Jessica Lyons reports via The Register: The FCC appears to finally be stepping up efforts to secure decades-old flaws in American telephone networks that are allegedly being used by foreign governments and surveillance outfits to remotely spy on and monitor wireless devices. At issue are the Signaling System Number 7 (SS7) and Diameter protocols, which are used by fixed and mobile network operators to enable interconnection between networks. They are part of the glue that holds today's telecommunications together. According to the US watchdog and some lawmakers, both protocols include security weaknesses that leave folks vulnerable to unwanted snooping. SS7's problems have been known about for years and years, as far back as at least 2008, and we wrote about them in 2010 and 2014, for instance. Little has been done to address these exploitable shortcomings.

SS7, which was developed in the mid-1970s, can be potentially abused to track people's phones' locations; redirect calls and text messages so that info can be intercepted; and spy on users. The Diameter protocol was developed in the late-1990s and includes support for network access and IP mobility in local and roaming calls and messages. It does not, however, encrypt originating IP addresses during transport, which makes it easier for miscreants to carry out network spoofing attacks. "As coverage expands, and more networks and participants are introduced, the opportunity for a bad actor to exploit SS7 and Diameter has increased," according to the FCC [PDF].

On March 27 the commission asked telecommunications providers to weigh in and detail what they are doing to prevent SS7 and Diameter vulnerabilities from being misused to track consumers' locations. The FCC has also asked carriers to detail any exploits of the protocols since 2018. The regulator wants to know the date(s) of the incident(s), what happened, which vulnerabilities were exploited and with which techniques, where the location tracking occurred, and -- if known -- the attacker's identity. This time frame is significant because in 2018, the Communications Security, Reliability, and Interoperability Council (CSRIC), a federal advisory committee to the FCC, issued several security best practices to prevent network intrusions and unauthorized location tracking. Interested parties have until April 26 to submit comments, and then the FCC has a month to respond.

An anonymous reader shares a report: The Federal Communications Commission has scheduled an April 25 vote to restore net neutrality rules similar to the ones introduced during the Obama era and repealed under former President Trump. The text of the pending net neutrality order wasn't released today. The FCC press release said it will prohibit broadband providers "from blocking, slowing down, or creating pay-to-play Internet fast lanes" and "bring back a national standard for broadband reliability, security, and consumer protection."

[...] Numerous consumer advocacy groups praised the FCC for its plan today. Lobby groups representing Internet providers expressed their displeasure. While there hasn't been a national standard since then-Chairman Ajit Pai led a repeal in 2017, Internet service providers still have to follow net neutrality rules because California and other states impose their own similar regulations. The broadband industry's attempts to overturn the state net neutrality laws were rejected in court.

Although ISPs seem to have been able to comply with the state laws, they argue that the federal standard will hurt their businesses and consumers. "Reimposing heavy-handed regulation will not just hobble network investment and innovation, it will also seriously jeopardize our nation's collective efforts to build and sustain reliable broadband in rural and unserved communities," cable lobbyist Michael Powell said today. Powell, the CEO of cable lobby group NCTA-The Internet & Television Association, was the FCC chairman under President George W. Bush. Powell said the FCC must "reverse course to avoid years of litigation and uncertainty" in a reference to the inevitable lawsuits that industry groups will file against the agency.

Microsoft announced an extended support program for Windows 10 last year that would allow users to pay for continued security updates beyond the October 2025 end of support date. Today, the company has unveiled the pricing structure for that program, which starts at $61 per device, and doubles every year for three years. Windows Central: Security updates on Windows are important, as they keep you protected from any vulnerabilities that are discovered in the OS. Microsoft releases a security update for Windows 10 once a month, but that will stop when October 2025 rolls around. Users still on Windows 10 after that date will officially be out of support, unless you pay.

The extended support program for Windows 10 will let users pay for three years of additional security updates. This is handy for businesses and enterprise customers who aren't yet ready to upgrade their fleet of employee laptops and computers to Windows 11. For the first time, Microsoft is also allowing individual users at home to join the extended support program, which will let anyone running Windows 10 pay for extended updates beyond October 2025 for three years. The price is $61 per device, but that price doubles every year for three years. That means the second year will cost you $122 per device, and the third year will cost $244 per device.

