SoylentNews

Arthur T Knackerbracket has processed the following story:

Tropical storms and hurricanes like Helene could indirectly cause up to 11,000 deaths in the 15 years that follow the initial destruction. Hurricane Helene may have already hammered the Southeast, but its lethal aftermath could last a decade or more.

Tropical cyclones, which include hurricanes like Helene and other whirling storms, boost local death rates for up to 15 years after whipping along U.S. coastlines, scientists report October 2 in Nature. Each storm may indirectly cause between 7,000 and 11,000 deaths, estimate University of California, Berkeley environmental economist Rachel Young and Stanford University economist Solomon Hsiang.

That’s a Mount Everest of an estimate compared to the official number of deaths — 24 — that the National Oceanic and Atmospheric Administration attributes to the average storm in the team’s analysis. The results suggest that “hurricanes and tropical storms are a much greater public health concern than anyone previously thought,” Young says. 

Using a statistical model, she and Hsiang analyzed the impact of all 501 tropical cyclones that hit the contiguous United States from 1930 to 2015. They measured changes in mortality for up to 20 years after each of these storms. Their analysis suggests that an individual hurricane may indirectly lead to thousands of lives lost. And taken together, the storms could have spurred as many as 5 percent of all deaths over that time period. Infants were particularly vulnerable, as were Black populations, the team found. 

Young and Hsiang don’t know all the ways hurricanes may contribute to mortality, but they have some ideas. It’s possible the stress of a surviving such a storm, or the pollution left in the wake of destruction, harms people’s health (SN: 10/1/24). Or maybe local governments have less money to spend on health care after rebuilding ravaged infrastructure. It could be some combination of these and other factors, Young says. She’s interested in digging into what’s going on. 

In the meantime, Young thinks her team’s work highlights the need for new disaster response polices — ones that account for hurricanes’ impact long term. “We really pull together after these disasters to help people immediately in the aftermath,” she says. But “we need to be thinking about these folks long after those initial responses are over.”

Original Submission

upstart writes:

California enacts car data privacy law to curb domestic violence:

California Governor Gavin Newsom has signed a bill that requires automakers selling internet-connected cars to do more to protect domestic abuse survivors, a move that may expand such safeguards nationwide.

As automakers add ever more sophisticated technology to their cars, instances of stalking and harassment using features such as location tracking and remote controls have begun to emerge.

The bill passed the California state legislature with overwhelming support, and Newsom signed it on Friday along with several other measures intended to protect domestic violence survivors. The law could lead to the new standards being implemented beyond California, as automakers tend to avoid producing different cars for different states.

Legislative analysts cited reporting from Reuters and the New York Times about carmakers which did not help women who alleged they were being targeted by their partners. One woman unsuccessfully sued Tesla, alleging the company failed to act after she repeatedly complained that her husband was stalking and harassing her with the automaker's technology despite a restraining order.

Among its provisions, the California bill requires automakers to set up a clear process for drivers to submit a copy of a restraining order or other documentation and request termination of another driver's remote access within two business days. It also mandates that carmakers enable drivers to easily turn off location access from inside the vehicle.

No carmaker officially opposed the law. The Alliance for Automotive Innovation, which counts several car manufacturers as members, said it supports the goal of protecting victims of domestic abuse. The Alliance raised some concerns about technical feasibility during the legislative process, and a spokesman said in an email on Monday it has discussed ways to potentially address those issues next year.

Original Submission

upstart writes:

Thousands of Linux systems infected by stealthy malware since 2021:

Thousands of machines running Linux have been infected by a malware strain that's notable for its stealth, the number of misconfigurations it can exploit, and the breadth of malicious activities it can perform, researchers reported Thursday.

The malware has been circulating since at least 2021. It gets installed by exploiting more than 20,000 common misconfigurations, a capability that may make millions of machines connected to the Internet potential targets, researchers from Aqua Security said. It can also exploit CVE-2023-33426, a vulnerability with a severity rating of 10 out of 10 that was patched last year in Apache RocketMQ, a messaging and streaming platform that's found on many Linux machines.

