The Rust foundation is making "considerable progress" on a complete security audit of the Rust ecosystem, according to the coding news site I Programmer, citing a newly-released report from the nonprofit Rust foundation: The foundation is investigating the development of a Public Key Infrastructure (PKI) model for the Rust language, including the design and implementation for a PKI CA and a resilient Quorum model for the project to implement, and the report says that language updates suggested by members of the Project were nearly ready for implementation.

Following the XZ backdoor vulnerability, the Security Initiative has focused on supply chain security, including work on provenance-tracking, verifying that a given crate is actually associated with the repository it claims to be. The top 5,000 crates by download count have been checked and verified.

Threat modeling has now been completed on the Crates ecosystem. Rust Infrastructure, crates.io and the Rust Project.

Two open source security tools, Painter and Typomania, have been developed and released. Painter can be used to build a graph database of dependencies and invocations between all crates within the crates.io ecosystem, including the ability to obtain 'unsafe' statistics, better call graph pruning, and FFI boundary mapping. Typomania ports typogard to Rust, and can be used to detect potential typosquatting as a reusable library that can be adapted to any registry.
They've also tightened admin privileges for Rust's package registry, according to the article. And "In addition to the work on the Security Initiative, the Foundation has also been working on improving interoperability between Rust and C++, supported by a $1 million contribution from Google."

According to the Rust foundation's technology director, they've made "impressive technical strides and developed new strategies to reinforce the safety, security, and longevity of the Rust programming language." And the director says the new report "paints a clear picture of the impact of our technical projects like the Security Initiative, Safety-Critical Rust Consortium, infrastructure and crates.io support, Interop Initiative, and much more."

With online dating apps, "Americans have increasingly been marrying someone more like themselves," reports Bloomberg, citing new research that says this accounts for roughly half of the rise in household income inequality between 1980 and 2020: Using data from the Census Bureau's American Community Survey from 2008 to 2021, when online dating quickly became prevalent, the economists found that women became slightly more selective when choosing partners based on age, while men became slightly more selective based on education. But when the researchers compared that with data on married couples from 1960 and 1980, they found that people in the recent period increasingly went for partners with the same wage and education levels...

Overall, the predominance of online apps to find a future partner has led to a 3-percentage-point increase in the Gini coefficient — a widely used measure of income inequality, the research shows.
The reseachers were from the Federal Reserve Banks of Dallas and St. Louis, and from Haverford College, according to the article — which also includes this quote from their paper.

"We find that the increase in income inequality over the past half a century is explained to a large extent by sorting on vertical characteristics, such as income and skill, and their interaction with education."

Wired published some thoughts from Hans Peter Brondmo, the former head of "Google's seven-year mission to give AI a robot body".

An anonymous reader shared this report from Axios: Building AI-powered robots that can flexibly operate in the real world is going to take much longer than Silicon Valley believes and promises, according to the former head of Google's robotics moonshot project, writing in Wired...

Everyday Robotics spent seven years and a small Google fortune developing a one-armed robot on a wheeled platform. By the time Google pulled the plug on the project in February 2023, the robots were helping clean up researchers' desks and sorting trash during the daytime; in the evening, they were improvising dances. [Google hired a professional dancer as an artist-in-residence who teamed with "a few other engineers" to build an AI algorithm trained on the dancer's choreography preferences...]

Google founder Larry Page — favored moving directly to "end to end" (e2e) learning, where you'd hand robots a general task and they'd be able to figure out how to execute it. That, Page felt, was a goal worthy of a moonshot. But it also turned out to be out of reach. "I have come to believe," Brondmo writes, "it will take many, many thousands, maybe even millions of robots doing stuff in the real world to collect enough data to train e2e models that make the robots do anything other than fairly narrow, well-defined tasks...." ["Building robots that perform useful services — like cleaning up and wiping all the tables in a restaurant, or making the beds in a hotel — will require both AI and traditional programming for a long time to come. In other words, don't expect robots to go running off outside our control, doing something they weren't programmed to do, anytime soon."]

The bottom line: So far, robot hype is outpacing robot reality. Boston Dynamics' back-flipping humanoid and quadruped bots have wowed YouTube viewers — but you wouldn't want to let them anywhere near your office or home.
It's an interesting look back. "My job: help figure out what to do with the employees and technology left over from nine robot companies that Google had acquired," Brondmo writes: Andy "the father of Android" Rubin, who had previously been in charge, had suddenly left. Larry Page and Sergey Brin kept trying to offer guidance and direction during occasional flybys in their "spare time...." I knew from firsthand experience how hard it was to build a company that, in Steve Jobs' famous words, could put a dent in the universe, and I believed that Google was the right place to make certain big bets. AI-powered robots, the ones that will live and work alongside us one day, was one such audacious bet.

