The long-running Advent of Code site just entered its 10th year, with 162,809 people completing both of its Day One puzzles (which involve a hunt for the missing historian of the North Pole). But its not the only site offering Christmas-themed programming puzzles:

• Hundreds of SQL lovers are trying the daily challenges from the "Advent of SQL" site.

• You can sign up for daily emails with webdev challenges from the Advent of JavaScript and Advent of CSS sites.

• The "Advent of No-Code" site challenges you to build something new every day using no-code tools like AI-powered dev environments or the social coding site Val Town.

• TryHackMe.com is publishing "beginner-friendly, daily gamified cyber security challenges" in an event they're calling the "Advent of Cyber."

• And Norway's biggest chess club (founded by world champion Magnus Carlsen) has even launched a site with daily chess puzzles called — what else? — Advent of Chess. (It promises at the end of the event someone will win a chessboard signed by Magnus Carlsen).

An anonymous reader shared this report from NBC News: Amid an unprecedented cyberattack on telecommunications companies such as AT&T and Verizon, U.S. officials have recommended that Americans use encrypted messaging apps to ensure their communications stay hidden from foreign hackers...

In the call Tuesday, two officials — a senior FBI official who asked not to be named and Jeff Greene, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency — both recommended using encrypted messaging apps to Americans who want to minimize the chances of China's intercepting their communications. "Our suggestion, what we have told folks internally, is not new here: Encryption is your friend, whether it's on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible," Greene said. The FBI official said, "People looking to further protect their mobile device communications would benefit from considering using a cellphone that automatically receives timely operating system updates, responsibly managed encryption and phishing resistant" multi-factor authentication for email, social media and collaboration tool accounts...

The FBI and other federal law enforcement agencies have a complicated relationship with encryption technology, historically advocating against full end-to-end encryption that does not allow law enforcement access to digital material even with warrants. But the FBI has also supported forms of encryption that do allow some law enforcement access in certain circumstances.
Officials said the breach seems to include some live calls of specfic targets and also call records (showing numbers called and when). "The hackers focused on records around the Washington, D.C., area, and the FBI does not plan to alert people whose phone metadata was accessed."

"The scope of the telecom compromise is so significant, Greene said, that it was 'impossible" for the agencies "to predict a time frame on when we'll have full eviction.'"

China-linked spies are still lurking inside U.S. telecommunications networks roughly six months after American officials started investigating the intrusions, senior officials told reporters Tuesday. From a report: This is the first time U.S. officials have confirmed reports that Salt Typhoon hackers still have access to critical infrastructure -- and they're proving difficult to kick out. Officials added that they don't yet know the full scope of the intrusions, despite starting the investigation in late spring.

The Cybersecurity and Infrastructure Security Agency and FBI released guidance Tuesday for the communications sector to harden their networks against Chinese state-sponsored hackers. The guide includes basic steps like maintaining logs of activity on the network, keeping an inventory of all devices in the telecom's environment and changing any default equipment passwords. The hack has given Salt Typhoon unprecedented access to records from U.S. telecommunications networks about who Americans are communicating with, a senior FBI official told reporters during a briefing.

The Federal Trade Commission on Tuesday announced sweeping action against some of the most important companies in the location data industry, including those that power surveillance tools used by a wide spread of U.S. law enforcement agencies and demanding they delete data related to certain sensitive areas like health clinics and places of worship. From a report: Venntel, through its parent company Gravy Analytics, takes location data from smartphones, either through ordinary apps installed on them or through the advertising ecosystem, and then provides that data feed to other companies who sell location tracking technology to the government or sells the data directly itself.

Venntel is the company that provides the underlying data for a variety of other government contractors and surveillance tools, including Locate X. 404 Media and a group of other journalists recently revealed Locate X could be used to pinpoint phones that visited abortion clinics. The FTC says in a proposed order that Gravy and Venntel will be banned from selling, disclosing, or using sensitive location data, except in "limited circumstances" involving national security or law enforcement.