The researchers are calling the malware Perfctl, the name of a malicious component that surreptitiously mines cryptocurrency. The unknown developers of the malware gave the process a name that combines the perf Linux monitoring tool and ctl, an abbreviation commonly used with command line tools. A signature characteristic of Perfctl is its use of process and file names that are identical or similar to those commonly found in Linux environments. The naming convention is one of the many ways the malware attempts to escape notice of infected users.

Perfctl further cloaks itself using a host of other tricks. One is that it installs many of its components as rootkits, a special class of malware that hides its presence from the operating system and administrative tools. Other stealth mechanisms include:

• Stopping activities that are easy to detect when a new user logs in
• Using a Unix socket over TOR for external communications
• Deleting its installation binary after execution and running as a background service thereafter
• Manipulating the Linux process pcap_loop through a technique known as hooking to prevent admin tools from recording the malicious traffic
• Suppressing mesg errors to avoid any visible warnings during execution.

The malware is designed to ensure persistence, meaning the ability to remain on the infected machine after reboots or attempts to delete core components. Two such techniques are (1) modifying the ~/.profile script, which sets up the environment during user login so the malware loads ahead of legitimate workloads expected to run on the server and (2) copying itself from memory to multiple disk locations. The hooking of pcap_loop can also provide persistence by allowing malicious activities to continue even after primary payloads are detected and removed.

Besides running using the machine resources to mine cryptocurrency, Perfctl also turns the machine into a profit-making proxy that paying customers use to relay their Internet traffic. Aqua Security researchers have also observed the malware serving as a backdoor to install other families of malware.

Assaf Morag, Aqua Security's threat intelligence director, wrote in an email:

Perfctl malware stands out as a significant threat due to its design, which enables it to evade detection while maintaining persistence on infected systems. This combination poses a challenge for defenders and indeed the malware has been linked to a growing number of reports and discussions across various forums, highlighting the distress and frustration of users who find themselves infected.

Perfctl uses a rootkit and changes some of the system utilities to hide the activity of the cryptominer and proxy-jacking software. It blends seamlessly into its environment with seemingly legitimate names. Additionally, Perfectl's architecture enables it to perform a range of malicious activities, from data exfiltration to the deployment of additional payloads. Its versatility means that it can be leveraged for various malicious purposes, making it particularly dangerous for organizations and individuals alike.

Arthur T Knackerbracket has processed the following story:

At this point, it seems many people are starting to give up on the impact Generative AI was supposed to have. After all, haven't we already fallen into the dreaded "trough of disillusionment"? The tenor of media coverage, social media posts, and more has clearly shifted from giddy excitement to weary skepticism, driven by a fear of overhyping the technology.

But out in the real world, it's clear that GenAI initiatives across businesses of all sizes and industries are actually just starting to shift into higher gear.

A new study by TECHnalysis Research emphasizes this point. "The Intelligent Path Forward: GenAI in the Enterprise" is based on a web survey of over 1,000 US-based IT decision makers across ten industries and both medium businesses (100-999 employees) and large enterprises (1,000+ employees).

The study results show that not only are investments in GenAI initiatives continuing, but companies are also finding new sources of funding to support these efforts. Over half of the survey respondents said they're using funds outside traditional IT to help pay for these efforts – 31% from special budgets dedicated to GenAI, and another 22% from other corporate budgets or initiatives, such as business units.

Fig. 1

The results shown in Figure 1 above. It's an amazing statistic that highlights how companies continue to be enthusiastic about their GenAI-related efforts (as well as how disconnected many short-term thinking pundits are from what's really happening!).

In addition to their continued enthusiasm, companies are evolving their thinking about how and where GenAI deployments are taking place. Due to the need to use vast amounts of critical, often sensitive, data to train and fine-tune the models driving their GenAI applications, many organizations are interested in conducting more of this work within their own data centers or colocation facilities.

While cloud-based GenAI efforts continue to dominate and will likely remain the majority for some time, a remarkable 80% of respondents expressed some degree of interest in local deployments. This shift from established industry practices represents a significant opportunity for GenAI industry participants to develop new products, services, and solutions to meet these needs.