Eight and a half years later — and 18 months after Google decided to discontinue its largest bet in robotics and AI — it seems as if a new robotics startup pops up every week. I am more convinced than ever that the robots need to come. Yet I have concerns that Silicon Valley, with its focus on "minimum viable products" and VCs' general aversion to investing in hardware, will be patient enough to win the global race to give AI a robot body. And much of the money that is being invested is focusing on the wrong things...

When I arrived, the lab had already hatched Waymo, Google Glass, and other science-fiction-sounding projects like flying energy windmills and stratospheric balloons that would provide internet access to the underserved... [But] in January 2023, two months after OpenAI introduced ChatGPT, Google shut down Everyday Robots, citing overall cost concerns. The robots and a small number of people eventually landed at Google DeepMind to conduct research. In spite of the high cost and the long timeline, everyone involved was shocked.
They'd tackled the problem with earnestness. ("[S]even robots working for months to learn how to pick up a rubber duckling? That wasn't going to cut it... So we built a cloud-based simulator and, in 2021, created more than 240 million robot instances in the sim.ma")

Brondmo adds this his mother had advanced Parkinson's disease, and hoped that one day robots could support her. "Our frequent conversations toward the end of her life convinced me more than ever that a future version of what we started at Everyday Robots will be coming. In fact, it can't come soon enough.

"So the question we are left to ponder becomes: How does this kind of change and future happen? I remain curious, and concerned."

Samba is "a free software re-implementation of the SMB networking protocol," according to Wikipedia. And now the Samba project "has secured significant funding (€688,800.00) from the German Sovereign Tech Fund to advance the project," writes Jeremy Allison — Sam (who is Slashdot reader #8,157 — and also a long standing member of Samba's core team): The investment was successfully applied for by [information security service provider] SerNet. Over the next 18 months, Samba developers from SerNet will tackle 17 key development subprojects aimed at enhancing Samba's security, scalability, and functionality.

The Sovereign Tech Fund is a German federal government funding program that supports the development, improvement, and maintenance of open digital infrastructure. Their goal is to sustainably strengthen the open source ecosystem.

The project's focus is on areas like SMB3 Transparent Failover, SMB3 UNIX extensions, SMB-Direct, Performance and modern security protocols such as SMB over QUIC. These improvements are designed to ensure that Samba remains a robust and secure solution for organizations that rely on a sovereign IT infrastructure. Development work began as early as September the 1st and is expected to be completed by the end of February 2026 for all sub-projects.

All development will be done in the open following the existing Samba development process. First gitlab CI pipelines have already been running and gitlab MRs will appear soon!
Back in 2000, Jeremy Allison answered questions from Slashdot readers about Samba.

Allison is now a board member at both the GNOME Foundation and the Software Freedom Conservancy, a distinguished engineer at Rocky Linux creator CIQ, and a long-time free software advocate.

An anonymous Slashdot reader writes: Haiku (the MIT-licensed operating system, inspired by BeOS) has released its fifth beta for Haiku R1.

Some new features include improved UI color management, improved dark mode coloring, Tracker improvements, TUN/TAP support for VPN connections, TCP throughput improvements, performance optimizations, UFS2 (BSD's filesystem) read-only support, new FAT filesystem driver, improved hardware support, improved POSIX compliance, improved performance, and more.
Slashdot has been covering the fate of the BeOS since 2000 (as well as the short-lived derivative project ZETA — and Haiku).

And now "With a history of over two decades and previously known as OpenBeOS, today's Haiku is pushing forward..." writes the site NotebookCheck: Haiku is a spiritual successor to BeOS, with a focus on a clean and user-friendly design paired with low system requirements. The minimum system requirements are still an Intel Pentium II/AMD Athlon CPU or better, at least 384 MB RAM, an 800x600 screen, and at least 3GB storage. It works on both 32-bit and 64-bit x86 PCs, and the 32-bit version can run many unmodified BeOS applications. It might be the best desktop open-source operating system not based on Linux or Unix... It works well in a virtual machine like VirtualBox or UTM.

"A two-day AI Labor Summit between AFL-CIO leaders and Microsoft executives this week reflects the tech giant's revamped approach to unions," writes GeekWire, "which includes a pledge by the company to incorporate feedback from labor unions and their members into the development of artificial intelligence."