The cyber risks facing the United Kingdom are being "widely underestimated," the country's new cyber chief will warn on Tuesday as he launches the National Cyber Security Centre's (NCSC) annual review. From a report: In his first major speech since joining the NCSC -- part of the signals and cyber intelligence agency GCHQ -- Richard Horne will drive a shift in tone in how the cybersecurity agency communicates these risks. Despite some evidence showing cyberattacks growing year-on-year for half a decade, the NCSC has not previously confirmed the trend nor expressed alarm about it.

"What has struck me more forcefully than anything else since taking the helm at the NCSC is the clearly widening gap between the exposure and threat we face, and the defences that are in place to protect us," Horne will say, according to an advance preview of his speech on Tuesday. Citing the intelligence that NCSC has access to as an agency within GCHQ, Horne will warn that "hostile activity in UK cyberspace has increased in frequency, sophistication and intensity," adding that despite growing activity from Russian and Chinese threat actors, the agency believes British society as a whole is failing to appreciate the severity of the risk. The annual review reveals that the agency's incident management team handled a record number of cyber incidents over the past 12 months -- 430 compared to 371 last year -- 89 of which were considered nationally significant incidents.

China banned exports of minerals and metals used in semiconductor manufacturing and military applications to the United States on Tuesday, escalating tensions in the growing technology trade war between the world's two largest economies.

The commerce ministry halted shipments of gallium, germanium, antimony and related compounds, citing national security concerns. These materials are crucial components in advanced electronics and military hardware, with China controlling 98% of global gallium production and 60% of germanium output, according to U.S. Geological Survey data. The move comes in direct response to Washington's new restrictions on semiconductor exports to China, including controls on high-bandwidth memory chips used in AI systems and limits on manufacturing equipment sales.

An anonymous reader shared this report from Reuters: The rapid increase in satellites and space junk will make low Earth orbit unusable unless companies and countries cooperate and share the data needed to manage that most accessible region of space, experts and industry insiders said. A United Nations panel on space traffic coordination in late October determined that urgent action was necessary and called for a comprehensive shared database of orbital objects as well as an international framework to track and manage them. More than 14,000 satellites including some 3,500 inactive surround the globe in low Earth orbit, showed data from U.S.-based Slingshot Aerospace. Alongside those are about 120 million pieces of debris from launches, collisions and wear-and-tear of which only a few thousand are large enough to track... [T]here is no centralised system that all space-faring nations can leverage and even persuading them to use such a system has many obstacles. Whereas some countries are willing to share data, others fear compromising security, particularly as satellites are often dual-use and include defence purposes. Moreover, enterprises are keen to guard commercial secrets.

In the meantime, the mess multiplies. A Chinese rocket stage exploded in August, adding thousands of fragments of debris to low Earth orbit. In June, a defunct Russian satellite exploded, scattering thousands of shards which forced astronauts on the International Space Station to take shelter for an hour... Projections point to tens of thousands more satellites entering orbit in the coming years. The potential financial risk of collisions is likely to be $556 million over five years, based on a modelled scenario with a 3.13% annual collision probability and $111 million in yearly damages, said Montreal-based NorthStar Earth & Space...

[Aarti Holla-Maini, director of the U.N . Office for Outer Space Affairs], said the October panel aimed to bring together public- and private-sector experts to outline steps needed to start work on coordination. It will present its findings at a committee meeting next year. Global cooperation is essential to developing enforceable rules akin to those used by the International Civil Aviation Organization for air traffic, industry experts told Reuters. Such effort would involve the use of existing tools, such as databases, telescopes, radars and other sensors to track objects while improving coverage, early detection and data precision. Yet geopolitical tension and reluctance to share data with nations deemed unfriendly as well as commercial concerns over protecting proprietary information and competitive advantages remain significant barriers. That leaves operators of orbital equipment relying on informal or semi-formal methods of avoiding collisions, such as drawing on data from the U.S. Space Force or groups like the Space Data Association. However, this can involve issues such as accountability and inconsistent data standards.

"The top challenges are speed — as consensus-building takes time — and trust," Holla-Maini said. "Some countries simply can't communicate with others, but the U.N. can facilitate this process. Speed is our biggest enemy, but there's no alternative. It must be done."
Data from Slingshot Aerospace shows a 17% rise in close approaches per satellite over the past year, according to the article. (It adds that SpaceX data "showed Starlink satellites performed nearly 50,000 collision-avoidance manoeuvres in the first half of 2024, about double the previous six months...)

