Linux news

Ivanti Warns of Critical Vulnerability In Its Popular Line of Endpoint Protection Software

Slashdot - Sat, 2024-01-06 02:02
Dan Goodin reports via Ars Technica: Software maker Ivanti is urging users of its end-point security product to patch a critical vulnerability that makes it possible for unauthenticated attackers to execute malicious code inside affected networks. The vulnerability, in a class known as a SQL injection, resides in all supported versions of the Ivanti Endpoint Manager. Also known as the Ivanti EPM, the software runs on a variety of platforms, including Windows, macOS, Linux, Chrome OS, and Internet of Things devices such as routers. SQL injection vulnerabilities stem from faulty code that interprets user input as database commands or, in more technical terms, from concatenating data with SQL code without quoting the data in accordance with the SQL syntax. CVE-2023-39336, as the Ivanti vulnerability is tracked, carries a severity rating of 9.6 out of a possible 10. "If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication," Ivanti officials wrote Friday in a post announcing the patch availability. "This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL express, this might lead to RCE on the core server." RCE is short for remote code execution, or the ability for off-premises attackers to run code of their choice. Currently, there's no known evidence the vulnerability is under active exploitation. Ivanti has also published a disclosure that is restricted only to registered users. A copy obtained by Ars said Ivanti learned of the vulnerability in October. [...] Putting devices running Ivanti EPM behind a firewall is a best practice and will go a long way to mitigating the severity of CVE-2023-39336, but it would likely do nothing to prevent an attacker who has gained limited access to an employee workstation from exploiting the critical vulnerability. It's unclear if the vulnerability will come under active exploitation, but the best course of action is for all Ivanti EPM users to install the patch as soon as possible.

Read more of this story at Slashdot.

Categories: Linux news

Apple Revives Old Fight With Hey Email App

Slashdot - Sat, 2024-01-06 01:25
Shortly after the premium email service Hey announced a standalone Hey Calendar app, co-founder David Heinemeier Hansson said it was rejected by Apple for violating App Store rules. "Apple just called to let us know they're rejecting the HEY Calendar app from the App Store (in current form)," wrote DHH on X. "Same bullying tactics as last time: Push delicate rejections to a call with a first-name-only person who'll softly inform you it's your wallet or your kneecaps. Since it's clear we're never going to pay them the extortionate 30% ransom, they're back to the bullshit about 'the app doesn't do anything when you download it.' Despite the fact that after last time, they specifically carved out HEY in App Store Review Guidelines 3.1.3 (f)!" The Verge's Amrita Khalid reports: New users can't sign up for Hey Calendar directly on the app -- Basecamp, which makes Hey, makes users first sign up through a browser. Apple's App Store rules require most paid services to offer users the ability to pay and sign up through the app, ensuring the company gets up to a 30 percent cut. The controversial rule has a ton of gray areas and carve-outs (i.e. reader apps like Spotify and Kindle get an exception) and is the subject of antitrust fights in multiple countries. But as Hansson detailed on X and in a subsequent blog post, he found Apple's rejection insulting for another reason. Close to four years ago, the company rejected Hey's original iOS app for its email service for the exact same reason. The outcome of the 2020 fight actually worked out in Hey's favor. After days of back and forth between Apple's App Store Review Board and Basecamp, the Hey team agreed to a rather creative solution suggested by Apple exec Phil Schiller. Hey would offer a free option for the iOS app, allowing new users to sign up directly. 
But the company had a slight twist -- users who signed up via the iOS app got a free, temporary randomized email address that worked for 14 days -- after which they had to pay to upgrade. Currently, Hey email users can only pay for an account through the browser. Following the saga with Hey, Apple made a carve-out to its App Store rules that stated that free companion apps to certain types of paid web services were not required to have an in-app payment mechanism. But, as Hansson mentions on X, a calendar app wasn't mentioned in the list of services that Apple now makes an exception for, which includes VOIP, cloud storage, web hosting -- and of course -- email. Hansson plans to fight Apple's decision without elaborating on exactly how he intends to do so.


