SoylentNews

looorg writes:

https://www.bbc.com/news/articles/ce784r9njz0o

Scientists have for the first time discovered a cave on the Moon.

At least 100m deep, it could be an ideal place for humans to build a permanent base, they say.

It is just one in probably hundreds of caves hidden in an "underground, undiscovered world", according to the researchers.

https://cosmosmagazine.com/space/exploration/moon-caves-entrance/

Astronomers say they've found a possible way to get into caves under the Moon's surface on the Sea of Tranquillity.

[...] "These caves have been theorized for over 50 years, but it is the first time ever that we have demonstrated their existence

The Moon's surface is dotted with pits, sometimes called skylights, which have been formed by lava tubes caving in.

"Although more than 200 pits have now been detected in various lunar geological settings and latitudes, it remains uncertain whether any of these openings could lead to extended cave conduits underground," write the researchers in their paper.

https://www.nature.com/articles/s41550-024-02302-y

Time to regress to become cave dwellers again, just on another celestial body.

Original Submission

Freeman writes:

https://arstechnica.com/information-technology/2024/07/openai-board-shakeup-microsoft-out-apple-backs-away-amid-ai-partnership-scrutiny/

Microsoft has withdrawn from its non-voting observer role on OpenAI's board, while Apple has opted not to take a similar position, reports Axios and Financial Times. The ChatGPT maker plans to update its business partners and investors through regular meetings instead of board representation. The development comes as regulators in the EU and US increase their scrutiny of Big Tech's investments in AI startups due to concerns about stifling competition.
[...]
Microsoft accepted a non-voting position on OpenAI's board in November following the ouster and reinstatement of OpenAI CEO Sam Altman.

Last week, Bloomberg reported that Apple's Phil Schiller, who leads the App Store and Apple Events, might join OpenAI's board in an observer role as part of an AI deal. However, the Financial Times now reports that Apple will not take up such a position, citing a person with direct knowledge of the matter. Apple did not immediately respond to our request for comment.
[...]
Microsoft remains a critical financial and technology resource for OpenAI, having invested over $10 billion in the company since early 2023.
[...]
While no official source has yet officially linked Microsoft's board withdrawal (and Apple's change of direction on a potential OpenAI board position) to regulatory scrutiny, it's unlikely to be a coincidence. Regulators in both the US and Europe are worried that Big Tech's heavy influence in fast-growing AI startups may unreasonably edge out competition and establish de facto monopolies over key technologies that would stifle smaller competitors.
[...]
Even though Microsoft's financial ties run deep into OpenAI, as Financial Times notes, the ChatGPT maker states: "While our partnership with Microsoft includes a multibillion dollar investment, OpenAI remains an entirely independent company governed by the OpenAI Nonprofit."

Original Submission

VLM writes:

MBed OS and platform are shutting down in 2026, although rumor has it almost all of the devs have already been downsized.

https://os.mbed.com/blog/entry/Important-Update-on-Mbed/

A couple of possible discussion points from the perspective of someone who used it for STM32:

It was one of those FOSS-but-not-really products that was completely corporate controlled and funded and written, but under a FOSS license. It never really gained any traction outside corporate. There is a winner-take-all mentality in microcontroller RTOS... why use Mbed if Zephyr supports 10x as much "stuff" out of the box? Also, given the primary source of funding, it really only practically functioned on ARM processors. Pragmatically it seems multiplatform RTOS are the only ones that survive long-term, single platform seems always doomed, a bit different than the desktop/laptop/phone market.

There was something of a product-tying thing going on with Pelion IoT cloud platform, which used to be free, but the free tier disappeared. It was pretty awesome for hobbyist use until they intentionally got rid of the hobbyists, presumably to "save money". However this seems to be a common pattern for decades, the devs who influence million dollar contracts during the day want to play with pirated/free versions at home at night, so arguably Pelion and thus Mbed shot themselves in their own foot.

I wonder how much C19 killed Mbed a couple years later. After STM32 procs and ARM microcontrollers were unobtainable for couple of years, there was no way to get hardware to run Mbed.

It was a bit memory-hungry; IIRC by the time you got a full IoT platform with auto-updates and telemetry over WiFi working on commodity dev board hardware, you were out of either flash, ram, or both so you couldn't run your app.