But just two days later, "Microsoft Gaming CEO Phil Spencer announced it was game over for the jobs of another 650 Microsoft staffers (on top of an earlier 1,900 employee staff reduction)," writes long-time Slashdot reader theodp, "cuts that Spencer made clear were related to Microsoft's $69B acquisition of Activision Blizzard in 2023." Interestingly, Microsoft's Smith in October 2023 affirmed a "groundbreaking neutrality agreement" with the Communications Workers of America union (CWA) — designed to go into effect if Microsoft was successful in its acquisition of Activision Blizzard — in which Microsoft acknowledged the rights of its employees to unionize and pledged to work constructively with any who did. At the same time, Microsoft made it clear that it hoped its employees wouldn't feel the need to form or join unions, saying they would "never need to organize to have a dialogue with Microsoft's leaders."

In July 2023, the AFL-CIO applauded Microsoft's Activision Blizzard acquisition and the Microsoft-CWA agreement, which AFL-CIO union federation president Liz Shuler said "sets a new standard for respecting workers' rights in the video game industry and the larger technology sector." And in December 2023, Shuler thanked Smith for Microsoft's "absolutely historic partnership" on AI and the Future of the Workforce, which Shuler suggested "can be mutually beneficial for workers, for businesses, and for our country as a whole."
Thursday the CWA union issued critical remarks about the layoffs at Microsoft Gaming (which were later retweeted by the @AFLCIO Twitter account).

"While we would hope that a company like Microsoft with $88 billion in profits last year could achieve 'long-term success' without destroying the livelihoods of 650 of our colleagues, heartless layoffs like these have become all too common."

Redmonk's latest programming language ranking (attempting to gauge "potential future adoption trends") has found evidence of "a landscape resistant to change." Outside of CSS moving down a spot and C++ moving up one, the Top 10 was unchanged. And even in the back half of the rankings, where languages tend to be less entrenched and movement is more common, only three languages moved at all... There are a few signs of languages following in TypeScript's footsteps and working their way up the path, both in the Top 20 and at the back end of the Top 100 as we'll discuss shortly, but they're the exception that proves the rule.

It's possible that we'll see more fluid usage of languages, and increased usage of code assistants would theoretically make that much more likely, but at this point it's a fairly static status quo. With that, some results of note:

- TypeScript (#6): technically TypeScript didn't move, as it was ranked sixth in our last run, but this is the first quarter in which is has been the sole occupant of that spot. CSS, in this case, dropped one place to seven leaving TypeScript just outside the Top 5. It will be interesting to see whether or not it has more momentum to expend or whether it's topped out for the time being.

- Kotlin (#14) / Scala (#14): both of these JVM-based languages jumped up a couple of spots — two spots in Scala's case and three for Kotlin. Scala's rise is notable because it had been on something of a downward trajectory from a one time high of 12th, and Kotlin's placement is a mild surprise because it had spent three consecutive runs not budging from 17, only to make the jump now. The tie here, meanwhile, is interesting because Scala's long history gives it an accretive advantage over Kotlin's more recent development, but in any case the combination is evidence of the continued staying power of the JVM.

- Objective C (#17): speaking of downward trajectories and the 17th placement on this list, Objective C's slide that began in mid-2018 continued and left the language with its lowest placement in these rankings to date at #17. That's still an enormously impressive achievement, of course, and there are dozens of languages that would trade their usage for Objective C's, but the direction of travel seems clear.

- Dart (#19) / Rust (#19): while once grouped with Kotlin as up and coming languages driven by differing incentives and trends, Dart and Rust have not been able to match the ascent of their counterpart with five straight quarters of no movement. That's not necessarily a negative; as with Objective C, these are still highly popular languages and communities, but it's worth questioning whether new momentum will arrive and from where, particularly because the communities are experiencing some friction in growing their usage.
It's important to remember Redmonk's methodology. "We extract language rankings from GitHub and Stack Overflow, and combine them for a ranking that attempts to reflect both code (GitHub) and discussion (Stack Overflow) traction. The idea is not to offer a statistically valid representation of current usage, but rather to correlate language discussion and usage in an effort to extract insights into potential future adoption trends."

Having said that, here's the current top ten in Redmonk's ranking:

1. JavaScript
2. Python
3. Java
4. PHP
5. C#
6. TypeScript
7. CSS
8. C++
9. Ruby
10. C

Their announcement also notes that at the other end of the list, the programming language Bicep "jumped eight spots to #78 and Zig 10 to #87. That progress pales next to Ballerina, however, which jumped from #80 to #61 this quarter. The general purpose language from WS02, thus, is added to the list of potential up and comers we're keeping an eye on."

