Slashdot

Slashdot reader quonset writes: In an effort to more personalize a customer's experience, the U.S. restaurant chain Panera Bread is rolling out palm-scanning technology which will link the palm print with the customer's loyalty program. According to Panera Bread CEO Niren Chaudhary, the move will allow a "frictionless, personalized, and convenient" evolution of Panera's loyalty program, which boasts 52 million members. The claim is this will allow the company to offer menu choices based on a customer's order history, allow staff to personally greet the customer, and offer further suggestions. Privacy advocates are not so sure. From the story: Panera says the technology will securely store its customers' biometric data. However, digital rights activists worry that information could be tapped by federal agencies or accessed by hackers. "Federal agencies like Customs and Border Protection have experienced devastating hacks where large databases of biometric information have been stolen," Fight for the Future told CBS MoneyWatch in an email. "Do we really expect Amazon, or Panera, to have better cybersecurity practices?" The scanners are already installed at locations in St. Louis, Panera announced Wednesday, and scanners will "expand to additional locations in the coming months." (Panera has 2,113 locations in 48 states.) "After a simple scan of the palm, Panera associates will be able to greet guests by name, communicate their available rewards, reorder their favorite menu items, or take another order of their choice," the announcement gushes, "extending the guest experience into a true and meaningful relationship. "When they are done ordering, guests can simply scan their palm again to pay."

Read more of this story at Slashdot.

It's one of America's best hospitals — a nonprofit "academic medical center" called the Cleveland Clinic. And this week it installed an IBM-managed quantum computer to accelerate healthcare research (according to an announcement from IBM). IBM is calling it "the first quantum computer in the world to be uniquely dedicated to healthcare research." The clinic's CEO said the technology "holds tremendous promise in revolutionizing healthcare and expediting progress toward new cares, cures and solutions for patients." IBM's CEO added that "By combining the power of quantum computing, artificial intelligence and other next-generation technologies with Cleveland Clinic's world-renowned leadership in healthcare and life sciences, we hope to ignite a new era of accelerated discovery." em>Inside HPC points out that "IBM Quantum System One" is part of a larger biomedical research program applying high-performance computing, AI, and quantum computing, with IBM and the Cleveland Clinic "collaborating closely on a robust portfolio of projects with these advanced technologies to generate and analyze massive amounts of data to enhance research." The Cleveland Clinic-IBM Discovery Accelerator has generated multiple projects that leverage the latest in quantum computing, AI and hybrid cloud to help expedite discoveries in biomedical research. These include: - Development of quantum computing pipelines to screen and optimize drugs targeted to specific proteins; - Improvement of a quantum-enhanced prediction model for cardiovascular risk following non-cardiac surgery; - Application of artificial intelligence to search genome sequencing findings and large drug-target databases to find effective, existing drugs that could help patients with Alzheimer's and other diseases. The Discovery Accelerator also serves as the technology foundation for Cleveland Clinic's Global Center for Pathogen & Human Health Research, part of the Cleveland Innovation District. The center, supported by a $500 million investment from the State of Ohio, Jobs Ohio and Cleveland Clinic, brings together a team focused on studying, preparing and protecting against emerging pathogens and virus-related diseases. Through the Discovery Accelerator, researchers are leveraging advanced computational technology to expedite critical research into treatments and vaccines.

Read more of this story at Slashdot.