An anonymous reader shares a report: Google offers a VPN via its "Google One" monthly subscription plan, and while it debuted on phones, a desktop app has been available for Windows and Mac OS for over a year now. Since a lot of people pay for Google One for the cloud storage increase for their Google accounts, you might be tempted to try the VPN on a desktop, but Windows users testing out the app haven't seemed too happy lately. An open bug report on Google's GitHub for the project says the Windows app "breaks" the Windows DNS, and this has been ongoing since at least November.

A VPN would naturally route all your traffic through a secure tunnel, but you've still got to do DNS lookups somewhere. A lot of VPN services also come with a DNS service, and Google is no different. The problem is that Google's VPN app changes the Windows DNS settings of all network adapters to always use Google's DNS, whether the VPN is on or off. Even if you change them, Google's program will change them back. Most VPN apps don't work this way, and even Google's Mac VPN program doesn't work this way. The users in the thread (and the ones emailing us) expect the app, at minimum, to use the original Windows settings when the VPN is off. Since running a VPN is often about privacy and security, users want to be able to change the DNS away from Google even when the VPN is running.

quonset shares a report: In a scathing indictment of Microsoft corporate security and transparency, a Biden administration-appointed review board issued a report Tuesday saying "a cascade of errors" by the tech giant let state-backed Chinese cyber operators break into email accounts of senior U.S. officials including Commerce Secretary Gina Raimondo.

The Cyber Safety Review Board, created in 2021 by executive order, describes shoddy cybersecurity practices, a lax corporate culture and a lack of sincerity about the company's knowledge of the targeted breach, which affected multiple U.S. agencies that deal with China. It concluded that "Microsoft's security culture was inadequate and requires an overhaul" given the company's ubiquity and critical role in the global technology ecosystem. Microsoft products "underpin essential services that support national security, the foundations of our economy, and public health and safety."

The panel said the intrusion, discovered in June by the State Department and dating to May "was preventable and should never have occurred," blaming its success on "a cascade of avoidable errors." What's more, the board said, Microsoft still doesn't know how the hackers got in. [...] It said Microsoft's CEO and board should institute "rapid cultural change" including publicly sharing "a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products."

An anonymous reader quotes a report from Ars Technica: Jackson County, Missouri, has declared a state of emergency and closed key offices indefinitely as it responds to what officials believe is a ransomware attack that has made some of its IT systems inoperable. "Jackson County has identified significant disruptions within its IT systems, potentially attributable to a ransomware attack," officials wrote Tuesday. "Early indications suggest operational inconsistencies across its digital infrastructure and certain systems have been rendered inoperative while others continue to function as normal."

The systems confirmed inoperable include tax and online property payments, issuance of marriage licenses, and inmate searches. In response, the Assessment, Collection and Recorder of Deeds offices at all county locations are closed until further notice. The closure occurred the same day that the county was holding a special election to vote on a proposed sales tax to fund a stadium for MLB's Kansas City Royals and the NFL's Kansas City Chiefs. Neither the Jackson County Board of Elections nor the Kansas City Board of Elections have been affected by the attack; both remain open.

The Jackson County website says there are 654,000 residents in the 607-square-mile county, which includes most of Kansas City, the biggest city in Missouri. The response to the attack and the investigation into it have just begun, but so far, officials said they had no evidence that data had been compromised. Jackson County Executive Frank White, Jr. has issued (PDF) an executive order declaring a state of emergency. The County has notified law enforcement and retained IT security contractors to help investigate and remediate the attack. "The potential significant budgetary impact of this incident may require appropriations from the County's emergency fund and, if these funds are found to be insufficient, the enactment of additional budgetary adjustments or cuts," White wrote. "It is directed that all county staff are to take whatever steps are necessary to protect resident data, county assets, and continue essential services, thereby mitigating the impact of this potential ransomware attack."