The Washingon Post reports that a regulatory dispute in Ohio may help answer a big question about America's power grid: who will pay for the huge upgrades needed to meet soaring energy demand "from the data centers powering the modern internet and artificial intelligence revolution?" Google, Amazon, Microsoft and Meta are fighting a proposal by an Ohio power company to significantly increase the upfront energy costs they'll pay for their data centers, a move the companies dubbed "unfair" and "discriminatory" in documents filed with Ohio's Public Utility Commission last month. American Electric Power Ohio said in filings that the tariff increase was needed to prevent new infrastructure costs from being passed on to other customers such as households and businesses if the tech industry should fail to follow through on its ambitious, energy-intensive plans. The case could set a national precedent that helps determine whether and how other states force tech firms to be accountable for the costs of their growing energy consumption... The energy demands of data centers have created similar concerns in other hot spots such as Northern Virginia, Atlanta and Maricopa County, Arizona, leaving experts concerned that the U.S. power grid may not be capable of dealing with the combined needs of the green energy transition and the computing boom that artificial intelligence companies say is coming...

Energy customers must sometimes make a monthly payment to a utility that is a percentage of the maximum amount of electricity they predict that they could need. In Ohio, data center companies had agreed to pay 60 percent of the projected amount. But in May, the power company proposed a new, 10-year fee structure raising the charges to 90 percent of the expected load, even if they don't end up using that much. The major tech companies — all of whom are increasing spending on data center infrastructure to compete in AI — strenuously opposed the proposed contract in documents filed last month... According to testimony from AEP Ohio Vice President Lisa Kelso, there are 50 pending requests from data center customers seeking electric service at more than 90 sites, a potential 30,000 megawatts of additional load — enough to power more than 20 million households. That additional demand would more than triple the utility's previous peak load in 2023, she said. Between 2020 and 2024, the data center energy load in central Ohio increased sixfold, from 100 to 600 megawatts, her testimony reads. By 2030, that amount will reach 5,000 megawatts, according to the utility's signed agreements, she testified...

Meeting that demand will require AEP Ohio to build new transmission lines, an expensive and time-consuming process... Chief among the power company's concerns, according to the documents, is what will happen if it invests billions of dollars into new grid infrastructure only for the data centers to leave for greener pastures, or for the AI bubble to burst and the facilities to need much less power than initially projected. If the power company spends big on new infrastructure but the power demand it was built to serve doesn't materialize, other customers — including business and residential payers — will be stuck with the bill, the utility said... AEP Ohio's testimony in the case also questions whether data centers bring as much to local communities as factories or other high-energy-load businesses. Since 2019, non-data center businesses have created approximately 25 jobs for every megawatt of power requested, while data centers have created less than one job per megawatt, according to Kelso's testimony.

The tech companies rejected this criticism, saying the number of jobs they create is not relevant to how much power they have a right to purchase, and highlighted their other contributions to local economies... Amazon said in filings that it pays fees as high as 75 percent of projected demand in some states but that Ohio's proposal to bill it 90 percent goes too far.
"Should the Ohio tariff be approved, Microsoft and Google both threatened in their testimony to leave Ohio." (Although at the same time, "pressure on the electric grid is mounting all over the country...")

And the article points out that on Thursday, "the White House announced measures intended to speed up data center construction for AI projects, including by accelerating permitting."

Ars Technica's Stephen Clark reports: A panel of independent experts reported this week that NASA lacks funding to maintain most of its decades-old facilities, could lose its engineering prowess to the commercial space industry, and has a shortsighted roadmap for technology development. "NASA's problem is it always seems to have $3 billion more program than it has of funds," said Norm Augustine, chair of the National Academies panel chartered to examine the critical facilities, workforce, and technology needed to achieve NASA's long-term strategic goals and objectives. Augustine said a similar statement could sum up two previous high-level reviews of NASA's space programs that he chaired in 1990 and 2009. But the report released Tuesday put NASA's predicament in stark terms.

"In NASA's case, the not-uncommon tendency in a constrained budget environment to prioritize initiating new missions as opposed to maintaining and upgrading existing support assets has produced an infrastructure that would not be viewed as acceptable under most industrial standards," the panel wrote in its report. "In fact, during its inspection tours, the committee saw some of the worst facilities many of its members have ever seen." All of NASA's centers have facilities the agency considers marginal, but Johnson Space Center in Houston has the facilities with the worst average score. Johnson oversees astronaut training and is home to NASA's Mission Control Center for the International Space Station and future Artemis lunar missions. The Jet Propulsion Laboratory in California, which develops and operates many of NASA's robotic interplanetary probes, and Stennis Space Center in Mississippi, used for rocket engine testing, are the only centers without a poor infrastructure score.

