Vue lecture

Thousands of Palo Alto Networks Firewalls Compromised This Week After Critical Security Hole

Palo Alto Networks boasts 70,000 customers in 150 countries, including 85% of the Fortune 500. But this week "thousands of Palo Alto Networks firewalls were compromised by attackers exploiting two recently patched security bug," reports the Register: The intruders were able to deploy web-accessible backdoors to remotely control the equipment as well as cryptocurrency miners and other malware. Roughly 2,000 devices had been hijacked as of Wednesday — a day after Palo Alto Networks pushed a patch for the holes — according to Shadowserver and Onyphe. As of Thursday, the number of seemingly compromised devices had dropped to about 800. The vendor, however, continues to talk only of a "limited number" of exploited installations... The Register has asked for clarification, including how many compromised devices Palo Alto Networks is aware of, and will update this story if and when we hear back from the vendor. Rumors started swirling last week about a critical security hole in Palo Alto Networks appliances that allowed remote unauthenticated attackers to execute arbitrary code on devices. Exploitation requires access to the PAN-OS management interface, either across the internet or via an internal network. The manufacturer did eventually admit that the firewall-busting vulnerability existed, and had been exploited as a zero-day — but it was still working on a patch. On Tuesday, PAN issued a fix, and at that time said there were actually two vulnerabilities. The first is a critical (9.3 CVSS) authentication bypass flaw tracked as CVE-2024-0012. The second, a medium-severity (6.9 CVSS) privilege escalation bug tracked as CVE-2024-9474. The two can be chained together to allow remote code execution (RCE) against the PAN-OS management interface... once the attackers break in, they are using this access to deploy web shells, Sliver implants, and/or crypto miners, according to Wiz threat researchers.

Read more of this story at Slashdot.

Flamewar Leads to Declining of Bcachefs Pull Requests During Linux 6.13 Kernel Development Cycle

"Get your head examined. And get the fuck out of here with this shit." That's how Bcachefs developer Kent Overstreet ended a post on the Linux kernel mailing list. This was followed by "insufficient action to restore the community's faith in having otherwise productive technical discussions without the fear of personal attacks," according to an official ruling by committee enforcing the kernel community's code of conduct. After formalizing an updated enforcement process for unacceptable behaviors, it then recommended that during the Linux 6.13 kernel development cycle, Overstreet's participation should be restricted (with his pull requests declined). Phoronix covered their ruling, and ItsFOSS and The Register offer some of the backstory. Overstreet had already acknowledged that "Things really went off the rails (and I lost my cool, and earned the ire of the CoC committee)" in a 6,200-word blog post on his Patreon page. But he also emphasized that "I'm going to keep writing code no matter what. Things may turn into more of a hassle to actually get the code, but people who want to keep running bcachefs will always be able to (that's the beauty of open source, we can always fork), and I will keep supporting my users..." More excerpts from Overstreet's blog post: I got an emails from multiple people, including from Linus, to the effect of "trust me, you don't want to be known as an asshole — you should probably send him an apology"... Linus is a genuinely good guy: I know a lot of people reading this will have also seen our pull request arguments, so I specifically wanted to say that here: I think he and I do get under each other's skin, but those arguments are the kind of arguments you get between people who care deeply about their work and simply have different perspectives on the situation... [M]y response was to say "no" to a public apology, for a variety of reasons: because this was the result of an ongoing situation that had now impacted two different teams and projects, and I think that issue needs attention — and I think there's broader issues at stake here, regarding the CoC board. But mostly, because that kind of thing feels like it ought to be kept personal... I'd like a better process that isn't so heavy handed for dealing with situations where tensions rise and communications break down. As for that process: just talk to people... [W]e're a community. We're not interchangeable cogs to be kicked out and replaced when someone is "causing a problem", we should be watching out for each other... Another note that I was raising with the CoC is that a culture of dismissiveness, of finding ways to avoid the technical discussions we're supposed to be having, really is toxic, and moreso than mere flamewars... we really do need to be engaging properly with each other in order to do our work well. After the official response from the committee, Overstreet responded on the kernel mailing list. "I do want to apologize for things getting this heated the other day, but I need to also tell you why I reacted the way I did... I do take correctness issues very seriously, and I will get frosty or genuinely angry if they're being ignored or brushed aside."

Read more of this story at Slashdot.