ChatGPT Could Soon Replace Google Assistant On Your Android Phone

Slashdot - Sat, 2024-01-06 00:45
Code within the latest version of the ChatGPT Android app suggests that you'll soon be able to set it as the default assistant app, replacing the Google Assistant. Android Authority's Mishaal Rahman reports: ChatGPT version 1.2023.352, released last month, added a new activity named com.openai.voice.assistant.AssistantActivity. The activity is disabled by default, but after manually enabling and launching it, an overlay appears on the screen with the same swirling animation as the one shown when using the in-app voice chat mode. This overlay appears over other apps and doesn't take up the entire screen like the in-app voice chat mode. So, presumably, you could talk to ChatGPT from any screen by invoking this assistant. However, in my testing, the animation never finished and the activity promptly closed itself before I could speak with the chatbot. This could either be because the feature isn't finished yet or is being controlled by some internal flag. [...] However, the fact that the aforementioned XML file even exists hints that this is what OpenAI intends to do with the app. Making the ChatGPT app Android's default digital assistant app would enable users to launch it by long-pressing the home button (if using three-button navigation) or swiping up from a bottom corner (if using gesture navigation). Unfortunately, the ChatGPT app still wouldn't be able to create custom hotwords or respond to existing ones, since that functionality requires access to privileged APIs only available to trusted, preinstalled apps. Still, given that Google will launch Assistant with Bard any day now, it makes sense that OpenAI wants to make it easier for Android users to access ChatGPT so that users don't flock to Bard just because it's easier to use.


Drones Are the New Drug Mules

Slashdot - Sat, 2024-01-06 00:02
An anonymous reader quotes a report from VICE News: Last week border officials in the Punjab region of India revealed they intercepted 107 drug-carrying drones sent by smuggling gangs last year over the border from Pakistan, the highest number on record. Most were carrying heroin or opium from Pakistan to be dropped and received by collaborators in the Punjab, notorious for having India's worst levels of opiate addiction. Last year the head of a police narcotics unit in Lahore, a city in Pakistan which borders the Punjab, was dismissed after he was suspected of running a drug trafficking gang sending drones over to India. But the use of cheap flying robots instead of humans to smuggle drugs across borders is a worldwide phenomenon. [...] [D]rones will likely become an everyday part of drug dealing too, according to Peter Warren Singer, author of multiple books on national security and a Fellow at think tank New America, with legit medicines due to be delivered by drone in the U.S. later this year and maybe in the U.K. too. "We are just scraping the surface of what is possible, as drone deliveries become more and more common in the commercial world, it will be the same with delivery of illicit goods. In our book, Burn-In, we explain how a future city will see drones zipping about delivering everything from groceries and burritos to drugs, both prescribed by a doctor or bought off a dealer. Drones have traditionally been used by governments and corporations for what are known as the "3 D's" jobs that are too dull, dirty, or dangerous for humans. For criminals, it is the same, except add in another D: Dependable. A drone doesn't steal the product and can't be arrested or snitch if caught." Liam O'Shea, senior research fellow for organized crime and policing at defense and security thinktank RUSI, said drones were at the moment of limited value to wholesale traffickers and organized criminal gangs because of their range and the weight they can carry. 
"It makes sense that smugglers would seek to use drones. They are cheap and easy to acquire. They also lower the risks involved in some transactions, as smugglers do not have to be physically present during transactions. They offer opportunities for smuggling in areas where previous routes were too risky, such as prisons and over securitized borders. "I expect them to be of greater value to smaller players and distributors dealing with smaller quantities. Wholesale drug traffickers will still need to use routes that facilitate smuggling at higher volume or using drones to make multiple trips, which entails risks of detection. That may well change as improvements in technology improve drones' carrying capacity and crime groups are better able to access drones with greater capacity."


Tesla's First Smart Home Partner Is Samsung SmartThings

Slashdot - Fri, 2024-01-05 23:20
Tesla and Samsung are joining forces to allow users of Samsung's SmartThings platform to connect to Tesla products so they can keep track of energy production and usage. The Verge reports: When connected to the Powerwall, SmartThings Energy can sync with the "Storm Watch" feature so that you're notified of heavy weather on a Samsung phone or TV, for example. In addition to the Powerwall, SmartThings Energy will be able to connect to other Tesla products, including its electric vehicles, Solar Inverter, and Wall Connector charging solutions. The collaboration is possible thanks to Tesla's API, which Samsung claims SmartThings Energy is the first to take advantage of.