400 undersea cables carry 95% of the world's international internet traffic, reports Reuters (citing figures from Washington-based telecommunications research firm TeleGeography). But now there's "a growing proxy war between the United States and China over technologies that could determine who achieves economic and military dominance for decades to come." In February, American subsea cable company SubCom LLC began laying a $600-million cable to transport data from Asia to Europe, via Africa and the Middle East, at super-fast speeds over 12,000 miles of fiber running along the seafloor. That cable is known as South East Asia-Middle East-Western Europe 6, or SeaMeWe-6 for short. It will connect a dozen countries as it snakes its way from Singapore to France, crossing three seas and the Indian Ocean on the way. It is slated to be finished in 2025. It was a project that slipped through China's fingers.... The Singapore-to-France cable would have been HMN Tech's biggest such project to date, cementing it as the world's fastest-rising subsea cable builder, and extending the global reach of the three Chinese telecom firms that had intended to invest in it. But the U.S. government, concerned about the potential for Chinese spying on these sensitive communications cables, ran a successful campaign to flip the contract to SubCom through incentives and pressure on consortium members.... It's one of at least six private undersea cable deals in the Asia-Pacific region over the past four years where the U.S. government either intervened to keep HMN Tech from winning that business, or forced the rerouting or abandonment of cables that would have directly linked U.S. and Chinese territories.... Justin Sherman, a fellow at the Cyber Statecraft Initiative of the Atlantic Council, a Washington-based think tank, told Reuters that undersea cables were "a surveillance gold mine" for the world's intelligence agencies. "When we talk about U.S.-China tech competition, when we talk about espionage and the capture of data, submarine cables are involved in every aspect of those rising geopolitical tensions," Sherman said.

Read more of this story at Slashdot.

An anonymous reader quotes Neowin: Google Project Zero is a security team responsible for discovering security flaws in Google's own products as well as software developed by other vendors. Following discovery, the issues are privately reported to vendors and they are given 90 days to fix the reported problems before they are disclosed publicly.... Now, the security team has reported several flaws in CentOS' kernel. As detailed in the technical document here, Google Project Zero's security researcher Jann Horn learned that kernel fixes made to stable trees are not backported to many enterprise versions of Linux. To validate this hypothesis, Horn compared the CentOS Stream 9 kernel to the stable linux-5.15.y stable tree.... As expected, it turned out that several kernel fixes have not been made deployed in older, but supported versions of CentOS Stream/RHEL. Horn further noted that for this case, Project Zero is giving a 90-day deadline to release a fix, but in the future, it may allot even stricter deadlines for missing backports.... Red Hat accepted all three bugs reported by Horn and assigned them CVE numbers. However, the company failed to fix these issues in the allotted 90-day timeline, and as such, these vulnerabilities are being made public by Google Project Zero. Horn is urging better patch scheduling so "an attacker who wants to quickly find a nice memory corruption bug in CentOS/RHEL can't just find such bugs in the delta between upstream stable and your kernel."

Read more of this story at Slashdot.

An anonymous reader shares this report from the New York Post: Disgruntled Amazon corporate employees are reportedly devastated after a top human resources executive shot down an internal petition that asked the tech giant's leaders to nix its return-to-office plan. Approximately 30,000 workers had signed a petition begging CEO Andy Jassy to cancel his directive that most employees work on site at least three days per week. The return-to-office plan is slated to take effect on May 1. Beth Galetti, Amazon's HR chief, shot down the petition in a message to organizers obtained by Insider and signaled that the return-to-office plan will move forward as scheduled. "Given the large size of our workforce and our wide range of businesses and customers, we recognize this transition may take time, but we are confident it will result in long-term benefits to increasing our ability to deliver for our customers, bolstering our culture, and growing and developing employees," Galetti said in the memo.... In the petition, which first surfaced last month, Amazon workers argued they are more productive and enjoy a better work-life balance in a remote work environment. The workers also asserted that the three-day-per-week requirement runs contrary to Amazon's stances on issues such as affordable housing, diversity and climate change.... Meanwhile, Jassy has argued that working more days on site will help build effective collaboration and "deliver for customers and the business."

Read more of this story at Slashdot.

Hackaday recently shared some thoughts on "purpose-built" distros: Some examples are Kali for security testing, DragonOS for software-defined radio, or Hannah Montana Linux for certain music fans. Anyone can roll their own Linux distribution with the right tools, including [Shadly], who recently created one which only loads enough software to launch the 1993 classic DOOM.... It loads the Linux kernel and the standard utilities via BusyBox, then runs fbDOOM, which is a port of the game specifically designed to run on the Linux framebuffer with minimal dependencies. Their report includes video of the distro booting up and playing Doom. "The entire distribution is placed into a bootable ISO file that can be placed on any bootable drive."

Read more of this story at Slashdot.