Craigslist Founder Gives $300M to Fund Critical US Infrastructure Cybersecurity

Craig Newmark "is alarmed about potential cybersecurity risks in the U.S.," according to Yahoo Finance. The 71-year-old Craigslist founder says "our country is under attack now" in a new interview with Yahoo Finance executive editor Brian Sozzi on his Opening Bid podcast. But Newmark also revealed what he's doing about it: [H]e started Craig Newmark Philanthropies to primarily invest in projects to protect critical American infrastructure from cyberattacks. He told Sozzi he is now spending $200 million more to address the issue, on top of an initial $100 million pledge revealed in September of this year. He encouraged other wealthy people to join him in the fight against cyberattacks. "I tell people, 'Hey, the people who protect us could use some help. The amounts of money comparatively are small, so why not help out,'" he said... The need for municipalities and other government entities to act rather than react remains paramount, warns Newmark. "I think a lot about this," said Newmark. "I've started to fund networks of smart volunteers who can help people protect infrastructure, particularly [for] the small companies and utilities across the country who are responsible for most of our electrical and power supplies, transportation infrastructure, [and] food distribution.... A lot of these systems have no protection, so an adversary could just compromise them, saying unless you do what we need, we can start shutting off these things," he continued. Should that happen, recovery "could take weeks and weeks without your water supply or electricity." A web page at Craig Newmark Philanthropies offers more details Craig was part of the whole "duck and cover" thing, in the 50s and 60s, and realizes that we need civil defense in the cyber domain, "cyber civil defense." This is patriotism, for regular people. He's committed $100 million to form a Cyber Civil Defense network of groups who are starting to protect the country from cyber threats. Attacks on our power grids, our cyber infrastructure and even the internet-connected gadgets and appliances in our homes are real. If people think that's alarmist, tell them to "Blame Craig." The core of Cyber Civil Defense [launched in 2022] includes groups like Aspen Digital, Global Cyber Alliance, and Consumer Reports, focusing on citizen cyber education and literacy, cyber tool development, and cybersecurity workforce programs aimed at diversifying the growing field. It's already made significant investments in groups like the Ransomware Task Force and threat watchdog group Shadowserver Foundation...

Read more of this story at Slashdot.

Solar Glut: Half of California's Solar Power Sometimes Goes to Waste, Research Shows

Some days more than half of California's available solar power goes to waste, according to research from the California Institute for Energy and Environment. "In the last 12 months, California's solar farms have curtailed production of more than 3 million megawatt hours of solar energy," according to a data analysis by the Los Angeles Times — enough to power 518,000 California homes for a year. And it was curtailed "either on the orders of the state's grid operator or because prices had plummeted because of the glut. The waste would have been even larger if California had not paid utilities in other states to take the excess solar energy, documents from the state's grid operator show." That means green energy paid for by California electricity customers is sent away, lowering bills for residents of other states. Arizona's largest public utility reaped $69 million in savings last year by buying from the market California created to get rid of its excess solar power. The utility returned that money to its customers as a credit on their bills. Also reaping profits are electricity traders, including banks and hedge funds. The increasing oversupply of solar power has created a situation where energy traders can buy the excess at prices so low they become negative, said energy consultant Gary Ackerman, the former executive director of the Western Power Trading Forum. That means the solar plant is paying the traders to take it. "This is all being underwritten by California ratepayers," Ackerman said... The solar glut also means higher electricity bills for Californians, since they are effectively paying to generate the power but not using it. California's electric rates are roughly twice the nation's average, with only Hawaii having higher rates. Rates at Southern California Edison and Pacific Gas & Electric increased by 51% over the last three years. "Ratepayers aren't getting the energy they've paid for," said Ron Miller, an energy industry consultant in Denver. He calculates that the retail value of the solar energy thrown away in a year would be more than $1 billion. Gov. Gavin Newsom's advisors and those who manage the state's electric grid say they are working to reduce the curtailments, including by building more industrial-scale battery storage facilities that soak up the excess solar power during the day and then release it at night. Officials in the governor's office declined to be interviewed, but issued a statement saying the curtailments are often because of congestion on transmission lines, rather than a statewide oversupply of power. The state has been spending heavily to upgrade transmission lines to ease the congestion. "It's also important to have extra energy resources available that can help the state during periods of extreme weather and historic heatwaves when demand is particularly high, which have happened the past few years," the statement said... The commercial solar industry contends that the expansion of storage capacity to bank solar power will eventually eliminate the glut.

Read more of this story at Slashdot.

World Agrees on $300B Climate Aid Financial Deal - After COP29 Summit 'Nearly Implodes'

"At points there was fear the talks would implode, as groups representing vulnerable small island states and the least-developed countries walked out of negotiations Saturday," according to a new report from CNN. But after weeks of international climate talks at COP29, "the world agreed to a new climate deal... "with wealthy countries pledging to provide $300 billion annually by 2035 to poorer countries to help them cope with the increasingly catastrophic impacts of the climate crisis." The amount pledged, however, falls far short of the $1.3 trillion economists say is needed to help developing countries cope with a climate crisis they have done least to cause — and there has been a furious reaction from many developing countries. a fiery speech immediately after the gavel went down, India's representative Chandni Raina slammed the $300 billion as "abysmally poor" and a "paltry sum," calling the agreement "nothing more than an optical illusion" and unable to "address the enormity of the challenge we all face." Others were equally damning in their criticism. We are leaving with a small portion of the funding climate-vulnerable countries urgently need," said Tina Stege, Marshall Islands climate envoy. Stege heavily criticized the talks as showing the "very worst of political opportunism." Fossil fuel interests "have been determined to block progress and undermine the multilateral goals we've worked to build," she said in a statement... There was also a push for richer emerging economies such as China and Saudi Arabia to contribute to the climate funding package, but the agreement only "encourages" developing countries to make voluntary contributions, and places no obligations on them... Saudi Arabia, the world's top oil exporter, which has pushed against ambitious action at past climate summits, seemed even more emboldened in Baku, publicly and explicitly rejecting any reference to oil, coal and gas in the deal. The package "is also being criticised as short-sighted from the richer world's perspective," notes the BBC: The argument runs that if you want to keep the world safe from rising temperatures, then wealthier nations need to help emerging economies cut their emissions, because that is where 75% of the growth in emissions has occurred in the past decade. But "Delegations more optimistic about the agreement said this deal is headed in the right direction," writes the Associated Press, "with hopes that more money flows in the future." The text included a call for all parties to work together using "all public and private sources" to get closer to the $1.3 trillion per year goal by 2035. That means also pushing for international mega-banks, funded by taxpayer dollars, to help foot the bill. And it means, hopefully, that companies and private investors will follow suit on channeling cash toward climate action. The agreement is also a critical step toward helping countries on the receiving end create more ambitious targets to limit or cut emissions of heat-trapping gases.