As Figure 2 highlights below, there are still several challenges that need to be addressed before these local efforts become a reality – not the least of which is a dramatic need for more education and training – but the potential pivot opens up some very interesting new paths for industry evolution.

Fig. 2

Freeman writes:

https://arstechnica.com/science/2024/10/why-trolls-extremists-and-others-spread-conspiracy-theories-they-dont-believe/

There has been a lot of research on the types of people who believe conspiracy theories, and their reasons for doing so. But there's a wrinkle: My colleagues and I have found that there are a number of people sharing conspiracies online who don't believe their own content.

They are opportunists. These people share conspiracy theories to promote conflict, cause chaos, recruit and radicalize potential followers, make money, harass, or even just to get attention.
[...]
Coaxing conspiracists—the extremists

In our chapter of a new book on extremism and conspiracies, my colleagues and I discuss evidence that certain extremist groups intentionally use conspiracy theories to entice adherents. They are looking for a so-called "gateway conspiracy" that will lure someone into talking to them, and then be vulnerable to radicalization.
[...]
Combative conspiracists—the disinformants

Governments love conspiracy theories. The classic example of this is the 1903 document known as the "Protocols of the Elders of Zion," in which Russia constructed an enduring myth about Jewish plans for world domination. More recently, China used artificial intelligence to construct a fake conspiracy theory about the August 2023 Maui wildfire.

Often the behavior of the conspiracists gives them away. Years later, Russia eventually confessed to lying about AIDS in the 1980s.
[...]
Forgeries aren't created by accident. They knew they were lying.
[...]
Chaos conspiracists–the trolls

Freeman writes:

https://arstechnica.com/tech-policy/2024/10/harvard-students-make-auto-doxxing-smart-glasses-to-show-need-for-privacy-regs/

Two Harvard students recently revealed that it's possible to combine Meta smart glasses with face image search technology to "reveal anyone's personal details," including their name, address, and phone number, "just from looking at them."

In a Google document, AnhPhu Nguyen and Caine Ardayfio explained how they linked a pair of Meta Ray Bans 2 to an invasive face search engine called PimEyes to help identify strangers by cross-searching their information on various people-search databases. They then used a large language model (LLM) to rapidly combine all that data, making it possible to dox someone in a glance or surface information to scam someone in seconds—or other nefarious uses, such as "some dude could just find some girl's home address on the train and just follow them home," Nguyen told 404 Media.

This is all possible thanks to recent progress with LLMs, the students said.

[...] To prevent anyone from being doxxed, the co-creators are not releasing the code, Nguyen said on social media site X. They did, however, outline how their disturbing tech works and how shocked random strangers used as test subjects were to discover how easily identifiable they are just from accessing with the smart glasses information posted publicly online.

[...] But while privacy is clearly important to the students and their demo video strove to remove identifying information, at least one test subject was "easily" identified anyway, 404 Media reported. That test subject couldn't be reached for comment, 404 Media reported.

So far, neither Facebook nor Google has chosen to release similar technologies that they developed linking smart glasses to face search engines, The New York Times reported.

[...] In the European Union, where collecting facial recognition data generally requires someone's direct consent under the General Data Protection Regulation, smart glasses like I-XRAY may not be as big of a concern for people who prefer to be anonymous in public spaces. But in the US, I-XRAY could be providing bad actors with their next scam.

"If people do run with this idea, I think that's really bad," Ardayfio told 404 Media. "I would hope that awareness that we've spread on how to protect your data would outweigh any of the negative impacts this could have."

owl writes:

https://blog.cloudflare.com/patent-troll-sable-pays-up/

Back in February, we celebrated our victory at trial in the U.S. District Court for the Western District of Texas against patent trolls Sable IP and Sable Networks. This was the culmination of nearly three years of litigation against Sable, but it wasn't the end of the story.

Today we're pleased to announce that the litigation against Sable has finally concluded on terms that we believe send a strong message to patent trolls everywhere — if you bring meritless patent claims against Cloudflare, we will fight back and we will win.

[...] While Sable's technical expert tried his hardest to convince the jury that various software and hardware components of Cloudflare's servers constitute "line cards," his explanations defied credibility. The simple fact is that Cloudflare's servers do not have line cards.