The European Space Agency, which has fewer spacecraft than SpaceX, said in 2021 its manoeuvres have increased to three or four times per craft versus a historical average of one."

Bluesky (Slashdot is on Bluesky here and Threads here) now has more active website users than Threads in the U.S., according to a graph from the Financial Times. And though Threads still leads in app usage, "Prior to November 5 Threads had five times more daily active users in the U.S. than Bluesky... Now, Threads is only 1.5 times larger than its rival, Similarweb said."

But "the influx of new users has opened up new opportunities for scammers and impersonators," Engadget reported this week: A recent analysis by Alexios Mantzarlis, director of the Security Trust and Safety Initiative at Cornell Tech found that 44 percent of the top 100 most-followed accounts on Bluesky had at least one "doppelganger," with most looking like "cheap knock-offs of the bigger account, down to the same bio and profile picture," Mantzarlis wrote in his newsletter Faked Up.
The article highlighted issues with Bluesky's loose account verification policies. And then, Bluesky announced a new change-of-policy Friday. Engadget reports: The Bluesky Safety account said that the social media service is removing accounts that are impersonating other people and those squatting on handles... Bluesky now requires parody, satire or fan accounts to label themselves as such in both their handles and their bio. If they don't, or if they only indicate the nature of their account in one of those elements, then they'll be treated as an impersonator and will be removed from the platform. Bluesky now explicitly prohibits identity churning, as well. Accounts that start as impersonators with the purpose of gaining new users, and who then switch to a different identity in an attempt to circumvent the ban, will still get booted off the app. Finally, it says it's exploring "additional options to enhance account verification," though they're not quite ready for rollout.
Bluesky says they've "quadrupled the size of our moderation team, in part to action impersonation reports more quickly. We still have a large backlog of moderation reports due to the influx of new users as we shared previously, though we are making progress." And in addition, "We are working behind the scenes to help many organizations and high-profile individuals set up their verified domain handles."

And there's another problem. "The EU's executive arm on Monday said Bluesky didn't provide information it was required to share under the bloc's Digital Services Act," reports Bloomberg. Bluesky responded that it's working to comply, " consulting with its lawyer to follow the EU's information disclosure rules, a Bluesky spokesperson wrote on Tuesday in an email." "All platforms in the EU have to have a dedicated page on their websites where it says how many user numbers they have in the EU and where they are legally established," Thomas Regnier, the commission's spokesperson on digital matters, told reporters. "This is not the case with Bluesky, so this is not followed...."

Under the DSA, platforms with more than 45 million users in the bloc qualify as "very large online platforms" and need to follow stricter content moderation rules under the commission's supervision. Breaches can result in fines of up to 6% of their global annual sales... Smaller platforms are still required to comply with the law, but are regulated by the EU country where they have a legal presence. That's so far unclear in the case of Bluesky, which was created expressly to avoid a centralized ownership structure.

The commission asked EU member countries' national authorities to investigate "and see if they can find any trace of Bluesky" in their jurisdictions, Regnier said

"Spacecraft, satellites, and space-based systems all face cybersecurity threats that are becoming increasingly sophisticated and dangerous," reports CNBC.

"With interconnected technologies controlling everything from navigation to anti-ballistic missiles, a security breach could have catastrophic consequences." Critical space infrastructure is susceptible to threats across three key segments: in space, on the ground segment and within the communication links between the two. A break in one can be a cascading failure for all, said Wayne Lonstein, co-founder and CEO at VFT Solutions, and co-author of Cyber-Human Systems, Space Technologies, and Threats. "In many ways, the threats to critical infrastructure on Earth can cause vulnerabilities in space," Lonstein said. "Internet, power, spoofing and so many other vectors that can cause havoc in space," he added. The integration of artificial intelligence into space projects has heightened the risk of sophisticated cyber attacks orchestrated by state actors and individual hackers. AI integration into space exploration allows more decision-making with less human oversight.