These ratings cover things like buildings and utilities, not the specific test rigs or instruments inside them. "You can have a world-class microscope and materials lab, but if the building goes down, that microscope is useless to you," [Erik Weiser, NASA's director of facilities and real estate] told the National Academies panel in a meeting last year. The panel recommended that Congress direct NASA to establish an annually replenished revolving working capital fund to pay for maintenance and infrastructure upgrades. Other government agencies use similar funds for infrastructure support. "This is something that will require federal legislation," said Jill Dahlburg, a member of the National Academies panel and former superintendent of the space science division at the Naval Research Laboratory.

Longtime Slashdot reader davidwr writes: Winners of the 34th First Annual Ig Nobel Prizes included studies on hair swirling (natural, not from grade-school bathroom torture), mammals that breath through their anal orifices, and a study on pigeon-guided missiles. There were also prizes for the study of the swimming abilities of a formerly-living trout. "Honors" were also bestowed for research in coin-flipping (no, it's not 50/50), why cows spew milk, and drunken worms, among other topics. Prizes included $10,000,000,000 (in now-worthless Zimbabwe dollars) and items related to Murphy's Law.

Media coverage includes AP, CNN, Gizmodo, Ars Technica, and by the time you read this, probably much more.

An anonymous reader quotes a report from CBC News: Stranded astronauts Butch Wilmore and Suni Williams said Friday it was hard to watch their Boeing capsule return to Earth without them. It was their first public comments since last week's return of the Boeing Starliner capsule that took them to the International Space Station in June. They remained behind after NASA determined the problem-plagued capsule posed too much risk for them to ride back in. "That's how it goes in this business," said Williams, adding that "you have to turn the page and look at the next opportunity."

Wilmore and Williams are now full-fledged station crew members, chipping in on routine maintenance and experiments. They, along with seven others on board, welcomed a Soyuz spacecraft carrying two Russians and an American earlier this week, temporarily raising the station population to 12, a near record. NASA astronauts Butch Wilmore and Suni Williams spoke to the press on Friday for the first time since their Boeing Starliner capsule returned to Earth without them. The two, who have been on the International Space Station since June 6, said they are taking the mission's unexpected extension into 2025 in stride -- even if it means they've had to change their voting plans. The transition to station life was "not that hard" since both had previous stints there, said Williams, who will soon take over as station commander. "This is my happy place. I love being up here in space," she said.

The two Starliner test pilots -- both retired U.S. navy captains and longtime NASA astronauts — will stay at the orbiting laboratory until late February. They have to wait for a SpaceX capsule to bring them back. That spacecraft is due to launch later this month with a reduced crew of two, with two empty seats for Wilmore and Williams for the return leg. The duo said they appreciated all the prayers and well wishes from strangers back home. Wilmore said he will miss out on family milestones such as being around for his youngest daughter's final year of high school. The astronauts, who prepared for eight days in space, will now be up there for eight months, which could have a greater impact on the body. "It is a bit of a change from a sprint to a marathon," said Dr. Adam Sirek of the Canadian Society of Aerospace Medicine.

23andMe has agreed to pay $30 million to settle a lawsuit over a data breach that exposed the personal information of 6.4 million customers in 2023. BleepingComputer reports: The proposed class action settlement (PDF), filed Thursday in a San Francisco federal court and awaiting judicial approval, includes cash payments for affected customers, which will be distributed within ten days of final approval. "23andMe believes the settlement is fair, adequate, and reasonable," the company said in a memorandum filed (PDF) Friday.

23andMe has also agreed to strengthen its security protocols, including protections against credential-stuffing attacks, mandatory two-factor authentication for all users, and annual cybersecurity audits. The company must also create and maintain a data breach incident response plan and stop retaining personal data for inactive or deactivated accounts. An updated Information Security Program will also be provided to all employees during annual training sessions. "23andMe denies the claims and allegations set forth in the Complaint, denies that it failed to properly protect the Personal Information of its consumers and users, and further denies the viability of Settlement Class Representatives' claims for statutory damages," the company said in the filed preliminary settlement.

"23andMe denies any wrongdoing whatsoever, and this Agreement shall in no event be construed or deemed to be evidence of or an admission or concession on the part of 23andMe with respect to any claim of any fault or liability or wrongdoing or damage whatsoever."

