175790711
submission
jd writes:
Two South Korean 737s suffered near-identical hydraulic failure, with at least one also suffering a near-total loss of electrical power as well. The first jet attempted a belly landing, ending up smashing into a concrete post and exploding. All 737s in South Korea are now grounded for an emergency investigation.
But this raises several important questions. Firstly, why are no other 737s being checked? Until the crash investigation is complete, assuming it's a problem affecting one country only seems perplexing, especially given Boeing's current profile.
Secondly, why would a plane suffer multiple failures? If systems are isolated and independent, that sounds perplexing. Either they're not independent, or the reporting is problematic.
From the linked article:
The Boeing 737-800 involved in the latest incident was the same model as the Jeju Air plane that crashed on Sunday killing 179 people after coming down without its landing gear engaged.
Seoul said on Monday it would conduct a special inspection of all 101 Boeing 737-800 planes in operation in the country, with US investigators, possibly including from plane manufacturer Boeing, joining the probe into the crash.
The BBC adds the following information:
Indication of electrical fault in 'perplexing crash', aviation expert suggests
published at 12:39
"This is one of the most perplexing crashes I have ever seen. Nothing about it makes any sense," aviation expert Geoffrey Thomas tells the BBC.
Speaking from Perth, he notes that while a bird strike may have played a role, once the pilot issued a mayday call the air traffic control data cut out.
The sudden loss of data — which allows the flights to be tracked — "indicates an electrical fault of some kind", Thomas suggests.
Following the call, the plane was also allowed to land in the opposite direction to usual.
But the wheels were up, the flaps not set correctly and it landed halfway down the runway before careering into the localiser and exploding, he says.
Thomas says there are workarounds if an electrical or hydraulic problem arises, but these were not used.
"It just doesn’t make any sense. We're going to have to wait for voice recorder details before we can get a handle on what on earth went on."
175734185
submission
jd writes:
A new attempt to produce quantum relativity is in the works. This time, the physicists have taken the line that if you allow for faster-than-light particles, you can solve a lot of the difficulties of merging the two theories. But it comes with a consequence.
You end up with three time dimensions and one spatial dimension.
The argument is that special cases constitute the real difficulty in merging the two ideas, so the physicists looked for a way to generalise outside the normal bounds, and to have relativity (despite its classical nature) produce the randomness in quantum mechanics.
From the article:
Quantum mechanics is an incredibly successful theory and yet the statistical nature of its predictions is hard to accept and has been the subject of numerous debates. The notion of inherent randomness, something that happens without any cause, goes against our rational understanding of reality. To add to the puzzle, randomness that appears in non-relativistic quantum theory tacitly respects relativity, for example, it makes instantaneous signaling impossible. Here, we argue that this is because the special theory of relativity can itself account for such a random behavior. We show that the full mathematical structure of the Lorentz transformation, the one which includes the superluminal part, implies the emergence of non-deterministic dynamics, together with complex probability amplitudes and multiple trajectories. This indicates that the connections between the two seemingly different theories are deeper and more subtle than previously thought.
175295515
submission
jd writes:
Linus Torvalds is not a happy camper and is condemning hardware vendors for poor security and the plethora of actual and theoretical attacks, especially as some of the new features being added impact the workarounds. These workarounds are now getting very expensive, CPU-wise.
TFA quotes Linus Torvalds:
"Honestly, I'm pretty damn fed up with buggy hardware and completely theoretical attacks that have never actually shown themselves to be used in practice.
So I think this time we push back on the hardware people and tell them it's *THEIR* damn problem, and if they can't even be bothered to say yay-or-nay, we just sit tight.
Because dammit, let's put the onus on where the blame lies, and not just take any random shit from bad hardware and say "oh, but it *might* be a problem".
Linus"
175133295
submission
jd writes:
Looks like there's a storm brewing, and it's not good news. Whether or not the bugs are classically security defects, this is extremely bad PR for the Linux and Open Source community. It's not clear from the article whether this affects other Open Source projects, such as FreeBSD.
From TFA:
A critical unauthenticated Remote Code Execution (RCE) vulnerability has been discovered, impacting all GNU/Linux systems.
As per agreements with developers, the flaw, which has existed for over a decade, will be fully disclosed in less than two weeks.
Despite the severity of the issue, no Common Vulnerabilities and Exposures (CVE) identifiers have been assigned yet, although experts suggest there should be at least three to six.
Leading Linux distributors such as Canonical and RedHat have confirmed the flaw’s severity, rating it 9.9 out of 10. This indicates the potential for catastrophic damage if exploited.