For example, NASA is using AI to target scientific specimens for planetary rovers. However, reduced human oversight could make these missions more prone to unexplained and potentially calamitous cyberattacks, said Sylvester Kaczmarek, chief technology officer at OrbiSky Systems, which specializes in the integration of AI, robotics, cybersecurity, and edge computing in aerospace applications. Data poisoning, where attackers feed corrupted data to AI models, is one example of what could go wrong, Kaczmarek said. Another threat, he said, is model inversion, where adversaries reverse-engineer AI models to extract sensitive information, potentially compromising mission integrity. If compromised, AI systems could be used to interfere with or take control of strategically important national space missions...

The U.S. government is tightening up the integrity and security of AI systems in space. The 2023 Cyberspace Solarium Commission report stressed the importance of designating outer space as a critical infrastructure sector, urging enhanced cybersecurity protocols for satellite operators... The rivalry between the U.S. and China includes the new battleground of space. As both nations ramp up their space ambitions and militarized capabilities beyond Earth's atmosphere, the threat of cyberattacks targeting critical orbital assets has become an increasingly pressing concern... Space-based systems increasingly support critical infrastructure back on Earth, and any cyberattacks on these systems could undermine national security and economic interests.

"A flaw in a WordPress anti-spam plugin with over 200,000 installations allows rogue plugins to be installed on affected websites," reports Search Engine Journal.

The authentication bypass vulnerability lets attackers gain full access to websites without a username or password, according to the article, and "Security researchers rated the vulnerability 9.8 out of 10, reflecting the high level of severity..." The flaw in the Spam protection, Anti-Spam, FireWall by CleanTalk plugin, was pinpointed by security researchers at Wordfence as caused by reverse DNS spoofing... [T]he attackers can trick the Ant-Spam plugin that the malicious request is coming from the website itself and because that plugin doesn't have a check for that the attackers gain unauthorized access... Wordfence recommends users of the affected plugin to update to version 6.44 or higher.
Thanks to Slashdot reader bleedingobvious for sharing the news.

From a new web project called IMG_0001: Between 2009 and 2012, iPhones had a built-in "Send to YouTube" button in the Photos app. Many of these uploads kept their default IMG_XXXX filenames, creating a time capsule of raw, unedited moments from random lives. Inspired by Ben Wallace, I made a bot that crawled YouTube and found 5 million of these videos! Watch them below, ordered randomly.
The Washington Post reports that it's the same 22-year-old software engineer who created Bop Spotter — that phone on a telephone pole using the Shazam app to identify songs people play in public.

And his new site includes only videos "posted before 2015, with fewer than 150 views each and durations shorter than 150 seconds." In about 12 hours total, Walz said, he coded a website that takes millions of these unedited, raw videos from more than nine years ago and serves them to viewers at random. The resulting project, titled IMG_0001 and hosted on his personal website, plays out like a glimpse into different worlds: Hit play and your first video may show teenagers practicing a dance in a high school hallway. That wraps up, and it rolls into footage of a dog frolicking in a snowy backyard...

Viewers were gripped by the videos' unfiltered nature, a contrast to the heavily produced and camera-aware content found on TikTok and YouTube today. Writer Ryan Broderick wrote in his newsletter Garbage Day that the project is "beautiful, haunting, funny, and sort of magical. Like staring into a security camera of the past." Mashable's Tim Marcin called it "the kind of authenticity that's all too rare online these days."

The website has more than 280,000 views and millions of video plays, Walz said — meaning plenty of viewers are sticking around to watch many of the videos.
The article includes an intesting observation from Christian Sandvig, a digital media professor at the University of Michigan. "The people who made the video might not even remember that they shared them!"

An anonymous reader quotes a report from Space.com: NASA scientists conducting surveys of arctic ice sheets in Greenland got an unprecedented view of an abandoned "city under the ice" built by the U.S. military during the Cold War. During a scientific flight in April 2024, a NASA Gulfstream III aircraft flew over the Greenland Ice Sheet carrying radar instruments to map the depth of the ice sheet and the layers of bedrock below it. The images revealed a new view of Camp Century, a Cold War-era U.S. military base consisting of a series of tunnels carved directly into the ice sheet.