[...] Ultimately, the jury understood, returning a verdict that Cloudflare does not infringe claim 25 of the '919 patent.

In the end, Sable agreed to pay Cloudflare $225,000, grant Cloudflare a royalty-free license to its entire patent portfolio, and to dedicate its patents to the public, ensuring that Sable can never again assert them against another company.

Let's repeat that first part, just to make sure everyone understands:

Sable, the patent troll that sued Cloudflare back in March 2021 asserting around 100 claims across four patents, in the end wound up paying Cloudflare. While this $225,000 can't fully compensate us for the time, energy and frustration of having to deal with this litigation for nearly three years, it does help to even the score a bit. And we hope that it sends an important message to patent trolls everywhere to beware before taking on Cloudflare.

Original Submission

Freeman writes:

https://arstechnica.com/security/2024/09/meta-slapped-with-101-million-fine-for-storing-passwords-in-plaintext/

Officials in Ireland have fined Meta $101 million for storing hundreds of millions of user passwords in plaintext and making them broadly available to company employees.

Meta disclosed the lapse in early 2019. The company said that apps for connecting to various Meta-owned social networks had logged user passwords in plaintext and stored them in a database that had been searched by roughly 2,000 company engineers, who collectively queried the stash more than 9 million times.
[...]
When Meta disclosed the lapse in 2019, it was clear the company had failed to adequately protect hundreds of millions of passwords.

"It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," Graham Doyle, deputy commissioner at Ireland's Data Protection Commission, said. "It must be borne in mind, that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts."
[...]
To date, the EU has fined Meta more than $2.23 billion (2 billion euros) for violations of the General Data Protection Regulation (GDPR), which went into effect in 2018. That amount includes last year's record $1.34 billion (1.2 billion euro) fine, which Meta is appealing.

Original Submission

upstart writes:

A tale involving deepfakes, politics, and a magician:

Louisiana Democratic political consultant Steven Kramer was indicted in May over the robocalls. The 39-second message, which told people to 'save their votes' for the November presidential election, was created using a text-to-speech tool called ElevenLabs. The calls were spoofed so they appeared to originate from the former chairwoman of the New Hampshire Democratic Party, writes The New York Times.

Kramer had worked for Biden's primary rival, Rep. Dean Phillips, who condemned the calls. Kramer claimed that he paid $500 to have the calls sent to voters as a way of raising awareness about the dangers artificial intelligence can pose to election campaigns, which sounds like a questionable justification.

"For me to do that and get $5 million worth of exposure, not for me," Kramer told CBS New York. "I kept myself anonymous so the regulations could just play themselves out or begin to play themselves out. I don't need to be famous. That's not my intention. My intention was to make a difference."

Making a strange story even weirder, Kramer hired an actual New Orleans magician named Paul Carpenter to make the robocalls. Carpenter said creating the recording only took about 20 minutes and cost $1, and that Kramer paid him $150 via Venmo. He believed what he was doing had been authorized by President Biden's campaign. Carpenter's account has since been shut down by ElevenLabs.

The FCC writes that Kramer violated the Truth in Caller ID Act, which makes spoofed calls illegal when made with the intent to defraud, cause harm, or wrongfully obtain anything of value. The FCC this year voted to have the law apply to deepfakes.

Original Submission

Arthur T Knackerbracket has processed the following story:

California governor Gavin Newsom vetoed the state’s controversial AI safety law known as ‘Senate Bill 1047’ yesterday (29 September).

Newsom said he that did not think this legislation would be the best approach to protect the public from threats posed by AI.

“While well-intentioned, SB 1047 does not take into account whether an AI system is deployed in high-risk environments, involves critical decision-making or the use of sensitive data.

“Instead, the bill applies stringent standards to even the most basic functions — so long as a large system deploys it.”

Marred in controversy since its introduction earlier this year, the bill has been opposed by many – including politician Nancy Pelosi who called the bill “well-intentioned but ill-informed” and Silicon Valley heavyweights, including OpenAI which argued for a federal bill rather than a state one, accelerator Y Combinator, which signed a letter along with around 140 start-ups, stating that the bill could “threaten the vibrancy of California’s technology economy,” and AI start-up Anthropic which made suggestions that led to amendments in the bill.