Gemini Live is rolling out its Live Voice Mode for all Android users, allowing them to hold real-time, interactive voice conversations with Gemini. "Previously locked into conventional text-based input and responses, Gemini Live Voice Mode gives hands-free ways to explore ideas, brainstorm, and talk through topics in real-time," reports Tom's Guide. From the report: This new voice feature is integrated into the Android Gemini app, so users need to update their app or download it from the Google Play Store if they haven't already done so. Once installed, users can turn on Live Voice Mode and start talking directly to Gemini. Do you want to get your thoughts sorted out or chat? It's fast and interactive, and no typing is required in this mode.

Users can have voice conversations on virtually anything. Suppose one is stuck with a complex project and needs a fresh perspective or researching a new hobby or course of study and wants to flesh out the subject by talking it out with Gemini. It promises to offer rich insight and ideas through conversation so that one's productivity and creativity are enhanced in ways that, up until now, have been possible only with human dialogue. [...]

The main advantage of Gemini Live Voice Mode is that it is interactive. A voice assistant would respond to a question you pose in voice, while with the live voice mode in Gemini, the dialogue sounds and feels more natural, with a tone that takes on that of the discussion and facilitates a back-and-forth interaction style. You can ask follow-up questions, clarify misunderstandings, or refine your ideas as you speak, making it more like a collaboration than a simple Q&A.

The Biden administration is proposing new rules to limit the "de minimis" exemption, which some Chinese e-commerce companies like Shein and Temu use to ship low-cost goods under $800 to U.S. customers without tariffs. The changes would subject certain shipments to closer inspection and tariffs, aiming to protect American consumers and businesses by ensuring a level playing field against Chinese platforms that have exploited this loophole. The Verge reports: Under the proposed rules, the US will prevent companies from claiming the de minimis exemption if their goods are covered by Section 301, Section 232, and Section 201 tariffs, which apply to products from China, steel, and aluminum, as well as washing machines and solar panels. In addition to slapping these shipments with tariffs, the rule change would subject them to closer inspection by US Customs and Border Protection.

The Biden administration said the proposal would help "protect consumers from goods that do not meet regulatory health and safety standards." Even though Shein is headquartered in Singapore, it's known for cheap fast fashion that's mainly manufactured in China. The China-based Temu sells clothes, household items, electronics, and a variety of other goods made in the country as well.

An anonymous reader quotes a report from Ars Technica: Researchers still don't know the cause of a recently discovered malware infection affecting almost 1.3 million streaming devices running an open source version of Android in almost 200 countries. Security firm Doctor Web reported Thursday that malware named Android.Vo1d has backdoored the Android-based boxes by putting malicious components in their system storage area, where they can be updated with additional malware at any time by command-and-control servers. Google representatives said the infected devices are running operating systems based on the Android Open Source Project, a version overseen by Google but distinct from Android TV, a proprietary version restricted to licensed device makers.

Although Doctor Web has a thorough understanding of Vo1d and the exceptional reach it has achieved, company researchers say they have yet to determine the attack vector that has led to the infections. "At the moment, the source of the TV boxes' backdoor infection remains unknown," Thursday's post stated. "One possible infection vector could be an attack by an intermediate malware that exploits operating system vulnerabilities to gain root privileges. Another possible vector could be the use of unofficial firmware versions with built-in root access." The following device models infected by Vo1d are: [R4, TV BOX, KJ-SMART4KVIP].

One possible cause of the infections is that the devices are running outdated versions that are vulnerable to exploits that remotely execute malicious code on them. Versions 7.1, 10.1, and 12.1, for example, were released in 2016, 2019, and 2022, respectively. What's more, Doctor Web said it's not unusual for budget device manufacturers to install older OS versions in streaming boxes and make them appear more attractive by passing them off as more up-to-date models. Further, while only licensed device makers are permitted to modify Google's AndroidTV, any device maker is free to make changes to open source versions. That leaves open the possibility that the devices were infected in the supply chain and were already compromised by the time they were purchased by the end user. "These off-brand devices discovered to be infected were not Play Protect certified Android devices," Google said in a statement. "If a device isn't Play Protect certified, Google doesn't have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety."

Users can confirm if their device runs Android TV OS via this link and following the steps here.