However, despite this acknowledgment, no working fix is still available. Developers remain embroiled in debates over whether some aspects of the vulnerability impact security.
174753108
submission
jd writes:
NIST has formally accepted three algorithms for post-quantum cryptography. Two more, for backup, are being worked on. The idea is to have backup algorithms using very different maths, just in case there's a flaw in the original approach discovered later.
From TFA:
The National Institute of Standards and Technology (NIST) today released the long-awaited post-quantum encryption standards, designed to protect electronic information long into the future – when quantum computers are expected to break existing cryptographic algorithms.
One – ML-KEM (based on CRYSTALS-Kyber) – is intended for general encryption, which protects data as it moves across public networks. The other two – ML-DSA (originally known as CRYSTALS-Dilithium) and SLH-DSA (initially submitted as Sphincs+) – secure digital signatures, which are used to authenticate online identity.
Despite the new ones on the horizon, NIST mathematician Dustin Moody encouraged system administrators to start transitioning to the new standards ASAP, because full integration takes some time.
"There is no need to wait for future standards," Moody advised in a statement. "Go ahead and start using these three. We need to be prepared in case of an attack that defeats the algorithms in these three standards, and we will continue working on backup plans to keep our data safe. But for most applications, these new standards are the main event."
From NIST:
This notice announces the Secretary of Commerce's approval of three Federal Information Processing Standards (FIPS): FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard; FIPS 204, Module-Lattice-Based Digital Signature Standard; and FIPS 205, Stateless Hash-Based Digital Signature Standard. These standards specify key establishment and digital signature schemes that are designed to resist future attacks by quantum computers, which threaten the security of current standards. The three algorithms specified in these standards are each derived from different submissions in the NIST post-quantum cryptography standardization project (see https://csrc.nist.gov/pqc-standardization).
174618668
submission
jd writes:
Due to grotesque lack of security on SecureBoot, no actual security is provided by many hardware vendors. Indeed, the report says that compromised software was intentionally shipped by manufacturers. This is a serious incident and essentially means there's going to be a panic in the security field for some time. Updating UEFI on embedded systems, in particular, won't be easy.
From TFA:
Security research firm Binarly reports that leaked cryptographic keys have compromised hardware from several major vendors in the PC industry, including Dell, Acer, Gigabyte, Supermicro, and even Intel. Eight percent of firmware images released in the last four years are compromised, with 22 untrusted keys discovered immediately.
One of the more upsetting issues highlighted by the report is that several vendors actually shipped devices with firmware labeled “DO NOT TRUST” or “DO NOT SHIP,” indicating that they knew about the compromised state of the keys… and ignored it.
Binarly explains:
leaked private keys from Intel Boot Guard distributed by Intel in their reference code were used in production
Earlier this year, we noticed that the private key from American Megatrends International (AMI) related to the Secure Boot “master key”, called Platform Key (PK), was publicly exposed in a data leak.
The devices corresponding to this key are still deployed in the field, and the key is also being used in recently released enterprise devices.
Elsewhere, the following was given:
Critical encrypted file with mere four-character password to blame.
174348519
submission
jd writes:
CRISPR is good, but scientists always try to improve on what they have. A "jumping gene" has now been found that can edit larger sections of DNA with greater precision and greater reliability than the CRISPR method permits.
From TFA:
Genetic engineering researchers have discovered a powerful tool that can be used to edit genes on a larger scale. This tool will allow researchers to rearrange, recombine, invert, duplicate, move, and perform other editing operations on very long DNA sequences. In the future, this is expected to lead to more advanced gene editing therapeutics and treatments for diseases.
This next generation genomic design method, called the bridge recombinase mechanism, exists naturally in our genetic machinery, and can be used to program and edit DNA.
This gene editing method, which exists naturally and has now been discovered, enhances the human ability to edit genomes beyond the capabilities and scope of CRISPR (clustered regularly interspaced short palindromic repeats), a technology that can be used to modify the DNA of living organisms. It utilises mobile genetic elements or “jumping genes”, which cut and paste themselves into genomes and are present in all forms of life, performing on-the-go DNA manipulation through all living beings.
174054497
submission
jd writes:
There aren't many details yet, but a private company used by the National Health Service in London was hit by a ransomware attack today, leading to cancelled operations and cancelled tests.
The provider has been hit multiple times this year and is obviously not bothering with making any improvements in cybersecurity. There really should be legal requirements when it comes to maintaining what is de-facto critical infrastructure.