Read more of this story at Slashdot.

Microsoft's Controversial 'Recall' Feature is Already Experiencing Some Issues

Microsoft's controversial "Recall" feature (in a public preview of Windows 11) already has some known issues, Microsoft admitted Friday. For example: - Recall can be enabled or disabled from "Turn Windows features on or off". We are caching the Recall binaries on disk while we test add/remove. In a future update we will completely remove the binaries. - You must have Secure Boot enabled for Recall to save snapshots. - Some users experience a delay before snapshots first appear in the timeline while using their device. If snapshots do not appear after 5 minutes, reboot your device. If saving snapshots is enabled, but you see snapshots are no longer being saved, reboot your device. - Clicking links within Recall to submit feedback may experience a delay in loading the Feedback Hub application. Be patient and it will display. CNBC adds that according to Microsoft Recall "won't work with some accessibility programs, and if you specify that Recall shouldn't save content from a given website, it might get captured anyway while using the built-in Edge browser..." But those aren't the only issues CNBC noticed: - While you might expect that your computer will be recording every last thing you look at once you've turned on Recall, it can go several minutes between making snapshots, leaving gaps in the timeline. - Recall allows you to prevent screenshots from being made when you're accessing specific apps. But a few apps installed on my Surface Pro are not shown on that list. - When you enter a search string to find words, results might be incomplete or incorrect. Recall clearly had two screen images that mention "Yankees," but when I typed that into the search box, only one of them came up as a text match. I typed in my last name, which appeared in eight images, but Recall produced just two text matches. - Recall made a screenshot while I was scrolling through posts on social network BlueSky, and one contains a photo of a New York street scene. You can see a stoplight, a smokestack and street signs. I typed each of those into the search box, but Recall came up with no results... - The search function is fast, but flipping through snapshots in Recall is not. It can take a couple of seconds to load screenshots as you swipe between them.

Read more of this story at Slashdot.

Coding Boot Gamp Graduates Find Tough Prospects In an AI-Powered World

An anonymous reader shared this report from the New York Times: Between the time [construction worker Florencio] Rendon applied for the coding boot camp and the time he graduated, what Mr. Rendon imagined as a "golden ticket" to a better life had expired. About 135,000 start-up and tech industry workers were laid off from their jobs, according to one count. At the same time, new artificial intelligence tools like ChatGPT, an online chatbot from OpenAI, which could be used as coding assistants, were quickly becoming mainstream, and the outlook for coding jobs was shifting. Mr. Rendon says he didn't land a single interview. Coding boot camp graduates across the country are facing a similarly tough job market. In Philadelphia, Mal Durham, a lawyer who wanted to change careers, was about halfway through a part-time coding boot camp late last year when its organizers with the nonprofit Launchcode delivered disappointing news. "They said: 'Here is what the hiring metrics look like. Things are down. The number of opportunities is down,'" she said. "It was really disconcerting." In Boston, Dan Pickett, the founder of a boot camp called Launch Academy, decided in May to pause his courses indefinitely because his job placement rates, once as high as 90 percent, had dwindled to below 60 percent. "I loved what we were doing," he said. "We served the market. We changed a lot of lives. The team didn't want that to turn sour." Compared with five years ago, the number of active job postings for software developers has dropped 56 percent, according to data compiled by CompTIA. For inexperienced developers, the plunge is an even worse 67 percent. "I would say this is the worst environment for entry-level jobs in tech, period, that I've seen in 25 years," said Venky Ganesan, a partner at the venture capital firm Menlo Ventures. A Stack Overflow survey of 65,000 developers found that 60% had used AI coding tools this year, the article points out. And it includes two predictions about the future: Armando Solar-Lezama, leader of MIT's Computer-Assisted Programming Group, "believes that A.I. tools are good news for programming careers. If coding becomes easier, he argues, we'll just make more, better software. We'll use it to solve problems that wouldn't have been worth the hassle previously, and standards will skyrocket." Zach Sims, a co-founder of Codecademy, said of the job prospects for coding boot camp graduates" "I think it's pretty grim."

Read more of this story at Slashdot.