The Free Software Foundation held their annual LibrePlanet conference last week — and announced that Eli Zaretskii, co-maintainer of GNU Emacs, won their "Advancement of Free Software" award. "He has been a contributor to Emacs for more than thirty years," notes the FSF announcement, "and as co-maintainer, coordinates the work of more than two hundred active contributors. During Zaretskii's tenure as co-maintainer, the Emacs development community has implemented several important new features, including native compilation of the editor's Emacs Lisp backbone into machine code." Zaretskii was honored with a recorded message from the original author/principal maintainer of GNU Emacs back in 1985, Richard Stallman: "For many years, I was the principal maintainer of GNU Emacs, but then others came along to do the work, and I haven't been heavily involved in Emacs development for many, many years. Nowadays, our principal maintainer of Emacs is extremely diligent and conscientious and has brought about a renaissance in new features and new packages added to Emacs, and the result is very impressive. So I'm happy to give the Free Software Award to Eli Zaretskii, principal maintainer of GNU Emacs. Thank you for your work." In his recorded acceptance of the award, Zaretskii said, "The truth is my contribution to free software in general and to Emacs development in particular is quite modest, certainly compared to those who won this award before me.... And even my modest achievement as the Emacs developer and lately the co-maintainer would have been impossible without all the other contributors and the Emacs community as a whole. No significant free software project can be developed, maintained, and led forward without participation and support of its members. And Emacs is no exception." Their award for Outstanding New Free Software Contributor went to Tad (SkewedZeppelin), the chief developer of DivestOS, a fork of Android which removes many proprietary binaries "and which puts freedom, security, and device longevity as its main concerns," according to the FSF's announcement. "Tad has also contributed to the Replicant distribution of Android, a project fiscally sponsored by the FSF." And their award for Project of Social Benefit went to GNU Jami, a free software videoconferencing tool "that is fully decentralized and encrypted, allowing thousands around the world to communicate in both freedom and security. In contrast to proprietary conferencing programs like Zoom, which are nonfree software, Jami is an official GNU package licensed under the GNU GPLv3+."

Read more of this story at Slashdot.

Toronto-based Feroot Security "found that so-called tracking pixels from the TikTok parent company were present in 30 U.S. state-government websites across 27 states," reports the Wall Street Journal, "including some where the app has been banned from state networks and devices." The review was performed in January and February. The presence of that code means that U.S. state governments around the country are inadvertently participating in a data-collection effort for a foreign-owned company, one that senior Biden administration officials and lawmakers of both parties have said could be harmful to U.S. national security and the privacy of Americans. Administrators who manage government websites use such pixels to help measure the effectiveness of advertising they have purchased on TikTok.... The presence of the TikTok tracking code on government websites underlines the challenge for those who deem the China-owned app a potential data-security threat. Lawmakers in both parties are considering a nationwide ban, but simply uprooting the app from U.S. smartphones wouldn't stop all data-tracking activities.... Feroot found that the average website it studied had more than 13 embedded pixels. Google's were far and away the most common, with 92% of websites examined having some sort of Google tracking pixel embedded. About 50% of the websites the firm examined had Microsoft Corp. or Facebook pixels. TikTok had a presence in less than 10% of sites examined.

Read more of this story at Slashdot.

The Verge reports: A federal judge has ruled against the Internet Archive in Hachette v. Internet Archive, a lawsuit brought against it by four book publishers, deciding that the website does not have the right to scan books and lend them out like a library. Judge John G. Koeltl decided that the Internet Archive had done nothing more than create "derivative works," and so would have needed authorization from the books' copyright holders — the publishers — before lending them out through its National Emergency Library program. The Internet Archive says it will appeal. The decision was "a blow to all libraries and the communities we serve," argued Chris Freeland, the director of Open Libraries at the Internet Archive. In a blog post he argued the decision "impacts libraries across the U.S. who rely on controlled digital lending to connect their patrons with books online. It hurts authors by saying that unfair licensing models are the only way their books can be read online. And it holds back access to information in the digital age, harming all readers, everywhere. The Verge adds that the judge rejected "fair use" arguments which had previously protected a 2014 digital book preservation project by Google Books and HathiTrust: Koetl wrote that any "alleged benefits" from the Internet Archive's library "cannot outweigh the market harm to the publishers," declaring that "there is nothing transformative about [Internet Archive's] copying and unauthorized lending," and that copying these books doesn't provide "criticism, commentary, or information about them." He notes that the Google Books use was found "transformative" because it created a searchable database instead of simply publishing copies of books on the internet. Koetl also dismissed arguments that the Internet Archive might theoretically have helped publishers sell more copies of their books, saying there was no direct evidence, and that it was "irrelevant" that the Internet Archive had purchased its own copies of the books before making copies for its online audience. According to data obtained during the trial, the Internet Archive currently hosts around 70,000 e-book "borrows" a day.