From the article:
"Major NHS hospitals in London have been hit by a cyber-attack, which is seriously disrupting their services, including blood tests and transfusions.
The ransomware attack is having a “major impact” on the care provided by Guy’s and St Thomas’ NHS trust, its chief executive has told staff in a letter.
The attack is understood to affect other hospitals, including King’s College hospital, and has left them unable to connect to the servers of the private firm that provides their pathology services.
Synnovis, an outsourced provider of lab services to NHS trusts across south-east London, was the target of the attack, believed to be a form of ransomware, a piece of software which locks up a computer system to extort a payment for restoring access.
According to one healthcare worker, the labs were still functional, but communication with them was limited to paper only, imposing a huge bottleneck and forcing cancellation or reassignment of all but the most urgent bloodwork. Direct connections with Synnovis’ servers were cut to limit the risk of the infection spreading. ...
This is the third attack in the last year to hit part of the Synlab group, a German medical services provider with subsidiaries across Europe. In June 2023, ransomware gang Clop hacked and stole data from the French branch of the company just days after it hit headlines for bringing down a payroll provider for companies including BA, Boots and the BBC. Clop published the stolen data later that summer."
173826723
submission
jd writes:
Neuralink’s first attempt at implanting its chip in a human being’s skull hit an unexpected setback after the device began to detach from the patient’s brain, the company revealed on Wednesday.
The patient, Noland Arbaugh, underwent surgery in February to attach a Neuralink chip to his brain, but the device’s functionality began to decrease within the month after his implant. Some of the device’s threads, which connect the miniature computer to the brain, had begun to retract. Neuralink did not disclose why the device partly retracted from Arbaugh’s brain, but stated in a blogpost that its engineers had refined the implant and restored functionality.
The decreased capabilities did not appear to endanger Arbaugh, and he could still use the implant to play a game of chess on a computer using his thoughts, according to the Wall Street Journal, which first broke the news of the issue with the chip. The possibility of removing the implant was considered after the detachment came to light, the Journal reported.
173481378
submission
jd writes:
Peter Higgs, the Nobel prize-winning physicist who discovered a new particle known as the Higgs boson, has died.
Higgs, 94, who was awarded the Nobel prize for physics in 2013 for his work in 1964 showing how the boson helped bind the universe together by giving particles their mass, died at home in Edinburgh on Monday.
After a series of experiments, which began in earnest in 2008, his theory was proven by physicists working at the Large Hadron Collider at Cern in Switzerland in 2012; the Nobel prize was shared with François Englert, a Belgian theoretical physicist whose work in 1964 also contributed directly to the discovery.
A member of the Royal Society and a Companion of Honour, Higgs spent the bulk of his professional life at Edinburgh University, which set up the Higgs centre for theoretical physics in his honour in 2012.
Prof Peter Mathieson, the university’s principal, said: “Peter Higgs was a remarkable individual – a truly gifted scientist whose vision and imagination have enriched our knowledge of the world that surrounds us.
“His pioneering work has motivated thousands of scientists, and his legacy will continue to inspire many more for generations to come.”
173298917
submission
jd writes:
A pet company has twice sent back dog breed results for human swab samples, prompting doubts surrounding the accuracy of dog breed tests.
On Wednesday, WBZ News reported its investigations team receiving dog breed results from the company DNA My Dog after one of its reporters sent in a swab sample – from her own cheek.
According to the results from the Toronto-based company, WBZ News reporter Christina Hager is 40% Alaskan malamute, 35% shar-pei and 25% labrador.
This, apparently, raises questions about the accuracy of dog breed identification by DNA. Actually, it kinda raises questions about claims linking human DNA to geographic places, too. (YDNA and MtDNA tracing is fine, but clearly the use of general markers leaves a lot to be desired.)
173151202
submission
jd writes:
The Register has been running a series of articles about the evolution of Unix, from humble beginnings to the transition to Plan9. There is a short discussion of why Plan9 and its successors never really took off (despite being vastly superior to microkernels), along with the ongoing development of 9Front.
From TFA:
Plan 9 was in some way a second implementation of the core concepts of Unix and C, but reconsidered for a world of networked graphical workstations. It took many of the trendy ideas of late-1980s computing, both of academic theories and of the computer industry of the time, and it reinterpreted them through the jaded eyes of two great gurus, Kenneth Thompson and Dennis Ritchie (and their students) – arguably, design geniuses who saw their previous good ideas misunderstood and misinterpreted.
In Plan 9, networking is front and center. There are good reasons why this wasn't the case with Unix – it was being designed and built at the same time as local area networking was being invented. UNIX Fourth Edition, the first version written in C, was released in 1973 – the same year as the first version of Ethernet.