Spotify's Editorial Playlists Are Losing Influence Amid AI Expansion

Slashdot - Fri, 2024-01-05 22:40
Once a dominant force in music discovery, Spotify's famed playlists like RapCaviar, which significantly influenced mainstream music and artist visibility, are losing ground. As the music industry shifts towards algorithmic suggestions and TikTok emerges as a major music promoter, Spotify's strategy evolves with more automated music discovery and less emphasis on human-curated playlists, signaling a potential end to the era where a few key playlists could make a star overnight. Bloomberg reports: Enter TikTok. In the late 2010s, as the algorithmic controlled, short-form video app emerged as a growing force in music promotion, Spotify took notice. On an earnings call in 2020, Spotify Chief Executive Officer Daniel Ek noted that users were increasingly opting for algorithmic suggestions and that Spotify would be leaning into the trend. "As we're getting better and better at personalization, we're serving better and better content and more and more of our users are choosing that," he said. From there, Spotify began implementing a number of changes that over time significantly altered the fundamental dynamics of how playlists get composed. Among other things, the company had already introduced a standardized pitching form that all artists and managers must use to submit tracks for playlist consideration. One former employee says the tool was created to foster a more merit-based system with a greater emphasis on data -- and less focus on the taste of individual curators. The goal, in part, was to give independent and smaller artists without the resources to personally court key playlist editors a better chance at placements. It was also a way to better protect the public-facing editors who in the early days were sometimes subjected to harassment from people disgruntled over their musical choices. As the automated submission system took hold, the editors gradually grew more anonymous and less associated with particular playlists. 
In a handbook for the editorial team, Spotify instructed curators not to claim ownership of any one playlist. At the same time, Spotify began introducing multiple splashy features meant to encourage algorithm-driven listening, including an AI DJ and Daylist, two features that constantly change to fit listeners' habits and interests. (Spotify says "human expertise" guides the AI DJ.) Last year, Spotify laid off members of the teams involved in making playlists as part of its various cuts. And over time, the shift in emphasis has had consequences outside the company as well. These days, the same music industry sources who in the late 2010s learned to obsess over what was included and excluded from key Spotify playlists have started noticing something else -- it no longer seems to matter as much. Employees at different major labels say they've seen streams coming from RapCaviar drop anywhere from 30% to 50%. The trend towards automated music discovery at Spotify shows no sign of slowing down. One internal presentation titled "Recapturing the Zeitgeist" encourages editorial curators to better utilize data. According to the people who have seen the plan, in addition to putting together a playlist, editorial curators would tag songs to help the algorithm accurately place them on relevant playlists that are automatically personalized for individual subscribers. The company has also shifted some human-curated playlists to personalized versions, including selections with seven-figure followings, like Housewerk and Indie Pop. These days, Spotify is also promoting something called Discovery Mode, wherein labels and artist teams can submit songs for additional algorithm pushes in exchange for a lower royalty rate. These tracks can only surface on personalized listening sessions, a former employee said, meaning Spotify would have a financial incentive to push people to them over editorially curated playlists. 
(For now, Discovery Mode songs only surface in radio or autoplay listening sessions.) The shift toward algorithmic distribution isn't necessarily a bad thing, says Dan Smith, US general manager at Armada, an independent dance label. "The way fans discovered new music was radio back in the day, then Spotify editorial playlists, then there were a few years where people only discovered new music through TikTok," Brad said. "All those things still work ... we're all just trying different ways to make sure songs get to the right people."


US Moves Closer To Filing Sweeping Antitrust Case Against Apple

Slashdot - Fri, 2024-01-05 22:00
An anonymous reader quotes a report from the New York Times: The Justice Department is in the late stages of an investigation into Apple and could file a sweeping antitrust case taking aim at the company's strategies to protect the dominance of the iPhone as soon as the first half of this year, said three people with knowledge of the matter. The agency is focused on how Apple has used its control over its hardware and software to make it more difficult for consumers to ditch the company's devices, as well as for rivals to compete, said the people, who spoke anonymously because the investigation was active. Specifically, investigators have examined how the Apple Watch works better with the iPhone than with other brands, as well as how Apple locks competitors out of its iMessage service. They have also scrutinized Apple's payments system for the iPhone, which blocks other financial firms from offering similar services, these people said. The Justice Department is closing in on what would be the most consequential federal antitrust lawsuit challenging Apple, which is the most valuable tech company in the world. If the lawsuit is filed, American regulators will have sued four of the biggest tech companies for monopolistic business practices in less than five years. The Justice Department is currently facing off against Google in two antitrust cases, focused on its search and ad tech businesses, while the Federal Trade Commission has sued Amazon and Meta for stifling competition. The Apple suit would likely be even more expansive than previous challenges to the company, attacking its powerful business model that draws together the iPhone with devices like the Apple Watch and services like Apple Pay to attract and keep consumers loyal to its products. Rivals have said that they have been denied access to key Apple features, like the Siri virtual assistant, prompting them to argue the practices are anticompetitive.


