Submission Summary: 0 pending, 27 declined, 12 accepted (39 total, 30.77% accepted)

Submission + - Users ditch Glassdoor, stunned by site adding real names without consent (arstechnica.com)

waspleg writes: Glassdoor, where employees go to leave anonymous reviews of employers, has recently begun adding real names to user profiles without users' consent.

Glassdoor acquired Fishbowl, a professional networking app that integrated with Glassdoor last July. This acquisition meant that every Glassdoor user was automatically signed up for a Fishbowl account. And because Fishbowl requires users to verify their identities, Glassdoor's terms of service changed to require all users to be verified.

Ever since Glassdoor's integration with Fishbowl, Glassdoor's terms say that Glassdoor "may update your Profile with information we obtain from third parties. We may also use personal data you provide to us via your resume(s) or our other services." This effort to gather information on Fishbowl users includes Glassdoor staff consulting publicly available sources to verify information that is then used to update Glassdoor users' accounts.

Submission + - AMD 'Zenbleed' Bug Leaks Data From Zen 2 Ryzen, EPYC CPUs (tomshardware.com)

waspleg writes: Tavis Ormandy, a researcher with Google Information Security, posted today about a new vulnerability he independently found in AMD's Zen 2 processors. The 'Zenbleed' vulnerability spans the entire Zen 2 product stack, including AMD's EPYC data center processors and the Ryzen 3000/4000/5000 CPUs, allowing the theft of protected information from the CPU, such as encryption keys and user logins. The attack does not require physical access to the computer or server and can even be executed via JavaScript on a webpage.

The Zenbleed vulnerability is filed as CVE-2023-20593 and allows data exfiltration (theft) at a rate of 30kb per core, per second, thus providing adequate throughput to steal sensitive information flowing through the processor. This attack works across all software running on the processor, including virtual machines, sandboxes, containers, and processes. The ability for this attack to read data across virtual machines is particularly threatening for cloud service providers and those who use cloud instances.

"The bug works like this, first of all you need to trigger something called the XMM Register Merge Optimization, followed by a register rename and a mispredicted vzeroupper. This all has to happen within a precise window to work.

We now know that basic operations like strlen, memcpy and strcmp will use the vector registers — so we can effectively spy on those operations happening anywhere on the system! It doesn’t matter if they’re happening in other virtual machines, sandboxes, containers, processes, whatever!

This works because the register file is shared by everything on the same physical core. In fact, two hyperthreads even share the same physical register file," says Ormandy.

TFA has a long list of affected models and patch date estimations.
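The first question an operator asks after reading the above is whether any of their hosts carry Zen 2 cores at all. The following triage helper is an added example for this page, not code from the article or from Ormandy's writeup: it parses /proc/cpuinfo text and flags logical CPUs that identify as AMD family 0x17 in the model ranges Zen 2 occupies. The model ranges (0x30-0x4f, 0x60-0x7f, 0x90-0x91, 0xa0-0xaf) are an assumption taken from how the Linux kernel classifies Zen 2, not from the article; the sample /proc/cpuinfo text is constructed, and a hit only means "potentially affected," since whether the microcode or BIOS fix from the patch list is installed must be checked separately.

```python
"""Flag AMD Zen 2 logical CPUs in /proc/cpuinfo output (Zenbleed triage).

Added example for this page, not code from the article or from Tavis
Ormandy. ASSUMPTION: Zen 2 is AMD family 0x17 with the model ranges the
Linux kernel uses for its Zen 2 classification (0x30-0x4f, 0x60-0x7f,
0x90-0x91, 0xa0-0xaf). A hit means "potentially affected by
CVE-2023-20593"; patch status (microcode/BIOS) is a separate check.
"""
from typing import Dict, List

ZEN2_MODEL_RANGES = ((0x30, 0x4F), (0x60, 0x7F), (0x90, 0x91), (0xA0, 0xAF))


def parse_cpuinfo(text: str) -> List[Dict[str, str]]:
    """Split /proc/cpuinfo text into one key -> value dict per logical CPU.

    Blocks are separated by blank lines; each line is "key<tabs>: value".
    """
    cpus: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                cpus.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    if cur:
        cpus.append(cur)
    return cpus


def is_zen2(cpu: Dict[str, str]) -> bool:
    """True if this logical CPU reports as AMD family 0x17 in a Zen 2 model range."""
    if cpu.get("vendor_id") != "AuthenticAMD":
        return False
    try:
        family = int(cpu["cpu family"])
        model = int(cpu["model"])
    except (KeyError, ValueError):
        return False
    if family != 0x17:
        return False
    return any(lo <= model <= hi for lo, hi in ZEN2_MODEL_RANGES)


def zenbleed_candidates(text: str) -> List[int]:
    """Return the 'processor' numbers of logical CPUs that look like Zen 2."""
    return [int(cpu.get("processor", -1)) for cpu in parse_cpuinfo(text) if is_zen2(cpu)]


# Constructed sample, not captured from a real host: one Zen 2 EPYC core
# (family 23, model 49 = 0x31, "Rome"), one Zen 3 desktop core (family 25,
# model 33 = 0x21), one Intel core. Only processor 0 should be flagged.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 49
model name\t: AMD EPYC 7302 16-Core Processor

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 33
model name\t: AMD Ryzen 9 5900X 12-Core Processor

processor\t: 2
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 158
model name\t: Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz
"""

if __name__ == "__main__":
    import sys

    # Pass --live to read the real /proc/cpuinfo instead of the sample.
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        with open("/proc/cpuinfo") as f:
            text = f.read()
    else:
        text = SAMPLE_CPUINFO
    hits = zenbleed_candidates(text)
    print("Zen 2 logical CPUs (potentially affected):", hits or "none")
```

Note that the Ryzen 9 5900X in the constructed sample is not flagged even though the article lists "Ryzen 5000": the desktop 5000 parts are Zen 3 (family 0x19), while the Zen 2 members of that series are the mobile APUs, which is why matching on family and model rather than on the marketing name matters.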

Submission + - Dev Boots Linux 292,612 Times to Find Kernel Bug (tomshardware.com)

waspleg writes: Red Hat Linux developer Richard WM Jones has shared an eyebrow-raising tale of Linux bug hunting. Jones noticed that Linux 6.4 has a bug which means it will hang on boot about 1 in 1,000 times. Jones set out to pinpoint the bug, and prove he had caught it red-handed. However, his headlining travail, involving booting Linux 292,612 times (and another 1,000 times to confirm the bug) apparently "only took 21 hours." It also seems that the bug is less common with Intel hardware than AMD based machines.

Submission + - The story behind Google's in-house desktop Linux (computerworld.com)

waspleg writes: For more than a decade, Google has been baking and eating its own homemade Linux desktop distribution. The first version was Goobuntu. (As you'd guess from the name, it was based on Ubuntu.)

In 2018, Google moved its in-house Linux desktop from Goobuntu to a new Linux distro, the Debian-based gLinux. Why? Because, as Google explained, Ubuntu's Long Term Support (LTS) two-year release "meant that we had to upgrade every machine in our fleet of over 100,000 devices before the end-of-life date of the OS."

That was a pain. Add in the time-consuming need to fully customize engineers' PCs, and Google decided that it cost too much. Besides, the "effort to upgrade our Goobuntu fleet usually took the better part of a year. With a two-year support window, there was only one year left until we had to go through the same process all over again for the next LTS. This entire process was a huge stress factor for our team, as we got hundreds of bugs with requests for help for corner cases."

So, when Google had enough of that, it moved to Debian Linux (though not just vanilla Debian). The company created a rolling Debian distribution: gLinux Rolling Debian Testing (Rodete). The idea is that users and developers are best served by giving them the latest updates and patches as they're created and deemed ready for production.

To make all this work without a lot of blood, sweat, and tears, Google created a new workflow system, Sieve. Whenever Sieve spots a new version of a Debian package, it starts a new build. These packages are built in package groups since separate packages often must be upgraded together. Once the whole group has been built, Google runs a virtualized test suite to ensure no core components and developer workflows are broken. Next, each group is tested separately with a full system installation, boot, and local test suite run. The package builds complete within minutes, but testing can take up to an hour.

Google's "improved testing suite and integration tests with key partner teams that run critical developer systems also yielded a more stable experience using a Linux distribution that provides the latest versions of the Linux Kernel. Our strong longing for automating everything in the pipeline has significantly reduced toil and stress within the team. It is now also possible for us to report bugs and incompatibilities with other library versions while making sure that Google tools work better within the Linux ecosystem."

Looking ahead, Google's team declared that it’ll work "more closely with upstream Debian and contribute more of our internal patches to maintain the Debian package ecosystem."

Submission + - Fedora sours on Creative Commons 'No Rights Reserved' license (theregister.com)

waspleg writes: Lack of patent rights waiver in CC0 cited as problematic

In order to support the wide re-use of copyrighted content in new works, CC0 provides authors "a way to waive all their copyright and related rights in their works to the fullest extent allowed by law." The license arose in response to the 1998 Sonny Bono Copyright Term Extension Act (CTEA), which extended the duration of copyright by 20 years at the expense of the public domain.

But CC0 explicitly says the licensor does not waive patent rights, which for free and open source software (FOSS) is a potential problem. That means, for instance, as described here, if you use CC0-licensed code in your project, and the author of that code later claims your project is infringing a patent they own regarding that code, your defense will be limited.

Avoiding the use of CC0-licensed code is one way to steer clear of these so-called submarine patents that could years later torpedo you.

In an email to The Register, Bruce Perens, co-founder of the Open Source Initiative, drafter of the original Open Source Definition (OSD), and presently CEO of software-defined radio firm Algoram, said that there's a lot of background to this issue.

Submission + - Objective Reality May Not Exist at All, Quantum Physicists Say (popularmechanics.com)

waspleg writes: “We used nuclear magnetic resonance techniques similar to those used in medical imaging,” Roberto M. Serra, a quantum information science and technology researcher at UFABC, who led the experiment, tells Popular Mechanics. Particles like protons, neutrons, and electrons all have a nuclear spin, which is a magnetic property analogous to the orientation of a needle in a compass. “We manipulated these nuclear spins of different atoms in a molecule employing a type of electromagnetic radiation. In this setup, we created a new interference device for a proton nuclear spin to investigate its wave and particle reality in the quantum realm,” Serra explains.

“This new arrangement produced exactly the same observed statistics as previous quantum delayed-choice experiments,” Pedro Ruas Dieguez, now a postdoctoral research fellow at the International Centre for Theory of Quantum Technologies (ICTQT) in Poland, who was part of the study, tells Popular Mechanics. “However, in the new configuration, we were able to connect the result of the experiment with the way waves and particles behave in a way that verifies Bohr’s complementarity principle,” Dieguez continues.

The main takeaway from the April 2022 study is that physical reality in the quantum world is made of mutually exclusive entities that, nonetheless, do not contradict but complete each other.

Submission + - Wikipedia community votes to stop accepting cryptocurrency donations (arstechnica.com)

waspleg writes: More than 200 long-time Wikipedia editors have requested that the Wikimedia Foundation stop accepting cryptocurrency donations. The foundation received crypto donations worth about $130,000 in the most recent fiscal year—less than 0.1 percent of the foundation's revenue, which topped $150 million last year.

In her proposal for the Wikimedia Foundation, GorillaWarfare added that "Bitcoin and Ethereum are the two most highly used cryptocurrencies, and are both proof-of-work, using an enormous amount of energy."

According to one widely cited estimate, the bitcoin network consumes around 200 TWh of energy per year. That's about as much energy as is consumed by 70 million people in Thailand. And it works out to around 2,000 kWh per bitcoin transaction.

Bitcoin defenders countered that bitcoin's energy usage is driven by its mining process, which consumes about the same amount of energy regardless of the number of transactions. So accepting any given bitcoin donation won't necessarily lead to more carbon emissions.

But cryptocurrency critics argued that Wikimedia's de facto endorsement of cryptocurrencies may help to push up their price. And the more expensive bitcoin is, the more energy miners will devote to creating new ones.

If the foundation complies with the community's request, it wouldn't be the first organization to stop using cryptocurrencies due to environmental concerns. Earlier this month, the Mozilla Foundation announced it would stop accepting cryptocurrencies that use the energy-intensive proof-of-work consensus process. These include bitcoin and ether—though the latter is expected to convert to a proof-of-stake model in the future.

Submission + - Microsoft releases emergency OOB updates to roll back January Patch issues (bleepingcomputer.com)

waspleg writes: "This update addresses issues related to VPN connectivity, Windows Server Domain Controllers restarting, Virtual Machines start failures, and ReFS-formatted removable media failing to mount."

All OOB updates released today are available for download on the Microsoft Update Catalog, and some of them can also be installed directly through Windows Update as optional updates.

You will have to manually check for updates if you want to install the emergency fixes through Windows Update because they are optional updates and will not install automatically.

According to admin reports, Windows domain controllers were being plagued by spontaneous reboots, Hyper-V was no longer starting on Windows servers, and Windows Resilient File System (ReFS) volumes were no longer accessible after deploying the January 2021 updates.

Windows 10 users and administrators also reported problems with L2TP VPN connections after installing the recent Windows 10 and Windows 11 cumulative updates and seeing "Can't connect to VPN." errors.

However, since Microsoft also bundles all the security updates with these Windows cumulative updates, removing them will also remove all fixes for vulnerabilities patched during the January 2021 Patch Tuesday.

Windows admins and users need to consider the risks of unpatched vulnerabilities impacting their systems versus the disruption caused by the issues stemming from this month's Windows updates.

Submission + - X-ray analysis confirms forged date on Lincoln pardon of Civil War soldier (arstechnica.com)

waspleg writes: A document containing President Abraham Lincoln's signed pardon of a Civil War soldier has been the source of much controversy since its 1998 discovery, after historians concluded that the date had likely been altered to make the document more historically significant. A new analysis by scientists at the National Archives has confirmed that the date was indeed forged (although the pardon is genuine), according to a November paper published in the journal Forensic Science International: Synergy. The authors also concluded that there is no way to restore the document to its original state without causing further damage.

Someone trusted decided they wanted to be famous and got caught. The story goes through the analysis of how it was verified to be a forgery using several techniques.

Submission + - Firefox now shows ads as sponsored address bar suggestions (bleepingcomputer.com)

waspleg writes: Mozilla is now showing ads in the form of sponsored Firefox contextual suggestions when U.S. users type in the URL address bar. Mozilla says the feature was introduced with Firefox 92 in September to fund development and optimization.

Although Mozilla describes Firefox Suggest contextual suggestions as opt-in, in BleepingComputer's tests and from what users have reported, the feature is on by default.

Furthermore, Firefox doesn't tag the ads displayed via Firefox Suggest. There is no clear way to tell what a sponsored suggestion looks like versus a regular, unsponsored one.

The only way Firefox users will know whether a sponsored suggestion is an ad would be by looking at the URL, but, in many cases, the URL is not clearly visible.

Submission + - Al Jazeera America Terminates All TV and Digital Operations (theintercept.com)

waspleg writes: Executives of Al Jazeera America (AJAM) held a meeting at 2 p.m. Eastern Time to tell their employees that the company is terminating all news and digital operations in the U.S. as of April 2016, resulting in the loss of hundreds of jobs.

AJAM has been losing staggering sums of money from the start. That has become increasingly untenable as the network’s owner and funder, the government of Qatar, is now economically struggling due to low oil prices. The decision was made recently to terminate AJAM, which allows the network to terminate all of its cumbersome distribution contracts with cable companies, and re-launch its successful Al Jazeera English inside the U.S.