As it turns out, this abandoned "secret city" was the site of a secret Cold War project known as Project Iceworm [that] called for the construction of 2,500 miles (4,023 km) of tunnels that could be used [for] nuclear intermediate range ballistic missiles (IRBMs) at the Soviet Union. "We were looking for the bed of the ice and out pops Camp Century. We didn't know what it was at first," said NASA's Chad Greene, a cryospheric scientist at the agency's Jet Propulsion Laboratory (JPL), in an agency statement. "In the new data, individual structures in the secret city are visible in a way that they've never been seen before." "Weapons, sewage, fuel and other contaminants were buried at Camp Century when it was abandoned, but the thawing Greenland Ice Sheet threatens to unbury these dangerous relics," reports Space.com. In 2017, the U.S. government issued a statement saying it "acknowledges the reality of climate change and the risk it poses" and will "work with the Danish government and the Greenland authorities to settle questions of mutual security" over Camp Century.

Scientists are using Camp Century to serve as a warning and a signpost to measure how climate change is affecting the area. You can learn more about Camp Century in a restored declassified U.S. Army film on YouTube.

A bipartisan group of 12 senators has urged the TSA inspector general to investigate the agency's use of facial recognition technology, citing concerns over privacy, civil liberties, and its expansion to over 430 airports without sufficient safeguards or proven effectiveness. Gizmodo reports: "This technology will soon be in use at hundreds of major and mid-size airports without an independent evaluation of the technology's precision or an audit of whether there are sufficient safeguards in place to protect passenger privacy," the senators wrote. The letter was signed by Jeffrey Merkley (D-OR), John Kennedy (R-LA), Ed Markey (D-MA), Ted Cruz (R-TX), Roger Marshall (R-Kansas), Ron Wyden (D-OR), Steve Daines (R-MT), Elizabeth Warren (D-MA), Bernie Sanders (I-VT), Cynthia Lummis (R-WY), Chris Van Hollen (D-MD), and Peter Welch (D-VT).

While the TSA's facial recognition program is currently optional and only in a few dozen airports, the agency announced in June that it plans to expand the technology to more than 430 airports. And the senators' letter quotes a talk given by TSA Administrator David Pekoske in 2023 in which he said "we will get to the point where we require biometrics across the board." [...] The latest letter urges the TSA's inspector general to evaluate the agency's facial recognition program to determine whether it's resulted in a meaningful reduction in passenger delays, assess whether it's prevented anyone on no-fly lists from boarding a plane, and identify how frequently it results in identity verification errors.

A security researcher discovered an unprotected database belonging to SL Data Services containing over 600,000 sensitive files, including criminal histories and background checks with names, addresses, and social media accounts. The Register reports: We don't know how long the personal information was openly accessible. Infosec specialist Jeremiah Fowler says he found the Amazon S3 bucket in October and reported it to the data collection company by phone and email every few days for more than two weeks. [The info service provider eventually closed up the S3 bucket, says Fowler, although he never received any response.] In addition to not being password protected, none of the information was encrypted, he told The Register. In total, the open bucket contained 644,869 PDF files in a 713.1 GB archive.

Some 95 percent of the documents Fowler saw were labeled "background checks," he said. These contained full names, home addresses, phone numbers, email addresses, employment, family members, social media accounts, and criminal record history belonging to thousands of people. In at least one of these documents, the criminal record indicated that the person had been convicted of sexual misconduct. It included case details, fines, dates, and additional charges. While court records and sex offender status are usually public records in the US, this exposed cache could be combined with other data points to make complete profiles of people -- along with their family members and co-workers -- providing everything criminals would need for targeted phishing and/or social engineering attacks.

An anonymous reader quotes a report from Ars Technica: Over the past decade, a new class of infections has threatened Windows users. By infecting the firmware that runs immediately before the operating system loads, these UEFI bootkits continue to run even when the hard drive is replaced or reformatted. Now the same type of chip-dwelling malware has been found in the wild for backdooring Linux machines. Researchers at security firm ESET said Wednesday that Bootkitty -- the name unknown threat actors gave to their Linux bootkit -- was uploaded to VirusTotal earlier this month. Compared to its Windows cousins, Bootkitty is still relatively rudimentary, containing imperfections in key under-the-hood functionality and lacking the means to infect all Linux distributions other than Ubuntu. That has led the company researchers to suspect the new bootkit is likely a proof-of-concept release. To date, ESET has found no evidence of actual infections in the wild.