I have happy memories of being introduced to LwM2M protocol; it was an interesting innovation on MQTT but a little too "organized" for widespread use. Take MQTT and "compress" by turning all common (and uncommon) nouns and verbs into integers; kind of like the old Apollo spacecraft computer, kind of like a fixed compression standard.

A final interesting discussion point is tool manufacturers going out of business is a pretty strong signal the bubble is over. The permanent solution to "The S in IoT stands for security" may very well be the IoT industry drying up and blowing away, and this shutdown is a sign of the start of the end.

Anyone else have fond memories of MbedOS? I thought it was pretty awesome back in the day, although I switched to Zephyr years ago. Other contemporary microcontroller or IoT comments?

Original Submission

upstart writes:

Out-of-control heat is making Earth more "weird":

For the 13th consecutive month, Earth's average monthly temperature has broken all previous records, continuing a streak that began in June 2023. Significantly, the European climate service Copernicus added that that the world has been 1.5 degrees Celsius (2.7 degrees Fahrenheit) higher than pre-industrial levels for more than a year, pushing the planet up against the threshold established by the 2015 Paris climate agreement.

"We see increases in deadly heat waves and droughts, but also an increased experience of 'global weirding' — more extreme weather events producing conditions that are entirely new for communities."

"It's a stark warning that we are getting closer to this very important limit set by the Paris Agreement," Copernicus senior climate scientist Nicolas Julien told NPR. "The global temperature continues to increase. It has at a rapid pace."

[...] "Along with this warming, we see increases in deadly heat waves and droughts, but also an increased experience of 'global weirding,'" Dr. Twila Moon, a climatologist and deputy lead scientist at NASA's National Snow and Ice Data Center, told Salon. Such weirding, she explained, encompasses "more extreme weather events producing conditions that are entirely new for communities, weather whiplash as folks may experience quick swings between hot and cold or drought and flood, and many challenges for crops, wildlife, recreation, and being able to plan for what we previously considered normal weather conditions."

[...] "In addition," Trenberth added, "increasing conflicts around the world (Sudan, Russia-Ukraine, Gaza-Israel, etc.) and increasing wildfires have meant that many emissions are not adequately counted but they nonetheless contribute substantially to well measured atmospheric concentrations. These all counter the considerable progress made in cutting emissions elsewhere."

Original Submission

upstart writes:

PHP Vulnerability Exploited to Spread Malware and Launch DDoS Attacks:

Multiple threat actors have been observed exploiting a recently disclosed security flaw in PHP to deliver remote access trojans, cryptocurrency miners, and distributed denial-of-service (DDoS) botnets.

The vulnerability in question is CVE-2024-4577 (CVSS score: 9.8), which allows an attacker to remotely execute malicious commands on Windows systems using Chinese and Japanese language locales. It was publicly disclosed in early June 2024.

"CVE-2024-4577 is a flaw that allows an attacker to escape the command line and pass arguments to be interpreted directly by PHP," Akamai researchers Kyle Lefton, Allen West, and Sam Tinklenberg said in a Wednesday analysis. "The vulnerability itself lies in how Unicode characters are converted into ASCII."

The web infrastructure company said it began observing exploit attempts against its honeypot servers targeting the PHP flaw within 24 hours of it being public knowledge.

This included exploits designed to deliver a remote access trojan called Gh0st RAT, cryptocurrency miners like RedTail and XMRig, and a DDoS botnet named Muhstik.

"The attacker sent a request similar to the others seen previous RedTail operations, abusing the soft hyphen flaw with '%ADd,' to execute a wget request for a shell script," the researchers explained. "This script makes an additional network request to the same Russia-based IP address to retrieve an x86 version of the RedTail crypto-mining malware."

Last month, Imperva also revealed that CVE-2024-4577 is being exploited by TellYouThePass ransomware actors to distribute a .NET variant of the file-encrypting malware.

Users and organizations relying on PHP are recommended to update their installations to the latest version to safeguard against active threats.

"The continuously shrinking time that defenders have to protect themselves after a new vulnerability disclosure is yet another critical security risk," the researchers said. "This is especially true for this PHP vulnerability because of its high exploitability and quick adoption by threat actors."