Introduced earlier this year by state senator Scott Wiener, the bill’s aim was to ensure the safe development of AI systems by putting more responsibilities on developers.

[...] Instead of SB 1047, governor Newsom announced that he has enlisted expert assistance, who will “help California develop workable guardrails for deploying GenAI”.

The team of experts include the ‘godmother of AI’ Dr Fei-Fei Li; Tino Cuéllar, a member of the National Academy of Sciences Committee on Social and Ethical Implications of Computing Research; and Jennifer Tour Chayes, dean of the College of Computing, Data Science and Society at UC Berkeley.

Original Submission

Arthur T Knackerbracket has processed the following story:

Efficiency and scalability are key benefits of enterprise cloud computing, but they come at a cost. Security threats specific to cloud environments are the leading cause of concern among top executives and they're also the ones organizations are least prepared to address.

That's according to PwC's latest cybersecurity report, released today, which showed that cloud threats are the biggest security concern for most (42 percent) business leaders.

The top five threats, according to PwC's 4,020 respondents, comprise hack and leak operations (38 percent), third-party breaches (35 percent), attacks on connected products (33 percent), and ransomware (27 percent).

If you've just read that and questioned why ransomware is so low on the list, you might be a CISO. The level of concern about ransomware jumped to 42 percent when analyzing responses from CISOs alone.

[...] All the threats that feature in execs' top five deemed "most concerning" are perhaps unsurprisingly also the same as the threats organizations feel least prepared to address, although not quite in the same order.

[...] Of course, it wouldn't be a cybersecurity report in 2024 unless AI got its moment in the spotlight.

Despite generative AI being used for good in many cases, and the majority (78 percent) increasing their investment in the tech in the past year, it's the primary contributor to the widening attack surface faced by organizations.

More than two-thirds of respondents (67 percent) said genAI increased their susceptibility to attacks "slightly" or "significantly" – the most significant factor of any in the past year, although cloud was only narrowly behind at 66 percent.

Freeman writes:

https://arstechnica.com/ai/2024/09/ai-defeats-traffic-image-captcha-in-another-triumph-of-machine-over-man/

Anyone who has been surfing the web for a while is probably used to clicking through a CAPTCHA grid of street images, identifying everyday objects to prove that they're a human and not an automated bot.
[...]
ETH Zurich PhD student Andreas Plesner and his colleagues' new research, available as a pre-print paper, focuses on Google's ReCAPTCHA v2, which challenges users to identify which street images in a grid contain items like bicycles, crosswalks, mountains, stairs, or traffic lights. Google began phasing that system out years ago in favor of an "invisible" reCAPTCHA v3 that analyzes user interactions rather than offering an explicit challenge.
[...]
To craft a bot that could beat reCAPTCHA v2, the researchers used a fine-tuned version of the open source YOLO ("You Only Look Once") object-recognition model, which long-time readers may remember has also been used in video game cheat bots.

Original Submission

Arthur T Knackerbracket has processed the following story:

The UK's last coal plant will sigh out its final pollutants Monday before shutting down for good and officially ending the country's century and a half of coal production. Nottinghamshire's Ratcliffe-on-Soar plant was the last of its kind following Britain's 2015 commitment to close all coal power plants by 2025. Ratcliffe was originally scheduled to shut down in 2022 but stayed open after Russia invaded Ukraine and Europe entered a gas crisis.

The Ratcliffe plant once had 3,000 engineers but only employs 170 staff now. That group will gather to watch a livestream of the plant being turned off, and over 100 of them are set to work on decommissioning the plant over the next two years. Many of the other employees will enter new jobs at different power plants owned by Uniper, Raticliffe's German owner, while others will enter training programs to work on other aspects of the industry.