Unpublished Slashdot Submission Dragged Into Reddit Drama About C++ Paper's Title

Reddit's moderators drew some criticism after "locking" a discussion about C++ paper/proposal author Andrew Tomazos. The URL (in the post with the locked discussion) had led to a submission for Slashdot's queue of potential (but unpublished) stories, which nevertheless attracted 178 upvotes on Reddit and another 85 comments. That unpublished Slashdot submission was also submitted to Hacker News, where it drew another 38 upvotes but was also eventually flagged. Back on Reddit's C++ subreddit (which has 300,000 members), a "direct appeal" was submitted to the moderators to unlock Reddit's earlier discussion (drawing over 100 upvotes). But there's one problem with this drama, as Slashdot reader brantondaveperson pointed out. "There appears to be no independent confirmation of this story anywhere. The only references to it are this Slashdot story, and a Reddit story. Neither cite sources or provide evidence." This drew a response from the person submitting the potential story to Slashdot: You raise a valid point. The communication around this was private. The complaint about the [paper's] title, the author's response, and the decision to expel were all communicated by either private email, on private mailing lists or in private in-person meetings. These private communications could be quoted by participants in said communications. Please let us know if that would be sufficient. The paper had already drawn some criticism in a longer blog post by programmer Izzy Muerte (which called it "a fucking cleaned up transcript of a ChatGPT conversation".) It's one of six papers submitted this year by Tomaszos to the ISO's "WG21" C++ committee. Tomazos (according to his LinkedIn profile) is "lead programmer" of videogame company Fury Games (founded by him and his wife). It also shows an earlier two-year stint as a Google senior software engineer. There were two people claiming direct knowledge of the situation posting on Reddit. A user named kritzikratzi posted: I contacted Andrew Tomazos directly. According to him the title "The Undefined Behavior Question" caused complaints inside WG21. The Standard C++ Foundation then offered two choices (1) change the paper title (2) be expelled. Andrew Tomazos chose (2). A Reddit user Dragdu posted: He wasn't expelled for that paper, but rather this was the last straw. And he wasn't banned from the [WG21] committee, that is borderline impossible, but rather the organization he was representing told him to fuck off and don't represent them anymore. If he can find different organization to represent, he can still attend... Tomazos has been on lot of people's shit list, because his contributions suck... He decided that the title is too important to his ViSiOn for the chatgpt BS submitted as a paper, and that he won't change the title. This was the straw that broke the camel's back and his "sponsor" told him to fuck off.... There was also some back-and-forth on Hacker News. bun_terminator: r/cpp mods just woke up, banning everyone who question... this lunatic behavior. (Reddit moderator): We did not go on a banning spree, we banned only one person, you. After removing the comment where you insulted someone, I checked your history, noticed that you did not meaningfully participate in r/cpp outside this thread, and decided to remove someone from the community who'd only be there to cause trouble.

Read more of this story at Slashdot.

MacFORTH Code for 1984 Robot-Coding Game 'ChipWits' from 1984 is Now Open Source

Back in the mid-1980s Mark Roth was in 5th grade when the game ChipWits "helped kindle his interest in coding," according to an online biography. ("By middle school, he wrote his first Commodore 64 assembler and by high school he authored a 3D Graphics library for DOS.") And 40 years later, Slashdot reader markroth8 writes that the programming puzzle/logic game "inspired many people to become professional coders": ChipWits was first released for Mac in 1984, and was later ported to Commodore 64 and Apple II in 1985. To celebrate the game's 40th anniversary, the team behind the new Steam reboot of ChipWits (including its original co-creator Doug Sharp, also of fame for the game King of Chicago) is announcing the recovery and open source release of the original game's source code, written in the FORTH programming language, for both Mac and Commodore 64 platforms. Recovering data from 40-year old 5.25" and 3.5" disks was a challenge in and of itself, and most of the data survived unscathed! It's interesting to read the 40-year-old code, and compare it to modern game development. "Our goal for open sourcing the original version of ChipWits is to ensure its legacy lives on," according to the announcement. (It adds that "We also wanted to share an appreciation for what cross-platform software development for 8-bit microcomputers was like in 1984.")

Read more of this story at Slashdot.

GitHub Announces New Open Source Fund with Security Mentoring

The GitHub Secure Open Source Fund launched this week with an initial commitment of $1.25 million, reports TechCrunch, using "capital from contributors including American Express, 1Password, Shopify, Stripe, and GitHub's own parent company Microsoft." GitHub briefly teased the new initiative at its annual GitHub Universe developer conference last month, but Tuesday it announced full details and formally opened the program for applicants, which will be reviewed "on a rolling basis" through the closing date of January 7, 2025, with programming and funding starting shortly after... Tuesday's news builds on a number of previous GitHub initiatives designed to support project maintainers that work on key components of critical software, including GitHub Sponsors which landed in 2019 (and which is powering the new fund), but more directly the GitHub Accelerator program that launched its first cohort last year — the GitHub Secure Open Source Fund is essentially an extension of that. "We're trying to acknowledge the fact that we're the home of open source, ultimately, and we have an obligation to help ensure that open source can continue to thrive and have the support that it needs," GitHub Chief Operating Officer Kyle Daigle told TechCrunch in an interview. Qualifying projects can be pretty much any project that has an open source license, but of course GitHub will be looking at those that need the funds most — so Kubernetes can hold fire with its application. "We're looking for the outsized impact, which tends to be big projects with few maintainers that we all rely on," Daigle said. The sum of $1.25 million might sound like a reasonable amount, but it will be split across 125 projects, which means just $10,000 each — better than nothing, for sure, but a drop in the ocean on the grand scheme of things. However, Daigle is quick to stress that money is only part of the prize here — as with the initial accelerator program, maintainers embark on a three-week program, which includes mentorship, certification, education workshops, and ongoing access to GitHub tools. From GitHub's announcement: Since introducing support for organizations through GitHub Sponsors, more than 5,800 organizations, including Microsoft and Stripe, have invested in maintainers and projects on GitHub, up nearly 40% YoY. Cumulatively, the platform has unlocked over $60 million in funding for maintainers to help them spend more time working on their projects. But we know we're just scratching the surface when it comes to organizations and corporate support of open source. This summer, we partnered with the Linux Foundation and researchers from Laboratory for Innovation Science at Harvard (LISH) to learn more about the state of open source funding today. Diving in, we assessed organizations funding behaviors, potential misalignments, and opportunities to improve. In the report launched today, we found: - Responding organizations annually invest $1.7 billion in open source, which can be extrapolated to estimate that approximately $7.7 billion is invested across the entire open source ecosystem annually. - 86% of investment is in the form of contribution labor by employees and contractors working for the funding organization, with the remaining 14% being direct financial contributions. - Organizations generally know how and where they contribute (65%) but lack specific clarity of their contributions (38%). - Security efforts focus on bugs and maintenance; only a few (6%) said comprehensive security audits are a priority. We all stand to benefit from unlocking more funding for open source. By tackling problems like open source security as an ecosystem, we believe we can help create more available funding and resources that are vital to the sustainability of open source. Not every open source project or maintainer has access to funding and training for security. That's why we created a fund that everyone potentially eligible can apply for... This is the beginning of a journey into helping find ways to secure open source. On its own, it's not the answer, but we are confident it will help. We will be monitoring the impact of these investments and share what we learn as we go.