See also:

• Versions of PHP PHP : Versions and number of related security vulnerabilities

Original Submission

Freeman writes:

https://arstechnica.com/security/2024/07/threat-actors-exploited-windows-0-day-for-more-than-a-year-before-microsoft-fixed-it/

Threat actors carried out zero-day attacks that targeted Windows users with malware for more than a year before Microsoft fixed the vulnerability that made them possible, researchers said Tuesday.

The vulnerability, present in both Windows 10 and 11, causes devices to open Internet Explorer, a legacy browser that Microsoft decommissioned in 2022 after its aging code base made it increasingly susceptible to exploits. Following the move, Windows made it difficult, if not impossible, for normal actions to open the browser, which was first introduced in the mid-1990s.

[...] The company fixed the vulnerability, tracked as CVE-2024-CVE-38112, on Tuesday as part of its monthly patch release program. The vulnerability, which resided in the MSHTML engine of Windows, carried a severity rating of 7.0 out of 10.

The researchers from security firm Check Point said the attack code executed "novel (or previously unknown) tricks to lure Windows users for remote code execution." A link that appeared to open a PDF file appended a .url extension to the end of the file, for instance, Books_A0UJKO.pdf.url, found in one of the malicious code samples.

[...] "From there (the website being opened with IE), the attacker could do many bad things because IE is insecure and outdated," Haifei Li, the Check Point researcher who discovered the vulnerability, wrote. "For example, if the attacker has an IE zero-day exploit—which is much easier to find compared to Chrome/Edge—the attacker could attack the victim to gain remote code execution immediately. However, in the samples we analyzed, the threat actors didn't use any IE remote code execution exploit. Instead, they used another trick in IE—which is probably not publicly known previously—to the best of our knowledge—to trick the victim into gaining remote code execution."

[...] The Check Point post includes cryptographic hashes for six malicious .url files used in the campaign. Windows users can use the hashes to check if they have been targeted. [Article seemed to be missing this link to the Check Point article]

Original Submission

upstart writes:

Starlink satellites lost on Falcon 9 upper stage failure:

SpaceX says it will not be able to recover the 20 Starlink satellites left in a very low orbit after a malfunction of a Falcon 9 upper stage on a July 11 launch.

In a statement July 12, the company said that the 20 satellites on the Group 9-3 launch have been unable to raise the orbit because the electric propulsion systems on the spacecraft cannot counteract the high atmospheric drag the satellites encounter in their very low orbits.

The rocket's upper stage engine "experienced an anomaly and was unable to complete its second burn," the company stated, which would have circularized the orbit of the stage before satellite deployment. While the stage was able to deploy the satellites, they were left in an orbit with a perigee, or low point, of just 135 kilometers.

That kept them in what SpaceX called an "enormously high-drag environment" that reduced the perigee by at least five kilometers per orbit. "At this level of drag, our maximum available thrust is unlikely to be enough to successfully raise the satellites. As such, the satellites will re-enter Earth's atmosphere and fully demise."

SpaceX Chief Executive Elon Musk posted a few hours after the anomaly that satellite controllers were trying to fire the spacecraft's electric thrusters at maximum levels to overcome atmospheric drag. "We're updating satellite software to run the ion thrusters at their equivalent of warp 9," he stated. "Unlike a Star Trek episode, this will probably not work, but it's worth a shot."

The company added that the satellites "do not pose a threat to other satellites in orbit or to public safety" given their very low orbits and a design that is intended to break up completely on reentry.

The SpaceX statement provided few additional details about the problem with the upper stage. It noted that there was a liquid oxygen leak on the second stage noticed during the first burn of the single Merlin engine. That would explain the unusual ice buildup seen on parts of the engine.

Freeman writes:

https://arstechnica.com/security/2024/07/new-blast-radius-attack-breaks-30-year-old-protocol-used-in-networks-everywhere/

One of the most widely used network protocols is vulnerable to a newly discovered attack that can allow adversaries to gain control over a range of environments, including industrial controllers, telecommunications services, ISPs, and all manner of enterprise networks.