Read more of this story at Slashdot.

OpenAI took ChatGPT offline earlier this week "due to a bug in an open-source library which allowed some users to see titles from another active user's chat history," according to an OpenAI blog post. "It's also possible that the first message of a newly-created conversation was visible in someone else's chat history if both users were active around the same time.... "Upon deeper investigation, we also discovered that the same bug may have caused the unintentional visibility of payment-related information of 1.2% of the ChatGPT Plus subscribers who were active during a specific nine-hour window." In the hours before we took ChatGPT offline on Monday, it was possible for some users to see another active user's first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date. Full credit card numbers were not exposed at any time. We believe the number of users whose data was actually revealed to someone else is extremely low. To access this information, a ChatGPT Plus subscriber would have needed to do one of the following: - Open a subscription confirmation email sent on Monday, March 20, between 1 a.m. and 10 a.m. Pacific time. Due to the bug, some subscription confirmation emails generated during that window were sent to the wrong users. These emails contained the last four digits of another user's credit card number, but full credit card numbers did not appear. It's possible that a small number of subscription confirmation emails might have been incorrectly addressed prior to March 20, although we have not confirmed any instances of this. - In ChatGPT, click on "My account," then "Manage my subscription" between 1 a.m. and 10 a.m. Pacific time on Monday, March 20. During this window, another active ChatGPT Plus user's first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date might have been visible. It's possible that this also could have occurred prior to March 20, although we have not confirmed any instances of this. We have reached out to notify affected users that their payment information may have been exposed. We are confident that there is no ongoing risk to users' data. Everyone at OpenAI is committed to protecting our users' privacy and keeping their data safe. It's a responsibility we take incredibly seriously. Unfortunately, this week we fell short of that commitment, and of our users' expectations. We apologize again to our users and to the entire ChatGPT community and will work diligently to rebuild trust. The bug was discovered in the Redis client open-source library, redis-py. As soon as we identified the bug, we reached out to the Redis maintainers with a patch to resolve the issue. "The bug is now patched. We were able to restore both the ChatGPT service and, later, its chat history feature, with the exception of a few hours of history."

Read more of this story at Slashdot.