Still, Bootkitty suggests threat actors may be actively developing a Linux version of the same sort of unkillable bootkit that previously was found only targeting Windows machines. "Whether a proof of concept or not, Bootkitty marks an interesting move forward in the UEFI threat landscape, breaking the belief about modern UEFI bootkits being Windows-exclusive threats," ESET researchers wrote. "Even though the current version from VirusTotal does not, at the moment, represent a real threat to the majority of Linux systems, it emphasizes the necessity of being prepared for potential future threats." [...] As ESET notes, the discovery is nonetheless significant because it demonstrates someone -- most likely a malicious threat actor -- is pouring resources and considerable know-how into creating working UEFI bootkits for Linux. Currently, there are few simple ways for people to check the integrity of the UEFI running on either Windows or Linux devices. The demand for these sorts of defenses will likely grow in the coming years.

An anonymous reader quotes a report from KrebsOnSecurity: Two men have been arrested for allegedly stealing data from and extorting dozens of companies that used the cloud data storage company Snowflake, but a third suspect -- a prolific hacker known as Kiberphant0m -- remains at large and continues to publicly extort victims. However, this person's identity may not remain a secret for long: A careful review of Kiberphant0m's daily chats across multiple cybercrime personas suggests they are a U.S. Army soldier who is or was recently stationed in South Korea.

Kiberphant0m's identities on cybercrime forums and on Telegram and Discord chat channels have been selling data stolen from customers of the cloud data storage company Snowflake. At the end of 2023, malicious hackers discovered that many companies had uploaded huge volumes of sensitive customer data to Snowflake accounts that were protected with nothing more than a username and password (no multi-factor authentication required). After scouring darknet markets for stolen Snowflake account credentials, the hackers began raiding the data storage repositories for some of the world's largest corporations. Among those was AT&T, which disclosed in July that cybercriminals had stolen personal information, phone and text message records for roughly 110 million people. Wired.com reported in July that AT&T paid a hacker $370,000 to delete stolen phone records.

On October 30, Canadian authorities arrested Alexander Moucka, a.k.a. Connor Riley Moucka of Kitchener, Ontario, on a provisional arrest warrant from the United States, which has since indicted him on 20 criminal counts connected to the Snowflake breaches. Another suspect in the Snowflake hacks, John Erin Binns, is an American who is currently incarcerated in Turkey. Investigators say Moucka, who went by the handles Judische and Waifu, had tasked Kiberphant0m with selling data stolen from Snowflake customers who refused to pay a ransom to have their information deleted. Immediately after news broke of Moucka's arrest, Kiberphant0m was clearly furious, and posted on the hacker community BreachForums what they claimed were the AT&T call logs for President-elect Donald J. Trump and for Vice President Kamala Harris. [...] Also on Nov. 5, Kiberphant0m offered call logs stolen from Verizon's push-to-talk (PTT) customers -- mainly U.S. government agencies and emergency first responders. Kiberphant0m denies being in the U.S. Army and said all these clues were "a lengthy ruse designed to create a fictitious persona," reports Krebs.

"I literally can't get caught," Kiberphant0m said, declining an invitation to explain why. "I don't even live in the USA Mr. Krebs." A mind map illustrates some of the connections between and among Kiberphant0m's apparent alter egos.

Chinese companies are aggressively recruiting foreign tech talent as a key strategy to gain technological supremacy, prompting national security concerns across Western nations and Asia, WSJ reported Wednesday, citing multiple intelligence officials and corporate sources. The campaign focuses particularly on advanced semiconductor expertise, with companies like Huawei offering triple salaries to employees at critical firms like Zeiss SMT and ASML, which produce essential components for cutting-edge chip manufacturing.

These recruitment efforts intensified after Western export controls restricted China's access to advanced technology. While Taiwan and South Korea have implemented strict countermeasures, including criminal penalties for illegal talent transfers, the U.S. and Europe struggle to balance open labor markets with national security concerns.