Short for Remote Authentication Dial-In User Service, RADIUS harkens back to the days of dial-in Internet and network access through public switched telephone networks. It has remained the de facto standard for lightweight authentication ever since and is supported in virtually all switches, routers, access points, and VPN concentrators shipped in the past two decades.
[...]
The protocol was developed in 1991 by a company known as Livingston Enterprises. In 1997 the Internet Engineering Task Force made it an official standard, which was updated three years later. Although there is a draft proposal for sending RADIUS traffic inside of a TLS-encrypted session that's supported by some vendors, many devices using the protocol only send packets in clear text through UDP (User Datagram Protocol).
[...]
Since 1994, RADIUS has relied on an improvised, home-grown use of the MD5 hash function. First created in 1991 and adopted by the IETF in 1992
[...]
For a cryptographic hash function, it should be computationally impossible for an attacker to find two inputs that map to the same output. Unfortunately, MD5 proved to be based on a weak design: Within a few years, there were signs that the function might be more susceptible than originally thought to attacker-induced collisions, a fatal flaw that allows the attacker to generate two distinct inputs that produce identical outputs. These suspicions were formally verified in a paper published in 2004 by researchers Xiaoyun Wang and Hongbo Yu and further refined in a research paper published three years later.

The latter paper—published in 2007 by researchers Marc Stevens, Arjen Lenstra, and Benne de Weger—described what's known as a chosen-prefix collision
[...]
This type of collision attack is much more powerful because it allows the attacker the freedom to create highly customized forgeries.

Arthur T Knackerbracket has processed the following story:

Scientists in California tested a way to coax certain fat cells to burn calories, rather than simply store energy. In new research involving mice, the team found it was possible to convert existing white fat cells into calorie-burning beige fat cells. The findings could pave the way to a new class of obesity treatments, the study authors say.

Scientists at the University of California San Francisco were trying to get to the root of a problem that has long stymied others in the field. Our fat cells come into three basic flavors: white, brown, and beige. White fat cells are primarily designed to store energy, while brown fat cells play a key role in keeping our body temperature stable. When we’re cold, these cells will burn sugar and fat to heat the body up. The more recently discovered beige fat cells, meanwhile, can carry out the functions of either type, storing or burning energy as needed. These cells are nestled within deposits of white fat cells.

[...] For a long time, scientists have theorized that finding a way to reliably switch white fat cells into either brown or beige fat cells could help prevent or treat these related issues (our bodies can naturally convert white into brown/beige fat cells, though typically only in small amounts from exercise or cold exposure). But so far, these efforts haven’t yet yielded safe and successful treatments. In this latest study, published in the Journal of Clinical Investigation, the UCSF team say they have landed on a new promising approach.

Working with mice, the group had earlier found evidence that a protein called KLF-15 was important to the distinction between white and beige/brown fat cells. In their mice, KLF-15 was much more present in brown and beige fat cells compared to white fat cells. So they decided to breed mice whose white fat cells lacked KLF-15 entirely. Once they did, the mice’s white fat cells suddenly became much more efficient at converting into beige fat cells.

upstart writes:

Expletives fly as admins deal with recommendation to move to Power Automate workflows:

Microsoft has thrown some enterprises into a spin after confirming that, with only a few months' notice, Office 365 connectors within Teams will be cut.

The connectors and webhooks are used to plumb workflows into a Teams channel. For example, users might use them to post an update into a chat stream. This means you can read content and service updates directly in a Teams channel that originated from something like a ticketing platform or a notification from a CI/CD system.

This is the sort of glue that enterprises depend on to make different systems communicate. Or at least it was. From August 15, 2024, Microsoft will block all Connector creation within all clouds. From October 1, 2024, all connectors within all clouds will stop working.

Microsoft has been a little vague on exactly why it is doing this. Its recommendation is for users to switch to Power Automate workflows to "ensure that your integrations are built on an architecture that can grow with your business needs and provide maximum security of your information."

[...] Users have been less than impressed by the news. Comments to the company's post have passed the 100 mark and are generally negative, with some describing the plans as "a greedy cash grab" and others reacting with bewilderment at Microsoft's decision:

[...] Register readers have also been in touch to share the impact the change is having on them. One, who uses RSS feeds and webhooks to send CI/CD notifications to channels, agreed with comments that the change was a "PITA with no benefit to the customer" and noted that the precious few months of notice given wasn't very long.