IHTFISP shares a report from Phys.Org: A quartet of mathematicians from Yorkshire University, the University of Cambridge, the University of Waterloo and the University of Arkansas has discovered a 2D geometric shape that does not repeat itself when tiled. David Smith, Joseph Samuel Myers, Craig Kaplan and Chaim Goodman-Strauss have written a paper describing how they discovered the unique shape and possible uses for it. Their full paper is available on the arXiv preprint server. [...] The shape has 13 sides and the team refers to it simply as "the hat." They found it by first paring down possibilities using a computer and then by studying the resulting smaller sets by hand. Once they had what they believed was a good possibility, they tested it using a combinatorial software program -- and followed that up by proving the shape was aperiodic using a geometric incommensurability argument. The researchers close by suggesting that the most likely application of the hat is in the arts.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Science Magazine: In an unusual move, the U.S. Department of Energy (DOE) has quietly begun a new competition for the contract to run the United States's sole dedicated particle physics laboratory. Announced in January, the rebid comes 1 year after Fermi National Accelerator Laboratory (Fermilab), which is managed in part by the University of Chicago (UChicago), failed an annual DOE performance review and 9 months after it named a new director. DOE would not comment, but observers say its frustrations include cost increases and delays in a gargantuan new neutrino experiment. "I don't think it's surprising at all given the department's evaluation of [Fermilab's] performance," says James Decker, a physicist and consultant with Decker, Garman, Sullivan & Associates, LLC, who served as principal deputy director of DOE's Office of Science from 1973 to 2007. Although Fermilab passed its 2022 performance evaluation, the one for fiscal year 2021 was "one of the most scathing I have seen," Decker says. DOE has already solicited letters of interest and will issue a request for formal proposals this summer. It intends to award the new contract by the end of the next fiscal year, 30 September 2024, and transfer control of the lab, which employs 2100 staff and has an annual budget of $614 million, on January 1, 2025. UChicago hopes to win the contract again, says Paul Alivisatos, president of the university, who is also chair of FRA's board of directors and a former director of DOE's Lawrence Berkeley National Laboratory. "We absolutely will be bidding to continue." [...] How many parties will bid on the contract remains unclear. Managing the lab requires very specific technical expertise but pays $5 million per year, at most. "I don't think that there are too many organizations that could really compete for this contract," Decker says. If just UChicago or URA bid on the new contract, they'll need a new partner, multiple observers say, perhaps one with expertise in huge construction projects. DOE is sure to insist that something changes.

Read more of this story at Slashdot.

Dozens of the world's largest natural history museums revealed on Thursday a survey of everything in their collections. The global inventory is made up of 1.1 billion objects that range from dinosaur skulls to pollen grains to mosquitoes. The New York Times reports: The survey's organizers, who described the effort in the journal Science, said they hoped the survey would help museums join forces to answer pressing questions, such as how quickly species are becoming extinct and how climate change is altering the natural world. "It gives us intelligence now to start thinking about things that museums can do together that we wouldn't have conceived of before," said Kirk Johnson, the director of the Smithsonian National Museum of Natural History in Washington and one of the leaders of the project. "It's the argument for networking the global museum." Scientists had created smaller inventory databases before. But the new effort, which included 73 museums in 28 countries, was unparalleled, experts said. The survey revealed important gaps in the world's collections. Relatively few objects come from the regions around the earth's poles, which are especially vulnerable to the impact of global warming, for example. Insects, the most diverse group of animal species, were also underrepresented. "The analysis is at a global scale that no one else has managed," said Emily Meineke, an entomologist at the University of California, Davis, who was not involved in the survey. Dr. Meineke said that this survey of large institutions also laid the groundwork for surveys of smaller ones, which might hold even more surprises. "Once these methods are applied down the line to smaller collections, the results are likely to give us a truer picture of biodiversity globally," she said.

Read more of this story at Slashdot.

British satellite company OneWeb is gearing up for the launch of its final batch of internet satellites, completing a constellation in low Earth orbit despite some hiccups along the way. Gizmodo reports: India's heaviest launch vehicle LVM-3 will carry 36 OneWeb satellites, with liftoff slated for Sunday at 11:30 p.m. ET, according to OneWeb. The launch will take place at the Satish Dhawan Space Centre in Sriharikota, India, marking OneWeb's second deployment from India. You can watch the launch at the livestream [here]. OneWeb has been building an internet constellation in low Earth orbit since 2020, and it currently consists of 579 functioning satellites, according to statistics kept by Harvard-Smithsonian astrophysicist Jonathan McDowell. The addition of 36 new units will raise the population of the constellation to 615, completing the first orbital shell. The company had originally planned on building a 648-unit constellation, but it says this final launch will cap it off and allow for global coverage.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Technica: In 2025, United Airlines will fly an air taxi service between the downtown Vertiport Chicago and O'Hare International Airport, using electric vertical takeoff and landing aircraft it is purchasing from Archer Aviation. The Archer Midnight eVTOL aircraft will complete the route in about 10 minutes; according to local resident and Ars Managing Editor Eric Bangeman, that journey by car can take over an hour due to road construction. "Both Archer and United are committed to decarbonizing air travel and leveraging innovative technologies to deliver on the promise of the electrification of the aviation industry," said Michael Leskinen, president of United Airlines Ventures. "Once operational, we're excited to offer our customers a more sustainable, convenient, and cost-effective mode of transportation during their commutes to the airport." If Chicago works out, United plans to add other airport-to-city "trunk routes," with "branch" routes between different communities coming later. The Archer Midnight has a range of 100 miles (160 km) and a top speed of 150 mph (241 km/h). If approved by the FAA, the Chicago air shuttle would be the first commercial eVTOL service to begin operating in North America. Asked about the cost, an Archer spokesperson told the Chicago Sun-Times that the company hopes to make the service competitive with Uber Black, so it will be roughly $100 for the trip.