After crippling cancer hospital with ransomware, crims threaten to swat patients

TheRegister - Fri, 2024-01-05 21:54
Remember the good old days when ransomware crooks vowed not to infect medical centers?

Extortionists are now threatening to swat hospital patients — calling in bomb threats or other bogus reports to the police so heavily armed cops show up at victims' homes — if the medical centers don't pay the crooks' ransom demands.…


Microsoft Pulls the Plug on WordPad

Slashdot - Fri, 2024-01-05 21:20
Microsoft has begun ditching WordPad from Windows and removed the editor from the first Canary Channel build of 2024. From a report: We knew it was coming, but the reality has arrived in the Canary Channel. A clean install will omit WordPad as of build 26020 of Windows 11. At an undisclosed point, the application will be removed on upgrade. The People app is also being axed, as expected, and the Steps Recorder won't be getting any more updates and will instead show a banner encouraging users to try something else. Perhaps ClipChamp? WordPad was always an odd tool. Certainly not something one would want to edit text with, but not much of a word processor either. It feels like a throwback to a previous era. However, it was also free, came with Windows, and didn't insist on having a connection to the internet for it to work.


NIST: If someone's trying to sell you some secure AI, it's snake oil

TheRegister - Fri, 2024-01-05 20:56
You really think someone would do that? Go on the internet and tell lies?

Predictive and generative AI systems remain vulnerable to a variety of attacks and anyone who says otherwise isn't being entirely honest, according to Apostol Vassilev, a computer scientist with the US National Institute of Standards and Technology (NIST).…


Huawei Teardown Shows 5nm Chip Made in Taiwan, Not China

Slashdot - Fri, 2024-01-05 20:40
Huawei's newest laptop runs on a chip made by Taiwan Semiconductor Manufacturing Co., a teardown of the device showed, quashing talk of another Chinese technological breakthrough. From a report: The Qingyun L540 notebook contains a 5-nanometer chip made by the Taiwanese company in 2020, around the time US sanctions cut off Huawei's access to the chipmaker, research firm TechInsights found after dismantling the device for Bloomberg News. That counters speculation that Huawei's mainland Chinese chipmaking partner, Semiconductor Manufacturing International Corp., may have achieved a major leap in fabrication technique. Huawei caused a stir in the US and China last August when it released a smartphone with a 7nm processor made by Shanghai-based SMIC. A teardown by the Canada-based research outfit for Bloomberg News showed the Mate 60 Pro's chip was only a few years behind the cutting edge, a feat that US trade curbs were meant to prevent. That revelation spurred celebration across the Chinese tech scene, and a debate in the US about the effectiveness of sanctions.


FDA Issues First Approval for Mass Drug Imports To States From Canada

Slashdot - Fri, 2024-01-05 20:02
The Food and Drug Administration has allowed Florida to import millions of dollars worth of medications from Canada at far lower prices than in the United States, overriding fierce decades-long objections from the pharmaceutical industry. From a report: The approval, issued in a letter to Florida Friday, is a major policy shift for the United States, and supporters hope it will be a significant step forward in the long and largely unsuccessful effort to rein in drug prices. Individuals in the United States are allowed to buy directly from Canadian pharmacies, but states have long wanted to be able to purchase medicines in bulk for their Medicaid programs, government clinics and prisons from Canadian wholesalers. Florida has estimated that it could save up to $150 million in its first year of the program, importing medicines that treat H.I.V., AIDS, diabetes, hepatitis C and psychiatric conditions. Other states have applied to the F.D.A. to set up similar programs. But significant hurdles remain. The pharmaceutical industry's major lobbying organization, the Pharmaceutical Research and Manufacturers of America, or PhRMA, which has sued over previous importation efforts, is expected to file suit to prevent the Florida plan from going into effect. Some drug manufacturers have agreements with Canadian wholesalers not to export their medicines, and the Canadian government has already taken steps to block the export of prescription drugs that are in short supply.


Teardown finds Huawei's 5nm notebook processor was made in Taiwan, not China

TheRegister - Fri, 2024-01-05 19:58
Stockpiled TSMC silicon from 2020 shock!