Read more of this story at Slashdot.

America's DEA Ordered to Stop Searching Random Travellers at Airports - and Seizing Their Cash

America's Justice Department "has ordered all consensual searches by drug enforcement agents conducted at the nation's airports stopped," reports Georgia's local TV station Atlanta News First — after their series of investigations "uncovered how the agents often search innocent passengers at airport gates, looking for cash." On Thursday, the department made public a November 12, 2024, directive from the deputy attorney general to the U.S. Drug Enforcement Administration (DEA) that it suspend "all consensual encounters at mass transportation facilities unless they are either connected to an ongoing, predicated investigation involving one or more identified targets or criminal networks or approved by the DEA Administrator based on exigent circumstances." The management advisory memorandum was issued by DOJ Inspector General Michael Horowitz. The memo specifically mentioned the case of an airline passenger interviewed by Atlanta News First Chief Investigator Brendan Keefe, author of the Atlanta News First investigation, In Plane Sight. The award-winning series uncovered how drug agents have been seizing anything over $5,000 if airline passengers can't prove — on the spot — that their own money didn't come from drug trafficking. The government seizes the cash when no drugs are found, without arresting the traveler or charging them with a crime, and the DEA gets to keep the money it seizes. After witnessing the Atlanta News First series, the passenger in question — who was departing from Cincinnati and heading to New York, where he lives — refused consent to have his bags searched at the gate... "The DOJ Office of the Inspector General (OIG) further learned that the DEA Task Force Group selected this traveler for the encounter based on information provided by a DEA confidential source, who was an employee of a commercial airline, about travelers who had purchased tickets within 48 hours of the travel," the memo said. "The OIG learned that the DEA had been paying this employee a percentage of forfeited cash seized by the DEA office from passengers at the local airport when the seizure resulted from information the employee had provided to the DEA. The employee had received tens of thousands of dollars from the DEA over the past several years." The news station's investigation "also revealed passengers selected for what the government calls 'random, consensual encounters' are actually profiled by the drug agents who search Black men far more often than any other group of passengers," according to the article. "The reports analyzed data showing that, for drug agents to find just one passenger with money, they have to publicly search 10 departing passengers."

Read more of this story at Slashdot.

Mars Meteorite Reveals New Evidence That Hot Water Flowed on Ancient Mars

"Scientists have found what seems to be the oldest direct evidence of hot water flowing on Mars during its ancient past," reports Space.com. "The discovery could further indicate that the Red Planet, despite its arid and desolate appearance today, may have been capable of supporting life long ago." The evidence was delivered to Earth and sealed within the well-known Martian meteorite NWA7034, found in the Sahara Desert in 2011. Due to its black, highly polished appearance, the Martian rock is also known as "Black Beauty." At an estimated 2 billion years old, Black Beauty is the second oldest Martian meteorite ever discovered. However, the Curtin University team discovered something even older within it: a 4.45 billion-year-old zircon grain that harbors the fingerprints of fluids rich in water. Team member Aaron Cavosie from Curtin's School of Earth and Planetary Sciences thinks this discovery will open up new avenues to understanding hydrothermal systems associated with the activity of volcanic magma that once ran through Mars. "We used nano-scale geochemistry to detect elemental evidence of hot water on Mars 4.45 billion years ago," Cavosie said in a statement. "Hydrothermal systems were essential for the development of life on Earth, and our findings suggest Mars also had water, a key ingredient for habitable environments, during the earliest history of crust formation...." [T]his new research implies that water in liquid form may have existed on Mars even earlier than previously expected in the planet's pre-Noachian period.

Read more of this story at Slashdot.

