
Feed aggregator

The truth about KEV: CISA’s vuln deadlines good influence on private-sector patching

El Reg - Tue, 07/05/2024 - 11:30am
More work to do as most deadlines are missed and worst bugs still take months to fix

The deadlines associated with CISA's Known Exploited Vulnerabilities (KEV) catalog only apply to federal agencies, but fresh research shows they're having a positive impact on private organizations too.…

Fedora 41 Approved To Make Package Builds More Reproducible

Phoronix - Tue, 07/05/2024 - 10:48am
In addition to approving -O3 optimized Python builds, the Fedora Engineering and Steering Committee (FESCo) this week unanimously approved a Fedora 41 change proposal for making RPM package builds more reproducible...

Linux 6.10 Goes Ahead In Removing Sysctl Sentinel Bloat

Phoronix - Tue, 07/05/2024 - 10:32am
Over the past year there's been much work happening within the Linux kernel's sysctl code for clearing up ~64 bytes of bloat per array throughout the kernel by dropping the last sysctl "sentinel" entry at the end of each array. This also helps in reducing the build time of the kernel and is a nice improvement. With Linux 6.10, the sysctl sentinel clearing throughout different subsystems is set to happen...

Brit security guard biz exposes 1.2M files via unprotected database

El Reg - Tue, 07/05/2024 - 10:30am
Thousands of ID cards plus CCTV snaps of suspects found online

Exclusive  A UK-based physical security business let its guard down, exposing nearly 1.3 million documents via a public-facing database, according to an infosec researcher.…

AMD Core Performance Boost For Linux Getting Per-CPU Core Controls

Phoronix - Tue, 07/05/2024 - 10:19am
For the past several months AMD Linux engineers have been working on AMD Core Performance Boost support for their P-State CPU frequency scaling driver. The ninth iteration of these patches was posted on Monday and besides the global enabling/disabling support for Core Performance Boost, it's now possible to selectively toggle the feature on a per-CPU core basis...

GCC 14.1 Compiler Released - Intel APX & AVX10.1 Support, AMD Zen 5 Target & -fhardened

Phoronix - Tue, 07/05/2024 - 10:07am
GCC 14.1 has been released today as the first stable compiler release in the GCC 14 series. GCC 14.1 brings one year's worth of improvements to this open-source compiler, from new CPU support and new ISA extensions to new C/C++ language features, static analyzer improvements, new AMD GPU support, and many other additions...

Ten Years Ago Microsoft Bought Nokia's Phone Unit, Then Killed It As a Tax Write-Off

Slashdot - Tue, 07/05/2024 - 10:00am
The Register provides a retrospective look at how Microsoft "absorbed the handset division of Nokia" ten years ago, only to kill the unit two years later and write it off as a tax loss. What went wrong? "It was a fatal combination of bad management, a market evolving in ways hidebound people didn't predict, and some really (with a few superb exceptions) terrible products," reports The Register. From the report: Like Nokia, Windows Mobile's popularity peaked in 2007, then started to drop away. The iPhone was the tech item of choice for fashionistas, Blackberry was seen as essential for serious business, and Android -- with Google as its new owner -- was gaining traction. Microsoft by that time had a new CEO in Steve Ballmer, who completely and famously failed to see the shifting sands in the mobile market. He dismissed the iPhone as a threat to what he thought was Windows Mobile's unassailable market position, and was roundly mocked for it. So the scene was set for a mobile standards war, and Steve Ballmer staked his professional pride on winning it. Microsoft recruited Nokia to help out. [...] Under [Executive VP of Microsoft Stephen Elop's] leadership, a closer working relationship with Microsoft was a given -- but in 2013 Redmond announced it was going the whole hog and buying Nokia's handset business outright for $7.2 billion. The deal was done in April 2014, a decade ago from today. Microsoft also got a ten-year license on Nokia's patents and the option to renew in perpetuity. It also got Elop back, as executive vice president of the Microsoft Devices Group. That meant stepping down as CEO of Nokia, for which he trousered an 18.8 million bonus package -- a payoff the Finnish prime minister at the time called "outrageous." Nokia retained its networking business in Finland. It purchased Siemens' half of the Nokia Siemens Networks joint venture and renamed it Nokia Networks.
The Nokia board rolled the dice again on hiring another non-Suomi manager, Rajeev Suri, and this time hit a double D20 in D&D terms. When Ballmer stepped down from the helm at Microsoft in 2014 -- shortly before the Nokia deal completion -- he left a hot mess to deal with. His plan had been to develop the mobile operating system in conjunction with Windows 10, and Windows Mobile 10 was supposed to be a part of a unified code environment. While Windows 10 on the desktop wasn't a bad operating system, Windows Mobile 10 really was. The promised synergy just didn't happen -- it was power-hungry, clunky, and about as popular as a rattlesnake in a pinata. It was this mess that Satya Nadella faced when he took over the reins. Nadella was never very keen on the phone platform and spent more time in press conferences talking about cricket or the cloud than Microsoft's mobile ambitions. It was clear to all that this really wasn't working. Elop was laid off by Redmond a year later. It was clear that Windows Mobile wasn't going to work. Android and iOS were drinking Microsoft's milkshake, and Redmond realized the game was up. Microsoft started shedding mobile jobs -- both in Finland and Redmond. While mobile was still publicly touted as the way forward for Microsoft with Ballmer gone, the impetus wasn't there and support for the mobile OS shriveled. In 2015 Microsoft declared it was writing off $7.6 billion on the Phone Hardware division as "goodwill and asset impairment charges" -- $400 million more than it had originally paid for the Finnish firm. Nokia bought European networking giant Alcatel-Lucent in a $16.7 billion deal in 2015. Around the same time, Suri announced a move into tablets, since it had a non-compete agreement with Microsoft on mobiles. Meanwhile a bunch of former Nokia execs who'd fled Elop and Microsoft had started a mobile biz of their own: HMD. 
It was Finnish, but outsourced production to Foxconn in China, and was planning to make cheapish Android devices. In 2016 Microsoft sold its mobile hardware arm to HMD for an undisclosed -- but probably not large -- sum. Nadella clearly wanted out of the whole business and the Finnish startup concentrated on selling good-enough Android smartphones to Nokia's traditional cheap markets.

Read more of this story at Slashdot.

A tale of two Chinas: Our tech governance isn't perfect, but we still get to say no

El Reg - Tue, 07/05/2024 - 9:35am
Too many folks who should know better saying info-slurping tactics of Big Tech are just as bad

Opinion  Which China do you want? The innovative good global citizen, adding to the storehouse of knowledge while making better products and services? Or the autocracy, determined to advance the interests of the leadership through any and all means, untrammeled by legal safeguards within its borders and, wherever possible, outside them?…

First 9front release of the year is called DO NOT INSTALL

El Reg - Tue, 07/05/2024 - 8:30am
Possibly its most helpful codename yet

9front, the most active project continuing development of the sequel to Unix, Plan 9 from Bell Labs, emitted a new version. We did not follow its advice.…

Council claims database pain forced it to drop apostrophes from street names

El Reg - Tue, 07/05/2024 - 7:29am
What next, trouble at t'mill?

A row in the UK has locals and council members at odds over apostrophes, and yes – this does actually have a tech angle. …

Boeing Starliner's First Crewed Mission Scrubbed

Slashdot - Tue, 07/05/2024 - 7:00am
"Out of an abundance of caution," Boeing says its historic Starliner launch has been postponed, citing an issue with the oxygen relief valve on the Atlas V rocket's upper stage. It was expected to launch tonight at 10:34 p.m. ET. TechCrunch reports: There are backup launch opportunities on May 7, 10 and 11. After years of delays and over $1 billion in cost overruns, the mission is set to be Boeing's first attempt to transport astronauts to the International Space Station. Once the issue is resolved with the upper stage, the United Launch Alliance Atlas V will carry the CST-100 Starliner capsule to orbit along with the two onboard astronauts -- Butch Wilmore and Suni Williams -- from Florida's Cape Canaveral at 10:34 PM local time Monday evening. The mission also marks the first time ULA's Atlas will carry crew. The rocket boasts a success rate of 100% across 99 missions. (ULA is a joint venture of Boeing and Lockheed Martin.) The astronauts would now dock at the station at the earliest on Thursday, where they would remain for at least eight days. The two astronauts will return to Earth in the capsule no earlier than May 16. If all goes to plan, Boeing will be able to finally certify its Starliner for human transportation and begin fulfilling the terms of its $4.2 billion NASA astronaut taxi contract. That contract, under the agency's Commercial Crew Program, was awarded in 2014. Elon Musk's SpaceX was also granted a contract under that program, for its Crew Dragon capsule, and has been transporting astronauts to and from the ISS since 2020.

Read more of this story at Slashdot.

Apple's iPhone Spyware Problem Is Getting Worse

Slashdot - Tue, 07/05/2024 - 3:30am
An anonymous reader quotes a report from Wired: In April, Apple sent notifications to iPhone users in 92 countries, warning them they'd been targeted with spyware. "Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID," the notification reads. Users quickly took to social media sites including X, trying to work out what the notification meant. Many of those targeted were based in India, but others in Europe also reported receiving Apple's warning. Weeks later, little is still known about the latest iPhone attacks. Former smartphone giant Blackberry, now a security firm, has released research indicating they are linked to a Chinese spyware campaign dubbed "LightSpy," but Apple spokesperson Shane Bauer says this is inaccurate. While Apple says the latest spyware notifications aren't linked to LightSpy, the spyware remains a growing threat, particularly to people who may be targeted in Southern Asia, according to Blackberry's researchers. Described as a "sophisticated iOS implant," LightSpy first emerged targeting Hong Kong protesters in 2020. However, the latest iteration is much more capable than the first. "It is a fully-featured modular surveillance toolset that primarily focuses on exfiltrating victims' private information, including hyper-specific location data and sound recording during voice over IP calls," the researchers wrote. April's warnings were not the first time Apple has issued notifications of this kind. The iPhone maker has sent out alerts to people in over 150 countries since 2021 as spyware continues to target high-profile figures across the globe. Spyware can be weaponized by nation-state adversaries -- but this is relatively rare and expensive. Its deployment is typically highly targeted against a very specific group of people, including journalists, political dissidents, government workers, and businesses in certain sectors.
"Such attacks are vastly more complex than regular cybercriminal activity and consumer malware, as mercenary spyware attackers apply exceptional resources to target a very small number of specific individuals and their devices," Apple wrote in an advisory in April. "Mercenary spyware attacks cost millions of dollars and often have a short shelf life, making them much harder to detect and prevent. The vast majority of users will never be targeted by such attacks." Plus, Apple says its Lockdown Mode feature can successfully protect against attacks. "As we have said before, we are not aware of anyone using Lockdown Mode being successfully attacked with mercenary spyware," Bauer says. Still, for those who are targeted and caught unaware, spyware is extremely dangerous. There are a number of ways to protect yourself against spyware and zero-click exploits in particular:

1. Regularly Update Devices: Keep your devices updated to the latest software to protect against known vulnerabilities.
2. Restart Devices Daily: Regularly restarting your device can help disrupt persistent spyware infections by forcing attackers to reinfect the device, potentially increasing their chances of detection.
3. Disable Vulnerable Features: Consider disabling features prone to exploits, such as iMessage and FaceTime, especially if you suspect you're a target for spyware.
4. Use Multifactor Authentication and Secure Sources: Employ multifactor authentication and only install apps from verified sources to prevent unauthorized access and downloads.
5. Monitor for Indicators: Be vigilant for signs of infection such as battery drain, unexpected shutdowns, and high data usage, though these may not always be present with more sophisticated spyware.
6. Seek Professional Help: If you suspect a spyware infection, consider professional assistance or helplines like Access Now's Digital Security Helpline for guidance on removal.
7. Utilize Advanced Security Features: Activate security features like Apple's Lockdown Mode, which limits device functionality to reduce vulnerabilities, thus safeguarding against infections.

Read more of this story at Slashdot.

Ransomware crooks now SIM swap executives' kids to pressure their parents

El Reg - Tue, 07/05/2024 - 2:10am
Extortionists turning to 'psychological attacks', Mandiant CTO says

RSAC  Ransomware infections have morphed into "a psychological attack against the victim organization," as criminals use increasingly personal and aggressive tactics to force victims to pay up, according to Google-owned Mandiant.…

Stockholm Exergi Lands World's Largest Permanent Carbon Removal Deal With Microsoft

Slashdot - Tue, 07/05/2024 - 2:10am
Swedish energy company Stockholm Exergi and Microsoft have announced a 10-year deal that will provide the tech giant with more than 3.3 million tons of carbon removal certificates through bioenergy with carbon capture and storage. While the value of the deal was not disclosed, it stands as the largest of its kind globally. Carbon Herald reports: Scheduled to commence in 2028 and span a decade, the agreement underscores a pivotal moment in combatting climate change. Anders Egelrud, CEO of Stockholm Exergi, lauded the deal as a "huge step" for the company and its BECCS project, emphasizing its profound implications for climate action. "I believe the agreement will inspire corporations with ambitious climate objectives, and we target to announce more deals with other pioneering companies over the coming months," he said. Recognizing the imperative of permanent carbon removals in limiting global warming to 1.5C or below, the deal aligns with Microsoft's ambitious goal of becoming carbon negative by 2030. "Leveraging existing biomass power plants is a crucial first step to building worldwide carbon removal capacity," Brian Marrs, Microsoft's Senior Director of Energy & Carbon Removal, said, highlighting the importance of sustainable biomass sourcing for BECCS projects, as is the case with Stockholm Exergi. The partners will adhere to stringent quality standards, ensuring transparent reporting and adherence to sustainability criteria. The BECCS facility, once operational, will remove up to 800,000 tons of carbon dioxide (CO2) annually, contributing significantly to atmospheric carbon reduction. With environmental permits secured and construction set to commence in 2025, Stockholm Exergi plans to reach the final investment decision by the end of the year.

Read more of this story at Slashdot.

Novel Attack Against Virtually All VPN Apps Neuters Their Entire Purpose

Slashdot - Tue, 07/05/2024 - 1:41am
Researchers have discovered a new attack that can force VPN applications to route traffic outside the encrypted tunnel, thereby exposing the user's traffic to potential snooping or manipulation. This vulnerability, named TunnelVision, is found in almost all VPNs on non-Linux and non-Android systems. It's believed that the vulnerability "may have been possible since 2002 and may already have been discovered and used in the wild since then," reports Ars Technica. From the report: The effect of TunnelVision is "the victim's traffic is now decloaked and being routed through the attacker directly," a video demonstration explained. "The attacker can read, drop or modify the leaked traffic and the victim maintains their connection to both the VPN and the Internet." The attack works by manipulating the DHCP server that allocates IP addresses to devices trying to connect to the local network. A setting known as option 121 allows the DHCP server to override default routing rules that send VPN traffic through a local IP address that initiates the encrypted tunnel. By using option 121 to route VPN traffic through the DHCP server, the attack diverts the data to the DHCP server itself. [...] The attack can most effectively be carried out by a person who has administrative control over the network the target is connecting to. In that scenario, the attacker configures the DHCP server to use option 121. It's also possible for people who can connect to the network as an unprivileged user to perform the attack by setting up their own rogue DHCP server. The attack allows some or all traffic to be routed through the unencrypted tunnel. In either case, the VPN application will report that all data is being sent through the protected connection. Any traffic that's diverted away from this tunnel will not be encrypted by the VPN and the Internet IP address viewable by the remote user will belong to the network the VPN user is connected to, rather than one designated by the VPN app.
Interestingly, Android is the only operating system that fully immunizes VPN apps from the attack because it doesn't implement option 121. For all other OSes, there are no complete fixes. When apps run on Linux there's a setting that minimizes the effects, but even then TunnelVision can be used to exploit a side channel that can be used to de-anonymize destination traffic and perform targeted denial-of-service attacks. Network firewalls can also be configured to deny inbound and outbound traffic to and from the physical interface. This remedy is problematic for two reasons: (1) a VPN user connecting to an untrusted network has no ability to control the firewall and (2) it opens the same side channel present with the Linux mitigation. The most effective fixes are to run the VPN inside of a virtual machine whose network adapter isn't in bridged mode or to connect the VPN to the Internet through the Wi-Fi network of a cellular device. You can learn more about the research here.
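The mechanism the report describes, DHCP option 121 pushing classless static routes that beat the VPN's own routes on longest-prefix match, is easy to audit from the defender's side. The following is an added example, not code from Ars Technica or from the TunnelVision researchers: it decodes an option 121 payload in the RFC 3442 wire format (prefix length, only the significant destination octets, then a 4-byte router) and flags every pushed route that overlaps a tunnel route and is at least as specific, because that route will win on the host. The sample payload, the 192.168.1.1 gateway and the 0.0.0.0/1 + 128.0.0.0/1 tunnel routes are constructed assumptions chosen to mirror a typical full-tunnel client; on a real machine you would feed in the option bytes from the lease your DHCP client actually received.

```python
"""Audit DHCP option 121 (RFC 3442 classless static routes) against a VPN
tunnel's routing table and report entries that would pull traffic out of
the tunnel. Added example; not the researchers' or Ars Technica's code."""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def parse_option_121(data: bytes) -> List[Route]:
    """Decode the option payload: repeated (prefix length, significant
    destination octets, 4-byte router). Malformed payloads raise ValueError
    instead of being silently accepted."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError(f"prefix length {plen} out of range at offset {i - 1}")
        n_sig = (plen + 7) // 8          # RFC 3442 sends only ceil(plen/8) octets
        if i + n_sig + 4 > len(data):
            raise ValueError("truncated route entry")
        dest = data[i:i + n_sig] + bytes(4 - n_sig)   # zero-pad to 4 octets
        i += n_sig
        router = ipaddress.IPv4Address(data[i:i + 4])
        i += 4
        # strict=False: a hostile server may set host bits inside the sent octets
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False), router))
    return routes


def routes_overriding_tunnel(dhcp_routes: List[Route],
                             tunnel_routes: List[ipaddress.IPv4Network]) -> List[Route]:
    """Return the DHCP routes that divert traffic the tunnel should carry.
    The host forwards on the longest matching prefix, so any pushed route that
    overlaps a tunnel route and is at least as specific takes precedence
    (equal lengths fall back to metrics, which is still worth flagging)."""
    return [(dest, router) for dest, router in dhcp_routes
            if any(dest.overlaps(t) and dest.prefixlen >= t.prefixlen
                   for t in tunnel_routes)]


# Constructed sample payload (not a real capture): the 0.0.0.0/1 + 128.0.0.0/1
# pair that shadows a full-tunnel VPN, one specific /24, and a plain default
# route that is harmless because the tunnel's /1 routes are more specific.
SAMPLE_OPTION_121 = bytes.fromhex(
    "01 00 c0a80101"        # 0.0.0.0/1      via 192.168.1.1
    "01 80 c0a80101"        # 128.0.0.0/1    via 192.168.1.1
    "18 cb0071 c0a80101"    # 203.0.113.0/24 via 192.168.1.1
    "00 c0a80101"           # 0.0.0.0/0      via 192.168.1.1
)

# Routes a typical full-tunnel VPN client installs through its tun interface
# (assumed for the example).
TUNNEL_ROUTES = [ipaddress.IPv4Network("0.0.0.0/1"),
                 ipaddress.IPv4Network("128.0.0.0/1")]


def audit(data: bytes = SAMPLE_OPTION_121,
          tunnel: List[ipaddress.IPv4Network] = TUNNEL_ROUTES) -> List[str]:
    """Human-readable findings for one lease's option 121 payload."""
    return [f"{dest} via {router} bypasses the tunnel"
            for dest, router in routes_overriding_tunnel(parse_option_121(data), tunnel)]


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Run as a script it prints three findings for the sample lease and nothing for the default route, which is the point worth internalising: a route pushed by DHCP does not have to be a full default to matter, it only has to be as specific as whatever the VPN installed. The same check can be wired into a post-lease hook on Linux or used to review packet captures from an untrusted network; a legitimate on-site prefix will also show up, so compare findings against the local ranges you expect.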

Read more of this story at Slashdot.

Meta, Spotify break Apple's device fingerprinting rules – new claim

El Reg - Tue, 07/05/2024 - 1:05am
And the iOS titan doesn't seem that bothered with data leaking out

Updated  Last week, Apple began requiring iOS developers justify the use of a specific set of APIs that could be used for device fingerprinting.…

Google Fit Dev APIs Shutdown Set, Fate of Android and Wear OS Apps Go Unannounced

Slashdot - Tue, 07/05/2024 - 12:53am
Abner Li reports via 9to5Google: Since the launch of Health Connect in 2022, Google has been winding down the Google Fit developer APIs. Earlier this week, the company fully detailed how the "Google Fit APIs have been deprecated and will be supported until June 30, 2025." Fitness and exercise apps that previously used Google Fit have until the June 2025 deadline to switch to Health Connect, with Google broadly referring to it as the "Android Health platform." Google's migration guide for developers lists what they're supposed to switch to on Android phones and Wear OS. However, there is no replacement for the Goals API that lets Google Fit users set "how many steps and heart points they want to aim for each day." Google says it will "share more details about what's next for Android Health" at I/O later this month. As of this API shutdown announcement, Google has said nothing about the Google Fit apps on Android, Wear OS, and iOS. They still work to track activity and house your full archive. [...] At this point, it's clear that Google Fit is not the future. On the Pixel Watch, Fitbit is the default, while Samsung and other Wear OS manufacturers have their own health tracking solutions. If Google were to announce a deprecation of the Fit app, having it coincide with the June 2025 developer deadline makes sense.

Read more of this story at Slashdot.

Dear Stack Overflow denizens, thanks for helping train OpenAI's billion-dollar LLMs

El Reg - Tue, 07/05/2024 - 12:35am
Microsoft-backed super-lab gets direct access to answers – and code forum gets its own AI

Stack Overflow, a community-driven Q&A site, and OpenAI, maker of AI models, have agreed to work to improve each other's products, the latest deal in a series of tie-ups to feed machine learning models' thirst for data.…

Pokemon Go Players Are Vandalizing Real Maps With Fake Data To Catch Rare Pokemon

Slashdot - Tue, 07/05/2024 - 12:02am
An anonymous reader quotes a report from 404 Media: Pokemon Go players are creating a headache for members of the open source map tool OpenStreetMaps by adding fake beaches where they don't exist in hopes of more easily catching Wigletts, a Pokemon that only spawns on beaches. OpenStreetMaps is a free, open source map tool much like Google or Apple maps, but is maintained by a self-governing community of volunteers where anyone is welcome to contribute. An April 27 thread in the OpenStreetMap community forum first spotted the issue, flagging two users in Italy who began marking beaches in all sorts of locations where they don't actually exist. The OpenStreetMap user who noticed the fictitious beaches immediately connected the dots: Pokemon Go, the mega popular mobile game where players catch Pokemon and can engage in different activities depending on their geolocation, introduced different "biomes" like beach, city, forest, and mountains. Each of these have a different look, and critically, some specific Pokemon will only spawn at specific biomes. Wiglett, for example, only spawns at beaches. Some video game sites quickly noticed that Pokemon Go's beaches were appearing in real world locations like golf courses, sports fields, and other places that are not real beaches. Pokemon Go uses OpenStreetMap for its map data, and is how the game knows players are near certain points of interest. The OpenStreetMap user created a filter of OpenStreetMap that surfaced instances where "new mappers" added beaches to the map, revealing a number of clearly fake submissions. [...] It's not clear how often Pokemon Go updates the game with data from OpenStreetMaps, but in theory the people who are manipulating the data would have easier access to the beach biome the next time it does. The OpenStreetMap thread goes on to identify one repeat offender who added dozens of fake beaches. 
Some are near bodies of water, like lakes, rivers, or docks, and others are landlocked schools, parking lots, and random strips of land. If there was any doubt that some of these changes are being made by Pokemon Go players, the same repeat offender also marked the map with his handle, as well as a poke ball.

Read more of this story at Slashdot.

Fed-run LockBit site back from the dead and vows to really spill the beans on gang

El Reg - Mon, 06/05/2024 - 11:42pm
After very boring first reveal, this could be the real deal

Updated  Cops around the world have relaunched LockBit's website after they shut it down in February – and it's now counting down the hours to reveal documents that could unmask the ransomware group.…