Did Huawei's domestic fab partners somehow develop the means to mass produce a 5nm laptop chip in spite of US sanctions designed to prevent just that? No, they most certainly did not.…


Uncle Sam will pay for your big ideas to end AI voice-cloning fraud

TheRegister - Fri, 2024-01-05 19:28
The advent of generative AI has made the attack far more pervasive

The Federal Trade Commission (FTC) is promising a $25,000 reward for the best solution to combat the growing threat of AI voice cloning.…


Flowers Are Evolving To Have Less Sex

Slashdot - Fri, 2024-01-05 19:20
As the number of bees and other pollinators falls, field pansies are adapting by fertilizing their own seeds, a new study found. From a report: Every spring, trillions of flowers mate with the help of bees and other animals. They lure the pollinators to their flowers with flashy colors and nectar. As the animals travel from flower to flower, they take pollen with them, which can fertilize the seeds of other plants. A new study suggests that humans are quickly altering this annual rite of spring. As toxic pesticides and vanishing habitats have driven down the populations of bees and other pollinators, some flowers have evolved to fertilize their own seeds more often, rather than those of other plants. Scientists said they were surprised by the speed of the changes, which occurred in just 20 generations. "That's rapid evolution," said Pierre-Olivier Cheptou, an evolutionary ecologist at the University of Montpellier in France who led the research. Dr. Cheptou was inspired to carry out the study when it became clear that bees and other pollinators were in a drastic decline. Would flowers that depend on pollinators for sex, he wondered, find another way to reproduce? The study focused on a weedy plant called the field pansy, whose white, yellow and purple flowers are common in fields and on roadsides across Europe. Field pansies typically use bumblebees to sexually reproduce. But they can also use their own pollen to fertilize their own seeds, a process called selfing. Selfing is more convenient than sex, since a flower does not have to wait for a bee to drop by. But a selfing flower can use only its own genes to produce new seeds. Sexual reproduction allows flowers to mix their DNA, creating new combinations that may make them better prepared for diseases, droughts and other challenges that future generations may face. To track the evolution of field pansies in recent decades, Dr. Cheptou and his colleagues took advantage of a cache of seeds that France's National Botanical Conservatories collected in the 1990s and early 2000s. The researchers compared these old flowers with new ones from across the French countryside. After growing the new and old seeds side by side in the lab under identical conditions, they discovered that selfing had increased 27 percent since the 1990s.


Boeing Wants FAA To Exempt MAX 7 From Safety Rules To Get It in the Air

Slashdot - Fri, 2024-01-05 18:40
Little noticed, days before the holiday break, Boeing petitioned the Federal Aviation Administration for an exemption from key safety standards for the 737 MAX 7 -- the still-uncertified smallest member of its newest jet family. Seattle Times: Since August, earlier models of the MAX currently flying passengers in the U.S. have had to limit use of the jet's engine anti-ice system after Boeing discovered a defect in the system with potentially catastrophic consequences. The flaw could cause the inlet at the front end of the pod surrounding the engine -- known as a nacelle -- to break and fall off. In an August Airworthiness Directive, the FAA stated that debris from such a breakup could penetrate the fuselage, putting passengers seated at windows behind the wings in danger, and could damage the wing or tail of the plane, "which could result in loss of control of the airplane." Dennis Tajer, a spokesperson for the Allied Pilots Association, the union representing 15,000 American Airlines pilots, said the flaw in the engine anti-ice system has "given us great concern." He said the pilot procedure the FAA approved as an interim solution -- urging pilots to make sure to turn off the system when icing conditions dissipate to avoid overheating that within five minutes could seriously damage the structure of the nacelle -- is inadequate given the serious potential danger. "You get our attention when you say people might get killed," Tajer said. "We're not interested in seeing exemptions and accommodations that depend on human memory. ... There's just got to be a better way." In its petition to the FAA, Boeing argues the breakup of the engine nacelle is "extremely improbable" and that an exemption will not reduce safety. "The 737 MAX has been in service since 2017 and has accumulated over 6.5 million flight hours. In that time, there have been no reported cases of parts departing aircraft due to overheating of the engine nacelle inlet structure," the filing states.


Tesla's latest Autopilot safety patch hits 1.6M Chinese vehicles

TheRegister - Fri, 2024-01-05 18:34
Perfect timing – now BYD can rub that in Tesla's face along with stealing the global EV sales crown

A hot new Tesla import has arrived in China in the form of a pair of forced software updates for nearly every car the US EV maker has sold in the Middle Kingdom. …