Bank Employees Resign After Executive Demands Return to Offices Without Space for Everyone

Slashdot reader Bruce66423 shared this report from the Guardian: Staff have resigned at Starling Bank after its new chief executive demanded thousands of workers attend its offices more frequently, despite lacking enough space to host them. In his first major policy change since taking over from the UK digital bank's founder, Anne Boden, in March, Raman Bhatia has ordered all hybrid staff — many of whom were in the office only one or two days a week, or on an ad-hoc basis — to travel to work for a minimum of 10 days each month. But the bank, which operates online only, admitted that some of its offices would not be equipped to handle the influx... "We are considering ways in which we can create more space," an email sent by Starling's human resources team and seen by the Guardian said. Starling has 3,231 staff, the vast majority of whom are in the UK with some also in Dublin. However, the Guardian understands that the bank has only about 900 desks, including 260 at its Cardiff site, 320 in its London headquarters and 155 in Southampton. The bank has a further 160 desks in its newest site in Manchester, where it has signed a 10-year lease to occupy the fifth floor of the Landmark building, which also houses Santander UK and HSBC staff... Some staff have already resigned over the "rushed" announcement, while others have threatened to do so... The return to office announcement came a month after the Financial Conduct Authority hit Starling with a £29m fine after discovering "shockingly lax" controls that it said left the financial system "wide open to criminals". That included failures in its automated screening system for individuals facing government sanctions. Starling Bank issued this statement to explain its reasoning. "By bringing colleagues together in person, our aim is to achieve greater collaboration that will benefit our customers as we enter Starling's next phase of growth." The article also notes that the U.K. supermarket chain Asda "has also toughened its stance, making it compulsory for thousands of workers at its offices in Leeds and Leicester to spend at least three days a week at their desks from the new year."

Read more of this story at Slashdot.

'Potentially Toxic' Chemical Byproduct May Be Present in 1/3 of US Drinking Water

NBC News reports that a newly identified chemical byproduct "may be present in drinking water in about a third of U.S. homes, a study found." "Scientists do not yet know whether the byproduct is dangerous. But some are worried that it could have toxic properties because of similarities to other chemicals of concern." The newly identified substance, named "chloronitramide anion," is produced when water is treated with chloramine, a chemical formed by mixing chlorine and ammonia. Chloramine is often used to kill viruses and bacteria in municipal water treatment systems. Researchers said the existence of the byproduct was discovered about 40 years ago, but it was only identified now because analysis techniques have improved, which finally enabled scientists to determine the chemical's structure. It could take years to figure out whether chloronitramide anion is dangerous — it's never been studied. The researchers reported their findings Thursday in the journal Science, in part to spur research to address safety concerns. The scientists said they have no hard evidence to suggest that the compound represents a danger, but that it bears similarities to other chemicals of concern. They think it deserves scrutiny because it's been detected so widely... David Reckhow, a research professor in civil and environmental engineering at the University of Massachusetts, Amherst, who was not involved with the study, said the finding was an important step. The ultimate goal, he said, is understanding whether the substance is a hazard; he concurred that it was likely toxic. "It's a pretty small molecule and it can probably for that reason enter into biological systems and into cells. And it is still a reactive molecule," he said. "Those are the kinds of things you worry about." "It's estimated more than 113 million people drink chloraminated processed water in the U.S.," according to a follow-up article by ABC News. But they also include this quote from Dr. Stephanie Widmer, a board-certified medical toxicologist and emergency medicine physician. "The reality is that no one really knows too much about this chloronitramide and its impact on human health, and more research needs to be done. These disinfecting chemicals have been giving us clean drinking water for decades, so no reason to fear drinking water as a result of this study." Although ABC News tacks on this sentence. "The study authors suggest, in general, adding a carbon filter to a sink or a standalone pitcher may be a good option for those concerned." Thanks to long-time Slashdot reader Greymane for sharing the news.

Read more of this story at Slashdot.

Verify the Rust's Standard Library's 7,500 Unsafe Functions - and Win 'Financial Rewards'

The Rust community has "recognized the unsafety of Rust (if used incorrectly)," according to a blog post by Amazon Web Services. So now AWS and the Rust Foundation are "crowdsourcing an effort to verify the Rust standard library," according to an article at DevClass.com, "by setting out a series of challenges for devs and offering financial rewards for solutions..." Rust includes ways to bypass its safety guarantees though, with the use of the "unsafe" keyword... The issue AWS highlights is that even if developers use only safe code, most applications still depend on the Rust standard library. AWS states that there are approximately 7.5K unsafe functions in the Rust Standard Library and notes that 57 "soundness issues" and 20 CVEs (Common Vulnerabilities and Exposures) have been reported in the last three years. [28% of the soundness issues were discovered in 2024.] Marking a function as unsafe does not mean it is vulnerable, only that Rust does not guarantee its safety. AWS plans to reduce the risk by using tools and techniques for formal verification of key library code, but believes that "a single team would be unable to make significant inroads" for reasons including the lack of a verification mechanism in the Rust ecosystem and what it calls the "unknowns of scalable verification." The plan therefore is to turn this over to the community, by posing challenges and rewarding developers for solutions.... A GitHub repository provides a fork of the Rust code and includes a set of challenges, currently 13 of them... The Rust Foundation says that there is a financial reward tied to each challenge, and that the "challenge rewards committee is responsible for reviewing activity and dispensing rewards." How much will be paid though is not stated. Despite the wide admiration for Rust, there is no formal specification for the language, an issue which impacts formal verification efforts. Thanks to Slashdot reader sean-it-all for sharing the news.