Read more of this story at Slashdot.

Intel announced Friday that Gordon Moore, Intel's co-founder, has died at the age of 94: Moore and his longtime colleague Robert Noyce founded Intel in July 1968. Moore initially served as executive vice president until 1975, when he became president. In 1979, Moore was named chairman of the board and chief executive officer, posts he held until 1987, when he gave up the CEO position and continued as chairman. In 1997, Moore became chairman emeritus, stepping down in 2006. During his lifetime, Moore also dedicated his focus and energy to philanthropy, particularly environmental conservation, science and patient care improvements. Along with his wife of 72 years, he established the Gordon and Betty Moore Foundation, which has donated more than $5.1 billion to charitable causes since its founding in 2000.... "Though he never aspired to be a household name, Gordon's vision and his life's work enabled the phenomenal innovation and technological developments that shape our everyday lives," said foundation president Harvey Fineberg. "Yet those historic achievements are only part of his legacy. His and Betty's generosity as philanthropists will shape the world for generations to come." Pat Gelsinger, Intel CEO, said, "Gordon Moore defined the technology industry through his insight and vision. He was instrumental in revealing the power of transistors, and inspired technologists and entrepreneurs across the decades. We at Intel remain inspired by Moore's Law and intend to pursue it until the periodic table is exhausted...." Prior to establishing Intel, Moore and Noyce participated in the founding of Fairchild Semiconductor, where they played central roles in the first commercial production of diffused silicon transistors and later the world's first commercially viable integrated circuits. The two had previously worked together under William Shockley, the co-inventor of the transistor and founder of Shockley Semiconductor, which was the first semiconductor company established in what would become Silicon Valley.

Read more of this story at Slashdot.

Huawei has reportedly completed work on electronic design automation (EDA) tools for laying out and making chips down to 14nm process nodes. The Register reports: Chinese media said the platform is one of 78 being developed by the telecoms equipment giant to replace American and European chip design toolkits that have become subject to export controls by the US and others. Huawei's EDA platform was reportedly revealed by rotating Chairman Xu Zhijun during a meeting in February, and later confirmed by media in China. [...] Huawei's focus on EDA software for 14nm and larger chips reflects the current state of China's semiconductor industry. State-backed foundry operator SMIC currently possesses the ability to produce 14nm chips at scale, although there have been some reports the company has had success developing a 7nm process node. Today, the EDA market is largely controlled by three companies: California-based Synopsys and Cadence, as well as Germany's Siemens. According to the industry watchers at TrendForce, these three companies account for roughly 75 percent of the EDA market. And this poses a problem for Chinese chipmakers and foundries, which have steadily found themselves cut off from these tools. Synopsys and Cadence's EDA tech is already subject to several of these export controls, which were stiffened by the US Commerce Department last summer to include state-of-the-art gate-all-around (GAA) transistors. This January, the White House also reportedly stopped issuing export licenses to companies supplying the likes of Huawei. This is particularly troublesome for Huawei, foundry operator SMIC, and memory vendor YMTC to name a few on the US Entity List, a roster of companies Uncle Sam would prefer you not to do business with. It leaves them unable to access recent and latest technologies, at the very least. So the development of a homegrown EDA platform for 14nm chips serves as insurance in case broader access to Western production platforms is cut off entirely.

Read more of this story at Slashdot.