The UK and US have signed a landmark deal to work together on testing advanced artificial intelligence (AI) and develop "robust" safety methods for AI tools and their underlying systems. "It is the first bilateral agreement of its kind," reports the BBC. From the report: UK tech minister Michelle Donelan said it is "the defining technology challenge of our generation." "We have always been clear that ensuring the safe development of AI is a shared global issue," she said. "Only by working together can we address the technology's risks head on and harness its enormous potential to help us all live easier and healthier lives."

The secretary of state for science, innovation and technology added that the agreement builds upon commitments made at the AI Safety Summit held in Bletchley Park in November 2023. The event, attended by AI bosses including OpenAI's Sam Altman, Google DeepMind's Demis Hassabis and tech billionaire Elon Musk, saw both the UK and US create AI Safety Institutes which aim to evaluate open and closed-source AI systems. [...]

Gina Raimondo, the US commerce secretary, said the agreement will give the governments a better understanding of AI systems, which will allow them to give better guidance. "It will accelerate both of our Institutes' work across the full spectrum of risks, whether to our national security or to our broader society," she said. "Our partnership makes clear that we aren't running away from these concerns - we're running at them."

Bill Toulas reports via BleepingComputer: Firmware security firm Binarly has released a free online scanner to detect Linux executables impacted by the XZ Utils supply chain attack, tracked as CVE-2024-3094. CVE-2024-3094 is a supply chain compromise in XZ Utils, a set of data compression tools and libraries used in many major Linux distributions. Late last month, Microsoft engineer Andres Freud discovered the backdoor in the latest version of the XZ Utils package while investigating unusually slow SSH logins on Debian Sid, a rolling release of the Linux distribution.

The backdoor was introduced by a pseudonymous contributor to XZ version 5.6.0, which remained present in 5.6.1. However, only a few Linux distributions and versions following a "bleeding edge" upgrading approach were impacted, with most using an earlier, safe library version. Following the discovery of the backdoor, a detection and remediation effort was started, with CISA proposing downgrading the XZ Utils 5.4.6 Stable and hunting for and reporting any malicious activity.

Binarly says the approach taken so far in the threat mitigation efforts relies on simple checks such as byte string matching, file hash blocklisting, and YARA rules, which could lead to false positives. This approach can trigger significant alert fatigue and doesn't help detect similar backdoors on other projects. To address this problem, Binarly developed a dedicated scanner that would work for the particular library and any file carrying the same backdoor. [...] Binarly's scanner increases detection as it scans for various supply chain points beyond just the XZ Utils project, and the results are of much higher confidence. Binarly has made a free API available to accomodate bulk scans, too.

A nearly two-pound piece of trash from the International Space Station may have hit a house in Florida. Alejandro Otero said it "tore through the roof and both floors of his two-story house in Naples, Florida," reports Ars Technica. "Otero wasn't home at the time, but his son was there." From the report: A Nest home security camera captured the sound of the crash at 2:34 pm local time (19:34 UTC) on March 8. That's an important piece of information because it is a close match for the time -- 2:29 pm EST (19:29 UTC) -- that US Space Command recorded the reentry of a piece of space debris from the space station. At that time, the object was on a path over the Gulf of Mexico, heading toward southwest Florida. This space junk consisted of depleted batteries from the ISS, attached to a cargo pallet that was originally supposed to come back to Earth in a controlled manner. But a series of delays meant this cargo pallet missed its ride back to Earth, so NASA jettisoned the batteries from the space station in 2021 to head for an unguided reentry.

Otero's likely encounter with space debris was first reported by WINK News, the CBS affiliate for southwest Florida. Since then, NASA has recovered the debris from the homeowner, according to Josh Finch, an agency spokesperson. Engineers at NASA's Kennedy Space Center will analyze the object "as soon as possible to determine its origin," Finch told Ars. "More information will be available once the analysis is complete." [...] In a post on X, Otero said he is waiting for communication from "the responsible agencies" to resolve the cost of damages to his home.

If the object is owned by NASA, Otero or his insurance company could make a claim against the federal government under the Federal Tort Claims Act, according to Michelle Hanlon, executive director of the Center for Air and Space Law at the University of Mississippi. "It gets more interesting if this material is discovered to be not originally from the United States," she told Ars. "If it is a human-made space object which was launched into space by another country, which caused damage on Earth, that country would be absolutely liable to the homeowner for the damage caused." This could be an issue in this case. The batteries were owned by NASA, but they were attached to a pallet structure launched by Japan's space agency.