Read more of this story at Slashdot.

Does GitHub Copilot Improve Code Quality?

Microsoft-owned GitHub published a blog post asking "Does GitHub Copilot improve code quality? Here's what the data says." Its first paragraph includes statistics from past studies — that GitHub Copilot has helped developers code up to 55% faster, leaving 88% of developers feeling more "in the flow" and 85% feeling more confident in their code. But does it improve code quality? [W]e recruited 202 [Python] developers with at least five years of experience. Half were randomly assigned GitHub Copilot access and the other half were instructed not to use any AI tools... We then evaluated the code with unit tests and with an expert review conducted by developers. Our findings overall show that code authored with GitHub Copilot has increased functionality and improved readability, is of better quality, and receives higher approval rates... Developers with GitHub Copilot access had a 56% greater likelihood of passing all 10 unit tests in the study, indicating that GitHub Copilot helps developers write more functional code by a wide margin. In blind reviews, code written with GitHub Copilot had significantly fewer code readability errors, allowing developers to write 13.6% more lines of code, on average, without encountering readability problems. Readability improved by 3.62%, reliability by 2.94%, maintainability by 2.47%, and conciseness by 4.16%. All numbers were statistically significant... Developers were 5% more likely to approve code written with GitHub Copilot, meaning that such code is ready to be merged sooner, speeding up the time to fix bugs or deploy new features. "While GitHub's reports have been positive, a few others haven't," reports Visual Studio magazine: For example, a recent study from Uplevel Data Labs said, "Developers with Copilot access saw a significantly higher bug rate while their issue throughput remained consistent." And earlier this year a "Coding on Copilot" whitepaper from GitClear said, "We find disconcerting trends for maintainability. Code churn — the percentage of lines that are reverted or updated less than two weeks after being authored — is projected to double in 2024 compared to its 2021, pre-AI baseline. We further find that the percentage of 'added code' and 'copy/pasted code' is increasing in proportion to 'updated,' 'deleted,' and 'moved 'code. In this regard, AI-generated code resembles an itinerant contributor, prone to violate the DRY-ness [don't repeat yourself] of the repos visited."

Read more of this story at Slashdot.

More Business School Researchers Accused of Fabricated Findings

June, 2023: "Harvard Scholar Who Studies Honesty Is Accused of Fabricating Findings." November, 2024: "The Business-School Scandal That Just Keeps Getting Bigger." A senior editor at the Atlantic raises the possibility of systemic dishonesty-rewarding incentives where "a study must be even flashier than all the other flashy findings if its authors want to stand out," writing that "More than a year since all of this began, the evidence of fraud has only multiplied." And the suspect isn't just Francesca Gino, a Harvard Business School professor. One person deeply affected by all this is Gino's co-author, a business school professor from the University of California at Berkeley — Juliana Schroeder — who launched an audit of all 138 studies conducted by Francesca Gino (called "The Many Coauthors Project"): Gino was accused of faking numbers in four published papers. Just days into her digging, Schroeder uncovered another paper that appeared to be affected — and it was one that she herself had helped write... The other main contributor was Alison Wood Brooks, a young professor and colleague of Gino's at Harvard Business School.... If Brooks did conduct this work and oversee its data, then Schroeder's audit had produced a dire twist. The Many Co-Authors Project was meant to suss out Gino's suspect work, and quarantine it from the rest... But now, to all appearances, Schroeder had uncovered crooked data that apparently weren't linked to Gino.... Like so many other scientific scandals, the one Schroeder had identified quickly sank into a swamp of closed-door reviews and taciturn committees. Schroeder says that Harvard Business School declined to investigate her evidence of data-tampering, citing a policy of not responding to allegations made more than six years after the misconduct is said to have occurred... In the course of scouting out the edges of the cheating scandal in her field, Schroeder had uncovered yet another case of seeming science fraud. And this time, she'd blown the whistle on herself. That stunning revelation, unaccompanied by any posts on social media, had arrived in a muffled update to the Many Co-Authors Project website. Schroeder announced that she'd found "an issue" with one more paper that she'd produced with Gino... [Schroeder] said that the source of the error wasn't her. Her research assistants on the project may have caused the problem; Schroeder wonders if they got confused... What feels out of reach is not so much the truth of any set of allegations, but their consequences. Gino has been placed on administrative leave, but in many other instances of suspected fraud, nothing happens. Both Brooks and Schroeder appear to be untouched. "The problem is that journal editors and institutions can be more concerned with their own prestige and reputation than finding out the truth," Dennis Tourish, at the University of Sussex Business School, told me. "It can be easier to hope that this all just goes away and blows over and that somebody else will deal with it...." [Tourish also published a 2019 book decrying "Fraud, Deception and Meaningless Research," which the article notes "cites a study finding that more than a third of surveyed editors at management journals say they've encountered fabricated or falsified data."] Maybe the situation in her field would eventually improve, [Schroeder] said. "The optimistic point is, in the long arc of things, we'll self-correct, even if we have no incentive to retract or take responsibility." "Do you believe that?" I asked. "On my optimistic days, I believe it." "Is today an optimistic day?" "Not really."

Read more of this story at Slashdot.