Former FTX CEO Sam Bankman-Fried's legal team has filed an appeal challenging his conviction on seven felony counts and his 25-year prison sentence. They argue that he was not presumed innocent, that the jury received incomplete information about FTX user funds, and that the prosecution's narrative was biased. CoinTelegraph reports: In a Sept. 13 filing in the United States Court of Appeals for the Second Circuit, SBF's lawyers filed a 102-page brief claiming that the former FTX CEO was "never presumed innocent," subject to scrutiny that allegedly affected prosecutors, the presiding judge, and treatment by the media. Bankman-Fried's legal team announced in April -- a few weeks after a federal judge sentenced him to 25 years in prison -- that they intended to appeal. According to the appeal, SBF's lawyers alleged the jury was "only allowed to see half the picture" with FTX user funds, claiming prosecutors had "presented a false narrative" that the money was permanently lost and Bankman-Fried intentionally caused that loss. They also claimed that counsel for the FTX debtors worked with the US government in a way that was above and beyond "cooperation," providing information allegedly as an "arm of the prosecution."

"From day one, the prevailing narrative -- initially spun by the lawyers who took over FTX, quickly adopted by their contacts at the US Attorney's Office -- was that Bankman-Fried had stolen billions of dollars of customer funds, driven FTX to insolvency, and caused billions in losses," said the appeal. "Now, nearly two years later, a very different picture is emerging -- one confirming FTX was never insolvent, and in fact had assets worth billions to repay its customers. But the jury at Bankman-Fried's trial never got to see that picture." The legal team requested the appellate court grant SBF a new trial with a different judge. It's unclear whether the Second Circuit could rule to affirm Bankman-Fried's conviction in the US District Court for the Southern District of New York or reverse the decision and set the groundwork for a new trial.

iFixit has created its own USB-C soldering iron and portable power station called FixHub, "designed to allow all types of users to handle soldering work wherever they may be," reports MacRumors. From the report: The Portable Power Station serves as the command and power center for FixHub, including a 55-watt-hour battery to support over eight hours of continuous soldering on a single charge. The power supply delivers up to 100 watts to a pair of USB-C ports, allowing it to run two soldering irons simultaneously, and the fact that it's simply a USB-C power output device means you can also use it to power or recharge an array of devices like phones.

The solidly built power station includes a handy display to show the status of your soldering iron, along with a convenient dial for adjusting the power being delivered to the iron, supporting temperatures up to 400C (750F). A flip-up bracket raises the front of the power station a bit to make the display easier to see while in use, while attachment points on the left and right side allow you to clip on the soldering iron's cap for convenient access as a stand. A USB-C port on the rear of the power station allows for up to 45 watts of input to recharge the station, and iFixit says it is safe to leave continuously connected to power so it's ready whenever you need it. [...]

iFixit is of course known for more than just hardware, and it has hundreds of free soldering guides on its website, ranging from the basics of soldering to specific repair projects. It also wouldn't be an iFixit product without repairability being front of mind, so the FixHub system is designed to allow for easy repairs and iFixit will be releasing a number of guides to help users replace batteries, repair parts, and more. Supplementing the FixHub is an optional Portable Soldering Toolkit, which provides an extensive set of tools and consumables to get you going on soldering projects. The USB Smart Soldering Iron and Portable Soldering Station are priced at $79.95 and $249.95, respectively.

An anonymous reader quotes a report from Wired: You can tell a lot about someone from their eyes. They can indicate how tired you are, the type of mood you're in, and potentially provide clues about health problems. But your eyes could also leak more secretive information: your passwords, PINs, and messages you type. Today, a group of six computer scientists are revealing a new attack against Apple's Vision Pro mixed reality headset where exposed eye-tracking data allowed them to decipher what people entered on the device's virtual keyboard. The attack, dubbed GAZEploit and shared exclusively with WIRED, allowed the researchers to successfully reconstruct passwords, PINs, and messages people typed with their eyes. "Based on the direction of the eye movement, the hacker can determine which key the victim is now typing," says Hanqiu Wang, one of the leading researchers involved in the work. They identified the correct letters people typed in passwords 77 percent of the time within five guesses and 92 percent of the time in messages.

To be clear, the researchers did not gain access to Apple's headset to see what they were viewing. Instead, they worked out what people were typing by remotely analyzing the eye movements of a virtual avatar created by the Vision Pro. This avatar can be used in Zoom calls, Teams, Slack, Reddit, Tinder, Twitter, Skype, and FaceTime. The researchers alerted Apple to the vulnerability in April, and the company issued a patch to stop the potential for data to leak at the end of July. It is the first attack to exploit people's "gaze" data in this way, the researchers say. The findings underline how people's biometric data -- information and measurements about your body -- can expose sensitive information and beused as part of the burgeoning surveillance industry.