An anonymous reader shares a report: Echoing the past two years of Rust evangelism and C/C++ ennui, Google reports that Rust shines in production, to the point that its developers are twice as productive using the language compared to C++. Speaking at the Rust Nation UK Conference in London this week, Lars Bergstrom, director of engineering at Google, who works on Android Platform Tools & Libraries, described the web titan's experience migrating projects written in Go or C++ to the Rust programming language.

Bergstrom said that while Dropbox in 2016 and Figma in 2018 offered early accounts of rewriting code in memory-safe Rust - and doubts about productivity and the language have subsided - concerns have lingered about its reliability and security. "Even six months ago, this was a really tough conversation," he said. "I would go and I would talk to people and they would say, 'Wait, wait you have an `unsafe` keyword. That means we should all write C++ until the heat death of the Universe.'"

But there's been a shift in awareness across the software development ecosystem, Bergstrom argued, about the challenges of using non-memory safe languages. Such messaging is now coming from government authorities in the US and other nations who understand the role software plays in critical infrastructure. The reason is that the majority of security vulnerabilities in large codebases can be traced to memory security bugs. And since Rust code can largely if not totally avoid such problems when properly implemented, memory safety now looks a lot like a national security issue.

An anonymous reader quotes a report from Android Police, written by Dhruv Bhutani: As someone who is an early adopter of all things smart and has invested a significant amount of money in building a fancy smart home, it saddens me to say that I feel cheated by the thousands of dollars I've spent on smart devices. And it's not a one-off. Amazon's recent move to block off local ADB connections on Fire TV devices is the latest example in a long line of grievances. A brand busy wrestling away control from the consumer after they've bought the product, the software update gimps a feature that has been present on the hardware ever since it launched back in 2014. ADB-based commands let users take deep control of the hardware, and in the case of the Fire TV hardware, it can drastically improve the user experience. [...] A few years ago, I decided to invest in the NVIDIA Shield. The premium streamer was marketed as a utopia for streaming online and offline sources with the ability to plug in hard drives, connect to NAS drives, and more. At launch, it did precisely that while presenting a beautiful, clean interface that was a joy to interact with. However, subsequent updates have converted what was otherwise a clean and elegant solution to an ad-infested overlay that I zoom past to jump into my streaming app of choice. This problem isn't restricted to just the Shield. Even my Google TV running Chromecast has a home screen that's more of an advertising space for Google than an easy way to get to my content.

But why stop at streaming boxes? Google's Nest Hubs are equal victims of feature deterioration. I've spent hundreds of dollars on Nest Hubs and outfitted them in most of my rooms and washrooms. However, Google's consistent degradation of the user experience means I use these speakers for little more than casting music from the Spotify app. The voice recognition barely works on the best of days, and when it does, the answers tend to be wildly inconsistent. It wasn't always the case. In fact, at launch, Google's Nest speakers were some of the best smart home interfaces you could buy. You'd imagine that the experience would only improve from there. That's decidedly not the case. I had high hopes that the Fuchsia update would fix the broken command detection, but that's also not the case. And good luck to you if you decided to invest in Google Assistant-compatible displays. Google's announcement that it would no longer issue software or security updates to third-party displays like the excellent Lenovo Smart Display, right after killing the built-in web browser, is pretty wild. It boggles my mind that a company can get away with such behavior.

Now imagine the plight of Nest Secure owners. A home security system isn't something one expects to switch out for many many years. And yet, Google decided to kill the Nest Secure home monitoring solution merely three years after launching the product range. While I made an initial investment in the Nest ecosystem, I've since switched over to a completely local solution that is entirely under my control, stores data locally, and won't be going out of action because of bad decision-making by another company. "It's clear to me that smart home devices, as they stand, are proving to be very poor investments for consumers," Bhutani writes in closing. "Suffice it to say that I've paused any future investments in smart devices, and I'll be taking a long and hard look at a company's treatment of its current portfolio before splurging out more cash. I'd recommend you do the same."