Meta Wants Apple and Google to Verify the Age of App Downloaders

Meta wants to force Apple and Google to verify the ages of people downloading apps from their app stores, reports the Washington Post — and now Meta's campaign "is picking up momentum" with legislators in the U.S. Congress. Federal and state lawmakers have recently proposed a raft of measures requiring that platforms such as Meta's Facebook and Instagram block users under a certain age from using their sites. The push has triggered fierce debate over the best way to ascertain how old users are online. Last year Meta threw its support behind legislation that would push those obligations onto app stores rather than individual app providers, like itself, as your regular host and Naomi Nix reported. While some states have considered the plan, it has not gained much traction in Washington. That could be shifting. Two congressional Republicans are preparing a new age verification bill that places the burden on app stores, according to two people familiar with the matter, who spoke on the condition of anonymity to discuss the plans... The bill would be the first of its kind on Capitol Hill, where lawmakers have called for expanding guardrails for children amid concerns about the risks of social media but where political divisions have bogged down talks. The measure would give parents the right to sue an app store if their child was exposed to certain content, such as lewd or sexual material, according to a copy obtained by the Tech Brief. App stores could be protected against legal claims, however, if they took steps to protect children against harms, such as verifying their ages and giving parents the ability to block app downloads. The article points out that U.S. lawmakers "have the power to set national standards that could override state efforts if they so choose..."

Read more of this story at Slashdot.

Sabotage or Accident? American and European Officials Disagree On What Caused Cuts to Two Undersea Cables

CNN reports that investigators "are trying to crack the mystery of how two undersea internet cables in the Baltic Sea were cut within hours of each other." But there's now two competing viewpoints, "with European officials saying they believe the disruption was an act of sabotage and U.S. officials suggesting it was likely an accident." The foreign ministers of Finland and Germany said in a joint statement that they were "deeply concerned" about the incident and raised the possibility that it was part of a "hybrid warfare," specifically mentioning Russia in their statement. Their assessment was not plucked out of thin air. Russia has been accused of waging a hybrid war against Europe after a string of suspicious incidents, arson attacks, explosions and other acts of sabotage across multiple European countries were traced back to Moscow. And the disruption to the cables came just weeks after the US warned that Moscow was likely to target critical undersea infrastructure. This followed months of suspicious movements of Russian vessels in European waters and the significant beefing up of a dedicated Russian secretive marine unit tasked with surveying the seabed... But two US officials familiar with the initial assessment of the incident told CNN on Tuesday the damage was not believed to be deliberate activity by Russia or any other nation. Instead, the two officials told CNN they believed it likely caused by an anchor drag from a passing vessel. Such accidents have happened in the past, although not in a quick succession like the two on Sunday and Monday. Cloudflare's blog also reminds readers that the two cable cuts resulted in little-to-no observable impact Cloudflare attributes this largely to "the significant redundancy and resilience of Internet infrastructure in Europe." (Their Cloudflare Radar graphs show that after the Sweden-Lithuania cable cut "there was no apparent impact to traffic volumes in either country at the time that the cables were damaged.") Telegeography's submarinecablemap.com illustrates, at least in part, the resilience in connectivity enjoyed by these two countries. In addition to the damaged cable, it shows that Lithuania is connected to neighboring Latvia as well as to the Swedish mainland. Over 20 submarine cables land in Sweden, connecting it to multiple countries across Europe. In addition to the submarine resilience, network providers in both countries can take advantage of terrestrial fiber connections to neighboring countries, such as those illustrated in a European network map from Arelion (formerly Telia), which is only one of the large European backbone providers. Less than a day later, the C-Lion1 submarine cable, which connects Helsinki, Finland and Rostock Germany was reportedly damaged during the early morning hours of Monday, November 18... In this situation as well, as the Cloudflare Radar graphs below show, there was no apparent impact to traffic volumes in either country at the time that the cables were damaged... Telegeography's submarinecablemap.com shows that both Finland and Germany also have significant redundancy and resilience from a submarine cable perspective, with over 10 cables landing in Finland, and nearly 10 landing in Germany, including Atlantic Crossing-1 (AC-1), which connects to the United States over two distinct paths. Terrestrial fiber maps from Arelion and eunetworks (as just two examples) show multiple redundant fiber routes within both countries, as well as cross-border routes to other neighboring countries, enabling more resilient Internet connectivity. See also Does the Internet Route Around Damage?

Read more of this story at Slashdot.

SilverStone's Retro Beige PC Case Turns April Fools' Joke into Actual Product

Slashdot reader jjslash shared this report from TechSpot: The SilverStone FLP01 made quite the impression when it was shared on X for April Fools' Day 2023. Loosely modeled after popular desktops from yesteryear like the NEC PC-9800 series, the chassis features dual 5.25-inch faux floppy bays that could stand to look a bit more realistic. Notably, the covers flip open to reveal access to a more modern (yet still legacy) optical drive and front I/O ports. Modern-looking fan grills can be found on either side of the desktop, serving as yet another hint that the chassis is not as old at it appears on first glance. The grills look to be removable, and probably hold washable dust filters. Like early desktops, the system doubles as a stand for your monitor. The use of a green power LED up front helps round out the retro look; a red LED is used as a storage activity indicator.

Read more of this story at Slashdot.

❌