Plan 9 puts networking right into the heart of the design. While Unix was later used as the most common OS for standalone workstations, Plan 9 was designed for clusters of computers, some being graphical desktops and some shared servers.
Because everything really is a file, displaying a window on another machine can be as simple as making a directory and populating it with some files. You can start programs on other computers, but display the results on yours – all without any need for X11 or any visible networking at all.
This means all the Unixy stuff about telnet and rsh and ssh and X forwarding and so on just goes away. It makes X11 look very overcomplicated, and it makes Wayland look like it was invented by Microsoft.
173043212
submission
jd writes:
It turns out that ZFS has had a bug that corrupts data for some time, but the bug has largely gone unnoticed. The issue involves ZFS send/receive operations on encrypted partitions. The article goes on to say that ZFS encryption is not considered ready for enterprise use. Given that ZFS is considered the premier enterprise FS, that's a little bit worrying, especially as Microsoft's ReFS is catching up in capabilities.
What, however, is perhaps more interesting is that bugs, old and new, are being catalogued and addressed much more quickly now that core development is done under Linux, even though it is not mainstreamed in the kernel.
172699543
submission
jd writes:
Crystals-Kyber was chosen to be the US government's post-quantum cryptography system of choice last year, but a side-channel attack has been identified.
From TFA, NIST says that this is an implementation-specific attack (the reference implementation) and not a vulnerability in Kyber itself.
From TFA:
The exploit relates to "side-channel attacks on up to the fifth-order masked implementations of CRYSTALS-Kyber in ARM Cortex-M4 CPU," Elena Dubrova, Kalle Ngo, and Joel Gärtner of KTH Royal Institute of Technology said in a paper.
CRYSTALS-Kyber is one of four post-quantum algorithms selected by the U.S. National Institute of Standards and Technology (NIST) after a rigorous multi-year effort to identify a set of next-generation encryption standards that can withstand huge leaps in computing power.
One of the popular countermeasures to harden cryptographic implementations against physical attacks is masking, which randomizes the computation and detaches the side-channel information from the secret-dependent cryptographic variables.
The attack method devised by the researchers involves a neural network training method called recursive learning to help recover message bits with a high probability of success.
The researchers also developed a new message recovery method called cyclic rotation that manipulates ciphertexts to increase the leakage of message bits, thereby boosting the success rate and making it possible to extract the session key.
"Such a method allows us to train neural networks that can recover a message bit with the probability above 99% from high-order masked implementations," they added.
When reached for comment, NIST told The Hacker News that the approach does not break the algorithm itself and that the findings don't affect the standardization process of CRYSTALS-Kyber.
On the mailing list, D. J. Bernstein added this:
I've been recently carrying out code analysis for some of the KEM implementations submitted to SUPERCOP. In the case of kyber*/ref, I noticed various "/KYBER_Q" occurrences with variable inputs. In at least one case, line 190 of crypto_kem/kyber768/ref/poly.c, this is clearly a secret input. I'd expect measurable, possibly exploitable, timing variations
172537879
submission
jd writes:
Ars Technica is reporting a newly-discovered man-in-the-middle attack against SSH. This only works if you are using "ChaCha20-Poly1305" or "CBC with Encrypt-then-MAC", so it isn't a universal flaw. The CVE numbers for this vulnerability are CVE-2023-48795, CVE-2023-46445, and CVE-2023-46446.
From TFA:
At its core, Terrapin works by altering or corrupting information transmitted in the SSH data stream during the handshake—the earliest stage of a connection, when the two parties negotiate the encryption parameters they will use to establish a secure connection. The attack targets the BPP, short for Binary Packet Protocol, which is designed to ensure that adversaries with an active position can't add or drop messages exchanged during the handshake. Terrapin relies on prefix truncation, a class of attack that removes specific messages at the very beginning of a data stream.
The Terrapin attack is a novel cryptographic attack targeting the integrity of the SSH protocol, the first-ever practical attack of its kind, and one of the very few attacks against SSH at all. The attack exploits weaknesses in the specification of SSH paired with widespread algorithms, namely ChaCha20-Poly1305 and CBC-EtM, to remove an arbitrary number of protected messages at the beginning of the secure channel, thus breaking integrity. In practice, the attack can be used to impede the negotiation of certain security-relevant protocol extensions. Moreover, Terrapin enables more advanced exploitation techniques when combined with particular implementation flaws, leading to a total loss of confidentiality and integrity in the worst case.