Personal data from 73 million AT&T customers has leaked onto the dark web, reports CNN — both current and former customers.

AT&T has launched an investigation into the source of the data leak... In a news release Saturday morning, the telecommunications giant said the data was "released on the dark web approximately two weeks ago," and contains information such as account holders' Social Security numbers. ["The information varied by customer and account," AT&T said in a statement, " but may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and passcode."]

"It is not yet known whether the data ... originated from AT&T or one of its vendors," the company added. "Currently, AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set."

The data seems to have been from 2019 or earlier. The leak does not appear to contain financial information or specifics about call history, according to AT&T. The company said the leak shows approximately 7.6 million current account holders and 65.4 million former account holders were affected.
CNN says the first reports of the leak came two weeks ago from a social media account claiming "the largest collection of malware source code, samples, and papers. Reached for a comment by CNN, AT&T had said at the time that "We have no indications of a compromise of our systems."

AT&T's web site now includes a special page with an FAQ — and the tagline that announces "We take cybersecurity very seriously..."

"It has come to our attention that a number of AT&T passcodes have been compromised..."

The page points out that AT&T has already reset the passcodes of "all 7.6 million impacted customers." It's only further down in the FAQ that they acknowledge that the breach "appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and 65.4 million former account holders." Our internal teams are working with external cybersecurity experts to analyze the situation... We encourage customers to remain vigilant by monitoring account activity and credit reports. You can set up free fraud alerts from nationwide credit bureaus — Equifax, Experian, and TransUnion. You can also request and review your free credit report at any time via Freecreditreport.com...

We will reach out by mail or email to individuals with compromised sensitive personal information and offering complimentary identity theft and credit monitoring services... If your information was impacted, you will be receiving an email or letter from us explaining the incident, what information was compromised, and what we are doing for you in response.

404 Media claims to have identified "the fundamental flaw with the age verification bills and laws" that have already passed in eight state legislatures (with two more taking effect in July): "the delusional, unfounded belief that putting hurdles between people and pornography is going to actually prevent them from viewing porn."

They argue that age verification laws "drag us back to the dark ages of the internet." Slashdot reader samleecole shared this excerpt: What will happen, and is already happening, is that people — including minors — will go to unmoderated, actively harmful alternatives that don't require handing over a government-issued ID to see people have sex. Meanwhile, performers and companies that are trying to do the right thing will suffer....

The legislators passing these bills are doing so under the guise of protecting children, but what's actually happening is a widespread rewiring of the scaffolding of the internet. They ignore long-established legal precedent that has said for years that age verification is unconstitutional, eventually and inevitably reducing everything we see online without impossible privacy hurdles and compromises to that which is not "harmful to minors." The people who live in these states, including the minors the law is allegedly trying to protect, are worse off because of it. So is the rest of the internet.
Yet new legislation is advancing in Kentucky and Nebraska, while the state of Kansas just passed a law which even requires age-verification for viewing "acts of homosexuality," according to a report: Websites can be fined up to $10,000 for each instance a minor accesses their content, and parents are allowed to sue for damages of at least $50,000. This means that the state can "require age verification to access LGBTQ content," according to attorney Alejandra Caraballo, who said on Threads that "Kansas residents may soon need their state IDs" to access material that simply "depicts LGBTQ people."
One newspaper opinion piece argues there's an easier solution: don't buy your children a smartphone: Or we could purchase any of the various software packages that block social media and obscene content from their devices. Or we could allow them to use social media, but limit their screen time. Or we could educate them about the issues that social media causes and simply trust them to make good choices. All of these options would have been denied to us if we lived in a state that passed a strict age verification law. Not only do age verification laws reduce parental freedom, but they also create myriad privacy risks. Requiring platforms to collect government IDs and face scans opens the door to potential exploitation by hackers and enemy governments. The very information intended to protect children could end up in the wrong hands, compromising the privacy and security of millions of users...

Ultimately, age verification laws are a misguided attempt to address the complex issue of underage social media use. Instead of placing undue burdens on users and limiting parental liberty, lawmakers should look for alternative strategies that respect privacy rights while promoting online safety.
This week a trade association for the adult entertainment industry announced plans to petition America's Supreme Court to intervene.