Britain opened the world's first coal power plant in 1882, London's Holborn Viaduct, with the help of Thomas Edison's Edison Electric Light Company. Coal has played a major part in the UK until very recently. According to a report from energy think tank Ember, coal was responsible for 39 percent of the UK's energy supply in 2012 but shrunk to just two percent in 2019. The decrease in coal production was reportedly equal to double the amount of all greenhouse gases used in the UK in 2023. Between 2012 and 2023, wind and solar generation also increased from six percent to a 34 percent share of the UK's energy. Britain still has a long way to go, but this step has made it the first G7 country to remove all coal power production.

Original Submission

Arthur T Knackerbracket has processed the following story:

The latest release of the de facto default desktop of most Linux distros brings some new features – but the GNOME 4x transition isn't done yet.

GNOME 47 was released last week, codenamed "Denver" after the venue for this year's GUADEC event. This release returns some touches of customization that had gone away, brings some long-wanted functional improvements, and a few new components.

Both Ubuntu 24.10 and Fedora 41 are in beta testing, and both should arrive in the middle of October with GNOME 47 as their default desktop environments. You can't fully judge GNOME 47 from Ubuntu "Oracular Oriole," though. Canonical tweaks the GNOME desktop environment a little with some pre-installed extensions to make it a little more familiar to long-term Ubuntu users. For instance, Ubuntu's default GNOME desktop has desktop icons, notification icons in the top panel, a permanent dock along the left screen edge, and a tool to assist with tiling windows. Fedora eschews these changes and ships a largely unmodified version, so it's much closer to the stock appearance.

GNOME 47 lets you set your own highlight color, so you're free to pick clashing combinations if you like – click to enlarge

The new feature that receives top billing in the version 47 release notes may thus seem a little puzzling to Ubuntu users: customizable accent colors. This is the color tint that's used to call out or highlight parts of the desktop, such as the current tab or the default button. Ubuntu users already had this, and if you're using GNOME 43 to 46 on a different distro, you can get this via an extension. Now everyone gets this option.

This is noteworthy because since GNOME 40, the environment doesn't permit users to customize their themes. As we described when we looked at GNOME 42, there is one official theme, "Adwaita," and both developers and users are meant to leave it alone, which has proved to be controversial. The Reg FOSS desk tends to leave theming to the professionals, and GNOME has some of the best in the business. GNOME designer Jakub Steiner's level of attention to detail can be discerned from his blog post about the wallpapers in GNOME 47.

[...] The new Text Editor app, which replaces the venerable Gedit, gets better printing and spellcheck. The new GNOME Console terminal emulator has more settings, such as scrollback size. GNOME Maps now has route planning, thanks to the external Transitous service. GNOME Calendar now has drag-and-drop import of ICS files for events, and better network calendar support. GNOME is still one of the best-of-breed FOSS environments for supporting network interoperability with cloud services, and this version gets better support for IMAP config, WebDAV, Microsoft 365, and more efficient Kerberos authentication. The Remote Desktop Connection app can now handle persistent sessions, meaning that it can resume a disconnected login session.

Freeman writes:

https://arstechnica.com/gadgets/2024/09/microsoft-details-security-privacy-overhaul-for-windows-recall-ahead-of-relaunch/

Microsoft is having another whack at its controversial Recall feature for Copilot+ Windows PCs, after the original version crashed and burned amid scrutiny from security researchers and testers over the summer. The former version of Recall recorded screenshots and OCR text of all user activity, and stored it unencrypted on disk where it could easily be accessed by another user on the PC or an attacker with remote access.

The feature was announced in late May, without having gone through any of the public Windows Insider testing that most new Windows features get, and was scheduled to ship on new PCs by June 18; by June 13, the company had delayed it indefinitely to rearchitect it and said that it would be tested through the normal channels before it was rolled out to the public.

Today, Microsoft shared more extensive details on exactly how the security of Recall has been re-architected in a post by Microsoft VP of Enterprise and OS Security David Weston.

Previously on SoylentNews:
Microsoft Will Try the Data-Scraping Windows Recall Feature Again in October - 20240822
"Recall" Will Now Be Opt-In: Microsoft Changes New Windows AI Feature After Backlash - 20240610
Total Recall: Microsoft Dealing With Trust Issues - 20240609
Windows Co-Pilot "Recall" Feature Privacy Nightmare - 20240524

Original Submission