Medicine

Research Finds That Renting Ages You Faster Than Smoking, Obesity

schwit1 shares a report from the New York Post: A landmark study out of the University of Adelaide and University of Essex has found that living in a private rental property accelerates the biological aging process by more than two weeks every year. The research found renting had worse effects on biological age than being unemployed (adding 1.4 weeks per year), obesity (adding 1 week per year), or being a former smoker (adding about 1.1 weeks). University of Adelaide Professor of Housing Research Emma Baker said private renting added "about two-and-a-half weeks of aging" per year to a person's biological clock, compared to those who own their homes.

"In fact, private rental is the really interesting thing here, because social renters, for some reason, don't seem to have that effect," Professor Baker told the ABC News Daily podcast. She said the security of social renting -- aka public housing -- and homeownership has compared to people living with an end-of-lease date on their calendars. "When you look at big studies of the Australian population, you see that the average rental lease is between six and 12 months," she said. "So even if you have your lease extended, you still are living in that slight state of kind of unknowingness, really not quite secure if your lease is actually going to be extended or not." "We think that that is one of the things that's contributing to loss of years, effectively."
China

US Issues Warning To Nvidia, Urging To Stop Redesigning Chips For China (fortune.com)

At the Reagan National Defense Forum in Simi Valley, California, on Saturday, US Commerce Secretary Gina Raimondo issued a cautionary statement to Nvidia, urging them to stop redesigning AI chips for China that maneuver around export restrictions. "We cannot let China get these chips. Period," she said. "We're going to deny them our most cutting-edge technology." Fortune reports: Raimondo said American companies will need to adapt to US national security priorities, including export controls that her department has placed on semiconductor exports. "I know there are CEOs of chip companies in this audience who were a little cranky with me when I did that because you're losing revenue," she said. "Such is life. Protecting our national security matters more than short-term revenue."

Raimondo called out Nvidia Corp., which designed chips specifically for the Chinese market after the US imposed its initial round of curbs in October 2022. "If you redesign a chip around a particular cut line that enables them to do AI, I'm going to control it the very next day," Raimondo said. Communication with China can help stabilize ties between the two countries, but "on matters of national security, we've got to be eyes wide open about the threat," she said. "This is the biggest threat we've ever had and we need to meet the moment," she said.
Further reading: Nvidia CEO Says US Will Take Years To Achieve Chip Independence
Transportation

Automakers' Data Privacy Practices 'Are Unacceptable,' Says US Senator (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: US Senator Edward Markey (D-Mass.) is one of the more technologically engaged of our elected lawmakers. And like many technologically engaged Ars Technica readers, he does not like what he sees in terms of automakers' approach to data privacy. On Friday, Sen. Markey wrote to 14 car companies with a variety of questions about data privacy policies, urging them to do better. As Ars reported in September, the Mozilla Foundation published a scathing report on the subject of data privacy and automakers. The problems were widespread -- most automakers collect too much personal data and are too eager to sell or share it with third parties, the foundation found.

Markey noted (PDF) the Mozilla Foundation report in his letters, which were sent to BMW, Ford, General Motors, Honda, Hyundai, Kia, Mazda, Mercedes-Benz, Nissan, Stellantis, Subaru, Tesla, Toyota, and Volkswagen. The senator is concerned about the large amounts of data that modern cars can collect, including the troubling potential to use biometric data (like the rate a driver blinks and breathes, as well as their pulse) to infer mood or mental health. Sen. Markey is also worried about automakers' use of Bluetooth, which he said has expanded "their surveillance to include information that has nothing to do with a vehicle's operation, such as data from smartphones that are wirelessly connected to the vehicle."
"These practices are unacceptable," Markey wrote. "Although certain data collection and sharing practices may have real benefits, consumers should not be subject to a massive data collection apparatus, with any disclosures hidden in pages-long privacy policies filled with legalese. Cars should not -- and cannot -- become yet another venue where privacy takes a backseat."

The 14 automakers have until December 21 to answer Markey's questions.
Security

Exposed Hugging Face API Tokens Offered Full Access To Meta's Llama 2 (theregister.com)

The API tokens of tech giants Meta, Microsoft, Google, VMware, and more have been found exposed on Hugging Face, opening them up to potential supply chain attacks. From a report: Researchers at Lasso Security found more than 1,500 exposed API tokens on the open source data science and machine learning platform -- which allowed them to gain access to 723 organizations' accounts. In the vast majority of cases (655), the exposed tokens had write permissions granting the ability to modify files in account repositories. A total of 77 organizations were exposed in this way, including Meta, EleutherAI, and BigScience Workshop -- which run the Llama, Pythia, and Bloom projects respectively.

The three companies were contacted by The Register for comment but Meta and BigScience Workshop did not respond at the time of publication, although all of them closed the holes shortly after being notified. Hugging Face is akin to GitHub for AI enthusiasts and hosts a plethora of major projects. More than 250,000 datasets are stored there and more than 500,000 AI models are too. The researchers say that if attackers had exploited the exposed API tokens, it could have led to them swiping data, poisoning training data, or stealing models altogether, impacting more than 1 million users.

Security

23andMe Confirms Hackers Stole Ancestry Data on 6.9 Million Users (techcrunch.com)

An anonymous reader shares a report: On Friday, genetic testing company 23andMe announced that hackers accessed the personal data of 0.1% of customers, or about 14,000 individuals. The company also said that by accessing those accounts, hackers were also able to access "a significant number of files containing profile information about other users' ancestry." But 23andMe would not say how many "other users" were impacted by the breach that the company initially disclosed in early October. As it turns out, there were a lot of "other users" who were victims of this data breach: 6.9 million affected individuals in total.

In an email sent to TechCrunch late on Saturday, 23andMe spokesperson Katie Watson confirmed that hackers accessed the personal information of about 5.5 million people who opted-in to 23andMe's DNA Relatives feature, which allows customers to automatically share some of their data with others. The stolen data included the person's name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported location.

Security

Gmail's AI-Powered Spam Detection Is Its Biggest Security Upgrade in Years (arstechnica.com)

The latest post on the Google Security blog details a new upgrade to Gmail's spam filters that Google is calling "one of the largest defense upgrades in recent years." ArsTechnica: The upgrade comes in the form of a new text classification system called RETVec (Resilient & Efficient Text Vectorizer). Google says this can help understand "adversarial text manipulations" -- these are emails full of special characters, emojis, typos, and other junk characters that previously were legible by humans but not easily understandable by machines. Previously, spam emails full of special characters made it through Gmail's defenses easily.

[...] The reason emails like this have been so difficult to classify is that, while any spam filter could probably swat down an email that says "Congratulations! A balance of $1000 is available for your jackpot account," that's not what this email actually says. A big portion of the letters here are "homoglyphs" -- by diving into the endless depths of the Unicode standard, you can find obscure characters that look like they're part of the normal Latin alphabet but actually aren't.
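As an added illustration of the homoglyph problem the article describes (this is not Google's RETVec and not code from the article), a small Python script that folds look-alike characters back to a Latin "skeleton" and flags words that mix scripts or hide zero-width characters. The confusables table is a constructed subset of Unicode's confusables list, and the spam line is constructed.

```python
"""Detect homoglyph-obfuscated text such as 'C\u043engratulations' (Cyrillic o).

Two complementary checks, neither of which is RETVec:
  1. NFKC normalisation folds fullwidth and other compatibility variants of
     Latin letters back to ASCII.
  2. A small confusables table (constructed subset of Unicode confusables.txt)
     maps Cyrillic/Greek look-alikes to the Latin letter they resemble.
Words whose skeleton differs from the raw word, or that mix scripts, are flagged.
"""
import unicodedata

# Constructed subset: non-Latin code points that render like Latin letters.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u2024": ".",  # ONE DOT LEADER
}

# Invisible characters often inserted to split keywords without changing rendering.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def skeleton(text):
    """Return a lowercase skeleton: NFKC fold, drop zero-width chars, map confusables."""
    folded = unicodedata.normalize("NFKC", text)
    out = [CONFUSABLES.get(ch, ch) for ch in folded if ch not in ZERO_WIDTH]
    return "".join(out).lower()


def scripts_in(word):
    """Approximate set of scripts in a word, taken from the first token of each
    letter's Unicode name ('LATIN', 'CYRILLIC', 'GREEK', 'FULLWIDTH', ...)."""
    scripts = set()
    for ch in word:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def suspicious_words(text):
    """Words that mix scripts or change under skeletonisation: likely obfuscation."""
    flagged = []
    for word in text.split():
        plain = unicodedata.normalize("NFC", word).lower()
        if len(scripts_in(word)) > 1 or skeleton(word) != plain:
            flagged.append(word)
    return flagged


# Constructed spam line: Cyrillic o/a substituted, plus a zero-width space in 'account'.
SAMPLE_SPAM = (
    "C\u043engratulations! A b\u0430lance of $1000 is available "
    "for your j\u0430ckp\u043et acc\u200bount"
)

if __name__ == "__main__":
    print("flagged:", suspicious_words(SAMPLE_SPAM))
    print("skeleton:", skeleton(SAMPLE_SPAM))
```

The skeleton is what a downstream classifier should see; the raw text is what the spammer wants it to see.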

Security

Sellafield Nuclear Site Hacked By Groups Linked To Russia and China (theguardian.com)

The UK's most hazardous nuclear site, Sellafield, has been hacked into by cyber groups closely linked to Russia and China, the Guardian can reveal. From the report: The astonishing disclosure and its potential effects have been consistently covered up by senior staff at the vast nuclear waste and decommissioning site, the investigation has found. The Guardian has discovered that the authorities do not know exactly when the IT systems were first compromised. But sources said breaches were first detected as far back as 2015, when experts realised sleeper malware -- software that can lurk and be used to spy or attack systems -- had been embedded in Sellafield's computer networks.

It is still not known if the malware has been eradicated. It may mean some of Sellafield's most sensitive activities, such as moving radioactive waste, monitoring for leaks of dangerous material and checking for fires, have been compromised. Sources suggest it is likely foreign hackers have accessed the highest echelons of confidential material at the site, which sprawls across 6 sq km (2 sq miles) on the Cumbrian coast and is one of the most hazardous in the world.

Security

Is There Really a Shortage of Information Security Workers? (medium.com)

What's behind a supposed shortage of cybersecurity workers? Last month cybersecurity professional Ben Rothke questioned whether a "shortage" even existed. Instead Rothke argued that human resources "needs to understand how to effectively hire information security professionals. Expecting an HR generalist to find information security specialists is a fruitless endeavor at best."

Rothke — a founding member of the Cloud Security Alliance — contacted Slashdot this week with "a follow-up piece" arguing there's another problem. "How can you know how many security jobs there are if there's no real statistical data available?" (Most articles on the topic cite the exact same two studies, which Rothke sees as "not statistically defendable.") Which begs the question — how many information security jobs are there? The short answer is that no one has a clue. The problem is that there is no statistically verifiable and empirically researched data on the number of current information security jobs and what the future holds. All data to date is based on surveys and extrapolations, which is a poor way to do meaningful statistical research... Based on LinkedIn job postings, veteran industry analyst Richard Stiennon found 15,849 job openings at 1,433 cybersecurity vendors. As to the millions of security jobs, he notes that the same could be extrapolated for office administrators. There are millions of companies, but it's not like they all will need full-time security people.

Helen Patton is a veteran information security professional and CISO at Cisco Security Business Group, and the author of Navigating the Cybersecurity Career Path. As to the security jobs crisis, she notes that there are plenty of talented and capable people looking for jobs, and feels there is, in fact, no crisis at all. Instead, she says part of the issue is hiring managers who don't truly stop to think about the skills required for a role, and how a candidate can demonstrate those skills. What they do is post jobs that ask for false proxies for experience — degrees, certifications, work experience — and as a consequence, they are looking for candidates that don't exist. She suggests that fixing the hiring process will go a lot further to close the skills gap than training a legion of new people.

Challenging this supposed glut of unfilled positions, Rothke also shares some recent stories from people who've recently looked for information security jobs. ("He tried to explain to the CIO that Agile was not an appropriate methodology for security projects unless they were primarily software-based. The CIO replied, 'oh the CIO at Chase would tell you differently.' Not realizing that most projects at the bank are software-based.") If you want to know how few information security jobs there really are — speak to people who have graduated from security bootcamps and master's degree programs, and they will tell you the challenges they are facing... That's not to say there are not lots of information security jobs. It's just that there are not the exaggerated and hyperbolic amounts that are reported.
Transportation

How the Concorde Plans Were Secretly Given To the Russians (msn.com)

Today is the 20th anniversary of the last flight of the supersonic Concorde aircraft. It was faster than the speed of sound, travelling at speeds of 1,350 mph (2,170 km/h).

Long-time Slashdot reader schwit1 shared an article from the Telegraph: As the space race raged and dominated headlines, the U.S. and the Soviet Union were equally competitive about being the first post-war superpower to create a commercial jetliner that could travel faster than the speed of sound. Both started work on secret projects, at the same time that Britain and France — who were less hell-bent on imprinting their superiority on geopolitics, but blessed with many of the world's finest engineering minds — were in pursuit of the same goal.

It has been known for decades that the three-horse race wasn't run entirely fairly. While the Americans, with their colossal and largely pointless Boeing 2707, never got close to getting airborne (they scrapped the project in 1971), the Soviet-built Tupolev Tu-144 won the race in 1968. When it did, though, its design similarities to Concorde appeared to confirm suspicions that the blueprints might have been leaked by espionage. In the late 1990s, it was revealed that an aeronautical engineer codenamed Agent Ace was one such spy. Recruited in 1967, he allegedly handed over some 90,000 pages of detailed technical specifications on new aircraft — including Concorde, the Super VC-10 and Lockheed L-1011 — to the KGB, the foreign intelligence and domestic security agency of the Soviet Union.

The identity of Agent Ace is revealed in Concorde: The Race for Supersonic, a new two-part documentary by the UK public broadcasting station Channel 4.

The Telegraph adds: With the rich benefit of hindsight, John Britton isn't entirely surprised there was a Soviet mole in the factory. It was a long time ago, 1965, but something — or someone — at Filton Aerodrome seemed fishy. "We had dozens, maybe hundreds of people working on the project, and we didn't have enough permanent staff so we took on contractors, all sorts of characters," Britton says. At the time he was a 19-year-old apprentice engineer, working for British Aeroplane Company (BAC) in the design office for a supersonic, passenger-carrying aircraft. An aircraft that would, ideally, fly before the Soviet Union's competing effort did.

"There was one chap working there... He used to stay behind, he'd do a lot of overtime in the drawing library, taking prints off the microfilms of designs..." Britton, who is now 76, initially assumed the man — he thinks his name was George — was merely conscientious and needed copies for his work. He can titter at the memory now. "It was only afterwards, when the Soviet aircraft came out and it looked remarkably like Concorde, when we thought... 'Ah'."

Robotics

Are CAPTCHAs More Than Just Annoying? (msn.com)

The Atlantic writes: Failing a CAPTCHA isn't just annoying — it keeps people from navigating the internet. Older people can take considerably more time to solve different kinds of CAPTCHAs, according to the UC Irvine researchers, and other research has found that the same is true for non-native English speakers. The annoyance can lead a significant chunk of users to just give up.
But is it all also just a big waste of time? The article notes there are now even CAPTCHA-solving services you can hire. ("2Captcha will solve a thousand CAPTCHAs for a dollar, using human workers paid as low as 50 cents an hour. Newer companies, such as Capsolver, claim to instead be using AI and charge roughly the same price.")

And they also write that this summer saw more discouraging news: In a recent study from researchers at UC Irvine and Microsoft:

- Most of the 1,400 human participants took 15 to 26 seconds to solve a CAPTCHA with a grid of images, with 81% accuracy.

- A bot tested in March 2020, meanwhile, was shown to solve similar puzzles in an average of 19.9 seconds, with 83% accuracy.

The article ultimately argues that for roughly 20 years, "CAPTCHAs have been engaged in an arms race against the machines," and that now "The burden is on CAPTCHAs to keep up" — which they're doing by evolving. The most popular type, Google's reCAPTCHA v3, should mostly be okay. It typically ascertains your humanity by monitoring your activity on websites before you even click the checkbox, comparing it with models of "organic human interaction," Jess Leroy, a senior director of product management at Google Cloud, the division that includes reCAPTCHA, told me.
But the automotive site Motor Biscuit speculates something else could also be happening. "Have you noticed it likes to ask about cars, buses, crosswalks, and other vehicle-related images lately?" Google has not confirmed that it uses the reCAPTCHA system for autonomous vehicles, but here are a few reasons why I think that could be the case. Self-driving cars from Waymo and other brands are improving every day, but the process requires a lot of critical technology and data to improve continuously.

According to an old Google Security Blog, using reCAPTCHA and Street View to make locations on Maps more accurate was happening way back in 2014... [I]t would ask users to find the street numbers found on Google Street View and confirm the numbers matched. Previously, it would use distorted text or letters. Using this data, Google could correlate the numbers with addresses and help pinpoint the location on Google Maps...

Medium reports that more than 60 million CAPTCHAs are being solved every day, which saves around 160,000 human hours of work. If these were helping locate addresses, why not also help identify other objects? Help differentiate a bus from a car and even choose a crosswalk over a light pole.

Thanks to Slashdot reader rikfarrow for suggesting the topic.
Electronic Frontier Foundation

EFF Proposes Addressing Online Harms with 'Privacy-First' Policies (eff.org)

Long-time Slashdot reader nmb3000 writes: The Electronic Frontier Foundation has published a new white paper, Privacy First: A Better Way to Address Online Harms, to propose an alternative to the "often ill-conceived bills written by state, federal, and international regulators to tackle a broad set of digital topics ranging from child safety to artificial intelligence." According to the EFF, "these scattershot proposals to correct online harm are often based on censorship and news cycles. Instead of this chaotic approach that rarely leads to the passage of good laws, we propose another solution."
The EFF writes:

What would this comprehensive privacy law look like? We believe it must include these components:

  • No online behavioral ads.
  • Data minimization.
  • Opt-in consent.
  • User rights to access, port, correct, and delete information.
  • No preemption of state laws.
  • Strong enforcement with a private right to action.
  • No pay-for-privacy schemes.
  • No deceptive design.

A strong comprehensive data privacy law promotes privacy, free expression, and security. It can also help protect children, support journalism, protect access to health care, foster digital justice, limit private data collection to train generative AI, limit foreign government surveillance, and strengthen competition. These are all issues on which lawmakers are actively pushing legislation—both good and bad.


Security

Rust Foundation Plans Training/Certification Program. Security Initiative Funded Through 2024 (rust-lang.org)

The Linux Foundation's own Open Source Security Foundation (OpenSSF) has an associated project called Alpha-Omega, funded by Microsoft, Google, and Amazon, with a mission to catalyze sustainable security improvements to critical open source projects and ecosystems.

It was established nearly two years ago in February of 2022 — and this month announced plans to continue supporting the Rust Foundation Security Initiative: 2022 was also the first full year of operation for the Rust Foundation — an independent nonprofit dedicated to stewarding the Rust programming language and supporting its global community. Given the considerable growth and rising popularity of the Rust programming language in recent years, it has never been more critical to have a healthy and well-funded foundation in place to help ensure the safety and security of this important language.

When the Rust Foundation emerged, OpenSSF recognized a shared vision of global open source security baked into their organizational priorities from day one. These shared security values were the driving force behind Alpha-Omega's decision to grant $460k USD to the Rust Foundation in 2022. This funding helped underwrite their Security Initiative — a program dedicated to improving the state of security within the Rust programming language ecosystem and sowing security best practices within the Rust community. The Security Initiative began in earnest this past January and has now been in operation for a full year with many achievements to note and exciting plans in development.

While security is a clear priority of the Rust language itself and can be seen in its memory safety-critical features, the Rust Project cannot reasonably be expected to foster long term, sustainable security without proper support and funding. Indeed, there is still a pervasive attitude across technology that cybersecurity is being managed and prioritized by "someone else." The unfortunate impact of this attitude is that critical security work often falls on overburdened and under-resourced open source maintainers. By prioritizing the Security Initiative during their first full year in operation, the Rust Foundation has taken on the responsibility of overseeing — and supporting — security improvements within the Rust ecosystem while ensuring meaningful progress...

Alpha-Omega is excited to announce our second year of supporting the Rust Foundation Security Initiative. We believe that this funding will build on the good work and momentum established by the Rust Foundation in 2023. Through this partnership, we are helping relieve maintainer burdens while paving an important path towards a healthier and more secure future within the Rust ecosystem.

Meanwhile, this month the Rust Foundation announced that downloads from Rust's package repository crates.io have now reached 45 billion — and that the foundation is "committed to facilitating the healthy growth of Rust through funding and resources for the community and the Project."

"After conducting initial planning and research and getting approval from our board of directors, we are pleased to announce our intention to help fulfill this commitment by developing a Rust Foundation training and certification program." We continue to be supportive of anyone creating Rust training and education materials. In fact, we are proud to have provided funding to a few individuals involved in this work via our Community Grants Program. Our team is also aware that commercial Rust training courses already exist and that global training entities are already developing their own Rust-focused programs. Given the value of Rust in professional open source, this makes sense. However, we are eager to introduce a program that will allow us to direct profits back into the Rust ecosystem.

As a nonprofit organization, we sit in a unique position thanks to the tools, connections, insights, administrative support, and resources at our disposal — all of which will add value to course material aimed at professional development and adoption. We see our forthcoming program as one tool of many that can be used to verify skills for prospective employers, and for those employers to build out their professional teams of Rust expertise. We will remain supportive of existing training programs offered by Rust Foundation member companies and we'll look for ways to ensure this remains the case as program development progresses... There is no set launch date for the Rust Foundation training and certification program yet, but we plan to continue laying high-quality groundwork in Q4 of 2023 and the first half of 2024.

AI

Amazon's Q Has 'Severe Hallucinations' and Leaks Confidential Data in Public Preview, Employees Warn (platformer.news)

Three days after Amazon announced its AI chatbot Q, some employees are sounding alarms about accuracy and privacy issues. From a report: Q is "experiencing severe hallucinations and leaking confidential data," including the location of AWS data centers, internal discount programs, and unreleased features, according to leaked documents obtained by Platformer. An employee marked the incident as "sev 2," meaning an incident bad enough to warrant paging engineers at night and making them work through the weekend to fix it.

[...] In a statement, Amazon played down the significance of the employee discussions. "Some employees are sharing feedback through internal channels and ticketing systems, which is standard practice at Amazon," a spokesperson said. "No security issue was identified as a result of that feedback. We appreciate all of the feedback we've already received and will continue to tune Q as it transitions from being a product in preview to being generally available."

OS X

Steam Drops macOS Mojave Support, Effectively Ending Life For Many 32-Bit Games (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Valve Software's Steam gaming marketplace and app will drop support for macOS 10.13 (High Sierra) and 10.14 (Mojave), according to a support page post. The change will go into effect on February 15, 2024. What will happen exactly? Valve writes: "After that date, existing Steam Client installations on these operating systems will no longer receive updates of any kind including security updates. Steam Support will be unable to offer users technical support for issues related to the old operating systems, and Steam will be unable to guarantee continued functionality of Steam on the unsupported operating system versions."

"The Steam store will stop considering games that offer only 32-bit macOS binaries to be Mac compatible at the end of 2023," Valve writes. The post also notes that fewer than two percent of current Mac users on Steam are running macOS 10.14 or earlier, so this only affects the small number who are holding on to those older versions that supported 32-bit apps. To be clear, lack of support for macOS 10.14 doesn't necessarily mean Steam won't run at all on machines running that OS. It just means Valve won't guarantee it'll work, and won't lift a finger to help if something breaks in the passage of time. It also means users who continue to use the older software could become vulnerable to security risks, disincentivizing continued use.

The Courts

US Judge Blocks Montana From Banning TikTok Use In State (reuters.com)

Montana's first-of-its-kind state ban on TikTok has been blocked by a U.S. judge, who said it "oversteps state power and infringes on the constitutional rights of users." Reuters reports: TikTok, which is owned by China's ByteDance, did not immediately comment Thursday. The company sued Montana in May, seeking to block the U.S. state ban on several grounds, arguing that it violates the First Amendment free speech rights of the company and users. TikTok users in Montana also filed suit to block the ban. TikTok said in a court filing it "has not shared, and would not share, U.S. user data with the Chinese government, and has taken substantial measures to protect the privacy and security of TikTok users."

Molloy, who was appointed to the bench by Democratic President Bill Clinton, found merit to numerous arguments raised by TikTok in his opinion. During an October hearing, Molloy questioned why no other state had followed Montana in banning TikTok and asked if the state was being "paternalistic" in arguing the ban was necessary to protect the data of TikTok users. Montana could have imposed fines of $10,000 for each violation by TikTok in the state but the law did not impose penalties on individual TikTok users.

Security

ownCloud Vulnerability With Maximum 10 Severity Score Comes Under 'Mass' Exploitation (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Security researchers are tracking what they say is the "mass exploitation" of a security vulnerability that makes it possible to take full control of servers running ownCloud, a widely used open source file-sharing server app. The vulnerability, which carries the maximum severity rating of 10, makes it possible to obtain passwords and cryptographic keys allowing administrative control of a vulnerable server by sending a simple Web request to a static URL, ownCloud officials warned last week. Within four days of the November 21 disclosure, researchers at security firm Greynoise said, they began observing "mass exploitation" in their honeypot servers, which masqueraded as vulnerable ownCloud servers to track attempts to exploit the vulnerability. The number of IP addresses sending the web requests has slowly risen since then. At the time this post went live on Ars, it had reached 13.

CVE-2023-49103 resides in versions 0.2.0 and 0.3.0 of graphapi, an app that runs in some ownCloud deployments, depending on the way they're configured. A third-party code library used by the app provides a URL that, when accessed, reveals configuration details from the PHP-based environment. In last week's disclosure, ownCloud officials said that in containerized configurations -- such as those using the Docker virtualization tool -- the URL can reveal data used to log in to the vulnerable server. The officials went on to warn that simply disabling the app in such cases wasn't sufficient to lock down a vulnerable server. [...]

To fix the ownCloud vulnerability under exploitation, ownCloud advised users to: "Delete the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. Additionally, we disabled the phpinfo function in our docker-containers. We will apply various hardenings in future core releases to mitigate similar vulnerabilities.

We also advise to change the following secrets:
- ownCloud admin password
- Mail server credentials
- Database credentials
- Object-Store/S3 access-key"
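An added Python check (not ownCloud's own tooling, and not from the advisory) that verifies the two machine-checkable steps of the remediation above on a given install: the vendored GetPhpInfo.php file is gone, and phpinfo is listed in PHP's disable_functions. The install root and php.ini text are supplied by the caller; the sample install below is constructed in a temporary directory. Rotating the listed secrets still has to be done by hand.

```python
"""Verify CVE-2023-49103 remediation steps on an ownCloud install (added example)."""
import os
import tempfile

# Path taken from the ownCloud advisory, relative to the ownCloud web root.
GETPHPINFO_REL = "apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"


def phpinfo_disabled(php_ini_text):
    """True if the php.ini body lists phpinfo in disable_functions.

    Mirrors php.ini semantics: ';' starts a comment and, when the directive
    appears several times, the last occurrence wins.
    """
    disabled = set()
    for raw in php_ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        key, _, value = line.partition("=")
        if key.strip() != "disable_functions":
            continue
        value = value.strip().strip('"')
        disabled = {fn.strip() for fn in value.split(",") if fn.strip()}
    return "phpinfo" in disabled


def check_install(root, php_ini_text):
    """Findings for one install: file removed?  phpinfo disabled?"""
    target = os.path.join(root, GETPHPINFO_REL)
    return {
        # Disabling the graphapi app is not enough (per the advisory); the file must be gone.
        "getphpinfo_removed": not os.path.exists(target),
        "phpinfo_disabled": phpinfo_disabled(php_ini_text),
    }


def remediated(root, php_ini_text):
    """True only when every checkable step has been applied."""
    return all(check_install(root, php_ini_text).values())


def build_sample_install(remove_file):
    """Constructed ownCloud-like tree in a temp dir; returns its root path."""
    root = tempfile.mkdtemp(prefix="owncloud-sample-")
    target = os.path.join(root, GETPHPINFO_REL)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    if not remove_file:
        with open(target, "w") as fh:
            fh.write("<?php // constructed placeholder standing in for the vendored file\n")
    return root


if __name__ == "__main__":
    unpatched = build_sample_install(remove_file=False)
    patched = build_sample_install(remove_file=True)
    print("unpatched:", check_install(unpatched, "disable_functions ="))
    print("patched:  ", check_install(patched, 'disable_functions = "phpinfo,exec"'))
```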

Google

Google Warns China Is Ramping Up Cyberattacks Against Taiwan (bloomberg.com)

China is waging a growing number of cyberattacks on neighboring Taiwan, according to cybersecurity experts at Alphabet's Google. From a report: Google has observed a "massive increase" in Chinese cyberattacks on Taiwan in the last six months or so, said Kate Morgan, a senior engineering manager in Google's threat analysis division, which monitors government-sponsored hacking campaigns. Morgan warned that Chinese hackers are employing tactics that make their work difficult to track, such as breaking into small home and office internet routers and repurposing them to wage attacks while masking their true origin.

"The number of groups in China that are performing hacking and trying to get into technology companies or get into cloud customers is huge," Morgan said. "I don't have the exact number, but it is probably over 100 groups that we are tracking just out of China alone." The hackers are going "after everything," including the defense sector, government and private industry on the island, she said. Google's findings come as concerns have grown over the prospect of a conflict in Taiwan. The relationship between the US -- Taiwan's top military backer -- and China has deteriorated in recent years over a wide range of issues including Taiwan, human rights and a race to dominate advanced technologies such as chips, quantum computing and artificial intelligence.

News

Henry Kissinger, American Diplomat and Nobel Winner, Dead at 100 (reuters.com) 155

Henry Kissinger, a diplomatic powerhouse whose roles as a national security adviser and secretary of state under two presidents left an indelible mark on U.S. foreign policy and earned him a controversial Nobel Peace Prize, died on Wednesday at age 100. From a report: Kissinger died at his home in Connecticut, according to a statement from his geopolitical consulting firm, Kissinger Associates. No mention was made of the circumstances. It said he would be interred at a private family service, to be followed at a later date by a public memorial service in New York City. Kissinger had been active past his centenary, attending meetings in the White House, publishing a book on leadership styles, and testifying before a Senate committee about the nuclear threat posed by North Korea. In July 2023 he made a surprise visit to Beijing to meet Chinese President Xi Jinping.

During the 1970s in the midst of the Cold War, he had a hand in many of the epoch-changing global events of the decade while serving as national security adviser and secretary of state under Republican President Richard Nixon. The German-born Jewish refugee's efforts led to the U.S. diplomatic opening with China, landmark U.S.-Soviet arms control talks, expanded ties between Israel and its Arab neighbors, and the Paris Peace Accords with North Vietnam. Kissinger's reign as the prime architect of U.S. foreign policy waned with Nixon's resignation in 1974 amid the Watergate scandal. Still, he continued to be a diplomatic force as secretary of state under Nixon's successor, President Gerald Ford, and to offer strong opinions throughout the rest of his life.

While many hailed Kissinger for his brilliance and broad experience, others branded him a war criminal for his support for anti-communist dictatorships, especially in Latin America. In his latter years, his travels were circumscribed by efforts by other nations to arrest or question him about past U.S. foreign policy. His 1973 Peace Prize - awarded jointly to North Vietnam's Le Duc Tho, who would decline it - was one of the most controversial ever. Two members of the Nobel committee resigned over the selection as questions arose about the secret U.S. bombing of Cambodia.
Further reading: Henry Kissinger, War Criminal Beloved by America's Ruling Class, Finally Dies.

Privacy

Dollar Tree Hit By Third-Party Data Breach Impacting 2 Million People (bleepingcomputer.com) 16

Dollar Tree was impacted by a third-party data breach stemming from the hack of service provider Zeroed-In Technologies. According to Bleeping Computer, nearly two million customers have been affected. "The information stolen during the attack includes names, dates of birth, and Social Security numbers (SSNs)." From the report: According to a data breach notification shared with the Maine Attorney General, Dollar Tree's service provider, Zeroed-In, suffered a security incident between August 7 and 8, 2023. As part of this cyberattack, the threat actors managed to steal data containing the personal information of Dollar Tree and Family Dollar employees. "While the investigation was able to determine that these systems were accessed, it was not able to confirm all of the specific files that were accessed or taken by the unauthorized actor," reads the letter sent to affected individuals. "Therefore, Zeroed-In conducted a review of the contents of the systems to determine what information was present at the time of the incident and to whom the information relates."

The information stolen during the attack includes names, dates of birth, and Social Security numbers (SSNs). Zeroed-In has notified the affected individuals and enclosed instructions on enrolling in a twelve-month identity protection and credit monitoring service. Other Zeroed-In customers apart from Dollar Tree and Family Dollar may have also been impacted by the security breach, but this hasn't been confirmed yet. Meanwhile, the scale of the data breach has already triggered investigations from law firms looking into a potential class-action lawsuit against Zeroed-In.

China

'Global Science is Splintering Into Two - And This is Becoming a Problem' 168

The United States and China are pursuing parallel scientific tracks. To solve crises on multiple fronts, the two roads need to become one, Nature's editorial board wrote Wednesday. From the post: It's no secret that research collaborations between China and the United States -- among other Western countries -- are on a downward trajectory. Early indicators of a possible downturn have been confirmed by more sources. A report from Japan's Ministry of Education, Culture, Sports, Science and Technology, published in August, for instance, stated that the number of research articles co-authored by scientists in the two countries had fallen in 2021, the first annual drop since 1993. Meanwhile, data from Nature Index show that China-based scientists' propensity to collaborate internationally has been waning, when looking at the authorship of papers in the Index's natural-science journals.

Nature reported last month that China's decoupling from the countries loosely described as the West mirrors its strengthening of science links with low- and middle-income countries (LMICs), as part of its Belt and Road Initiative. There are many good reasons for China to be boosting science in LMICs, which could sorely do with greater research funding and capacity building. But this is also creating parallel scientific systems -- one centred on North America and Europe, and the other on China. The biggest challenges faced by humanity, from combating climate change to ending poverty, are embodied in a globally agreed set of targets, the United Nations Sustainable Development Goals (SDGs).

Approaching them without shared knowledge can only slow down progress by creating competing systems for advancing and implementing solutions. It's a scenario that the research community must be more aware of and work to avoid. Nature Index offers some reasons as to why collaboration between China and the West is declining. Travel restrictions during the COVID-19 pandemic took their toll, limiting collaborations and barring new ones from being forged. Geopolitical tensions have led many Western governments to restrict their research partnerships with China, on national-security grounds, and vice versa.