This week every U.S. agency was ordered to appoint a "chief AI officer".

But that wasn't the only AI policy announced. According to CNN, "By the end of the year, travelers should be able to refuse facial recognition scans at airport security screenings without fear it could delay or jeopardize their travel plans." That's just one of the concrete safeguards governing artificial intelligence that the Biden administration says it's rolling out across the U.S. government, in a key first step toward preventing government abuse of AI. The move could also indirectly regulate the AI industry using the government's own substantial purchasing power... The mandates aim to cover situations ranging from screenings by the Transportation Security Administration to decisions by other agencies affecting Americans' health care, employment and housing. Under the requirements taking effect on December 1, agencies using AI tools will have to verify they do not endanger the rights and safety of the American people. In addition, each agency will have to publish online a complete list of the AI systems it uses and their reasons for using them, along with a risk assessment of those systems...

[B]ecause the government is such a large purchaser of commercial technology, its policies around procurement and use of AI are expected to have a powerful influence on the private sector.
CNN notes that Vice President Harris told reporters that the administration intends for the policies to serve as a global model. "Meanwhile, the European Union this month gave final approval to a first-of-its-kind artificial intelligence law, once again leapfrogging the United States on regulating a critical and disruptive technology."

CNN adds that last year, "the White House announced voluntary commitments by leading AI companies to subject their models to outside safety testing."

"Several big businesses have published source code that incorporates a software package previously hallucinated by generative AI," the Register reported Thursday

"Not only that but someone, having spotted this reoccurring hallucination, had turned that made-up dependency into a real one, which was subsequently downloaded and installed thousands of times by developers as a result of the AI's bad advice, we've learned." If the package was laced with actual malware, rather than being a benign test, the results could have been disastrous.

According to Bar Lanyado, security researcher at Lasso Security, one of the businesses fooled by AI into incorporating the package is Alibaba, which at the time of writing still includes a pip command to download the Python package huggingface-cli in its GraphTranslator installation instructions. There is a legit huggingface-cli, installed using pip install -U "huggingface_hub[cli]". But the huggingface-cli distributed via the Python Package Index (PyPI) and required by Alibaba's GraphTranslator — installed using pip install huggingface-cli — is fake, imagined by AI and turned real by Lanyado as an experiment.

He created huggingface-cli in December after seeing it repeatedly hallucinated by generative AI; by February this year, Alibaba was referring to it in GraphTranslator's README instructions rather than the real Hugging Face CLI tool... huggingface-cli received more than 15,000 authentic downloads in the three months it has been available... "In addition, we conducted a search on GitHub to determine whether this package was utilized within other companies' repositories," Lanyado said in the write-up for his experiment. "Our findings revealed that several large companies either use or recommend this package in their repositories...."

Lanyado also said that there was a Hugging Face-owned project that incorporated the fake huggingface-cli, but that was removed after he alerted the biz.
"With GPT-4, 24.2 percent of question responses produced hallucinated packages, of which 19.6 percent were repetitive, according to Lanyado..."

Thanks to long-time Slashdot reader schneidafunk for sharing the article.

America's Department of Homeland Security "is expected to stop buying access to data showing the movement of phones," reports the U.S. news site NOTUS.

They call the purchasers "a controversial practice that has allowed it to warrantlessly track hundreds of millions of people for years." Since 2018, agencies within the department — including Immigration and Customs Enforcement, U.S. Customs and Border Protection and the U.S. Secret Service — have been buying access to commercially available data that revealed the movement patterns of devices, many inside the United States. Commercially available phone data can be bought and searched without judicial oversight.

Three people familiar with the matter said the Department of Homeland Security isn't expected to buy access to more of this data, nor will the agency make any additional funding available to buy access to this data. The agency "paused" this practice after a 2023 DHS watchdog report [which had recommended they draw up better privacy controls and policies]. However, the department instead appears to be winding down the use of the data...

"The information that is available commercially would kind of knock your socks off," said former top CIA official Michael Morell on a podcast last year. "If we collected it using traditional intelligence methods, it would be top-secret sensitive. And you wouldn't put it in a database, you'd keep it in a safe...." DHS' internal watchdog opened an investigation after a bipartisan outcry from lawmakers and civil society groups about warrantless tracking...
"Meanwhile, U.S. spy agencies are fighting to preserve the same capability as part of the renewal of surveillance authorities," the article adds.