Original Submission

upstart writes:

Aggressive scratching is a stress response; small children are a common source of stress:

Ah, cats. We love our furry feline overlords despite the occasional hairball and their propensity to scratch the furniture to sharpen their claws. The latter is perfectly natural kitty behavior, but overly aggressive scratching is usually perceived as a behavioral problem. Veterinarians frown on taking extreme measures like declawing or even euthanizing such "problematic" cats. But there are alternative science-backed strategies for reducing or redirecting the scratching behavior, according to the authors of a new paper published in the journal Frontiers in Veterinary Science.

This latest study builds on the group's prior research investigating the effects of synthetic feline facial pheromones on undesirable scratching in cats, according to co-author Yasemin Salgirli Demirbas, a veterinary researcher at Ankara University in Turkey. "From the beginning, our research team agreed that it was essential to explore broader factors that might exacerbate this issue, such as those influencing stress and, consequently, scratching behavior in cats," she told Ars. "What's new in this study is our focus on the individual, environmental, and social dynamics affecting the level of scratching behavior. This perspective aims to enhance our understanding of how human and animal welfare are interconnected in different scenarios."

[...] The team concluded that there are several factors that influence the scratching behavior of cats, including environmental factors, high levels of certain kinds of play, and increased nocturnal activity. But stress seems to be the leading driver. "Cats might scratch more as a way to relieve stress or mark their territory, especially if they feel threatened or insecure," said Demirbas. And the top source of such stress, the study found, is the presence of small children in the home.

"The presence of children can definitely influence a cat's stress levels, but it is a complex situation," said Demirbas. "Children, especially when young, tend to move quickly and unpredictably, which can be challenging for cats. Their loud noises and sudden movements can be distressing for cats. Additionally, children might not always understand how to approach cats properly. Rough handling, in particular, can make cats feel threatened and stressed. Another factor is that children can invade the cat's safe spaces, playing or resting in areas the cat considers its own core territories."

Japan Deploys Humanoid Robot for Railway Maintenance

upstart writes:

Japan deploys humanoid robot for railway maintenance:

It resembles a malevolent robot from 1980s sci-fi but West Japan Railway's new humanoid employee was designed with nothing more sinister than a spot of painting and gardening in mind.

Starting this month, the machine with a crude head and coke-bottle eyes mounted on a truck -- which can drive on rails -- will be put to use for maintenance work on the firm's network.

Its operator sits in a cockpit on the truck, "seeing" through the robot's eyes via cameras and operating its powerful limbs and hands remotely. With a vertical reach of 12 metres (40 feet), the machine can use various attachments for its arms to carry objects as heavy as 40 kilograms (88 pounds), hold a brush to paint or use a chainsaw.

[...] The technology will help fill worker shortages in ageing Japan as well as reduce accidents such as workers falling from high places or suffering electric shocks, the company says. "In the future, we hope to use machines for all kinds of maintenance operations of our infrastructure," and this should provide a case study for how to deal with the labour shortage, company president Kazuaki Hasegawa told a recent press conference.

JR West to Introduce Humanoid Robot for Railroad Maintenance; Looking to Expand its Use in Japan

upstart writes:

JR West to Introduce Humanoid Robot for Railroad Maintenance; Looking to Expand its Use in Japan:

West Japan Railway Co. (JR West) will introduce a humanoid robot to handle maintenance work, such as painting emplacements along railroad tracks and cutting down fallen trees.

JR West said Thursday that it plans to put the robot into operation in the Kyoto-Osaka-Kobe area in July.

The railroad expects to make improvements in labor and safety by using the robot to perform dangerous and laborious work at elevated positions.

Mounted on a construction vehicle, the robot will be able to work at heights of up to 12 meters with its two arms.

[...] The weight and feel of objects gripped by the robot are transmitted to the control lever, "allowing operators to move the robot as if they were doing the work themselves," JR West President Kazuaki Hasegawa said.

With the introduction of the robot, the manpower required for the work will be reduced by around 30%, according to the firm. JR West will consider expanding the number of units in use and marketing them to other companies while verifying the effectiveness of the robot.

Original Submission #1  Original Submission #2 

upstart writes:

Trojanized jQuery Packages Found on npm, GitHub, and jsDelivr Code Repositories:

Unknown threat actors have been found propagating trojanized versions of jQuery on npm, GitHub, and jsDelivr in what appears to be an instance of a "complex and persistent" supply chain attack.

"This attack stands out due to the high variability across packages," Phylum said in an analysis published last week.

