Late Period (around 800 and 500 BCE). The genetics indicate the animal originated close to where Adulis would be known to come into existence centuries later.

[...] In 2020, a team of researchers led by Nathaniel Dominy, an anthropologist at Dartmouth College, examined radioactive isotopes of strontium and oxygen in the mummified remains of baboons dating back to the New Kingdom (1550 to 1069 BCE) and the Ptolemaic period (305 to 330 BCE). Mapping the isotopic signatures to their approximate geographies, Dominy and his colleagues discovered some of the animals weren't native to Egypt, likely hailing from somewhere in the area of Eritrea, Ethiopia, Djibouti, and Somalia.

"The strontium values, for example, like in your molar teeth, reflect where you were when you were five, six, or seven years old. You move around as an adult and you live in different places but you retain that sort of fingerprint of your early childhood in a particular region," said Dominy. "This was a cool project because we were able to show that some of those baboons spent their entire lives in Egypt, but others we could tell came from some distant place."

Since we know Egyptians obtained baboons from Punt, this helped narrow the location slightly. And it provided some leads for Gisela Kopp, an evolutionary biologist at the University of Konstanz in Germany. In the new paper, her team, which included Dominy, analyzed the mitochondrial DNA of a mummified baboon first excavated in 1905 in Egypt's Valley of the Monkeys located at Luxor's western bank of the Nile River.

fliptop writes:

The vast majority of dog and cat owners will say their pets enrich their lives in countless ways and bring immeasurable levels of extra happiness, but researchers from Michigan State University suggest that most pet owners may just be telling themselves what they want to hear. Their new study found that despite owners claiming pets improve their lives, researchers did not see a reliable association between pet ownership and well-being during the COVID-19 pandemic:

The pandemic was a stressful time for everyone, to put it lightly. Even the most laid-back among us found themselves overwhelmed by the lockdowns and social distancing guidelines that dominated 2020. So, the research team at MSU theorized that the pandemic represented an ideal time to study just how much comfort and happiness pets really provide to their families.

In all, the study authors assessed a total of 767 people on three separate occasions in May 2020. The research team opted to adopt a mixed-method approach that allowed them to simultaneously assess several indicators of well-being, all while also asking participants to reflect on the role of pets from their point of view in an open-ended manner. Generally, pet owners predictably reported their pets made them happy. More specifically, they said their pets helped them feel more positive emotions and provided affection and companionship.

On the other hand, the participants also articulated the dark side of pet ownership, such as worries related to their pet's well-being or having their pets interfere with working remotely.

[...] "People say that pets make them happy, but when we actually measure happiness, that doesn't appear to be the case," says William Chopik, an associate professor in MSU's Department of Psychology and co-author of the study, in a university release. "People see friends as lonely or wanting companionship, and they recommend getting a pet. But it's unlikely that it'll be as transformative as people think."

As a lifetime pet owner who's had at least a dozen dogs over the years, I take umbrage with the study's findings. My dogs are always thrilled to see me when I arrive home from a long, tiring day of work, and taking them for a walk or just being in their presence immediately lifts my spirits. And I remember the calming effect petting a cat had for my ex-wife when she was pregnant and having a bad day.

Journal Reference:
Chopik, W. J., Oh, J., Weidmann, R., et al. (2023). The Perks of Pet Ownership? The Effects of Pet Ownership on Well-Being During the COVID-19 Pandemic. Personality and Social Psychology Bulletin, 0(0). https://doi.org/10.1177/01461672231203417

Original Submission

Arthur T Knackerbracket has processed the following story:

Nintendo snagged the most nominations of any publisher with 15, followed by Sony (13), Microsoft (10, including Bethesda and Activision Blizzard's nods) and Epic Games (nine). There are 31 awards in total, including Best Adaptation. The nominees in that category this year are Castlevania: Nocturne, Gran Turismo, The Last of Us, The Super Mario Bros. Movie and Twisted Metal.

A bunch of deserving indies picked up nominations as well, including Cocoon, Dave the Diver, Dredge, Tchia, Viewfinder, Pizza Tower and Hello Kitty Island Adventure. Meanwhile, continuing a redemption arc after its disastrous debut three years ago, Cyberpunk 2077 2.0 and its Phantom Liberty expansion racked up four nominations in total.

Original Submission

upstart writes:

Packages downloaded thousands of times targeted people working on sensitive projects:

Highly invasive malware targeting software developers is once again circulating in Trojanized code libraries, with the latest ones downloaded thousands of times in the last eight months, researchers said Wednesday.

Since January, eight separate developer tools have contained hidden payloads with various nefarious capabilities, security firm Checkmarx reported. The most recent one was released last month under the name "pyobfgood." Like the seven packages that preceded it, pyobfgood posed as a legitimate obfuscation tool that developers could use to deter reverse engineering and tampering with their code. Once executed, it installed a payload, giving the attacker almost complete control of the developer's machine. [...]

All eight tools used the string "pyobf" as the first five characters in an attempt to mimic genuine obfuscator tools such as pyobf2 and pyobfuscator. The other seven packages were:

• Pyobftoexe
• Pyobfusfile
• Pyobfexecute
• Pyobfpremium
• Pyobflight
• Pyobfadvance
• Pyobfuse

While Checkmarx focused primarily on pyobfgood, the company provided a release timeline for all eight of them.

SomeGuy writes:

The Verge reports that Google will remove Gmail's Basic HTML view effective January 2024.

Though the vast majority of people use the Standard view on their PCs without question, the HTML version of Gmail has its perks. The stripped-down Gmail experience loads quickly, and users can access it even on older machines or with much slower connections.

The change appears to have been announced around September 19th in a Google support article, and users of the Basic HTML view were shown warnings that it will be discontinued, after which time they will be switched to the current standard view.

The removal of Gmail's basic HTML view is the latest in a long line of products, features, services, and more to be admitted to the Google graveyard. The company has also recently buried its Pixel Pass phone upgrade program, Google Currents, and Nest Secure.

Original Submission

Freeman writes:

https://arstechnica.com/gadgets/2023/11/amazon-fire-tablets-and-other-gear-will-reportedly-switch-away-from-android/

Amazon has been working on an in-house replacement for its Android-based Fire OS, codenamed "Vega" and built for easier app development, according to reporting from Janko Roettgers at Lowpass.

Based on job listings, multiple sources, forum posts, and unguarded LinkedIn boasts, Roettgers writes that Amazon has been working on Vega since at least 2019, is mostly done with the core development, and is now focused on an SDK and developer outreach. Vega would replace the Fire OS that is installed on Fire TV sticks and televisions, Kindle Fire tablets, and other Amazon devices. Vega, based on "a flavor of Linux," uses the popular JavaScript-based React Native as an application framework. This could simplify development for Fire devices alongside other React-ready platforms, including smartphones, desktops, and other smart TVs.
[...]
While an Android base provides a relatively familiar entry for developers that already have Android apps, rebuilding the AOSP project—meant to support a wealth of different devices and carrying years of technical debt—seemingly became frustrating enough for Amazon to push toward an in-house solution.

Original Submission