The GAZEploit attack consists of two parts, says Zhan, one of the lead researchers. First, the researchers created a way to identify when someone wearing the Vision Pro is typing by analyzing the 3D avatar they are sharing. For this, they trained a recurrent neural network, a type of deep learning model, with recordings of 30 people's avatars while they completed a variety of typing tasks. When someone is typing using the Vision Pro, their gaze fixates on the key they are likely to press, the researchers say, before quickly moving to the next key. "When we are typing our gaze will show some regular patterns," Zhan says. Wang says these patterns are more common during typing than if someone is browsing a website or watching a video while wearing the headset. "During tasks like gaze typing, the frequency of your eye blinking decreases because you are more focused," Wang says. In short: Looking at a QWERTY keyboard and moving between the letters is a pretty distinct behavior.

The second part of the research, Zhan explains, uses geometric calculations to work out where someone has positioned the keyboard and the size they've made it. "The only requirement is that as long as we get enough gaze information that can accurately recover the keyboard, then all following keystrokes can be detected." Combining these two elements, they were able to predict the keys someone was likely to be typing. In a series of lab tests, they didn't have any knowledge of the victim's typing habits, speed, or know where the keyboard was placed. However, the researchers could predict the correct letters typed, in a maximum of five guesses, with 92.1 percent accuracy in messages, 77 percent of the time for passwords, 73 percent of the time for PINs, and 86.1 percent of occasions for emails, URLs, and webpages. (On the first guess, the letters would be right between 35 and 59 percent of the time, depending on what kind of information they were trying to work out.) Duplicate letters and typos add extra challenges.

Have you ever been in a high-stakes situation in which you needed to perform but completely bombed? You're not alone. Experiments in monkeys reveal that 'choking' under pressure is linked to a drop in activity in the neurons that prepare for movement. Nature: "You see it across the board, you see it in sports, in all kinds of different sports and outside of sports as well." says Steven Chase, a neuroscientist at Carnegie Mellon University in Pittsburgh, Pennsylvania. Chase and his colleagues investigated what happens in the brain that causes performance to plummet, and published their findings in Neuron on 12 September.

Choking under pressure is not unique to humans. In the same way that a tennis player might miss a match-winning shot, monkeys can also underperform in high-reward situations. The team set up a computer task in which rhesus monkeys received a reward after quickly and accurately moving a cursor over a target. Each trial gave the monkeys cues as to whether the reward would be small, medium-sized, large or 'jackpot'. Jackpot rewards were rare and unusually big, creating a high-stakes, high-reward situation. Using a tiny, electrode-covered chip implanted into the monkeys' brains, the team watched how neuronal activity changed between reward scenarios. The chip was situated on the motor cortex, an area of the frontal lobe that controls movement.

The researchers found that, in jackpot scenarios, the activity of neurons associated with motor preparation decreased. Motor preparation is the brain's way of making calculations about how to complete a movement -- similar to lining up an arrow on a target before unleashing it. The drop in motor preparation meant that the monkey's brains were underprepared, and so they underperformed. The results "help us understand how reward-outcome-mediated behaviour is not linear," says Bita Moghaddam, a behavioural neuroscientist at Oregon Health & Science University in Portland. To a certain extent, "you just don't perform better as the reward increases," Moghaddam says. It would also be interesting to see how other brain regions respond in jackpot-reward situations, she adds, because multiple regions could be involved.

Dell and HP executives have acknowledged a delay in the anticipated commercial PC refresh cycle. Michael Dell, speaking at the Citi 2024 Global TMT conference, stated that the refresh cycle "has been delayed for sure." The Register adds: Without offering any reasons for postponement -- and not being pressed for one by the analyst interviewing him -- the billionaire reckoned the size of the refresh is "going to be even bigger" because of it. "So first of all we have a certain date with Windows 10 end-of-life and we're almost within a one year window of that, and as you get in that one-year window, the enterprise IT people start screwing around and saying, 'Oh, we better do something about this'," said Dell.

Enrique Lores, CEO at rival PC maker HP, who spoke at the Goldman Sachs Communacopia + Technology conference this week, agreed enterprises are also about to invest in new lines. "First of all there is a large and aging installed base on PCs. Many of these PCs were bought during COVID and now we are four [or] five years after they were bought and they will have to be replaced. "We also see an opportunity driven by the Windows 11 refresh that is only starting now... this is what is behind some of the strength that we see on the commercial side. Microsoft⦠will start discontinuing their support for the previous versions, and this always ties the replacement and upgrade," he said, adding "this is going to be driving demand in the coming quarters."