"A bipartisan coalition of lawmakers, led by Democratic Sen. Ron Wyden in the Senate and Republican Rep. Warren Davidson in the House, is pushing to ban U.S. government agencies from buying data on Americans."

"If you want to see what the cutting edge of next-gen clean energy innovation looks like, it'd be hard to find a place better than Texas," Bill Gates wrote recently on his blog," saying "amazing companies" are breaking ground across the state. "Each one represents a huge boon for the local economy, America's energy security, and the fight against climate change." The world is undergoing an energy transition right now, fueled by the development and deployment of new clean energy technologies. The pace of innovation at the heart of this transition is happening faster than many people (including me!) dared hope. The progress makes me optimistic about the future — and excited about the role that American communities will play, especially in places like Texas.

Breakthrough Energy and I have invested more than $130 million into Texas-based entrepreneurs, institutions, and projects. It's a big bet, but it's one I'm confident in. Why? Because of the people. Nearly half a million Texans work in the oil and gas industry, and their skills are directly transferrable to next-generation industries. This workforce will help form the backbone of the world's new clean energy economy, and it will cement Texas's energy leadership for generations to come.

Many of the companies I'm seeing on this trip already employ or plan to employ oil and gas workers. One of those companies is Infinium, which is working on next-generation clean fuels for trucks, ships, and even planes. I'm visiting their first demonstration plant in Corpus Christi, where they're turning waste CO2 and renewable energy into electrofuels — or eFuels — for trucks. They've already signed a deal with Amazon, and sometime soon, if you live in the area, you might get a delivery supported by Infinium eDiesel. The key to Infinium's approach is that their fuels can be dropped into existing engines... I'm especially excited about the work they're doing on sustainable aviation fuel, or SAF — which could reduce emissions from air travel by as much as 90 percent, according to company estimates. Infinium is in the process of converting an old gas-to-liquid plant in West Texas into a new facility that will increase the company's capacity for producing eFuels ten-fold. Breakthrough Energy's Catalyst program has invested in this first-of-its-kind plant, and I can't wait to see it when it's done.

Another company I'll see is Mars Materials. They're a Breakthrough Energy Fellows project working on a different way to reuse CO2. The company is developing a clever technique for turning captured carbon into one of the key components in carbon fiber, an ultra-light, ultra-strong material that is used in everything from clothing to car frames... The Mars Materials team relocated from California to Texas in part because of the skilled oil and gas talent that they could access in the state, and they aren't the first Breakthrough Energy company to do that. I'm going to check out their lab, where their scientists are hard at work optimizing the conversion process.
Both companies assume abundant CO2, Gates writes, but "fortunately for them, Texas is also in the process of becoming a capital for direct air capture... A recent study found that Texas has the greatest DAC deployment potential in the country and could create as many as 400,000 jobs by 2050." Already a direct air capture "hub" in Kingsville, Texas is expected to create 2,500 jobs over the next five years, while Houston has been selected as the site for one of America's seven Regional Clean Hydrogen Hubs.

"If you want to catch a glimpse of our country's clean energy future," Gates writes, "you should head on down to the Lone Star State."

The Record reports: Ross Anderson, a professor of security engineering at the University of Cambridge who is widely recognized for his contributions to computing, passed away at home on Thursday according to friends and colleagues who have been in touch with his family and the University.

Anderson, who also taught at Edinburgh University, was one of the most respected academic engineers and computer scientists of his generation. His research included machine learning, cryptographic protocols, hardware reverse engineering and breaking ciphers, among other topics. His public achievements include, but are by no means limited to, being awarded the British Computer Society's Lovelace Medal in 2015, and publishing several editions of the Security Engineering textbook.
Anderson's security research made headlines throughout his career, with his name appearing in over a dozen Slashdot stories...