"The attacker has cleverly hidden the malware in the seldom-used 'end' function of jQuery, which is internally called by the more popular 'fadeTo' function from its animation utilities."

[...] The malicious changes, per Phylum, have been introduced in a function named "end," allowing the threat actor to exfiltrate website form data to a remote URL.

Further investigation has found the trojanized jQuery file to be hosted on a GitHub repository associated with an account called "indexsc." Also present in the same repository are JavaScript files containing a script pointing to the modified version of the library.

"It's worth noting that jsDelivr constructs these GitHub URLs automatically without needing to upload anything to the CDN explicitly," Phylum said.

"This is likely an attempt by the attacker to make the source look more legitimate or to sneak through firewalls by using jsDelivr instead of loading the code directly from GitHub itself."

The development comes as Datadog identified a series of packages on the Python Package Index (PyPI) repository with capabilities to download a second-stage binary from an attacker-controlled server depending on the CPU architecture.

See also:

• How npm install scripts can be weaponized: A real-world example of a harmful npm package
• Why NPM and Yarn f*cking suck | HackerNoon

Original Submission

Freeman writes:

https://arstechnica.com/gadgets/2024/07/immensely-disappointing-nike-killing-app-for-350-self-tying-sneakers/

In 2019, Nike got closer than ever to its dreams of popularizing self-tying sneakers by releasing the Adapt BB. Using Bluetooth, the sneakers paired to the Adapt app that let users do things like tighten or loosen the shoes' laces and control its LED lights. However, Nike has announced that it's "retiring" the app on August 6, when it will no longer be downloadable from Apple's App Store or the Google Play Store; nor will it be updated.

In an announcement recently spotted by The Verge, Nike's brief explanation for discontinuing the app is that Nike "is no longer creating new versions of Adapt shoes." The company started informing owners about the app's retirement about four months ago.
[...]
Adapt BB owners have shared disappointment after learning the news. One Reddit user who claimed to own multiple pairs of the shoes called the news "hyper bullshit," while another described it as "immensely disappointing."

Some hope that Nike will open-source the app so that customers can maintain their shoes' original and full functionality. But Nike hasn't shared any plans to do so. Ars Technica asked the company about this but didn't hear back ahead of press time.
[...]
Some may be unsurprised that Nike's attempt at commercializing the shoes from Back to the Future Part II has run into a wall. Nike, for instance, also discontinued NikeConnect, its app for $200 NBA jerseys announced in 2017 that turned wearers into marketing gold.

Casual sneaker wearers would overlook the Adapt BB's flashy features, but the shoe had inherent flaws that could frustrate sneaker fanatics, too. It didn't take long, for example, for a recommended software update to break the shoes, including making them unwearable to anyone who wanted to tighten the laces (at the time, Nike said the problem affected a small number of owners).

Original Submission

Arthur T Knackerbracket has processed the following story:

My friend recently wanted to bring an old laptop back to life. Her aging Intel MacBook was no longer supported by Apple, and instead of letting the machine wind up in a landfill somewhere, she decided to install Linux, an OS she'd never used before.

She started her quest with Linux Mint, which is always a good place to start. Unfortunately, the installation failed for her (mostly because of the doggedly slow nature of the machine), so she reached out.

Given her hardware, there was only one logical suggestion to make -- Linux Lite. This installation went well for her, except the keyboard layout was automatically selected incorrectly. Fortunately, that was an easy fix.

[...] As per usual with a lightweight Linux distribution, Linux Lite performed about as well as any desktop OS I've ever tried. It was fast. I gave the virtual machine I used 3GB of RAM and two CPU cores, and this distribution performed as if it had four times that power. Anyone with a machine that doesn't have the resources to power the latest version of Windows would do very well with this distribution, especially if speed is your thing.

[...] The one thing I did find missing from Linux Lite was a universal package manager, such as Snap or Flatpak. No problem. From within Synaptic, I was able to quickly search for, and install, both.

[...] If my friend, who'd never touched Linux in her life, was able to easily get Linux Lite installed and working, you probably can too. Like I tell everyone… if you can install a Windows app, you can install modern Linux. It really is that simple, and Linux Lite proves that hypothesis.

This lightweight Linux distribution is ideal for anyone new to the open-source operating system or who needs to bring an old machine back to life.

Original Submission