France announced Friday it is banning the "recreational" use of TikTok, Twitter, Instagram and other apps on government employees' phones because of concern about insufficient data security measures. Reuters reports: The French Minister for Transformation and Public Administration, Stanislas Guerini, said in a statement that ''recreational" apps aren't secure enough to be used in state administrative services and "could present a risk for the protection of data." The ban will be monitored by France's cybersecurity agency. The statement did not specify which apps are banned but noted that the decision came after other governments took measures targeting TikTok. Guerini's office said in a message to The Associated Press that the ban also will include Twitter, Instagram, Netflix, gaming apps like Candy Crush and dating apps. Exceptions will be allowed. If an official wants to use a banned app for professional purposes, like public communication, they can request permission to do so. Case in point: Guerini posted the announcement of the ban on Twitter.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Technica, written by Jonathan M. Gitlin: A perennial question that has accompanied the spread of Android Automotive has been the question of support. A car has a much longer expected service life than a smartphone, especially an Android smartphone, and with infotainment systems so integral to a car's operations now, how long can we reasonably expect those infotainment systems to be supported? I got the chance to put this question to Dirk Hilgenberg, CEO of CARIAD, Volkswagen Group's software division: Given the much longer service life of a car compared to a smartphone, how does VW plan to keep those cars patched and safe 10 or 15 years from now? "We actually have a contract with the brands, which took a while to negotiate, but lifetime support was utterly important," Hilgenberg told me. The follow-up was obvious: How long is "lifetime"? "Fifteen years after service, and an extra option for brands who would like to have it even longer; you know, we have to guarantee updatability on all legal aspects," he said. "So that's why we are, as you can imagine, very cautious with branches of releases because every branch we need to maintain over this long time. So when you have end of operation and EOP [end of production] and it's 15 years longer, we still have to maintain that; plus, some brands actually said 'because my vehicle is a unicorn, it's something that people want even more, they only occasionally drive it but they want to be safe,'" Hilgenberg told me. (The unicorn reference should make sense in the context of VW Group owning Bugatti, Lamborghini, and Porsche, whose cars are often collected and can be on the road for many decades.) In those cases, CARIAD would provide continued support, Hilgenberg said. "Especially as cybersecurity, all the legal things are concerned, you see that already. Now we do upgrades and releases, whether it's in China, whether it's in the US, whether it's in Europe, we take very cautious steps. Security and safety has, in the Volkswagen group, you know, the utmost importance, and we see it actually as an opportunity to differentiate," he said. In an update to the article, Ars said CARIAD got in touch with them to add some clarifications. "As part of its development services to Volkswagen's automotive brands, CARIAD provides operational services, updates, upgrades and new releases as well as bug fixes and patches relating to its hardware- and software-products. We usually support our hard- and software releases for extended periods of time. In some cases this can be up to 15 years after the end of production ('EOP') for hardware and 10 years after EOP for software releases. Moreover, there are legally mandatory periods we comply with, e.g. cybersecurity as well as safety updates and patches are provided for as long as a function is available. In addition, there may be individual agreements with brands for longer support periods to specifically satisfy their customers' needs," wrote a CARIAD spokesperson. Ars notes: "there's no guarantee that OEMs can make the business model work for this long-term support."

Read more of this story at Slashdot.

GitHub has rotated its private SSH key for GitHub.com after the secret was was accidentally published in a public GitHub repository. BleepingComputer reports: The software development and version control service says, the private RSA key was only "briefly" exposed, but that it took action out of "an abundance of caution." In a succinct blog post published today, GitHub acknowledged discovering this week that the RSA SSH private key for GitHub.com had been ephemerally exposed in a public GitHub repository. "We immediately acted to contain the exposure and began investigating to understand the root cause and impact," writes Mike Hanley, GitHub's Chief Security Officer and SVP of Engineering. "We have now completed the key replacement, and users will see the change propagate over the next thirty minutes. Some users may have noticed that the new key was briefly present beginning around 02:30 UTC during preparations for this change." As some may notice, only GitHub.com's RSA SSH key has been impacted and replaced. No change is required for ECDSA or Ed25519 users.

Read more of this story at Slashdot.