Chinese firms often obscure their origins through local ventures and persistent recruitment tactics. The strategy has shown results: Former employees have helped Chinese companies advance their technological capabilities, including SMIC's development of 7nm chips with help from ex-TSMC talent.

Nearly 89% of smart device manufacturers fail to disclose how long they will provide software updates for their products, a Federal Trade Commission staff study found this week. The review of 184 connected devices, including hearing aids, security cameras and door locks, revealed that 161 products lacked clear information about software support duration on their websites.

Basic internet searches failed to uncover this information for two-thirds of the devices. "Consumers stand to lose a lot of money if their smart products stop delivering the features they want," said Samuel Levine, Director of the FTC's Bureau of Consumer Protection. The agency warned that manufacturers' failure to provide software update information for warranted products costing over $15 may violate the Magnuson Moss Warranty Act. The FTC also cautioned that companies could violate the FTC Act if they misrepresent product usability periods. The study excluded laptops, personal computers, tablets and automobiles from its review.

An anonymous reader quotes a report from TechCrunch: Security researchers have uncovered two previously unknown zero-day vulnerabilities that are being actively exploited by RomCom, a Russian-linked hacking group, to target Firefox browser users and Windows device owners across Europe and North America. RomCom is a cybercrime group that is known to carry out cyberattacks and other digital intrusions for the Russian government. The group -- which was last month linked to a ransomware attack targeting Japanese tech giant Casio -- is also known for its aggressive stance against organizations allied with Ukraine, which Russia invaded in 2014.

Researchers with security firm ESET say they found evidence that RomCom combined use of the two zero-day bugs -- described as such because the software makers had no time to roll out fixes before they were used to hack people -- to create a "zero click" exploit, which allows the hackers to remotely plant malware on a target's computer without any user interaction. "This level of sophistication demonstrates the threat actor's capability and intent to develop stealthy attack methods," ESET researchers Damien Schaeffer and Romain Dumont said in a blog post on Monday. [...] Schaeffer told TechCrunch that the number of potential victims from RomCom's "widespread" hacking campaign ranged from a single victim per country to as many as 250 victims, with the majority of targets based in Europe and North America. Mozilla and the Tor Project quickly patched a Firefox-based vulnerability after being alerted by ESET, with no evidence of Tor Browser exploitation. Meanwhile, Microsoft addressed a Windows vulnerability on November 12 following a report by Google's Threat Analysis Group, indicating potential use in government-backed hacking campaigns.

An anonymous reader quotes a report from IEEE Spectrum: Virtual- and augmented-reality setups already modify the way users see and hear the world around them. Add in haptic feedback for a sense of touch and a VR version of Smell-O-Vision, and only one major sense remains: taste. To fill the gap, researchers at the City University of Hong Kong have developed a new interface to simulate taste in virtual and other extended reality (XR). The group previously worked on other systems for wearable interfaces, such as haptic and olfactory feedback. To create a more "immersive VR experience," they turned to adding taste sensations, says Yiming Liu, a coauthor of the group's research paper published today in the Proceedings of the National Academy of Sciences.

The lollipop-shaped lickable device can produce nine different flavors: sugar, salt, citric acid, cherry, passion fruit, green tea, milk, durian, and grapefruit. Each flavor is produced by food-grade chemicals embedded in a pocket of agarose gel. When a voltage is applied to the gel, the chemicals are transported to the surface in a liquid that then mixes with saliva on the tongue like a real lollipop. Increase the voltage, and get a stronger flavor. Initially, the researchers tested several methods for simulating taste, including electrostimulating the tongue. The other methods each came with limitations, such as being too bulky or less safe, so the researchers opted for chemical delivery through a process called iontophoresis, which moves chemicals and ions through hydrogels and has a low electrical-power requirement. With a 2-volt maximum, the device is well within the human safety limit of 30 V, which is considered enough to deliver a substantial shock in some situations. Some of the possible applications mentioned by the authors include gustation tests, virtual grocery shopping, and immersive environments for exploring food flavors. However, the current system is limited to one hour of use due to gel depletion and it only supports a handful of flavor channels.

Future development aims to extend operation time, increase flavor complexity, and improve usability, marking the beginning of a new frontier for XR interfaces.