Bug

Firefly Software Snafu Sends Lockheed Satellite on Short-Lived Space Safari (theregister.com) 25

A software error on the part of Firefly Aerospace doomed Lockheed Martin's Electronic Steerable Antenna (ESA) demonstrator to a shorter-than-expected orbital life following a botched Alpha launch. From a report: According to Firefly's mission update, the error was in the Guidance, Navigation, and Control (GNC) software algorithm, preventing the system from sending the necessary pulse commands to the Reaction Control System (RCS) thrusters before the relight of the second stage. The result was that Lockheed's payload was left in the wrong orbit, and Firefly's engineers were left scratching their heads.

The launch on December 22, 2023 -- dubbed "Fly the Lightning" -- seemed to go well at first. It was the fourth for the Alpha, and after Firefly finally registered a successful launch a few months earlier in September, initial indications looked good. However, a burn of the second stage to circularize the orbit did not go to plan, and Lockheed's satellite was left in the wrong orbit, with little more than weeks remaining until it re-entered the atmosphere.

As it turned out, the Lockheed team completed their primary mission objectives. The payload was, after all, designed to demonstrate faster on-orbit sensor calibration. Just perhaps not quite that fast. Software issues aboard spacecraft are becoming depressingly commonplace. A recent example was the near disastrous first launch of Boeing's CST-100 Starliner, where iffy code could have led, in NASA parlance, to "spacecraft loss." In a recent interview with The Register, former Voyager scientist Garry Hunt questioned if the commercial spaceflight sector of today would take the same approach to quality as the boffins of the past.

Open Source

Valve Makes All Steam Audio SDK Source Code Available Under Apache 2.0 License (phoronix.com) 12

Michael Larabel reports via Phoronix: With Valve's release today of the Steam Audio SDK 4.5.2 they have made the software development kit fully open-source under an Apache 2.0 license. Steam Audio 4.5.2 may not sound exciting in the context of a version number but as described in the release announcement is now "the first open source release of the Steam Audio SDK source code." The rest of the work in this Steam Audio SDK release amounts to bug fixes and other standard changes.

In a SteamCommunity.com announcement posted today entitled "Steam Audio Open Source Release," it notes: "The entire Steam Audio codebase, including both the SDK and all plugins, is now released under the Apache 2.0 license. This allows developers to use Steam Audio in commercial products, and to modify or redistribute it under their own licensing terms without having to include source code. We welcome contributions from developers who would like to fix bugs or add features to Steam Audio."
You can learn more about Steam Audio via the project site.
Microsoft

Microsoft Fixes Edge Browser Bug That Was Stealing Chrome Tabs and Data 49

An anonymous reader shared a news report: Microsoft has fixed an issue where its Edge browser was again misbehaving, this time by automatically importing browsing data and tabs from Chrome without consent. I personally experienced the bug last month, after I rebooted my PC for a regular Windows update and Microsoft Edge automatically opened with the Chrome tabs I was working on before the update. I asked Microsoft repeatedly to explain why this behavior had occurred for myself and many other Windows users, but the company refused to comment. Microsoft has now quietly issued a fix in the latest Microsoft Edge update.

Here's how Microsoft describes the fix: "Edge has a feature that provides an option to import browser data on each launch from other browsers with user consent. This feature's state might not have been syncing and displaying correctly across multiple devices. This is fixed."
Open Source

Linux Becomes a CVE Numbering Authority (Like Curl and Python). Is This a Turning Point? (kroah.com) 20

From a blog post by Greg Kroah-Hartman: As was recently announced, the Linux kernel project has been accepted as a CVE Numbering Authority (CNA) for vulnerabilities found in Linux.

This is a trend, of more open source projects taking over the haphazard assignments of CVEs against their project by becoming a CNA so that no other group can assign CVEs without their involvement. Here's the curl project doing much the same thing for the same reasons. I'd like to point out the great work that the Python project has done in supporting this effort, and the OpenSSF project also encouraging it and providing documentation and help for open source projects to accomplish this. I'd also like to thank the cve.org group and board as they all made the application process very smooth for us and provided loads of help in making this all possible.

As many of you all know, I have talked a lot about CVEs in the past, and yes, I think the system overall is broken in many ways, but this change is a way for us to take more responsibility for this, and hopefully make the process better over time. It's also work that it looks like all open source projects might be mandated to do with the recent rules and laws being enacted in different parts of the world, so having this in place with the kernel will allow us to notify all sorts of different CNA-like organizations if needed in the future.

Kroah-Hartman links to his post on the kernel mailing list for "more details about how this is all going to work for the kernel." [D]ue to the layer at which the Linux kernel is in a system, almost any bug might be exploitable to compromise the security of the kernel, but the possibility of exploitation is often not evident when the bug is fixed. Because of this, the CVE assignment team are overly cautious and assign CVE numbers to any bugfix that they identify. This explains the seemingly large number of CVEs that are issued by the Linux kernel team...

No CVEs will be assigned for unfixed security issues in the Linux kernel; assignment will only happen after a fix is available, as it can be properly tracked that way by the git commit id of the original fix. No CVEs will be assigned for any issue found in a version of the kernel that is not currently being actively supported by the Stable/LTS kernel team.

alanw (Slashdot reader #1,822) worries this could overwhelm the CVE infrastructure, pointing to an ongoing discussion at LWN.net.

But reached for a comment, Greg Kroah-Hartman thinks there's been a misunderstanding. He told Slashdot that the CVE group "explicitly asked for this as part of our application... so if they are comfortable with it, why is no one else?"
Data Storage

OpenZFS Native Encryption Use Has New(ish) Data Corruption Bug (phoronix.com) 16

Some ZFS news from Phoronix this week. "At the end of last year OpenZFS 2.2.2 was released to fix a rare but nasty data corruption issue, but it turns out there are other data corruption bug(s) still lurking in the OpenZFS file-system codebase." A Phoronix reader wrote in today about an OpenZFS data corruption bug when employing native encryption and making use of send/recv support. Making use of zfs send on an encrypted dataset can cause one or more snapshots to report errors. OpenZFS data corruption issues in this area have apparently been known for years.

Since May 2021 there's been this open issue around ZFS corruption related to snapshots on post-2.0 OpenZFS. That issue remains open. A new ticket has been opened for OpenZFS as well in proposing to add warnings against using ZFS native encryption and the send/receive support in production environments.

jd (Slashdot reader #1,658) spotted the news — and adds a positive note. "Bugs, old and new, are being catalogued and addressed much more quickly now that core development is done under Linux, even though it is not mainstreamed in the kernel."
Apple

Epic Chief Suspects Apple Broke iPhone Web Apps in EU For Anticompetitive Reasons (twitter.com) 87

Apple is officially cutting support for progressive web apps for iPhone users in the European Union. While web apps have been broken for EU users in every iOS 17.4 beta so far, Apple has confirmed that this is a feature, not a bug. Commenting on Apple's move, Epic CEO Tim Sweeney tweeted: I suspect Apple's real reason for killing PWAs is the realization that competing web browsers could do a vastly better job of supporting PWAs -- unlike Safari's intentionally crippled web functionality -- and turn PWAs into legit, untaxed competitors to native apps.
Privacy

Security Flaw In a Popular Smart Helmet Allowed Silent Location Tracking (techcrunch.com) 3

An anonymous reader quotes a report from TechCrunch: The maker of a popular smart ski and bike helmet has fixed a security flaw that allowed the easy real-time location tracking of anyone wearing its helmets. Livall makes internet-connected helmets that allow groups of skiers or bike riders to talk with each other using the helmet's in-built speaker and microphone, and share their real-time location in a friend's group using Livall's smartphone apps. Ken Munro, founder of U.K. cybersecurity testing firm Pen Test Partners, said Livall's smartphone apps had a simple flaw allowing easy access to any group's audio chats and location data. Munro says the two apps, one for skiers and one for bike riders, collectively have about a million users.

At the heart of the bug, Munro found that anyone using Livall's apps for group audio chat and sharing their location must be part of the same friends group, which could be accessed using only that group's six-digit numeric code. "That 6-digit group code simply isn't random enough," Munro said in a blog post describing the flaw. "We could brute force all group IDs in a matter of minutes." In doing so, anyone could access any of the 1 million possible permutations of group chat codes.

"As soon as one entered a valid group code, one joined the group automatically," said Munro, adding that this happened without alerting other group members. "It was therefore trivial to silently join any group, giving us access to any users' location and the ability to listen in to any group audio communications," said Munro. "The only way a rogue group user could be detected was if the legitimate user went to check on the members of that group." [...] In an email, Livall's R&D director Richard Yi explained that the company improved the randomness of group codes by also adding letters, and including alerts for new members joining groups. Yi also said the app now allows the shared location to be turned off at the user level.

Security

Critical Vulnerability Affecting Most Linux Distros Allows For Bootkits (arstechnica.com) 51

Linux developers are in the process of patching a high-severity vulnerability that, in certain cases, allows the installation of malware that runs at the firmware level, giving infections access to the deepest parts of a device where they're hard to detect or remove. ArsTechnica: The vulnerability resides in shim, which in the context of Linux is a small component that runs in the firmware early in the boot process before the operating system has started. More specifically, the shim accompanying virtually all Linux distributions plays a crucial role in secure boot, a protection built into most modern computing devices to ensure every link in the boot process comes from a verified, trusted supplier. Successful exploitation of the vulnerability allows attackers to neutralize this mechanism by executing malicious firmware at the earliest stages of the boot process before the Unified Extensible Firmware Interface firmware has loaded and handed off control to the operating system.

The vulnerability, tracked as CVE-2023-40547, is what's known as a buffer overflow, a coding bug that allows attackers to execute code of their choice. It resides in a part of the shim that processes booting up from a central server on a network using the same HTTP that the web is based on. Attackers can exploit the code-execution vulnerability in various scenarios, virtually all following some form of successful compromise of either the targeted device or the server or network the device boots from. "An attacker would need to be able to coerce a system into booting from HTTP if it's not already doing so, and either be in a position to run the HTTP server in question or MITM traffic to it," Matthew Garrett, a security developer and one of the original shim authors, wrote in an online interview. "An attacker (physically present or who has already compromised root on the system) could use this to subvert secure boot (add a new boot entry to a server they control, compromise shim, execute arbitrary code)."

Facebook

Meta Cuts Off Third-Party Access To Facebook Groups (techcrunch.com) 25

An anonymous reader quotes a report from TechCrunch: The recent surprise announcement that Meta will soon be shutting down its Facebook Groups API is throwing some businesses and social media marketers into disarray. On January 23, Meta announced the release of its Facebook Graph API v19.0, which included the news that the company would be deprecating its existing Facebook Groups API. The latter, which is used by developers and businesses to schedule posts to Facebook Groups, will be removed within 90 days, Meta said. This includes all the Permissions and Reviewable Features associated with the API, it also noted.

Meta explained that a major use case for the API was a feature that allowed developers to privately reply in Facebook Groups. For example, a small business that wanted to send a single message to a person who posted on their Facebook Group or who had commented in the group could be messaged through the API. However, Meta said that another change in the new v19.0 API would enable this feature, without the need for the Groups API. But developers told TechCrunch that the shutdown of the API would cause problems for companies that offer solutions to customers who want to schedule and automate their social media posts. [...]

What's more, developers tell us that Meta's motivation behind the API's shutdown is unclear. On the one hand, it could be that Facebook Groups don't generate ad revenue and the shutdown of the API will leave developers without a workaround. But Meta hasn't clarified if that's the case. Instead, Meta's blog post only mentioned one use case that would be addressed through the new v19.0 API. [...] On Meta's forum for developers, one developer says they're "pretty shocked" by the company's announcement, noting their app relies on the Groups API and will essentially no longer work when the shutdown occurs. Others are frustrated that Meta hasn't clearly explained if posting on Groups will be done with a Page Access token going forward, as the way the announcement is worded it seems that part is only relevant for those posting private replies, not posting to the group as a whole. [...] the whole thing could just be some messaging mistake -- like Meta perhaps forgot to include the part where it was going to note what its new solution would be. There is concern, however, that Meta is deprioritizing developers' interests having recently shut down its developer bug portal as well.

Security

Ivanti Patches Two Zero-Days Under Attack, But Finds Another (techcrunch.com) 1

Ivanti warned on Wednesday that hackers are exploiting another previously undisclosed zero-day vulnerability affecting its widely used corporate VPN appliance. From a report: Since early December, Chinese state-backed hackers have been exploiting Ivanti Connect Secure's flaws -- tracked as CVE-2023-46805 and CVE-2024-21887 -- to break into customer networks and steal information. Ivanti is now warning that it has discovered two additional flaws -- tracked as CVE-2024-21888 and CVE-2024-21893 -- affecting its Connect Secure VPN product. The former is described as a privilege escalation vulnerability, while the latter -- known as a zero-day because Ivanti had no time to fix the bug before hackers began exploiting it -- is a server-side bug that allows an attacker access to certain restricted resources without authentication. In its updated disclosure, Ivanti said it has observed "targeted" exploitation of the server-side bug. Germany's Federal Office for Information Security, known as the BSI, said in a translated advisory on Wednesday that it has knowledge of "multiple compromised systems."
Bitcoin

We Need To Talk About Franklin Templeton (ft.com) 94

FT Alphaville: Making fun of corporate brands embarrassing themselves online is like shooting fish in a barrel. It's not hard, but washing off the resulting splatter of blood, scales, innards and half-digested crab is, so no one wins. Honestly though, what the hell Franklin? Really? OK maybe Alphaville should tread carefully here, given some readers see our ~cough~ somewhat different approach to news and commentary as at odds with mainFT's brand. But like Meb Faber we prefer our trillion-dollar asset management groups to be boring. Stick to solid, sober and purportedly smart investing. Don't tweet that 60/40 retirement portfolios should include "assets" where it gleefully says "speculation is a feature, not a bug."

Especially when said asset manager was famously named after Benjamin Franklin, because according to founder Rupert Johnson he "epitomised the ideas of frugality and prudence when it came to saving and investing." We get that Franklin needs to revamp itself. Despite a spate of aggressive M&A swelling its assets to $1.4tn, its share price has sagged over the past decade, giving it a current market cap of $13.6bn. That's less than AppLovin, Domino's Pizza and the world's biggest producer of frozen potato chips. It's only barely enough for inclusion into the S&P 500. Beyond the obvious and well-documented challenges of being a very traditional active asset manager in a world that mostly loves alternatives and passive funds, Franklin also has a rep for being a bit old-fashioned. Promoting crypto therefore probably seems like an obvious, fellow-kids way to seem more cool and edgy.

HP

HP CEO Evokes James Bond-Style Hack Via Ink Cartridges (arstechnica.com) 166

An anonymous reader quotes a report from Ars Technica: Last Thursday, HP CEO Enrique Lores addressed the company's controversial practice of bricking printers when users load them with third-party ink. Speaking to CNBC Television, he said, "We have seen that you can embed viruses in the cartridges. Through the cartridge, [the virus can] go to the printer, [and then] from the printer, go to the network." That frightening scenario could help explain why HP, which was hit this month with another lawsuit over its Dynamic Security system, insists on deploying it to printers.

Dynamic Security stops HP printers from functioning if an ink cartridge without an HP chip or HP electronic circuitry is installed. HP has issued firmware updates that block printers with such ink cartridges from printing, leading to the above lawsuit (PDF), which is seeking class-action certification. The suit alleges that HP printer customers were not made aware that printer firmware updates issued in late 2022 and early 2023 could result in printer features not working. The lawsuit seeks monetary damages and an injunction preventing HP from issuing printer updates that block ink cartridges without an HP chip. [...]

Unsurprisingly, Lores' claim comes from HP-backed research. The company's bug bounty program tasked researchers from Bugcrowd with determining if it's possible to use an ink cartridge as a cyberthreat. HP argued that ink cartridge microcontroller chips, which are used to communicate with the printer, could be an entryway for attacks. [...] It's clear that HP's tactics are meant to coax HP printer owners into committing to HP ink, which helps the company drive recurring revenue and makes up for money lost when the printers are sold. Lores confirmed in his interview that HP loses money when it sells a printer and makes money through supplies. But HP's ambitions don't end there. It envisions a world where all of its printer customers also subscribe to an HP program offering ink and other printer-related services. "Our long-term objective is to make printing a subscription. This is really what we have been driving," Lores said.

Privacy

Have I Been Pwned Adds 71 Million Emails From Naz.API Stolen Account List (bleepingcomputer.com) 17

An anonymous reader quotes a report from BleepingComputer: Have I Been Pwned has added almost 71 million email addresses associated with stolen accounts in the Naz.API dataset to its data breach notification service. The Naz.API dataset is a massive collection of 1 billion credentials compiled using credential stuffing lists and data stolen by information-stealing malware. Credential stuffing lists are collections of login name and password pairs stolen from previous data breaches that are used to breach accounts on other sites.

Information-stealing malware attempts to steal a wide variety of data from an infected computer, including credentials saved in browsers, VPN clients, and FTP clients. This type of malware also attempts to steal SSH keys, credit cards, cookies, browsing history, and cryptocurrency wallets. The stolen data is collected in text files and images, which are stored in archives called "logs." These logs are then uploaded to a remote server to be collected later by the attacker. Regardless of how the credentials are stolen, they are then used to breach accounts owned by the victim, sold to other threat actors on cybercrime marketplaces, or released for free on hacker forums to gain reputation amongst the hacking community.

The Naz.API is a dataset allegedly containing over 1 billion lines of stolen credentials compiled from credential stuffing lists and from information-stealing malware logs. It should be noted that while the Naz.API dataset name includes the word "Naz," it is not related to network attached storage (NAS) devices. This dataset has been floating around the data breach community for quite a while but rose to notoriety after it was used to fuel an open-source intelligence (OSINT) platform called illicit.services. This service allows visitors to search a database of stolen information, including names, phone numbers, email addresses, and other personal data. The service shut down in July 2023 out of concerns it was being used for doxxing and SIM-swapping attacks. However, the operator enabled the service again in September. Illicit.services uses data from various sources, but one of its largest sources of data came from the Naz.API dataset, which was shared privately among a small number of people. Each line in the Naz.API data consists of a login URL, its login name, and an associated password stolen from a person's device, as shown [here].

"Here's the back story: this week I was contacted by a well-known tech company that had received a bug bounty submission based on a credential stuffing list posted to a popular hacking forum," explained Troy Hunt, the creator of Have I Been Pwned, in a blog post. "Whilst this post dates back almost 4 months, it hadn't come across my radar until now and inevitably, also hadn't been sent to the aforementioned tech company."

"They took it seriously enough to take appropriate action against their (very sizeable) user base which gave me enough cause to investigate it further than your average cred stuffing list."

To check if your credentials are in the Naz.API dataset, you can visit Have I Been Pwned.
Bug

Fujitsu is Sorry That Its Software Helped Send Innocent People To Prison (arstechnica.com) 143

Fujitsu has apologized for its role in the British Post Office scandal, acknowledging that its buggy accounting software contributed to the wrongful prosecutions of hundreds of postal employees. From a report: "Fujitsu would like to apologize for our part in this appalling miscarriage of justice," Paul Patterson, co-CEO of Fujitsu's European division, said in a hearing held by the UK Parliament's Business and Trade Committee. "We were involved from the very start. We did have bugs and errors in the system and we did help the Post Office in their prosecutions of the sub-postmasters. For that we are truly sorry."

The committee hearing focused on possible compensation for victims of what has been called "the worst miscarriage of justice in British history." Patterson said that Fujitsu has "a moral obligation" to contribute to the compensation for victims. A BBC report explains that between 1999 and 2015, "more than 900 sub-postmasters and postmistresses were prosecuted for theft and false accounting after money appeared to be missing from their branches, but the prosecutions were based on evidence from faulty Horizon software. Some sub-postmasters wrongfully went to prison, many were financially ruined. Some have since died."

Chrome

Google Is No Longer Bringing the Full Chrome Browser To Fuchsia (9to5google.com) 24

Google has formally discontinued its efforts to bring the full Chrome browser experience to its Fuchsia operating system. 9to5Google reports: In 2021, we reported that the Chromium team had begun an effort to get the full Chrome/Chromium browser running on Google's in-house Fuchsia operating system. Months later, in early 2022, we were even able to record a video of the progress, demonstrating that Chromium (the open-source-only variant of Chrome) could work relatively well on a Fuchsia-powered device. This was far from the first time that the Chromium project had been involved with Fuchsia. Google's full lineup of Nest Hub smart displays is currently powered by Fuchsia under the hood, and those displays have limited web browsing capabilities through an embedded version of the browser.

In contrast to that minimal experience, Google was seemingly working to bring the full might of Chrome to Fuchsia. To observers, this was yet another signal that Google intended for Fuchsia to grow beyond the smart home and serve as a full desktop operating system. After all, what good is a laptop or desktop without a web browser? Fans of the Fuchsia project have anticipated its eventual expansion to desktop since Fuchsia was first shown to run on Google's Pixelbook hardware. However, in the intervening time -- a period that also saw significant layoffs in the Fuchsia division -- it seems that Google has since shifted Fuchsia in a different direction. The clearest evidence of that move comes from a Chromium code change (and related bug tracker post) published last month declaring that the "Chrome browser on fuchsia won't be maintained."

GUI

Linux Mint 21.3: Its First Official Release with Wayland Support (omgubuntu.co.uk) 71

Linux Mint 21.3 is now available to download, reports the blog OMG Ubuntu.

It's the first version to offer Wayland support in its Cinnamon desktop: Following a successful bout of bug-busting in last month's beta release, Mint devs have gone ahead and rubber-stamped a stable release. Thus, you can reasonably expect to not encounter any major issues when installing or using it... [I]t's based on Ubuntu 22.04 LTS and continues to use the Linux 5.15 kernel by default, but newer kernels are available to install within the OS...

In my own testing I find Cinnamon's Wayland support to be well-rounded. It's not perfect but I didn't hit any major snafus that prevented me from working (though admittedly I did only attempt 'basic' tasks like web browsing, playing music, and adding applets). However, Cinnamon's Wayland support is in an early state, is not enabled by default, and Linux Mint devs expect it won't be good enough for everyone until the 23.x series (due 2026) at the earliest. Still, try it out yourself and see if it works for you. Select the 'Cinnamon on Wayland (Experimental)' session from the login screen session selector, and then login as normal...

Additionally, the latest version of Mozilla Firefox is pre-installed (as a deb, not a Snap).

Among the new features is a whole new category of desktop add-ons — "Actions" — which upgrade the right-click context menu. (So for .iso files there are two new choices: "Verify" or "Make bootable USB stick".)

The article says there's also "a raft of smaller refinements," plus "a bevvy of buffs and embellishments" for Linux Mint's homegrown apps.

Any Linux Mint users reading Slashdot? Share your thoughts or experiences in the comments...
Encryption

Post-Quantum Encryption Algorithm KyberSlash Patched After Side-Channel Attack Discovered (bleepingcomputer.com) 12

jd (Slashdot reader #1,658) shared this story from BleepingComputer. The article notes that "Multiple implementations of the Kyber key encapsulation mechanism for quantum-safe encryption are vulnerable to a set of flaws collectively referred to as KyberSlash, which could allow the recovery of secret keys."

jd explains that Crystals-Kyber "was chosen to be the U.S. government's post-quantum cryptography system of choice last year, but a side-channel attack has been identified. But in the article, NIST says that this is an implementation-specific attack (the reference implementation) and not a vulnerability in Kyber itself."

From the article: CRYSTALS-Kyber is the official implementation of the Kyber key encapsulation mechanism (KEM) for quantum-safe algorithm (QSA) and part of the CRYSTALS (Cryptographic Suite for Algebraic Lattices) suite of algorithms. It is designed for general encryption... The KyberSlash flaws are timing-based attacks arising from how Kyber performs certain division operations in the decapsulation process, allowing attackers to analyze the execution time and derive secrets that could compromise the encryption. If a service implementing Kyber allows multiple operation requests towards the same key pair, an attacker can measure timing differences and gradually compute the secret key...

In a KyberSlash1 demo on a Raspberry Pi system, the researchers recovered Kyber's secret key from decryption timings in two out of three attempts...

On December 30, KyberSlash2 was patched following its discovery and responsible reporting by Prasanna Ravi, a researcher at the Nanyang Technological University in Singapore, and Matthias Kannwischer, who works at the Quantum Safe Migration Center.
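The division the article describes sits in the step that turns a decrypted polynomial back into message bits: for each coefficient t in [0, q) with q = 3329, Kyber decides whether t is closer to 0 or to q/2. Below is an added illustration (written for this summary, not code from the Kyber project or from the BleepingComputer report) of the variable-time divide-based form beside a constant-time multiply-and-shift replacement of the kind the patched reference implementation uses, plus the check a maintainer would want: that the two forms agree on every possible coefficient, since a "constant-time" rewrite that changes even one decoding result would break decryption. The round-trip helper, the noise pattern and the message bytes are constructed for the example; real Kyber derives the coefficients from a ciphertext, which is not modelled here.

```c
/* Added example: variable-time vs constant-time coefficient-to-bit decoding
 * in the style of Kyber's poly-to-message step. Not the project's own code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KYBER_Q 3329u

/* Variable-time form: the `/ KYBER_Q` compiles to a hardware division (or a
 * division routine) whose cycle count can depend on the secret operand t. */
uint32_t msg_bit_divide(uint32_t t)
{
    return (((t << 1) + KYBER_Q / 2) / KYBER_Q) & 1u;
}

/* Constant-time form: 80635 = floor(2^28 / q) and 1665 = ceil(q / 2).
 * u * 80635 >> 28 approximates u / q from slightly below, so the result equals
 * floor((2t + 1664) / q) for every t in [0, q); only multiply, add and shift
 * are used, whose timing does not depend on t. */
uint32_t msg_bit_ct(uint32_t t)
{
    uint32_t u = (t << 1) + 1665u;   /* u <= 8321, so u * 80635 fits in 32 bits */
    u *= 80635u;
    u >>= 28;
    return u & 1u;
}

/* Exhaustive equivalence check over the whole coefficient range.
 * Returns 1 if both forms agree everywhere, 0 on the first mismatch. */
int check_all_coefficients(void)
{
    for (uint32_t t = 0; t < KYBER_Q; t++)
        if (msg_bit_divide(t) != msg_bit_ct(t))
            return 0;
    return 1;
}

/* Decode 256 coefficients (assumed to lie in (-q, q)) into 32 message bytes
 * using the constant-time rule. Negative coefficients are mapped into [0, q)
 * with a sign mask rather than a branch. */
void poly_to_msg_ct(uint8_t msg[32], const int16_t coeffs[256])
{
    for (int i = 0; i < 32; i++) {
        msg[i] = 0;
        for (int j = 0; j < 8; j++) {
            int32_t c = coeffs[8 * i + j];
            c += (c >> 15) & (int32_t)KYBER_Q;   /* add q only if c < 0 */
            msg[i] |= (uint8_t)(msg_bit_ct((uint32_t)c) << j);
        }
    }
}

/* Encoding direction for the demo: bit 1 -> (q + 1) / 2 = 1665, bit 0 -> 0. */
void msg_to_poly_demo(int16_t coeffs[256], const uint8_t msg[32])
{
    for (int i = 0; i < 32; i++)
        for (int j = 0; j < 8; j++)
            coeffs[8 * i + j] = ((msg[i] >> j) & 1) ? 1665 : 0;
}

/* Round trip with constructed noise of magnitude <= 300 (well inside the
 * decoding margin of about q/4) to show the decoder tolerates it.
 * Returns 1 if the decoded bytes equal the original message. */
int roundtrip_check(void)
{
    uint8_t msg[32], out[32];
    int16_t coeffs[256];
    for (int i = 0; i < 32; i++)
        msg[i] = (uint8_t)(i * 37 + 11);            /* constructed message */
    msg_to_poly_demo(coeffs, msg);
    for (int k = 0; k < 256; k++)
        coeffs[k] = (int16_t)(coeffs[k] + (k % 7) * 100 - 300); /* -300..+300 */
    poly_to_msg_ct(out, coeffs);
    return memcmp(msg, out, 32) == 0;
}

int main(void)
{
    printf("divide/const-time forms agree on all %u coefficients: %s\n",
           KYBER_Q, check_all_coefficients() ? "yes" : "NO");
    printf("noisy round trip decodes correctly: %s\n",
           roundtrip_check() ? "yes" : "NO");
    return 0;
}
```

The equivalence loop is the part worth keeping in a test suite: timing fixes of this shape are easy to get wrong by one at a rounding boundary (here t = 832, where 2t + q/2 lands just below q), and the check catches that without needing a cycle counter. Verifying that the compiler really emitted no division for `msg_bit_ct` still requires inspecting the generated assembly, since the C source alone does not guarantee it.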

The Courts

Despite 16-Year Glitch, UK Law Still Considers Computers 'Reliable' By Default (theguardian.com) 96

Long-time Slashdot reader Geoffrey.landis writes: Hundreds of British postal workers wrongly convicted of theft due to faulty accounting software could have their convictions reversed, according to a story from the BBC. Between 1999 and 2015, the Post Office prosecuted 700 sub-postmasters and sub-postmistresses — an average of one a week — based on information from a computer system called Horizon, after faulty software wrongly made it look like money was missing. Some 283 more cases were brought by other bodies including the Crown Prosecution Service.
2024 began with a four-part dramatization of the scandal airing on British television, and the BBC reporting today that its reporters originally investigating the story confronted "lobbying, misinformation and outright lies."

Yet the Guardian notes that to this day in English and Welsh law, computers are still assumed to be "reliable" unless and until proven otherwise. But critics of this approach say this reverses the burden of proof normally applied in criminal cases. Stephen Mason, a barrister and expert on electronic evidence, said: "It says, for the person who's saying 'there's something wrong with this computer', that they have to prove it. Even if it's the person accusing them who has the information...."

He and colleagues had been expressing alarm about the presumption as far back as 2009. "My view is that the Post Office would never have got anywhere near as far as it did if this presumption wasn't in place," Mason said... [W]hen post office operators were accused of having stolen money, the hallucinatory evidence of the Horizon system was deemed sufficient proof. Without any evidence to the contrary, the defendants could not force the system to be tested in court and their loss was all but guaranteed.

The influence of English common law internationally means that the presumption of reliability is widespread. Mason cites cases from New Zealand, Singapore and the U.S. that upheld the standard and just one notable case where the opposite happened... The rise of AI systems made it even more pressing to reassess the law, said Noah Waisberg, the co-founder and CEO of the legal AI platform Zuva.

Thanks to Slashdot reader Bruce66423 for sharing the article.

Games

Ubisoft Accidentally Used Text-to-Speech To Voice a Character in the New Prince of Persia Game (engadget.com) 25

Ubisoft's Prince of Persia: The Lost Crown launches next week, but players are likely to encounter an amusing bug as they make their way through the game. Engadget: One of the game's NPCs is voiced by a text-to-speech program, complete with the slightly robotic tones we've come to associate with these services. It's not quite Siri or Alexa, but it's close and certainly doesn't fit the game's Persian-inspired setting. The NPC in question is a tree spirit named Kalux and seems to be voiced by a TTS program that's available online for free and typically used by streamers.

This isn't an "AI is coming for your jobs" type thing, but rather a mistake on Ubisoft's part, as each and every other NPC is attached to a voice actor. IGN notes that Kalux doesn't have a voice actor in the credits. Additionally, Kalux only has a few lines, so it likely won't be a tough fix to assign an actor to deliver that dialogue. Ubisoft has readied a day-one patch, but it won't handle the Kalux issue. Look for another patch in late January or early February that replaces the bot with a human.

Programming

Can AI-Generated Proofs Bring Bug-Free Software One Step Closer? (umass.edu) 61

The University of Massachusetts Amherst has an announcement. A team of computer scientists "recently announced a new method for automatically generating whole proofs that can be used to prevent software bugs and verify that the underlying code is correct." It leverages the AI power of Large Language Models, and the new method, called Baldur, "yields unprecedented efficacy of nearly 66%."

The idea behind the machine-checking technique was "to generate a mathematical proof showing that the code does what it is expected to do," according to the announcement, "and then use a theorem prover to make sure that the proof is also correct." But manually writing these proofs is incredibly time-consuming and requires extensive expertise. "These proofs can be many times longer than the software code itself," says Emily First, the paper's lead author who completed this research as part of her doctoral dissertation at UMass Amherst... First, whose team performed its work at Google, used Minerva, an LLM trained on a large corpus of natural-language text, and then fine-tuned it on 118GB of mathematical scientific papers and webpages containing mathematical expressions. Next, she further fine-tuned the LLM on a language, called Isabelle/HOL, in which the mathematical proofs are written. Baldur then generated an entire proof and worked in tandem with the theorem prover to check its work. When the theorem prover caught an error, it fed the proof, as well as information about the error, back into the LLM, so that it could learn from its mistake and generate a new and hopefully error-free proof.

This process yields a remarkable increase in accuracy. The state-of-the-art tool for automatically generating proofs is called Thor, which can generate proofs 57% of the time. When Baldur (Thor's brother, according to Norse mythology) is paired with Thor, the two can generate proofs 65.7% of the time. Though there is still a large degree of error, Baldur is by far the most effective and efficient way yet devised to verify software correctness, and as the capabilities of AI are increasingly extended and refined, so should Baldur's effectiveness grow.

In addition to First and Brun, the team includes Markus Rabe, who was employed by Google at the time, and Talia Ringer, an assistant professor at the University of Illinois — Urbana Champaign. This work was performed at Google and supported by the Defense Advanced Research Projects Agency and the National Science Foundation.