• 2023: Researchers Warn of 'Model Collapse' As AI Trains On AI-Generated Content

• 2021: 'Trojan Source' Bug Threatens the Security of All Code

• 2015: Factory Reset On Millions of Android Devices Doesn't Wipe Storage

• 2012: UK Web Snooping Plan Invades Privacy, Despite Claims To the Contrary

• 2010: Why "Verified By Visa" System Is Insecure

• 2008: Researchers Expose New Credit Card Fraud Risk

• 2006: "Security Engineering" Is Now Online. [The link from that 2006 post still works. Slashdot called Anderson's book "arguably the best information security book ever written" in one of two reviews, published in 2002 and 2010.]

• 2002:Security of Open vs. Closed Source Software.

• 2002: Analyzing Palladium

My favorite story? UK Banks Attempt To Censor Academic Publication.

"Cambridge University has resisted the demands and has sent a response to the bankers explaining why they will keep the page online..."

BrianFagioli shares a report from BetaNews: In a recent security announcement, Red Hat's Information Risk and Security and Product Security teams have identified a critical vulnerability in the latest versions of the 'xz' compression tools and libraries. The affected versions, 5.6.0 and 5.6.1, contain malicious code that could potentially allow unauthorized access to systems. Fedora Linux 40 users and those using Fedora Rawhide, the development distribution for future Fedora builds, are at risk.

The vulnerability, designated CVE-2024-3094, impacts users who have updated to the compromised versions of the xz libraries. Red Hat urges all Fedora Rawhide users to immediately cease using the distribution for both work and personal activities until the issue is resolved. Plans are underway to revert Fedora Rawhide to the safer xz-5.4.x version, after which it will be safe to redeploy Fedora Rawhide instances. Although Fedora Linux 40 builds have not been confirmed to be compromised, Red Hat advises users to downgrade to a 5.4 build as a precautionary measure. An update reverting xz to 5.4.x has been released and is being distributed to Fedora Linux 40 users through the normal update system. Users can expedite the update by following instructions provided by Red Hat. Further reader submissions: xz/liblzma Backdoored, Facilitating ssh Compromise;
Malicious Code Discovered in Popular XZ Utils.

Tobias Mann reports via The Register: Cloud server provider Vultr has rapidly revised its terms-of-service after netizens raised the alarm over broad clauses that demanded the "perpetual, irrevocable, royalty-free" rights to customer "content." The red tape was updated in January, as captured by the Internet Archive, and this month users were asked to agree to the changes by a pop-up that appeared when using their web-based Vultr control panel. That prompted folks to look through the terms, and there they found clauses granting the US outfit a "worldwide license ... to use, reproduce, process, adapt ... modify, prepare derivative works, publish, transmit, and distribute" user content.

It turned out these demands have been in place since before the January update; customers have only just noticed them now. Given Vultr hosts servers and storage in the cloud for its subscribers, some feared the biz was giving itself way too much ownership over their stuff, all in this age of AI training data being put up for sale by platforms. In response to online outcry, largely stemming from Reddit, Vultr in the past few hours rewrote its ToS to delete those asserted content rights. CEO J.J. Kardwell told The Register earlier today it's a case of standard legal boilerplate being taken out of context. The clauses were supposed to apply to customer forum posts, rather than private server content, and while, yes, the terms make more sense with that in mind, one might argue the legalese was overly broad in any case.

"We do not use user data," Kardwell stressed to us. "We never have, and we never will. We take privacy and security very seriously. It's at the core of what we do globally." [...] According to Kardwell, the content clauses are entirely separate to user data deployed in its cloud, and are more aimed at one's use of the Vultr website, emphasizing the last line of the relevant fine print: "... for purposes of providing the services to you." He also pointed out that the wording has been that way for some time, and added the prompt asking users to agree to an updated ToS was actually spurred by unrelated Microsoft licensing changes. In light of the controversy, Vultr vowed to remove the above section to "simplify and further clarify" its ToS, and has indeed done so. In a separate statement, the biz told The Register the removal will be followed by a full review and update to its terms of service. "It's clearly causing confusion for some portion of users. We recognize that the average user doesn't have a law degree," Kardwell added. "We're very focused on being responsive to the community and the concerns people have and we believe the strongest thing we can do to demonstrate that there is no bad intent here is to remove it."